Information Security Governance and Risk Management
Security Definitions
A vulnerability is a weakness or flaw in the design or implementation of a system. Vulnerabilities can exist in people, technology or procedures.
An exploit is a piece of code or an action that takes advantage of a vulnerability in order to cause unintended or unanticipated behavior in a computer system.
A threat is the potential that a vulnerability will be exploited.
A threat agent is the entity that exploits a vulnerability.
Risk is the probability that a threat will exploit a vulnerability, combined with the impact that would result.
Exposure is the state of being exposed to losses. If a vulnerability is exploited, an exposure is created.
An asset is a tangible or intangible resource recognized as “valuable” to an organization that must be protected.
A security control (countermeasure) is put in place to reduce the risk associated with a specific threat or a group of threats. Countermeasures can be logical, physical, or administrative.
Security Controls
Security Control Types
Security controls are categorized based on the type of implementation into the following three groups:
- 1. Logical/technical security controls - Logical and technical controls are hardware or software mechanisms used to manage access to resources and systems. Examples of logical or technical controls include encryption, smart cards, passwords, firewalls, routers, intrusion detection systems and biometrics.
- 2. Physical security controls - Physical controls are physical barriers deployed to prevent direct contact with systems or areas within a facility. Examples of physical access controls include guards, fences, motion detectors, locked doors, sealed windows, lights, cable protection, laptop locks, swipe cards, guard dogs, video cameras, mantraps, and alarms.
- 3. Administrative controls - Administrative controls (also called management controls) are implemented by creating and following organizational policies, procedures, or guidelines. User training and awareness also fall into this category.
Security Control Functions
Security controls can be further divided into the following categories based on their function or purpose. Some security mechanisms fall into more than one category.
- 1. Preventive controls - A preventive security control is implemented to stop unwanted or unauthorized access or activity from occurring. Examples of preventive controls include fences, locks, mantraps, alarm systems, separation of duties, job rotation, data classification, encryption, smart cards, security policies, antivirus software and hiring practices.
- 2. Deterrent security control - A deterrent security control is implemented to discourage violation of security policies. Examples of deterrent security controls are warning banners, security cameras, trespass or intrusion alarms, auditing, security awareness training, and so on.
- 3. Detective security control - A detective security control is implemented to discover unwanted or unauthorized activity. Typically, detective controls operate after something has happened rather than in real time. Examples of detective controls include motion detectors, recording and reviewing of events captured by security cameras or CCTV, intrusion detection systems, mandatory vacations, audit trails, violation reports, incident investigations, and job rotation.
- 4. Corrective security control - A corrective security control is implemented to restore systems to normal after an unwanted or unauthorized activity has occurred. Corrective controls have only minimal capability to respond to access violations. Examples of corrective security controls include intrusion detection systems, antivirus solutions, and business continuity planning.
- 5. Recovery security control - A recovery security control is implemented to repair or restore resources, functions, and capabilities after a violation of security policies. Recovery controls have more advanced or complex capabilities to respond to access violations than corrective controls. Examples of recovery security controls include backups and restores, fault-tolerant drives, server clustering, and database or VM shadowing.
- 6. Compensating - A compensating control is a secondary (or tertiary) control that takes over when the primary control fails or cannot be implemented. Examples of compensating security controls are VM shadowing and a backup power supply.
Governance and Layers of Responsibility
Board of Directors
The board of directors is a group of members elected by the shareholders to oversee the activities of a company or organization. The board consists of two types of representatives: inside directors chosen from within the company (for example the CEO, the CFO, or a manager working for the company) and outside directors chosen from outside the company who are independent of it. The main responsibilities of the board include accounting to the shareholders for the organization’s performance, approving annual budgets, governing the organization by establishing broad policies and objectives, and ensuring the availability of adequate financial resources. The responsibilities of the board depend heavily on the nature of the organization.
Executive Management
Chief Executive Officer (CEO)
The CEO is responsible for the entire day-to-day operations of the corporation and reports directly to the chairman and the board of directors. The responsibilities of the CEO depend on the structure and size of the organization. Generally the CEO is responsible for developing and implementing high-level strategies, making major corporate decisions, managing the overall operations and resources of the company, and serving as the main point of communication between the board of directors and corporate operations.
Chief Operating Officer (COO)
The COO is responsible for managing the company’s day-to-day operations and reporting on them to the chief executive officer (CEO).
Chief Financial Officer (CFO)
The CFO is responsible for overseeing the financial data and operations of the entire organization. The CFO’s responsibilities include financial planning, monitoring cash flow, and analyzing the company’s financial strengths and weaknesses.
Chief Information Officer (CIO)
The CIO is responsible for the management and the strategic implementation of information and computer technologies. The CIO analyzes how different technologies can benefit a company or improve an existing business process. The CIO is also responsible for effectively bringing together the business and the technology sides of an organization.
Chief Information Security Officer (CISO)
The CISO is responsible for the vision, strategy and program that ensure information assets are adequately protected. The CISO directs the organization in identifying, developing, implementing and maintaining processes with the goal of reducing information security risks, responding to incidents, establishing appropriate standards and controls, and defining policies. The CISO is also responsible for information-related compliance.
Chief Privacy Officer (CPO)
The CPO is responsible for ensuring that customer, company, and employee data is kept safe and in compliance with privacy laws and regulations. The CPO position is relatively new and was created in response to concerns over the use of personal information, including medical and financial data, and to laws and regulations concerning the protection of an individual’s personal data, such as HIPAA and the Gramm-Leach-Bliley Act.
Information Security Steering Committee
The information security steering committee is an important tool in the quest for a coordinated corporate security strategy, with the goals of reducing duplication in security spending, taking control of complex infrastructure and, ultimately, reducing security risk. The information security committee defines clear responsibilities and well-defined processes based upon five primary organizational roles:
Leadership - the role of the CIO
Analysis/design - the role of developing security policies and effecting security solutions
Security administration - day-to-day administration of access rights, passwords, and so on
Security operations - the role of monitoring the security status of the organization and managing incident response procedures
Awareness communication - the role of designing and managing security awareness training and programs
Roles and Responsibilities
Information/Data owner
An executive, a manager, a designated ‘head’ of a unit, or the person who initiates the creation or storage of the information is the information owner. The information owner is responsible for ensuring that the data is properly classified and that appropriate security controls are in place for each classification category. He/she is also responsible for determining and delegating access policies, selecting data custodians, defining backup and recovery requirements, and performing risk assessments.
Information/Data Custodian
The information custodian is the person responsible for overseeing and implementing the safeguards necessary to protect information assets at the level classified by the information owner. This could be the system administrator controlling access to a computer network, a specific application, or even a standard filing cabinet. The responsibilities of the data custodian include performing backups and restores; implementing and maintaining security controls and audit trails; and validating the integrity of the data.
Application owner
The application owner is an individual responsible for ensuring that the application accomplishes the business objective, specifying the user requirements established for that application and implementing the appropriate security safeguards.
User manager
The user manager is the manager or supervisor of an employee and is responsible for all the company information assets owned or created by that employee. He/she is also responsible for the information assets used by non-employees such as contractors and consultants. The user manager is responsible for notifying security administration of the hire, termination, or transfer of any employee; reporting security incidents; distributing initial passwords for newly created user IDs; and educating employees about security policies, procedures, and standards.
Security Administrator
The security administrator is the person responsible for monitoring and implementing security controls and procedures for a system. The security administrator’s responsibilities include creating and removing user IDs, issuing new passwords, implementing new security software, and ensuring that access rights are in accordance with security policies and guidelines.
Security Analyst
The security analyst is the person responsible for setting security baselines and developing security policies, standards and procedures based on asset value and risk of loss or compromise.
Change Control Analyst
The change control analyst is the person responsible for ensuring that all changes are implemented in a secure fashion; approving or rejecting requests to make changes to information technology systems; and analyzing the impact of the changes.
Data Analyst
The data analyst is the person who specializes in collecting and organizing data and designing data structures to meet business needs. Responsibilities include assisting the data owner with the development of data architectures; designing database structures; and creating, maintaining, and using metadata.
Process owner
The process owner is the person responsible for designing, monitoring and improving the processes necessary to achieve the business objectives.
Solution Provider
A solution provider can be a vendor, a service provider or an application provider that participates in the solution development and delivery processes when deploying a business solution.
End user
The end user is an employee, contractor, consultant or vendor who uses the data for work-related tasks. The responsibilities of the end user include adhering to all information security policies, standards, procedures and guidelines; using the company’s assets and information resources for management-approved purposes only; and maintaining the confidentiality, integrity and availability of the data.
Product Line Manager
The product line manager is the person responsible for understanding the business objectives and the technology required to support them. The responsibilities of the product line manager include ensuring that new releases of software are evaluated and that upgrades are properly implemented, and ensuring compliance with license agreements.
Risk Management
Information risk management is a complex and dynamic task. It is the process of identifying threats and vulnerabilities; assessing and analyzing risk; and reducing, transferring, avoiding or accepting that risk. The main goal of risk management is to select and implement security controls that protect the organization’s assets in the most cost-effective manner, within the constraints of the applicable laws, directives, policies, standards, and regulations.
The Risk Management Processes
General Risk Management Process
The six general steps of risk management are:
1. Identify the assets and their values
2. Assess and analyze the threats
3. Conduct a vulnerability assessment and calculate the risk for each vulnerability
4. Conduct an impact analysis to determine the magnitude of the potential impact
5. Implement security controls to reduce or transfer the risk
6. Repeat the above steps on an ongoing basis, since assets, threats and vulnerabilities change over time
NIST Risk Management Framework
The six steps of the NIST Risk Management Framework (NIST SP 800-37) are:
1. Categorize: categorize the information system and the information it processes, stores and transmits
2. Select: select an initial set of baseline security controls for the information system
3. Implement: implement the security controls and document how the controls are deployed
4. Assess: assess the security controls using appropriate procedures to determine whether they are implemented correctly and operating as intended
5. Authorize: authorize information system operation based upon a determination of the risk to organizational operations and assets
6. Monitor: monitor and assess selected security controls in the information system on an ongoing basis
Revision 2 of SP 800-37 (2018) added a preparatory Prepare step ahead of Categorize.
Risk Response Strategies
Clearly defined risk response strategies help to ensure that the leaders of an organization take ownership of the organizational risk and are responsible and accountable for risk decisions.
The four basic types of responses to risk are:
- Risk Acceptance: tolerating the risk once it is within the organization’s level of risk tolerance; the decision is based on comparing the cost of a security control against its benefit
- Risk Avoidance: eliminating the activity, technology or exposure that gives rise to the risk, for example by not deploying a system whose risk cannot be brought to an acceptable level
- Risk Mitigation: implementing security controls to reduce the level of risk
- Risk Transfer: shifting the financial impact of the risk to a third party, for example by purchasing insurance
Risk Analysis
Risk analysis is the process used to identify and assess the factors that may jeopardize the success of a new project. Risk analysis, also referred to here as Project Impact Analysis (PIA), is conducted in the early stages of the business process development cycle (BPDC), also known as the system development life cycle (SDLC). It is used to document and demonstrate the business reason why a new project should be approved.
Risk analysis is performed to demonstrate that the due diligence obligation was met when deciding whether to approve a new project. It requires an in-depth cost-benefit analysis to be conducted while the proposal is being assessed, before it becomes a live project.
Risk assessment, which is discussed in the next section, is performed in the next phase of the BPDC to identify potential threats, prioritize those threats, and determine controls that can reduce the risk to acceptable levels.
Risk Assessment
Risk assessment is NOT a one-time process that provides permanent and definite information; rather, it is a process that has to be performed on an ongoing basis and across all tiers of the management hierarchy.
Risk assessment is the process of identifying threats and then determining risk levels based on the chosen risk assessment methodology.
The following are the nine steps of the risk assessment process according to NIST (SP 800-30):
1. System Characterization: defines the scope of the risk assessment and the systems that will be analyzed
2. Threat Identification: the threat sources and threat events that could affect the system are identified
3. Vulnerability Identification: the weaknesses that those threats could exploit are identified
4. Control Analysis: the security controls already in place or planned are analyzed
5. Likelihood Determination: the probability that a threat will exploit a vulnerability is rated, taking into account the threat source, the nature of the vulnerability and the existing controls
6. Impact Analysis: the adverse impact of a successful exploit is determined; depending on the approach this can be descriptive, qualitative or quantitative
7. Risk Determination: likelihood and impact are combined into a risk level
8. Control Recommendation: controls that would reduce the risk to an acceptable level are recommended
9. Results Documentation: the results are documented in a risk assessment report
Quantitative Risk Assessment Approach
Quantitative risk assessment evaluates risk based on numbers. This type of assessment most effectively supports cost-benefit analyses of risk responses or courses of action.
Quantitative risk assessment is performed in six main steps:
1. Asset Valuation (AV): assign a monetary value to each asset.
2. Threat Identification: identify the threats that could affect each asset.
3. Exposure Factor (EF) and Single Loss Expectancy (SLE): the exposure factor represents the magnitude of the loss or impact on the asset value from a single occurrence of a threat, expressed as a percentage from 0% to 100%. The SLE is the loss expected from each single occurrence of the threat event:
SLE = AV x EF
where
SLE is Single Loss Expectancy
AV is Asset Value
EF is Exposure Factor
4. Annualized Rate of Occurrence (ARO): the likelihood of each threat taking place in a single year, i.e. the frequency with which the threat is expected to occur per year (a threat expected once every ten years has an ARO of 0.1).
5. Annualized Loss Expectancy (ALE): the expected yearly loss from the threat:
ALE = SLE x ARO
where
ALE is Annualized Loss Expectancy
SLE is Single Loss Expectancy
ARO is Annualized Rate of Occurrence
6. Cost/Benefit Analysis: compare the ALE before and after a proposed safeguard with the annual cost of the safeguard; a safeguard whose annual cost exceeds the reduction in ALE it delivers is not cost-effective.
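The two formulas above carried through in code, as an added example that is not part of the original notes. It computes SLE and ALE for a constructed threat and then applies the common textbook cost/benefit figure value = ALE before the safeguard minus ALE after the safeguard minus the annual cost of the safeguard; that formula is an assumption here, since the page only names the cost/benefit step. The asset value, exposure factors, AROs, safeguard names and costs are invented sample figures.

```python
"""Quantitative risk assessment: SLE, ALE and safeguard cost/benefit ranking."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Threat:
    """One threat against one asset, with the quantitative inputs AV, EF and ARO."""
    name: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost per occurrence (0.0 to 1.0)
    aro: float              # ARO, expected occurrences per year

    def __post_init__(self) -> None:
        # An EF outside 0..100% or a negative AV/ARO is an input error, not a risk figure.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: exposure factor must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: asset value and ARO must be non-negative")

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A proposed control. It may lower the EF (less damage per event), the ARO
    (fewer events per year), or both. A field left as None is unchanged."""
    name: str
    annual_cost: float                     # annual cost of the safeguard
    new_exposure_factor: Optional[float] = None
    new_aro: Optional[float] = None

    def residual(self, threat: Threat) -> Threat:
        """The same threat with this safeguard in place."""
        ef = threat.exposure_factor if self.new_exposure_factor is None else self.new_exposure_factor
        aro = threat.aro if self.new_aro is None else self.new_aro
        return Threat(threat.name, threat.asset_value, ef, aro)


def safeguard_value(threat: Threat, safeguard: Safeguard) -> float:
    """Net annual value of a safeguard (assumed textbook formula, not stated on the page):
    value = ALE_before - ALE_after - annual cost.
    Positive means the safeguard pays for itself; negative means it costs more than it saves."""
    return threat.ale() - safeguard.residual(threat).ale() - safeguard.annual_cost


def rank_safeguards(threat: Threat, safeguards: List[Safeguard]) -> List[Tuple[str, float]]:
    """Safeguards ordered from best to worst net annual value."""
    scored = [(s.name, safeguard_value(threat, s)) for s in safeguards]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed scenario (hypothetical numbers): a customer-facing web server valued
# at 250,000 facing a ransomware threat that destroys 60% of its value about once every two years.
RANSOMWARE = Threat("ransomware on web server", asset_value=250_000.0,
                    exposure_factor=0.6, aro=0.5)

CANDIDATE_SAFEGUARDS = [
    # Offline backups shrink the damage per incident (EF 60% -> 20%) but not its frequency.
    Safeguard("offline backups", annual_cost=10_000.0, new_exposure_factor=0.2),
    # Endpoint detection makes incidents rarer (ARO 0.5 -> 0.1) but is expensive.
    Safeguard("endpoint detection and response", annual_cost=55_000.0, new_aro=0.1),
    # A WAF only trims the frequency (ARO 0.5 -> 0.3) and costs more than it saves.
    Safeguard("web application firewall", annual_cost=70_000.0, new_aro=0.3),
]

if __name__ == "__main__":
    print(f"SLE = {RANSOMWARE.sle():,.0f}  ALE = {RANSOMWARE.ale():,.0f}")
    for name, value in rank_safeguards(RANSOMWARE, CANDIDATE_SAFEGUARDS):
        print(f"{name:32s} net annual value = {value:,.0f}")
```

Running it ranks offline backups first (ALE drops from 75,000 to 25,000 for 10,000 a year), endpoint detection second with a marginal positive value, and the web application firewall last because its annual cost exceeds the 30,000 of ALE it removes. The validation in `Threat.__post_init__` catches the common spreadsheet error of entering an exposure factor as a percentage (60) rather than a fraction (0.6), which would otherwise inflate every downstream figure by a factor of 100.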