Managing risk in information systems darril gibson free pdf

JONES AND BARTLETT LEARNINGJONES & BARTLETT LEARNING INFORMATION SYSTEMS SECURITY & ASSURANCE SERIES

Managing Risk in Information Systems DARRIL GIBSON

91872_TPCP_Gibson.indd 1 7/23/10 2:19 PM

World Headquarters Jones & Bartlett Learning 40 Tall Pine Drive Sudbury, MA 01776 978-443-5000 info@jblearning.com www.jblearning.com

Jones & Bartlett Learning Canada 6339 Ormindale Way Mississauga, Ontario L5V 1J2 Canada

Jones & Bartlett Learning International Barb House, Barb Mews London W6 7PA United Kingdom

Jones & Bartlett Learning books and products are available through most bookstores and online booksellers. To contact Jones & Bartlett Learning directly, call 800-832-0034, fax 978-443-8000, or visit our website, www.jblearning.com.

Substantial discounts on bulk quantities of Jones & Bartlett Learning publications are available to corporations, professional associations, and other qualified organizations. For details and specific discount information, contact the special sales department at Jones & Bartlett Learning via the above contact information or send an email to specialsales@jblearning.com.

Copyright © 2011 by Jones & Bartlett Learning, LLC

All rights reserved. No part of the material protected by this copyright may be reproduced or utilized in any form, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the copyright owner.

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional service. If legal advice or other expert assistance is required, the service of a competent professional person should be sought.

Production Credits Chief Executive Officer: Ty Field President: James Homer SVP, Chief Operating Officer: Don Jones, Jr. SVP, Chief Technology Officer: Dean Fossella SVP, Chief Marketing Officer: Alison M. Pendergast SVP, Chief Financial Officer: Ruth Siporin SVP, Business Development: Christopher Will VP, Design and Production: Anne Spencer VP, Manufacturing and Inventory Control: Therese Connell Editorial Management: High Stakes Writing, LLC, Editor and Publisher: Lawrence J. Goodrich Reprints and Special Projects Manager: Susan Schultz Associate Production Editor: Tina Chen Director of Marketing: Alisha Weisman Associate Marketing Manager: Meagan Norlund Cover Design: Anne Spencer Composition: Mia Saunders Design Cover Image: © ErickN/ShutterStock, Inc. Chapter Opener Image: © Rodolfo Clix/Dreamstime.com Printing and Binding: Malloy, Inc. Cover Printing: Malloy, Inc.

ISBN: 978-0-7637-9187-2

Library of Congress Cataloging-in-Publication Data Unavailable at time of printing

6048 Printed in the United States of America 14 13 12 11 10 10 9 8 7 6 5 4 3 2 1

91872_TPCP_Gibson.indd 2 7/23/10 2:19 PM

iii

Contents

Preface xv

Acknowledgments xvii

part one Risk Management Business Challenges 1

Chapter 1 risk Management Fundamentals 2 What Is Risk? 4

Compromise of Business Functions 4 Compromise of Business Assets 5 Driver of Business Costs 6 Profi tability Versus Survivability 6

What Are the Major Components of Risk to an IT Infrastructure? 7

Seven Domains of a Typical IT Infrastructure 7 Threats, Vulnerabilities, and Impact 12

Risk Management and Its Importance to the Organization 13

How Risk Affects an Organization’s Survivability 14 Reasonableness 15 Balancing Risk and Cost 15 Role-Based Perceptions of Risk 16

Risk Identifi cation Techniques 18

Identifying Threats 18 Identifying Vulnerabilities 19 Pairing Threats with Vulnerabilities 22

Risk Management Techniques 23

Avoidance 23 Transfer 23 Mitigation 24 Acceptance 24 Cost-Benefi t Analysis 25 Residual Risk 26

Chapter SUMMarY 27

KeY ConCeptS and terMS 27

Chapter 1 aSSeSSMent 28

iv Contents

Chapter 2 Managing risk: threats, Vulnerabilities, and exploits 29 Understanding and Managing Threats 30

The Uncontrollable Nature of Threats 30 Unintentional Threats 31 Intentional Threats 32 Best Practices for Managing Threats Within Your IT Infrastructure 34

Understanding and Managing Vulnerabilities 35

Threat/Vulnerability Pairs 36 Vulnerabilities Can Be Mitigated 37 Mitigation Techniques 38 Best Practices for Managing Vulnerabilities Within Your IT Infrastructure 40

Understanding and Managing Exploits 41

What Is an Exploit? 41 How Do Perpetrators Initiate an Exploit? 44 Where Do Perpetrators Find Information About Vulnerabilities and Exploits? 46 Mitigation Techniques 47 Best Practices for Managing Exploits Within Your IT Infrastructure 48

U.S. Federal Government Risk Management Initiatives 48

National Institute of Standards and Technology 49 Department of Homeland Security 50 National Cyber Security Division 51 US Computer Emergency Readiness Team 51 The MITRE Corporation and the CVE List 52

Chapter SUMMarY 54

KeY ConCeptS and terMS 54

Chapter 2 aSSeSSMent 55

Chapter 3 Maintaining Compliance 57 Compliance 58

Federal Information Security Management Act 59 Health Insurance Portability and Accountability Act 59 Gramm-Leach-Bliley Act 62 Sarbanes-Oxley Act 62 Family Educational Rights and Privacy Act 62 Children’s Internet Protection Act 63

Regulations Related to Compliance 64

Securities and Exchange Commission 65 Federal Deposit Insurance Corporation 65 Department of Homeland Security 65 Federal Trade Commission 65 State Attorney General 67 U.S. Attorney General 67

Contents v

Organizational Policies for Compliance 68

Standards and Guidelines for Compliance 69

Payment Card Industry Data Security Standard 70 National Institute of Standards and Technology 72 Generally Accepted Information Security Principles 73 Control Objectives for Information and Related Technology 73 International Organization for Standardization 74 International Electrotechnical Commission 76 Information Technology Infrastructure Library 77 Capability Maturity Model Integration 79 Department of Defense Information Assurance Certification

and Accreditation Process 81

Chapter SUMMarY 82

KeY ConCeptS and terMS 82

Chapter 3 aSSeSSMent 83

Chapter 4 developing a risk Management plan 85 Objectives of a Risk Management Plan 86

Objectives Example: Web Site 87 Objectives Example: HIPAA Compliance 88

Scope of a Risk Management Plan 89

Scope Example: Web Site 91 Scope Example: HIPAA Compliance 91

Assigning Responsibilities 92

Responsibilities Example: Web Site 93 Responsibilities Example: HIPAA Compliance 93

Describing Procedures and Schedules for Accomplishment 94

Procedures Example: Web Site 96 Procedures Example: HIPAA Compliance 97

Reporting Requirements 97

Present Recommendations 97 Document Management Response to Recommendations 102 Document and Track Implementation of Accepted Recommendations 103

Plan of Action and Milestones 103

Charting the Progress of a Risk Management Plan 106

Milestone Plan Chart 106 Gantt Chart 106 Critical Path Chart 107

Chapter SUMMarY 109

KeY ConCeptS and terMS 109

Chapter 4 aSSeSSMent 109

vi Contents

part tWo Mitigating Risk 111

Chapter 5 defi ning risk assessment approaches 112 Understanding Risk Assessment 113

Importance of Risk Assessments 114 Purpose of a Risk Assessment 114

Critical Components of a Risk Assessment 115

Identify Scope 115 Identify Critical Areas 116 Identify Team 117

Types of Risk Assessments 117

Quantitative Risk Assessments 118 Qualitative Risk Assessments 120 Comparing Quantitative and Qualitative Risk Assessments 128

Risk Assessment Challenges 129

Using a Static Process to Evaluate a Moving Target 130 Availability 131 Data Consistency 131 Estimating Impact Effects 133 Providing Results That Support Resource Allocation and Risk Acceptance 134

Best Practices for Risk Assessment 135

Chapter SUMMarY 136

KeY ConCeptS and terMS 136

Chapter 5 aSSeSSMent 137

Chapter 6 performing a risk assessment 138 Selecting a Risk Assessment Methodology 139

Defi ning the Assessment 140 Review Previous Findings 142

Identifying the Management Structure 143

Identifying Assets and Activities Within Risk Assessment Boundaries 144

System Access and System Availability 145 System Functions 146 Hardware and Software Assets 147 Personnel Assets 148 Data and Information Assets 148 Facilities and Supplies 148

Identifying and Evaluating Relevant Threats 149

Reviewing Historical Data 150 Modeling 150

Contents vii

Identifying and Evaluating Relevant Vulnerabilities 151

Vulnerability Assessments 151 Exploit Assessments 152

Identifying and Evaluating Countermeasures 153

In-Place and Planned Countermeasures 153 Control Categories 154

Selecting a Methodology Based on Assessment Needs 157

Quantitative 157 Qualitative 158

Develop Mitigating Recommendations 159

Threat/Vulnerability Pairs 159 Estimate of Cost and Time to Implement 160 Estimate of Operational Impact 160 Prepare Cost-Benefit Analysis 161

Present Risk Assessment Results 162

Best Practices for Performing Risk Assessments 162

Chapter SUMMarY 163

KeY ConCeptS and terMS 164

Chapter 6 aSSeSSMent 164

Chapter 7 Identifying assets and activities to Be protected 166 System Access and Availability 167

System Functions: Manual and Automated 170

Manual Methods 170 Automated Methods 170

Hardware Assets 171

Software Assets 173

Personnel Assets 174

Data and Information Assets 175

Organization 177 Customer 178 Intellectual Property 178 Data Warehousing and Data Mining 179

Asset and Inventory Management Within the Seven Domains of a Typical IT Infrastructure 181

User Domain 182 Workstation Domain 183 LAN Domain 183 LAN-to-WAN Domain 183 WAN Domain 184 Remote Access Domain 185 System/Application Domain 185

viii Contents

Identifying Facilities and Supplies Needed to Maintain Business Operations 186

Mission-Critical Systems and Applications Identification 186 Business Impact Analysis Planning 187 Business Continuity Planning 188 Disaster Recovery Planning 189 Business Liability Insurance Planning 190 Asset Replacement Insurance Planning 190

Chapter SUMMarY 191

KeY ConCeptS and terMS 192

Chapter 7 aSSeSSMent 192

Chapter 8 Identifying and analyzing threats, Vulnerabilities, and exploits 194 Threat Assessments 195

Techniques for Identifying Threats 198 Best Practices for Threat Assessments Within the Seven Domains

of a Typical IT Infrastructure 202

Vulnerability Assessments 203

Documentation Review 204 Review of System Logs, Audit Trails, and Intrusion Detection System Outputs 205 Vulnerability Scans and Other Assessment Tools 206 Audits and Personnel Interviews 207 Process Analysis and Output Analysis 208 System Testing 209 Best Practices for Performing Vulnerability Assessments

Within the Seven Domains of a Typical IT Infrastructure 213

Exploit Assessments 214

Identify Exploits 214 Mitigate Exploits with a Gap Analysis and Remediation Plan 218 Implement Configuration or Change Management 218 Verify and Validate the Exploit Has Been Mitigated 219 Best Practices for Performing Exploit Assessments Within an IT Infrastructure 219

Chapter SUMMarY 220

KeY ConCeptS and terMS 220

Chapter 8 aSSeSSMent 220

Chapter 9 Identifying and analyzing risk Mitigation Security Controls 222 In-Place Controls 223

Planned Controls 223

Control Categories 224

NIST Control Classes 224

Contents ix

Administrative Control Examples 228

Policies and Procedures 229 Security Plans 230 Insurance and Bonding 231 Background Checks and Financial Checks 232 Data Loss Prevention Program 233 Awareness and Training 234 Rules of Behavior 234 Software Testing 235

Technical Control Examples 235

Logon Identifier 236 Session Timeout 236 System Logs and Audit Trails 237 Data Range and Reasonableness Checks 238 Firewalls and Routers 239 Encryption 240 Public Key Infrastructure (PKI) 241

Physical Control Examples 243

Locked Doors, Guards, Access Logs, and Closed-Circuit Television (CCTV) 243 Fire Detection and Suppression 244 Water Detection 245 Temperature and Humidity Detection 245 Electrical Grounding and Circuit Breakers 246

Best Practices for Risk Mitigation Security Controls 247

Chapter SUMMarY 248

KeY ConCeptS and terMS 248

Chapter 9 aSSeSSMent 249

Chapter 10 planning risk Mitigation throughout Your organization 250 Where Should Your Organization Start with Risk Mitigation? 251

What Is the Scope of Risk Management for Your Organization? 252

Critical Business Operations 253 Customer Service Delivery 254 Mission-Critical Business Systems, Applications, and Data Access 255 Seven Domains of a Typical IT Infrastructure 258 Information Systems Security Gap 262

Understanding and Assessing the Impact of Legal and Compliance Issues on Your Organization 263

Legal Requirements, Compliance Laws, Regulations, and Mandates 264 Assessing the Impact of Legal and Compliance Issues on Your Business Operations 266

Translating Legal and Compliance Implications for Your Organization 270

Assessing the Impact of Legal and Compliance Implications on the Seven Domains of a Typical IT Infrastructure 270

x Contents

Assessing How Security Countermeasures and Safeguards Can Assist with Risk Mitigation 271

Understanding the Operational Implications of Legal and Compliance Requirements 272

Identifying Risk Mitigation and Risk Reduction Elements for the Entire Organization 272

Performing a Cost-Benefit Analysis 273

Best Practices for Planning Risk Mitigation Throughout Your Organization 275

Chapter SUMMarY 276

KeY ConCeptS and terMS 276

Chapter 10 aSSeSSMent 276

Chapter 11 turning Your risk assessment Into a risk Mitigation plan 278 Review the Risk Assessment for Your IT Infrastructure 279

Overlapping Countermeasures 280 Matching Threats with Vulnerabilities 281 Identifying Countermeasures 282

Translating Your Risk Assessment into a Risk Mitigation Plan 285

Cost to Implement 285 Time to Implement 289 Operational Impact 292

Prioritizing Risk Elements That Require Risk Mitigation 293

Using a Threat/Vulnerability Matrix 293 Prioritizing Countermeasures 294

Verifying Risk Elements and How These Risks Can Be Mitigated 296

Performing a Cost-Benefit Analysis on the Identified Risk Elements 297

Calculate the CBA 298 A CBA Report 298

Implementing a Risk Mitigation Plan 299

Stay Within Budget 300 Stay on Schedule 300

Following Up on the Risk Mitigation Plan 303

Ensuring Countermeasures Are Implemented 303 Ensuring Security Gaps Have Been Closed 304

Best Practices for Enabling a Risk Mitigation Plan from Your Risk Assessment 305

Chapter SUMMarY 306

KeY ConCeptS and terMS 306

Chapter 11 aSSeSSMent 307

Contents xi

part three Risk Mitigation Plans 309

Chapter 12 Mitigating risk with a Business Impact analysis 310 What Is a Business Impact Analysis? 311

Collecting Data 312 Varying Data Collection Methods 313

Defi ning the Scope of Your Business Impact Analysis 314

Objectives of a Business Impact Analysis 315

Identify Critical Business Functions 317 Identify Critical Resources 318 Identify MAO and Impact 319 Direct Costs 320 Indirect Costs 321 Identify Recovery Requirements 322

The Steps of a Business Impact Analysis Process 324

Identify the Environment 325 Identify Stakeholders 325 Identify Critical Business Functions 326 Identify Critical Resources 326 Identify Maximum Downtime 327 Identify Recovery Priorities 328 Develop BIA Report 328

Identifying Mission-Critical Business Functions and Processes 329

Mapping Business Functions and Processes to IT Systems 331

Best Practices for Performing a BIA for Your Organization 331

Chapter SUMMarY 333

KeY ConCeptS and terMS 333

Chapter 12 aSSeSSMent 333

endnote 334

Chapter 13 Mitigating risk with a Business Continuity plan 335 What Is a Business Continuity Plan (BCP)? 336

Elements of a BCP 337

Purpose 339 Scope 339 Assumptions and Planning Principles 339 System Description and Architecture 342 Responsibilities 346 Notifi cation/Activation Phase 349 Recovery Phase 353

xii Contents

Reconstitution Phase (Return to Normal Operations) 354 Plan Training, Testing, and Exercises 356 Plan Maintenance 359

How Does a BCP Mitigate an Organization’s Risk? 360

Best Practices for Implementing a BCP for Your Organization 361

Chapter SUMMarY 362

KeY ConCeptS and terMS 362

Chapter 13 aSSeSSMent 362

Chapter 14 Mitigating risk with a disaster recovery plan 364 What Is a Disaster Recovery Plan (DRP)? 365

Need 367 Purpose 367

Critical Success Factors 368

What Management Must Provide 368 What DRP Developers Need 369 Primary Concerns 370 Disaster Recovery Financial Budget 377

Elements of a DRP 378

Purpose 379 Scope 380 Disaster/Emergency Declaration 381 Communications 381 Emergency Response 382 Activities 382 Recovery Steps and Procedures 383 Critical Business Operations 384 Recovery Procedures 385 Critical Operations, Customer Service, and Operations Recovery 385 Testing 386 Maintenance and DRP Update 387

How Does a DRP Mitigate an Organization’s Risk? 388

Best Practices for Implementing a DRP for Your Organization 388

Chapter SUMMarY 390

KeY ConCeptS and terMS 390

Chapter 14 aSSeSSMent 390

Contents xiii

Chapter 15 Mitigating risk with a Computer Incident response team plan 392 What Is a Computer Incident Response Team (CIRT) Plan? 393

Purpose of a CIRT Plan 395

Elements of a CIRT Plan 397

CIRT Members 397 CIRT Policies 400 Incident Handling Process 401 Communication Escalation Procedures 410 Incident Handling Procedures 411

How Does a CIRT Plan Mitigate an Organization’s Risk? 416

Best Practices for Implementing a CIRT Plan for Your Organization 417

Chapter SUMMarY 418

KeY ConCeptS and terMS 418

Chapter 15 aSSeSSMent 418

appendIx a answer Key 421

appendIx B Standard acronyms 423

Glossary of Key terms 425

references 437

Index 443

To my wife, who has enriched my life in so many ways over the past 18 years.

I’m looking forward to 18 more.

xv

preface

purpose of this Book

This book is part of the Information Systems Security & Assurance Series from Jones & Bartlett Learning (www.jblearning.com). Designed for courses and curriculums in IT Security, Cyber Security, Information Assurance, and Information Systems Security, this series features a comprehensive, consistent treatment of the most current thinking and trends in this critical subject area. These titles deliver fundamental information- security principles packed with real-world applications and examples. Authored by Certifi ed Information Systems Security Professionals (CISSPs), they deliver comprehensive information on all aspects of information security. Reviewed word for word by leading technical experts in the fi eld, these books are not just current, but forward-thinking— putting you in the position to solve the cyber security challenges not just of today, but of tomorrow, as well.

This book provides a comprehensive view of managing risk in information systems. It covers the fundamentals of risk and risk management and also includes in-depth details on more comprehensive risk management topics. It is divided into three major parts.

Part 1, Risk Management Businesses Challenges, addresses many of the issues relevant to present-day businesses. It covers details of risks, threats, and vulnerabilities. Topics help students understand the importance of risk management in the organization, including many of the techniques used to manage risks. Many of the current laws are presented with clear descriptions of how they are relevant in organizations. It also includes a chapter describing the contents of a risk management plan.

Part 2, Mitigating Risk, focuses on risk assessments. Topics presented include different risk-assessment approaches including the overall steps in performing a risk assessment. It covers the importance of identifying assets and then identifying potential threats, vulnerabilities, and exploits against these assets. Chapter 9 covers the different types of controls that you can use to mitigate risk. The last two chapters in this part identify how to plan risk mitigation throughout the organization and convert the risk assessment into a risk management plan.

Part 3, Risk Mitigation Plans, cover the many different elements of risk mitigation plans such as a business impact analysis and a business continuity plan. The last two chapters cover disaster recovery and computer incident recovery team plans.

xvi Preface

Learning Features

The writing style of this book is practical and conversational. Each chapter begins with a statement of learning objectives. Step-by-step examples of information security concepts and procedures are presented throughout the text. Illustrations are used both to clarify the material and to vary the presentation. The text is sprinkled with Notes, Tips, FYIs, Warnings, and sidebars to alert the reader to additional and helpful information related to the subject under discussion. Chapter Assessments appear at the end of each chapter, with solutions provided in the back of the book.

Chapter summaries are included in the text to provide a rapid review or preview of the material and to help students understand the relative importance of the concepts presented.

audience

The material is suitable for undergraduate or graduate computer science majors or information science majors, students at a two-year technical college or community college who have a basic technical background, or readers who have a basic understanding of IT security and want to expand their knowledge.

xvii

acknowledgments

I would like to thank Jones & Bartlett Learning for this opportunity to write a detailed and practical information security textbook. I would also like to thank Jeff T. Parker, the technical reviewer, for his outstanding feedback and recommendations, and Kim Lindros the project editor. Kim managed the project from beginning to end, reviewing and ferrying all of the pieces that fl owed between me and Jones & Bartlett Learning. Kim was a pleasure to work with and made even the most challenging elements of this project simpler. Thanks again, Kim!

About the Author

Darril Gibson is the CEO of Security Consulting and Training, LLC. He regularly teaches, writes, and consults on a wide variety of security and technical topics. He’s been a Microsoft Certified Trainer for more than 10 years and holds several certifications, including MCSE, MCDBA, MCSD, MCITP, ITIL v3, Security, and CISSP. He has authored, coauthored, or contributed to 10 books including the successful Security: Get Certified, Get Ahead.

PaRT ONe

Risk Management Business Challenges

Risk Management Fundamentals 2

Managing Risk: Threats, Vulnerabilities, and Exploits 29

Managing Compliance 57

Developing a Risk Management Plan 85

2

1 CHaPTeR Risk Management

Fundamentals

R ISK MANAGEMENT IS IMPORTANT to the success of every company—a company that takes no risks doesn’t thrive. On the other hand, a company that ignores risk can fail when a single threat is exploited.  Nowadays,  information technology (IT) systems contribute to the success  of most com panies. If you don’t properly manage IT risks, they can also  contribute to your company’s failure.

Effective risk management starts by understanding threats and vulnerabilities.  You build on this knowledge by identifying ways to mitigate the risks. Risks  can be mitigated by reducing vulnerabilities or reducing the impact of the risk.  You can then create different plans to mitigate risks in different areas of  the company. A company typically has several risk mitigation plans in place. 

Risk management is presented in three parts in this textbook. Part 1 is titled  “Risk Management Business Challenges.” It lays a foundation for the book,  with defi nitions of many of the terms and techniques of risk management.  It fi nishes with details on how to develop a risk management plan. Part 2 is  titled “Mitigating Risk.” This section covers risk assessments. Once you identify  risks, you can take steps to reduce them. It ends with methods for turning a risk  assessment into a risk mitigation plan. Part 3 is titled “Risk Management Plans.”  Here you learn how to create and implement several different plans, such as  the business continuity plan and the disaster recovery plan.

This book can help you build a solid foundation in risk management as  it relates to information system security. It won’t make you an expert. Many  of the topics presented in a few paragraphs in this book can fi ll entire chapters  or even entire books. You’ll fi nd a list of resources at the end of the book.  Use these resources to dig deeper into the topics that interest you. The more  you learn, the closer you’ll be to becoming the expert that others seek to solve  their problems.

Chapter 1 Topics

This chapter covers the following topics and concepts:

•  What risk is and what its relationship to threat, vulnerability, and loss is

•  What the major components of risk to an IT infrastructure are

•  What risk management is and how it is important to the organization

•  What some risk identifi cation techniques are

•  What some risk management techniques are

Chapter 1 Goals

When you complete this chapter, you will be able to:

•  Defi ne risk 

•  Identify the major components of risk 

•  Describe the relationship between threats and vulnerabilities, and impact

•  Defi ne risk management 

•  Describe risk management’s relationship with profi tability and survivability 

•  Explain the relationship between the cost of loss and the cost of risk management 

•  Describe how risk is perceived by different roles within an organization 

•  Identify threats 

•  List the different categories of threats 

•  Describe techniques to identify vulnerabilities 

•  Identify and defi ne risk management techniques 

•  Describe the purpose of a cost-benefi t analysis (CBA) 

•  Defi ne residual risk

1 Risk M

anagem ent

Fundam entals

3

4 PART 1 | Risk Management Business Challenges

What Is Risk?

Risk is the likelihood that a loss will occur. Losses occur when a threat exposes a vulnerability. Organizations of all sizes face risks. Some risks are so severe they cause a business to fail. Other risks are minor and can be accepted without another thought. Companies use risk management techniques to identify and differentiate severe risks from minor risks. When this is done properly, administrators and managers can intelligently decide what to do about any type of risk. The end result is a decision to avoid, transfer, mitigate, or accept a risk.

The common themes of these defi nitions are threat, vulnerability, and loss. Even though the common body of knowledge (CBK)— see note —doesn’t specifi cally mention loss, it implies it. Here’s a short defi nition of each of these terms:

•  Threat—A threat is any activity that represents a possible danger.

•  Vulnerability—A vulnerability is a weakness.

•  Loss—A loss results in a compromise to business functions or assets.

Risks to a business can result in a loss that negatively affects the business. A business commonly tries to limit its exposure to risks. The overall goal is to reduce the losses that can occur from risk. Business losses can be thought of in the following terms:

•  Compromise of business functions

•  Compromise of business assets

•  Driver of business costs

Compromise of Business Functions Business functions are the activities a business performs to sell products or services. If any of these functions are negatively affected, the business won’t be able to sell as much. The business will earn less revenue, resulting in an overall loss.

Here are a few examples of business functions and possible compromises:

•  Salespeople regularly call or e­mail customers. If the capabilities of either phones or e­mail are reduced, sales are reduced.

•  A Web site sells products on the Internet. If the Web site is attacked and fails, sales are lost.

•  Authors write articles that must be submitted by a deadline to be published. If the author’s PC becomes infected with a virus, the deadline passes and the article’s value is reduced.

NOTE

The Offi cial (ISC)2 Guide to the SSCP CBK provides a more technical defi nition of risk. Risk is “the probability that a particular security threat will exploit a particular vulnerability.” If you’re not familiar with the alphabet soup, the (ISC)2

System Security Certifi ed Practitioner (SSCP) certifi cation includes seven domains that are derived from a common body of knowledge (CBK).

NOTE

Threats and vulnerabilities are explored in much more depth later in this chapter, and later in this book.

CHAPTER 1 | Risk Management Fundamentals 5

1 Risk M

anagem ent

Fundam entals

•  Analysts compile reports used by management to make decisions. Data is gathered from internal servers and Internet sources. If network connectivity fails, analysts won’t have access to current data. Management could make decisions based on inaccurate information.

•  A warehouse application is used for shipping products that have been purchased. It identifies what has been ordered, where the products need to be sent, and where they are located. If the application fails, products aren’t shipped on time.

Because compromises to any of these business functions can result in a loss of revenue, they all represent risks. One of the tasks when considering risk is identifying the impor­ tant functions for a business.

The importance of any business function is relative to the business. In other words, the failure of a Web site for one company may be catastrophic if all products and services are sold through the Web site. Another company may host a Web site to provide information to potential customers. If it fails, it will have less impact on the business.

Compromise of Business Assets A business asset is anything that has measurable value to a company. If an asset has the potential of losing value, it is at risk. Value is defined as the worth of an asset to a business. Value can often be expressed in monetary terms, such as $5,000.

Assets can have both tangible and intangible values. The tangible value is the actual cost of the asset. The intangible value is value that cannot be measured by cost, such as client confidence. Generally acceptable accounting principles (GAAP) refer to client confi­ dence as goodwill.

Imagine that your company sells products via a Web site. The Web site earns $5,000 an hour in revenue. Now, imagine that the Web server hosting the Web site fails and is down for two hours. The costs to repair it total $1,000. What is the tangible loss?

•  Lost revenue—$5,000 times two hours 5 $10,000

•  Repair costs—$1,000

•  Total tangible value—$11,000

The intangible value isn’t as easy to calculate but is still very important. Imagine that several customers tried to make a purchase when the Web site was down. If the same product is available somewhere else, they probably bought the product elsewhere. That lost revenue is the tangible value.

However, if the experience is positive with the other business, where will the customers go the next time they want to purchase this product? It’s very possible the other business has just gained new customers and you have lost some. The intangible value includes:

•  Future lost revenue—Any additional purchases the customers make with the other company is a loss to your company.

•  Cost of gaining the customer—A lot of money is invested to attract customers. It is much easier to sell to a repeat customer than it is to acquire a new customer. If you lose a customer, you lose the investment.

6 PART 1 | Risk Management Business Challenges

•  Customer influence—Customers have friends, families, and business partners. They commonly share their experience with others, especially if the experience is exceptionally positive or negative.

Some examples of tangible assets are:

•  Computer systems—Servers, desktop PCs, and mobile computers are all tangible assets.

•  Network components—Routers, switches, firewalls, and any other components necessary to keep the network running are assets.

•  Software applications—Any application that can be installed on a computer system is considered a tangible asset.

•  Data—This includes the large­scale databases that are integral to many businesses. It also includes the data used and manipulated by each employee or customer.

One of the early steps in risk management is associated with identifying the assets of a company and their associated costs. This data is used to prioritize risks for different assets. Once a risk is prioritized, it becomes easier to identify risk management processes to protect the asset.

Driver of Business Costs Risk is also a driver of business costs. Once risks are identified, steps can be taken to reduce or manage the risk. Risks are often managed by implementing countermeasures or controls. The costs of managing risk need to be considered in total business costs.

If too much money is spent on reducing risk, the overall profit is reduced. If too little money is spent on these controls, a loss could result from an easily avoidable threat and/or vulnerability.

Profitability Versus Survivability Both profitability and survivability must be considered when considering risks.

•  Profitability—The ability of a company to make a profit. Profitability is calculated as revenues minus costs.

•  Survivability—The ability of a company to survive loss due to a risk. Some losses such as fire can be disastrous and cause the business to fail.

In terms of profitability, a loss can ruin a business. In terms of survivability, a loss may cause a company never to earn a profit. The costs associated with risk management don’t contribute directly to revenue gains. Instead, these costs help to ensure that a company can continue to operate even if it incurs a loss.

When considering profitability and survivability, you will want to consider the following items:

CHAPTER 1 | Risk Management Fundamentals 7

1 Risk M

anagem ent

Fundam entals

•  Out-of-pocket costs—The cost to reduce risks comes from existing funds.

•  Lost opportunity costs—Money spent to reduce risks can’t be spent elsewhere. This may result in lost opportunities if the money could be used for some other purpose.

•  Future costs—Some countermeasures require ongoing or future costs. These costs could be for renewing hardware or software. Future costs can also include the cost of employees to implement the countermeasures.

•  Client/stakeholder confi dence—The value of client and stakeholder confi dence is also important. If risks aren’t addressed, clients or stakeholders may lose confi dence when a threat exploits a vulnerability, resulting in a signifi cant loss to the company.

Consider antivirus software. The cost to install antivirus software on every computer in the organization can be quite high. Every dollar spent reduces the overall profi t, and antivirus software doesn’t have the potential to add any profi t.

However, what’s the alternative? If antivirus software is not installed, every system represents a signifi cant risk. If any system becomes infected, a virus could release a worm as a payload and infect the entire network. Databases could be corrupted. Data on fi le servers could be erased. E­mail servers could crash. The entire business could grind to a halt. If this happens too often or for too long the business could fail.

What Are the Major Components of Risk to an IT Infrastructure?

When you start digging into risk and risk management, you’ll realize there is a lot to consider. Luckily, there are several methods and techniques used to break down the topics into smaller chunks.

One method is to examine the seven domains of a typical IT infrastructure. You can examine risks within each domain separately. When examining risks for any domain, you’ll look at threats, vulnerabilities and impact. The following sections explore these topics.

Seven Domains of a Typical IT Infrastructure There are a lot of similarities between different IT organizations. For example, any IT organization will have users and computers. There are seven domains of a typical IT infrastructure.

Figure 1­1 shows the seven domains of a typical IT infrastructure. Refer to this fi gure when reading through the descriptions of these domains.

When considering risk management, you can examine each of these domains separately. Each domain represents a possible target for an attacker. Some attackers have the skill and aptitude to con users so they focus on the User Domain. Other attackers may be experts in specifi c applications so they focus on the System/Application Domain.

NOTE These seven domains are also explored in Chapters 7, 8, and 10. Chapter 7 covers these domains as they relate to asset and inventory management. Chapter 8 covers them as they relate to threat assessments. Chapter 10 covers them as they relate to risk management.

8 PART 1 | Risk Management Business Challenges

An attacker only needs to be able to exploit vulnerabilities in one domain. However, a business must provide protection in each of the domains. A weakness in any one of the domains can be exploited by an attacker even if the other six domains have no vulnerabilities.

User Domain The User Domain includes people. They can be users, employees, contractors, or consul­ tants. The old phrase that a chain is only as strong as its weakest link applies to IT security too. People are often the weakest link in IT security.

You could have the strongest technical and physical security available. However, if personnel don’t understand the value of security, the security can be bypassed. For example, technical security can require strong, complex passwords that can’t be easily cracked. However, a social engineer can convince an employee to give up the password. Additionally, users may simply write their password down. Some users assume that no one will ever think of looking at the sticky note under their keyboard.

Users can visit risky Web sites, and download and execute infected software. They may unknowingly bring viruses from home via universal serial bus (USB) thumb drives. When they plug in the USB drive the work computer becomes infected. This in turn can infect other computers and the entire network.

7-Domains of a Typical IT Infrastructure

User Domain

Workstation Domain

Computer

LAN Domain

Hub

Server

LAN-to-WAN Domain

Firewall

Router Firewall

Mainframe Application & Web Servers

Remote Access Domain

System/Application Domain

Computer

FiguRe 1-1

The seven domains of a typical IT infrastructure.

CHAPTER 1 | Risk Management Fundamentals 9

1 Risk M

anagem ent

Fundam entals

Workstation Domain The workstation is the end user’s computer. The workstation is susceptible to malicious software, also known as malware. The workstation is vulnerable if it is not kept up to date with recent patches.

If antivirus software isn’t installed, the workstation is also vulnerable. If a system is infected, the malware can cause significant harm. Some malware infects a single system. Other malware releases worm components that can spread across the network.

Antivirus companies regularly update virus definitions as new malware is discovered. In addition to installing the antivirus software, companies must also update software regularly with new definitions. If the antivirus software is installed and up to date, the likelihood of a system becoming infected is reduced.

Bugs and vulnerabilities are constantly being discovered in operating systems and applications. Some of the bugs are harmless. Others represent significant risks.

Demystifying Social Engineering

Social engineering is a common technique used to trick people into revealing sensitive  information. Leonardo DiCaprio played Frank Abagnale in the movie Catch Me If You Can,  which demonstrated the power of social engineering. A social engineer doesn’t just say  “give me your secrets.” Instead, the attacker uses techniques such as flattery and conning.

A common technique used in vulnerability assessments is to ask employees to give their  user name and password. The request may come in the form of an e-mail, a phone call,   or even person-to-person. 

One common method used in vulnerability assessments is to send an e-mail requesting   a user name and password. The e-mail is modified so that it looks as if it’s coming from an  executive. The e-mail adds a sense of urgency and may include a reference to an important  project. From the user’s perspective here’s what they receive:

From: CEO

Subj: Project upgrade

All,

The XYZ project is at risk of falling behind. As you know this is integral to our success in the coming year. We’re having a problem with user authentication. We think it’s because passwords may have special characters that aren’t recognized.

I need everyone to reply to this e-mail with your user name and password. We must complete this test today so please respond as soon as you receive this e-mail.

Thanks for your assistance.

When employees are trained to protect their password, they usually recognize the risks   and don’t reply. However, it has been shown that when employees aren’t trained, as many  as 70 percent of the employees may respond. 

10 PART 1 | Risk Management Business Challenges

Microsoft and other software vendors regularly release patches and fi xes that can be applied. When systems are kept updated, these fi xes help keep the systems protected. When systems aren’t updated, the threats can become signifi cant.

LAN Domain The LAN Domain is the area that is inside the fi rewall. It can be a few systems connected together in a small home offi ce network. It can also be a large network with thousands of computers. Each individual device on the network must be protected or all devices can be at risk.

Network devices such as hubs, switches, and routers are used to connect the systems together on the local area network (LAN). The internal LAN is generally considered a trusted zone. Data transferred within the LAN isn’t protected as thoroughly as if it were sent outside the LAN.

As an example, sniffi ng attacks occur when an attacker uses a protocol analyzer to capture data packets. A protocol analyzer is also known as a sniffer. An experienced attacker can read the actual data within these packets.

If hubs are used instead of switches, there is an increased risk of sniffi ng attacks. An attacker can plug into any port in the building and potentially capture valuable data.

If switches are used instead of hubs, the attacker must have physical access to the switch to capture the same amount of data. Most organi­ zations protect network devices in server rooms or wiring closets.

LAN-to-WAN Domain The LAN­to­WAN Domain connects the local area network to the wide area network (WAN). The LAN Domain is considered a trusted zone since it is controlled by a company. The WAN Domain is considered an untrusted zone because it is not controlled and is accessible by attackers.

The area between the trusted and untrusted zones is protected with one or more fi rewalls. This is also called the boundary, or the edge. Security here is referred to as boundary protection or edge protection.

The public side of the boundary is often connected to the Internet and has public Internet Protocol (IP) addresses. These IP addresses are accessible from anywhere in the world, and attackers are constantly probing public IP addresses. They look for vul nerabilities and when one is found, they pounce.

A high level of security is required to keep the LAN­to­WAN Domain safe.

Remote Access Domain Mobile workers often need access to the private LAN when they are away from the company. Remote access is used to grant mobile workers this access. Remote access can be granted via direct dial­up connections or using a virtual private network (VPN) connection.

NOTE

Many organizations outlaw the use of hubs within the LAN. Switches are more expensive. However, they reduce the risk of sniffi ng attacks.

CHAPTER 1 | Risk Management Fundamentals 11

A VPN provides access to a private network over a public network. The public network used by VPNs is most commonly the Internet. Since the Internet is largely untrusted and has known attackers, remote access represents a risk. Attackers can access unprotected connections. They can also try to break into the remote access servers. Using a VPN is an example of a control to lessen the risk. But VPNs have their vulnerabilities, too.

Vulnerabilities exist at two stages of the VPN connection:

•  The fi rst stage is authentication. Authentication is when the user provides credentials to prove identity. If these credentials can be discovered, the attacker can later use them to imper­ sonate the user.

•  The second stage is when data is passed between the user and the server. If the data is sent in clear text, an attacker can capture and read the data.

WAN Domain For many businesses, the WAN is the Internet. However, a business can also lease semiprivate lines from private telecommunications companies. These lines are semi­ private because they are rarely leased and used by only a single company. Instead, they are shared with other unknown companies.

As mentioned in the LAN­to­WAN Domain, the Internet is an untrusted zone. Any host on the Internet with a public IP address is at signifi cant risk of attack. Moreover, it is fully expected that any host on the Internet will be attacked.

Semiprivate lines aren’t as easily accessible as the Internet. However, a company rarely knows who else is sharing the lines. These leased lines require the same level of security provided to any host in the WAN Domain.

A signifi cant amount of security is required to keep hosts in the WAN Domain safe.

System/Application Domain The System/Application Domain refers to servers that host server­level applications. Mail servers receive and send e­mail for clients. Database servers host databases that are accessed by users, applications, or other servers. Domain Name System (DNS) servers provide names to IP addresses for clients.

You should always protect servers using best practices: Remove unneeded services and protocols. Change default passwords. Regularly patch and update the server systems. Enable local fi rewalls.

One of the challenges with servers in the System/Application Domain is that the knowledge becomes specialized. People tend to focus on areas of specialty. For example, common security issues with an e­mail server would likely be known only by technicians who regularly work with the e­mail servers.

NOTE

VPN connections use tunneling protocols to reduce the risk of data being captured. A tunneling protocol will encrypt the traffi c sent over the network. This makes it more diffi cult for attackers to capture and read data.

TIP

You should lock down a server using the specifi c security requirements needed by the hosted application. An e-mail server requires one set of protections while a database server requires a different set.

1 Risk M

anagem ent

Fundam entals

12 PART 1 | Risk Management Business Challenges

Threats, Vulnerabilities, and Impact When a threat exploits a vulnerability it results in a loss. The impact identifi es the severity of the loss.

A threat is any circumstance or event with the potential to cause a loss. You can also think of a threat as any activity that represents a possible danger. Threats are always present and cannot be eliminated, but they may be controlled.

Threats have independent probabilities of occurring that often are unaffected by an organizational action. As an example, an attacker may be an expert in attacking Web servers hosted on Apache. There is very little a company can do to stop this attacker from trying to attack. However, a company can reduce or eliminate vulnerabilities to reduce the attacker’s chance of success.

Threats are attempts to exploit vulnerabilities that result in the loss of confi dentiality, integrity, or availability of a business asset. The protection of confi dentiality, integrity, and availability are common security objectives for information systems.

Figure 1­2 shows these three security objectives as a protective triangle. If any side of the triangle is breached or fails, security fails. In other words, risks to confi dentiality, integrity, or availability represent potential loss to an organization. Because of this, a signifi cant amount of risk management is focused on protecting these resources.

•  Confi dentiality—Preventing unauthorized disclosure of information. Data should be available only to authorized users. Loss of confi dentiality occurs when data is accessed by someone who should not have access to it. Data is protected using access controls and encryption technologies.

•  integrity—Ensuring data or an IT system is not modifi ed or destroyed. If data is modifi ed or destroyed, it loses its value to the company. Hashing is often used to ensure integrity.

•  availability—Ensuring data and services are available when needed. IT systems are commonly protected using fault tolerance and redundancy techniques. Backups are used to ensure the data is retained even if an entire building is destroyed.

Protecting Con�dentiality, Integrity, and Availability

C on �d en tia lity Integrity

Availability

FiguRe 1-2

Security objectives for information and information systems.

NOTE

Confi dentiality, integrity, and availability are often referred to as the security triad.

CHAPTER 1 | Risk Management Fundamentals 13

A vulnerability is a weakness. It could be a procedural, technical, or administrative weakness. It could be a weakness in physical security, technical security, or operational security. Just as all threats don’t result in a loss, all vulnerabilities don’t result in a loss. It’s only when an attacker is able to exploit the vulnerability that a loss to an asset occurs.

Vulnerabilities may exist because they’ve never been corrected. They can also exist if security is weakened either intentionally or unintentionally.

Consider a locked door used to protect a server room. A technician could intentionally unlock it to make it easier to access. If the door doesn’t shut tight on its own, it could accidentally be left open. Either way, the server room becomes vulnerable.

The impact is the amount of the loss. The loss can be expressed in monetary terms, such as $5,000.

The value of hardware and software is often easy to determine. If a laptop is stolen, you can use the purchase value or the replacement value. However, some losses aren’t easy to determine. If that same laptop held data, the value of the data is hard to estimate.

Descriptive terms instead of monetary terms can be used to describe the impact. You can describe losses in relative terms such as high, medium, or low. As an example, NIST SP 800­30 suggests the following impact terms:

High impact—If a threat exploits the vulnerability it may: •  Result in the costly loss of major assets or resources •  Signifi cantly violate, harm, or impede an organization’s mission, reputation,

or interest •  Or, result in human death or serious injury.

Medium impact—If a threat exploits the vulnerability it may: •  Result in the costly loss of assets or resources •  Violate, harm, or impede an organization’s mission, reputation, or interest •  Or, result in human injury.

Low impact—If a threat exploits the vulnerability it may: •  Result in the loss of some assets or resources •  Or, noticeably affect an organization’s mission, reputation, or interest.

Risk Management and Its Importance to the Organization

Risk management is the practice of identifying, assessing, controlling, and mitigating risks. Threats and vulnerabilities are key drivers of risk. Identifying the threats and vulnerabilities that are relevant to the organization is an important step. You can then take action to reduce potential losses from these risks.

It’s important to realize that risk management isn’t intended to be risk elimination. That isn’t a reasonable goal. Instead, risk management attempts to identify the risks that can be minimized and implement controls to do so. Risk management includes several elements:

TIP

The method used to take advantage of a vulnerability can also be referred to as an exploit.

1 Risk M

anagem ent

Fundam entals

14 PART 1 | Risk Management Business Challenges

•  Risk assessment—Risk management starts with a risk assessment or risk analysis. There are multiple steps to a risk assessment:

•  Identify the IT assets of an organization and their value. This can include data, hardware, software, services, and the IT infrastructure.

•  Identify threats and vulnerabilities to these assets. Prioritize the threats and vulnerabilities.

•  Identify the likelihood a vulnerability will be exploited by a threat. These are your risks.

•  Identify the impact of a risk. Risks with higher impacts should be addressed fi rst.

•  identify risks to manage—You can choose to avoid, transfer, mitigate, or accept risks. The decision is often based on the likelihood of the risk occurring, and the impact it will have if it occurs.

•  Selection of controls—After you have identifi ed what risks to address, you can identify and select control methods. Control methods are also referred to as counter­ measures. Controls are primarily focused on reducing vulnerabilities and impact.

•  implementation and testing of controls—Once the controls are implemented, you can test them to ensure they provide the expected protection.

•  evaluation of controls—Risk management is an ongoing process. You should regularly evaluate implemented controls to determine if they still provide the expected protection. Evaluation is often done by performing regular vulnerability assessments.

How Risk Affects an Organization’s Survivability Profi tability and survivability were presented earlier in the chapter. You should also consider them when identifying which risks to manage. Consider both the cost to implement the control and the cost of not implementing the control. As mentioned previously, spending money to manage a risk rarely adds profi t. The important point is that spending money on risk management can help ensure a business’s survivability.

As an example, consider data and backups. Data is often one of the most valuable assets a business owns. It can include customer data. It can include accounting data such as accounts payable and accounts receivable. It can include employee data. The list goes on and on. This data is integral to success of a business, so it is often backed up regularly.

Imagine that a business spends $15,000 a year on data backups. This cost will not increase revenue or profi ts. Imagine that in a full year’s time, data is never lost and the backups are never needed. If profi tability is the only consideration, management may decide to eliminate this cost. Backups are stopped. The next year, data could be lost, causing the company to fail.

The cost does need to be considered against profi tability, though. For example, if a company earns only $10,000 in profi t a year, it doesn’t make sense to spend $15,000 a year to protect the data.

NOTE

Risk assessment is covered in more depth in chapters 5 and 6.

CHAPTER 1 | Risk Management Fundamentals 15

1 Risk M

anagem ent

Fundam entals

On the other hand, imagine a company with $100,000 in annual profits. They choose not to spend the $15,000 on backups. Then a virus spreads through the enterprise, destroying all customer and accounting data. The company no longer has reliable records of accounts receivable. No one has access to the customer base. This can be a business­ ending catastrophe.

Reasonableness A company doesn’t need to manage every possible risk. Some risks are reasonable to manage while others are not.

Reasonableness is a test that can be applied to risk management to determine if the risk should be managed. It’s derived from the reasonable­person standard in law. In short, you should answer this question. “Would a reasonable person be expected to manage this risk?”

Risks that don’t meet the reasonableness test are accepted. For example, the threat of nuclear war exists. A company could spend resources on building bomb shelters for all employees and stocking them with food and water to last 30 years. However, this just isn’t reasonable.

As another example, consider a company located on the east coast of Florida. Hurri canes are a very real threat and should be considered. However, the likelihood of a major earthquake hitting the east coast of Florida is relatively minor and doesn’t need to be addressed. A business in San Francisco, however, has different concerns. An earthquake there is a real threat, but a hurricane is not. So, for San Francisco, the risk of a hurricane is readily accepted while risk of an earthquake may not be accepted.

Balancing Risk and Cost The cost to manage the risk must be balanced against the impact value. The costs can be measured in actual monetary values if they are available. You can also balance the costs using relative values such as low, medium, and high.

Table 1­1 shows an example of how the relative values can be assigned. This matrix was derived from NIST SP 800­30. Likelihood values are shown vertically, while impact values are shown horizontally. If a threat has a 10 percent likelihood of occurring it is assigned a value of Low. If the value is between 10 and 50 percent, the value is medium.

TabLe 1-1 A threat-likelihood-impact matrix.

LOW IMPACT 10 MEDIUM IMPACT 50 HIGH IMPACT 100

High threat likelihood 100 percent (1.0)

10  1 5 10 50  1 5 50 100  1 5 100

Medium threat likelihood 50 percent (.50)

10  .50 5 5 50  .50 5 25 100  .50 5 50

Low threat likelihood 10 percent (.10)

10  .10 5 1 50  .10 5 5 100  .10 5 10

16 PART 1 | Risk Management Business Challenges

If the value is between 51 and 100, the value is high. Similarly, the impact can be ranked as low, medium, and high.

The potential of some risks to occur is very high and the impact is high giving you an easy choice. For example, systems without antivirus software will become infected. The threat is common. The likelihood is high. If or when it happens, an infected system can result in the compromise or destruction of all the business’s data. The impact is also high. This risk needs to be mitigated. The cost of antivirus software is far less than the impact costs. Therefore, antivirus software is commonly used in business.

Other times, the likelihood is low but the impact is high. For example, the risk of fi re in a data center is low. However, the impact is high. A business will often have fi re detection and suppression equipment to prevent the impact if a fi re occurs. Insurance is also purchased to reduce the impact if a fi re does cause damage.

Role-Based Perceptions of Risk Ideally, all personnel within an organization will readily understand the threat to a company’s health if risk is not managed. Unfortunately, risks and risk management are often perceived quite differently.

One of the challenges with effective risk management is achieving a proper balance between security and usability. Consider Figure 1­3. In the diagram on the left, the computers are completely locked down with a high level of security. Users are unable to use them to adequately perform their job. On the right, the computers are easy to use but security is neglected. In the middle, a balance between the two has been achieved.

FiguRe 1-3

Balancing security and usability in an organization.

Balancing Security and Usability

Balanced Security and Usability

High Security

Low Usability Low

Secu rity

High

Usabi lity

TIP

You can create a more detailed likelihood-impact matrix. For example, instead of assigning values of low, medium, and high for the threat likelihood, you can assign actual percentages. This allows greater separation between the categories. Similarly, you can assign any number within a range to the impact. The matrix in the table uses a range of 10, 50, and 100, but you could use any numbers between 1 and 100, if desired.

CHAPTER 1 | Risk Management Fundamentals 17

1 Risk M

anagem ent

Fundam entals

Balanced security rarely satisfi es everyone. Security personnel want to lock systems down tighter. End users fi nd the security controls inconvenient and want more usability.

It is common for individuals in the followings roles to have different perceptions of risk:

•  Management—Management is concerned mostly with profi tability and surviv­ ability. Since attacks can result in loss of confi dentiality, integrity, or availability, management is willing to spend money to mitigate risks. However, their view of the risk is based on the costs of the risk and the costs of the controls. Management needs accurate facts to make decisions on which controls to implement to protect company assets.

•  System administrator—Administrators are responsible for protecting the IT systems. When they understand the risks, they often want to lock systems down as tight as possible. Administrators are often highly technical individuals. System adminis­ trators sometimes lose sight of the need to balance security costs with profi tability.

•  Tier 1 administrator—Tier 1 administrators are the fi rst line of defense for IT support (thus the “tier 1” part of the name). When a user needs assistance, a tier 1 admin­ istrator is often called. They may be more concerned with usability than security or profi tability. These administrators are given limited administrative permissions. They often view the security controls as hindrances to perform their job and don’t always recognize the importance of the controls. For example, the need to use a change management process isn’t always understood. A well­meaning technician may bypass a change management process to solve one problem but unintentionally create another problem. These unapproved changes can result in business losses.

•  Developer—Some companies have in­house application developers. They write applications that can be used in­house or sold. Many developers have adopted a secure computing mindset. They realize that security needs to be included from the design stage all the way to the release stage. When developers haven’t adopted a security mindset, they often try to patch security holes at the end of the development cycle. This patching mindset rarely addresses all problems, resulting in the release of vulnerable software.

•  end user—End users simply want the computer to work for them. They are most concerned with usability. They often don’t understand the reason for the security controls and restrictions. Instead, security is viewed as an incon­ venience. Well­meaning users often try to circumvent controls so they can accomplish their job. For example, USB thumb drives often transport viruses without the user’s knowledge. Companies frequently implement policies restricting the use of thumb drives. When a user needs to transfer a fi le from one computer to another, the USB thumb drive can be tempting.

TIP

You can restrict the use of thumb drives through a written policy telling people not to use them. You can also use technical controls to prevent use of thumb drives. Computer users can easily ignore a written policy, but they can’t easily bypass a technical control. A best practice is to create and enforce both types of policies— written and technical.

18 PART 1 | Risk Management Business Challenges

You can address the perceptions of these different role holders through targeted training. Some training can include all employees; other training should be targeted to specific roles. Targeted training helps each role holder better understand the big picture. It can also help them understand the importance of security and its value to the success of the company.

People responsible for managing risks must take all perceptions into account. This is especially true if any of the controls can be bypassed.

For example, theft of laptops is a common problem for some companies. An employee can leave the laptop to take a break at a conference only to come back and find the laptop gone. This risk can almost be eliminated if the company purchases hardware locks. The lock can secure the laptop to a desk or other furniture. However, if users don’t perceive the risk as valid, they may simply not use the lock. In addition to purchasing the lock, steps need to be taken to train the users.

Risk Identification Techniques

You learned about risk and losses earlier in this chapter. Risk is the likelihood that a loss will occur. Losses occur when a threat exposes a vulnerability. In order to identify risks, you’ll need to take three steps:

•  Identify threats •  Identify vulnerabilities •  Estimate the likelihood of a threat exploiting a vulnerability

The following sections explore these concepts.

Identifying Threats A threat is any circumstance or event with the potential to cause a loss. Said another way, it is any activity that represents a possible danger. The loss or danger is directly related to one of the following:

•  Loss of confidentiality—Someone sees your password or a company’s “secret formula.”

•  Loss of integrity—An e­mail message is modified in transit, a virus infects a file, or someone makes unauthorized changes to a Web site.

•  Loss of availability—An e­mail server is down and no one has e­mail access, or a file server is down so data files aren’t available.

“Threat identification” is the process of creating a list of threats. This list attempts to identify all the possible threats to an organization. This is no small task. The list can be extensive.

Threats are often considered in the following categories:

CHAPTER 1 | Risk Management Fundamentals 19

1 Risk M

anagem ent

Fundam entals

•  external or internal—External threats are outside the boundary of the organization. They can also be thought of as risks that are outside the control of the organization. Internal threats are within the boundary of the organization. They could be related to employees or other personnel who have access to company resources. Internal threats can be related to any hardware or software controlled by the business.

•  Natural or man-made—Natural threats are often related to weather such as hurri­ canes, tornadoes, and ice storms. Earthquakes and tsunamis are also natural threats. A human or man­made threat is any threat from a person. Any attempt to sabotage resources is a man­made threat. Fire could be man­made or natural depending on how the fi re is started.

•  intentional or accidental—Any deliberate attempt to compromise confi dentiality, integrity, or availability is intentional. Employee mistakes or user error are accidental threats. A faulty application that corrupts data could be considered accidental.

One method used to identify threats is through a brainstorming session. In a brain­ storming session, participants throw out anything that pops into their heads. All ideas are written down without any evaluation. This creative process helps bring up ideas that may be missed when a problem is only analyzed logically.

Some examples of threats to an organization include:

•  An unauthorized employee trying to access data •  Any type of malware •  An attacker defacing a Web site •  Any DoS or DDoS attack •  An external attacker trying to access data •  Any loss of data •  Any loss of services •  A social engineer tricking an employee into revealing a secret •  Earthquakes, fl oods, or hurricanes •  A lightning strike •  Electrical, heating, or air conditioning outages •  Fires

All these threats represent possible risks if they expose vulnerabilities. Of course, you will identify different threats and vulnerabilities depending on the

organization. Every organization has threats and vulnerabilities specifi c to them. In fact, a business with multiple locations may have some threats and vulnerabilities unique to one location.

Identifying Vulnerabilities You learned earlier that a vulnerability is a weakness. When a threat occurs, if there is a vulnerability the weakness is apparent. However, before threats occur, you’ll have to dig a little to identify the weaknesses. Luckily, most organizations have a lot of sources which can help you.

TIP

A denial of service (DoS) attack is an attack that attempts to disrupt a service. A DoS attack results in the service being unavailable. A distributed denial of service (DDoS) attack originates from multiple attackers.

20 PART 1 | Risk Management Business Challenges

Some of the sources you can use are:

•  audits—Many organizations are regularly audited. Systems and processes are checked to verify a company complies with existing rules and laws. At the completion of an audit, a report is created. These reports list fi ndings which directly relate to weaknesses.

•  Certifi cation and accreditation records—Several standards exist to examine and certify IT systems. If the system meets the standards, the IT system can be accredited. The entire process includes detailed documentation. This documentation can be reviewed to identify existing and potential weaknesses.

•  System logs—Many types of logs can be used to identify threats. Audit logs can determine if users are accessing sensitive data. Firewall logs can identify traffi c that is trying to breach the network. Firewall logs can also identify computers taken over by malware and acting as zombies. DNS logs can identify unauthorized transfer of data.

•  Prior events—Previous security incidents are excellent sources of data. As evidence of risks which already occurred, they help justify controls. They show the problems that have occurred and can show trends. Ideally, weaknesses from a security incident will be resolved right after the incident. In practice, employees are sometimes eager to put the incident behind them and forget it as soon as possible. Even if documentation doesn’t exist on the incident, a few key questions can uncover the details.

•  Trouble reports—Most companies use databases to document trouble calls. These databases can contain a wealth of information. With a little bit of analysis, you can use them to identify trends and weaknesses.

•  incident response teams—Some companies have incident response teams. These teams will investigate all the security incidents within the company. You can interview team members and get a wealth of information. These teams are often eager to help reduce risks.

Using the Seven Domains of a Typical IT Infrastructure to Identify Weaknesses Another way of identifying weaknesses is by examining the seven domains of a typical IT infrastructure. These domains were presented earlier in this chapter. Each domain can be examined individually. Further, each domain can be examined by experts in that domain. The following list gives you some examples in each of these domains:

•  user Domain—Social engineering represents a big vulnerability. Sally gets a call. “Hi. This is Bob from the help desk. We’ve identifi ed a virus on your computer.” Bob then attempts to walk Sally though a long detailed process and then says “Why don’t I just fi x this for you? You can get back to work. All I need is your password.”

TIP

Some malware can take control of multiple computers and control them as robots. The controlling computer issues attack commands and the computers attack. The individual computers are referred to as “zombies.” The network of controlled computers is called a “botnet.”

CHAPTER 1 | Risk Management Fundamentals 21

•  Workstation Domain—Computers that aren’t patched can be exploited. If they don’t have antivirus software they can become infected.

•  LaN Domain—Any data on the network that is not secured with appropriate access controls is vulnerable. Weak passwords can be cracked. Permissions that aren’t assigned properly allow unauthorized access.

•  LaN-to-WaN Domain—If users are allowed to visit malicious Web sites, they can mistakenly download malicious software. Firewalls with unnecessary ports open allow access to the internal network from the Internet.

•  WaN Domain—Any public­facing server is susceptible to DoS and DDoS attacks. A File Transfer Protocol (FTP) server that allows anonymous uploads can host Warez from black­hat hackers.

•  Remote access Domain—Remote users may be infected with a virus but not know it. When they connect to the internal network via remote access, the virus can infect the network.

•  System/application Domain—Database servers can be subject to SQL injection attacks. In a SQL injection attack, the attacker can read the entire database. SQL injection attacks can also modify data in the database.

This list certainly isn’t complete. The number of vulnerabilities discovered in IT is constantly growing. The MITRE Corporation catalog Common Vulnerabilities and Exposures (CVE) includes more than 40,000 items.

Using Reason When Identifying Vulnerabilities Reasonableness was covered earlier in this chapter. As a reminder, reasonableness answers the question, “Would a reasonable person be expected to manage this risk?” In this context, you can think of it as, “Would a reasonable person be expected to reduce this vulnerability?”

You should focus on vulnerabilities within the organization or within the system being evaluated. External vulnerabilities are often not addressed. For example, a server will likely fail if air conditioning fails. You would address this when identifying vulnerabilities for a server room. You wouldn’t address for each of the 50 servers in the server room. Similarly, the commercial power may fail. You may address this by having uninterruptible power supplies (UPS) and generators. However, you don’t need to identify alternatives for the commercial power company.

TIP

“Warez” (pro nounced as “wares”) is a term that describes pirated fi les. Examples included pirated games, MP3 fi les, and movies. A Warez site often includes hacking tools, which anyone can download, including hackers.

TIP

A “SQL injection attack” tries to access data from Web sites. SQL statements are entered into text boxes. If the Web site isn’t programmed defensively, these SQL statements can be executed against a database. Some programs are available that can launch a SQL injection attack and retrieve an entire database.

1 Risk M

anagem ent

Fundam entals

22 PART 1 | Risk Management Business Challenges

Pairing Threats with Vulnerabilities The third step when identifying risks is to pair the threats with vulnerabilities. Threats are matched to existing vulnerabilities to determine the likelihood of a risk.

The “Identifying Threats” section listed several threats. Table 1­2 takes a few of those threats and matches them to vulnerabilities to identify possible losses.

The following formula is often used when pairing threats with vulnerabilities.

Risk 5 Threat  Vulnerability

However, this isn’t a true mathematical formula. Compare this to the formula for area: Area 5 Length  Width. Length has a numerical value. Width has a numerical value. The result is a number for Area.

Threat and vulnerability often don’t have numerical values. The formula isn’t intended to give a number as a result. Instead, it is designed to show the relationship between the two.

If you can identify the value of the asset, the formula is slightly modified to:

Total Risk 5 Threat  Vulnerability  Asset Value

TabLe 1-2 Risk and trust levels of common network zones.

THrEAT VULnErAbILITy IMPACT

An unauthorized employee tries to access data hosted on a server.

The organization doesn’t use authentication and access controls.

The possible loss would depend on the sensitivity of the data and how it’s used. For example, if the unauthorized employee accessed salary data and freely shared it, this could impact morale and productivity.

Any type of malicious software, such as viruses or worms, enters the network.

Antivirus software doesn’t detect the virus.

The virus could be installed on systems. Viruses typically result in loss of confidentiality, integrity, or availability.

An attacker modifies or defaces a Web site.

The Web site isn’t protected.

Depending on how the attacker modifies the Web site, the credibility of the company could be affected.

A social engineer tricks an employee into revealing a password.

Users aren’t adequately trained.

Passwords could be revealed. An attacker who obtains a password could take control of the user’s account.

1 Risk M

anagem ent

Fundam entals

CHAPTER 1 | Risk Management Fundamentals 23

Risk Management Techniques

After risks have been identified, you need to decide what you want to do about them. Risk management can be thought of as handling risk. It’s important to realize that risk management is not risk elimination. A business that doesn’t take any risks doesn’t stay in business long. The cost to eliminate all risks will consume all the profits.

The ultimate goal of risk management is to protect the organization. It helps ensure a business can continue to operate and earn a profit. Risk management includes several steps. They include:

•  Identifying risks •  Assessing risks •  Determining which risks will be handled and which risks will accepted •  Taking steps to reduce risk to an acceptable level.

When deciding how to handle a risk you can choose to avoid, transfer, mitigate, or accept the risk. These techniques are explained in the following section.

Avoidance One of the ways you manage risk is by simply avoiding it. The primary reason to avoid a risk is that the impact of the risk outweighs the benefit of the asset.

An organization can avoid risk by:

•  eliminating the source of the risk—The company can stop the risky activity. For example, a company may have a wireless network that is vulnerable to attacks. The risk could be avoided by removing the wireless network. This can be done if the wireless network isn’t an important asset in the company.

•  eliminating the exposure of assets to the risk—The company can move the asset. For example, a data center could be at risk because it is located where earthquakes are common. It could be moved to an earthquake­free zone to eliminate this risk. The cost to move the data center will be high. However, if the risk is unacceptable and the value of the data center is higher it makes sense.

Transfer You can transfer risk by shifting responsibility to another party. This is most commonly done by purchasing insurance. It can also be done by outsourcing the activity.

•  insurance—You purchase insurance to protect your company from a loss. If a loss occurs, the insurance covers it. Many types of insurance are available, including fire insurance.

•  Outsourcing the activity—For example, your company may want to host a Web site on the Internet. The company can host the Web site with a Web hosting provider. Your company and the provider can agree on who assumes responsibility for security, backups, and availability.

24 PART 1 | Risk Management Business Challenges

Mitigation You reduce risk by reducing vulnerabilities, and risk mitigation is the primary strategy in this process. Risk mitigation is also known as reduction or treatment.

You reduce vulnerabilities by implementing controls or countermeasures. The cost of a control should not exceed the benefi t. Determining costs and benefi ts often requires a cost­benefi t analysis, which is covered later in this chapter.

Some examples of mitigation steps are:

•  alter the physical environment—Replace hubs with switches. Locate servers in locked server rooms.

•  Change procedures—Implement a backup plan. Store a copy of backups offsite, and test the backups.

•  add fault tolerance—Use Redundant Array of Independent Disks (RAID) for important data stored on disks. Use failover clusters to protect servers.

•  Modify the technical environment—Increase security on the fi rewalls. Add intrusion detection systems. Keep antivirus software up to date.

•  Train employees—Train technical personnel on how to implement controls. Train end users on social engineering tactics.

Often the goal is not to eliminate the risk but instead, to make it too expensive for the attacker. Consider the following two formulas.

•  attacker’s cost  attacker’s gain—When this is true, it is appealing to the attacker.

•  attacker’s cost  attacker’s gain—When this is true, the attacker is less likely to pursue the attack.

Cryptography is one of the ways to increase the attacker’s cost. If your company sends data across the network in clear text, it can be captured and analyzed. If the company encrypts the data, an attacker must decrypt it before analyzing it. The goal of the encryption isn’t to make it impossible to decrypt the data. Instead, the goal is to make it too expensive or too time­consuming for the attacker to crack it.

Acceptance You can also choose to accept a risk. A company can evaluate a risk, understand the potential loss, and choose to accept it. This is commonly done when the cost of the control outweighs the potential loss.

TIP

Controls are often referred to as either preventive or detective. A “preventive control” attempts to deter or prevent the risk from occurring. Examples include increasing physical security and training personnel. “Detective controls” try to detect activity that may result in a loss. Examples include antivirus software and intrusion detection systems.

CHAPTER 1 | Risk Management Fundamentals 25

For example, consider the following scenario: A company hosts a Web server used for e­commerce. The Web server generates about $1,000 per month in revenue. The server could be protected using a failover cluster. However, estimates indicate that a failover cluster will cost approximately $10,000. If the server goes down, it may be down for only one or two hours, which equates to less than $3. (Revenue per hour 5 $1,000  12  365  24 5 $1.37.)

The decision to accept a loss becomes easier if you have evaluated the costs against the benefi ts, which is known as a “cost­benefi t analysis.” A cost­benefi t analysis is useful when choosing any of the techniques to manage risk.

Cost-Benefi t Analysis You perform a cost-benefi t analysis (CBA) to help determine which controls or counter­ measures to implement. If the benefi ts outweigh the costs, the control is often selected.

A CBA compares the business impact with the cost to implement a control. For example, the loss of data on a fi le server may represent the loss of $1 million worth of research. Implementing a backup plan to ensure the availability of the data may cost $10,000. In other words, you would spend $10,000 to save $1 million. This makes sense.

A CBA starts by gathering data to identify the costs of the controls and benefi ts gained if they are implemented.

•  Cost of the control—This includes the purchase costs plus the operational costs over the lifetime of the control.

•  Projected benefi ts—This includes the potential benefi ts gained from implementing the control. You identify these benefi ts by examining the costs of the loss and how much the loss will be reduced if the control is implemented.

A control doesn’t always eliminate the loss. Instead, the control reduces it. For example, annual losses for a current risk may average $100,000. If a control is implemented, these losses may be reduced to $10,000. The benefi t of the control is $90,000.

You can use the following formula to determine if the control should be used:

Loss before control  loss after control 5 cost of control

Imagine the company lost $100,000 last year without any controls implemented. You estimate you’ll lose $10,000 a year if the control is implemented. The cost of the control is estimated at $10,000. The formula is:

$100,000  $10,000 (cost of control)  $10,000 (expected residual loss) 5 $80,000

This represents a benefi t of $80,000. One of the biggest challenges when performing a CBA is getting accurate data. While

current losses are often easily available, future costs and benefi ts need to be estimated. Costs are often underestimated. Benefi ts are often overestimated.

NOTE

A simple failover cluster could include two servers. One server provides the service to users and the other server acts as a spare. If the online server fails, the spare server can sense the failure and automatically take over.

1 Risk M

anagem ent

Fundam entals

26 PART 1 | Risk Management Business Challenges

The immediate costs of a control are often available. However, the ongoing costs are sometimes hidden. Some of the hidden costs may be:

•  Costs to train employees

•  Costs for ongoing maintenance

•  Software and hardware renewal costs

If the costs outweigh the benefits, the control may not be implemented. Instead, the risk could be accepted, transferred or avoided.

Residual Risk Residual risk is the risk that remains after you apply controls. It’s not feasible to eliminate all risks. Instead, you take steps to reduce the risk to an acceptable level. The risk that’s left is residual risk.

Earlier in this chapter, the following two formulas were given for risk:

Risk 5 Threat  Vulnerability

Total risk 5Threat  Vulnerability  Asset Value

You can calculate residual risk with the following formula:

Residual Risk 5Total Risk  Controls

Senior management is responsible for any losses due to residual risk. They decide whether a risk should be avoided, transferred, mitigated or accepted. They also decide what controls to implement. Any resulting loss due to their decisions falls on their shoulders.

CHAPTER 1 | Risk Management Fundamentals 27

1 Risk M

anagem ent

Fundam entalsRisks occur when threats exploit vulnerabilities, resulting in a loss. The loss can

com pro mise business functions and business assets. Losses also drive business costs. Risk management helps a company identify risks that need to be reduced. The fi rst steps in risk management are to identify threats and vulnerabilities. These can then be paired to help determine the severity of the risk.

You can manage risks by choosing one of four techniques: A risk can be avoided, transferred, mitigated, or accepted. The primary risk management technique is risk mitigation. Risk mitigation is also known as risk reduction or risk treatment. You reduce vulnerabilities by implementing controls.

Accept Availability Avoid Common Vulnerabilities and

Exposures (CVE) Confi dentiality Control Cost-benefi t analysis (CBA)

Impact Intangible value Integrity Mitigate Profi tability Reasonableness Residual risk Risk

Risk assessment Risk management Survivability Tangible value Threat Total risk Transfer Vulnerability

KEY CONCEPTS AND TERMS

CHAPTER SUMMARY

28 PART 1 | Risk Management Business Challenges

CHAPTER 1 ASSESSMENT

1. Which one of the following properly defi nes risk?

A. Threat  Mitigation B. Vulnerability  Controls C. Controls  Residual Risk D. Threat  Vulnerability

2. Which one of the following properly defi nes total risk?

A. Threat  Mitigation B. Threat  Vulnerability  Asset Value C. Vulnerability  Controls D. Vulnerability  Controls

3. You can completely eliminate risk in an IT environment.

A. True B. False

4. Which of the following are accurate pairings of threat categories? (Select two.)

A External and internal B. Natural and supernatural C. Intentional and accidental D. Computer and user

5. A loss of client confi dence or public trust is an example of a loss of ________.

6. A ________ is used to reduce a vulnerability.

7. As long as a company is profi table, it does not need to consider survivability.

A. True B. False

8. What is the primary goal of an information security program?

A. Eliminate losses related to employee actions B. Eliminate losses related to risk C. Reduce losses related to residual risk D. Reduce losses related to loss of confi dentiality,

integrity, and availability

9. The ________ is an industry­recognized standard list of common vulnerabilities.

10. Which of the following is a goal of a risk management?

A. Identify the correct cost balance between risk and controls

B. Eliminate risk by implementing controls C. Eliminate the loss associated with risk D. Calculate value associated with residual risk

11. If the benefi ts outweigh the cost, a control is implemented. Costs and benefi ts are identifi ed by completing a ________.

12. A company decides to reduce losses of a threat by purchasing insurance. This is known as risk ________.

13. What can you do to manage risk? (Select three.)

A. Accept B. Transfer C. Avoid D. Migrate

14. You have applied controls to minimize risk in the environment. What is the remaining risk called?

A. Remaining risk B. Mitigated risk C. Managed risk D. Residual risk

15. Who is ultimately responsible for losses resulting from residual risk?

A. End users B. Technical staff C. Senior management D. Security personnel

10 CHAPTer Planning Risk Mitigation

Throughout Your Organization

250

A FTER COMPLETING THE BASICS of identifying assets, threats, and vulnerabilities, you can begin identifying controls. Controls mitigate risk throughout an organization. One of the ways to evaluate controls is to identify critical business operations and critical business functions. Controls should be in place to protect against risks for these critical areas of your business.

Compliance is an important topic in IT today. If any laws or guidelines govern your organization, you need to ensure you’re compliant. Noncompliance can be quite expensive. The fi rst step is identifying the relevant laws and guidelines to see if they apply to your organization. If they do apply, you need to assess the regulations to identify the impact on your organization.

Chapter 10 Topics

This chapter covers the following topics and concepts:

• Where your organization should start with risk mitigation

• What the scope of risk management for your organization is

• How to understand and assess the impact of legal and compliance issues on your organization

• How to translate legal and compliance implications for your organization

• How to assess the impact of legal and compliance implications on the seven domains of a typical IT infrastructure

• How to assess how security countermeasures and safeguards can assist with risk mitigation

• What the operational impacts of legal and compliance requirements are

• How to identify risk mitigation and risk reduction elements for an entire organization

• What a cost-benefi t analysis is

• What best practices for planning risk mitigation throughout an organization are

251

10

Planning Risk M

itigation

Chapter 10 Goals

When you complete this chapter, you will be able to:

• Describe how an organization should start with risk mitigation

• Identify the scope of risk management within an organization

• Apply risk management scope concepts to critical business operations

• Apply risk management scope concepts to customer service delivery

• Apply risk management scope concepts to mission-critical business systems, applications, and data access

• Apply risk management scope concepts to the seven domains of a typical IT infrastructure

• Apply risk management scope concepts to systems security gaps

• Assess the impact of legal and compliance issues within an organization

• List compliance laws, regulations, and mandates that apply to an organization

• Describe legal and compliance implications within an organization

• Describe the impact of legal and compliance implications on the seven domains of a typical IT infrastructure

• Evaluate security countermeasures and safeguards that can assist with risk mitigation

• Describe operational impacts of legal and compliance requirements

• List risk mitigation and risk reduction elements

• Describe a cost-benefi t analysis

• List best practices for planning risk mitigation throughout an organization

Where Should Your Organization Start with Risk Mitigation?

Your organization should start by identifying assets. An asset inventory helps you determine the value of your systems, services, and data. The value of the assets can be monetary, or it can be relative. For example, you may decide to assign values such as High, Medium, and Low for assets. These values do not necessarily equate to the cost of equipment. Rather, the value relates to the possible business impact if the assets are damaged or lost.

252 PART 2 | Mitigating Risk

As an example, your asset inventory could have resulted in the following priorities:

• Database servers—High • File servers—High • E-mail servers—High • Network infrastructure—High • Web server—Medium • User desktop systems—Medium • User laptops—Low

Next, you identify and analyze threats and vulnerabilities. Chapter 8 covered how to perform threat assessments, vulnerability assessments, and exploit assessments. You can perform a threat and vulnerability assessment on each asset.

For example, you can begin an assessment on the database servers. You can start several ways. One way is to consider the basics and ask yourself some questions:

• Loss of confi dentiality—Is the data sensitive? Are access controls in place? Should at-rest data be encrypted? Should data be encrypted when it’s transferred?

• Loss of integrity—Can the database recover from power loss? Are data versions required? Is confi guration of the database documented? Are change management practices followed?

• Loss of availability—Are reliable backups performed regularly? Are copies of backups stored offsite? What are the required hours for data availability? Are redundant drives used? Are failover clusters required?