SlideShare a Scribd company logo

CHAPTER 5Risk Response and MitigationIn this chapter, you will.docx

Download as DOCX, PDF
A
Abhinav816839

This document provides an overview of risk response and mitigation concepts covered in Domain 3 of the CRISC exam. It discusses various risk response options such as mitigation, sharing, and acceptance. It also describes several risk management frameworks and standards that cover risk response, including the NIST RMF, ISACA Risk IT Framework, and COBIT. The document aims to help readers understand how to select, implement, and assess appropriate risk responses based on business needs and frameworks.

Education
1 of 43
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
CHAPTER 5 Risk Response and Mitigation In this chapter, you will: • Learn about the risk response process • Understand risk response options and how to align choices with business objectives • Become familiar with risk response standards and frameworks • Understand how risk appetite and tolerance affect risk response choices • Understand risk response action plans and how they are developed • Understand how controls are designed, implemented, and executed • Develop better project management skills to more effectively execute risk response plans • Learn methods to document and assess risk responses • Determine how to best train personnel on risk responses In this chapter, we will review the concepts that comprise Certified in Risk and Information Systems Control (CRISC) Domain 3, which is focused on risk response and mitigation. There is a natural progression from the risk assessment discussions in previous chapters that covered CRISC Domains 1 and 2, to the discussion on risk response in this chapter; you will see that many of the outputs from those processes lead directly to this chapter because an organization generally wants a positive response to any risk assessment findings. After discussing how risk responses are chosen, we will discuss how to implement those risk responses, including how to design, develop, and adjust controls. The CRISC exam objectives covered during this chapter include the following task statements: • 3.1 Consult with risk owners to select and align recommended risk responses with business objectives and enable informed risk decisions
• 3.2 Consult with, or assist, risk owners on the development of risk action plans to ensure that the plans include key elements (e.g., response, cost, target date) • 3.3 Consult on the design and implementation or adjustment of mitigating controls to ensure that the risk is managed to an acceptable level • 3.4 Ensure that control ownership is assigned to establish clear lines of accountability • 3.5 Assist control owners in developing control procedures and documentation to enable efficient and effective control execution • 3.6 Update the risk register to reflect changes in risk and management’s risk response • 3.7 Validate that risk responses have been executed according to the risk action plans Risk Response Every organization has risk. The leaders of smart organizations, however, have determined how they will deal with that risk appropriately for their business context. Will they accept all risks? Will they transfer some risks to a third party, such as an insurance company? These are some questions that need to be considered within the risk response process, discussed in this chapter. We will also discuss the major risk frameworks within the field and how they incorporate risk response determination and implementation. Please note that risk is different for every organization; risk within an educational context is different from a financial context, which is different from a government context. Also keep in mind that IT risks are different from business or mission-oriented risks. It’s important to note that the mission of the organization helps to shape risks and responses as well. This is why it’s so important that organizations conduct a thorough risk analysis and understand and prioritize the response options that are right for them. You should also remember that the risks to the business, the business goals and objectives, and the systems supporting those functions
should all be considered throughout the risk response process. It’s easy as an IT professional to forget that the business objectives are the top priority, but to maximize efficiency and effectiveness (and especially to pass the exam), you should keep that in mind. It’s a good idea to think about this risk response action plan in a Plan-Do-Check-Adjust (PDCA) life cycle, as shown in Figure 5-1. The PDCA model (often referred to as the Plan-Do-Check-Act or Deming cycle) promotes continuous improvement. In this case, you are planning (designing), doing (implementing), checking (assessing), and adjusting (adjusting and creating documentation) the quality controls that will respond to risk. Figure 5-1 Plan-Do-Check-Adjust cycle Risk Response Standards and Frameworks Standards and frameworks help provide a standardized, industry-accepted approach toward managing risk. While they’re certainly not perfect, they provide a baseline for an organization to recognize the key steps toward understanding and categorizing the risks to their business, implementing the appropriate security controls to lower risk to an acceptable level, and continually monitoring the residual risk and report status to the management. Each standard and framework has its own pluses and minuses, and we will discuss three of the most commonly used: the National Institute of Standards and Technology (NIST) Risk Management Framework, the ISACA Risk IT Framework, and the ISACA Control Objectives for Information and Related Technology (COBIT). Keep in mind that while we discussed these three frameworks in Chapter 1, our discussion there served only to introduce you to the frameworks. In this chapter, you will look at them from the perspective of risk response in particular.
NOTE You can find more general information on standards, frameworks, and best practices (and the differences between the three) in Chapter 1. NIST Risk Management Framework NIST Special Publication 800-37, revision 1, “Guide for Applying the Risk Management Framework to Federal Information Systems,” along with other supporting publications from NIST (part of the U.S. Department of Commerce), makes up the defining volumes of the Risk Management Framework (RMF). The RMF is comprised of six steps, as shown in Figure 5-2. Figure 5-2 The NIST Risk Management Framework (courtesy of NIST, from Special Publication 800-53, revision 4) 1. Categorize information systems. 2. Select security controls. 3. Implement security controls. 4. Assess security controls. 5. Authorize information systems. 6. Monitor security controls. Security categorization requires the information systems and associated information to be categorized based on an impact analysis. When selecting a set of security controls, the security categorization, as well as any previous assessments of risk, must be taken into account. Following this step, you implement
the security controls that were previously selected and then assess their effectiveness and the overall success of the controls of lowering the risk to the accepted level. Finally, the security controls need to be continually monitored to be sure they continue to operate as intended, as well as considering any changes that come into effect across the organization (think location, mission, security classification, or other underlying factors). You will notice many additional concepts within NIST Special Publication 800-37 that are germane to the CRISC exam; for example, the first two steps of the RMF discuss categorizing and selecting appropriate security controls (which we will discuss later in this chapter), while steps 3, 4, and 6 map cleanly to the implementation, assessment, and continuous monitoring of controls (covered throughout this book). For these reasons alone, it’s a great idea to read this document to understand how the steps work together and how they are similar to (and sometimes different from) other frameworks. From a response perspective, the key point that you need to understand about the NIST RMF, and what makes it so revolutionary within the Department of Defense (DoD) and associated organizations, is that risk response starts with steps 4 and 5 of the RMF. This is where authorizing the system (based upon the responsible authority’s acceptance of risk levels) and continuous monitoring take place. Continuous monitoring within the RMF context means near-real-time risk management through the implementation of a comprehensive set of controls that provide an up-to-date status of the current security posture of the organization. To achieve these ends, the RMF encourages automated mechanisms (such as Tenable Security Center and the McAfee Host-Based Security System, for example) to be implemented to support rapid analysis and reporting to management, and for organizations under the mandate of the standard, the RMF establishes a level of accountability and responsibility for the controls selected and implemented within supporting information systems.
Risk response is also covered in NIST Special Publication 800- 39, “Managing Information Security Risk,” and the different response options are discussed in Chapter 3 of that publication. They include risk acceptance, transfer, avoidance, sharing, and so forth, which make it a great reference document. They are similar to what the next framework, the ISACA Risk IT Framework, discusses in terms of risk response. We’ll discuss the risk response options in more depth later in this chapter. ISACA Risk IT Framework Published in 2009, the ISACA Risk IT Framework is another common risk management framework that you should be aware of. ISACA looked to create a framework that merges the traditional IT models with a more risk-focused mind-set. Within the ISACA model, the activities considered key are grouped into processes, which are grouped into three domains, as described in Table 5-1. Table 5-1 Domains and Associated Processes Within the ISACA Risk IT Framework There are three main domains to consider within the ISACA Risk IT Framework: Risk Governance, Risk Evaluation, and Risk Response. You will see many of the same concepts that you’ll find within this book (and even this chapter), so it’s definitely a worthwhile model to review. The Risk Governance domain discusses risk appetite, risk tolerance, and communicating risk to leadership (this should sound familiar!). The Risk Evaluation domain includes an understanding of the impacts to the business and the risk scenarios, developed through the inclusion of internal and external environmental factors, risk management capability, IT capability, and IT- related business capability.
Since we’ve already given you a general overview of the other domains of this framework in Chapter 1, we’ll focus on risk response in particular here. The Risk Response domain covers the risk response definition, risk response prioritization, and key risk indicators (KRIs). KRIs are those that show a potential for risk that is beyond the organization’s risk appetite level, and we will cover them in much more depth in Chapter 6. The framework also describes risk response options such as risk avoidance, risk mitigation, risk sharing and transfer, and risk acceptance. If these sound familiar to you, they are the same options described in NIST, as we mentioned earlier. Again, we’ll go into depth on them later in the chapter. TIP Understand the relationships between the Risk Governance, Risk Evaluation, and Risk Response domains; even though the Risk IT Framework is not covered on the CRISC exam, the framework provides a useful foundation of the concepts. You’ll see many areas of similarity between the ISACA Risk IT Framework and the CRISC exam, so it definitely wouldn’t hurt to include it in your study plan. COBIT While ISACA’s COBIT doesn’t focus solely on risk, it’s still important for you to have a cursory understanding of the framework and its supporting processes, inputs and outputs, and activities. Again, ISACA authored both the CRISC and COBIT frameworks, so you will see many of the same concepts interwoven across the two (as well as within the Risk IT Framework discussed previously, which is quite complementary and often grouped with the other two). To refresh your memory, COBIT was designed to help businesses take advantage of IT assets, increase compliance levels, and manage risk through an integrated framework. This
framework includes processes that have general inputs and outputs, objectives and activities, and associated measures. The most recent version, COBIT 5, was released in 2012, with two updates published in late 2012 and 2013, respectively covering information security and assurance. This should tip you off to the fact that while many IT professionals are familiar with the COBIT framework, it is not meant to be IT-centric or IT security–centric and was developed with organizational governance in mind as its primary goal. Within COBIT, the activities considered key are grouped into domains, which are broken down into processes, as described in Table 5-2. Table 5-2 Domains and Associated Processes Within the ISACA COBIT Framework The COBIT processes associated with risk response are Monitor and Evaluate and are used to ensure that risk response options are implemented and are consistent with the organization’s desired strategy for dealing with risk. Remember that with COBIT, we are talking governance, so this supports the governance perspective more so than an IT risk perspective. These processes could be used to fulfill governance and regulatory requirements with regard to risk response. Understanding Risk Response Options Having developed your understanding of risk, you should also develop an understanding of the corresponding risk response options. These options will help you bring your risk levels down to that vaunted level of risk tolerance that your organization can accept. Within this section, consider how you would recommend that your organization respond to risk effectively but with a balanced approach. Evaluating Risk Response Options Avoidance, mitigation, sharing, and acceptance are all valid options that you should consider using (sometimes at the same
time) to lower the risk level you face. The key is to use these options together; you want to balance risk and reward to maximize the benefits. These benefits can be financial or some other, perhaps difficult to quantify (for example, morale, partnerships, long-term strategy), benefit. We’ll discuss the different risk response options in the next few sections. Risk Mitigation Risk mitigation generally involves the application of controls that lower the overall level of risk by reducing the vulnerability, likelihood of the threat exploit, or impact to the asset if the risk were to be realized. Mitigation actions come in a number of forms; a policy requiring nightly off-site backups of critical data can mitigate the risk of data loss, for instance. Similarly, applying a newly released web browser patch can mitigate the risk of exploitation. The goal is to get the risk down to a level considered acceptable by the organization’s leadership. For the CRISC exam, you need to understand four main types of controls: managerial, technical, operational, and preparedness. The following are examples of each. Managerial • Requiring an acceptable use policy to dictate IT usage within the organization • Starting a risk management program to identify, lower, and monitor unacceptable risk levels within the organization Technical • Implementing additional firewalls to protect internal (non- public-facing) systems • Adding 802.1X port-based network access control to deter unapproved assets being added to the network • Installing an intrusion detection system/intrusion prevention system (IDS/IPS) to monitor for malicious activities or violations of policy Operational • Implementing delegation/separation of duties procedures to assure that one person does not have the sole control over key duties
• Mandating security training and certification requirements to increase the baseline knowledge of IT security-related issues and concepts Preparedness • Executing a tabletop exercise of the Continuity of Operations Plan to test its effectiveness and identify gaps that should be addressed TIP Remember that you’re looking for low-cost, high-reward solutions to offset risk. Sometimes this is just a plan you implement or a process improvement, rather than an expensive piece of hardware! Risk Sharing Risk sharing (often referred to as risk transference) entails the use of a third party to offset part of the risk. Risk sharing can involve the outsourcing of some activities to a third party to reduce the financial impacts of a risk event in many cases. Sharing off-site (co- location) assets and contractual obligations with other entities is one way that organizations implement risk sharing; a cloud service provider can be used within this scenario. The cloud provider might be contractually obligated to assume part of the financial impact in the event of a breach, but be aware that there is a potential loss of brand goodwill or other intangible assets that can be difficult to offload. Another example of risk sharing is the use of an insurance service to cover the financial impacts (at least partially) of a breach; however, the intangible losses mentioned previously would still be present. EXAM TIP Don’t forget that use of a risk-sharing scheme does not totally absolve an organization of its responsibilities; there may still be legal liabilities involved. Risk Acceptance
There will always be some level of residual risk, no matter how many controls you implement or the amount of insurance you purchase. Again, the goal is to get the risk down to a level considered acceptable by the leadership. Risk acceptance occurs when the active decision is made to assume the risk (either inherent or residual) and take no further action to reduce it. The word active is critical here; risk acceptance is different from being risk ignorant in that the risk is identified, alternatives are considered, and a conscious decision is made to accept it. A good example of this is when a person intentionally drives alone in the carpool lane during the hours where multiple people are required to be in the vehicle; if that person is pulled over and ticketed for their lawlessness, that would incur a financial impact. However, they knowingly took the risk of this action, understanding the consequences if caught and accepting it anyway. Similarly, a company might choose to willfully ignore government-mandated control implementation that would incur fines or other financial penalties, assuming that the financial cost incurred would be less than the controls would be to implement. Another common situation is an organization choosing to work in a developing country, knowing there is a high level of risk; the financial rewards of being adopted early could outweigh any potential losses. EXAM TIP It’s important to note that risk acceptance doesn’t insinuate ignorance; it’s an active acknowledgment and conscious decision to accept risk as it is. Risk Avoidance Risk can be avoided through a number of methods. Can you remove the source of risk by making a different choice? Perhaps you don’t need to conduct the activity at all. Avoiding risk can mean anything from eliminating risk associated with a particular activity through the careful analysis of risks and
subsequent changes to a plan to the complete avoidance of a risk by not performing a planned activity. Risk avoidance is the option taken when, after controls have been considered, the level of risk is still not acceptable. An organization might choose not to take on a proposed project because of the probability of failure and subsequent loss of capital, for example. Another scenario might be the organization choosing to not adopt a cloud solution because of the level of sensitivity of information that would be stored within the cloud. Selecting Risk Response Selecting a risk response entails more than just blind luck or uncanny good fortune. In selecting a risk response, you should consider all of the factors we’ve discussed previously, such as cost (both of the response and of the potential cost of not responding), organizational context and associated missions, risk tolerance, and the simple ease of implementation. Within this section we will discuss some of these considerations and how they should affect your final decision. Risk Response Parameters Cost is obviously a large factor in response determination. When you think about cost, think about not only the financial impacts of any decision but also the less easily quantified aspects such as loss of goodwill, loss of brand status, and other hard-to-define attributes. You also need to consider the cost to maintain the responsive mitigation over its required life span. For example, if you are required to apply a costly IT solution into your architecture to load balance and you don’t have an IT professional who is skilled or knowledgeable in that area, you may be required to hire a new professional or train an existing staff member. That also brings up your ability to plan for contingencies; is one person enough to complete this task? You may need more personnel in general to maintain your new security posture or to cross-train existing personnel as an alternative to hiring new people. Maintenance is a huge consideration that should not be shrugged off.
The ability (also defined as capability) for the organization to implement the response should also be considered. How mature is your company’s ability to implement the response? Do you have a small, untrained, ad hoc team (perhaps that sounds cynical, but it happens)? In that case, a more sophisticated measure might not be appropriate; perhaps you need a new team! In contrast, a sharp, well-trained, experienced team can handle more complicated mitigation measures and processes. How effective will the response be? Effectiveness can be measured as the extent to which the response reduces the likelihood or the impact of the risk event to the organization. If the effectiveness of the response activity is in question, that’s a strong reason to consider that path questionable as well. You should also consider the efficiency of a response. Efficiency can be described as the ability for a risk response to cover one or more objectives that our organization sets in front of them. Quite simply, solutions are more efficient if they lower more risks than if they lower only one risk. Consider low-cost, highly effective solutions your “nirvana” and work from there. You want to obviously avoid high-cost, ineffective solutions, but it’s shocking how often you will encounter them! We will talk about prioritizing risk responses in the following section, and these concepts go hand-in-hand. Prioritizing Risk Responses Now that you have a better understanding of what your risk response options are and how you will select them, you need to understand how they should be prioritized. Have you ever worked for a company that had too much money to spend on its security program? (Here’s a hint … we haven’t.) It’s unlikely that you’ll have the resources to complete all of your proposed risk mitigation and response strategies, so knowing the proper
priority is important. This will drive how you spend the money and apply the human resources that will lower your overall risk to an acceptable level. Figure 5-3 depicts the rankings of how you’d generally prioritize risk response options, and we’ll discuss that ranking in more depth within the next section. Figure 5-3 Prioritizing risk response options Risk Response Prioritization Options There are three prioritization options that you need to be aware of for the CRISC exam. They are quick wins, business cases, and deferrals. We will discuss each of these in this section and provide examples of both the options and the alternatives. Quick wins are actions that can be taken that really are winners; as we discussed earlier, you are looking to select risk responses that are high reward and low cost and that are both effective and efficient. Quick wins are just that; they meet those criteria and address a medium to high risk and look good doing it! You should always be looking for a quick win to address a scenario, though that’s easier said than done. Consider a scenario where an organization is having difficulties maintaining source code integrity across multiple teams of software developers. The developers are overwriting each other’s work and causing havoc with old or untested code being pushed into production. It’s a nightmare but one that happens regularly! An example of a quick win is the development of a configuration management board that immediately begins discussing and making decisions on source code changes and cross-pollinating projects among teams. The team might exist happily on its own, or the team might look at incorporating source code control software to force a developer to “check in” and “check out” software before it’s changed. This facilitates logging and improves the ability to
track and roll back from catastrophic implementations. A quick win is almost obvious in nature; why wouldn’t you want to take advantage of it? In contrast, making a business case is more difficult than pitching a quick win. A business case for a particular risk response must be made if the response can’t be quickly or easily implemented without a significant cost or change to the organization or the system. These changes might include processes, infrastructure, architecture, or design, and they are significant enough to warrant a business case to respond to a risk issue. A business case for a risk response justifies the expense and work required to make the response function properly. When you make a business case for a risk response, you must take a number of factors into account. For example, what projects are currently in the pipeline? Is there something that would conflict with your proposed response option, make it irrelevant, or make it more costly? How’s the business doing? If the bottom line is weak, it will be harder to sell any risk response solution that is costly, even if it would significantly improve the baseline level of risk. When a business case needs to be made, generally the risk response option is more costly in general, whether it is costly in terms of financial or personnel resources. It also might be attempting to address a low or medium risk that doesn’t have the attention of the leadership in the way a high risk would. Even an efficient and effective response to a low risk must be questioned and prioritized appropriately. Finally, you choose to defer when risk response options simply don’t make good business sense. A deferral is the polar opposite of the quick win; whereas a quick win is almost obvious in its ability to address a medium or high risk in an efficient and effective way, a deferral is the choice when you have a high cost of response associated with a low risk, one where even a business case can’t be made. In the scheme of prioritization, deferrals will be at the bottom of the list. We choose to accept risk, perhaps until the cost is reduced, or choose risk acceptance
as our permanent measure. At the end of the day, your prioritization should take into account a number of concerns. These include the regulatory mandates that are applicable to your organization, the impact to the business through implementation of the proposed measure (including costs both financial and nonfinancial), the market conditions you find yourself in, the culture and the climate of the organization (including the inherent resistance to change), and the ability to optimize resources. EXAM TIP Always remember that low-cost responses to high- risk scenarios are the goal of risk response prioritization. Identifying Business Opportunities Businesses of all types and markets are looking to create business opportunities. With opportunities, however, comes risk. Risk is not always a bad thing; in some cases, it allows you to get out ahead of your competitors and capitalize on forward-thinking ideas that may be out of your comfort zone. An example that we’ll use frequently is a business looking to move into a developing country; the risk is high, but the reward could also be great. We’ll identify these opportunities here and explore how they can be leveraged. Identifying business opportunities during the selection of risk responses requires the organization to understand its risk appetite and risk tolerance. As we discussed in Chapter 1, risk appetite is how much risk an organization is willing to deal with in any given endeavor, while risk tolerance is the acceptable level of deviation in risk for a particular endeavor or business pursuit. Remember, there’s a certain amount of risk in every business enterprise or pursuit, but the organization may not be able or willing to tolerate large deviations from what it considers its acceptable level of risk on an endeavor. The selection of risk responses will inevitably change the risk appetite/risk tolerance calculation within the organization, and any risk response should be examined against
these guiding factors. When the organization is able and willing to take a risk, it can be considered a business opportunity, and to identify those opportunities, you need to understand the areas that can withstand the risks. Cloud computing is a great example of an opportunity that many organizations consider worth the risk based on the rewards; operating within a difficult business area such as a developing country is another we discussed previously. In the end, to identify business opportunities, remember to look for areas of opportunities that can be leveraged through the creation of a competitive advantage or increased synthesis of activities and processes. Risk Mitigation Hooray! You’ve selected your risk responses carefully and prioritized them appropriately. You’re feeling good about how you’re going to positively capitalize on good risk and minimize bad risk, and you’re going to do it efficiently and effectively. You’re a risk response rock star! Alas, now comes another challenge: implementing those risk response options. In this section, we will talk a bit about how controls are implemented, as well as the concepts of exception management and residual risk. Even the best-laid risk response plan will need to account for these concepts. Have you ever seen a manager act with a knee-jerk reaction to a sudden problem that ends up costing more time and money implementing a solution than the actual issue itself would have? Implementing risk responses properly should consider a few key components, such as the ability to measure its success, proper documentation, and appropriate training. Earlier, we discussed a number of different risk response options, such as risk avoidance, risk sharing (or transference), and risk acceptance. In this chapter, we will focus on risk mitigation. Risk mitigation incorporates controls of varying types across an enterprise to lower risks to an appropriate level. These controls can be anything
from a written document to a sophisticated, comprehensive technical solution, but they should all be designed to most effectively and efficiently mitigate the risk they are associated with. At the end of the day, control should provide the organization with some level of assurance that they can meet their business objectives and deal with any events that occur in a manner that is acceptable to the leadership of the organization. Risk Response Action Plans Quite simply, the risk response action plan lists the risk responses that have been chosen and charts their progress and associated timeline, with an appropriate action owner. This ownership piece is critical because you need a “belly button” to push if things are not going as quickly or as smoothly as they should be. Without a proper risk response action plan, you will likely end up losing sight of where your risk responses are in their progress, if they’ve made any progress at all. Risk response action plans can contain any number of data points inside of them, but at a minimum, they should list the prioritized risk responses, their associated costs, a timeline for their implementation, the associated cost, and the owner of the risk response. The plan should be formally accepted by senior leadership, monitored continuously, and reviewed at regular intervals to ensure it does not deviate from a risk or response perspective. Any deviation should be reported immediately to the senior leadership. Control Development So, what is a control anyway? Quite simply, a control is some sort of measure, be it a document, a technical solution, a procedure, or some other remediation that is put into place to improve the overall security posture of your organization through correcting a gap or making up for a shortfall in another control. Controls can be technical solutions, such as firewalls or intrusion detection systems, but they can also be processes, procedures, policies, or physical controls. We talked in
Chapter 1 about the types of controls (administrative/managerial, technical/logical, and physical/operational), but controls also can be grouped in different families: access control, auditing, configuration management, contingency planning, personnel security, and so on. So, how do you determine new controls to apply to your system or whether your existing controls are good enough? We will discuss this in more depth in the following sections. Control Types As you may have gathered by now, there are many types of controls to choose from. However, you can generally group these controls into a number of broad categories by their intended function; the most common are compensating, corrective, detective, deterrent, directive, and preventative. You may notice some significant overlap between these categories, and that is why some experts do not distinguish between, for example, deterrent controls and preventative controls. Table 5-3 lists each control type, its definition, and an example control. Table 5-3 Controls Categorized by Function NIST 800-53 NIST Special Publication 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations,” is a key catalog of controls to be aware of if you are doing business in the U.S. government but is also a great resource even if you’re not. With its latest revision (revision 4, as of this writing), it includes controls for assuring privacy as well as security and is meant to be policy and technology neutral, meaning that the controls are broad enough to be applied to any architecture. If you’re looking for a document to tell you the steps of how to configure your router securely, this isn’t the document for you; it’s perfect, though, if you’re looking for a
comprehensive view of the scope and magnitude of a system- level control solution. Figure 5-4 lists the families of security controls and their unique identifiers from NIST 800-53. Figure 5-4 NIST 800-53 security controls identifiers and family names (courtesy of NIST, from Special Publication 800- 53, revision 4) ISO 27002 While NIST 800-53 is used heavily within the U.S. government, International Standards Organization (ISO) 27002 is used much more widely internationally. Much like 800-53, 27002 groups controls into families, such as the following: • Human resource security • Asset management • Access control • Cryptography • Physical and environmental security • Operation security • Communication security • System acquisition, development, and maintenance • Supplier relationships • Incident management • Business continuity management Since its birth, versions of 27002 specific to different industries, such as healthcare, have been developed that are tailored to their specific contexts, laws, and regulations. Designing Effective Controls The first step in designing an effective control is to determine who exactly owns the control; this is key because it will determine who actually designs the control, who tracks its care and feeding, and who creates the documentation that will follow the control well into its implementation and eventual disposition. This individual or group should be the party
responsible for determining the security categorization (SC) of the system or environment into which the control will be applied. NIST 800-53 recommends the determination of the SC of an information system as an equation, as described here: SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}, where the acceptable values for potential impact are low, moderate, or high Using this equation, a low-impact system would need to have most or all the confidentiality, integrity, and availability (CIA) elements with a low impact; a moderate-impact system would have a mixture of low and moderate and potentially high elements; and a high-impact system would have most or all of the CIA elements with a high impact. Note that higher-impact systems will usually have more controls applied to them, reflecting their higher sensitivity and criticality within the organization, and these controls will normally be applied with a higher degree of effort or rigor. It is important to understand the SC because it will help you determine how much money, time, and other resources you want to devote to any particular control. As discussed earlier, you are looking for low -risk, high-reward controls. Understanding the impact of the system allows you to plan and design more cost-effective controls. After determining your security category, you will want to understand the common controls. These are controls that are common across your organization and are shared between more than one information system. For example, you may have more than one information system being housed within the same server room in your headquarters building. Perhaps a previously accredited system review already ensured that you have a strong lock and a heavy door between those servers and the rest of the world. This would be a common control between the old system and your new system. Other possibilities could be continuity of operations, policies, and procedures; guards at entrances; biometrics; and so on. These should have already been documented in a plan (we hope!), so a great place to start is to
review the security plans for other systems within your organization. Don’t forget the advent of the cloud has created situations where you are sharing data and systems among more than one organization, often supported by another third-party organization, so you may have common controls among all of your organizations that need to be considered. Also, be constantly aware that any common controls that do not meet your specific requirements (let’s say there’s a strong door but no lock) will require you to add a compensating control to meet your standards. Selecting the appropriate controls for you and developing them often depend on your context (for example, governmen t, healthcare, banking, or some other specific context that mandates a certain regulatory or legal standard for your security). Further, you already developed your security category, as discussed earlier, so you know the impact of the system if it was lost for a period of time. After determining the common controls, you now know where the gaps between the two points are. Now is the time to begin documenting those gaps in the risk response action plan. Don’t forget, if you are dealing with a third party or cloud-based provider, you should also be considering any service level agreements or other legal documentation that will need to be drawn up as part of your risk response action plan. Control Implementation and Adjustment Now that you’ve selected the appropriate controls for your system, it’s time to implement them. You have unlimited time, money, and personnel available, so this shouldn’t be an issue, right? In a perfect world, that would be the case; however, we all know that we have to deal with constraints on a daily basis, so we will discuss how to deal with control implementation as a project using project management tools later in this chapter. This is a great time also to consider any current or future technology knowledge that you may want in your organization. Are the areas you are applying controls to grossly out of date?
Or are they stable and still widely used, causing your leadership to have an “if it ain’t broke, don’t fix it” approach to phasing them out? Consider how you could enable change in the organization through implementing new technologies. This could be anything from upgrading your core network infrastructure to implementing biometrics at critical entry points. Don’t forget to do a thorough review of your existing controls that are in place and how they may need to be adjusted. This will need to be factored into your project plan, both for time and for resources. Risk Response Assessment Security controls should be tested before the system is authorized or credited and at irregular intervals afterward. You assess a program or a project to determine whether it is meeting your specified objectives and to determine whether the controls you have selected to protect the system are performing their desired function to the level you need them to. Conducting an assessment early in the life cycle of control implementation allows for issues with the control to be determined and remediated as appropriate. Based on the rules and regulations that your organization must adhere to, you may be able to do an internal audit of your controls, or you may be required to use a third-party agency or other testing authority. Either way, be mindful that an assessment should be thorough, technical (as appropriate), and independent. Anyone conducting an assessment should be impartial, as free of bias as possible, and preferably not in the same part of the organization as the personnel charged with implementing the controls. You will often see two types of testing discussed within the community; developmental testing/evaluation is conducted in parallel with the development of a system (or in this case the controls for the system), and operational testing/evaluation is conducted before the system is released into final production (or operation). While both types of testing are required in some segments (such as major government systems), some organizations that do not
require developmental testing and evaluation fail to get elected, to their own peril. Quite simply, the time and money spent to assess iteratively along the life cycle of the project will save you dividends in the end. Just imagine the headache you will have if you find out that a major control you were betting on to reduce the risk of external breaches does not play well with your network infrastructure. You would have found that out much earlier if testing occurred sooner. Either way, you should have an assessor, inspector, agent, or other authority assigned to assess your system to detail any flaws found and allow you to better fill the gaps. So, what exactly occurs during control assessment? If you are using a formal set of controls, such as the NIST framework discussed throughout this chapter, you can expect each family of controls to be decomposed into specific requirements that can be assessed in a variety of ways. For example, if continuity of operations is one of the controls you have implemented, you could expect a review of your continuity of operations documentation, a visit to your off-site facility (as appropriate), and perhaps even a test of your backup solution. Another example is the door and lock combination that we discussed previously in this chapter; any assessor worth his or her salt will be checking to make sure you have a lock on all doors but that they are also adequate to meet the requirements to lower your organization’s risk posture. There will be a mixture of documentation review, technical assessments, and interviews that are conducted to determine whether you have adequately covered all the controls required. Table 5-4 lists some common assessment techniques. If you’ve done your due diligence in preparing for an assessment (through adequate documentation, thorough implementation, and appropriate analysis of the actual controls required), this should be no sweat. However, if formal assessment is required for an authorization or accreditation action and you did not diligently pursue these activities, you could be in for a major
headache when you receive your results. Table 5-4 Control Assessment Options Ever thorough, NIST has a guide to security assessment that aligns well with its other documents covering risk management. NIST Special Publication 800-115, “Technical Guide to Information Security Testing And Assessment,” was written with four points of focus: helping organizations establish an information security assessment policy, implementing a repeatable and documented assessment methodology, determining the objectives of the security assessment, and analyzing the findings and developing risk mitigation techniques to address weaknesses. An alternative to the NIST framework is the Open-Source Security Testing Methodology Manual (OSSTMM) from the Institute for Security and Open Methodologies (ISECOM). Currently in its fourth revision, the goal of the OSSTMM is to create a standard for thorough and practical security testing across the community with the following goals: • Quantifiable • Consistent and repeatable • Valid beyond the “now” timeframe • Thorough • Compliant to individual and local laws and the human right to privacy Even if you do not intend to use the OSSTMM framework, it is a useful reference document that contains handy rules of thumb for gauging testing time and sample rules of engagement. Documentation Risk response options must also be thoroughly documented, with a clear owner defined, whether it is a new process, control, team, policy, or any other solution. Just imagine a risk being uncovered that requires a set of procedures for storing, handling, and destroying sensitive information. The procedures
are developed and put on a shelf until an incident occurs. In the meantime, the procedures go stale (locations change, for example), and no clear owner was defined to be responsible for maintaining the documentation. The procedures, in this event, are as good as useless. Substitute any situation where documentation is not only helpful but necessary, and you can quickly see why this is so important. By this point, you’ve no doubt made a number of changes to your organizational security posture, and these changes should be documented within your security plan. You should write security plans assuming that the personnel who are currently active within your organization could leave at any time (the old story about someone being hit by a bus and was the only one who knew how to perform a specific function), so it’s best to always prepare for contingencies such as this by having your security plan as heavily documented as possible. You need to make sure to include a functional description of all controls that were applied to the system, any decisions that were made leading to these controls being implemented, any interdependencies, and any other relevant information. Finally, you also want to include any documentation from testing that occurred and remediations that were made based on testing results. Any risk response planning should outline a rough timeline for implementation, a rough estimate of costs, who is responsible for the implementation, and any required tools (such as software, hardware, and so on) required to complete the tasks. More detail is always better! A lack of clarity is not your ally, especially if the plan is handed over to a team that wasn’t involved in the initial planning process. Finally, you’ll want to track the status of your risk response implementation. This is usually done using a risk register, discussed previously in Chapter 3. To recap, the risk register is a document that tracks various elements of the identified risks, such as the risk name, risk impact, risk probability, risk mitigation, action
owner, and action suspense date. This risk register can be used to track the implementation of the mitigations and assure that timelines are met. Do you have any metrics in place that can determine the success of the risk response? Metrics help you quantify the effectiveness of your implemented risk response over its life. Monitoring comes into play here because it facilitates your ability to understand your performance against the metric. Monitoring can be done through a tool, through a team, or through a combination of both. Exception Management It’s easy to say that your risk response options should always be implemented. You carefully considered the risks to the organization through the risk analysis process, selected appropriate responses, and monitored your risk levels diligently. How could you possibly not implement a control? That would be crazy! However, there are exceptions, and you need to have a process in place to manage those exceptions and keep them minimized. Consider the situation where an operating system patch cannot be applied because of a legacy application that’s critical to the organization’s mission. This mitigation is important but less important than the legacy application and its associated mission. What to do? Exception management comes into play here; you need to document this as an accepted exception to the policy and track it. Perhaps the patch can be implemented in the future, or another mitigation could come along and make the exception moot. This is another aspect of risk acceptance; you are asking management to accept an ongoing risk, as an exception, because the response cannot be implemented for whatever reason. Either way, keeping a close eye is key to not letting these exceptions slip through the cracks. NOTE Don’t forget to track exceptions and remove any that
aren’t valid! It’s easy to let them slip through the cracks. Reporting the Risk Response Activities What are the reporting requirements for your organization? Are they bound by government regulations, international business partnerships, or other binding agreements? Understanding what is required of your organization is absolutely critical for your reporting requirements. You also need to understand what you should report in any of these contexts. For example, it is a good idea to report any issues you have ongoing, the status of any ongoing remediation actions, how your controls performed, any ongoing incidents, and how your overall risk response activities are performing, essentially the “Bottom Line, Up Front” of your risk response action plan. Along with understanding the underlying operational environment, it is key to understand your stakeholders and what their needs are. For example, your board of directors might want a high-level, quarterly presentation on compliance levels relative to the previously discussed operational environment, as well as performance relative to business goals and objectives. The risk committee, conversely, might want a much more “deep dive” into the individual risks identified previously, the new risks that could potentially come to the forefront, and how different business units are supporting the risk management program across the entire organization. It’s important that you understand how these different stakeholders need different reporting mechanisms and tools and that you identify clearly (preferably in writing) how they expect you to support them through timely and relevant reporting. When reporting, you can include a few standard items, such as measured control effectiveness (which can be rolled up to a higher level, as necessary, for management), any ongoing issues, any perceived gaps, the status of any remediation actions, any incidents or risk events that have occurred since the last report, and the overall trending status of the effectiveness of the risk management process. Also, identify ahead of time
whether your report will be included as an input to a greater enterprise report and work to include any appropriate information needed to facilitate that enterprise-level view. This will help garner support for the risk program supporting the business goals and objectives. You should review the results of any third-party analysis or audit that has taken place and incorporate the findings into your understanding of the organization’s risk posture. Has your organization conducted any type of internal audit or self- assessment? These will be important to review and to take a look at how they affect the risk profile and where they will need to be mapped. We’ll discuss the risk tolerance in many places throughout this book, so suffice it to say that the risk tolerance should be considered throughout the reporting process as a key input. NOTEChapter 1 has more information on the concept of risk tolerance and how it relates to risk acceptance. Training After all is said and done and the controls have been implemented and documented, it is important that you conduct regular and traceable training that covers a number of aspects. On top of the usual cyber security, privacy, and acceptable user training that most organizations (should) have in place, it is imperative that the employees responsible for the care and feeding of your controls are properly trained on both the content of the controls and the context of the controls. What does this mean? Content means that a network administrator in charge of your infrastructure, and the subsequent controls, understands the latest evolutions and revolutions in both current threats and vulnerabilities. Context means that the same network administrator in a highly sensitive government environment (think missiles, space, and so on) should know that they should be extra prudent and consider the limitations inherent to their systems and how they interact with other systems (if not the
larger Internet). Without both of these, content and context, as part of the training portfolio for all personnel charged with implementation of controls, you may well likely find that one or the other is neglected. System Development Life Cycle There are many assorted control-related life cycles; some deal with systems, and some are more specific to software or other project types. In this section, we’ll discuss a system development life cycle (SDLC), which is a generic framework used within NIST 800-64, “Security Considerations in the System Development Life Cycle.” The NIST SDLC has five phases: initiation, acquisition/development, implementation/assessment, operations/maintenance, and sunset (otherwise known as disposition). Be on the lookout in this section at how well many of these particular steps align with the concepts covered previously. You should see how important it is that controls are developed and implemented within each phase of this life cycle. In fact, NIST states that “an integrated security component (composed of milestones, deliverables, control gates, and interdependencies) that specifically addresses risk management…enables security to be planned, acquired, built-in, and employed as an integral part of a project or system.” Figure 5-5 depicts the SDLC covered in NIST 800-64. Figure 5-5 NIST 800-64 System Development Life Cycle (courtesy of NIST, from Special Publication 800-64) Initiation In the initiation phase, the need for a system is determined, and its purpose is documented formally. Within the initiation phase, it is critical to consider your control development and integration early and often. In fact, you will save yourself many headaches, time, and eventually money by considering your controls at every step along the way. Within the initiation
phase, security is often expressed as a business risk or a risk to project completion or the business itself. Outputs for the initiation phase could include the following: • Documentation of security roles and responsibilities • Documentation of controls required by regulation, law, or other guidance • Schedule of control activities or decisions throughout the project timeline Acquisition/Development Within the acquisition/development phase, the risk assessment is often conducted, along with any security testing and development of documentation for system certification and accreditation (as required). Risk assessment is covered in-depth in Chapter 2, but just note that an effective risk assessment is built on the initiation phase having been conducted appropriately and thoroughly. This is also the phase where the bulk of your control development will occur. Implementation/Assessment Within the implementation/assessment phase, the system is installed in its new environment and evaluated for its readiness, both operational and security. Here you do a final certification and accreditation review, and the authorizing official or other accrediting authority will take responsibility for the security posture of the system. Any documentation to connect the system to any external entity should be completed within this phase. Outputs for the implementation/assessment phase could include the following: • Accreditation package • System authorization • System security plan Operations/Maintenance Within the operations/maintenance phase of the SDLC, the system is actively operating, so you can leave it alone here, right? Not likely. You need to constantly be looking for ways to
improve and enhance the system, and any improvements or enhancements need to be considered for their security ramifications. Furthermore, the system must be assessed periodically based on regulatory, legal, or other guidelines to ensure that it continues to maintain a risk level that aligns with the company’s risk tolerance. Outputs for the operations/maintenance phase could include the following: • Updated plans of actions and milestones • Change control board documentation • Renewed accreditation and authorization documentation Sunset (Disposition) Every good thing must come to an end, and systems are no exception. The final phase of the SDLC requires a system to be disposed of properly, and in doing this you need to be aware of the controls required for securely disposing of a system and any corresponding data or other artifacts. As NIST points out, there is usually not a definitive end to a system; it is often merely rolled into the next generation of systems, and any data and associated requirements become the province of that group of personnel tasked with the care and feeding of the new shiny solution. However, you do need to be aware that, if required, it is important to have an orderly and safe disposal process on hand that includes migration of data or archival solutions as appropriate. Outputs for the implementation/assessment phase could include the following: • Logs of hardware and media sanitization/destruction • Transition plan Project Management Risk responses should be implemented in a controlled, defined, and monitored manner as discussed previously. One tried-and- true way to do this is through the tenets of project management. The Project Management Body of Knowledge (PMBOK), a publication of the Project Management Institute, defines a project as “a temporary endeavor to create a unique product, service, or result.” Project management, then, is “the application of knowledge, skills, tools, and techniques to
project activities to meet project requirements.” Note that a project in this context is indeed temporary in nature, with a defined beginning and end. Risk management is distinct from project management on this point because project management incorporates concepts to lower project risk but ends with the project, while risk management activities can continue indefinitely. Project management is a great concept to know as a professional because it can be helpful in completing any set of tasks, but for the CRISC exam, you obviously need to keep your risk hat on. In this section, we will discuss the most common project management frameworks and the vital concepts you need to understand for the exam. We’re not advocating for a particular standard to be adopted; in fact, you’ll notice a great deal of similarity among all of the major frameworks. Most importantly, you need to understand that implementing controls is like any other project, in that, as the PMBOK states, it is “the application of knowledge, skills, tools, and techniques to project activities to meet project requirements.” The project activities are the activities you are conducting to meet the project requirement: a set of controls implemented and functioning properly. Project Management Frameworks As we’ve said, a framework can be described as a set of laws, best practices, policies, procedures, and processes, all wrapped up in an implementable, established format. Project management frameworks help provide that standardized, industry-accepted approach toward managing projects. While all project management frameworks differ in their content (and sometimes context) slightly, they all contain basic steps comprising the project initiation, the design and planning phases of the project, the execution of that plan, the tracking of the progress (or monitoring), and project closeout. Each of these phases will have risks that need to be addressed, and some frameworks even have their own specified areas that address risk. An example is tracking the risks (perhaps using a risk
register) alongside the project goals and objectives to ensure that all are kept within organizationally accepted tolerance levels. PMI-PMBOK The Project Management Institute (PMI) Project Management Body of Knowledge is perhaps the most recognized project management framework internationally. The PMBOK divides project management into process groups, knowledge areas, and associated processes. The five process groups are as follows: • Initiating • Planning • Executing • Monitoring and Controlling • Closing Within the Initiating phase, you conduct your project kickoff. This is where you get authorization to move forward with the project, and you create the project charter. Next, you conduct the Planning phase, where the work plan is developed. The Executing phase is where all your hard work planning pays off; you implement your plan and watch it come to life. Monitoring and Controlling covers the critical points of tracking progress against established milestones, goals, and objectives, and conducting remediation actions as necessary. Finally, as discussed previously, all projects have a definite life span and must be closed out in the Closing phase, with appropriate lessons learned documented. There are also a number of certifications associated with the PMBOK framework, including the Project Management Professional (PMP), the Certified Associate in Program Management (CAPM), and the Program Management Professional (PgMP). While you don’t need to know about these certifications within the scope of the CRISC exam, it’s good to be aware of their existence because they are some of the more widely held and respected credentials within the Project Management field. CMMI
The Capability Maturity Model Integration (CMMI) framework is an internationally recognized standard for improving processes within organizations. Developed by Carnegie Mellon University, the CMMI is used to gauge the process maturity within the organization and to place it within a “maturity level.” There are CMMI frameworks for a number of sectors, including CMMI for Acquisition (CMMI-ACQ), CMMI for Services (CMMI-SVC), CMMI for Development (CMMI-DEV), Data Management Maturity (DMM), and the People CMM. You’ll see many large companies boasting about their CMMI level; it’s considered to be a solid gauge of the process maturity within an organization. Why does this matter? If you want to, for example, hire an external software developer to create and maintain an enterprise-wide budget tool, their CMMI rating would give you insight of how they deal with processes such as change management. The maturity levels range from 1 through 5. • Level 1 (Initial) Processes are poorly controlled and managed • Level 2 (Repeatable) Processes are repeatable, sometimes even with consistent results • Level 3 (Defined) Defined processes that can be improved over time • Level 4 (Quantitatively Managed) Finding ways to adapt without significant loss • Level 5 (Optimizing) Focus on continual improvement of processes
CMMI doesn’t discuss risk as overtly as the PMBOK, but you can see the same overarching elements of processes being used to manage the different aspects of a project, including the tracking and optimization. CMMI puts particular value on the concept of process improvement, and organizations operating at CMMI level 5 are actively reviewing and improving their processes—including dealing with risk—on a regular basis. Agile Agile project management frameworks have been used within the software development sector for some time. The Agile methodologies look to improve—you’ll never guess—agility by improving collaboration, reducing bureaucracy and red tape, and facilitating ad hoc groups creating products in a rapid fashion. The Agile Manifesto, released by the Agile Alliance, reflects the following principles: • The highest priority is to satisfy the customer through early and continuous delivery of valuable software. • Welcome changing requirements, even late in development. Agile processes harness change for the customer’s competitive advantage. • Deliver working software frequently, from a couple of weeks to a couple of months, with a preference to the shorter timescale. • Businesspeople and developers must work together daily throughout the project. • Build projects around motivated individuals. Give them the environment and support they need and trust them to get the job done. • The most efficient and effective method of conveying information to and within a development team is face-to-face conversation. • Working software is the primary measure of progress. • Agile processes promote sustainable development. The sponsors, developers, and users should be able to maintain a constant pace indefinitely.
• Continuous attention to technical excellence and good design enhance agility. • Simplicity—the art of maximizing the amount of work not done—is essential. • The best architectures, requirements, and designs emerge from self-organizing teams. • At regular intervals, the team reflects on how to become more effective and then tunes and adjusts its behavior accordingly. Within this manifesto, you notice the concepts of welcoming change (not common within many project management frameworks) and a self-organized team (as opposed to having a project manager formalize team membership). Finally, the concept of iteration—from the team members reflecting regularly on their own effectiveness and tuning accordingly to the delivery of regular products—is central to the Agile mind- set. While its more flexible, ad hoc project management methodology might not be ideal for every organization, you can definitely see how it would appeal to a certain subset of company such as a startup. The Agile framework (as well as the Lean framework, discussed in the next section) differs from the PMBOK and the CMMI in its approach and rigidity. Both Agile and Lean value the ability to make quick changes and the ability to be more ad hoc through the use of self-organizing teams. There is much less emphasis on tracking through the use of metrics, and a discussion of project risk is almost nonexistent. Still, in an organization using these project management frameworks, risk should be considered and incorporated into the project processes from beginning to end. Lean The Lean mind-set is derived from the manufacturing sector and is looking to “lean” organizations through less waste; in this context, it means less waste within projects. Waste can be found within too much unnecessary time spent on a project or unnecessary personnel involved who could be utilized elsewhere. Anything that does not bring value to the project is a
target for “leaning” or improving, perhaps even removal. Value should be defined early in the project by the end customer and often means what they will be willing to pay in the end for any segment or part. Lean project management differs from other frameworks by focusing efforts on improving processes to compress the overall project schedule to reduce the project cost and improve the profitability of the project. A common tool used within Lean projects is the value stream map (VSM). Within the process of creating the VSM, the team will detail the steps, information flows, and any delays currently resident within existing processes. This will allow the team to better understand the current state of the processes within the company and look for areas to reduce waste. At this time, another, updated VSM is created to depict the leaner process. Project Management and Risk Management So, you’ve learned a good bit about project management within the previous sections, but how does it really interact with the discussions of risk? Remember, project management covers a defined project from start to finish and is looking to cut costs (time, scope, and overall project cost), and managing risks can often create new costs. However, as you read through the major frameworks, you’ll see a few concepts that are really central to effective risk response management: understanding the project requirements, tracking project progress, improving processes, and creating value. Look at how these align with the overall risk-focused mind-set. You understand the requirements for tracking risk so that you know the organizational contexts and values, overarching laws and regulations, and existing policies that you must consider when determining how you will approach risk management. You track the progress in implementing your chosen risk responses (and track exceptions to the policies using your exception management process). You improve the fundamental organizational processes by incorporating a calculation of risk throughout all of your projects. Finally, understanding risk creates real value for the
leadership because no project should be considered if the overall risk of failure, for example, outweighs the reward of success. Risk management helps your leadership succeed by helping quantify these concepts in a way that honest assessments can be made. Chapter Review In this chapter, we covered the risk response process from top to bottom. We discussed three major risk frameworks, the NIST RMF, the ISACA IT Risk Framework, and the ISACA COBIT. The NIST process is comprised of six steps: security categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring, and it has an important consideration of continuous monitoring. The ISACA IT Risk Framework has three domains: Risk Governance, Risk Evaluation, and Risk Response. COBIT is not risk-centric or IT security–centric but is largely focused on governance. These frameworks all differ in their scope and content but have the same underlying goal of helping identify, deal with, and monitor risks within an organization. We discussed how risk response is an essential topic within all three frameworks. We then covered the risk response process that includes the selection of risk response options, the prioritization of risk response options, and the implementation of the risk response plan. Each of these facets contains a number of key steps involving analysis, proper communication, and consideration of the organizational risk tolerance and risk appetite. We then developed an understanding of the different risk response options, including risk avoidance, risk mitigation, risk sharing or transference, and risk acceptance. Each one of these options has advantages and disadvantages. We also discussed how risk responses should be selected and appropri ately prioritized. This requires an understanding of whether a response is a quick win (a situation where the response is high benefit and low cost), requires a business case to be made, or
necessitates a deferral (where the risk does not outweigh the potential cost). Each risk response choice requires careful consideration of these options to determine the best course of action; also, when it’s time to implement the risk responses, knowing how to incorporate metrics, document thoroughly, and manage exceptions to the plan is key. We also discussed how to implement the risk mitigations after they’ve been chosen, through the use of frameworks, both for controls and for the overarching project management. You learned how risk responses are assessed, through documentation review, technical assessment, and interviews. We discussed how to properly document risk responses and any exceptions and report the activities to leadership. Finally, we covered training for both content and context as a regular, repeatable activity for personnel charged with implementing any controls. image3.jpeg image4.jpeg image5.jpeg image6.jpeg image7.jpeg image8.jpeg image9.jpeg image10.jpeg image11.jpeg image12.jpeg image1.jpeg image2.jpeg Discussion 3 Purpose · Describe the risk response process. · Evaluate risk response options and align choices with business objectives. · Identify the bad actors in cyberspace and compare and contrast their resources, capabilities/techniques, motivations, and
aversion to risk. [NSA CTH 1] · Select the optimal methodology based on needs, advantages, and disadvantages. [NSA SRA 4] Responding to and Mitigating Risk When it comes to responding to risk, there is no one size fit all approach. Individuals, businesses, and governments will need to determine how they will deal with these risks, whether to accept, transfer, or mitigate such risks. Understanding the source of the risk, whether man-made or natural, will need to be considered when responding to risks. Several other factors will also need to be considered, including the organization’s mission, goals and objectives, risk appetite, resources, and capabilities. Risk response frameworks, as well as the Plan-Do- Check-Adjust (PDCA) life cycle are good references to consult when planning responses to risks. Whatever risk response is chosen, it’s important to remember that low-cost responses to high-risk scenarios are the goal of risk response prioritization. Overview This discussion is based on the same scenario as Discussion 2. You’ll remember that the scenario mirrors a natural event (world-wide pandemic), the COVID-19 outbreak, but is based on a fictitious company. Again, feel free to make some assumptions as you work on this module’s discussion. Note: For this assignment, you will not be able to see your classmates’ posts until after you post. The scenario (Discussion 2): You work for a U.S.-based company called Hintel, an IT company that manufactures computer chips. The company’s factories handle over 70 percent of its manufacturing operations. The factories are geographically located in China, Italy, and South Africa. In January 2020, the U.S. Centers for Disease Control (CDC) announced that they were responding to “an outbreak of respiratory disease caused by a novel (new) coronavirus that was first detected in China and which has now been detected in more than 100 locations internationally, including in the United
States. The virus has been named SARS-CoV-2 and the disease it causes has been named Coronavirus Disease 2019 (abbreviated COVID-19). On January 30, 2020, the International Health Regulations Emergency Committee of the World Health Organization (WHO) declared the outbreak a public health emergency on International concern.1 Since January 30, 2020 when the outbreak was declared a public health emergency, many businesses have suffered major financial losses due to a temporary loss of confidence in financial markets, restricted movements, and in the case of “Hintel”, the closures of its major factories in China and Italy. The company currently reports approximately $75m in losses per day as a result of this pandemic.” 1 https://www.cdc.gov/coronavirus/2019-ncov/cases- updates/summary.html Include the following in your post: · As the CIO of “Hintel”, you have been summoned by the organization’s board to share your response plans. Identify and explain 3 to 5 risk response options that you would share with the board. Note that these points could essentially be included in your disaster recovery plan. · Describe 3 to 5 factors that you would consider when evaluating the risk response options that you shared above, bearing in mind the importance of establishing and maintaining trust throughout the process. · Pandemics such as COVID-19 may enable bad actors in cyberspace to harm businesses. Identify and describe potential opportunities that these actors could exploit to harm businesses. · Describe technical controls “Hintel” could implement to reduce cybersecurity-related risks from these bad actors. Action Items 1. Create discussion post according to the directions in the overview. 2. Read the assignment rubric to understand how your work will
be assessed. Module: Here are the resources you need to prepare for this module: · Chapter 5, Risk Response and Mitigation (Links to an external site.), in Rogers & Dunkerley (2016) · The Phoenix Project: Remediation of a Cybersecurity Crisis at the University of Virginia (Links to an external site.) Case Study · NIST Guide for Conducting Risk Assessments (Links to an external site.) · The Three Ts of the Cyber Economy

More Related Content

PDF
Cyber Security Program Realization in the Mid Market - Executive Summary
Steve Leventhal
 
DOCX
Responses needed, a paragraph per bullet question (7-8 sentences).docx
ronak56
 
DOC
The security risk management guide
Sergey Erohin
 
DOC
The security risk management guide
Sergey Erohin
 
PPT
Information Serurity Risk Assessment Basics
Vidyalankar Institute of Technology
 
DOCX
Project 7 - Organization Security PlanChoose an organization fro.docx
anitramcroberts
 
DOCX
Project 7 Organization Security PlanChoose an organization from.docx
wkyra78
 
DOCX
Week 1Defining the Safety Management SystemSeveral years .docx
celenarouzie
 
Cyber Security Program Realization in the Mid Market - Executive Summary
Steve Leventhal
 
Responses needed, a paragraph per bullet question (7-8 sentences).docx
ronak56
 
The security risk management guide
Sergey Erohin
 
The security risk management guide
Sergey Erohin
 
Information Serurity Risk Assessment Basics
Vidyalankar Institute of Technology
 
Project 7 - Organization Security PlanChoose an organization fro.docx
anitramcroberts
 
Project 7 Organization Security PlanChoose an organization from.docx
wkyra78
 
Week 1Defining the Safety Management SystemSeveral years .docx
celenarouzie
 

Similar to CHAPTER 5Risk Response and MitigationIn this chapter, you will.docx (20)

DOCX
The Significance of IT Security Management & Risk Assessment
Bradley Susser
 
DOCX
D e c e m b e r 2 0 1 4 J O U R N A L O F I N T E R N E T
OllieShoresna
 
PDF
Risk Management Frameworks
Daniel Kapellmann Zafra
 
PDF
How to write an IT security policy guide - Tareq Hanaysha
Hanaysha
 
DOCX
Running Head CYBERSECURITY FRAMEWORK1CYBERSECURITY FRAMEWORK.docx
healdkathaleen
 
PDF
A Practical Approach to Managing Information System Risk
amiable_indian
 
DOCX
Cmgt 582 Education Specialist -snaptutorial.com
DavisMurphyC37
 
DOCX
Cmgt 582 Effective Communication / snaptutorial.com
HarrisGeorg12
 
PDF
Risk Management & Information Security Management Systems
IT-Toolkits.org
 
PDF
u10a1-Risk Assessment Report-Beji Jacob
Beji Jacob
 
PDF
abcd
Narendra Rawat
 
DOCX
 risk-based approach of managing information systems is a holistic.docx
odiliagilby
 
DOCX
Chapter 1The International Information Systems Security Certifi.docx
cravennichole326
 
PDF
SAFECode_Agile_Dev_Security0712
Vishal Asthana, CISSP
 
PPTX
800-37.pptx
AvniJain836319
 
DOCX
ISE 510 Final Project Guidelines and Rubric Overview The fi.docx
aryan532920
 
PDF
Toward a Trusted Supply Chain White Paper from Microsoft
David J Rosenthal
 
DOCX
Global Health Comparison Grid TemplateGlobal Health Co
MatthewTennant613
 
DOC
Management systems
melynch
 
DOCX
There are two general types of data dictionaries a database manag
GrazynaBroyles24
 
The Significance of IT Security Management & Risk Assessment
Bradley Susser
 
D e c e m b e r 2 0 1 4 J O U R N A L O F I N T E R N E T
OllieShoresna
 
Risk Management Frameworks
Daniel Kapellmann Zafra
 
How to write an IT security policy guide - Tareq Hanaysha
Hanaysha
 
Running Head CYBERSECURITY FRAMEWORK1CYBERSECURITY FRAMEWORK.docx
healdkathaleen
 
A Practical Approach to Managing Information System Risk
amiable_indian
 
Cmgt 582 Education Specialist -snaptutorial.com
DavisMurphyC37
 
Cmgt 582 Effective Communication / snaptutorial.com
HarrisGeorg12
 
Risk Management & Information Security Management Systems
IT-Toolkits.org
 
u10a1-Risk Assessment Report-Beji Jacob
Beji Jacob
 
abcd
Narendra Rawat
 
 risk-based approach of managing information systems is a holistic.docx
odiliagilby
 
Chapter 1The International Information Systems Security Certifi.docx
cravennichole326
 
SAFECode_Agile_Dev_Security0712
Vishal Asthana, CISSP
 
800-37.pptx
AvniJain836319
 
ISE 510 Final Project Guidelines and Rubric Overview The fi.docx
aryan532920
 
Toward a Trusted Supply Chain White Paper from Microsoft
David J Rosenthal
 
Global Health Comparison Grid TemplateGlobal Health Co
MatthewTennant613
 
Management systems
melynch
 
There are two general types of data dictionaries a database manag
GrazynaBroyles24
 
Ad

More from Abhinav816839 (20)

DOCX
Clinical Reasoning Case Study Total Parenteral NutritionName ____.docx
Abhinav816839
 
DOCX
Correctional Health Care AssignmentCourse Objective for Assignme.docx
Abhinav816839
 
DOCX
Class Response 1 Making or implementing policies should ultima.docx
Abhinav816839
 
DOCX
Chapter 3 - Evaluation Rubric Criteria Does Not Meet 0.01 .docx
Abhinav816839
 
DOCX
Chapter 4 (Sexual Assault)Points Possible 20Deliverable Len.docx
Abhinav816839
 
DOCX
CS547 Wireless Networking and Security Exam 1 Questio.docx
Abhinav816839
 
DOCX
Communicating professionally and ethically is an essential ski.docx
Abhinav816839
 
DOCX
Case Study The HouseCallCompany.com Abstract The case.docx
Abhinav816839
 
DOCX
BiopsychologySensation and PerceptionInstructionsTake a mom.docx
Abhinav816839
 
DOCX
Chapter 2Historical Perspectives on Case ManagementChapter In.docx
Abhinav816839
 
DOCX
Compare and Contrast Systems Development Life Cycle (SDLC Mo.docx
Abhinav816839
 
DOCX
C H A P T E R F O U R PROBLEMS OF COMMUNICATIONCri.docx
Abhinav816839
 
DOCX
By Day 6 of Week Due 917Respond to at least two of your c.docx
Abhinav816839
 
DOCX
ASSIGNMENT 3 (CHAPTERS 8-9) QUESTIONS Name .docx
Abhinav816839
 
DOCX
3 pages excluding the title and reference page.Describe how Ph.docx
Abhinav816839
 
DOCX
91422, 1134 AM Printhttpscontent.uagc.eduprintMcNe.docx
Abhinav816839
 
DOCX
All details are posted in the documentPlease use this topics for.docx
Abhinav816839
 
DOCX
1, Describe the mind as a stream of consciousness, and what it revea.docx
Abhinav816839
 
DOCX
2Some of the ways that students are diverse in todays schools .docx
Abhinav816839
 
DOCX
40 CHAPTER 18 THE NEW SOUTH AND THE NEW WEST, 1865-1900 .docx
Abhinav816839
 
Clinical Reasoning Case Study Total Parenteral NutritionName ____.docx
Abhinav816839
 
Correctional Health Care AssignmentCourse Objective for Assignme.docx
Abhinav816839
 
Class Response 1 Making or implementing policies should ultima.docx
Abhinav816839
 
Chapter 3 - Evaluation Rubric Criteria Does Not Meet 0.01 .docx
Abhinav816839
 
Chapter 4 (Sexual Assault)Points Possible 20Deliverable Len.docx
Abhinav816839
 
CS547 Wireless Networking and Security Exam 1 Questio.docx
Abhinav816839
 
Communicating professionally and ethically is an essential ski.docx
Abhinav816839
 
Case Study The HouseCallCompany.com Abstract The case.docx
Abhinav816839
 
BiopsychologySensation and PerceptionInstructionsTake a mom.docx
Abhinav816839
 
Chapter 2Historical Perspectives on Case ManagementChapter In.docx
Abhinav816839
 
Compare and Contrast Systems Development Life Cycle (SDLC Mo.docx
Abhinav816839
 
C H A P T E R F O U R PROBLEMS OF COMMUNICATIONCri.docx
Abhinav816839
 
By Day 6 of Week Due 917Respond to at least two of your c.docx
Abhinav816839
 
ASSIGNMENT 3 (CHAPTERS 8-9) QUESTIONS Name .docx
Abhinav816839
 
3 pages excluding the title and reference page.Describe how Ph.docx
Abhinav816839
 
91422, 1134 AM Printhttpscontent.uagc.eduprintMcNe.docx
Abhinav816839
 
All details are posted in the documentPlease use this topics for.docx
Abhinav816839
 
1, Describe the mind as a stream of consciousness, and what it revea.docx
Abhinav816839
 
2Some of the ways that students are diverse in todays schools .docx
Abhinav816839
 
40 CHAPTER 18 THE NEW SOUTH AND THE NEW WEST, 1865-1900 .docx
Abhinav816839
 
Ad

Recently uploaded (20)

PDF
Trump Administration's workforce development strategy
Mebane Rash
 
PDF
2.FourierTransform-ShortQuestionswithAnswers.pdf
Raji Murugan
 
PPTX
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
NihumathunnisaH
 
PPTX
Microbial diseases, their pathogenesis and prophylaxis
DevlinaSengupta
 
PDF
Computing-Curriculum for Schools in Ghana
abigailanane203
 
PDF
01-Introduction-to-Information-Management.pdf
PrinceIbarra
 
PDF
Chinmaya Tiranga quiz Grand Finale.pdf
Nitin Suresh
 
PDF
GENETICS IN BIOLOGY IN SECONDARY LEVEL FORM 3
ElishamichaelSamwel
 
PDF
A GUIDE TO GENETICS FOR UNDERGRADUATE MEDICAL STUDENTS
DrBincy A. S
 
PPTX
Orientation - ARALprogram of Deped to the Parents.pptx
JeromeTamayoSantiago1
 
PDF
LDMMIA Reiki Yoga Finals Review Spring Summer
LDMMia Reiki Lectures
 
PPTX
Tissue processing ( HISTOPATHOLOGICAL TECHNIQUE
mathiasmelwyn7
 
PDF
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
jahanzaibmughal6
 
PDF
Paper A Mock Exam 9_ Attempt review.pdf.
SameeraNaveed2
 
PPTX
History, Philosophy and sociology of education (1).pptx
tmdth1
 
PDF
Complications of Minimal Access Surgery at WLH
mohitsuren827
 
PDF
Anesthesia in Laparoscopic Surgery in India
mohitsuren827
 
PDF
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
banteamlakmebratu738
 
PDF
RTP_AR_KS1_Tutor's Guide_English [FOR REPRODUCTION].pdf
RobertMentino1
 
DOC
Soft-furnishing-By-Architect-A.F.M.Mohiuddin-Akhand.doc
ArchitectAFMMohiuddi
 
Trump Administration's workforce development strategy
Mebane Rash
 
2.FourierTransform-ShortQuestionswithAnswers.pdf
Raji Murugan
 
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
NihumathunnisaH
 
Microbial diseases, their pathogenesis and prophylaxis
DevlinaSengupta
 
Computing-Curriculum for Schools in Ghana
abigailanane203
 
01-Introduction-to-Information-Management.pdf
PrinceIbarra
 
Chinmaya Tiranga quiz Grand Finale.pdf
Nitin Suresh
 
GENETICS IN BIOLOGY IN SECONDARY LEVEL FORM 3
ElishamichaelSamwel
 
A GUIDE TO GENETICS FOR UNDERGRADUATE MEDICAL STUDENTS
DrBincy A. S
 
Orientation - ARALprogram of Deped to the Parents.pptx
JeromeTamayoSantiago1
 
LDMMIA Reiki Yoga Finals Review Spring Summer
LDMMia Reiki Lectures
 
Tissue processing ( HISTOPATHOLOGICAL TECHNIQUE
mathiasmelwyn7
 
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
jahanzaibmughal6
 
Paper A Mock Exam 9_ Attempt review.pdf.
SameeraNaveed2
 
History, Philosophy and sociology of education (1).pptx
tmdth1
 
Complications of Minimal Access Surgery at WLH
mohitsuren827
 
Anesthesia in Laparoscopic Surgery in India
mohitsuren827
 
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
banteamlakmebratu738
 
RTP_AR_KS1_Tutor's Guide_English [FOR REPRODUCTION].pdf
RobertMentino1
 
Soft-furnishing-By-Architect-A.F.M.Mohiuddin-Akhand.doc
ArchitectAFMMohiuddi
 

CHAPTER 5Risk Response and MitigationIn this chapter, you will.docx

  • 1. CHAPTER 5 Risk Response and Mitigation In this chapter, you will: • Learn about the risk response process • Understand risk response options and how to align choices with business objectives • Become familiar with risk response standards and frameworks • Understand how risk appetite and tolerance affect risk response choices • Understand risk response action plans and how they are developed • Understand how controls are designed, implemented, and executed • Develop better project management skills to more effectively execute risk response plans • Learn methods to document and assess risk responses • Determine how to best train personnel on risk responses In this chapter, we will review the concepts that comprise Certified in Risk and Information Systems Control (CRISC) Domain 3, which is focused on risk response and mitigation. There is a natural progression from the risk assessment discussions in previous chapters that covered CRISC Domains 1 and 2, to the discussion on risk response in this chapter; you will see that many of the outputs from those processes lead directly to this chapter because an organization generally wants a positive response to any risk assessment findings. After discussing how risk responses are chosen, we will discuss how to implement those risk responses, including how to design, develop, and adjust controls. The CRISC exam objectives covered during this chapter include the following task statements: • 3.1 Consult with risk owners to select and align recommended risk responses with business objectives and enable informed risk decisions
  • 2. • 3.2 Consult with, or assist, risk owners on the development of risk action plans to ensure that the plans include key elements (e.g., response, cost, target date) • 3.3 Consult on the design and implementation or adjustment of mitigating controls to ensure that the risk is managed to an acceptable level • 3.4 Ensure that control ownership is assigned to establish clear lines of accountability • 3.5 Assist control owners in developing control procedures and documentation to enable efficient and effective control execution • 3.6 Update the risk register to reflect changes in risk and management’s risk response • 3.7 Validate that risk responses have been executed according to the risk action plans Risk Response Every organization has risk. The leaders of smart organizations, however, have determined how they will deal with that risk appropriately for their business context. Will they accept all risks? Will they transfer some risks to a third party, such as an insurance company? These are some questions that need to be considered within the risk response process, discussed in this chapter. We will also discuss the major risk frameworks within the field and how they incorporate risk response determination and implementation. Please note that risk is different for every organization; risk within an educational context is different from a financial context, which is different from a government context. Also keep in mind that IT risks are different from business or mission-oriented risks. It’s important to note that the mission of the organization helps to shape risks and responses as well. This is why it’s so important that organizations conduct a thorough risk analysis and understand and prioritize the response options that are right for them. You should also remember that the risks to the business, the business goals and objectives, and the systems supporting those functions
  • 3. should all be considered throughout the risk response process. It’s easy as an IT professional to forget that the business objectives are the top priority, but to maximize efficiency and effectiveness (and especially to pass the exam), you should keep that in mind. It’s a good idea to think about this risk response action plan in a Plan-Do-Check-Adjust (PDCA) life cycle, as shown in Figure 5-1. The PDCA model (often referred to as the Plan-Do-Check-Act or Deming cycle) promotes continuous improvement. In this case, you are planning (designing), doing (implementing), checking (assessing), and adjusting (adjusting and creating documentation) the quality controls that will respond to risk. Figure 5-1 Plan-Do-Check-Adjust cycle Risk Response Standards and Frameworks Standards and frameworks help provide a standardized, industry-accepted approach toward managing risk. While they’re certainly not perfect, they provide a baseline for an organization to recognize the key steps toward understanding and categorizing the risks to their business, implementing the appropriate security controls to lower risk to an acceptable level, and continually monitoring the residual risk and report status to the management. Each standard and framework has its own pluses and minuses, and we will discuss three of the most commonly used: the National Institute of Standards and Technology (NIST) Risk Management Framework, the ISACA Risk IT Framework, and the ISACA Control Objectives for Information and Related Technology (COBIT). Keep in mind that while we discussed these three frameworks in Chapter 1, our discussion there served only to introduce you to the frameworks. In this chapter, you will look at them from the perspective of risk response in particular.
  • 4. NOTE You can find more general information on standards, frameworks, and best practices (and the differences between the three) in Chapter 1. NIST Risk Management Framework NIST Special Publication 800-37, revision 1, “Guide for Applying the Risk Management Framework to Federal Information Systems,” along with other supporting publications from NIST (part of the U.S. Department of Commerce), makes up the defining volumes of the Risk Management Framework (RMF). The RMF is comprised of six steps, as shown in Figure 5-2. Figure 5-2 The NIST Risk Management Framework (courtesy of NIST, from Special Publication 800-53, revision 4) 1. Categorize information systems. 2. Select security controls. 3. Implement security controls. 4. Assess security controls. 5. Authorize information systems. 6. Monitor security controls. Security categorization requires the information systems and associated information to be categorized based on an impact analysis. When selecting a set of security controls, the security categorization, as well as any previous assessments of risk, must be taken into account. Following this step, you implement
  • 5. the security controls that were previously selected and then assess their effectiveness and the overall success of the controls of lowering the risk to the accepted level. Finally, the security controls need to be continually monitored to be sure they continue to operate as intended, as well as considering any changes that come into effect across the organization (think location, mission, security classification, or other underlying factors). You will notice many additional concepts within NIST Special Publication 800-37 that are germane to the CRISC exam; for example, the first two steps of the RMF discuss categorizing and selecting appropriate security controls (which we will discuss later in this chapter), while steps 3, 4, and 6 map cleanly to the implementation, assessment, and continuous monitoring of controls (covered throughout this book). For these reasons alone, it’s a great idea to read this document to understand how the steps work together and how they are similar to (and sometimes different from) other frameworks. From a response perspective, the key point that you need to understand about the NIST RMF, and what makes it so revolutionary within the Department of Defense (DoD) and associated organizations, is that risk response starts with steps 4 and 5 of the RMF. This is where authorizing the system (based upon the responsible authority’s acceptance of risk levels) and continuous monitoring take place. Continuous monitoring within the RMF context means near-real-time risk management through the implementation of a comprehensive set of controls that provide an up-to-date status of the current security posture of the organization. To achieve these ends, the RMF encourages automated mechanisms (such as Tenable Security Center and the McAfee Host-Based Security System, for example) to be implemented to support rapid analysis and reporting to management, and for organizations under the mandate of the standard, the RMF establishes a level of accountability and responsibility for the controls selected and implemented within supporting information systems.
  • 6. Risk response is also covered in NIST Special Publication 800- 39, “Managing Information Security Risk,” and the different response options are discussed in Chapter 3 of that publication. They include risk acceptance, transfer, avoidance, sharing, and so forth, which make it a great reference document. They are similar to what the next framework, the ISACA Risk IT Framework, discusses in terms of risk response. We’ll discuss the risk response options in more depth later in this chapter. ISACA Risk IT Framework Published in 2009, the ISACA Risk IT Framework is another common risk management framework that you should be aware of. ISACA looked to create a framework that merges the traditional IT models with a more risk-focused mind-set. Within the ISACA model, the activities considered key are grouped into processes, which are grouped into three domains, as described in Table 5-1. Table 5-1 Domains and Associated Processes Within the ISACA Risk IT Framework There are three main domains to consider within the ISACA Risk IT Framework: Risk Governance, Risk Evaluation, and Risk Response. You will see many of the same concepts that you’ll find within this book (and even this chapter), so it’s definitely a worthwhile model to review. The Risk Governance domain discusses risk appetite, risk tolerance, and communicating risk to leadership (this should sound familiar!). The Risk Evaluation domain includes an understanding of the impacts to the business and the risk scenarios, developed through the inclusion of internal and external environmental factors, risk management capability, IT capability, and IT- related business capability.
  • 7. Since we’ve already given you a general overview of the other domains of this framework in Chapter 1, we’ll focus on risk response in particular here. The Risk Response domain covers the risk response definition, risk response prioritization, and key risk indicators (KRIs). KRIs are those that show a potential for risk that is beyond the organization’s risk appetite level, and we will cover them in much more depth in Chapter 6. The framework also describes risk response options such as risk avoidance, risk mitigation, risk sharing and transfer, and risk acceptance. If these sound familiar to you, they are the same options described in NIST, as we mentioned earlier. Again, we’ll go into depth on them later in the chapter. TIP Understand the relationships between the Risk Governance, Risk Evaluation, and Risk Response domains; even though the Risk IT Framework is not covered on the CRISC exam, the framework provides a useful foundation of the concepts. You’ll see many areas of similarity between the ISACA Risk IT Framework and the CRISC exam, so it definitely wouldn’t hurt to include it in your study plan. COBIT While ISACA’s COBIT doesn’t focus solely on risk, it’s still important for you to have a cursory understanding of the framework and its supporting processes, inputs and outputs, and activities. Again, ISACA authored both the CRISC and COBIT frameworks, so you will see many of the same concepts interwoven across the two (as well as within the Risk IT Framework discussed previously, which is quite complementary and often grouped with the other two). To refresh your memory, COBIT was designed to help businesses take advantage of IT assets, increase compliance levels, and manage risk through an integrated framework. This
  • 8. framework includes processes that have general inputs and outputs, objectives and activities, and associated measures. The most recent version, COBIT 5, was released in 2012, with two updates published in late 2012 and 2013, respectively covering information security and assurance. This should tip you off to the fact that while many IT professionals are familiar with the COBIT framework, it is not meant to be IT-centric or IT security–centric and was developed with organizational governance in mind as its primary goal. Within COBIT, the activities considered key are grouped into domains, which are broken down into processes, as described in Table 5-2. Table 5-2 Domains and Associated Processes Within the ISACA COBIT Framework The COBIT processes associated with risk response are Monitor and Evaluate and are used to ensure that risk response options are implemented and are consistent with the organization’s desired strategy for dealing with risk. Remember that with COBIT, we are talking governance, so this supports the governance perspective more so than an IT risk perspective. These processes could be used to fulfill governance and regulatory requirements with regard to risk response. Understanding Risk Response Options Having developed your understanding of risk, you should also develop an understanding of the corresponding risk response options. These options will help you bring your risk levels down to that vaunted level of risk tolerance that your organization can accept. Within this section, consider how you would recommend that your organization respond to risk effectively but with a balanced approach. Evaluating Risk Response Options Avoidance, mitigation, sharing, and acceptance are all valid options that you should consider using (sometimes at the same
  • 9. time) to lower the risk level you face. The key is to use these options together; you want to balance risk and reward to maximize the benefits. These benefits can be financial or some other, perhaps difficult to quantify (for example, morale, partnerships, long-term strategy), benefit. We’ll discuss the different risk response options in the next few sections. Risk Mitigation Risk mitigation generally involves the application of controls that lower the overall level of risk by reducing the vulnerability, likelihood of the threat exploit, or impact to the asset if the risk were to be realized. Mitigation actions come in a number of forms; a policy requiring nightly off-site backups of critical data can mitigate the risk of data loss, for instance. Similarly, applying a newly released web browser patch can mitigate the risk of exploitation. The goal is to get the risk down to a level considered acceptable by the organization’s leadership. For the CRISC exam, you need to understand four main types of controls: managerial, technical, operational, and preparedness. The following are examples of each. Managerial • Requiring an acceptable use policy to dictate IT usage within the organization • Starting a risk management program to identify, lower, and monitor unacceptable risk levels within the organization Technical • Implementing additional firewalls to protect internal (non- public-facing) systems • Adding 802.1X port-based network access control to deter unapproved assets being added to the network • Installing an intrusion detection system/intrusion prevention system (IDS/IPS) to monitor for malicious activities or violations of policy Operational • Implementing delegation/separation of duties procedures to assure that one person does not have the sole control over key duties
  • 10. • Mandating security training and certification requirements to increase the baseline knowledge of IT security-related issues and concepts Preparedness • Executing a tabletop exercise of the Continuity of Operations Plan to test its effectiveness and identify gaps that should be addressed TIP Remember that you’re looking for low-cost, high-reward solutions to offset risk. Sometimes this is just a plan you implement or a process improvement, rather than an expensive piece of hardware! Risk Sharing Risk sharing (often referred to as risk transference) entails the use of a third party to offset part of the risk. Risk sharing can involve the outsourcing of some activities to a third party to reduce the financial impacts of a risk event in many cases. Sharing off-site (co- location) assets and contractual obligations with other entities is one way that organizations implement risk sharing; a cloud service provider can be used within this scenario. The cloud provider might be contractually obligated to assume part of the financial impact in the event of a breach, but be aware that there is a potential loss of brand goodwill or other intangible assets that can be difficult to offload. Another example of risk sharing is the use of an insurance service to cover the financial impacts (at least partially) of a breach; however, the intangible losses mentioned previously would still be present. EXAM TIP Don’t forget that use of a risk-sharing scheme does not totally absolve an organization of its responsibilities; there may still be legal liabilities involved. Risk Acceptance
  • 11. There will always be some level of residual risk, no matter how many controls you implement or the amount of insurance you purchase. Again, the goal is to get the risk down to a level considered acceptable by the leadership. Risk acceptance occurs when the active decision is made to assume the risk (either inherent or residual) and take no further action to reduce it. The word active is critical here; risk acceptance is different from being risk ignorant in that the risk is identified, alternatives are considered, and a conscious decision is made to accept it. A good example of this is when a person intentionally drives alone in the carpool lane during the hours where multiple people are required to be in the vehicle; if that person is pulled over and ticketed for their lawlessness, that would incur a financial impact. However, they knowingly took the risk of this action, understanding the consequences if caught and accepting it anyway. Similarly, a company might choose to willfully ignore government-mandated control implementation that would incur fines or other financial penalties, assuming that the financial cost incurred would be less than the controls would be to implement. Another common situation is an organization choosing to work in a developing country, knowing there is a high level of risk; the financial rewards of being adopted early could outweigh any potential losses. EXAM TIP It’s important to note that risk acceptance doesn’t insinuate ignorance; it’s an active acknowledgment and conscious decision to accept risk as it is. Risk Avoidance Risk can be avoided through a number of methods. Can you remove the source of risk by making a different choice? Perhaps you don’t need to conduct the activity at all. Avoiding risk can mean anything from eliminating risk associated with a particular activity through the careful analysis of risks and
  • 12. subsequent changes to a plan to the complete avoidance of a risk by not performing a planned activity. Risk avoidance is the option taken when, after controls have been considered, the level of risk is still not acceptable. An organization might choose not to take on a proposed project because of the probability of failure and subsequent loss of capital, for example. Another scenario might be the organization choosing to not adopt a cloud solution because of the level of sensitivity of information that would be stored within the cloud. Selecting Risk Response Selecting a risk response entails more than just blind luck or uncanny good fortune. In selecting a risk response, you should consider all of the factors we’ve discussed previously, such as cost (both of the response and of the potential cost of not responding), organizational context and associated missions, risk tolerance, and the simple ease of implementation. Within this section we will discuss some of these considerations and how they should affect your final decision. Risk Response Parameters Cost is obviously a large factor in response determination. When you think about cost, think about not only the financial impacts of any decision but also the less easily quantified aspects such as loss of goodwill, loss of brand status, and other hard-to-define attributes. You also need to consider the cost to maintain the responsive mitigation over its required life span. For example, if you are required to apply a costly IT solution into your architecture to load balance and you don’t have an IT professional who is skilled or knowledgeable in that area, you may be required to hire a new professional or train an existing staff member. That also brings up your ability to plan for contingencies; is one person enough to complete this task? You may need more personnel in general to maintain your new security posture or to cross-train existing personnel as an alternative to hiring new people. Maintenance is a huge consideration that should not be shrugged off.
  • 13. The ability (also defined as capability) for the organization to implement the response should also be considered. How mature is your company’s ability to implement the response? Do you have a small, untrained, ad hoc team (perhaps that sounds cynical, but it happens)? In that case, a more sophisticated measure might not be appropriate; perhaps you need a new team! In contrast, a sharp, well-trained, experienced team can handle more complicated mitigation measures and processes. How effective will the response be? Effectiveness can be measured as the extent to which the response reduces the likelihood or the impact of the risk event to the organization. If the effectiveness of the response activity is in question, that’s a strong reason to consider that path questionable as well. You should also consider the efficiency of a response. Efficiency can be described as the ability for a risk response to cover one or more objectives that our organization sets in front of them. Quite simply, solutions are more efficient if they lower more risks than if they lower only one risk. Consider low-cost, highly effective solutions your “nirvana” and work from there. You want to obviously avoid high-cost, ineffective solutions, but it’s shocking how often you will encounter them! We will talk about prioritizing risk responses in the following section, and these concepts go hand-in-hand. Prioritizing Risk Responses Now that you have a better understanding of what your risk response options are and how you will select them, you need to understand how they should be prioritized. Have you ever worked for a company that had too much money to spend on its security program? (Here’s a hint … we haven’t.) It’s unlikely that you’ll have the resources to complete all of your proposed risk mitigation and response strategies, so knowing the proper
  • 14. priority is important. This will drive how you spend the money and apply the human resources that will lower your overall risk to an acceptable level. Figure 5-3 depicts the rankings of how you’d generally prioritize risk response options, and we’ll discuss that ranking in more depth within the next section. Figure 5-3 Prioritizing risk response options Risk Response Prioritization Options There are three prioritization options that you need to be aware of for the CRISC exam. They are quick wins, business cases, and deferrals. We will discuss each of these in this section and provide examples of both the options and the alternatives. Quick wins are actions that can be taken that really are winners; as we discussed earlier, you are looking to select risk responses that are high reward and low cost and that are both effective and efficient. Quick wins are just that; they meet those criteria and address a medium to high risk and look good doing it! You should always be looking for a quick win to address a scenario, though that’s easier said than done. Consider a scenario where an organization is having difficulties maintaining source code integrity across multiple teams of software developers. The developers are overwriting each other’s work and causing havoc with old or untested code being pushed into production. It’s a nightmare but one that happens regularly! An example of a quick win is the development of a configuration management board that immediately begins discussing and making decisions on source code changes and cross-pollinating projects among teams. The team might exist happily on its own, or the team might look at incorporating source code control software to force a developer to “check in” and “check out” software before it’s changed. This facilitates logging and improves the ability to
  • 15. track and roll back from catastrophic implementations. A quick win is almost obvious in nature; why wouldn’t you want to take advantage of it? In contrast, making a business case is more difficult than pitching a quick win. A business case for a particular risk response must be made if the response can’t be quickly or easily implemented without a significant cost or change to the organization or the system. These changes might include processes, infrastructure, architecture, or design, and they are significant enough to warrant a business case to respond to a risk issue. A business case for a risk response justifies the expense and work required to make the response function properly. When you make a business case for a risk response, you must take a number of factors into account. For example, what projects are currently in the pipeline? Is there something that would conflict with your proposed response option, make it irrelevant, or make it more costly? How’s the business doing? If the bottom line is weak, it will be harder to sell any risk response solution that is costly, even if it would significantly improve the baseline level of risk. When a business case needs to be made, generally the risk response option is more costly in general, whether it is costly in terms of financial or personnel resources. It also might be attempting to address a low or medium risk that doesn’t have the attention of the leadership in the way a high risk would. Even an efficient and effective response to a low risk must be questioned and prioritized appropriately. Finally, you choose to defer when risk response options simply don’t make good business sense. A deferral is the polar opposite of the quick win; whereas a quick win is almost obvious in its ability to address a medium or high risk in an efficient and effective way, a deferral is the choice when you have a high cost of response associated with a low risk, one where even a business case can’t be made. In the scheme of prioritization, deferrals will be at the bottom of the list. We choose to accept risk, perhaps until the cost is reduced, or choose risk acceptance
  • 16. as our permanent measure. At the end of the day, your prioritization should take into account a number of concerns. These include the regulatory mandates that are applicable to your organization, the impact to the business through implementation of the proposed measure (including costs both financial and nonfinancial), the market conditions you find yourself in, the culture and the climate of the organization (including the inherent resistance to change), and the ability to optimize resources. EXAM TIP Always remember that low-cost responses to high- risk scenarios are the goal of risk response prioritization. Identifying Business Opportunities Businesses of all types and markets are looking to create business opportunities. With opportunities, however, comes risk. Risk is not always a bad thing; in some cases, it allows you to get out ahead of your competitors and capitalize on forward-thinking ideas that may be out of your comfort zone. An example that we’ll use frequently is a business looking to move into a developing country; the risk is high, but the reward could also be great. We’ll identify these opportunities here and explore how they can be leveraged. Identifying business opportunities during the selection of risk responses requires the organization to understand its risk appetite and risk tolerance. As we discussed in Chapter 1, risk appetite is how much risk an organization is willing to deal with in any given endeavor, while risk tolerance is the acceptable level of deviation in risk for a particular endeavor or business pursuit. Remember, there’s a certain amount of risk in every business enterprise or pursuit, but the organization may not be able or willing to tolerate large deviations from what it considers its acceptable level of risk on an endeavor. The selection of risk responses will inevitably change the risk appetite/risk tolerance calculation within the organization, and any risk response should be examined against
  • 17. these guiding factors. When the organization is able and willing to take a risk, it can be considered a business opportunity, and to identify those opportunities, you need to understand the areas that can withstand the risks. Cloud computing is a great example of an opportunity that many organizations consider worth the risk based on the rewards; operating within a difficult business area such as a developing country is another we discussed previously. In the end, to identify business opportunities, remember to look for areas of opportunities that can be leveraged through the creation of a competitive advantage or increased synthesis of activities and processes. Risk Mitigation Hooray! You’ve selected your risk responses carefully and prioritized them appropriately. You’re feeling good about how you’re going to positively capitalize on good risk and minimize bad risk, and you’re going to do it efficiently and effectively. You’re a risk response rock star! Alas, now comes another challenge: implementing those risk response options. In this section, we will talk a bit about how controls are implemented, as well as the concepts of exception management and residual risk. Even the best-laid risk response plan will need to account for these concepts. Have you ever seen a manager act with a knee-jerk reaction to a sudden problem that ends up costing more time and money implementing a solution than the actual issue itself would have? Implementing risk responses properly should consider a few key components, such as the ability to measure its success, proper documentation, and appropriate training. Earlier, we discussed a number of different risk response options, such as risk avoidance, risk sharing (or transference), and risk acceptance. In this chapter, we will focus on risk mitigation. Risk mitigation incorporates controls of varying types across an enterprise to lower risks to an appropriate level. These controls can be anything
  • 18. from a written document to a sophisticated, comprehensive technical solution, but they should all be designed to most effectively and efficiently mitigate the risk they are associated with. At the end of the day, control should provide the organization with some level of assurance that they can meet their business objectives and deal with any events that occur in a manner that is acceptable to the leadership of the organization. Risk Response Action Plans Quite simply, the risk response action plan lists the risk responses that have been chosen and charts their progress and associated timeline, with an appropriate action owner. This ownership piece is critical because you need a “belly button” to push if things are not going as quickly or as smoothly as they should be. Without a proper risk response action plan, you will likely end up losing sight of where your risk responses are in their progress, if they’ve made any progress at all. Risk response action plans can contain any number of data points inside of them, but at a minimum, they should list the prioritized risk responses, their associated costs, a timeline for their implementation, the associated cost, and the owner of the risk response. The plan should be formally accepted by senior leadership, monitored continuously, and reviewed at regular intervals to ensure it does not deviate from a risk or response perspective. Any deviation should be reported immediately to the senior leadership. Control Development So, what is a control anyway? Quite simply, a control is some sort of measure, be it a document, a technical solution, a procedure, or some other remediation that is put into place to improve the overall security posture of your organization through correcting a gap or making up for a shortfall in another control. Controls can be technical solutions, such as firewalls or intrusion detection systems, but they can also be processes, procedures, policies, or physical controls. We talked in
  • 19. Chapter 1 about the types of controls (administrative/managerial, technical/logical, and physical/operational), but controls also can be grouped in different families: access control, auditing, configuration management, contingency planning, personnel security, and so on. So, how do you determine new controls to apply to your system or whether your existing controls are good enough? We will discuss this in more depth in the following sections. Control Types As you may have gathered by now, there are many types of controls to choose from. However, you can generally group these controls into a number of broad categories by their intended function; the most common are compensating, corrective, detective, deterrent, directive, and preventative. You may notice some significant overlap between these categories, and that is why some experts do not distinguish between, for example, deterrent controls and preventative controls. Table 5-3 lists each control type, its definition, and an example control. Table 5-3 Controls Categorized by Function NIST 800-53 NIST Special Publication 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations,” is a key catalog of controls to be aware of if you are doing business in the U.S. government but is also a great resource even if you’re not. With its latest revision (revision 4, as of this writing), it includes controls for assuring privacy as well as security and is meant to be policy and technology neutral, meaning that the controls are broad enough to be applied to any architecture. If you’re looking for a document to tell you the steps of how to configure your router securely, this isn’t the document for you; it’s perfect, though, if you’re looking for a
  • 20. comprehensive view of the scope and magnitude of a system- level control solution. Figure 5-4 lists the families of security controls and their unique identifiers from NIST 800-53. Figure 5-4 NIST 800-53 security controls identifiers and family names (courtesy of NIST, from Special Publication 800- 53, revision 4) ISO 27002 While NIST 800-53 is used heavily within the U.S. government, International Standards Organization (ISO) 27002 is used much more widely internationally. Much like 800-53, 27002 groups controls into families, such as the following: • Human resource security • Asset management • Access control • Cryptography • Physical and environmental security • Operation security • Communication security • System acquisition, development, and maintenance • Supplier relationships • Incident management • Business continuity management Since its birth, versions of 27002 specific to different industries, such as healthcare, have been developed that are tailored to their specific contexts, laws, and regulations. Designing Effective Controls The first step in designing an effective control is to determine who exactly owns the control; this is key because it will determine who actually designs the control, who tracks its care and feeding, and who creates the documentation that will follow the control well into its implementation and eventual disposition. This individual or group should be the party
  • 21. responsible for determining the security categorization (SC) of the system or environment into which the control will be applied. NIST 800-53 recommends the determination of the SC of an information system as an equation, as described here: SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}, where the acceptable values for potential impact are low, moderate, or high Using this equation, a low-impact system would need to have most or all the confidentiality, integrity, and availability (CIA) elements with a low impact; a moderate-impact system would have a mixture of low and moderate and potentially high elements; and a high-impact system would have most or all of the CIA elements with a high impact. Note that higher-impact systems will usually have more controls applied to them, reflecting their higher sensitivity and criticality within the organization, and these controls will normally be applied with a higher degree of effort or rigor. It is important to understand the SC because it will help you determine how much money, time, and other resources you want to devote to any particular control. As discussed earlier, you are looking for low -risk, high-reward controls. Understanding the impact of the system allows you to plan and design more cost-effective controls. After determining your security category, you will want to understand the common controls. These are controls that are common across your organization and are shared between more than one information system. For example, you may have more than one information system being housed within the same server room in your headquarters building. Perhaps a previously accredited system review already ensured that you have a strong lock and a heavy door between those servers and the rest of the world. This would be a common control between the old system and your new system. Other possibilities could be continuity of operations, policies, and procedures; guards at entrances; biometrics; and so on. These should have already been documented in a plan (we hope!), so a great place to start is to
  • 22. review the security plans for other systems within your organization. Don’t forget the advent of the cloud has created situations where you are sharing data and systems among more than one organization, often supported by another third-party organization, so you may have common controls among all of your organizations that need to be considered. Also, be constantly aware that any common controls that do not meet your specific requirements (let’s say there’s a strong door but no lock) will require you to add a compensating control to meet your standards. Selecting the appropriate controls for you and developing them often depend on your context (for example, governmen t, healthcare, banking, or some other specific context that mandates a certain regulatory or legal standard for your security). Further, you already developed your security category, as discussed earlier, so you know the impact of the system if it was lost for a period of time. After determining the common controls, you now know where the gaps between the two points are. Now is the time to begin documenting those gaps in the risk response action plan. Don’t forget, if you are dealing with a third party or cloud-based provider, you should also be considering any service level agreements or other legal documentation that will need to be drawn up as part of your risk response action plan. Control Implementation and Adjustment Now that you’ve selected the appropriate controls for your system, it’s time to implement them. You have unlimited time, money, and personnel available, so this shouldn’t be an issue, right? In a perfect world, that would be the case; however, we all know that we have to deal with constraints on a daily basis, so we will discuss how to deal with control implementation as a project using project management tools later in this chapter. This is a great time also to consider any current or future technology knowledge that you may want in your organization. Are the areas you are applying controls to grossly out of date?
  • 23. Or are they stable and still widely used, causing your leadership to have an “if it ain’t broke, don’t fix it” approach to phasing them out? Consider how you could enable change in the organization through implementing new technologies. This could be anything from upgrading your core network infrastructure to implementing biometrics at critical entry points. Don’t forget to do a thorough review of your existing controls that are in place and how they may need to be adjusted. This will need to be factored into your project plan, both for time and for resources. Risk Response Assessment Security controls should be tested before the system is authorized or credited and at irregular intervals afterward. You assess a program or a project to determine whether it is meeting your specified objectives and to determine whether the controls you have selected to protect the system are performing their desired function to the level you need them to. Conducting an assessment early in the life cycle of control implementation allows for issues with the control to be determined and remediated as appropriate. Based on the rules and regulations that your organization must adhere to, you may be able to do an internal audit of your controls, or you may be required to use a third-party agency or other testing authority. Either way, be mindful that an assessment should be thorough, technical (as appropriate), and independent. Anyone conducting an assessment should be impartial, as free of bias as possible, and preferably not in the same part of the organization as the personnel charged with implementing the controls. You will often see two types of testing discussed within the community; developmental testing/evaluation is conducted in parallel with the development of a system (or in this case the controls for the system), and operational testing/evaluation is conducted before the system is released into final production (or operation). While both types of testing are required in some segments (such as major government systems), some organizations that do not
  • 24. require developmental testing and evaluation fail to get elected, to their own peril. Quite simply, the time and money spent to assess iteratively along the life cycle of the project will save you dividends in the end. Just imagine the headache you will have if you find out that a major control you were betting on to reduce the risk of external breaches does not play well with your network infrastructure. You would have found that out much earlier if testing occurred sooner. Either way, you should have an assessor, inspector, agent, or other authority assigned to assess your system to detail any flaws found and allow you to better fill the gaps. So, what exactly occurs during control assessment? If you are using a formal set of controls, such as the NIST framework discussed throughout this chapter, you can expect each family of controls to be decomposed into specific requirements that can be assessed in a variety of ways. For example, if continuity of operations is one of the controls you have implemented, you could expect a review of your continuity of operations documentation, a visit to your off-site facility (as appropriate), and perhaps even a test of your backup solution. Another example is the door and lock combination that we discussed previously in this chapter; any assessor worth his or her salt will be checking to make sure you have a lock on all doors but that they are also adequate to meet the requirements to lower your organization’s risk posture. There will be a mixture of documentation review, technical assessments, and interviews that are conducted to determine whether you have adequately covered all the controls required. Table 5-4 lists some common assessment techniques. If you’ve done your due diligence in preparing for an assessment (through adequate documentation, thorough implementation, and appropriate analysis of the actual controls required), this should be no sweat. However, if formal assessment is required for an authorization or accreditation action and you did not diligently pursue these activities, you could be in for a major
  • 25. headache when you receive your results. Table 5-4 Control Assessment Options Ever thorough, NIST has a guide to security assessment that aligns well with its other documents covering risk management. NIST Special Publication 800-115, “Technical Guide to Information Security Testing And Assessment,” was written with four points of focus: helping organizations establish an information security assessment policy, implementing a repeatable and documented assessment methodology, determining the objectives of the security assessment, and analyzing the findings and developing risk mitigation techniques to address weaknesses. An alternative to the NIST framework is the Open-Source Security Testing Methodology Manual (OSSTMM) from the Institute for Security and Open Methodologies (ISECOM). Currently in its fourth revision, the goal of the OSSTMM is to create a standard for thorough and practical security testing across the community with the following goals: • Quantifiable • Consistent and repeatable • Valid beyond the “now” timeframe • Thorough • Compliant to individual and local laws and the human right to privacy Even if you do not intend to use the OSSTMM framework, it is a useful reference document that contains handy rules of thumb for gauging testing time and sample rules of engagement. Documentation Risk response options must also be thoroughly documented, with a clear owner defined, whether it is a new process, control, team, policy, or any other solution. Just imagine a risk being uncovered that requires a set of procedures for storing, handling, and destroying sensitive information. The procedures
  • 26. are developed and put on a shelf until an incident occurs. In the meantime, the procedures go stale (locations change, for example), and no clear owner was defined to be responsible for maintaining the documentation. The procedures, in this event, are as good as useless. Substitute any situation where documentation is not only helpful but necessary, and you can quickly see why this is so important. By this point, you’ve no doubt made a number of changes to your organizational security posture, and these changes should be documented within your security plan. You should write security plans assuming that the personnel who are currently active within your organization could leave at any time (the old story about someone being hit by a bus and was the only one who knew how to perform a specific function), so it’s best to always prepare for contingencies such as this by having your security plan as heavily documented as possible. You need to make sure to include a functional description of all controls that were applied to the system, any decisions that were made leading to these controls being implemented, any interdependencies, and any other relevant information. Finally, you also want to include any documentation from testing that occurred and remediations that were made based on testing results. Any risk response planning should outline a rough timeline for implementation, a rough estimate of costs, who is responsible for the implementation, and any required tools (such as software, hardware, and so on) required to complete the tasks. More detail is always better! A lack of clarity is not your ally, especially if the plan is handed over to a team that wasn’t involved in the initial planning process. Finally, you’ll want to track the status of your risk response implementation. This is usually done using a risk register, discussed previously in Chapter 3. To recap, the risk register is a document that tracks various elements of the identified risks, such as the risk name, risk impact, risk probability, risk mitigation, action
  • 27. owner, and action suspense date. This risk register can be used to track the implementation of the mitigations and assure that timelines are met. Do you have any metrics in place that can determine the success of the risk response? Metrics help you quantify the effectiveness of your implemented risk response over its life. Monitoring comes into play here because it facilitates your ability to understand your performance against the metric. Monitoring can be done through a tool, through a team, or through a combination of both. Exception Management It’s easy to say that your risk response options should always be implemented. You carefully considered the risks to the organization through the risk analysis process, selected appropriate responses, and monitored your risk levels diligently. How could you possibly not implement a control? That would be crazy! However, there are exceptions, and you need to have a process in place to manage those exceptions and keep them minimized. Consider the situation where an operating system patch cannot be applied because of a legacy application that’s critical to the organization’s mission. This mitigation is important but less important than the legacy application and its associated mission. What to do? Exception management comes into play here; you need to document this as an accepted exception to the policy and track it. Perhaps the patch can be implemented in the future, or another mitigation could come along and make the exception moot. This is another aspect of risk acceptance; you are asking management to accept an ongoing risk, as an exception, because the response cannot be implemented for whatever reason. Either way, keeping a close eye is key to not letting these exceptions slip through the cracks. NOTE Don’t forget to track exceptions and remove any that
  • 28. aren’t valid! It’s easy to let them slip through the cracks. Reporting the Risk Response Activities What are the reporting requirements for your organization? Are they bound by government regulations, international business partnerships, or other binding agreements? Understanding what is required of your organization is absolutely critical for your reporting requirements. You also need to understand what you should report in any of these contexts. For example, it is a good idea to report any issues you have ongoing, the status of any ongoing remediation actions, how your controls performed, any ongoing incidents, and how your overall risk response activities are performing, essentially the “Bottom Line, Up Front” of your risk response action plan. Along with understanding the underlying operational environment, it is key to understand your stakeholders and what their needs are. For example, your board of directors might want a high-level, quarterly presentation on compliance levels relative to the previously discussed operational environment, as well as performance relative to business goals and objectives. The risk committee, conversely, might want a much more “deep dive” into the individual risks identified previously, the new risks that could potentially come to the forefront, and how different business units are supporting the risk management program across the entire organization. It’s important that you understand how these different stakeholders need different reporting mechanisms and tools and that you identify clearly (preferably in writing) how they expect you to support them through timely and relevant reporting. When reporting, you can include a few standard items, such as measured control effectiveness (which can be rolled up to a higher level, as necessary, for management), any ongoing issues, any perceived gaps, the status of any remediation actions, any incidents or risk events that have occurred since the last report, and the overall trending status of the effectiveness of the risk management process. Also, identify ahead of time
  • 29. whether your report will be included as an input to a greater enterprise report and work to include any appropriate information needed to facilitate that enterprise-level view. This will help garner support for the risk program supporting the business goals and objectives. You should review the results of any third-party analysis or audit that has taken place and incorporate the findings into your understanding of the organization’s risk posture. Has your organization conducted any type of internal audit or self- assessment? These will be important to review and to take a look at how they affect the risk profile and where they will need to be mapped. We’ll discuss the risk tolerance in many places throughout this book, so suffice it to say that the risk tolerance should be considered throughout the reporting process as a key input. NOTEChapter 1 has more information on the concept of risk tolerance and how it relates to risk acceptance. Training After all is said and done and the controls have been implemented and documented, it is important that you conduct regular and traceable training that covers a number of aspects. On top of the usual cyber security, privacy, and acceptable user training that most organizations (should) have in place, it is imperative that the employees responsible for the care and feeding of your controls are properly trained on both the content of the controls and the context of the controls. What does this mean? Content means that a network administrator in charge of your infrastructure, and the subsequent controls, understands the latest evolutions and revolutions in both current threats and vulnerabilities. Context means that the same network administrator in a highly sensitive government environment (think missiles, space, and so on) should know that they should be extra prudent and consider the limitations inherent to their systems and how they interact with other systems (if not the
  • 30. larger Internet). Without both of these, content and context, as part of the training portfolio for all personnel charged with implementation of controls, you may well likely find that one or the other is neglected. System Development Life Cycle There are many assorted control-related life cycles; some deal with systems, and some are more specific to software or other project types. In this section, we’ll discuss a system development life cycle (SDLC), which is a generic framework used within NIST 800-64, “Security Considerations in the System Development Life Cycle.” The NIST SDLC has five phases: initiation, acquisition/development, implementation/assessment, operations/maintenance, and sunset (otherwise known as disposition). Be on the lookout in this section at how well many of these particular steps align with the concepts covered previously. You should see how important it is that controls are developed and implemented within each phase of this life cycle. In fact, NIST states that “an integrated security component (composed of milestones, deliverables, control gates, and interdependencies) that specifically addresses risk management…enables security to be planned, acquired, built-in, and employed as an integral part of a project or system.” Figure 5-5 depicts the SDLC covered in NIST 800-64. Figure 5-5 NIST 800-64 System Development Life Cycle (courtesy of NIST, from Special Publication 800-64) Initiation In the initiation phase, the need for a system is determined, and its purpose is documented formally. Within the initiation phase, it is critical to consider your control development and integration early and often. In fact, you will save yourself many headaches, time, and eventually money by considering your controls at every step along the way. Within the initiation
  • 31. phase, security is often expressed as a business risk or a risk to project completion or the business itself. Outputs for the initiation phase could include the following: • Documentation of security roles and responsibilities • Documentation of controls required by regulation, law, or other guidance • Schedule of control activities or decisions throughout the project timeline Acquisition/Development Within the acquisition/development phase, the risk assessment is often conducted, along with any security testing and development of documentation for system certification and accreditation (as required). Risk assessment is covered in-depth in Chapter 2, but just note that an effective risk assessment is built on the initiation phase having been conducted appropriately and thoroughly. This is also the phase where the bulk of your control development will occur. Implementation/Assessment Within the implementation/assessment phase, the system is installed in its new environment and evaluated for its readiness, both operational and security. Here you do a final certification and accreditation review, and the authorizing official or other accrediting authority will take responsibility for the security posture of the system. Any documentation to connect the system to any external entity should be completed within this phase. Outputs for the implementation/assessment phase could include the following: • Accreditation package • System authorization • System security plan Operations/Maintenance Within the operations/maintenance phase of the SDLC, the system is actively operating, so you can leave it alone here, right? Not likely. You need to constantly be looking for ways to
  • 32. improve and enhance the system, and any improvements or enhancements need to be considered for their security ramifications. Furthermore, the system must be assessed periodically based on regulatory, legal, or other guidelines to ensure that it continues to maintain a risk level that aligns with the company’s risk tolerance. Outputs for the operations/maintenance phase could include the following: • Updated plans of actions and milestones • Change control board documentation • Renewed accreditation and authorization documentation Sunset (Disposition) Every good thing must come to an end, and systems are no exception. The final phase of the SDLC requires a system to be disposed of properly, and in doing this you need to be aware of the controls required for securely disposing of a system and any corresponding data or other artifacts. As NIST points out, there is usually not a definitive end to a system; it is often merely rolled into the next generation of systems, and any data and associated requirements become the province of that group of personnel tasked with the care and feeding of the new shiny solution. However, you do need to be aware that, if required, it is important to have an orderly and safe disposal process on hand that includes migration of data or archival solutions as appropriate. Outputs for the implementation/assessment phase could include the following: • Logs of hardware and media sanitization/destruction • Transition plan Project Management Risk responses should be implemented in a controlled, defined, and monitored manner as discussed previously. One tried-and- true way to do this is through the tenets of project management. The Project Management Body of Knowledge (PMBOK), a publication of the Project Management Institute, defines a project as “a temporary endeavor to create a unique product, service, or result.” Project management, then, is “the application of knowledge, skills, tools, and techniques to
  • 33. project activities to meet project requirements.” Note that a project in this context is indeed temporary in nature, with a defined beginning and end. Risk management is distinct from project management on this point because project management incorporates concepts to lower project risk but ends with the project, while risk management activities can continue indefinitely. Project management is a great concept to know as a professional because it can be helpful in completing any set of tasks, but for the CRISC exam, you obviously need to keep your risk hat on. In this section, we will discuss the most common project management frameworks and the vital concepts you need to understand for the exam. We’re not advocating for a particular standard to be adopted; in fact, you’ll notice a great deal of similarity among all of the major frameworks. Most importantly, you need to understand that implementing controls is like any other project, in that, as the PMBOK states, it is “the application of knowledge, skills, tools, and techniques to project activities to meet project requirements.” The project activities are the activities you are conducting to meet the project requirement: a set of controls implemented and functioning properly. Project Management Frameworks As we’ve said, a framework can be described as a set of laws, best practices, policies, procedures, and processes, all wrapped up in an implementable, established format. Project management frameworks help provide that standardized, industry-accepted approach toward managing projects. While all project management frameworks differ in their content (and sometimes context) slightly, they all contain basic steps comprising the project initiation, the design and planning phases of the project, the execution of that plan, the tracking of the progress (or monitoring), and project closeout. Each of these phases will have risks that need to be addressed, and some frameworks even have their own specified areas that address risk. An example is tracking the risks (perhaps using a risk
  • 34. register) alongside the project goals and objectives to ensure that all are kept within organizationally accepted tolerance levels. PMI-PMBOK The Project Management Institute (PMI) Project Management Body of Knowledge is perhaps the most recognized project management framework internationally. The PMBOK divides project management into process groups, knowledge areas, and associated processes. The five process groups are as follows: • Initiating • Planning • Executing • Monitoring and Controlling • Closing Within the Initiating phase, you conduct your project kickoff. This is where you get authorization to move forward with the project, and you create the project charter. Next, you conduct the Planning phase, where the work plan is developed. The Executing phase is where all your hard work planning pays off; you implement your plan and watch it come to life. Monitoring and Controlling covers the critical points of tracking progress against established milestones, goals, and objectives, and conducting remediation actions as necessary. Finally, as discussed previously, all projects have a definite life span and must be closed out in the Closing phase, with appropriate lessons learned documented. There are also a number of certifications associated with the PMBOK framework, including the Project Management Professional (PMP), the Certified Associate in Program Management (CAPM), and the Program Management Professional (PgMP). While you don’t need to know about these certifications within the scope of the CRISC exam, it’s good to be aware of their existence because they are some of the more widely held and respected credentials within the Project Management field. CMMI
  • 35. The Capability Maturity Model Integration (CMMI) framework is an internationally recognized standard for improving processes within organizations. Developed by Carnegie Mellon University, the CMMI is used to gauge the process maturity within the organization and to place it within a “maturity level.” There are CMMI frameworks for a number of sectors, including CMMI for Acquisition (CMMI-ACQ), CMMI for Services (CMMI-SVC), CMMI for Development (CMMI-DEV), Data Management Maturity (DMM), and the People CMM. You’ll see many large companies boasting about their CMMI level; it’s considered to be a solid gauge of the process maturity within an organization. Why does this matter? If you want to, for example, hire an external software developer to create and maintain an enterprise-wide budget tool, their CMMI rating would give you insight of how they deal with processes such as change management. The maturity levels range from 1 through 5. • Level 1 (Initial) Processes are poorly controlled and managed • Level 2 (Repeatable) Processes are repeatable, sometimes even with consistent results • Level 3 (Defined) Defined processes that can be improved over time • Level 4 (Quantitatively Managed) Finding ways to adapt without significant loss • Level 5 (Optimizing) Focus on continual improvement of processes
  • 36. CMMI doesn’t discuss risk as overtly as the PMBOK, but you can see the same overarching elements of processes being used to manage the different aspects of a project, including the tracking and optimization. CMMI puts particular value on the concept of process improvement, and organizations operating at CMMI level 5 are actively reviewing and improving their processes—including dealing with risk—on a regular basis. Agile Agile project management frameworks have been used within the software development sector for some time. The Agile methodologies look to improve—you’ll never guess—agility by improving collaboration, reducing bureaucracy and red tape, and facilitating ad hoc groups creating products in a rapid fashion. The Agile Manifesto, released by the Agile Alliance, reflects the following principles: • The highest priority is to satisfy the customer through early and continuous delivery of valuable software. • Welcome changing requirements, even late in development. Agile processes harness change for the customer’s competitive advantage. • Deliver working software frequently, from a couple of weeks to a couple of months, with a preference to the shorter timescale. • Businesspeople and developers must work together daily throughout the project. • Build projects around motivated individuals. Give them the environment and support they need and trust them to get the job done. • The most efficient and effective method of conveying information to and within a development team is face-to-face conversation. • Working software is the primary measure of progress. • Agile processes promote sustainable development. The sponsors, developers, and users should be able to maintain a constant pace indefinitely.
  • 37. • Continuous attention to technical excellence and good design enhance agility. • Simplicity—the art of maximizing the amount of work not done—is essential. • The best architectures, requirements, and designs emerge from self-organizing teams. • At regular intervals, the team reflects on how to become more effective and then tunes and adjusts its behavior accordingly. Within this manifesto, you notice the concepts of welcoming change (not common within many project management frameworks) and a self-organized team (as opposed to having a project manager formalize team membership). Finally, the concept of iteration—from the team members reflecting regularly on their own effectiveness and tuning accordingly to the delivery of regular products—is central to the Agile mind- set. While its more flexible, ad hoc project management methodology might not be ideal for every organization, you can definitely see how it would appeal to a certain subset of company such as a startup. The Agile framework (as well as the Lean framework, discussed in the next section) differs from the PMBOK and the CMMI in its approach and rigidity. Both Agile and Lean value the ability to make quick changes and the ability to be more ad hoc through the use of self-organizing teams. There is much less emphasis on tracking through the use of metrics, and a discussion of project risk is almost nonexistent. Still, in an organization using these project management frameworks, risk should be considered and incorporated into the project processes from beginning to end. Lean The Lean mind-set is derived from the manufacturing sector and is looking to “lean” organizations through less waste; in this context, it means less waste within projects. Waste can be found within too much unnecessary time spent on a project or unnecessary personnel involved who could be utilized elsewhere. Anything that does not bring value to the project is a
  • 38. target for “leaning” or improving, perhaps even removal. Value should be defined early in the project by the end customer and often means what they will be willing to pay in the end for any segment or part. Lean project management differs from other frameworks by focusing efforts on improving processes to compress the overall project schedule to reduce the project cost and improve the profitability of the project. A common tool used within Lean projects is the value stream map (VSM). Within the process of creating the VSM, the team will detail the steps, information flows, and any delays currently resident within existing processes. This will allow the team to better understand the current state of the processes within the company and look for areas to reduce waste. At this time, another, updated VSM is created to depict the leaner process. Project Management and Risk Management So, you’ve learned a good bit about project management within the previous sections, but how does it really interact with the discussions of risk? Remember, project management covers a defined project from start to finish and is looking to cut costs (time, scope, and overall project cost), and managing risks can often create new costs. However, as you read through the major frameworks, you’ll see a few concepts that are really central to effective risk response management: understanding the project requirements, tracking project progress, improving processes, and creating value. Look at how these align with the overall risk-focused mind-set. You understand the requirements for tracking risk so that you know the organizational contexts and values, overarching laws and regulations, and existing policies that you must consider when determining how you will approach risk management. You track the progress in implementing your chosen risk responses (and track exceptions to the policies using your exception management process). You improve the fundamental organizational processes by incorporating a calculation of risk throughout all of your projects. Finally, understanding risk creates real value for the
  • 39. leadership because no project should be considered if the overall risk of failure, for example, outweighs the reward of success. Risk management helps your leadership succeed by helping quantify these concepts in a way that honest assessments can be made. Chapter Review In this chapter, we covered the risk response process from top to bottom. We discussed three major risk frameworks, the NIST RMF, the ISACA IT Risk Framework, and the ISACA COBIT. The NIST process is comprised of six steps: security categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring, and it has an important consideration of continuous monitoring. The ISACA IT Risk Framework has three domains: Risk Governance, Risk Evaluation, and Risk Response. COBIT is not risk-centric or IT security–centric but is largely focused on governance. These frameworks all differ in their scope and content but have the same underlying goal of helping identify, deal with, and monitor risks within an organization. We discussed how risk response is an essential topic within all three frameworks. We then covered the risk response process that includes the selection of risk response options, the prioritization of risk response options, and the implementation of the risk response plan. Each of these facets contains a number of key steps involving analysis, proper communication, and consideration of the organizational risk tolerance and risk appetite. We then developed an understanding of the different risk response options, including risk avoidance, risk mitigation, risk sharing or transference, and risk acceptance. Each one of these options has advantages and disadvantages. We also discussed how risk responses should be selected and appropri ately prioritized. This requires an understanding of whether a response is a quick win (a situation where the response is high benefit and low cost), requires a business case to be made, or
  • 40. necessitates a deferral (where the risk does not outweigh the potential cost). Each risk response choice requires careful consideration of these options to determine the best course of action; also, when it’s time to implement the risk responses, knowing how to incorporate metrics, document thoroughly, and manage exceptions to the plan is key. We also discussed how to implement the risk mitigations after they’ve been chosen, through the use of frameworks, both for controls and for the overarching project management. You learned how risk responses are assessed, through documentation review, technical assessment, and interviews. We discussed how to properly document risk responses and any exceptions and report the activities to leadership. Finally, we covered training for both content and context as a regular, repeatable activity for personnel charged with implementing any controls. image3.jpeg image4.jpeg image5.jpeg image6.jpeg image7.jpeg image8.jpeg image9.jpeg image10.jpeg image11.jpeg image12.jpeg image1.jpeg image2.jpeg Discussion 3 Purpose · Describe the risk response process. · Evaluate risk response options and align choices with business objectives. · Identify the bad actors in cyberspace and compare and contrast their resources, capabilities/techniques, motivations, and
  • 41. aversion to risk. [NSA CTH 1] · Select the optimal methodology based on needs, advantages, and disadvantages. [NSA SRA 4] Responding to and Mitigating Risk When it comes to responding to risk, there is no one size fit all approach. Individuals, businesses, and governments will need to determine how they will deal with these risks, whether to accept, transfer, or mitigate such risks. Understanding the source of the risk, whether man-made or natural, will need to be considered when responding to risks. Several other factors will also need to be considered, including the organization’s mission, goals and objectives, risk appetite, resources, and capabilities. Risk response frameworks, as well as the Plan-Do- Check-Adjust (PDCA) life cycle are good references to consult when planning responses to risks. Whatever risk response is chosen, it’s important to remember that low-cost responses to high-risk scenarios are the goal of risk response prioritization. Overview This discussion is based on the same scenario as Discussion 2. You’ll remember that the scenario mirrors a natural event (world-wide pandemic), the COVID-19 outbreak, but is based on a fictitious company. Again, feel free to make some assumptions as you work on this module’s discussion. Note: For this assignment, you will not be able to see your classmates’ posts until after you post. The scenario (Discussion 2): You work for a U.S.-based company called Hintel, an IT company that manufactures computer chips. The company’s factories handle over 70 percent of its manufacturing operations. The factories are geographically located in China, Italy, and South Africa. In January 2020, the U.S. Centers for Disease Control (CDC) announced that they were responding to “an outbreak of respiratory disease caused by a novel (new) coronavirus that was first detected in China and which has now been detected in more than 100 locations internationally, including in the United
  • 42. States. The virus has been named SARS-CoV-2 and the disease it causes has been named Coronavirus Disease 2019 (abbreviated COVID-19). On January 30, 2020, the International Health Regulations Emergency Committee of the World Health Organization (WHO) declared the outbreak a public health emergency on International concern.1 Since January 30, 2020 when the outbreak was declared a public health emergency, many businesses have suffered major financial losses due to a temporary loss of confidence in financial markets, restricted movements, and in the case of “Hintel”, the closures of its major factories in China and Italy. The company currently reports approximately $75m in losses per day as a result of this pandemic.” 1 https://www.cdc.gov/coronavirus/2019-ncov/cases- updates/summary.html Include the following in your post: · As the CIO of “Hintel”, you have been summoned by the organization’s board to share your response plans. Identify and explain 3 to 5 risk response options that you would share with the board. Note that these points could essentially be included in your disaster recovery plan. · Describe 3 to 5 factors that you would consider when evaluating the risk response options that you shared above, bearing in mind the importance of establishing and maintaining trust throughout the process. · Pandemics such as COVID-19 may enable bad actors in cyberspace to harm businesses. Identify and describe potential opportunities that these actors could exploit to harm businesses. · Describe technical controls “Hintel” could implement to reduce cybersecurity-related risks from these bad actors. Action Items 1. Create discussion post according to the directions in the overview. 2. Read the assignment rubric to understand how your work will
  • 43. be assessed. Module: Here are the resources you need to prepare for this module: · Chapter 5, Risk Response and Mitigation (Links to an external site.), in Rogers & Dunkerley (2016) · The Phoenix Project: Remediation of a Cybersecurity Crisis at the University of Virginia (Links to an external site.) Case Study · NIST Guide for Conducting Risk Assessments (Links to an external site.) · The Three Ts of the Cyber Economy