Information Security Concepts

In the context of Risk Management with new technologies, the main goal is to ensure the technology used within company is adequately protected.

When deploying new technology you need to address following areas:

  1. training,
  2. policies & procedures,
  3. backup schemes and continuity plans,
  4. risk ownership,
  5. consent of information owners,
  6. legal & regulatory requirements,
  7. monitoring and reporting.

Always, always have in mind the CIA Triad.

Confidentiality.
Integrity.
Availability.

Sometime add to the above:

Nonrepudiation.
System Authorization.

When working with Access Control the IAAA is the foundation:

Identification.
Authentication.
Authorization.
Accountability.

Public Key Encryption:

  1. Message Integrity and Hashing Algorithms
  2. Digital Signatures
  3. Certificates

Why is Enterprise Architecture important for Risk Management?

Enterprise Architecture delivers overview of the current state of IT,
establishes vision for a future state, and finally generates strategy to move from the current state to the desired state.

When analysing Enterprise Architecture you should answer following questions:

  • Are we doing the right things?
  • Are we doing them the right way?
  • Are we getting them done well?
  • Do we expected benefits?

Basically Enterprise Architecture delivers information on how an enterprise achieves its strategy.

Following key areas should be covered within Enterprise Architecture:

  • documentation,
  • notation,
  • process,
  • organization.

The most common EA frameworks are:

  • TOGAF,
  • Zachman Frameworks,
  • DODAF,
  • FEAF,
  • SABSA – Sherwood Applied Business Security Architecture.

Key Performance, Key Risk and Key Control Indicators

The most important thing is to remember that Key Performance Indicator should be based on the SMART concept:

  • Specific,
  • Measurable,
  • Attainable,
  • Relevant,
  • Timely.

It´s also crucial to remember that metrics need to be MARC:

  • Measurable,
  • Actionable,
  • Reproducible,
  • Comparable.

Example of the KPI would be e.g. network availability, customer satisfaction, number of complaints, number of employees that attended security awareness session…

Key Risk Indicators sets a threshold for an alert when risk level approaches unacceptable level.

This could be e.g.:

  • number of unauthorized equipment detected in scans,
  • number of instances of SLAs exceeding threshold,
  • number of business critical systems unable to meet recovery requirements,
  • number of systems missing critical patching,
  • number of business critical systems which are non-compliant with enterprise security standards.

Key Control Indicators:

  • number of phishing emails not blocked by filtering system,
  • number of user accounts with non-compliant passwords,
  • number of accounts with inappropriate level of access.

What´s the difference between KRI and KCI?

Key Risk Indicator is like an early-warning sign. It´s about spotting possible danger ahead of time.

Whereas Key Control Indicator are about checking if things we do to keep ourselves safe work properly. It´s something which had been already implemented to mitigate risk.

All in all KPIs measure activity goals.
KRIs measure increased risk level.
KCIs measure performance of control actions.

Risk and Control Monitoring

Risk Practitioner needs to ensure:

  • logs are enabled,
  • controls can be tested,
  • regular reporting procedures are developed.

In general the purpose of information security control monitoring function is to:

  • make sure IT security requirements are being met,
  • standards are being followed,
  • staff is complying with policies, practices and procedures.

Remember that the objectives is to monitor if control effectively addresses the risk, not to see whether a control works itself.

So… how to monitor controls?

  1. Identify controls owners and stakeholders.
  2. Communicate risk and information security requirements and objectives for monitoring and reporting.
  3. Align and continue maintaining.
  4. Establish information security monitoring processes and procedures.
  5. Determine Lifecycle Management and Change Control.
  6. Request, prioritize and allocate resources for information security monitoring.

Finally, what are the Control Assessment types?

  • self-assessment – e.g. workshops or discussions,
  • IS audit,
  • Vulnerability Assessment,
  • Penetration Testing,
  • Third-party assurance.

How to analyse data in Risk Management?

There are multiple useful techniques. Good starting point would be:

  • Cause-and-Effect Analysis – which enables you to identify a root cause,
  • Fault-Tree Analysis – exploring events which may lead to a top-level event. And then analysing reasons for those events to happen.
  • Sensitivity Analysis – assessing which risk factor might have the biggest impact.

There are several questions which you should ask when analyzing Log Data.

  1. Are the controls operating correctly?
  2. Is the level of risk acceptable?
  3. Are the controls aligned with the risk strategy, business strategy and key priorities?
  4. Are the controls flexible enough to meet changing threats?
  5. Are the correct risk data being provided in a timely manner?
  6. Is the risk-management effort benefitting corporate objectives (or at minimum not hindering them)?
  7. Is awareness of risk a compliance requirement reflected in user behavior?

Risk Treatment Plan – Template

Risk Treatment Plan addresses identified risks. The plan outlines actions to be taken to accept, mitigate, transfer or avoid risk.

Elements of a Risk Treatment Plan

  1. Risk Assessment Summary
    • how was a risk identified?
    • how was a risk analysed?
  2. Risk Treatment Options
    • accept – acknowledge a risk and proceed
    • mitigate – implement controls to reduce likelihood or impact
    • transfer – shift the risk to another party, e.g. insurance company
    • avoid – change business process to eliminate a risk
  3. Detailed Risk Treatment Plan
    • Risk ID
    • Risk Description
    • Risk Level
    • Treatment Option
    • Action Plan
    • Responsible Party
    • Target Date
    • Status
  4. Monitoring and Review Mechanisms
  5. Approval

While creating risk treatment plan one needs to consider:

  • public pressure,
  • current risk level,
  • applicable laws and regulations,
  • ongoing projects,
  • strategic plans and management priorities,
  • current and projected budgets,
  • availability of staff,
  • actions of competitors.

How to properly design, select, analyse and implement controls?

Well the beginning is no surprise – start with understanding the current state of IT Risk. Test the controls, understand incident management programs.

Then use the current state to create a reference point. This will enable you to understand a gap which needs to be addressed.

Once you know where is the gap, understand the reason behind it. This will help you in finding out a solution to address this gap.

When thinking about controls remember that there are two main types of them:

  • proactive – e.g. warning sign,
  • reactive – e.g. fire extinguisher.

When introducing controls remember about proper Control Management Procedures, it will make the life of the organization much easier. Below are the most important components of such procedures.

  1. Proper installation.
  2. Policies and procedures supporting operations.
  3. Change Management.
  4. Training of staff to monitor, manage and review controls.
  5. Assignment of responsibilities.
  6. Schedule for review and reporting.
  7. KPIs.

How about a situation when implemented controls are not enough? We can try to introduce compensating measures:

  • layered defense,
  • increased supervision,
  • increased audits,
  • logging of system activities.

Extras:

Changeover (Go-live) Techniques:

  • Parallel Changeover – both old and new system,
  • Phased Changeover – replacing individual components or modules,
  • Abrupt Changeover – single-instant movement from the old to the new one
    – abrupt may be used when the rollback is relatively assured or the impact is minor.

Rollback (fallback):

  • post-implementation review as soon as practical,
  • lessons learned,
  • second joint-review with already some time in production.

What types of controls we have? What standards are there? What frameworks?

The first thing to remember is that mitigation is the most common response to risk. Hence the controls.

It is essential for Risk Practitioner to ensure appropriate balance between managerial, technical and physical controls.

There are several different control categories.

  1. Preventive Controls – e.g. encryptions, user authentication, vault-style doors.
  2. Deterrent Controls – e.g. warning banners, security cameras, acceptable use policies, rewards for the arrest of hackers.
  3. Detective Controls – e.g. audit trails, Intrusion Detection Systems.
  4. Corrective Controls – e.g. data backups, error correction, automatic failover.
  5. Compensating Controls – which is something to make exploitation of the vulnerability harder, more difficult. However does not address this vulnerability directly.

Consequently we have 3 layers of controlling methods:

  1. Administrative/Managerial method – policies & procedures, training & awareness, configuration & change management, employee development. Heavily relying on people judgment.
  2. Technical method – through use of technology. E.g. firewalls, passwords, encryptions, Intrusion Detection Systems.
  3. Physical method – blocking access to particular room or building. Doors, fences, CCTV, security guards.

Ok, how about the standards? Nothing new under the sun. The best approach is to follow standards like:

  • ISO – e.g. ISO270001
  • National Institute of Standards and Technology – NIST – e.g. cybersecurity framework
  • Payment Card Industry Data Security Standard – PCI DSS
  • Cloud Security Standard – CSA

Obviously, there are many more of them.

Finally we can mention one of the framework, in particular Capability Mature Models (CMM). They take into consideration:

  • principles,
  • policies,
  • procedures, and
  • standards.

3 mitigation strategies for managing New Technology risks

They are not very complicated.

Start with automatic network scans – you need to know what sits within the network.

Then, make sure your staff is fully aware on how to submit new technology.

Finally, make sure you have well documented the process of exception of running the whole evaluation process.

Simple and effective.

What do you need to remember about 3rd-party risks?

The first thing is that relying on 3rd-party service provider results in risk of data exposure. There is one primary reason for that:

even though daily operations are conducted by the contractor, it´s the outsourcing enterprise which is the owner of the data.

Hence Risk Practitioner needs to be involved in the defining following aspects of the cooperation:

  1. Contracts and Service Level Agreements;
  2. Enterprise Accountability:
  3. Strategies of mitigation of non-compliance.

Risk Practitioner needs to:

  • ensure good practices and compliance with requirements are in place;
  • be aware where and how is the data stored.

Furthermore enterprises should include indemnity clauses that require the service provider to repay losses due to non-compliance

How about managing Issues, Findings and Exceptions? Formal approaches should be established.

Starting with Configuration Management. Which is basically about standardizing configuration.

Then there should Release Management in place. Coordinated with production staff and non-developers. Remember! Release Management sometimes can be part of the Change Management.

Obviously Exception Management practices should be in place as well.

Don´t forget about Change Management, which is more or less structured review and acceptance by designated committee.

Finally think about Issues and Findings Management. If you have all of them in place, you can relax and grab your beer!