8. Context and Purpose
Another aspect of risk management is context and purpose. Remember that managing risk is usually the responsibility of the information security manager. So the first requirement of a risk management program is to determine the desired outcomes and the objectives. Knowing those outcomes and objectives helps the security manager understand what they need to do to reach them. Again, it gives them a roadmap.
Now, if I did not have formal risk management, the program might become too broad and try to cover every aspect of the organization, to the point where I might not even consider the criticality of the assets I'm trying to protect. Look at it this way: if I'm the security manager and all I've been told is "make my network secure," that's all I know. I don't know that a certain database server holds information that, if lost, damaged or destroyed, would bankrupt the company. If I did know that, I would focus more of my effort on securing that system. Instead, as security manager, I might start by looking at the door locks for the physical part of my security.
Then I'll upgrade the HVAC to keep the environmental side of security in good shape. Then I'll buy some firewalls and install them and hope they don't choke the bandwidth (too bad for your voice over IP). I'm all over the place, because my goal is just "protect this stuff" and I have no priorities and no defined goal; I'm shooting at everything with different solutions. That is what it means for the program to become too broad. With risk management in charge, I'm given the desired outcomes and my objectives are defined, and that tells me: that server, that database, those are what matter to you.
Okay, I get that. So I might start looking at segmenting the network and restricting which hosts are allowed to connect to those servers, at ways to verify the integrity of the data, at logging who has logged in, who is retrieving information and what they're doing, and at backing that information up. Now, all of a sudden, I've got a game plan and I'm focused on that outcome. Of course, depending on your organization, there may be interactions between different business units, and those may still be part of what you're doing.
But that doesn't make the program too broad, because I still have a goal and an objective. Part of keeping that data safe and secure may also be training the people who enter the data, and having a well-built application that validates what is entered. If I'm entering customer information and the form asks for the date of sale and someone types their last name instead, that's going to cause problems on the back end. So there are a lot of things we can do and look at as far as context and purpose, but hopefully the point is made about the importance of risk management.
9. Scope and Charter
Now, as I mentioned, the scope and charter part of this is that many parts of the organization may be involved in risk management, so it's important that we define the scope in order to understand responsibility and authority, especially where they overlap. Some of the main areas we deal with in information security are physical security, which could very well affect everyone who enters the building, with ID badges and the rest; operational risk; and IT and business management, as far as understanding the scope of their work and their responsibilities. The charter generally just means: this is our contract, this is what we're trying to achieve.
10. Assets
The assets are one of the key factors we look at in risk management. All of our assets need to be identified and classified, and their ownership needs to be determined. The purpose of that is to feed the scope and the priorities of the risk management effort. As I mentioned, I talked about a database whose loss would bankrupt the company. But the server housing that database is an asset as well. Do I have backup copies of the database management software? Do I have redundant network connectivity so that the information stays available, or highly available? And do I have the right access rules for who is allowed to see the information? These are the things we look at once we have prioritized and classified our assets, because we want to focus our efforts and prioritize what we do.
Having said that, some of the other things I just mentioned, like the network connectivity and the server we're using, are assets as well. The reason I mentioned them wasn't to say how I would secure them; I'm asking the question: if the data is important, then the server holding the data must be of some importance, and the communication pipes to that server must be of some importance. We have to prioritize all of those, and I have to say that they are more critical to our functionality than whether somebody can turn on their workstation, open Microsoft Word and write some correspondence. I'm not saying that's unimportant, but again, it comes back to prioritizing the assets.
So down the road we might classify some of those workstations as part of the network, but not as the first or second thing we have to work on or worry about. So there you have some ideas. When we classify, we are asking about sensitivity and criticality and how those relate to the importance of the asset to the organization. That's what we have to do with our assets, because it helps us focus the resources we're using, which are part of risk management, and gives us an idea of what we're trying to accomplish as far as the overall goal as well.
11. Other Risk Management Goals
There are some other goals we have with risk management. Determining the objectives and priorities for your information risk management is absolutely essential, because without them you're going down the road trying to figure out what's at risk and what's important without a game plan, so you need to have that. Priorities must be set, since most organizations can't afford to mitigate every single risk. That means we focus our risk management on the things that are most important to us. I know you've heard me say this over and over about classification and figuring out what those assets are, and different business units may have different perspectives on that.
Then again, it's part of the risk management team's job to come up with the right priorities and the right assets to look at, and to go from there. It doesn't mean we can't look at other assets. But if time is a constraint and money is a constraint, and we're looking for what is essential, then that's what we want to focus on. Now, you can determine the methodologies you want to use for risk assessment, and we've talked about some of those already. The methodologies you choose are really up to your program development team. One thing we have to remember is that when we start using methodologies for things like risk assessment, we want to be consistent in them as we go along the roadmap toward the desired state.
If we suddenly change methodologies, then the desired state or the roadmap may begin to look different, and that can cause confusion. It's also hard, when you're doing valuations with different methodologies, to know whether you've made progress, because the way you look at the assets, the risks and the threats could suddenly look quite different. That causes confusion about whether you're really reaching your benchmarks, the intermediate points along the roadmap.
12. Roles and Responsibilities
We also have to look at roles and responsibilities. Information security risk management, as we said, is an important part of overall security governance, and it's important to remember that risk management is a management responsibility. Ultimately, security governance as a whole is the responsibility of the board of directors, and as I said, risk management is part of that management responsibility. Besides upper management, there are many other key roles we need to address and define responsibilities for. So as we talk about the roles, remember that the governing board, or senior management, has the ultimate responsibility.
They are the ones ultimately liable for any loss or anything negative that happens to the organization. From there you have a chief information officer; I realize you might not use that title, but the position exists. Their job is to be in charge of IT planning and budgeting and to make sure the department is performing as it should. Your information security manager is the one who works on the development, then the implementation, and then the ongoing management of the security program for the organization. Your system and information owners are there to ensure that controls are in place and performing as they should.
Being the information owner or the system owner means having the responsibility to know that whatever we're in charge of is performing well and is protected as it should be. Your business and functional managers work on IT procurement and business management, meaning the purchasing of hardware, software, or whatever else we need to put specific countermeasures in place. Overall, that's their business management role. Your IT security practitioners are the ones who actually implement the controls. That means I could have people who specialize in firewalls and routers, or in servers and server technology.
They each have their own expertise, but we have to remember that they are part of the security team and are there to make sure the controls are implemented and working the way they're supposed to. Then we have the security awareness trainers, whose job is to reach everybody else, the employees, and that can also mean reaching upper management, to make sure everyone understands the reasons for the controls, the way business is being done, and why the policies, standards and procedures were developed. When people understand the purpose, there is less of a negative reaction to having to do things a certain way: it isn't something done because somebody said so, or busy work, but there is actual meaning behind the actions they take.
13. Lesson 3: Information Security Risk Management Concepts
Now we'll take a look at information security risk management concepts. There are a number of key concepts that we, as information security managers, need to be aware of. My goal here is to make sure you understand that doing the work is one thing, and understanding what the work does, so you know what to expect, is another. Many times, when I'm teaching a class, I'll ask students on the first day about their experience and their job functions.
I remember, just recently, in a high-end firewall class for one of the large vendors, one person said it had been years since they had configured a router or a firewall from the command line, and told me right up front that they weren't really there to learn how to do the configurations or the hands-on work. I said, okay, so what are you here for? The answer was that they were in a management position, and what they needed was to understand how the product works, understand its capabilities, and know what expectations they could set when managing the people working with that technology.
That's where we are here as information security managers. I don't think it's possible to know every single aspect of every part of your organization, but you should understand what it does, even without the hands-on experience. So when we introduce these key concepts with brief definitions or examples, it's so we understand at a high level what's going on. Threats and vulnerabilities work hand in hand. First, a vulnerability is a weakness of some sort. If we focus on software, we often talk about bugs in programs, where somebody performs a buffer overflow attack, gains remote access to the machine, issues commands at the system level, and, as we say, owns the box.
Other vulnerabilities can be in physical security, such as points of entry we might not have thought about. We talked about your server room: the walls around it should be true walls that run from the real floor to the real ceiling, so that nobody can climb over them through the ceiling panels, because that would be an example of a vulnerability. So it's important that we look at vulnerabilities in general as weaknesses. The threats, then, are the people or events that could take advantage of a vulnerability.
Certainly my brick-and-mortar building is vulnerable to fire, but for that to matter there needs to be a threat: an electrical short, or arson. Those are the threats that could take advantage of the vulnerability. Just because I have a vulnerability doesn't mean somebody is going to act on it, but we have to consider the potential threats. The risk is the possibility that a threat actually takes advantage of a vulnerability; when it does, we call that an exploit, exploiting the vulnerability. Exposure is another thing we look at a lot.
We talk about the exposure factor, which tells us the extent of the damage that might be done. Damage doesn't necessarily mean it was purposeful or malicious; it could be the accidental deletion of a database of customer accounts. What would that exposure be, or what would it cost the company? When we put all of these together, a threat exploiting a vulnerability and causing an exposure, we call that a risk, and those risks have impacts on the organization. We lower those risks from threats and vulnerabilities through controls and countermeasures.
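To make the concepts concrete (asset classification, threat, vulnerability, exposure factor, impact, and the point from lesson 11 that priorities matter because no organization can mitigate every risk), here is an added example that is not part of the course material. It uses the conventional annualized-loss formulas SLE = asset value × exposure factor and ALE = SLE × annualized rate of occurrence, which the lecture does not state and are assumed here; all assets, threats, dollar values and control costs are constructed sample data.

```python
"""Toy quantitative risk register (added example, not from the course).

Assumed formulas (conventional, but not stated on the page):
    SLE = asset value * exposure factor   (single loss expectancy)
    ALE = SLE * ARO                       (annualized loss expectancy)
All assets, threats, values and control costs below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float        # business value of the asset in currency units
    sensitivity: str    # classification of the data it holds
    criticality: str    # how essential it is to operations


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str              # who or what could act on the weakness
    vulnerability: str       # the weakness itself
    exposure_factor: float   # fraction of asset value lost per incident (0..1)
    aro: float               # expected incidents per year

    def sle(self) -> float:
        return self.asset.value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    cost: float
    risk: Risk
    aro_after: float   # expected incidents per year once the control is in place

    def residual_ale(self) -> float:
        return self.risk.sle() * self.aro_after

    def net_benefit(self) -> float:
        # Annual loss avoided minus what the control costs; negative means the
        # control is more expensive than the risk it treats.
        return self.risk.ale() - self.residual_ale() - self.cost


def prioritize(risks):
    """Highest annualized loss first: that is where the program focuses."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def select_controls(controls, budget):
    """Greedy pick by net benefit within a budget; controls that do not pay for
    themselves are skipped even if money is left over."""
    chosen, remaining = [], budget
    for c in sorted(controls, key=lambda c: c.net_benefit(), reverse=True):
        if c.net_benefit() <= 0 or c.cost > remaining:
            continue
        chosen.append(c)
        remaining -= c.cost
    return chosen, remaining


# Constructed sample data mirroring the lecture's examples.
DB = Asset("customer database server", 2_000_000, "confidential", "high")
WORKSTATION = Asset("office workstation", 1_500, "internal", "low")

RISKS = [
    Risk(DB, "ransomware", "unpatched database host reachable from the user LAN", 0.5, 0.2),
    Risk(DB, "accidental deletion by an operator", "broad write access, no change review", 0.1, 0.5),
    Risk(WORKSTATION, "commodity malware", "users run with local admin rights", 1.0, 2.0),
]

CONTROLS = [
    Control("network segmentation plus patch management", 60_000, RISKS[0], 0.05),
    Control("least-privilege write access plus tested backups", 20_000, RISKS[1], 0.1),
    Control("remove local admin rights", 5_000, RISKS[2], 0.5),
]

if __name__ == "__main__":
    for r in prioritize(RISKS):
        print(f"{r.asset.name:28} {r.threat:36} ALE={r.ale():>12,.0f}")
    chosen, left = select_controls(CONTROLS, budget=70_000)
    print("chosen:", [c.name for c in chosen], "budget left:", left)
```

With a 70,000 budget the segmentation control (net benefit 90,000) is taken first and the backup control no longer fits, which is exactly the prioritization trade-off the lecture describes; the workstation control is dropped regardless of budget because it costs more than the 3,000 a year it would save.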
We're going to see the term controls used a lot. When we talk about controls, it doesn't necessarily mean a device I bought or a program I installed; those fall more into the category of countermeasures, sometimes called targeted controls. Controls often start with the policy. The policy gives the guidance that creates the standards, which set the boundaries that keep us on target to meet the policy, and the actions we take may follow a set of procedures. So controls encompass policies, standards, guidelines and procedures.
We've probably mentioned it enough times that you're tired of hearing about it, but asset classification is also one of these key concepts, and I hope we've discussed it well enough that you have a good understanding of what it means. Some other things we look at are recovery time objectives and recovery point objectives. They sound similar apart from "time" and "point." The recovery time objective is the length of time we are allowed to take to come back from some sort of event. That gets into our backup and restore procedures, and the hot sites we can fail over to, or the personnel we can bring in, to get things back up.
We want to understand conceptually what the recovery time objective means to us, because it's probably going to be part of our security program. The recovery point objective is another interesting idea: it describes how much data, measured in time, we can afford to lose. If somebody deletes a customer account from the database and I need to recover that customer's information, the question is: when I look at my backups, would I have to recover that customer from a year ago, or can I recover it up to a certain point in time? Or, if I made a change and just need to roll it back, can I go to a specific point? That's what recovery points are about. And our service delivery objectives are really part of what we expect from our service providers, or what is expected of us to deliver. A lot of times that goes into our contractual agreements.
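The difference between the two objectives is easiest to see with timestamps. The following is an added example, not course material: given the times of successful backups, the moment of the incident and the moment service came back, it computes the data-loss window (what RPO bounds) and the outage length (what RTO bounds). All timestamps and the 4-hour and 8-hour objectives are constructed sample values.

```python
"""RPO / RTO check (added example, not from the course).

Given the timestamps of successful backups, the moment of an incident and the
moment service was restored, work out how much data (measured in time) would
be lost and how long the outage was, then compare both against the objectives.
All timestamps below are constructed sample data.
"""
from datetime import datetime, timedelta


def data_loss_window(backups, incident):
    """Time between the last good backup taken before the incident and the incident.
    Returns None if no backup predates the incident (everything is lost)."""
    prior = [b for b in backups if b <= incident]
    return incident - max(prior) if prior else None


def assess(backups, incident, restored, rpo_hours, rto_hours):
    """RPO bounds data loss; RTO bounds downtime. Both are reported in hours."""
    loss = data_loss_window(backups, incident)
    outage = restored - incident
    return {
        "data_loss_hours": None if loss is None else loss.total_seconds() / 3600,
        "rpo_met": loss is not None and loss <= timedelta(hours=rpo_hours),
        "outage_hours": outage.total_seconds() / 3600,
        "rto_met": outage <= timedelta(hours=rto_hours),
    }


# Constructed sample timeline: nightly full backups at 02:00, an operator
# deletes customer accounts at 14:30 on 12 March, service is back at 20:00.
NIGHTLY_BACKUPS = [datetime(2024, 3, d, 2, 0) for d in range(10, 13)]
# Transaction-log backups every 15 minutes from 02:00 to 14:15 on 12 March,
# which is what makes recovery "to a specific point" possible.
LOG_BACKUPS = [datetime(2024, 3, 12, 2, 0) + timedelta(minutes=15 * i) for i in range(50)]
INCIDENT = datetime(2024, 3, 12, 14, 30)
RESTORED = datetime(2024, 3, 12, 20, 0)

if __name__ == "__main__":
    print("nightly only:", assess(NIGHTLY_BACKUPS, INCIDENT, RESTORED, rpo_hours=4, rto_hours=8))
    print("with log backups:", assess(NIGHTLY_BACKUPS + LOG_BACKUPS, INCIDENT, RESTORED,
                                      rpo_hours=4, rto_hours=8))
```

With nightly backups alone the loss window is 12.5 hours, so a 4-hour RPO is missed even though the 5.5-hour restore meets an 8-hour RTO; adding the 15-minute log backups shrinks the loss to 15 minutes without changing the outage at all. The two objectives are independent, which is why they are set (and tested) separately.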