- Threat Assessment: Who’s out to get you? Why? How likely is an attack? How bad can it get?
- Vulnerability Assessment: How easy is it to get you? What’s stopping people from doing it? What tools might they use?
- Risk Analysis: Combine equal parts of threat assessment and vulnerability assessment. Mix, cook, and serve in the form of risk probability over time and potential business impact.
- Risk Register: A go‐to menu of your risks, listing as much information as possible, including risk type (e.g., what, who, why), evaluation date, description, probability, impact, classification (e.g., low, medium, high), response (e.g., accept, insure, run for the hills), and risk owner (who’s on the hook for it?). It’s fine to go all in when creating your risk register, but keep in mind that throwing everything and the kitchen sink in a risk register will make it difficult to maintain and update. Think comprehensive, but not overwhelming.
- Risk Evaluation: Compare your risk analysis to business‐specific reality. Deal only with pragmatic, real, and present risk. Avoid paranoid thinking and rabbit holes. To wit: Accept meteor strike as “risk I won’t worry about,” and sleep easier.
- Risk Assessment: Using all of the preceding, identify the issues, rank them, and answer what happens if you stick your head in the sand and ignore them. I like my risk assessments to be short and sweet. For each identified risk, think Name, Rank, and Serial Number. Rank, of course, is the key here. Other than that, that’s it. If I want the details, I can always refer back to the source documents.
Control types:
- preventative (think: stop signs)
- detective (think: cameras)
- corrective (think: backups)
- compensating (think: failover sites)
Vulnerability testing can help identify vulnerabilities present across the computing environment, including potentially missing patches for software and operating systems, which gives an indication of how well patch management is being applied. Ideally, credentialed scans (with administrative access) will be conducted for fewer false positives and better coverage.
- Asset: Anything of value
- Risk: Likelihood of an event, multiplied by its impact
- Mitigated risk: Existing risk after controls have been applied
- Residual risk: What’s leftover after risks have been mitigated or transferred as much as possible
- Accepted risk: Residual risk that has been accepted, aka the risk of doing business
- Controls: Active countermeasures, whether processes, systems, or applications, that prevent, detect, correct, or compensate against the risk
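As an added illustration (not from the notes these points summarize), the register below ties the definitions together: each entry carries the fields a risk register lists (type, description, probability, impact, classification, response, owner), risk is likelihood multiplied by impact, controls of the four types reduce that to a residual score, residual risk within the board's appetite becomes accepted risk, and entries are ranked so the assessment stays short. The 1-5 scales, the low/medium/high cut-offs, the appetite value and the three sample risks are assumptions.

```python
from dataclasses import dataclass, field

# Assumed scheme (not from the notes): likelihood and impact each 1-5, risk = likelihood x impact,
# with the low/medium/high cut-offs and the board's appetite also assumed.
LOW_MAX, MEDIUM_MAX, RISK_APPETITE = 5, 12, 6.0

@dataclass
class Control:
    name: str
    kind: str                       # preventative, detective, corrective or compensating
    likelihood_factor: float = 1.0  # multiplier on likelihood (0.6 = cuts it by 40%)
    impact_factor: float = 1.0      # multiplier on impact (0.5 = halves it)

@dataclass
class Risk:
    description: str
    risk_type: str                  # what / who / why, as the register entry asks for
    likelihood: int
    impact: int
    owner: str                      # who is on the hook for it
    controls: list = field(default_factory=list)

    def inherent(self) -> float:    # risk before any control: likelihood x impact
        return self.likelihood * self.impact

    def residual(self) -> float:    # what is left once every control in place is applied
        lik, imp = float(self.likelihood), float(self.impact)
        for c in self.controls:
            lik, imp = lik * c.likelihood_factor, imp * c.impact_factor
        return round(lik * imp, 2)

def classify(score: float) -> str:
    return "low" if score <= LOW_MAX else "medium" if score <= MEDIUM_MAX else "high"

def response(risk: Risk, appetite: float = RISK_APPETITE) -> str:
    """Residual risk within appetite becomes accepted risk; anything above needs more treatment."""
    return "accept" if risk.residual() <= appetite else "treat further"

def build_register() -> list:
    """Constructed sample register: three illustrative risks and their controls."""
    training = Control("Security awareness training", "preventative", likelihood_factor=0.6)
    mfa = Control("MFA on all remote access", "compensating", impact_factor=0.5)
    backups = Control("Offline, tested backups", "corrective", impact_factor=0.6)
    return [
        Risk("Phishing leads to credential theft", "external / criminal / financial", 5, 4, "CISO", [training, mfa]),
        Risk("Ransomware encrypts the file server", "external / criminal / extortion", 3, 5, "IT ops lead", [backups]),
        Risk("Meteor strike on the data center", "natural / none / none", 1, 5, "Facilities"),
    ]

def rank_register(risks: list) -> list:  # rank is the key: highest residual risk first
    return sorted(risks, key=lambda r: r.residual(), reverse=True)
```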
Leveraging ISACA COBIT 5 Processes
- Evaluate, Direct, and Monitor (EDM)
  - Provides governance for cybersecurity; focused on ensuring that appropriate direction is given and that monitoring mechanisms are in place.
- Align, Plan, and Organize (APO)
  - Embeds cybersecurity within the IT management framework; the architecture piece of cybersecurity, ensuring IT security is applied to the business.
- Build, Acquire, and Implement (BAI)
  - Capabilities that assist in the execution of the cybersecurity program.
- Deliver, Service, and Support (DSS)
  - Process capabilities that provide operational support and “keep the cybersecurity lights on.”
- Monitor, Evaluate, and Assess (MEA)
  - Provides cybersecurity monitoring and self-assessments, and ensures that the reporting requirements for compliance with various laws and regulations are being met.
The mission of the organization declares how it operates while the vision addresses the ideal future the organization is striving to achieve.
Organizational culture represents the collective values, beliefs, and principles of organizational members and is a product of such factors as history, product, market, technology, strategy, type of employees, management style, and national culture; culture includes the organization’s vision, values, norms, systems, symbols, language, assumptions, beliefs, and habits.
- Cultural Profile
  - Organizational dominant characteristics
  - Organizational leadership
  - Employee management
  - Organizational glue
  - Strategic emphases
  - Criteria of success
- Bimodal IT: describes the “keep the lights on and the trains moving” mode of IT alongside the “go wild, innovate, and experiment” mode of IT.
- Shadow IT springs up as a result of unanswered (or frustrated) user needs
Performing a threat assessment requires skill and expertise that you may not have readily available: it requires access to up‐to‐date threat intelligence and an understanding of threat behavior.
The top three threats facing organizations are social engineering, insider threats, and advanced persistent threats.
Checklists are important to have developed, and tested, as part of an incident response plan. When an incident occurs, it can be very stressful for all parties involved and tasks can easily be overlooked. A checklist can help the response team follow established procedures for responding to the incident. These checklists should be included in tabletops and other preparation exercises to ensure adequate coverage and can be adjusted as needed.
Cyber Risk Management Principles
The ISO 31000:2009 international risk management standard can support an organization that chooses to implement COBIT 5 GEIT (governance of enterprise IT) and its five principles:
- Meeting stakeholder needs.
- Covering the enterprise end-to-end.
- Applying a single, integrated framework.
- Enabling a holistic approach.
- Separating governance from management.
Examples of stakeholders in the cyber risk assessment processes:
- Customers, clients, stockholders, employees, contractors, and supply chain partners (e.g., outsourced partners and critical infrastructure suppliers);
- Government and regulatory authorities;
- Nongovernmental organizations;
- Civil society groups; and
- Members of the public (including the media)
Identifying, Analyzing, and Evaluating Cyber Risks
Neither of the two insider threat types presented here (negligent and accidental) intentionally tries to do harm. A negligent act might be someone who consciously chooses to continue to an unencrypted website despite being warned about it. A common accidental act is sending an attachment to the wrong recipient. Malicious acts, by contrast, are made by conscious decision with the intent to do harm.
The threat of an attacker (threat agent) gaining access to a system by using default credentials (vulnerability) is an example of a misconfiguration. Default credentials should always be changed as part of a secure configuration management process as these credentials are often available on the internet.
Compliant does not necessarily mean secure, as compliance checks are meant only to validate specific attributes. An internet search will yield examples of compliant organizations that have still suffered a security breach. In this scenario, the report should first be reviewed to see what the compliance checks are evaluating before making a decision on how best to move forward. While a penetration test could be used to test the security of the system, we need to first understand which security controls exist and have been evaluated.
Identify, Evaluate, and Analyze the Risks
- generating an integrated view of information risk
- realistically assessing worst case
- mapping different types of threats, both malicious and accidental
- assessing vulnerabilities to different threat events and the strength of any controls already in place
- evaluating risk appetite and likelihood of a successful threat
- developing practical approaches to addressing the information risks that have been identified
Treating Cyber Risks
The starting point of the exploration of an organization’s cyber risk is the determination of that organization’s risk profile and risk appetite.
Questions that are relevant in determining this risk profile include: “How interesting is the organization to potential cyber criminals?”; “How dependent is the organization on the services of other organizations?”; and “How much risk is the organization willing to accept?”
A good starting point when determining risk is the risk profile and risk appetite of the organization. If the board has decided that they are not willing to accept any amount of risk (no appetite), then it is likely going to take a substantial investment in security controls. On the other hand, if the organization has a larger appetite and higher tolerance level, then the controls can be eased back and prioritized appropriately.
Determining the Cyber Risk Profile
- What is the organization’s internal and external context and environment? In which markets is the organization active? To what extent is the organization dependent on the digitization of the organization’s service provision? To what extent is the organization linked to another organization that could form an additional risk in this framework?
- What could be relevant intended targets within the organization, and also within the chain in which the organization is active?
- To which group of cybercriminals, and why, is the organization an attractive target (threats)? Which resources could the attacker deploy?
- Which vulnerabilities in the organization could cybercriminals exploit? This concerns not only technical vulnerabilities but also human actions. More importantly, what is the level of resilience? How fast can an organization be back in business after a cyber attack?
- What are the regulatory and legislative requirements with regard to cybersecurity that pertain to the organization?
Threat actors are the entities responsible for carrying out an action as part of a threat. In determining potential threat actors, asking which groups of cybercriminals may target an organization will help identify those groups (such as hacktivists, nation state actors, or script kiddies) that are most likely to target the organization.
Treating Cyber Risk
An organization that has taken the time to properly prepare for cybersecurity risk is better prepared to not only prevent attacks from happening but to also be successful in lessening the overall impact to the organization if an attack is successful.
Risk decisions are often made by cyber risk professionals without consulting the appropriate people from the business. The business process owner should have in-depth knowledge about the business processes and can determine whether security controls are adequate enough to bring risk down within tolerance levels or whether additional controls are necessary.
Risk treatment, per ISO 31000:2009, Risk Management—Principles and Guidelines, is carried out by:
- avoiding the activity that gives rise to the risk
- taking or increasing the risk in order to pursue an opportunity
- removing the risk source
- changing the likelihood
- changing the consequences
- sharing the risk with other parties (e.g., risk financing, contracts)
- retaining the risk by informed decision
Benchmarking
The use of internal or external points of reference or standards against which a risk management system and its effectiveness may be compared, checked, or assessed.
Cyber risk sources
Any root and other causes that give rise to a cyber risk, such as supply chain, social media, ransomware, cloud computing/third-party vendors, Big Data analytics, the Internet of Things (IoT), and BYOD/mobile devices.
Crown jewels
The most valuable digital assets or information to an organization.
Risk treatment options
Controls and anything that modifies risk; if aligned with ISO 31000:2009, Risk management—Principles and guidelines, they will be tailored to (1) avoiding the activity that gives rise to the risk; (2) taking or increasing the risk in order to pursue an opportunity; (3) removing the risk source; (4) changing the likelihood; (5) changing the consequences; (6) sharing the risk with other parties (e.g., risk financing, contracts); and (7) retaining the risk by informed decision.
NIST Risk Management Framework Steps
- Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.
- Select an initial set of baseline security controls for the information system based on the security categorization; tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions.
- Implement the security controls and describe how the controls are employed within the information system and its environment of operation.
- Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
- Authorize information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.
- Monitor the security controls in the information system on an ongoing basis including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials.