Professional Documents
Culture Documents
Chapter 4a Risk Management
Chapter 4a Risk Management
Risk Management
Prepared by:
Learning Content:
Introduction
As an aspiring information security professional, you will have a key role to play in risk management. It is
the responsibility of an organization’s general management to structure the IT and information security
functions to defend the organization’s information assets—information and data, hardware, software,
procedures, networks, and people. The IT community must serve the information technology needs of
the entire organization and at the same time leverage the special skills and insights of the information
security community. The information security team must lead the way with skill, professionalism, and
flexibility as it works with the other communities of interest to balance the usefulness and security of
the information system.
Consider for a moment the similarities between information security and warfare. Information security
managers and technicians are the defenders of information. The many threats discussed in Chapter 2
are constantly attacking the defenses surrounding information assets. Defenses are built in layers, by
placing safeguard upon safeguard. The defenders attempt to prevent, protect, detect, and recover from
a seemingly endless series of attacks. Moreover, those defenders are legally prohibited from deploying
offensive tactics, so the attackers have no need to expend resources on defense. In order to be
victorious, you, a defender, must know yourself and know the enemy.
Know Yourself
First, you must identify, examine, and understand the information and systems currently in place within
your organization. This is self-evident. To protect assets, which are defined here as information and the
systems that use, store, and transmit information, you must know what they are, how they add value to
the organization, and to which vulnerabilities they are susceptible. Once you know what you have, you
can identify what you are already doing to protect it. Just because a control is in place does not
necessarily mean that the asset is protected. Frequently, organizations implement control mechanisms
but then neglect the necessary periodic review, revision, and maintenance. The policies, education and
training programs, and technologies that protect information must be carefully maintained and
administered to ensure that they remain effective.
All of the communities of interest must work together to address all levels of risk, which range from
disasters that can devastate the whole organization to the smallest employee mistakes. The three
communities of interest are also responsible for the following:
Evaluating the risk controls
Determining which control options are cost effective for the organization
Acquiring or installing the needed controls
Ensuring that the controls remain effective
It is essential that all three communities of interest conduct periodic management reviews. The first
focus of management review is asset inventory. On a regular basis, management must verify the
completeness and accuracy of the asset inventory.
A risk management strategy requires that information security professionals know their organizations’
information assets—that is, identify, classify, and prioritize them. Once the organizational assets have
been identified, a threat assessment process identifies and quantifies the risks facing each asset.
People comprise employees and nonemployees. There are two subcategories of employees:
those who hold trusted roles and have correspondingly greater authority and accountability,
and other staff who have assignments without special privileges. Nonemployees include
contractors and consultants, members of other organizations with which the organization has a
trust relationship, and strangers.
Procedures fall into two categories: IT and business standard procedures, and IT and business
sensitive procedures. The business sensitive procedures are those that may enable a threat
agent to craft an attack against the organization or that have some other content or feature that
may introduce risk to the organization.
Data components account for the management of information in all its states: transmission,
processing, and storage. These expanded categories solve the problem posed by the term data,
which is usually associated with databases and not the full range of modalities of data and
information used by a modern organization.
Software components are assigned to one of three categories: applications, operating systems,
or security components. Security components can be applications or operating systems, but are
categorized as part of the information security control environment and must be protected
more thoroughly than other systems components.
Hardware is assigned to one of two categories: the usual systems devices and their peripherals,
and those devices that are part of information security control systems.
Most organizations do not need the detailed level of classification used by the military or federal
agencies. However, a simple scheme, such as the following, can allow an organization to protect such
sensitive information as marketing or research data, personnel data, customer data, and general
internal communications.
Public: Information for general public dissemination, such as an advertisement or public release.
For Official Use Only: Information that is not particularly sensitive, but not for public release,
such as internal communications.
Sensitive: Information important to the business that could embarrass the company or cause
loss of market share if revealed.
Classified: Information of the utmost secrecy to the organization, disclosure of which could
severely impact the well-being of the organization.
Security Clearances
Corresponding to the data classification scheme is
the personnel security clearance structure. In
organizations that require security clearances,
each user of data must be assigned a single
authorization level that indicates the level of
classification he or she is authorized to view. This
is usually accomplished by assigning each
employee to a named role, such as data entry
clerk, development programmer, information
security analyst, or even CIO.
You should also include a dimension to represent the sensitivity and security priority of the data and the
devices that store, transmit, and process the data—that is, a data classification scheme. Examples of
data classification categories are confidential, internal, and public. A data classification scheme generally
requires a corresponding personnel security clearance structure, which determines the level of
information individuals are authorized to view, based on what they need to know. It is also important
that the categories be comprehensive and mutually exclusive. Comprehensive means that all
information assets must fit in the list somewhere and mutually exclusive means that an information
asset should fit in only one category.
Which information asset is the most critical to the success of the organization? When
determining the relative importance of each asset, refer to the organization’s mission statement
Which information asset generates the most revenue? You can also determine which
information assets are critical by evaluating how much of the organization’s revenue depends
on a particular asset, or for nonprofit organizations, which are most critical to service delivery. In
some organizations, different systems are in place for each line of business or service offering.
Which of these plays the biggest role in generating revenue or delivering services?
Which information asset generates the most profitability? Organizations should evaluate how
much of the organization’s profitability depends on a particular asset. For instance, at
Amazon.com, some servers support the sales operations and other servers support the auction
process, while other servers support the customer review database.
Which of these servers contribute most to the profitability of the business? Although important,
the customer review database server really does not directly add to profitability—at least not to
the degree that the sales operations servers do. Note, however, that some services may have
large revenue values, but are operating on such thin or nonexistent margins that they do not
generate a profit. Nonprofit organizations can determine what percentage of their clientele
receives services from the information asset being evaluated.
Which information asset would be the most expensive to replace? Sometimes an information
asset acquires special value because it is unique. If an enterprise still uses a Model-129
keypunch machine, for example, to create special punch card entries for a critical batch run, that
machine may be worth more than its cost, since there may no longer be spare parts or service
providers available for it. After the organization has identified this unique value, it can address
ways to control the risk of losing access to the unique asset. An organization can also control the
risk of loss for this kind of asset by buying and storing a backup device.
Which information asset would be the most expensive to protect? In this case, you are
determining the cost of providing controls. Some assets are by their nature difficult to protect.
Finding a complete answer to this question may have to be delayed beyond the risk
identification phase of the process, because the costs of controls cannot be computed until the
controls are identified, and that is a later step in this process. But information about the
difficulty of establishing controls should be collected in the identification phase.
Which information asset would most expose the company to liability or embarrassment if
revealed? Almost every organization is aware of its image in the local, national, and
international spheres. For many organizations, the compromise of certain assets could prove
especially damaging to this image. The image of Microsoft, for example, was tarnished when
one of its employees became a victim of the QAZ Trojan capability and the (then) latest version
of Microsoft Office was stolen.
……………….
4.3 ……
……………………..
~~~ End of Chapter 4 ~~~
Chapter Summary
……..
Review Questions
1. ………………..
Exercise 1
1. ……………….
In this chapter, teaching and learning is through the use of technology like print, audio, video and the
internet. Students interact with their Professor and each other through virtual classrooms, email, and
web conferencing. For the online modality, the Virtual Classroom shall be used for the purpose of
delivering a lecture and allowing a synchronous discussion with the students. For the remote modality,
Self-directed (SeDI) a learning management system shall be used to upload the module and to allow
asynchronous discussion with the students. This will also be used as platform for the submission of the
requirements, quizzes and examinations.
References:
Whitman. M., E. and Mattord, H. 2011. Principles of Information Security, 4th Edition, Course Technology,
CENGAGE Learning
Auerbach. Raggad, B.,G. 2010. Information Security Management: Concepts and Practice.