Risk Assessment Case Study

Chief Information Security Officer-Level Risk Assessment

The objective of this work in writing is to examine Chief Information Security Officer-Level Risk Assessment. Specifically, the scenario in this study is securing information for the local Emergency Management Agency in an Alabama County. The Director of Emergency Management in this County has tasked the Chief Information Security Officer with setting out a plan for information security of the Department's networking and computing systems.

Information Security Management involves the "identification of an organization's assets and the development, documentation, and implementation to policies, standards, procedures, and guidelines, which ensure their availability, integrity, and confidentiality." (Official ISC Guide to the CISSP Exam, nd) Threats are identified, assets classified and security controls implemented through use of "data classification, security awareness training, risk assessment, and risk analysis and as well their vulnerabilities are rated. (Official ISC Guide to the CISSP Exam, nd)

Risk management involves the "identification, measurement, control, and minimization of loss associated with uncertain events or risks." (Official ISC Guide to the CISSP Exam, nd) Included are over-all security reviews, risk analysis, evaluation, and selection of safeguards, cost/benefit analysis, management decisions, safeguard implementation, and effectiveness reviews." (Official ISC Guide to the CISSP Exam, nd)

I. Security Plans and Implementation

It is important that the CISSP understand the following:

(1) The planning, organization, and roles of individuals in identifying and securing an organization's information assets;

(2) The development of effective employment agreements; employee hiring practices, including background checks and job descriptions; security clearances; separation of duties and responsibilities; job rotation; and termination practices

(3) The development and use of policies stating management's views and position on particular topics and the use of guidelines, standards, baselines, and procedures to support those policies;

(4) The differences between policies, guidelines, standards, baselines, and procedures in terms of their application to information security management;

(5) The importance of security awareness training to make employees aware of the need for information security, its signi-cance, and the speci-c security-related requirements relative to the employees' positions;

(6) The importance of data classi-cation, including sensitive, con-dential, proprietary, private, and critical information;

(7) The importance of risk management practices and tools to identify, rate, and reduce the risk to speci-c information assets, such as:

(a) Asset identi-cation and evaluation

(b) Threat identi-cation and assessment

(c) Vulnerability and exposures identi-cation and assessment

(d) Calculation of single occurrence loss and annual loss expectancy

(e) Safeguards and countermeasure identi-cation and evaluation, including risk management practices and tools to identify, rate, and reduce the risk to speci-c information assets

(f) Calculation of the resulting annual loss expectancy and residual risk

(g) Communication of the residual risk to be assigned (i.e., insured against) or accepted by management

(h) The regulatory and ethical requirements to protect individuals from substantial harm, embarrassment, or inconvenience, due to the inappropriate collection, storage, or dissemination of personal information

(i) The principles and controls that protect data against compromise or inadvertent disclosure

(j) The principles and controls that ensure the logical correctness of an information system; the consistency of data structures; and the accuracy, precision, and completeness of the data stored

(k) The principles and controls that ensure that a computer resource will be available to authorized users when they need it

(l) The purpose of and process used for reviewing system records, event logs, and activities

(m) The importance of managing change and the change control process

(n) The application of commonly accepted best practices for system security administration, including the concepts of least privilege, separation of duties, job rotation, monitoring, and incident response

(o) The internal control standards reduce that risk; they are required to satisfy obligations with respect to the law, safeguard the organization's assets, and account for the accurate revenue and expense tracking;

(p) there are three categories of internal control standards -- general standards, speci-c standards, and audit resolution standards: (i) General standards must provide reasonable assurance, support the internal controls, provide for competent personnel, and assist in establishing control objectives and techniques (Official ISC Guide to the CISSP Exam, nd) (ii) Speci-c standards must be documented, clear, and available to personnel; they allow for the prompt recording of transactions, and the prompt execution of authorized transactions; speci-c standards establish separation of duties, quali-ed supervision, and accountability (Official ISC Guide to the CISSP Exam, nd) and (iii) Audit resolution standards require that managers promptly resolve audit ?ndings; they must evaluate the ?nding, determine the corrective action required, and take that action. (Official ISC Guide to the CISSP Exam, nd)

II. Risk Assessment

In the event that the Emergency Management Agency in the county at issue in this scenario is required to respond to a severe weather event, it is likely that the network and computing system of the agency will be using backup or generator power to run the system should the electrical power be knocked out during a severe weather event.The Information Security Manager is required to "establish and maintain a security program that ensures the "availability, integrity, and confidentiality of the organization's information resources. Availability is reported to be the assurance "that a computer system is accessible by authorized users whenever needed." (Official ISC Guide to the CISSP Exam, nd)

There are two aspects of availability including: (1) denial of service; and (2) loss of processing capabilities as a result of natural disasters, or human actions. (Official ISC Guide to the CISSP Exam, nd) Denial of service relates to user or intruder actions that result in computing services being tied up resulting in the system being unable to be utilized by users who are authorized to use the system. (Official ISC Guide to the CISSP Exam, nd, paraphrased)

III. Contingency Planning

Contingency planning is reported to involve: (1) business resumption planning; (2) alternative-site processing; or (3) simple disaster recovery planning results in another method of processing so that availability is ensured. (Official ISC Guide to the CISSP Exam, nd, paraphrased) Important aspects of security considerations are: (1) physical; (2) technical; and (3) administrative controls. (Official ISC Guide to the CISSP Exam, nd)

Physical controls include unauthorized persons coming into contact with computing resources and include "fault-tolerance mechanisms and access control software to prevent unauthorized users from disrupting services." (Official ISC Guide to the CISSP Exam, nd) Physical controls are those set in place to prevent individuals who are not authorized to come in contact with resources including computing resources, fire and water controls, as well as processing and off-site backup facilities used for storage. (Official ISC Guide to the CISSP Exam, nd, paraphrased)

Technical controls are reported to be inclusive of fault-tolerance mechanisms as well as electronic vaulting and access control software so that users that are not authorized are unable to disrupt services. Administrative controls include "access control policies, operating procedures, contingency planning, and user training." (Official ISC Guide to the CISSP Exam, nd) It is important that operators, programmers, and security personnel are trained so that they can assist in the avoidance of computing errors causing availability loss.

Integrity is reported as the "protection of system information or processes from intentional or accidental unauthorized changes." (Official ISC Guide to the CISSP Exam, nd) While the security program in place is unable to ensure or improve the data accuracy in terms of that which is input into the system, it is such that can assist in making sure that changes are intended and that intended changes are effectively applied to the system. There are three basic principles to the establishment of integrity controls including:

(1) Granting access on a need-to-know basis;

(2) Separation of duties; and (3) Rotation of duties. (Official ISC Guide to the CISSP Exam, nd)

The 'need-to-know' access principle is that users should be only granted access to files and programs that are required for the users to effectively perform their assigned tasks. The access of users to production data and programs should be restricted "through use of well-formed transactions" that serve to ensure that "users can change data or programs only in controlled ways that maintain integrity." (Official ISC Guide to the CISSP Exam, nd)

Separation of duties ensures that no one employee has control of a transaction "from beginning to end" and that at least two individuals or more are responsible for performing the transaction. Rotation of duties involves changing job assignments on a periodical basis so that users are not able to gain complete control of a transaction collaboratively subverting it for some fraudulent reason.

IV. Confidentiality

Confidentiality protects the system information barring users that are not authorized as well as barring resources and processes from information access. It is reported "Con-dentiality must be well de-ned, and procedures for maintaining con-dentiality must be carefully implemented. Crucial aspects of con-dentiality are user identi-cation, authentication, and authorization." (Official ISC Guide to the CISSP Exam, nd)

Threats to confidentiality are stated to be inclusive of the following threats:

(1) Hackers. A hacker or cracker is someone who bypasses the system's access controls by taking advantage of security weaknesses that the system's developers have left….....