 1 
 on: August 11, 2010, 09:20:45 PM 
Started by Vinod Puthuseeri - Last post by Vinod Puthuseeri
Hello Prasanth,

Acceptable risk factors vary from organization to organization. It mainly depends on how much risk the organization can take. Some organizations have their own risk appetite; otherwise you will have to define a risk appetite based on the outcome of your risk assessment exercise.

The output of the risk assessment will need to be discussed with your senior management to work out the risk appetite and understand what their acceptable level of the identified risks will be.

Regards,

Vinod Puthuseeri

 2 
 on: August 11, 2010, 01:17:50 AM 
Started by Vinod Puthuseeri - Last post by prasanth
Hi all friends,

Good to find you all.

Vinod, can you throw some light on acceptable risk factor limits?

Thank you

P
 





 3 
 on: January 12, 2010, 02:21:39 AM 
Started by Vinod Puthuseeri - Last post by Vinod Puthuseeri

What is social engineering? What are the most common and most current tactics? And how can your organization prevent these scams? A guide on how to stop social engineering.

Read more at

http://www.csoonline.com/article/514063/Social_Engineering_The_Basics

 4 
 on: December 30, 2009, 01:29:40 AM 
Started by Vinod Puthuseeri - Last post by Anup Narayanan
Vinod,

Your approach makes sense. But the ground reality is that the practitioner or implementer is caught between 2 opposing forces. Force 1 is the desire to be creative and build an ISMS that makes sense for the business. Force 2 is the fear, or rather what I would call "audit or certification" phobia. The implementer often feels that the auditor will not support his innovative and useful approach in the name of complying with the standard.

In fact, it is important that implementers become bolder and build an ISMS that they believe in. This may often lead to abandoning or minimizing existing practices and convincing the auditor that though their ISMS may not look like another company's ISMS, it still makes sense to them. Let me share some of my experiences that left me frustrated.

During an audit, the auditor asked for the "risk analysis methodology manual". The client mentioned that the risk analysis methodology is documented in the ISMS manual. The auditor said that the risk analysis methodology has to be a separate document. I went back to the standard and read it, and it says, "the risk analysis methodology shall be documented". It does not say that it has to be a "separate document". So, what is the end result? Another document is added to the ISMS which will not be opened or read till the next audit. In such situations, the client should have stood up to the auditor and said that they will not create an unnecessary document which is not going to be used.

When I went back to the client and mentioned this, the client said - "Let us not waste time and let us get over with this audit thingy....".

Similarly, for risk analysis, if the implementer absolutely believes in a new methodology, though it may be different, the implementer must not compromise his belief and position in the name of satisfying auditors. But, how many have the courage?

Thanks,

Anup





 5 
 on: December 29, 2009, 10:30:46 PM 
Started by Vinod Puthuseeri - Last post by Vinod Puthuseeri
It is a common discussion during an information security risk assessment exercise at most organizations. As a general practice the asset value is derived by weighing the Confidentiality (C), Integrity (I) and Availability (A) value of an asset. While the assets are categorized into Information, Hardware, Software, Service and People, my argument has always been that C-I-A values can be assessed for Information Assets only, and for all others it should just be the availability value.

Now, let's look at the definition of information assets. Information assets are basically data that is in transit or at rest, and also data that is available on paper. Having this in mind, I think it is easier to assess the C-I-A values of these assets. Let us take an example:

A contract document is an information asset, or let's take the file server in an organization: the "data" on the file server is an information asset. How much impact would the organization have if the information in the document is exposed to unauthorized persons? If the impact is less, the confidentiality value is less, and if the impact is high, the confidentiality value is high. Similarly, this is applicable for Integrity and Availability. If the impact of losing integrity or availability is high, it will be rated high, or else low. After determining the C-I-A values the asset value is derived either by taking the highest value or with some simple calculations.

Let's consider the C-I-A values for a hardware asset. The confidentiality value of the hardware asset is derived from the information that it holds, and hence I feel that there would be duplication if we consider the confidentiality value here. We are considering the hardware asset as a whole, and hence the integrity of the server is not applicable here. Availability value is what we need to consider for a hardware asset.

As we have looked into the hardware asset, the same applies to software and service assets. Now let us look at the people asset.

If we are trying to consider the C-I-A values of a person, let's say the CEO of the organization, yes, he has confidential information. But how do we assess the confidentiality value? It is hard to determine the information that he is holding in his memory, and it might also be varying constantly. This means you cannot determine the "C" as either high or low at a given point in time. I am not quite sure about the integrity aspect, and coming down to the availability value, this definitely needs to be assessed.

Again, the availability value of a people asset according to me should always be set to high, irrespective of designation, age, gender etc. Why?

Controls are implemented based on the derived risk value. Risk value is proportionate to the asset value, which means if the asset value increases, so does the risk value. In this context, let us take an example:

Contract document (Information Asset): C-I-A = 5, Threat = 3, Probability = 3; Risk Value = 5 * 3 * 3 = 45

IT Manager (People Asset): A = 3, Threat = 3, Probability = 1; Risk Value = 3 * 3 * 1 = 9

In the above scenario, the information asset has a risk value higher than the people asset. If there is a fire break-out in the organization, which of these assets will be well protected or rescued? People will always be considered first during a disaster, and hence the asset value of people should always be rated as high. In this case you may ask: we already know that people come first, so why should we even consider listing the people asset in the risk assessment exercise? Well, your thoughts?

I would even look to see why we need to consider hardware, software and service assets for the assessment, because all the values are anyway dependent on the information they hold or transmit.

Your thoughts again.
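The scoring rule argued in this post (C-I-A only for information assets, availability only for everything else, people forced to high) and the acceptable-risk threshold Vinod mentions in his reply to Prasanth (post 1), written out as an added example. This is my own code, not anything posted in the thread; the 1-to-5 rating scale, the file-server entry and the appetite of 20 are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class AssetType(Enum):
    INFORMATION = "information"
    HARDWARE = "hardware"
    SOFTWARE = "software"
    SERVICE = "service"
    PEOPLE = "people"


# Assumed rating scale: 1 (low impact) to 5 (high impact). The post only
# uses the values 5, 3 and 1, so the scale bounds are my assumption.
RATING_MIN, RATING_MAX = 1, 5


@dataclass
class Asset:
    name: str
    kind: AssetType
    confidentiality: int = RATING_MIN
    integrity: int = RATING_MIN
    availability: int = RATING_MIN


def asset_value(asset: Asset, people_always_high: bool = True) -> int:
    """Asset value as argued in the post: highest of C-I-A for information
    assets; availability only for hardware/software/service (their C and I
    belong to the data they hold); and availability forced to the top of the
    scale for people when people_always_high is set."""
    for rating in (asset.confidentiality, asset.integrity, asset.availability):
        if not RATING_MIN <= rating <= RATING_MAX:
            raise ValueError(f"{asset.name}: rating {rating} outside {RATING_MIN}..{RATING_MAX}")
    if asset.kind is AssetType.INFORMATION:
        return max(asset.confidentiality, asset.integrity, asset.availability)
    if asset.kind is AssetType.PEOPLE and people_always_high:
        return RATING_MAX
    return asset.availability


def risk_value(asset: Asset, threat: int, probability: int, people_always_high: bool = True) -> int:
    """Risk value = asset value * threat * probability, as in the post's two examples."""
    return asset_value(asset, people_always_high) * threat * probability


def assess(register, appetite: int, people_always_high: bool = True):
    """Score every (asset, threat, probability) entry and flag the ones whose
    risk exceeds the acceptable level agreed with management (the risk appetite)."""
    rows = []
    for asset, threat, probability in register:
        risk = risk_value(asset, threat, probability, people_always_high)
        rows.append({"asset": asset.name, "kind": asset.kind.value,
                     "risk": risk, "treat": risk > appetite})
    return sorted(rows, key=lambda row: row["risk"], reverse=True)


# The two entries from the post, plus a constructed file-server entry that
# shows a hardware asset's confidentiality rating being ignored on purpose.
CONTRACT = Asset("Contract document", AssetType.INFORMATION, confidentiality=5, integrity=4, availability=3)
IT_MANAGER = Asset("IT Manager", AssetType.PEOPLE, availability=3)
FILE_SERVER = Asset("File server", AssetType.HARDWARE, confidentiality=5, availability=4)
REGISTER = [(CONTRACT, 3, 3), (IT_MANAGER, 3, 1), (FILE_SERVER, 2, 2)]

if __name__ == "__main__":
    for row in assess(REGISTER, appetite=20):  # appetite of 20 is assumed
        print(row)
```

Running it with `people_always_high=False` reproduces the post's 45 and 9; with the default the IT Manager scores 15, and the appetite line decides which rows need treatment.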

 6 
 on: December 28, 2009, 12:14:37 AM 
Started by Vinod Puthuseeri - Last post by Vinod Puthuseeri
Fake Prediction #1: Organizations will pay greater attention to security in 2009
The reality in 2009: Breaches continue to plague enterprise security

Fake Prediction #2: IT security spending will increase in 2009
The reality for 2009: Depends on who you ask

Fake Prediction #3: Employees will use IT with greater security awareness in 2009
The reality in 2009: The user is still the weakest link

Fake Prediction #4: Employees will not fall for phishing and social engineering attacks in 2009
The reality in 2009: Tricky tactics got even trickier

Fake Prediction #5: Employees will pay attention to company security policies in 2009
The reality in 2009: Fat chance

Fake Prediction #6: Facebook will be forgotten in 2009
The reality in 2009: Facebook exploded and more organizations allowed their employees to have access

Fake Prediction #7: Employees will not open files from people they don't know in 2009
The reality in 2009: Malicious files now seem legit

Fake Prediction #8: Company devices and data will never be lost again in 2009
The reality in 2009: More employees began using mobile devices, more data was lost. Kelleher said he was recently asked about his thoughts for 2010 with regard to data loss. Will we see more or less lost devices?

Fake Predictions #9 and #10: Vulnerabilities and threat vectors will decrease and you will have an easy life in 2009.
The reality in 2009: Cybercriminals got savvier, stress levels in the security department soared
Just as Kelleher predicted 2009 would not be easy, 2010 is shaping up for more of the same.

Read more at: http://bit.ly/7MdV3t

 7 
 on: December 27, 2009, 12:31:00 AM 
Started by Vinod Puthuseeri - Last post by Vinod Puthuseeri

CISSP, CISM Are Most Sought by Professionals
December 22, 2009 - Upasana Gupta, Contributing Editor


Based on survey results, here is a list of top 10 certifications most sought after by security professionals -

1. CISSP - Certified Information Systems Security Professional
Certified Information Systems Security Professional offered by ISC2 is generally the most recognized internationally and popular with information security professionals. For security practitioners planning to build a career in information security and holding at least five full years of experience in information security, the CISSP credential is an ideal career goal. Increasingly recruiters look for this credential in potential candidates as a validation of their commitment toward this profession. Thirty percent of survey respondents said they want to pursue CISSP certification in the next year.

2. CISM - Certified Information Security Manager
Certified Information Security Manager certification is offered by ISACA and is developed specifically for experienced information security managers and those who have information security management responsibilities. The CISM certification is for the individual who manages, designs, oversees and/or assesses an enterprise's information security (IS). The CISM certification promotes international practices and provides executive management with assurance that those earning the CISM certification have the required experience and knowledge to provide effective security management and consulting services. In the survey, 22% of respondents said they want to pursue CISM certification in the next year.


3. GIAC - The Global Information Assurance Certification
The Global Information Assurance Certification validates the real-world skills of IT security professionals. GIAC currently offers certifications for over 20 job-specific responsibilities that reflect the current practice of information security, including digital forensics, intrusion and incident handling, security administration, management, operations, legal, audit and software security. The demand for GIAC certifications is increasing as organizations today are driving the need for hands-on technical personnel. According to the survey, 19% of respondents said they want to pursue GIAC certification in the next year.

4. CISA - Certified Information Systems Auditor
Certified Information Systems Auditor designation demonstrates proficiency in information security audit, control and security skills. CISA has become a preferred certification program by individuals and organizations around the world. CISA certification signifies commitment to serving an organization and the IS audit, control and security industry with distinction.

5. CSFA - CyberSecurity Forensic Analyst
CyberSecurity Forensic Analyst is an emerging certification and skill within information security getting popular with increased cyber crimes and fraud taking place within organizations. Possessing the CSFA certification is proof that the analyst can conduct a thorough and sound forensic examination of a computer system and other digital/electronic devices, properly interpret the evidence, and communicate the examination results effectively and understandably. The CSFA designation is held exclusively by the most qualified digital forensic professionals and is a testament that the holder has the skills necessary to perform a comprehensive analysis within a limited time frame.

6. CEH - Certified Ethical Hacker
Certified Ethical Hacker is another certification gaining popularity as hacking and fraud activities are on the upswing. The CEH Program certifies individuals in the specific network security discipline of Ethical Hacking from a vendor-neutral perspective. The CEH certification fortifies the application knowledge of security officers, auditors, security professionals, site administrators, and anyone who is concerned about the integrity of the network infrastructure. A Certified Ethical Hacker is a skilled professional who understands and knows how to look for the weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker.

7. CBCP - Certified Business Continuity Professional
Certified Business Continuity Professional is another specialization gaining prominence within information security, with the outbreak of H1N1 pandemic and with organizations increasingly focusing their efforts in effective crises management and business continuity planning efforts. The CBCP certification offers competency on business continuity and disaster recovery planning responsibilities and accomplishments.

8. CPP - Certified Protection Professional
Certified Protection Professional is a designation for individuals who have demonstrated competency in all areas constituting security management. As the emphasis on protecting people, property, and information increases, it has strengthened the demand for professional managers, to meet these needs. The ASIS International administers the Certified Protection Professional program.

9. CCE - Certified Computer Examiner
Certified Computer Examiner is a certification provided by the International Society of Computer Forensic Examiners (ISFCE). This certification focuses on increasing the level of professionalism and furthering the field and science of computer forensics. The foundation of this certification maintains a fair, uncompromised process for certifying the competency of forensic computer examiners and sets high forensic and ethical standards for forensic computer examiners.

10. Vendor Certifications
Cisco and Microsoft specific certifications top the list as the demand for technical and hands-on professionals increases within organizations, including security architects, security and network engineers and administrators.

 8 
 on: December 23, 2009, 04:06:46 AM 
Started by Anup Narayanan - Last post by Vinod Puthuseeri
Hi Anup,

I agree with your points.

As an Information Security practitioner it is easier to analyze and decide what could pose a risk and what needs to be done to mitigate that risk. But for others, it might be difficult. I think it is a matter of convincing them by telling them what the risk of using a USB drive is and how it would impact the business, which I think is formalized by doing a micro-level risk analysis that details how and why.

 9 
 on: December 22, 2009, 06:33:51 AM 
Started by Anup Narayanan - Last post by Anup Narayanan
Hi,

An ISMS/ ISO 27001 practitioner can follow different risk analysis models. But, the most popular model is the "Asset Based" risk analysis model that looks at the value of an asset in terms of C,I and A. This is followed by analysis of threat, vulnerability, probability of occurrence and business impact. A formula that considers all these before-mentioned values is used to arrive at the risk score.

But, I have a few observations to make based on "practicality", "usefulness", "repeatability" and

Practicality: Let me use an analogy here. Imagine a car; a car has around 10,000 components. If you were to do a risk analysis for a car using the "asset based model", you would choose some components of the car. It is not possible to do an analysis of all the 10,000 components. You would find the risk score of each component. But does this approach ultimately help you find simple and visible risks like "This car can be stolen"?

I have seen ISO 27001 practitioners sacrifice "practicality" for the sake of "compliance" by following this model. The end result is that "REAL", "VISIBLE" and "LARGER" risks get ignored.

Usefulness: How useful is knowing the risk of 100 different small components (assets)? I have seen risk analysis spreadsheets with assets like "Microsoft Office CD", "Network Cable" etc. I agree that they are useful information assets, but do they have to go through a spreadsheet and formula crunching for the risks to be understood?

Repeatability: How repeatable is this process? During the first instance of the risk analysis exercise this exercise is doable. But from the 2nd instance onwards, you will notice that the risk analysis page or spreadsheet starts getting filled up and it gets confusing and irritating. Ultimately it becomes tough just to do risk analysis.

My suggestion would be to have two risk analysis models.

A MACRO level risk analysis model that identifies common risks in the organization. These do not have to be asset specific and can be risks that you know from EXPERIENCE, INCIDENTS or AUDIT findings. Examples of these risks can be stated in plain English and controls can be applied. An example: employees are using USB drives though it is banned by the policy. You don't have to do an asset based risk analysis to find this. You just have to look and it is there.

A MICRO level risk analysis, or an asset based analysis using CIA principles, which can be used for the most valuable assets such as the authentication server, firewall, email host etc.

I would like to listen to the thoughts of other practitioners as well.

Thanks,

Anup Narayanan
Learn ISO 27001 through story telling - Register at http://www.isqworld.com/moodle
Get my security awareness tweets on Twitter: http://twitter.com/AnupN


 10 
 on: December 21, 2009, 07:53:17 AM 
Started by Vinod Puthuseeri - Last post by Anup Narayanan
Hi,

CONTROLS have a broader definition. If you look at your original post, it was essentially focusing on a "human habit" or rather the lack of it. So, my answer was in context of the same.

Good security HABITS are good CONTROLS, but not all CONTROLS are habits. Regarding monitoring, yes, that goes without saying...

Anup
