CISSP CBK 3 – Security Management Practices

Fundamental Principles of Security

Security objectives

Confidentiality: Ensures that the necessary level of secrecy is enforced at each point where data is processed, stored or transmitted, and prevents unauthorized disclosure.

Integrity: Is upheld when the accuracy and reliability of information and systems is assured and unauthorized modification of data is prevented.

Availability: Ensures reliable and timely access to data and resources for authorized individuals; prevents disruption of service or productivity.


Vulnerability: Is a software, hardware or procedural weakness that may give an attacker the opening needed to enter a computer or network and gain unauthorized access to resources within the environment.

Threat: Is any potential danger to information or systems.

Risk: Is the likelihood of a threat agent taking advantage of a vulnerability, together with the resulting business impact.

Exposure: Is an instance of being exposed to losses from a threat agent; a vulnerability exposes an organization to possible damage.

Countermeasure / safeguard: Is put in place to mitigate the potential risk, by removing the vulnerability or reducing the likelihood that a threat agent can exploit it.

Top-down approach: The initiation, support and direction come from top management and work their way through middle management and then to staff members.

Bottom-up approach: A security program developed by IT staff without proper management support and direction, and therefore usually without the funding and authority it needs.

Operational goals: Daily goals.
Tactical goals: Mid-term goals.
Strategic goals: Long-term goals.

Risk Management: Is the process of identifying, assessing and reducing risks to an acceptable level and implementing the right mechanisms to maintain that level of risk.

Risk Analysis

Is a method of identifying risks and assessing the possible damage that could be caused in order to justify security safeguards.

Three main goals:
– identify risks
– quantify the impact of potential threats
– provide an economic balance between the impact of the risk and the cost of the countermeasure.

Risks have a loss potential: The company would lose something if a threat agent actually exploits a vulnerability.

Delayed loss: Is secondary in nature and has a negative effect on a company some time after the vulnerability is initially exploited (for example reputation damage, loss of market share, or fines).

Quantitative Approach: Attempts to assign real numbers to the costs of countermeasures and the amount of damage that can take place. Provides concrete probability percentages when determining the likelihood of threats and risks. Purely quantitative risk analysis is not possible because the method attempts to quantify items that are inherently qualitative.

Steps in risk analysis
– Assign value to information and assets
– Estimate potential loss per risk
– Perform a threat analysis
– Derive the overall loss potential per risk
– Choose remedial measures to counteract each risk
– Reduce, assign or accept the risk

Calculating risks
EF (Exposure Factor) = Percentage of asset loss caused by identified threat.
SLE (Single Loss Expectancy) = Asset value * Exposure Factor
ARO (Annualized Rate of Occurrence) = Estimated frequency a threat will occur within a
ALE (Annualized Loss Expectancy) = Single Loss Expectancy * Annualized Rate of Occurrence

Qualitative Approach: Walk through different scenarios of risk possibilities and rank the seriousness of the threats and the sensitivity of the assets.

Procedures in performing the scenario:
– A scenario is written that addresses each major threat
– The scenario is reviewed by business unit managers for a reality check
– The RA team recommends and evaluates the various safeguards for each threat
– The RA team works through each finalized scenario using a threat, asset and safeguard.
– The team prepares their findings and submits them to management.

Delphi Technique: Is a group decision method in which each member gives an anonymous, written opinion, used to ensure that each member of the group gives an honest opinion of what he or she thinks the result of a particular risk will be, free of peer pressure.

Calculating countermeasures and risk:
Value of safeguard to the company = (ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard). A negative value means the safeguard costs more per year than the loss it prevents and is not cost-justified.
Total risk = threats * vulnerability * asset value
Residual risk = (threats * vulnerability * asset value) * control gap, where the control gap is the portion of the risk the implemented controls do not address.
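The formulas under "Calculating risks" and "Calculating countermeasures and risk" worked through in Python, as an added example that is not part of the original notes. The asset value, exposure factor, ARO, candidate safeguards and their costs are constructed figures chosen for illustration; the function and class names are my own. The example ranks several candidate safeguards by their value to the company and flags the one whose annual cost exceeds the loss it prevents, and it rejects exposure factors and control gaps outside the 0..1 range, which is the usual data-entry error in these calculations.

```python
"""Worked quantitative risk analysis: SLE, ALE, safeguard value, residual risk."""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value * EF. EF is the fraction of the asset lost in one incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(asset_value: float, exposure_factor: float, aro: float) -> float:
    """ALE = SLE * ARO. ARO is the expected number of occurrences per year."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return single_loss_expectancy(asset_value, exposure_factor) * aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Value of safeguard = ALE before - ALE after - annual cost of the safeguard.

    A negative result means the safeguard costs more per year than it saves.
    """
    return ale_before - ale_after - annual_cost


def residual_risk(threats: float, vulnerability: float, asset_value: float,
                  control_gap: float) -> tuple:
    """Total risk = threats * vulnerability * asset value; residual = total * control gap."""
    if not 0.0 <= control_gap <= 1.0:
        raise ValueError("control gap must be a fraction between 0 and 1")
    total = threats * vulnerability * asset_value
    return total, total * control_gap


@dataclass(frozen=True)
class Safeguard:
    """A candidate countermeasure and the EF / ARO expected once it is in place."""
    name: str
    annual_cost: float
    exposure_factor_after: float
    aro_after: float


def rank_safeguards(asset_value: float, exposure_factor: float, aro: float,
                    candidates: list) -> list:
    """Return (name, value) pairs sorted best first; negative value = not cost-justified."""
    ale_before = annualized_loss_expectancy(asset_value, exposure_factor, aro)
    results = []
    for sg in candidates:
        ale_after = annualized_loss_expectancy(asset_value, sg.exposure_factor_after, sg.aro_after)
        results.append((sg.name, safeguard_value(ale_before, ale_after, sg.annual_cost)))
    return sorted(results, key=lambda r: r[1], reverse=True)


# Constructed sample scenario (hypothetical figures, not taken from the notes):
ASSET_VALUE = 100_000.0  # a customer database
EF = 0.25                # threat: server-room fire destroys 25% of the asset
ARO = 0.5                # expected once every two years

CANDIDATES = [
    Safeguard("offsite backups", 3_000.0, 0.05, 0.5),          # cuts the damage per fire
    Safeguard("staff fire-safety training", 1_000.0, 0.25, 0.3),  # cuts how often fires occur
    Safeguard("fully redundant site", 15_000.0, 0.25, 0.1),    # cuts frequency, but expensive
]


def main() -> None:
    print(f"SLE = {single_loss_expectancy(ASSET_VALUE, EF):,.0f}")
    print(f"ALE = {annualized_loss_expectancy(ASSET_VALUE, EF, ARO):,.0f}")
    for name, value in rank_safeguards(ASSET_VALUE, EF, ARO, CANDIDATES):
        verdict = "justified" if value > 0 else "NOT cost-justified"
        print(f"{name:28s} {value:>10,.0f}  {verdict}")


if __name__ == "__main__":
    main()
```

With these figures the SLE is 25,000 and the ALE 12,500; offsite backups are worth 7,000 a year to the company, training 4,000, and the redundant site has a value of -5,000, so it would be rejected even though it reduces the ALE by the same amount as the backups.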

Handling Risk:
Transfer risk -> Purchase insurance.
Reduce risk -> Implement countermeasures.
Reject risk -> Deny that the risk exists or ignore it; not a legitimate way of handling risk.
Accept the risk -> The company understands the level of risk it is under and the cost of the damage that is possible, and decides to live with it.

Security Program

Categories of policy:
– Regulatory
– Advisory
– Informative

Security Policy:
Is a general statement produced by senior management to dictate what type of role security plays within the organization. Policies are written in broad, overview terms to cover many subjects in a general fashion.

– Organisational security policy: Provides scope and direction for all further security activities within the organization.

– Issue-specific policies: Addresses specific security issues that management feels need more detailed explanation and attention to make sure a comprehensive structure is built and all employees understand how they are to comply to these security issues.

– System-specific policy: Presents management's decisions that are closer to the actual computers, networks, applications and data.

Standards: Specify how hardware and software products are to be used. They provide a means to ensure that specific technologies, applications, parameters and procedures are carried out in a uniform way across the organization. These rules are usually compulsory within a company and they need to be enforced.

Baselines: Provides the minimum level of security necessary throughout the organization.

Guidelines: Are recommended actions and operational guides for users, IT staff, operations staff and others when a specific standard does not apply.

Procedures: Are step-by-step actions to achieve a certain task. Procedures are the lowest level in the policy chain.

Data Classification

The primary purpose of data classification is to indicate the level of confidentiality, integrity and availability that is required for each type of information. It helps to ensure that the data is protected in the most cost-effective manner.

Common classification levels (from highest to the lowest level):
Commercial business ->
– Confidential
– Private
– Sensitive
– Public

Military ->
– Top secret
– Secret
– Confidential
– Sensitive but unclassified
– Unclassified

Layers of Responsibility

Senior Manager: Ultimately responsible for security of the organization and the protection of its assets.

Security professional: Functionally responsible for security and carries out the senior manager's directives.

Data Owner: Is usually a member of senior management and is ultimately responsible for the protection and use of the data. Decides upon the classification of the data he is responsible for and alters these classifications if the business needs arise. Will delegate the responsibility of the day-to-day maintenance of the data, which is the responsibility of the data custodian.

Data Custodian: Is given the responsibility of the maintenance and protection of the data.

User: Any individual who routinely uses the data for work-related tasks. Must have the necessary level of access to the data to perform the duties of her position, and is responsible for following operational security procedures to ensure the data's confidentiality, integrity and availability.

Structure and practices

Separation of duties: Makes sure that one individual cannot complete a risky task by herself.
Collusion: Because a risky task is split between people, more than one person would need to work together to cause destruction or fraud; this drastically reduces its probability.

Nondisclosure agreements: Protect the company's confidential information if and when an employee leaves for one reason or another.

Job rotation: No one person should stay in one position for a long period of time, because it can end up giving too much control of a segment of the business to that one individual; rotating staff also makes fraudulent activity easier to detect.

Security Awareness

Types of training:
– Security-related job training for operators
– Awareness training for specific departments or personnel groups with security sensitive positions
– Technical security training for IT support personnel and system administrators
– Advanced InfoSec training for security practitioners and information system auditors.
– Security training for senior managers, functional managers and business unit managers.