1. Solve the 12-question exercise in security management
cyber security exercise and need an explanation and answer to help me learn.
I would like to solve the questions based on the attached references
Please solve the questions in DETAILS !!
if the solution is not found in the reference, you can looking the answer from the Internet
search
Requirements: Details
Why is phishing so effective of an attack? explain?
What is ISO27001? What is its importance?
List and explain 5 recent breaches, explain what types of breaches these were and what was
the impact?
What are the 4 goals of controls management & why is each one important in your opinion?
Explain the methods for performing cost benefit analysis in managing risk?
List and explain 5 cyber risks that could be identified during an assessment?
What is the first step in performing a risk assessment ?
Assigning risks
Evaluate threats.
Determine impact.
Construct recommendations
What are the 7 goals of asset management? Explain each of the goals in your response and
why is it important?
List and explain the 5 risks control strategies for termination strategy?
What is tor and what can it be used for?
Which is not a CIS critical controls?
List and 3 examples for the risk control strategy for termination strategy?
Week 1 SECURITY MEASURES: POLICIES AND PROCEDURES CS-628-A Security
Management
Greg Kyrytschenko BioWork Experience•I have worked in Information Security industry for
nearly 20 years.•Active in the information security field•Hold several industry related
certificates including CISSP & CISM•I currently work at a Financial Services Firm. •I have
worked at several companies prior to my current location including -consulting, large
regional bank, and asset management firm, Stock Exchange, aerospace & defense•I have
2. worked in numerous positions –•Information security analyst/admin, •Infosec advisor,
•Infosec engineer, •Infosec architect, •IT Security managementEducation
Experience•Bachelors of Science in Information Technology•Masters in Business
Administration•Email Contact -kyrytschenkog@sacredheart.edu
Your Bio•Your Name•Why are you here?•What interests you about Cyber Security?•Where
are you currently in your educational career?•Do you have any cybersecurity experience? If
so what?•What would you like to get out of this class?
Course Objective•Provide students with an understanding of security management and how
to build a team that can manage security controls & processes that mitigate the risks in
today’s constantly changing dynamic threat landscape.
Security vs Convenience
Rules of Risk Calculation and Mitigating ControlsUnderstanding Impact & Likelihood Risk
=Consequence x Probability
ISO/IEC 27000Introduction What is an ISMS? ISMS family of standards OverviewProcess
approach Why an ISMS is importantEstablishing, monitoring, maintaining and improving an
ISMSISMS critical success factors Benefits of the ISMS family of standards
What is an ISMS?An ISMS (Information Security Management System) provides a model for
establishing, implementing, operating, monitoring, reviewing, maintaining and improving
the protection of information assets to achieve business objectives based upon a risk
assessment and the organization's risk acceptance levels designed to effectively treat and
manage risks. Analyzing requirements for the protection of information assets and applying
appropriate controls to ensure the protection of these information assets, as required,
contributes to the successful implementation of an ISMS. The following fundamental
principles also contribute to the successful implementation of an ISMS: a) awareness of the
need for information security; b) assignment of responsibility for information security; c)
incorporating management commitment and the interests of stakeholders; d) enhancing
societal values; e) risk assessments determining appropriate controls to reach acceptable
levels of risk; f) security incorporated as an essential element of information networks and
systems; g) active prevention and detection of information security incidents; h) ensuring a
comprehensive approach to information security management; and i) continual
reassessment of information security and making of modifications as appropriate.
The ISMS family of standardsInternational Standards for management systems provide a
model to follow in setting up and operating a management system. This model incorporates
the features on which experts in the field have reached a consensus as being the
international state of the art. ISO/IEC JTC 1 SC 27 maintains an expert committee dedicated
to the development of international management systems standards for information
security, otherwise known as the Information Security Management System (ISMS) family
of standards. The ISMS standards -Information technology —Security techniques: ⎯ISO/IEC
27000:2009, Information security management systems —Overview and vocabulary
⎯ISO/IEC 27001:2005, Information security management systems —Requirements
⎯ISO/IEC 27002:2005, Code of practice for information security management ⎯ISO/IEC
27003, Information security management system implementation guidance ⎯ISO/IEC
3. 27004, Information security management —Measurement ⎯ISO/IEC 27005:2008,
Information security risk management ⎯ISO/IEC 27006:2007, Requirements for bodies
providing audit and certification of information security management systems ⎯ISO/IEC
27007, Guidelines for information security management systems auditing ⎯ISO/IEC 27011,
Information security management guidelines for telecommunications organizations based
on ISO/IEC 27002
Information Information is an asset that, like other important business assets, is essential to
an organization's business and consequently needs to be suitably protected. Information
can be stored in many forms, including: digital form (e.g. data files stored on electronic or
optical media), material form (e.g. on paper), as well as unrepresented information in the
form of knowledge of the employees. Information may be transmitted by various means
including: courier, electronic or verbal communication. Whatever form information takes,
or the means by which the information is transmitted, it always needs appropriate
protection. This information is exposed to a wider variety of threats and vulnerabilities.
Information security Information security includes three main dimensions: confidentiality,
availability and integrity. With the aim of ensuring sustained business success and
continuity, and in minimizing impacts, information security involves the application and
management of appropriate security measures that involves consideration of a wide range
of threats. Information security is achieved through the implementation of an applicable set
of controls, selected through the chosen risk management process and managed using an
ISMS, including policies, processes, procedures, organizational structures, software and
hardware to protect the identified information assets. These controls need to be specified,
implemented, monitored, reviewed and improved where necessary, to ensure that the
specific security and business objectives of the organization are met. Relevant information
security controls are expected to be seamlessly integrated with an organization's business
processes. Overview
Overview (cont’d)Management Management involves activities to direct, control and
continually improve the organization within appropriate structures. Management activities
include the act, manner, or practice of organizing, handling, directing, supervising, and
controlling resources. Management structures extend from one person in a small
organization to management hierarchies consisting of many individuals in large
organizations. In terms of an ISMS, management involves the supervision and making of
decisions necessary to achieve business objectives through the protection of the
organization's information assets. Management of information security is expressed
through the formulation and use of information security policies, standards, procedures and
guidelines, which are then applied throughout the organization by all individuals associated
with the organization. Management system A management system uses a framework of
resources to achieve an organization's objectives. The management system includes
organizational structure, policies, planning activities, responsibilities, practices, procedures,
processes and resources. In terms of information security, a management system allows an
organization to: a)satisfy the security requirements of customers and other stakeholders;
b)improve an organization's plans and activities; c)meet the organization's information
security objectives; d)comply with regulations, legislation and industry mandates; and
4. e)manage information assets in an organized way that facilitates continual improvement
and adjustment to current organizational goals and to the environment.
Plan –Do –Check –Act (PDCA) process. Process approach Organizations need to identify and
manage many activities in order to function effectively and efficiently. Any activity using
resources needs to be managed to enable the transformation of inputs into outputs using a
set of interrelated or interacting activities –this is also known as a process. The output from
one process can directly form the input to another process and generally this
transformation is carried out under planned and controlled conditions. The application of a
system of processes within an organization, together with the identification and
interactions of these processes, and their management, can be referred to as a “process
approach”. The process approach for the ISMS presented in the ISMS family of standards is
based on the operating principle adopted in ISO's management system standards commonly
known as the Plan –Do –Check –Act (PDCA) process. a) Plan –establish objectives and make
plans (analyze the organization's situation, establish the overall objectives and set targets,
and develop plans to achieve them); b) Do–implement plans (do what was planned to do);
c) Check–measure results (measure/monitor the extent to which achievements meet
planned objectives); and d) Act–correct and improve activities (learn from mistakes to
improve activities to achieve better results).
Establishing, monitoring, maintaining and improving an ISMS An organization needs to
undertake the following steps in establishing, monitoring, maintaining and improving its
ISMS: a) identify information assets and their associated security requirements b) assess
information security risks c) select and implement relevant controls to manage
unacceptable risks and d) monitor, maintain and improve the effectiveness of security
controls associated with the organization's information assets To ensure the ISMS is
effectively protecting the organization's information assets on an ongoing basis, it is
necessary for steps (a) –(d) to be continuously repeated to identify changes in risks or in
the organization's strategies or business objectives. Identify information security
requirements Within the overall strategy and business objectives of the organization, its
size and geographical spread, information security requirements can be identified through
an understanding of: a) identified information assets and their value; b) business needs for
information processing and storage; and c) legal, regulatory, and contractual requirements.
ISMS critical success factors A large number of factors are critical to the successful
implementation of an ISMS to allow an organization to meet its business objectives.
Examples of critical success factors include: a) information security policy, objectives, and
activities aligned with objectives; b) an approach and framework for designing,
implementing, monitoring, maintaining, and improving information security consistent with
the organizational culture; c) visible support and commitment from all levels of
management, especially top management; d) an understanding of information asset
protection requirements achieved through the application of information security risk
management (see ISO/IEC 27005); e) an effective information security awareness, training
and education program, informing all employees and other relevant parties of their
information security obligations set forth in the information security policies, standards
etc., and motivatingthem to act accordingly; f) an effective information security incident
5. management process; g) an effective business continuity management approach; and h) a
measurement system used to evaluate performance in information security management
and feedback suggestions for improvement. An ISMS increases the likelihood that an
organization will consistently achieve the critical success factors required to protect its
information assets.
Benefits of the ISMS family of standards The benefits of implementing an ISMS will
primarily result from a reduction in information security risks (i.e. reducing the probability
of, and/or impact caused by, information security incidents). Specifically, benefits realized
from the adoption of the ISMS family of standards include: a) support for the process of
specifying, implementing, operating and maintaining a comprehensive and cost-effective
integrated and aligned ISMS that meets the organization's needs across different operations
and sites; b) assistance for management in structuring their approach towards information
security management, within the context of corporate risk management and governance,
including educating and training business and system owners on the holistic management
of information security; c) promotion of globally-accepted good information security
practices in a non-prescriptive manner, giving organizations the latitude to adopt and
improve relevant controls that suit their specific circumstances and to maintain them in the
face of internal and external changes; and d) provision of a common language and
conceptual basis for information security, making it easier to place confidence in business
partners with a compliant ISMS, especially if they require certification against ISO/IEC
27001 by an accredited certification body.
ISO/IEC 27000Information technology —Security techniques —Information security
management systems —Overview and vocabulary Scope: This International Standard
provides to organizations and individuals: a) an overview of the ISMS family of standards;
b) an introduction to information security management systems (ISMS); c) a brief
description of the Plan-Do-Check-Act (PDCA) process; and d) terms and definitions used
throughout the ISMS family of standards. Purpose: ISO/IEC 27000 describes the
fundamentals of information security management systems, which form the subject of the
ISMS family of standards, and defines related terms.
ISO/IEC 27001 Information technology —Security techniques —Information security
management systems —RequirementsScope: This International Standard specifies the
requirements for establishing, implementing, operating, monitoring, reviewing, maintaining
and improving formalized information security management systems (ISMS) within the
context of the organization's overall business risks. It specifies requirements for the
implementation of security controls customized to the needs of individual organizations or
parts thereof. This International Standard is universal for all types of organizations (e.g.
commercial enterprises, government agencies, non-profit organizations). Purpose: ISO/IEC
27001 provides normative requirements for the development and operation of an ISMS,
including a set of controls for the control and mitigation of the risks associated with the
information assets which the organization seeks to protect by operating its ISMS.
Organizations operating an ISMS may have its conformity audited and certified. The control
objectives and controls from Annex A (ISO/IEC 27001) shall be selected as part of this ISMS
process as appropriate to cover the identified requirements. The control objectives and
6. controls listed in Table A.1 (ISO/IEC 27001) are directly derived from and aligned with
those listed in ISO/IEC 27002 Clauses 5 to 15.
ISO/IEC 27006 Information technology —Security techniques —Requirements for bodies
providing audit and certification of information security management systems Scope: This
International Standard specifies requirements and provides guidance for bodies providing
audit and ISMS certification in accordance with ISO/IEC 27001, in addition to the
requirements contained within ISO/IEC 17021. It is primarily intended to support the
accreditation of certification bodies providing ISMS certification according to ISO/IEC
27001. Purpose: ISO/IEC 27006 supplements ISO/IEC 17021 in providing the requirements
by which certification organizations are accredited, thus permitting these organizations to
provide compliance certifications consistently against the requirements set forth in ISO/IEC
27001.
ISO/IEC 27002 Information technology —Security techniques —Code of practice for
information security management Scope: This International Standard provides a list of
commonly accepted control objectives and best practice controls to be used as
implementation guidance when selecting and implementing controls for achieving
information security. Purpose: ISO/IEC27002 provides guidance on the implementation of
information security controls. Specifically Clauses 5 to 15 provides specific implementation
advice and guidance on best practice in support of the controls specified in Clauses A.5 to
A.15 of ISO/IEC 27001.
ISO/IEC 27003 Information technology —Security techniques —Information security
management system implementation guidance Scope: This International Standard will
provide practical implementation guidance and provide further information for
establishing, implementing, operating, monitoring, reviewing, maintaining and improving
an ISMS in accordance with ISO/IEC 27001. Purpose: ISO/IEC 27003 will provide a process
oriented approach to the successful implementation of the ISMS in accordance with ISO/IEC
27001.
ISO/IEC 27004 Information technology —Security techniques —Information security
management —Measurement Scope: This International Standard will provide guidance and
advice on the development and use of measurements in order to assess the effectiveness of
ISMS, control objectives, and controls used to implement and manage information security,
as specified in ISO/IEC 27001. Purpose: ISO/IEC27004 will provide a measurement
framework allowing an assessment of ISMS effectiveness to be measured in accordance
with ISO/IEC 27001.
ISO/IEC 27005 Information technology —Security techniques —Information security risk
management Scope: This International Standard provides guidelines for information
security risk management. The approach described within this International Standard
supports the general concepts specified in ISO/IEC 27001. Purpose: ISO/IEC27005 provides
guidance on implementing a process oriented risk management approach to assist in
satisfactorily implementing and fulfilling the information security risk management
requirements of ISO/IEC 27001.
ISO/IEC 27007Information technology —Security techniques —Guidelines for information
security management systems auditing Scope: This International Standard will provide
7. guidance on conducting ISMS audits, as well as guidance on the competence of information
security management system auditors, in addition to the guidance contained in ISO 19011,
which is applicable to managements systems in general. Purpose: ISO/IEC 27007 will
provide guidance to organizations needing to conduct internal or external audits of an ISMS
or to manage an ISMS audit program against the requirements specified in ISO/IEC 27001.
Standards describing sector-specific guidelines ISO/IEC 27011 Information technology —
Security techniques —Information security management guidelines for telecommunications
organizations based on ISO/IEC 27002 Scope: This International Standard provides
guidelines supporting the implementation of Information Security Management (ISM) in
telecommunications organizations. Purpose: ISO/IEC27011 provides telecommunications
organizations with an adaptation of the ISO/IEC 27002 guidelines unique to their industry
sector which are additional to the guidance provided towards fulfilling the requirements of
ISO/IEC 27001ISO 27799 Health informatics —Information security management in health
using ISO/IEC 27002 Scope: This International Standard provides guidelines supporting the
implementation of Information Security Management (ISM) in health organizations.
Purpose: ISO/IEC 27799 provides health organizations with an adaptation of the ISO/IEC
27002 guidelines unique to their industry sector which are additional to the guidance
provided towards fulfilling the requirements of ISO/IEC 27001
Policies and Procedures•Policies and Procedures•Security Awareness•Security
Plan•Emergency Management Plan
Threat Analysis Group Risk Assessment ProcessThree types of security countermeasures to
prevent, mitigate, and eliminate risk:•Policies and procedures•Physical security
measures•Security personnel
Due Diligence•Documentation of the security program is a critical element and includes the
identification of critical assets, threats, and vulnerabilities. •A Security Program evolves
over time and the best way to demonstrate that is via due diligence that is documented
Due Diligence•Security policies and procedures refer to a wide variety of documents. In the
security arena, these documents may include security manuals, standard operating
procedures (SOPs), post orders, Occupant Emergency Plans (OEPs), security standards and
guidelines, training standards, workplace violence policies, emergency management plans,
and disaster recovery plans. •Procedures may include access control, weapon and other
contraband searches, including the employees' personal areas such as desks and lockers,
and incident reporting methods.
Reduce Liability•Formal, written policies and procedures save security decision makers
time, assist in adequate training, and reduce liability by demonstrating due diligence. •On a
practical level, security policies describe the security functions at a facility or for an
organization, including how security functions and measures are organized, deployed, and
managed.
Security Awareness•A security program is effective when all employees take ownership.
Security should be seen as a mission-critical element of the organization. •A top-down
approach, with a written policy statement from senior management is a good first step in
developing the requisite employee acceptance of the security program. •Management sets
the tone for the level of adherence to the security measures utilized at the facility or within
8. the organization. •Security is reinforced through employee orientation, continuing
education, and close monitoring by dedicated security personnel.
Challenges to Security AwarenessAcceptance? Challenges? Global Issues?
SECURITY PLAN•A written document that defines the organization's security mission,
provides an overview of the complete security program, and identifies all methods in use
for the protection of organizational assets.•The security plan documents the organization's
security policies, procedures, functions, measures, and strategies for providing a safe and
secure environment and preventing crime and other security incidents.
SECURITY PLAN•The security plan articulates how the security program is usually
organized through personnel and function organizational charts, flowcharts, and
descriptions of specific countermeasures. •Security plans also describe the common
security measures utilized throughout the facility or facilities, as the case may be, and how
these measures operate on a daily, routine basis. Security responsibilities are clearly
delineated, and regulatory compliance measures are described in detail.
Regulatory & Industry
Requirements•http://ithandbook.ffiec.gov/•http://ithandbook.ffiec.gov/it-
booklets.aspx•https://www.pcisecuritystandards.org•http://www.hhs.gov/ocr/privacy/•h
ttp://ec.europa.eu/justice/data-protection/•http://www.mas.gov.sg/regulations-and-
financial-stability/regulatory-and-supervisory-framework/risk-management/technology-
risk.aspx•https://www.gov.uk/government/publications/technology-and-information-
risk-management
Sample Org Chart
Security PlanChallenges?
EMERGENCY MANAGEMENT PLAN•An emergency management plan is a written document
that communicates the policies and procedures to be followed in the event of an emergency.
•It is typically referred to as a Business Continuity and/or Disaster Recovery Plan.•It is a
reactive plan and should address an emergency that is imminent or has already occurred
EMERGENCY MANAGEMENT PLANChallenges?
Questions ???
CybersecurityReview Business Riskshttps://www.us-cert.gov/ccubedvp/self-service-crr
Operational resilience and cyber security practicesAsset ManagementControls
ManagementConfiguration and Change ManagementVulnerability ManagementIncident
ManagementService Continuity ManagementRisk ManagementExternal Dependencies
ManagementTraining and AwarenessSituational Awareness
CIS Critical Controls
Asset ManagementPurpose: To identify, document, and manage assets during their life cycle
to ensure sustained productivity to support critical services.The Asset Management domain
establishes a method for an organization to plan, identify, document, and manage its assets.
Assets are the raw materials that services need to operate. The CRR organizes assets into
the following categories:• People to operate and monitor the service• Information and data
to feed the process and to be produced by the service• Technology to automate and support
the service• Facilities in which to perform services
•Goal 1 –Services are identified and prioritized.•Goal 2 –Assets are inventoried, and the
9. authority and responsibility for these assets is established.•Goal 3 –The relationship
between assets and the services they support is established.•Goal 4 –The asset inventory is
managed.•Goal 5 –Access to assets is managed.•Goal 6 –Information assets are categorized
and managed to ensure the sustainment and protection of the critical service.•Goal 7 –
Facility assets supporting the critical service are prioritized and managed.Asset
Management
1. Services are identified and prioritized.1. The organization’s services are identified.2. The
organization’s services are prioritized based on analysis of the potential impact if the
services are disrupted.2. Assets are inventoried, and the authority and responsibility for
these assets is established.1. The assets that directly support the critical service are
inventoried.2. Asset descriptions include protection and sustainment requirements.3.
Owners and custodians of assets are documented in asset descriptions.4. The physical
locations of assets (both within and outside the organization) are documented in the asset
inventory.3. The relationship between assets and the services they support is established.1.
The associations between assets and the critical service they support are documented.2.
Confidentiality, integrity, and availability requirements are established for each servicer
elated asset.4. The asset inventory is managed.1. Change criteria are established for asset
descriptions.2. Asset descriptions are updated when changes to assets occur.Asset
Management
5. Access to assets is managed.1. Access to assets is granted based on their protection
requirements.2. Access requests are reviewed and approved by the asset owner.3. Access
privileges are reviewed to identify excessive or inappropriate privileges.4. Access privileges
are modified as a result of reviews.6. Information assets are categorized and managed to
ensure the sustainment and protection of the critical service.1. Information assets are
categorized based on sensitivity and potential impact to the critical service (such as public,
internal use only, or secret).2. The categorization of information assets is monitored and
enforced.3. Policies and procedures for the proper labeling and handling of information
assets are created.4. All staff members who handle information assets (including those who
are external to the organization, such as contractors) are trained in the use of information
categories.5. High-value information assets are backed up and retained.6. Guidelines for
properly disposing of information assets are created.7. Adherence to information asset
disposal guidelines is monitored and enforced. 7. Facility assets supporting the critical
service are prioritized and managed. 1. Facilities are prioritized based on their potential
impact to the critical service, to identify those that should be the focus of protection and
sustainment activities.2. The prioritization of facilities is reviewed and validated.3.
Protection and sustainment requirements of the critical service are considered during the
selection of facilities.Asset Management
Controls Management Purpose: To identify, analyze, and manage controls in a critical
service’s operating environment.Internal control is a governance process used by an
organization to ensure effective and efficientachievement of organizational objectives and
to provide reasonable assurance of success. The ControlsManagement domain outlined in
the CRR presents a way for the organization to identify controlobjectives and establish
controls to meet those objectives. The Controls Management domain also addresses the
10. importance of analyzing and assessing those controls to ensure that the process is
constantly being improved.
Controls Management•Goal 1 –Control objectives are established.•Goal 2 –Controls are
implemented.•Goal 3 –Control designs are analyzed to ensure they satisfy control
objectives.•Goal 4 –The internal control system is assessed to ensure control objectives are
met.
The Controls Management domain comprises four goals and seven practices1. Control
objectives are established.1. Control objectives are established for assets required for
delivery of the critical service.2. Control objectives are prioritized according to their
potential to affect the critical service.2. Controls are implemented.1. Controls are
implemented to achieve the control objectives established for the criticalservice.3. Control
designs are analyzed to ensure they satisfy control objectives.1. Control designs are
analyzed to identify gaps where control objectives are not adequatelysatisfied.2. As a result
of the controls analysis, new controls are introduced or existing controls aremodified to
address gaps.4. The internal control system is assessed to ensure control objectives are
met.1. The performance of controls is assessed on a scheduled basis to verify they continue
tomeet control objectives.2. As a result of scheduled assessments, new controls are
introduced or existing controls aremodified to address problem areas.
Configuration and Change Management•Goal 1 –The life cycle of assets is managed.•Goal 2 –
The integrity of technology and information assets is managed.•Goal 3 –Asset configuration
baselines are established.
•Purpose: To establish processes to ensure the integrity of assets, using change control and
change control audits.•An organization’s asset infrastructure is constantly evolving as
technology changes, information is updated, and new personnel are hired. The
Configuration and Change Management domain addresses how an organization can
implement processes and procedures that manage assets and ensure that changes made to
those assets are minimally disruptive to the organization.Configuration and Change
Management domain
Configuration and Change Management domain1. The life cycle of assets is managed.1. A
change management process is used to manage modifications to assets.2. Resilience
requirements are evaluated as a result of changes to assets.3. Capacity management and
planning are performed for assets.4. Change requests are tracked to closure.5. Stakeholders
are notified when they are affected by changes to assets.2. The integrity of technology and
information assets is managed.1. Configuration management is performed for technology
assets.2. Techniques are used to detect changes to technology assets.3. Modifications to
technology assets are reviewed.4. Integrity requirements are used to determine which staff
members are authorized to modify information assets.5. The integrity of information assets
is monitored.6. Unauthorized or unexplained modifications to technology assets are
addressed.7. Modifications to technology assets are tested before being committed to
production systems.8. A process for managing access to technology assets is implemented.3.
Asset configuration baselines are established.1. Technology assets configuration baselines
are created.2. Approval is obtained for proposed changes to baselines.
•Purpose: To identify, analyze, and manage vulnerabilities in a critical service’s operating
11. environment.•Vulnerability is the susceptibility of an asset, and the associated critical
service, to disruption. Vulnerabilities can result in operational risks and must be identified
and managed to avoid disruptions to the critical service’s operating environment. A
vulnerability management process identifies and analyzes vulnerabilities before they are
exploited and informs the organization of threats that must be analyzed in the risk
management process to determine whether they pose tangible risk to the organization
based on the organization’s risk tolerance. Vulnerability Management
Vulnerability Management•Goal 1 –Preparation for vulnerability analysis and resolution
activities is conducted.•Goal 2 –A process for identifying and analyzing vulnerabilities is
established and maintained.•Goal 3 –Exposure to identified vulnerabilities is managed.•Goal
4 –The root causes of vulnerabilities are addressed.
Vulnerability Management domain1. Preparation for vulnerability analysis and resolution
activities is conducted.1. A vulnerability analysis and resolution strategy has been
developed.2. There is a standard set of tools and/or methods in use to identify
vulnerabilities in assets.2. A process for identifying and analyzing vulnerabilities is
established and maintained.1. Sources of vulnerability information have been identified.2.
The information from these sources is kept current.3. Vulnerabilities are being actively
discovered.4. Vulnerabilities are categorized and prioritized.5. Vulnerabilities are analyzed
to determine relevance to the organization.6. A repository is used for recording information
about vulnerabilities and their resolution.3. Exposure to identified vulnerabilities is
managed.1. Actions are taken to manage exposure to identified vulnerabilities.2. The
effectiveness of vulnerability mitigation is reviewed.3. The status of unresolved
vulnerabilities is monitored.4. The root causes of vulnerabilities are addressed.1.
Underlying causes for vulnerabilities are identified (through root-cause analysis or
othermeans) and addressed.
Incident Management•Goal 1 –A process for identifying, analyzing, responding to, and
learning from incidents is established.•Goal 2 –A process for detecting, reporting, triaging,
and analyzing events is established.•Goal 3 –Incidents are declared and analyzed•Goal 4 –A
process for responding to and recovering from incidents is established.•Goal 5 –Post-
incident lessons learned are translated into improvement strategies..
•Purpose: To establish processes to identify and analyze events, detect incidents, and
determine an organizational response.•Disruptions to an organization’s operating
environment regularly occur. The Incident Management domain examines an organization’s
capability to recognize potential disruptions, analyze them, and determine how and when to
respond.Incident Management domain
Incident Management domain1. A process for identifying, analyzing, responding to, and
learning from incidents is established.1. The organization has a plan for managing
incidents.2. The incident management plan is reviewed and updated.3. The roles and
responsibilities in the plan are included in job descriptions.4. Staff has been assigned to the
roles and responsibilities detailed in the incident management plan.2. A process for
detecting, reporting, triaging, and analyzing events is established.1. Events are detected and
reported.2. Event data is logged in an incident knowledgebase or similar mechanism.3.
Events are categorized.4. Events are analyzed to determine if they are related to other
12. events.5. Events are prioritized.6. The status of events is tracked.7. Events are managed to
resolution.8. Requirements (rules, laws, regulations, policies, etc.) for identifying event
evidence for forensic purposes are identified.9. A process to ensure event evidence is
handled as required by law or other obligations is followed.3. Incidents are declared.1.
Incidents are declared. 2. Criteria for the declaration of an incident are established.3.
Incidents are analyzed to determine a response.4. A process for responding to and
recovering from incidents is established.1. Incidents are escalated to stakeholders for input
and resolution.2. Responses to declared incidents are developed and implemented
according to pre-defined procedures.3. Incident status and response is communicated to
affected parties.4. Incidents are tracked to resolution.5. Post-incident lessons learned are
translated into improvement strategies.1. Analysis is performed to determine the root
causes of incidents.2. A link between the incident management process and other related
processes (problem management, risk management, change management, etc.) is
established.3. Lessons learned from incident management are used to improve asset
protection and service continuity strategies.
•Purpose: To ensure the continuity of essential operations of services and their associated
assets if a disruption occurs as a result of an incident, disaster, or other event.•The process
of assessing, prioritizing, planning and responding to, and improving plans to address
disruptive events is known as service continuity. The goal of service continuity is to mitigate
the impact of disruptive events by utilizing tested or exercised plans that facilitate
predictable and consistent continuity of the critical services.Service Continuity Management
domain
Service Continuity Management•Goal 1 –Service continuity plans for high-value services are
developed.•Goal 2 –Service continuity plans are reviewed to resolve conflicts between
plans.•Goal 3 –Service continuity plans are tested to ensure they meet their stated
objectives.•Goal 4 –Service continuity plans are executed and reviewed
Service Continuity Management domain1. Service continuity plans for high-value services
are developed.1. Service continuity plans are developed and documented for assets (people,
information, technology, and facilities) required for delivery of the critical service.2. Service
continuity plans are developed using established standards, guidelines, and templates.3.
Staff members are assigned to execute specific service continuity plans.4. Key contacts are
identified in the service continuity plans.5. Service continuity plans are stored in a
controlled manner and available to all those who need to know.6. Availability requirements
such as recovery time objectives and recovery point objectives are established.2. Service
continuity plans are reviewed to resolve conflicts between plans.1. Plans are reviewed to
identify and resolve conflicts.3. Service continuity plans are tested to ensure they meet their
stated objectives.1. Standards for testing service continuity plans have been implemented.
2. A schedule for testing service continuity plans has been established.3. Service continuity
plans are tested.4. Backup and storage procedures for high-value information assets are
tested.5. Test results are compared with test objectives to identify needed improvements to
service continuity plans.4. Service continuity plans are executed and reviewed.1. Conditions
have been identified that trigger the execution of the service continuity plan.2. The
execution of service continuity plans is reviewed.3. Improvements are identified as a result
13. of executing service continuity plans.
•Purpose: To identify, analyze, and mitigate risks to critical service assets that could
adversely affect the operation and delivery of services.•Risk management is a foundational
activity for any organization and is practiced at all levels, from the executives down to
individuals within business units. The CRR focuses on risks to cyber-dependent operations
that have the potential to interrupt delivery of the critical service being examined. While the
CRR focuses on operational risk, it is important to note that operational risk management
requires a comprehensive approach to be effective. Risk Management
Risk Management•Goal 1 –A strategy for identifying, analyzing, and mitigating risks is
developed.•Goal 2 –Risk tolerances are identified, and the focus of risk management
activities is established.•Goal 3 –Risks are identified.•Goal 4 –Risks are analyzed and
assigned a disposition.•Goal 5 –Risks to assets and services are mitigated and controlled.
Risk Management domain1. A strategy for identifying, analyzing, and mitigating risks is
developed.1. Sources of risk that can affect operations have been identified.2. Categories for
risks have been established.3. A plan for managing operational risk has been established.4.
The plan for managing operational risk has been communicated to stakeholders.2. Risk
tolerances are identified, and the focus of risk management activities is established.1.
Impact areas, such as reputation, financial health, and regulatory compliance, have
beenidentified.2. Impact areas have been prioritized to determine their relative
importance.3. Risk tolerance parameters have been established for each impact area.4. Risk
tolerance thresholds, which trigger action, are defined for each category of risk.3. Risks are
identified.1. Operational risks that could affect delivery of the critical service are
identified.4. Risks are analyzed and assigned a disposition.1. Risks are analyzed to
determine potential impact to the critical service.2. A disposition (accept, transfer, mitigate,
etc.) is assigned to identified risks.5. Risks to assets and services are mitigated and
controlled.1. Plans are developed for risks that the organization decides to mitigate.2.
Identified risks are tracked to closure.
•Purpose: To establish processes to manage an appropriate level of controls to ensure the
sustainment and protection of services and assets that are dependent on the actions of
external entities.•The outsourcing of services, development, and production has become a
normal and routine part of operations for many organizations because outsourcing can
engage specialized skills and equipment at a cost savings over internal options. The
External Dependencies Management domain of the CRR presents a method for an
organization to identify and prioritize those external dependencies and then focuses
on•managing and maintaining those dependencies.External Dependencies Management
External Dependencies Management•Goal 1 –External dependencies are identified and
prioritized to ensure sustained operation of high-value services. •Goal 2 –Risks due to
external dependencies are identified and managed.•Goal 3 –Relationships with external
entities are formally established and maintained.•Goal 4 –Performance of external entities
is managed.•Goal 5 –Dependencies on public services and infrastructure service providers
are identified.
External Dependencies Management domain1. External dependencies are identified and
prioritized to ensure operation of high-value services.1. Dependencies on external
14. relationships that are critical to the service are identified.2. A process has been established
for creating and maintaining a list of external dependencies.3. External dependencies are
prioritized.2. Risks due to external dependencies are identified and managed.1. Risks due to
external dependencies are identified and managed.3. Relationships with external entities
are formally established and maintained.1. Resilience requirements of the critical service
are established that apply specifically to each external dependency.2. These requirements
are reviewed and updated.3. The ability of external entities to meet resilience requirements
of the critical service are considered in the selection process.4. Resilience requirements are
included in formal agreements with external entities.4. Performance of external entities is
managed.1. The performance of external entities is monitored against resilience
requirements.2. The responsibility for monitoring external entity performance is assigned
(as related to resilience requirements).3. Corrective actions are taken as necessary to
address issues with external entity performance (as related to resilience requirements).4.
Corrective actions are evaluated to ensure issues are remedied.5. Dependencies on public
services and infrastructure service providers are identified.1. Public services on which the
critical service depends (fire response and rescue services, lawenforcement, etc.) are
identified.2. Infrastructure providers on which the critical service depends
(telecommunications andtelephone services, energy sources, etc.) are identified.
•Purpose: To promote awareness in and develop skills and knowledge of people in support
of their roles in attaining and sustaining operational sustainment and protection.•Training
and awareness focuses on the processes by which an organization plans, identifies needs
for, conducts, and improves training and awareness to ensure the organization’s
operational cyber resilience requirements and goals are known and met. An organization
plans for and conducts training and awareness activities that make staff members aware of
their role in the organization’s cyber resilience concerns and policies. Staff members also
receive specific training to enable them to perform their roles in managing organizational
cyber resilience. Training and Awareness
Training and Awareness•Goal 1 –Cyber security awareness and training programs are
established.•Goal 2 –Awareness and training activities are conducted.
Training and Awareness domain1. Cybersecurityawareness and training programs are
established.1. Cybersecurityawareness needs have been identified for the critical service.2.
Required skills have been identified for specific roles (administrators, technicians, etc.) for
the critical service.3. Skill gaps present in personnel responsible for cybersecurityare
identified.4. Training needs have been identified.2. Awareness and training activities are
conducted.1. Cybersecurityawareness activities for the critical service are conducted.2.
Cybersecuritytraining activities for the critical service are conducted.3. The effectiveness of
the awareness and training programs is evaluated.4. Awareness and training activities are
revised as needed.
•Purpose: To actively discover and analyze information related to immediate operational
stability and security and to coordinate such information across the enterprise to ensure
that all organizational units are performing under a common operating picture.•Situational
awareness activities are performed throughout the organization to provide timely and
accurate information about the current state of operational processes. Activities must
15. support communication with a variety of internal and external stakeholders to support the
resilience requirements of the critical service.Situational Awareness
Situational Awareness•Goal 1 –Threat monitoring is performed.•Goal 2 –The requirements
for communicating threat information are established.•Goal 3 –Threat information is
communicated.
Situational Awareness domain 1. Threat monitoring is performed.1. Responsibility for
monitoring sources of threat information has been assigned.2. Threat monitoring
procedures have been implemented.3. Resources have been assigned and trained to
perform threat monitoring.2. The requirements for communicating threat information are
established.1. Internal stakeholders (such as the critical service owner and incident
management staff) to whom threat information must be communicated have been
identified. 2. External stakeholders (such as emergency management personnel, regulators,
andinformation sharing organizations) to whom threat information must be
communicatedhave been identified.3. Threat information is communicated.1. Threat
information is communicated to stakeholders.2. Resources have been assigned authority
and accountability for communicating threatinformation.3. Resources have been trained
with respect to their specific role in communicating threatinformation.
Questions ????
What is an AssetSomething that has potential or actual value to an organization.So it can be
Tangent or Intangent.Can have Present or Future Value. Value is what left after paying the
price. And value created shall be in good fit with vision and strategic objectives of
organization.
Nature of assetsHuman assets: The behaviors , knowledge and Competence of the
workforce have a fundamental (influence on the performance of the physical
assets)Financial assets: financial resources are required for infrastructure investments,
operation, maintenance and materials;Information assets: good quality data and
information are essential to develop, optimize and implement asset management
plan(s);Intangible assets: the organization’s reputation and image can have a significant
impact on infrastructure investment, operating strategies and associated costs.Physical
Assets : Plants, Machinery, Building, vehicles, property and other items with distinct
values.
What Is Asset ManagementSystematic and coordinated activities and practices through
which an organization optimally and sustainably manages its assets and asset systems, their
associated performance, risks and expenditures over their life cycles for the purpose of
achieving its organizational strategic plan.
Enterprise Asset ManagementInfrastructure Asset ManagementPhysical Asset
ManagementStrategic Asset ManagementProperty Asset ManagementFacilities Asset
Management, and many othersThe emerging standards converge the opinion to the term
Asset Management
Evolution of Asset Management Discipline.Asset Management is not new. People have been
managing assets for thousands of years. What has changed, however, is the cumulative
recognition that good Asset Management involves optimizing (within any absolute
constraints) the mix of cost,riskand performance over whole asset life.The PAS 55 2004
16. British standard was originally produced in 2004 by a number of organizations under the
leadership of theInstitute of Asset Management.PAS 55:2008 was released in Dec 2008
along with a toolkit for self-assessment against the specification.The International Standard
ISO 55000/1/2 passed by international body in Dec 13 and likely to be released by Feb
2014.
ISO 55000 Standard Incorporated Guidance from Following Standards•ISO_20815-
Production assurance and reliability management•PAS55-2-2008 Asset management (a
specification)•API_RP_580 Risk Based Inspection•ISO 31000:2009 Risk management -
Principles and guidelines•ISO 9001-2008 Quality management systems –
Requirements•ISO/IEC15288:2008 Systems and software engineering -System life cycle
processes•ISO/IEC12207:2008 Systems and software engineering -Software life cycle
processes
Principles of Good Asset Management}Holistic: looking at the whole picture, i.e. the
combined implications of managing all aspects.}Systematic: a methodical approach,
promoting consistent, repeatable and auditable decisions and actions;}Systemic:
considering the assets in their asset system context and optimizing the asset systems
value}Risk-based: focusing resources and expenditure, and setting priorities, appropriate to
the identified risks and the associated cost/benefits;
Principles of Good Asset Management}Optimal: establishing the best value compromise
between competing factors, such as performance, cost and risk, associated with the assets
over their life cycles;}Sustainable: considering the long-term consequences of short-term
activities to ensure that adequate provision is made for future requirements and obligations
(such as economic or environmental sustainability, system performance, societal
responsibility and other long-term objectives)}Integrated: recognizing that
interdependencies and combined effects are vital to success. This requires a combination of
the above attributes, coordinated to deliver a joined-up approach and net value.
Asset Management SystemSource: PAS55-2-2008 Idea CreationApprovalDetail
DesignProcurementConstructionCommissionDecommissionAsset Life CycleProject Phase of
Life CycleProductive Phase of Life CycleEndFeasibilityOperationDisposalPreliminary Design
Asset Management System shall answer following questions}Do you understand the risk
profile associated with your asset portfolio and how this will changeover time?}Do you
understand the business consequences of reducing your capital investment or maintenance
budgets by 10% over the next five years?}Can you justify your planned asset expenditures
to external stakeholders?
}Can you easily identify which investment projects to defer when there are funding
problems or cash flow constraints?}Do you have the appropriate asset data and information
to support your Asset Management decision-making?}Do you know if your people have the
right competences and capabilities to manage your assets? }Do you know which Asset
Management activities to out-source?
Focus and business context of this International Standardin relation to other categories of
assets
Elements of Asset Management
PDCA CYCLE OF ASSET MANAGEMENT
17. Elements of Asset Management
Asset Management PolicyPrinciples and mandated requirements derived from, and
consistent with, the organizational strategic plan, providing a framework for the
development and implementation of the asset management strategy and the setting of the
asset management objectives.}The asset management policy plays a leading part in driving
the asset management system. The asset management policy is a means for top
management }to communicate to its managers, employees and stakeholders the
organization’s position and intentions with regard to asset management. }It provides a high
level statement of the organization’s principles, approach and expectations relating to asset
management. }The asset management policy should be seen as the same level of
commitment as an organization’s safety policy.
Asset Management StrategyThe organization shall establish, document, implement and
maintain a long term asset management strategy which shall be authorized by top
management.}The asset management strategy should set out how the asset management
policy will be achieved.}It is the coordinating mechanism for ensuring that activities carried
out on physical assets are aligned to optimally achieve the organizational strategic plan.
This requires a high level plan or scheme for converting the asset management policy into
specific asset management objectives and activity plans across the whole asset
portfolio.}Example
The Asset Management Decision-Making Group is made up of the following
Subjects:}Capital Investment Decision-Making}Operations and Maintenance Decision-
Making}Lifecycle Cost and Value Optimisation}Resourcing Strategy and
Optimisation}Shutdowns & Outage Strategy and Optimisation}Ageing Assets Strategy
Asset Management ObjectiveIt is necessary to ensure that measurable asset management
objectives are established throughout relevant parts of the organization to enable the asset
management policy to be implemented and the asset management strategy to be
achieved.}specific and measurable outcome or achievement required of asset system(s) in
order to implement the asset management policy and asset management strategy; }Detailed
and measurable level of performance or condition required of the assets; and/or}Specific
and measurable outcome or achievement required of the asset management system.
Asset management PlansThe organization shall establish, document and maintain asset
management plan(s) to achieve the asset management strategy and deliver the asset
management objectives across the following life cycle activities:}Creation, acquisition or
enhancement of assets;}Utilization of assets;}Maintenance of assets;}Decommissioning
and/or disposal of assets.}Example:
Asset management PlansThe Lifecycle Delivery Activities Group contains the following
Asset Management Subjects:}Technical Standards and Legislation}Asset Creation and
Acquisition}Systems Engineering}Maintenance Delivery}Reliability Engineering & Root
Cause Analysis}Asset Operations}Resource Management}Shutdown/Outage
Management}Incident Response}Asset Rationalization and Disposal
Asset Management contingency PlansThe organization shall establish, implement, and
maintain plan(s) and/or procedure(s) for identifying and responding to incidents and
emergency situations, and maintaining the continuity of critical asset management
18. activities.}significant failure of critical assets resulting in the loss of service or supply to
customers or a hazardous}condition arisingextreme weather conditions, e.g. strong winds,
floods, heavy snowfall, lightning strikes;}⎯unplanned release of hazardous liquids or
gases;}⎯explosion or fire;}⎯loss of power supply or control systems;}⎯a combination of
events or risks which may result in an emergency situation
Enablers of Asset Management
Asset management enablers and controlsStructure, Authority and ResponsibilitiesThe
organization shall establish and maintain an organizational structure of roles,
responsibilities and authorities, consistent with the achievement of its asset management
policy, strategy, objectives and plans. These roles, responsibilities and authorities shall be
defined, documented and communicated to the relevant individuals.
Asset management enablers and controlsOutsourcing of asset management activitiesWhere
an organization chooses to outsource any aspect of asset management that affects
conformity with the requirements , the organization shall ensure control over such aspects.
The organization shall determine and document how these parts will be controlled and
integrated into the organizations’ asset management system. The organization shall also
identify and document
Asset management enablers and controlsTraining, Awareness and CompetenceThe
organization shall ensure that any person(s) under its direct control undertaking asset
management related activities has an appropriate level of competence in terms of
education, training or experience.The organization shall establish, implement and maintain
process(es) and/or procedure(s) to make persons working under its control aware of:}the
asset management related risks associated with their work activities and the asset
management benefits of personal performance;}their roles and responsibilities and the
importance in complying with the asset management policy , process(es) and/or
procedure(s) and plan(s);}the potential consequences of departure from specified asset
management process(es) and/or procedure(s)
Asset management enablers and controlsAsset management system documentationThe
organization shall establish, implement and maintain up-to-date documentation to ensure
that its asset management system can be adequately understood, communicated and
operated.
Asset management enablers and controlsCommunication, participation and
consultationThe organization shall ensure that pertinent asset management information is
effectively communicated toand from employees and other stakeholders, including
contracted service providers.The organization shall ensure consultation with stakeholders
that is relevant and appropriate to theirinvolvement in:a) the development of the asset
management strategy, objectives and plan(s);b) the development of functional policies,
engineering standards, process(es) and/or procedure(s);c) risk assessments and
determination of controls;
Asset management enablers and controlsInformation managementThe organization shall
identify the asset management information it requires to meet the requirements of
specification considering all phases of the asset life cycle. The information shall be of a
quality appropriate to the asset management decisions and activities it supports}The
19. organization shall establish, implement and maintain procedure(s) for controlling all
information required of this specification. These procedures shall ensure:}The adequacy of
the information is approved by authorized personnel prior to use;}Information is
maintained and adequacy assured through periodic review and revision, including version
control where appropriate;}Allocation of appropriate roles, responsibilities and authorities
regarding the origination, generation ,capture, maintenance, assurance, transmission, rights
of access, retention, archiving and disposal of items of information;
Asset management enablers and controlsRisk managementThe organization shall establish,
implement and maintain documented process(es) and/or procedure(s) for the ongoing
identification and assessment of asset related and asset management-related risks, and the
identification and implementation of necessary control measures throughout the life cycles
of the assets .}Criticality, Risk Assessment and Management}Contingency Planning and
Resilience Analysis}Sustainable Development}Weather and Climate Change}Assets &
Systems Performance & Health Monitoring}Assets & Systems Change
Management}Management Review, Audit & Assurance}Stakeholder Relations
Asset management enablers and controlsLegal and other requirementsThe organization
shall establish, implement and maintain process(es)and/or procedure(s) for identifying and
accessing the legal, regulatory, statutory and other applicable asset management
requirements.
Asset management enablers and controlsManagement of change}Where existing
arrangements are revised, or new arrangements are introduced that could have an impact
on}Asset management activities, the organization shall assess the associated risks before
the arrangements are implemented. The new or revised arrangements to be considered
shall include}Revised organizational structure, roles or responsibilities;}Revised asset
management policy, strategy, objectives or plans.
Elements of ISO55000
Implementation of asset management plan(s)Life cycle activitiesThe organization shall
establish, implement and maintain process(es) and/or procedure(s) for the implementation
of its asset management plan(s) and control of activities across the whole life cycle,
including:}creation, acquisition or enhancement of assets;}utilization of
assets;}maintenance of assets;}decommissioning and/or disposal of assets.
Implementation of asset management plan(s)Tools, facilities and equipmentThe
organization shall ensure that tools, facilities and equipment are maintained and, where
appropriate, calibrated. The organization shall establish and maintain process(es) and
procedure(s) to control these maintenance and calibration activities, where such tools,
facilities and equipment are essential for:}The implementation of its asset management
plan(s);}Achieving the required function(s) and performance from its assets or asset
systems;}The monitoring and measurement of performance and/or condition
Elements of ISO55000
Performance assessment and improvementPerformance and condition monitoring}The
organization shall establish, implement and maintain process(es) and/or procedure(s) to
monitor and measure the performance of the asset management system and the
performance and/or condition of assets and/or asset systems. The process(es) and/or
20. procedure(s) shall provide for the consideration of:}Reactive monitoring to identify past or
existing nonconformities in the asset management system, and any asset-related
deterioration, failures or incidents;}Proactive monitoring to seek assurance that the asset
management system and assets and/or asset systems are operating as intended. This shall
include monitoring to ascertain that the asset management policy, strategy and objectives
are met, the asset management plan(s) are implemented, and that the process(es),
procedure(s) or other arrangements to control asset life cycle activities are effective;
Performance Assessment and ImprovementInvestigation of asset-related failures, incidents
and nonconformitiesThe organization shall establish, implement and maintain process(es)
and/or procedure(s) for the handlingand investigation of failures, incidents and
nonconformities associated with assets, asset systems and the asset management system.
These process(es) and/or procedure(s) shall define responsibility and authority for:•Taking
action to mitigate consequences arising from a failure, incident or
nonconformity;•Investigating failures, incidents and nonconformities to determine their
root cause(s);•Evaluating the need for preventive action(s) to avoid failures, incidents and
nonconformities occurring;•Communicating, as appropriate to relevant stakeholders, the
results of investigations and identified corrective action(s) and/or preventive action(s)
Performance Assessment and ImprovementEvaluation of compliance}The organization
shall establish, implement and maintain process(es) and/or procedure(s) for evaluation of
its compliance with applicable legal and other regulatory or absolute requirements, and
shall determine the frequency of such evaluations .The organization shall keep records of
the results of these evaluations.
Performance Assessment and ImprovementAuditThe organization shall ensure that audits
of the asset management system are conducted to determine whether the asset
management system:}Conforms to planned arrangements for asset management, including
the requirements .}Has been implemented and is maintained.}Is effective in meeting the
organization’s asset management policy, asset management strategy and asset management
objectives.
Performance Assessment and ImprovementImprovement actionsCorrective and preventive
action}The organization shall establish, implement and maintain process(es) and/or
procedure(s) for instigating:}Corrective action(s) for eliminating the causes of observed
poor performance and nonconformities}Identified from investigations, evaluations of
compliance and audits to avoid their recurrence;}Preventive action(s) for eliminating the
potential causes of nonconformities or poor performance.
Performance Assessment and ImprovementRecords}The organization shall establish and
maintain records as necessary to demonstrate conformance to the requirements of its asset
management system and Clause 4 of this International Standard.}Records shall be legible,
identifiable and traceable.}Records shall be maintained in accordance with the
requirements
Performance Assessment and ImprovementManagement reviewTop management shall
review at intervals that it determines appropriate the organization’s asset management
system to ensure its continuing suitability, adequacy and effectiveness. Reviews shall
include assessing the need for changes to the asset management system, including asset
21. management policy, asset management strategy and asset management objectives
Thank You
zRisk Management: Controlling Risk In information SecurityGreg Kyrytschenko
zThe purpose of risk managementEnsure overall business and business assets are safe
Protect against competitive disadvantageCompliance with laws and best business
practicesMaintain a good public reputation
zSteps of a risk management plan▪Step 1: Identify Risk▪Step 2: Assess Risk▪Step 3:
Control Risk▪Steps are similar regardless of context (InfoSec, Physical Security, Financial,
etc.)▪This presentation will focus on controlling risk within an InfoSec context
zzRisk Identification▪The steps to risk identification are:▪Identify your organization’s
information assets▪Classify and categorize said assets into useful groups▪Rank assets
necessity to the organization ▪To the right is a simplified example of how a company may
identify risksAssetAsset Type and SubcategoryAssetFunctionPriority Level (Low, Medium,
High, Critical)BobWorkerPersonnel: InfoSec•Secure Networks•Penetration Testing•Make
coffeeLowCisco UCSB460 M4 Blade ServerHardware: Networking•Database
ServerHighCustomerPersonally Identifiable Information (PII)Data: Confidential
Information•Provideinformation for all business transactionsCriticalWindows7 Software:
Operating System •Employeeaccess to enterprise softwareMedium
zzRisk Assessment ▪The steps to risk assessment are:▪Identify threats and threat
agents▪Prioritize threats and threat agents ▪Assess vulnerabilities in current InfoSec
plan▪Determine risk of each threat ▪R = P * V –M + U▪R = Risk▪P = Probability of threat
attack▪V = Value of Information Asset▪M = Mitigation by current controls▪U =
Uncertainty of vulnerability▪The table to the right combines elements of all of these in a
highly simplified formatThreat Agentand ThreatTargeted AssetThreat Level
PossibleExploitsRisk (Scale of 1-5)DisgruntledInsider: Steal company informationto
sellCompanydata (i.e. Customer PII)HighAccesscontrol credentials, knowledge of InfoSec
policies, etc. 4.16Fire:Burn the facility down or cause major damageCompanyFacility,
Personnel, EquipmentCriticalMishandledequipment2.78Hacktivists:Quality of service
deviationCompanyHardware/SoftwareLowLack of effectivefiltering1.39
zRisk control ▪The steps to risk control are: •Cost-Benefit Analysis (CBA)•Single Loss
Expectancy (SLE)•Annualized Rate of Occurrence (ARO)•Annual Loss Expectancy
(ALE)•Annual Cost of the Safeguard (ASG)•Feasibility Analysis•Organizational
Feasibility•Operational Feasibility•Technical Feasibility•Political Feasibility •Risk Control
Strategy Implementation
zzCost-Benefit analysis▪Determine what risk control strategies are cost effective ▪Below
are some common formulas used to calculate cost-benefit analysis ▪SLE = AV * EF▪AV =
Asset Value, EF = Exposure factor (% of asset affected)▪ALE = SLE * ARO▪CBA = ALE (pre-
control) –ALE (post-control) –ACE
zFeasibility analysis▪Organizational: Does the plan correspond to the organization’s
objectives? What is in it for the organization? Does it limit the organization’s capabilities in
any way? ▪Operational: Will shareholders (users, managers, etc.) be able/willing to accept
the plan? Is the system compatible with the new changes? Have the possible changes been
communicated to the employees? ▪Technical: Is the necessary technology owned or
22. obtainable? Are our employees trained and if not can we afford to train them? Should we
hire new employees? ▪Political: Can InfoSec acquire the necessary budget and approval to
implement the plan? Is the budget required justifiable? Does InfoSec have to compete with
other departments to acquire the desired budget?
zRisk control Strategies▪Defense ▪Transferal▪Mitigation▪Acceptance (Abandonment)
▪Termination
zzRisk control Strategy: defense▪Defense: Prevent the exploitation of the system via
application of policy, training/education, and technology. Preferably layered security
(defense in depth) ▪Counter threats▪Remove vulnerabilities from assess▪Limit access to
assets▪Add protective safeguards
zzRisk control Strategy: transferal▪Transferal: Shift risks to other areas or outside entities
to handle▪Can include:▪Purchasing insurance▪Outsourcing to other
organizations▪Implementing service contracts with providers▪Revising deployment
models
zzRisk control Strategy: Mitigation▪Mitigation: Creating plans and preparations to reduce
the damage of threat actualization▪Preparation should include a:▪Incidence Response
Plan▪Disaster Recovery Plan▪Business Continuity Plan
zzRisk control Strategy: Acceptance▪Acceptance: Properly identifying and acknowledging
risks, and choosing to not control them▪Appropriate when:▪The cost to protect an asset or
assets exceeds the cost to replace it/them▪When the probability of risk is very low and the
asset is of low priority▪Otherwise acceptance = negligence
zzRisk control Strategy: Termination▪Termination: Removing or discontinuing the
information asset from the organization ▪Examples include: ▪Equipment disposal
▪Discontinuing a provided service▪Firing an employee
zPros and cons of each strategyProsConsDefense: Preferred all round approachTransferal:
Easy and effectiveMitigation: Effective when all else failsAcceptance: Cheap and
easyTermination: Relatively cheap and safeDefense: Expensive and laboriousTransferal:
Dependence on external entitiesMitigation: Guarantees company lossAcceptance: Rarely
appropriate, unsafeTermination: Rarely appropriate, requires company loss
zstandard approaches to risk management▪U.S CERT’s Operationally Critical Threat
Assessment Vulnerability Evaluation (OCTAVE) Methods (Original, OCTAVE-S, OCTAVE-
Allegro)▪ISO 27005 Standard for InfoSec Risk Management▪NIST Risk Management Model
▪Microsoft Risk Management Approach▪Jack A. Jones’ Factor Analysis of Information Risk
(FAIR)▪Delphi Technique
zRisk management
software▪https://www.youtube.com/watch?v=zovrF9F_C5s▪https://www.youtube.com/
watch?v=x8BcE7T_Nb4
zRegulatory Organization18The organization’s objectives in its’ risk management plan are :
:▪To face any risk ▪concerned with loss of customer confidence, as well as monetary and
productivity losses.▪Risk assessments have always been a part of doing business that leads
to determine the level of risk associated with a business function or process in order to
determine the applicable security controls.▪The organization consists of a ▪central
officewho issues organization wide information security risk assessment guidelinesand
23. establishes minimum control requirements▪regional officesthroughout the United States
with , who facilitates the process in its geographic area; and individual business units are
responsible for conducting the assessments.▪The organization’s policy guidelines require
▪business units to conduct risk assessment at least once a year. ▪when a new business
operation is established or when significant operational changes occur.
zzRisk Assessment Process19
z01/10/144320Conducting and Documenting the AssessmentThe central office has
incorporated these elements into a set of detailed guidelines for conducting information
security risk assessments , complementary training manual elaborating on the
guidelinesand providing more detailed step-by-step procedures.
zDetermining Risk Level21▪The team's first step is to evaluate possible threats to
information security that may affect the unit's operations.▪The team assigns a risk level of
high, moderate, or low for each area of vulnerability to show the possible effect of damage if
the threat were to occur. ▪The team uses a matrix to assist in its analysis of risk as shown
in the following table:
z22Risk AssessmentMatrix
zRisk Assessment Table2301/10/1443▪After completing the matrix, the team summarizes
its findings by assigning a composite risk level to each of the five areas of vulnerability on
the matrix.
zIdentifying Needed Controls Based on Predetermined Requirements24▪After determining
the overall risk level for each area of vulnerability, the team identifies the minimum
applicable controls that are prescribed in its organizational guidelines.
z25Reporting and Ensuring That Agreed Actions Are TakenAfter determining the minimum
set of controls, the team compares those required controls with controls already in place
and identifies any gaps. The team prepares a short statement summarizing the outcome and
documenting its decisions and decision making process. It then provides the regional office
a copy of the risk assessment table.
z01/10/144326Identification and Assessment of Risks to Customer
Information▪Organization recognizes that it has both internal and external risks. These
risks include, but are not limited to:▪Unauthorized access of protected Information by
someone other than the owner of the covered data and information ▪Unauthorized access
of covered data and information by employees ▪Unauthorized requests for covered data
and information ▪Unauthorized access through hardcopy files or reports ▪Unauthorized
transfer of covered data and information through third parties ▪Compromised system
security as a result of system access by an unauthorized person ▪Interception of data
during transmission ▪Loss of data integrity▪Errors introduced into the system
▪Corruption of data or systems ▪Physical loss of data in a disaster Human( internal &
External)
z27Who has the responsibility of assessing the risk ▪The Security Technology Officer, in
consultation with an advisory committee, is responsible for the maintenance of information
security and privacy. ▪The advisory committee will include representatives from the
departments primarily responsible for safeguarding Protected Information. ▪Each
department responsible for safeguarding Protected Information will provide an annual
24. update report indicating the status of its safeguarding procedures. ▪The Coordinators, in
conjunction with the advisory committee, are responsible for assessing the risks associated
with unauthorized transfers of Protected Information and implementing procedures to
minimize those
z28Design and Implementation of Safeguards Program▪Minimizing risk and safeguarding
covered data and information security can be achieved by Employee Management and
Training▪Physical Security can be achieved by limiting access to only those employees who
have a business reason to know such information and requiring signed acknowledgement of
the requirement to keep Protected Information private▪Information systems include
network and software design, as well as information processing, storage, transmission,
retrieval, and disposal. Organizations have policies, standards, and guidelines governing the
use of electronic resources and firewall and wireless policies ▪The Organization maintain
effective systems to prevent, detect, and respond to attacks, intrusions and other system
failures. Such systems may include maintaining and implementing current anti-virus
software; checking with software vendors and others to regularly obtain and install patches
to correct software vulnerabilities; maintaining appropriate filtering or firewall
technologies …
zNSF CSF Risk Assessment
zNIST CSF Risk
Assessment▪https://www.nist.gov/document/supplementnicespecialtyareasandworkrole
ksasandtasksxlsx
zSources▪M. Whitman, H. Mattford. ,Management of information security, Fourth Edition,
Stamford, CT: Cengage Learning, 2014, p. 279-
313.▪www.youtube.com▪www.bing.com/images▪www.duckduckgo.com
