
UNIT 3

Cyber security Management

Cyber security Management = Risk assessment & management + Business Continuity planning

Risk Management and assessment


What is Risk??
The uncertainty that potential or known events may impact a project's outcome.
The measure of the probability and severity of adverse effects.
The product of the probability of an event not occurring and the consequence of not succeeding.

What is Risk??

Two Parts:
1. Probability of Event Occurring
2. Consequences of Event Occurring (including level of severity)

Consequences can be expressed in many units


Severity is subjective, so be careful

Why Implement Risk Management??

Identify potential problem areas early
Prevent them from occurring
Develop a plan for dealing with the situations, if they occur
Reduces the chance of costly changes or reduces the impact of unavoidable events: schedule delays, unexpected failures, etc.
Increases the likelihood of success!!

When Should Risk Management Be Implemented??

Planning begins before/at project startup
Preliminary identification and assessment start at the earliest technical phase (Problem/need definition, Operations Concept, Architecture, etc.)
Risks are tracked and managed throughout the project/program life cycle
Plans for reporting should be established early to avoid confusion in responsibilities later

What a Risk Analysis Analyzes??

Risk analysis can be used to review any task, project, or idea.
With proper risk analysis an organization can decide if:
a project should be undertaken,
a specific product should be purchased,
a new control should be implemented,
the enterprise is at risk from some threat.

Who Should Review the Results of a Risk Analysis??

A risk analysis is rarely conducted without a senior management sponsor.
The results are geared to provide management with the information it needs to make informed business decisions.
The results of a risk analysis are classified as confidential and are provided only to the sponsor and to those deemed appropriate by the sponsor.

How Is the Success of the Risk Analysis Measured?

A tangible way to measure success is to see a lower bottom line for cost.
It should take less time.
It should be integrated with the organization's SDLC (A, D, C, T, M): Analysis, Development, Construction, Test, Maintenance.
The National Institute of Standards and Technology (NIST) uses the following terms: Initiation, Development or Acquisition, Implementation, Operation or Maintenance, and Disposal.

Simple Project Life Cycle (diagram): Problem/need definition, Requirements Development, Functional Analysis & Allocation, Design, Verification & Validation, Delivery.

Risk management activities include:

Analysis: identified risks are used to support the development of system requirements, including security needs.
Design: security needs lead to architecture and design trade-offs.
Development: the security controls and safeguards are created or implemented as part of the development process.
Test: safeguards and controls are tested to ensure that the risks identified are reduced to acceptable levels prior to movement to production.
Maintenance: controls and safeguards are re-examined when changes or updates occur, or at regularly scheduled intervals.

Risk Types
Three Most Recognized Types of Risk in Government and Commercial Practice
1. Technical
2. Cost
3. Schedule

Risk Types
1. Technical
The degree to which technology is sufficiently mature and has been demonstrated as capable of satisfying program objectives.
Technical risk is frequently the driver in the development phase of a program.

Risk Types
2. Cost
Availability and sufficiency of funding for the program.
Government appropriations and funding cycles are also subject to political risks.
Commercial programs are subject to market risks.

Risk Types
3. Schedule
Adequacy of time allocated for the defined tasks.
Includes effects of changes due to unpredictable events such as: program and technical decisions, time-to-market pressure, labor problems, weather and customer-directed changes.

Risk Types
Others
Adequate staffing, resources
Professional/Enterprise reputation
External: Political, Social, Regulatory/legislative

Information Security Life Cycle

As with any business process, the information security life cycle starts with risk analysis.
A formal risk analysis provides the documentation that the risk analysis was performed properly.
A risk analysis also lets an enterprise take control of its own destiny, and ensures the needed controls and safeguards are installed.
Risk analysis results will be used on two occasions:
(1) when a decision needs to be made, and
(2) when there arises a need to examine the decision-making process.

A risk analysis should be conducted whenever money or resources are to be spent.
Once a risk analysis has been conducted, it is necessary to conduct a cost-benefit analysis so that we can decide which safeguards are necessary to mitigate the risk, rather than installing all of them.
Once the controls or safeguards have been implemented, it is appropriate to conduct a vulnerability assessment to determine if the controls are working.

Risk Analysis Process

Risk analysis has three deliverables:
(1) identify threats;
(2) establish a risk level by determining the probability that a threat will occur and the impact if the threat does occur;
(3) identification of controls and safeguards that can reduce the risk to an acceptable level.

Asset Definition
The first step in the risk analysis process is to define the asset that is going to have the risk analysis performed upon it.
Establish the boundaries of what is to be reviewed; if not, the risk analysis will fail.
Gather relevant information about the asset or process under review.
The risk management team can use a number of techniques; these include questionnaires, on-site interviews, and documentation review.
(1) Threat Identification
Natural threats: floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and other such events.
Human threats: events that are either enabled by or caused by human beings (error, fraud, malicious software use, unauthorized access).
Environmental threats: long-term power outages, pollution, chemical spills, or liquid leakage.
Historical data is used as a source of threat information.

(2) Determine Probability of Occurrence

The risk management team must determine how likely the threat is to occur. The probability is calculated from previous occurrences; if it is a new threat with no history, a probability has to be estimated.
Determine the Impact of the Threat

(3) Controls Recommended

The RM team will identify controls or safeguards that could possibly eliminate the risk or at least reduce the risk to an acceptable level.
A number of factors need to be considered when recommending controls and alternative solutions:
1. operational impact on the organization
2. expenditure, productivity and turn-around time
3. safety and reliability
Expenditure on controls must be balanced against the actual business harm.
Rule of thumb: if the control costs more than the asset it is designed to protect, then the return on investment will probably be low.
Documentation
The results should be documented in a standard format and a report issued to the asset owner.
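The three deliverables and the controls rule of thumb above, carried through in code as an added example that is not part of the slides. The asset, threats, scales, costs and the acceptance threshold are constructed sample values, not figures from the page.

```python
"""Added example (not from the slides): a small risk register covering the
three risk-analysis deliverables for one asset. All values are constructed."""
from dataclasses import dataclass, field

# Qualitative 1 (low) .. 5 (high) scales; risk level = probability x impact.
ACCEPTABLE_RISK = 6          # assumed threshold agreed with the sponsor


@dataclass
class Control:
    name: str
    annual_cost: float
    residual_probability: int  # probability (1..5) left once implemented


@dataclass
class Threat:
    name: str
    category: str              # natural / human / environmental
    probability: int           # from historical data, or estimated if new
    impact: int                # consequence to the asset
    controls: list = field(default_factory=list)

    def risk_level(self) -> int:
        return self.probability * self.impact


def recommend(threat: Threat, asset_value: float) -> list:
    """Deliverable (3): controls that bring risk to an acceptable level AND
    pass the rule of thumb that a control must not cost more than the asset."""
    return [(c.name, c.residual_probability * threat.impact)
            for c in threat.controls
            if c.residual_probability * threat.impact <= ACCEPTABLE_RISK
            and c.annual_cost <= asset_value]


def analyse(asset_value: float, threats: list) -> dict:
    """Deliverables (1)-(3) for every identified threat, keyed by threat name.
    'accept' is risk assumption, 'alleviate' means recommended controls exist,
    'review' means avoidance, limitation or transference must be considered."""
    report = {}
    for t in threats:
        level = t.risk_level()
        recs = [] if level <= ACCEPTABLE_RISK else recommend(t, asset_value)
        decision = ("accept" if level <= ACCEPTABLE_RISK
                    else "alleviate" if recs else "review")
        report[t.name] = {"level": level, "decision": decision, "controls": recs}
    return report


# Constructed sample: a payroll server and three identified threats.
PAYROLL_SERVER_VALUE = 120_000.0
SAMPLE_THREATS = [
    Threat("flood", "natural", 1, 5),
    Threat("malware", "human", 4, 4, [Control("endpoint protection", 15_000, 2),
                                      Control("patching + EDR", 20_000, 1),
                                      Control("air-gapped rebuild", 250_000, 1)]),
    Threat("power outage", "environmental", 3, 3, [Control("UPS + generator", 30_000, 1)]),
]
```

Running `analyse(PAYROLL_SERVER_VALUE, SAMPLE_THREATS)` accepts the flood risk, recommends only the control that is both effective and cheaper than the asset for malware, and alleviates the power outage.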

Risk Mitigation
A systematic methodology used by senior management to reduce organizational risk.
Risk assumption: after completing the risk analysis process, management decides whether or not to accept the risk.
Risk alleviation: senior management approves the implementation of the controls recommended by the risk management team that will lower the risk to an acceptable level.
Risk avoidance: the risk analysis and management team chooses to avoid the risks by eliminating the process that could cause the risks.
Risk limitation: to limit the risk by implementing controls that minimize the adverse impact of a threat that would exercise a vulnerability.
Risk planning: to manage risk by developing an architecture that prioritizes, implements, and maintains controls.
Risk transference: management transfers the risk using other options to compensate for a loss, such as purchasing an insurance policy.

Business Continuity Planning

Business continuity planning is the process of ensuring that your organization can continue doing business even when its normal facilities or place of business is unavailable.
Ex1: In earlier days, companies equipped with a disaster recovery plan could resume computing work quickly even though the data center they depended on was unavailable.
Ex2: A fire accident at the office.
BCP is hard to sell to management, as it requires the CSO to test the BCP continuously.
The solution is to divide the BCP into modules and sell each module with its importance value.

Business Continuity Planning Policy

Information security programs depend for their legitimacy on a policy statement; likewise, the business continuity planning policy must serve the same purpose and conform to the same requirements as every other information security policy.
A policy is a high-level statement of beliefs and objectives for the enterprise, which should be readable and implementable.
An organization's policy will almost certainly go through a rigorous process of review and comment by the organization's senior management; therefore the contents of the policy should remain unchanged for as long as possible.
A BCP should be easily understandable and applicable to the organization's needs.

A policy should contain four sections:

1. Policy statement
2. Scope
3. Responsibilities
4. Compliance
Policy statement:
This is where we say what our policy is regarding business continuity planning; organizations do publish policies that lack any discernible statement of what the policy actually is.
Scope:
Establishes to whom the policy applies (all or some).
Ex: the policy applies to certain employees (full time/part time).

Responsibilities:
The policy states who does what in relation to applying the policy throughout the organization, but while creating the policy we stay away from naming individuals and stick to talking about positions: Senior Management, Information Security, etc.
Compliance:
How the BCP policy is to be applied, and how breaches of the policy are handled.

Conducting a Business Impact Analysis (BIA)

We conduct a BIA to understand the maximum tolerable outage for the organization.
After conducting the BIA we can see where to start when choosing what our continuity planning strategy will be.
1. Identify Sponsor(s)
We need a sponsor for the BIA, as we will be taking up time with members of staff in every business department.
The sponsor must carry some authority over the organization and be involved in reviewing the BIA results.
2. Scope
If the organization is too large, it is difficult to conduct a BIA for each unit, so the organization has to define limits (physical boundaries) based on importance.

3. Information Meeting
The information meeting should tell managers in detail what is going to happen, what is required, what will be done with the information gathered and what the managers need to do.
4. Information Gathering
The success of the BIA depends on gathering accurate information about the business processes in the organization:
Organization and people
Locations and numbers
Constraints
5. Questionnaire Design
The use of a questionnaire is critical because it ensures that everyone participating will be answering the same set of questions about their business.
The questionnaire covers the following:
1. complete information about themselves,
2. the department in which they work,
3. the business function they are about to describe.

The next part of the questionnaire deals with business processes:

1. describe each business process,
2. how often the process is performed (hourly, daily, etc.),
3. what critical time periods exist for each process.
The last section requires that the respondent complete timing information that is particularly important to the completion of each process, e.g.:
1. closing dates for payroll entry,
2. lead times for check printing.
The respondent is asked to judge what would happen if the process did not execute for given periods of time (four hours, twelve hours, etc.). It is important that the respondent is encouraged to think about the process from end to end.
The respondent is also asked to list the resources required to carry out the process in normal business circumstances and those required to carry out the process in a recovery situation.

6. Scheduling the Interviews.
7. Conducting the Interviews.
8. Tabulating the Information.
9. Presenting the Results.
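The questionnaire and tabulation steps above, worked through as an added example that is not part of the slides: each respondent rates the impact of the process not executing for the asked-about periods, and the tabulation derives a maximum tolerable outage per process and for the organization. The processes, departments, rating scale and outage periods are constructed assumptions.

```python
"""Added example (not from the slides): tabulating BIA questionnaire responses
into maximum tolerable outage (MTO) figures. All sample data is constructed."""
from typing import Optional

# Outage periods the questionnaire asks about, in hours (assumed).
OUTAGE_PERIODS = (4, 12, 24, 72)
# Impact rating given by respondents: 0 none, 1 minor, 2 serious, 3 severe.
SEVERE = 3


def process_mto(impact_by_outage: dict) -> Optional[int]:
    """Longest asked-about outage whose impact is still below 'severe'.
    None means the process cannot tolerate even the shortest period."""
    tolerable = None
    for hours in OUTAGE_PERIODS:
        if impact_by_outage[hours] >= SEVERE:
            break
        tolerable = hours
    return tolerable


def tabulate(responses: list) -> dict:
    """Step 8: one row per business process with its MTO and recovery needs."""
    return {r["process"]: {"department": r["department"],
                           "frequency": r["frequency"],
                           "critical_periods": r["critical_periods"],
                           "recovery_resources": r["recovery_resources"],
                           "mto_hours": process_mto(r["impact_by_outage"])}
            for r in responses}


def organisation_mto(table: dict) -> Optional[int]:
    """The organization tolerates no more than its most time-sensitive process."""
    mtos = [row["mto_hours"] for row in table.values()]
    return None if None in mtos else min(mtos)


# Constructed questionnaire responses (one per business process).
SAMPLE_RESPONSES = [
    {"process": "payroll run", "department": "HR", "frequency": "monthly",
     "critical_periods": ["25th to 28th"], "recovery_resources": ["payroll app", "bank link"],
     "impact_by_outage": {4: 0, 12: 1, 24: 2, 72: 3}},
    {"process": "order intake", "department": "Sales", "frequency": "hourly",
     "critical_periods": ["business hours"], "recovery_resources": ["CRM", "phones"],
     "impact_by_outage": {4: 1, 12: 3, 24: 3, 72: 3}},
    {"process": "month-end reporting", "department": "Finance", "frequency": "monthly",
     "critical_periods": ["month end"], "recovery_resources": ["ledger"],
     "impact_by_outage": {4: 0, 12: 0, 24: 0, 72: 1}},
]
```

`organisation_mto(tabulate(SAMPLE_RESPONSES))` yields the 4-hour figure driven by order intake, which is where the continuity strategy has to start.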
