Read03 401 - jserpa-p/lisbon-ops-301n1_Reading GitHub Wiki
Security and Risk Management
This article covers the Security Risk Management (SRM) certification, a professional certification offered by the Information Security Institute (InfoSec). Security and Risk Management is also the first of the 8 domains covered on the CISSP certification exam.
In order to have a good security model you should have controls in place that support the mission of the organization, and every decision should be based on the organization's risk tolerance. A good strategy is to separate planning into 3 levels: operational goals (daily goals focused on productivity and task-oriented activities that keep the company functioning in a smooth and predictable manner), tactical goals (mid-term goals that could involve moving computers into domains, installing firewalls and segregating the network by creating a demilitarized zone) and strategic goals (long-term goals that may involve moving all the branches from dedicated communication lines to frame relay, implementing IPSec virtual private networks (VPNs) for all remote users instead of dial-up entry, and integrating wireless technology with the comprehensive security solutions and controls already existing within the environment).
CIA
- Confidentiality refers to the protection of sensitive information from unauthorized disclosure. This includes keeping information confidential by restricting access to it to authorized individuals or groups, as well as encrypting data in transit or at rest to prevent it from being intercepted or accessed by unauthorized parties.
- Integrity refers to the accuracy and completeness of information. It involves protecting data from unauthorized modifications or tampering, whether intentional or accidental, to ensure that it remains reliable and accurate.
- Availability refers to ensuring that information is accessible and usable when needed. This means ensuring that systems and data are available to authorized users when they need them, as well as ensuring that systems and data are resilient and can withstand attacks or disasters that could cause disruption or downtime.
Why is risk management important for CISSP?
Risk management is an essential component of the Certified Information Systems Security Professional (CISSP) certification, as it plays a critical role in protecting information systems and data. Here are some reasons why risk management is important for CISSP: Identifying risks; Assessing risks; Prioritizing risks; Mitigating risks; Monitoring risks. Risk management is critical to the success of the CISSP certification, as it allows security professionals to identify, assess, prioritize, mitigate, and monitor risks to protect an organization's information assets. By effectively managing risks, CISSP professionals can help organizations to maintain the confidentiality, integrity, and availability of their critical data and systems.
Lifecycle of risk management
The lifecycle of risk management is a process that involves identifying, assessing, responding to, and monitoring risks.
- Risk identification: In this stage, potential risks to an organization's assets are identified. This may involve conducting risk assessments, reviewing historical data, and consulting with subject matter experts.
- Risk assessment: Once risks have been identified, they are assessed to determine their likelihood and potential impact. This involves analyzing the probability of a risk occurring and the potential consequences if it were to occur.
- Risk response: After risks have been assessed, appropriate responses are developed and implemented to mitigate or reduce the impact of identified risks. This may include implementing security controls, developing policies and procedures, or transferring the risk through insurance.
- Risk monitoring: Once risk responses have been implemented, risks are monitored on an ongoing basis to ensure that they are being managed effectively. This involves reviewing risk assessments, monitoring security controls, and updating risk management plans as needed.
- Risk reporting: Finally, risk management reports are prepared to document the organization's risk management activities. This includes documenting the results of risk assessments, outlining risk response strategies, and providing status updates on risk management activities.
The risk management lifecycle is a continuous process, with each stage building upon the previous one. By effectively managing risks, organizations can minimize the impact of potential threats and ensure the continuity of their operations.
Questions
- Consider a bank ATM that allows users to access bank account balances. What measures can the ATM incorporate to cover the principles of the CIA triad? Firstly, in terms of confidentiality, the ATM can incorporate measures to protect the secrecy of user account information, for example by requiring a PIN to access the account. In terms of integrity, it can ensure that the account balance displayed to the user is accurate and up-to-date. And for availability, the ATM should be designed to prevent denial-of-service (DoS) attacks, which can cause the service to become unavailable.
- Name three best practices that support the CIA triad. Access control; Data encryption; Incident response planning.
- What are the three stages of the risk management lifecycle? What is each stage's main goal or objective?
You can see the answer in the Lifecycle of risk management section above; the 5 points there can be reduced to 3: Risk Assessment; Risk Mitigation; Risk Monitoring.