CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide. Gibson Darril

Чтение книги онлайн.

СКАЧАТЬ Table 2.2 Comparison of quantitative and qualitative risk analysis

Risk Assignment/Acceptance

      The results of risk analysis are many:

      ■ Complete and detailed valuation of all assets

      ■ An exhaustive list of all threats and risks, rate of occurrence, and extent of loss if realized

      ■ A list of threat-specific safeguards and countermeasures that identifies their effectiveness and ALE

      ■ A cost/benefit analysis of each safeguard

      This information is essential for management to make educated, intelligent decisions about safeguard implementation and security policy alterations.

      Once the risk analysis is complete, management must address each specific risk. There are four possible responses to risk:

      ■ Reduce or mitigate

      ■ Assign or transfer

      ■ Accept

      ■ Reject or ignore

      You need to know the following information about the four responses:

      Risk Mitigation Reducing risk, or risk mitigation, is the implementation of safeguards and countermeasures to eliminate vulnerabilities or block threats. Picking the most cost-effective or beneficial countermeasure is part of risk management, but it is not an element of risk assessment. In fact, countermeasure selection is a post-risk-assessment or post-risk-analysis activity. Another potential variation of risk mitigation is risk avoidance. The risk is avoided by eliminating the risk cause. A simple example is removing the FTP protocol from a server to avoid FTP attacks, and a larger example is to move to an inland location to avoid the risks from hurricanes.

      Risk Assignment Assigning risk or transferring risk is the placement of the cost of loss a risk represents onto another entity or organization. Purchasing insurance and outsourcing are common forms of assigning or transferring risk.

      Risk Acceptance Accepting risk, or acceptance of risk, is the valuation by management of the cost/benefit analysis of possible safeguards and the determination that the cost of the countermeasure greatly outweighs the possible cost of loss due to a risk. It also means that management has agreed to accept the consequences and the loss if the risk is realized. In most cases, accepting risk requires a clearly written statement that indicates why a safeguard was not implemented, who is responsible for the decision, and who will be responsible for the loss if the risk is realized, usually in the form of a sign-off letter. An organization’s decision to accept risk is based on its risk tolerance. Risk tolerance is the ability of an organization to absorb the losses associated with realized risks. This is also known as risk tolerance or risk appetite.

      Risk Rejection A final but unacceptable possible response to risk is to reject or ignore risk. Denying that a risk exists and hoping that it will never be realized are not valid or prudent due-care responses to risk.

      Once countermeasures are implemented, the risk that remains is known as residual risk. Residual risk comprises threats to specific assets against which upper management chooses not to implement a safeguard. In other words, residual risk is the risk that management has chosen to accept rather than mitigate. In most cases, the presence of residual risk indicates that the cost/benefit analysis showed that the available safeguards were not cost-effective deterrents.

      Total risk is the amount of risk an organization would face if no safeguards were implemented. A formula for total risk is as follows:

      threats * vulnerabilities * asset value = total risk

      (Note that the * here does not imply multiplication, but a combination function; this is not a true mathematical formula.) The difference between total risk and residual risk is known as the controls gap. The controls gap is the amount of risk that is reduced by implementing safeguards. A formula for residual risk is as follows:

      total risk – controls gap = residual risk

      As with risk management in general, handling risk is not a one-time process. Instead, security must be continually maintained and reaffirmed. In fact, repeating the risk assessment and analysis process is a mechanism to assess the completeness and effectiveness of the security program over time. Additionally, it helps locate deficiencies and areas where change has occurred. Because security changes over time, reassessing on a periodic basis is essential to maintaining reasonable security.

Countermeasure Selection and Assessment

      Selecting a countermeasure within the realm of risk management relies heavily on the cost/benefit analysis results. However, you should consider several other factors when assessing the value or pertinence of a security control:

      ■ The cost of the countermeasure should be less than the value of the asset.

      ■ The cost of the countermeasure should be less than the benefit of the countermeasure.

      ■ The result of the applied countermeasure should make the cost of an attack greater for the perpetrator than the derived benefit from an attack.

      ■ The countermeasure should provide a solution to a real and identified problem. (Don’t install countermeasures just because they are available, are advertised, or sound cool.)

      ■ The benefit of the countermeasure should not be dependent on its secrecy. This means that “security through obscurity” is not a viable countermeasure and that any viable countermeasure can withstand public disclosure and scrutiny.

      ■ The benefit of the countermeasure should be testable and verifiable.

      ■ The countermeasure should provide consistent and uniform protection across all users, systems, protocols, and so on.

      ■ The countermeasure should have few or no dependencies to reduce cascade failures.

      ■ The countermeasure should require minimal human intervention after initial deployment and configuration.

      ■ The countermeasure should be tamperproof.

      ■ The countermeasure should have overrides accessible to privileged operators only.

      ■ The countermeasure should provide fail-safe and/or fail-secure options.

      Keep in mind that security should be designed to support and enable business tasks and functions. Thus countermeasures and safeguards need to be evaluated in the context of a business task.

Implementation

Security controls, countermeasures, and safeguards can be implemented administratively, logically/technically, or physically. These three categories of security mechanisms should be implemented in a defense-in-depth manner in order to provide maximum benefit (Figure 2.6).

Figure 2.6 The categories of security controls in a defense-in-depth implementation

      Technical

      Technical or logical access involves the hardware or software mechanisms used to manage access and to provide protection for resources and systems. As the name implies, it uses technology. Examples СКАЧАТЬ