step by-step-guide risk-security-dunn_firth_v.1.8
TRANSCRIPT
Understanding Risk & Cybersecurity for the Up & Coming CISO
A Step by Step Guide Contents Cybersecurity CISO’s Security Risk Responsibilities ...................................................................................... 2
The CISO and the Organization Structure ..................................................................................................... 6
The Four Cybersecurity CISO Risk Domains .................................................................................................. 7
Protect, Shield, Defend, Prevent ............................................................................................................... 7
Monitor, Detect, and Hunt ........................................................................................................................ 7
Respond, Recover, and Sustain ................................................................................................................. 7
Govern, Manage, Comply, Educate, and Manage Risk .............................................................................. 7
Examples of Risk and Mitigation in the Four Domains ............................................................................. 7
The Two Sides of Cyber Security Risk ............................................................................................................ 9
NIST CSF: The Cybersecurity CISO Risk Compass ........................................................................................ 10
An example of how to use the CSF Framework ...................................................................................... 10
The CIS CSC Controls: Where to Start ......................................................................................................... 11
How to Do a Risk Assessment ..................................................................................................................... 12
A Risk Assessment is a Snapshot in Time ................................................................................................ 12
A Quantitative vs Qualitative approach .................................................................................................. 13
The Elements of Cybersecurity Risk Management ................................................................................. 14
Risk Strategy ............................................................................................................................................ 14
Risk Tactical ............................................................................................................................................. 14
Risk Execution ......................................................................................................................................... 14
Risk Register ............................................................................................................................................ 14
Securing Awareness Programs: The Foundation for Building a Culture that Balances Risk and Security .. 14
Summary ..................................................................................................................................................... 15
Glossary ....................................................................................................................................................... 16
Cybersecurity CISO’s Security Risk Responsibilities
You’ve taken the most important step to becoming a Chief Information Security Officer (CISO) which is
deciding you want to be one!
The CISO, once a rare role and found mostly in financial institutions, is now found in proportionally
more of today’s organizations. In a CISO and Balancing Risk Survey with 99 responses from December
2016, targeting IT and Security professionals, 66 % of the responders’ organizations had a CISO. 67 %
were in organizations with 2,000 or more employees. 51 % of the organizations with 2,000 or less
employees have a CISO.
Now you have chosen the CISO role as your career path, you face the more challenging part of the
journey, developing the skills to lead the business through an increasingly dangerous cyber universe. As
a CISO you will be expected to help the business avoid a myriad of dangerous and evolving threats, meet
compliance and regulatory objectives, and still maintain maximum business profitability.
Building a culture that successfully embeds the balance of risk and security into their decisions is built on
a foundation of communication. That communication qualifies what the security risk are, where they
are, and how to avoid them. How to communicate involves a clear, consistent message through
executive briefings, an established risk decision process, and a frequently provided security awareness
training that provides clear messaging of the risk, what the security rules are, and who to ask if they are
unsure.
The professionals responding to the survey were from organizations that ranged from less than 100
employees, to organizations with over 100,000 employees. 56 % of the total number of responses
were individuals from 2,000 or more employees and 44 % of the responses were from organizations
with 2,000 or less employees.
44 Organizations with over 2,000 employees have a CISO
Yes No
22 Organizations with 2,000 or less employees have a CISO
Yes No
The CISO role has been evolving since 1995 when Steve Katz (Brocaglia, 2016), recognized as the first
CISO, was offered the newly minted role with Citibank. This first generation of CISO’s frequently arrived
in the role by being the most security conscious IT person who could represent security to the business.
The second generation of CISO will be expected to have a much broader range of skills. These skills
include business acumen, a deep understanding of governance, risk, compliance and an ability to see the
big picture so the business can strategically prepare for the next wave of cyber space disaster.
Many factors impact how the CISO role is defined such as the type of organization, the cyber security
maturity in the organization, the CISO’s charter, and the CISO’s reporting structure. If the CISO role is
seen as a traditional IT CISO role they often report through the Chief Technology Officer (CTO) or The
Chief Information Officer (CIO). If the CISO’s role is viewed as the more evolved CISO role that manages
risk resilience they often report through the Chief Financial Officer (CFO) or directly to the Chief
Executive Officer CEO. (Bonney, Hayslip, & Stamper, 2016)
It is important to consider not only where there CISO role fits in the organization, but also how the
breadth of their corporate leadership, responsibilities are defined. Being part of the C‐Suite, the slang
term for an organizations most senior executive roles, is an important step forward for the CISO role. It
Survey Responses Size of Organization
<100 101 ‐ 500 500 ‐ 2000 2000 ‐ 10000 10000 +
Survey Responses Type of Organzation
Financial Technology
Mil/Gov/Law enforcment Energy
Insurance Other
enables them to have a bigger influence on the final risk and business decisions made be the
oranizations. With this increased influence is increased accountablity which is visible in the many CISO
firings that happen after a major security event at highly impacted organizations. The CISO role viewed
as either “Information Security” or all of “Cyber Security” have much different responsibilities. The
Information Security CISO is responsible for “The protection of information and information systems
from unauthorized access, use, disclosure, disruption, modification, or destruction to provide
confidentiality, integrity, and availability” (CIA Triangle)(NIST, 2013). A Cyber Security CISO includes a
much broader scope of tasks, protecting information, as well as protecting and defending the use of
cyberspace from cyber‐attacks (NIST, 2013).
Information from the CISO and Balancing Risk Survey found even with this increased visibility and
responsibility, a CISO had the authority to make the final decision on business value related to
security risk in only 30 % of the surveyed organizations with CISOs.
The United States Computer Emergency Response Team (CERT) Software Engineering Institute
categorizes the CISO’s role as responsible as “Risk Reliance” role and breaks their guidance for CISO into
four domains of responsibility (Allen, et al., 2015).
1. Protect, Shield, Defend, and Prevent
2. Govern, Manage, Comply, Educate, Manage Risk
3. Respond, Recover
4. Monitor, Hunt, and Detect
Who Makes the Final Call on Risk Decisions
CISO CEO Manager Other
Figure 1 The Four Areas of CISO Responsibility
A C‐suite risk resilience CISO who reports to the CEO impacts security and risk across the entire
organization. This is an important difference from the IT focused CISO who views risk only from an IT
perspective. If risks are viewed too narrowly it’s possible that a business/security risk decision is made
that accepts a risk that appears to have a minor risk impact and positive business results that in reality
has a much broader impact and the risk versus business value is unacceptable high.
The Target breach in 2013 through a third party vendor, which had an estimated cost to Target of over
$291 Million dollars, is a case where this may have happened. Using and a more holistically business risk
may have prevented or controlled the impact of compromised third party vendor. (Daly, 2016)
Assignments to increase your knowledge and skill on how to balancing risk and business are
highlighted in blue boxes throughout this step by step guide. Actively developing these skills will make
sure you are ready when the success of your organization depends on you making the right decisions
to ensure they are both protected and profitable.
Communicating the ideal balance between risk and security is a critical skill for the successful CISO. It
requires understanding risk and security throughout their organization and across the Four Areas of
responsibilities. This communication should be to the executive team and employees and externally to
business partners, customers, shareholders and compliance bodies. Effectively using tools such as the
NIST Cybersecurity Framework (CSF) will guide you through the process and ensure your view of risk and
security and your guidance is comprehensive. Using the CSF Framework or similar type framework
CISO Security Risk Assignment 1: Study and Learn from The Post Mortems of breach Cases to
understand how organizations were compromised and where assumptions or security control
gaps occurred.
allows you to accurately scope, measure, and prioritize all the necessary components of a risk
assessment and remediation plan.
The CISO and Balancing Risk Survey provided evidence of good business communicaition in
organizations with CISOs. Security was not viewed at having an increased level of hindering or
preventing the business from achieving their goals. On a scale of 1, not hindering business success at
all, to 10 of success being dramatically hindered, organizations with and without CISOs had an average
score of 5.
A successful CISO understands the business and the organization’s financial objectives. Building a top
notch security program that is costly is pointless if the business is forced into bankruptcy.
The CISO and the Organization Structure
Organizations that view the CISO’s role as responsible for risk resilience see the CISO as a ship captain
successfully guiding them on their business journey. The CEO gives them the authority to prioritize
security initiatives to protect the business, and reduce security risk in the overall organization. The CISO
watches the forecast for big dangerous storms and guides the business through potential disasters. For
good risk resilience cyber security should be viewed as a business risk and be reported to the CEO with
the other risks of doing business such as the risks in the economy, risk in supplies, and financial risk.
CISO Security Risk Assignment 2: Look for opportunities to build your communication and
presentation skills by leading lunch and learns, presenting at security conferences, or
leading security teaching events. Be sure to ask for open and honest feedback from your
audience so you sharpen any of the presentation or communication skill areas that need
more work.
CISO Security Risk Assignment 3: As a CISO you will be asked to build a technical strategy for
the organization to protect the business. This will require a constant investment in
understanding the technical changes in technology, the associated security risks, and
potential security benefits. Prioritize keeping on top of your technical skills and
understanding new technology.
Establishing a Cyber Security charter between the CISO, the CEO, and the other members of
management ensures the CISO role and responsibility are clear to the rest of the organization. The CISO
charter grants authority to the CISO, provides boundaries for their authority and mandates performance
the CISO and their security organization is held accountable for.
As a new CISO you may not have a choice where you sit in the organization but may be able to influence
the reporting structure as both you and the organization’s cyber security program mature.
The Four Cybersecurity CISO Risk Domains
Protect, Shield, Defend, Prevent The Protect, Shield, Defend, and Prevent domain defends the enterprise from cyber threats and prevent
cybersecurity incidents within the expected risk resilience threshold.
Monitor, Detect, and Hunt The Monitor, Detect, and Hunt domain actively validates the security controls in the protect, shield,
defend, and prevent domain. This domain is responsible for looking for any threats that may have
evaded the protect, shield, defend, and prevent controls and reports and suspicious or unauthorized
events as quickly as they are detected.
Respond, Recover, and Sustain If a cybersecurity incident happens, the Respond, Recover, and Sustain domain minimizes the impact
and ensures that people follow the established policy and process so the organization can recover and
sustain operation with minimal impact to the organization, its users, or its customers.
Govern, Manage, Comply, Educate, and Manage Risk The Govern, Manage, Comply, Educate, and Manage Risk Domain provides continuous oversight,
management, security control prioritization, and performance metrics. This domain is responsible for
internal and external requirements compliance and ensuring how risk is mitigated aligns with the
organization’s risk tolerance.
Examples of Risk and Mitigation in the Four Domains Example Risk Example Mitigation / Control
Protect, Shield, Defend, Prevent
Prevent information leaking Employees are using Dropbox to share information with business partners.
Block the ports Dropbox uses and provide employee training
CISO Security Risk Assignment 4: Start practicing your business communication now. When
communicating risk always include the impact business impact and represented by positive
or negative financial value.
on the approved type and methods of data sharing.
Defend the network Employees are using their own devices on a corporate network.
Provide guest access network for employee personal devices and NAC address white listing for network access.
Shield Research and development teams are downloading resources from open source sites onto their corporate laptops.
Isolate the Research and Development activity from the corporate network and issue the team separate laptops for Research and Development and daily business use.
Monitor, Detect, and Hunt
Incident Management An IT engineer discovers ransomware on a system and immediately wipes the hard drive.
Ensure the proper steps for incident response are visible throughout the organization and included in the regularly training.
Data Leak An IT engineer discovers ransomware on a system and immediately wipes the hard drive.
Ensure the proper steps for incident response are visible throughout the organization and included in the regularly training.
Log Correlation Teams activate log capture but events are not tracked for related events or patterns.
Implement a SIEM that aggregates information on all events on the networks and alerts on anything suspicious.
Respond, Recover, and Sustain
Asset Management Assets are discarded without erasing company data.
Create a process for discarding assets and perform regular audits to ensure data is being properly erased.
Business Continuity Recovery from backup is not tested on a regular basis and when implemented fails.
Have regularly scheduled exercises and testing.
Sustain Main telecom provider is taken down by DDOS attack.
Engage with a second Telecom provider either splitting the Telecom business or splitting the engagement so that the second provider provides enough support to maintain basic functionality of the business.
Govern, Manage, Comply, Educate, and Manage Risk
Compliance Organizations process credit cards without compliance checks
Formal PCI Compliance Audit
Documentation No documented Acceptable Use Policy
Create Formal Policy Document
Human Resource Management Train only full time employees on secure development principles but majority of development provided by in house contractors
Ensure protection of the asset or customer drives the strategy and holistically considers all types of employees.
The Two Sides of Cyber Security Risk
IT centric CISO’s often view risk only in a negative context. Even worse these CISO’s have found
themselves forced to use dramatic examples and impacts to receive the appropriate amount of
attention. This forced hyperbole can damage their relationship with the rest of the business team who
view them as the security version of chicken little, constantly raising false alarms of the “ The sky is
falling, the sky is falling” and preventing them from achieving their business objectives.
A CISO who is business risk‐focused views risk from a balanced perspective. Seeing the potential for a
positive outcome, a negative outcome, and uses both potential outcomes to make a calculated risk
decision.
CISO Security Risk Assignment 5: Practice tracking the current security events in your
organization. What CISO domain do they fall into? What security control would reduce the
risk? What is the business trade off?
CISO Security Risk Assignment 6: Create a list of IT and business processes that are common
within an organization such as having a web storefront, using cloud services for a data
center, or allowing personal devices in your offices. List the positive risk, the negative risk,
the calculated risk, and examples of the various security controls used to reduce risk.
NIST CSF: The Cybersecurity CISO Risk Compass The NIST Cybersecurity Framework (CSF) was developed to help organizations better manage and
reduce Cybersecurity risk by identifying the highest risk and biggest impact areas and address those
areas as a top priority.
This diagram illustrates the flow of information between the business executives, business process, and
business operations. This information flow ensures budgets and risk are communicated, prioritized, and
aligned.
Figure 2 Framework for Improving Critical Infrastructure Cybersecurity v 1.0
The Framework Core identifies a set of activities to achieve specific cybersecurity results and the
security controls needed to implement them. The Frameworks is composed of Functions, Categories,
Subcategories, and alignment with individual frameworks such as COBIT or NIST.
An example of how to use the CSF Framework:
In this example from a completed CSF profile, we see that from the function Protect under the Category
of Access Control and the subcategory PR.AC‐5 the organization lists the security control of network
segmentation and references NIST 800‐53 for Informative reference.
Figure 3 CSF Framework Example 1
After completing the framework a profile is a created of the current organization. This profile is used to
prioritize activities as well as a benchmark for future assessments. The profile can be used to generate a
“target profile” for a risk profile target to use for future assessments and progress toward the risk target
profile.
The CIS CSC Controls: Where to Start
The CSF Framework refers to standards identified as “Informative References”. Standards guide an
organization on what security controls should be in place. Organizations use different standards based
on the organization, compliance requirements, and prior experience of the security team. The Center for
Internet Security (CIS) Critical Security Controls (CSC) are one of the most used standards and is provided
in a numbered priority order based on the effectiveness of the controls to reduce risk. Using the CSF
1 http://www.balisage.net/Proceedings/vol17/html/Lubell01/BalisageVol17‐Lubell01.html
CISO Security Risk Assignment 8: Read the Framework for Improving Critical Infrastructure
Cybersecurity v.1 and become familiar with the CSF methodology.
Framework and the CSC controls together provides a starting point to evaluate business risk and which
security controls to implement first.
How to Do a Risk Assessment The simplest way of thinking about risk in your organization is to consider:
What needs to be protected
Who does it need to be protected from
The likelihood of something happening
The impact if it does
What actions need to be taken if it does if an incident happens
A Risk Assessment is a Snapshot in Time A risk assessment provides a static look at a dynamic environment. One way to think about a risk
assessment is to compare it to a person receiving a physical. A physical is a person’s snapshot in time of
how healthy they are. The physical provides accurate health information for a limited window and
another physical is required to confirm the person is issue free. Unplanned events can impact how
healthy we are and a risk free healthy person can immediately become unhealthy due to an insect bite
or a car accident. In the same way, a physical is frequently required to confirm the individual health, a
risk assessment should be a continual dynamic process with new business, new environments, and new
risks continuously being pulled into the overall risk profile of the organizations.
CISO Security Risk Assignment 9: Frameworks and standards overlap and complement each
other. Become familiar with all the popular frameworks and standards. Knowing other
standards beyond the one your organization is using as a baseline is helpful if there is a
discrepancy in how a standard is interpreted or additional details determine a clearer plan of
action.
CIS CSC https://www.cisecurity.org/critical‐controls/
COBIT http://www.isaca.org/cobit/pages/default.aspx
ISO/IEC 270001:2013 http://www.iso.org/iso/catalogue_detail?csnumber=54534
NIST SP 800‐53 Rev.4 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800‐53r4.pdf
HITRUST https://hitrustalliance.net/csf‐license‐agreement/
OpenSAMM http://www.opensamm.org/
BSIMM v.7 https://www.bsimm.com/
A Quantitative vs Qualitative approach There are two different methods for capturing risk information. Quantitative which captures
information mathematically such as the number of vulnerabilities on a network and Qualitative which
uses descriptions based on a defined label such as “high”, “medium”, or “low”. Qualitative metrics are
often used for Risk Assessments when they are at first stages or when it’s difficult to find mathematical
information to compare such as when trying to qualify a loss of business due to “brand damage”.
Most risk assessments use a combination of quantitative or qualitative information for a risk profile.
CISO Security Risk Assignment 9: Start Small: OpenSAMM (Open Software Assurance
Maturity Model) is a great place to start evaluating the security maturity within your
organization. OpenSamm provides metrics, scorecards, and example organizations to
compare your organizations to for the software development process. It exposes you as
the risk assessor to the challenges of using metrics and scorecards and how to develop
metrics that are meaningful to the organization.
CISO Security Risk Assignment 10: Read and Review NIST SP 800‐30, NIST 800‐37, and
NIST SP 800‐39. These are the baseline that most people reference when discussing
strategies for risk assessments and a basic understanding of the NIST methodology and
process will ensure good communication.
The Elements of Cybersecurity Risk Management
Risk Management has multiple layers and it’s important to address risk at all of them
Risk Strategy Risk Strategy is alignment is where all the business leaders agree and align on risk about the business
strategy, risk appetite, and overall business goals vs all the types of business risk.
Risk Tactical The tactical layer is where the risk strategy is prioritized and aligned with a deliverable roadmap.
Positive negative risks are documented, and risk is managed with risk management tools that provide
reports and executive insight.
Risk Execution In the risk execution stage the roadmap is delivered on through budgeted resources. Policies are
developed and followed, and continuous reporting is provided to the executive team to ensure any
necessary adjustments are made on the tactical risk or strategic risk plan.
Risk Register A Risk Register contains details the risks to the organization. It captures, describes and assesses risks as
they are identified. A Risk Register can be a formal application or something simple such as a SharePoint
designed to restrict access.
When capturing a risk in a Risk Register it should include:
Who owns the risk? This should be a manager who has the authority to assign and allocate
budget and the person who is held accountable if there is an incident.
The actions required to remediate the risk.
A timeline for remediation and a future review date.
Dates when actions were completed and the risk item closed.
Securing Awareness Programs: The Foundation for Building a Culture
that Balances Risk and Security
A security awareness programs educate and empower employees as the organization's first protective
shield from security threats and layering information security resilience into the organization ensures it
is part of every business decision.
Any amount of Security Awareness training provides a positive benefit to an organization but the most
effective programs are frequent and use many different methods to deliver their message such as lunch
and learns, email, online video training, and in classroom training.
The training should highlight established basics as well as new information on evolving threats such as
Ransomware.
The CISO and Balancing Risk Survey found that 88 % of the organizations surveyed had formal Security
Awareness programs. The Survey also provided positive insight that 64 % of companies are providing
more frequent training and 28 % of the more frequent training being on going or monthly.
Summary
Organizations With Security Awareness Programs
Yes No
The Frequency that Security Awareness Training is Provided
Annual Frequent On going
CISO Security Risk Assignment 11:
Start building your security awareness program skills. Attend classes on building a
security awareness and use those skills to educate your co‐workers, friends, and
family on how good security hygiene and how to protect themselves. What risky
security behavior do they do that puts them in harm’s way?
Use their experiences and knowledge to help you build a broader knowledge of all
the potential organizational risks such as foothold information for an attacker
trying to compromise your organization's network. These could include:
o Schools that name parents and where they work,
o Churches that build databases of all extended family members, their ages,
and addresses.
o Sports programs that have poorly protected websites with personal
employee information.
Being a CISO is a challenging and important career. It will put you in the pilot seat of protecting your
organization. The keys to your success for managing the enormous number of threats, risk decisions,
and appropriate business guidance discussion will be building your technical, communication, and
business acumen skills.
Building a foundation of communication in your organizations embeds the balance of risk and security
into every decision. Your communication must clearly explain what the security risk are, where they are,
and how to avoid them.
How to communicate involves a clear, consistent message through executive briefings, an established
risk decision process, and a frequently provided security awareness training that provides clear
messaging of the risk, what the security rules are, and who to ask if they are unsure.
One area a new CISO should focus on is the change in risk tolerance after an event. The CISO and
Balancing Risk Survey found that the organizations view on risk tolerance was only moderately
changed after an event. On a scale of 1 representing no change, to 10, representing a dramatic change
in risk tolerance, the survey found that on average individuals responded only a moderate change of
behavior of 5 instead of a higher score that would indicate events changed the risk tolerance in the
organization.
The CISO role continues to dynamically change, be ready for the new exepectations from the CISO role
and the demanding environment. Build your business l business acumen, your knowledge of a
governance, general risk principles and what compliance your organization and industry must compy to
avoid fines and other negative consequences. It is important to consider not only where there CISO role
fits in the organization, but also how the breadth of responsibilities is defined so you meet expectations
and avoid any assumed gaps of accountability. Use the appropriate frameworks and standards to
effectively cover the CISO domains of:
1. Protect, Shield, Defend, and Prevent
2. Govern, Manage, Comply, Educate, Manage Risk
3. Respond, Recover
4. Monitor, Hunt, and Detect
And most important inspire the rest of your organization to join the cyber security team in protecting
the business and making sure every decision understands the security risk to the business and makes
the best possible decision that aligns with the organization's risk tolerance and financial objectives.
Glossary2
Attack An attempt to gain unauthorized access to system services, resources, or information, or an
attempt to compromise system integrity.
2All Glossary terms from NISTIR 7290 Revision 2 Glossary of Key Information Security Terms, download from http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf for a complete glossary list.
Audit Independent review and examination of records and activities to assess the adequacy of system
controls, to ensure compliance with established policies and operational procedures, and to recommend
necessary changes in controls, policies, or procedures.
Baseline Hardware, software, databases, and relevant documentation for an information system at a
given point in time.
Boundry Physical or logical perimeter of a system.
Common Vulnerability Scoring System (CVSS) An SCAP specification for communicating the characteristics of vulnerabilities and measuring their relative severity.
Cyber Incident Actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system and/or the information residing therein.
Compensating Security Control A management, operational, and/or technical control (i.e., safeguard or
countermeasure) employed by an organization in lieu of a recommended security control in the low,
moderate, or high baselines that provides equivalent or comparable protection for an information
system.
Cyberattack An attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of
disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or
destroying the integrity of the data or stealing controlled information.
Cybersecurity The ability to protect or defend the use of cyberspace from cyber attacks.
Cyberspace A global domain within the information environment consisting of the interdependent
network of information systems infrastructures including the Internet, telecommunications networks,
computer systems, and embedded processors and controllers.
Data Security Protection of data from unauthorized (accidental or intentional) modification,
destruction, or disclosure
Exploit Code A program that allows attackers to automatically break into a system.
Firewall A gateway that limits access between networks in accordance with local security policy
Impact The magnitude of harm that can be expected to result from the consequences of unauthorized
disclosure of information, unauthorized modification of information, unauthorized destruction of
information, or loss of information or information system availability.
Incident A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices
Information Security Risk The risk to organizational operations (including mission, functions, image,
reputation), organizational assets, individuals, other organizations, and the Nation due to the potential
for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or
information systems.
Information Security The protection of information and information systems from unauthorized access,
use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and
availability
Information security encompasses people, processes, and technologies. It concentrates on how
to protect:
• Confidentiality ‐ protecting information from unauthorized access and disclosure. For example,
what would happen to your company if customer information such as usernames, passwords, or
credit card information was stolen?
• Integrity ‐ protecting information from unauthorized modification. For example, what if your
payroll information or a proposed product design was changed?
• Availability ‐ preventing disruption in how you access information. For example, what if you
couldn’t log in to your bank account or access your customer’s information, or your customers
couldn’t access you? (Paulsen & Toth, 2016)
Least Privilege The security objective of granting users only those accesses they need to perform their official duties.
Likelihood of Occurrence In Information Assurance risk analysis, a weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability.
Metrics Tools designed to facilitate decision‐making and improve performance and accountability through collection, analysis, and reporting of relevant performance‐related data. Passive Security Testing Security testing that does not involve any direct interaction with the targets, such as sending packets to a target. Phishing Tricking individuals into disclosing sensitive personal information through deceptive computer‐based means. Remediation The act of correcting a vulnerability or eliminating a threat. Three possible types of remediation are installing a patch, adjusting configuration settings, or uninstalling a software application. Resilience The ability to quickly adapt and recover from any known or unknown changes to the environment through holistic implementation of risk management, contingency, and continuity planning Risk The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.
Risk Assessment The process of identifying risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation, arising through the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place. Risk Management The process of managing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system, and includes: (i) the conduct of a risk assessment; (ii) the implementation of a risk mitigation strategy; and (iii) employment of techniques and procedures for the continuous monitoring of the security state of the information system. Risk Response Accepting, avoiding, mitigating, sharing, or transferring risk to organizational operations (i.e., mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation. Risk Tolerance The level of risk an entity is willing to assume in order to achieve a potential desired result. Security Control Baseline The set of minimum security controls defined for a low‐impact, moderate‐impact, or high‐impact information system. Security Controls The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. Security Policy The statement of required protection of the information objects. Security Requirements Requirements levied on an information system that are derived from applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures, or organizational mission/business case needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted.
Security Testing Process to determine that an information system protects data and maintains
functionality as intended.
Technical Security Controls Security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.
Threat Any circumstance or event with the potential to adversely impact organizational operations
(including mission, functions, image, or reputation), organizational assets, individuals, other
organizations, or the Nation through an information system via unauthorized access, destruction,
disclosure, modification of information, and/or denial of service.
Unauthorized Access Occurs when a user, legitimate or unauthorized, accesses a resource that the user is not permitted to use.
Vulnerability Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. Work Factor Estimate of the effort or time needed by a potential perpetrator, with specified expertise and resources, to overcome a protective measure. Zombie A program that is installed on a system to cause it to attack other systems.