Risk is a crucial element in all our lives. In every action we plan to take in our personal and professional lives, we need to analyze the risks associated with it. From a cybersecurity perspective, industries such as energy, healthcare, banking, insurance, retail, etc., involves a lot of risks which impedes the adoption of technology and which needs to be effectively managed. The associated risks which need to be addressed evolve quickly and must be handled in a short period of time.
Computing technology is not restricted to Mainframes and PCs anymore.
Risk management involves comprehensive understanding, analysis, and risk-mitigating techniques to ascertain that organizations achieve their information security objective. Risk is inherent fundamentally in each and every aspect of information security decisions and thus risk management concepts help aid each decision to be effective in nature. If you wish to gain a more thorough knowledge of this module, you are required to gain the prep courses, which are being offered at
SPOTO.
The major components of Security and Risk Management crucial for CISSP are:
- Security Model / Information security within the organization
- The triad of information security – Confidentiality, Integrity, and Availability
- Security governance principles
- Business continuity requirements
- Policies, standards, procedures, and guidelines
- Risk management concepts
- Threat modeling
Security Fundamentals
Confidentiality, integrity, and availability (the CIA triad) is a typical security framework intended to guide policies for information security within an organization.
-
Confidentiality: Prevent unauthorized disclosure
Confidentiality of information would be referring to grant protecting the information from disclosure to unauthorized parties.
Key areas for maintaining confidentiality:
- Social Engineering: Training and awareness, defining Separation of Duties at the tactical level, enforcing policies and conducting Vulnerability Assessments
- Media Reuse: Proper Sanitization Strategies
- Eavesdropping: Use of encryption and keeping sensitive information off the network with adequate access controls
-
Integrity: Detect modification of information
The integrity of information denotes protecting the sensitive information from being modified by unauthorized parties.
Key areas for maintaining confidentiality:
- Encryption – Integrity based algorithms
- Intentional or Malicious Modification
- Message Digest (Hash)
- MAC
- Digital Signatures
-
Availability: Provide timely and reliable access to resources
The availability of information signifies ensuring that all the required or intended parties are able to access the information when needed.
Key areas for maintaining availability:
- Prevent a single point of failure
- Comprehensive fault tolerance such as Data, Hard Drives, Servers, Network Links, etc.
Risk Management
Risk management is the process of identifying, examining, measuring, mitigating, or transferring risk. Its main goal is to reduce the probability or impact of an identified risk. The risk management lifecycle includes all risk-related actions such as Assessment, Analysis, Mitigation, and Ongoing Risk Monitoring which we will discuss in the latter part of this article.
The success of a security program can be traced to a thorough understanding of risk. Without proper consideration and evaluation of risks, the correct controls may not be implemented. The risk assessment would be ensuring that we identify and evaluate our assets, then identify threats and their corresponding vulnerabilities.
Risk analysis allows us to prioritize these risks and ultimately assign a dollar value to each risk event. Once we have a dollar value for a particular risk, we can then make an informed decision as to which mitigation method best suits our needs. And at the end, as with all elements of a security policy, the ongoing evaluation would be considered as essential. New attacks and other threats are always emerging, and security professionals must stay informed and up to date.
These were some basic details which would be going to cover in the Security and Risk Management module of the CISSP. If you wish to have more knowledge regarding the
CISSP exam, you should join the courses which would be offered by the SPOTO.