CISSP Essentials Lesson 1: Security management practices
Date: Aug 28, 2008
In this CISSP Essentials Security School lesson, Shon Harris of Logical Security details security management practices.
Read the full transcript from this video below:
CISSP Essentials Lesson 1: Security management practices
Host: Welcome to SearchSecurity’s CISSP Essentials: Mastering
the Common Body of Knowledge. This is the first in a series of ten classes exploring the
fundamental concepts, technologies and practices of information systems security as it corresponds
to CISSP’s common body of knowledge.
Today we’ll examine topics covered in the first domain of the common body of knowledge, security
management practices. Our instructor, Shon Harris, will lead us through an examination of security
management responsibilities, the core components of security management including risk management,
security policies, and security education, administrative, technical and physical controls, and
more.
Shon Harris is a CISSP, MCSE and president of Logical Security, a firm specializing in security
education and training. Logical Security provides training to corporations, individuals, government
agencies and many organizations. You can visit Logical Security at www.logicalsecurity.com.
Shon is also a security consultant, a former engineer in the Air Force's information warfare unit,
and an established author. She has authored two best-selling CISSP books, including "CISSP
All-in-One Exam Guide" and was a contributing author to the book "Hacker’s Challenge."
Shon is currently finishing her newest book, "Gray Hat Hacking: Ethical Hacker’s Handbook." Thank
you for joining us today, Shon.
Shon: Absolutely. Thank you for having me.
Host: Before we get started, I’d like to point out the links on your screen. The first points to
the library of our CISSP Essentials classes, where you can register to attend other classes as they
become available.
You will also find at the library additional class materials, including a link to print out Shon’s
presentation with space to jot down your own notes. The second link on your screen allows you to
test what you’ve learned with the helpful practice quiz on today’s class materials.
Finally, you’ll find the link to an executive briefing. And now we’re ready to get started. It’s
all yours, Shon.
Shon: Thank you. Today we will be looking at the security management practices domain. This is
always a good domain to start with when you’re studying for the CISSP exam. This really looks at
the core functions and roles within an organization on how to set up the security program and all
the components that fall underneath that.
Here we have the actual objective of the domain that we cover in class. We’ll start with the
definition, like most of the different domains do. What’s important to know is that especially for
the exam and for real life, not only memorizing the definitions but understanding the core concepts
behind the words and the terms that we use in information security is extremely important. Because
you can only implement and practice things you truly understand.
We’re going to look at some of those definitions. We’ll look at the different types of controls,
which are really types of counter-measures that can be implemented in environments. A majority of
this domain looks at security management and different risk management and risk analysis processes.
And we’ll look at the different components of the security program, along with information
classifications.
The one thing that we won’t cover in this one hour long class is roles and responsibilities in the
security program, but it’s very important. A security program, which we’ll look at, is within an
organization the core of what needs to be developed and maintained for a company to be compliant
with what it’s set out to be compliant with, either regulations or laws, or best practices in the
industry.
A very large portion of that is identifying the necessary roles and mapping the responsibilities to
those roles within the security program. Although we won’t cover all the roles in this one hour
section, the exam does cover those roles and they’re important within organizations to know what a
data owner is. What a system owner is. What application owners are. What are these roles, who
should fulfill them, and how do they play in the overall organization security program?
We’ll closely look at the employee management issues and awareness training. What’s interesting is
that there’s a common mantra among security professionals, the whole 80/20 issue with employees,
that the insider threat is the biggest threat for corporations today.
But even though we continually say this 80/20, meaning that our largest threats come from internal
instead of external, I do not believe that organizations today actually treat that the way that
they should and train the employees and get them the knowledge that they need to understand, to be
able to participate in protecting the company’s assets.
Awareness training, although we understand what that is, is that we need to make sure that the
employees know what they’re supposed to do. You’re not going to follow any rules if you don’t know
the rules. There are also legal issues surrounding awareness training.
There have been several successful court cases where an employee was doing something that you
and I would consider wrong, and then the employer fired this employee. The employee would come
back and say, "I didn’t know that I wasn’t supposed to do that."
The employee can actually win the case if the employer has not done all that they’re supposed to
do, which is set up a security program, set up security policies, and carry out awareness training
to tell these employees what they’re supposed to do and what they’re not supposed to do and what
the ramifications of those are.
Even though we understand what awareness training is, there are different reasons to actually
implement awareness training, legal protection being one of them. If you can prove that I did tell
this individual what expectations the company had of them, and that if they went against them they
could be terminated or prosecuted, you have more of a legal standing within that type of a case.
We do have security definitions here. These seem very simplistic, and when you read through them
they’re not too difficult. A vulnerability is just a weakness or lack of a counter-measure. A
threat is that somebody’s going to identify a vulnerability, exploit it, and use it against you.
The risk is determining the probability of this activity taking place and the business impact of
this.
What I find is that people don’t truly understand these definitions. Not only for the exam but in
the industry. Because today we have some common, very overly used words like vulnerability
identification and vulnerability management. Threat management. Risk management.
I believe that risk is really a word that’s used way too much in the industry today. Mainly because
people don’t truly understand the differences and the relationships between vulnerability, threats
and risk.
Again, what a vulnerability is, a company can have a long list of vulnerabilities. As a security
professional, it’s important that you recognize all the possible vulnerabilities a company can
face. Unfortunately, today we mainly think of hackers and crackers and somebody coming through a
port to carry out some type of attack electronically.
Companies have an amazing amount of vulnerabilities. Social engineering, legal issues, downstream
liabilities, civil and criminal cases, your internal threats, personnel not having the right level
of knowledge. These are different types of vulnerabilities that most people forget about, but they
are the cause of a majority of security compromises and breaches that happen today.
Vulnerability is that there’s a weakness and the threat is that somebody’s going to uncover that
and use it against you. The first step is to identify the vulnerability, but is there some type of
threat that is associated with that vulnerability?
A company has a whole bunch of vulnerabilities, but if it doesn’t have an associated threat, it’s
not as important. That’s part of risk. Actually identifying these components, their relationship,
but then calculating the probability of someone exploiting this vulnerability, being successful,
and the business impact.
That’s why I feel the word risk is being overused today. Because risk is really being able to
understand all of the things the company faces and the potential dangers to the company if one of
these threats becomes realized.
Today, risk analysis and management is a mix between an art form and a science, mainly because of
the maturity of the process within information security. We’re going to look at risk management
and different analysis approaches.
Then we have another definition, of exposure. It just means that there’s a vulnerability and it was
exploited, so now there’s an actual exposure and then you’re going to put a counter-measure in
place to make sure that that doesn’t happen again.
Even though these words seem very simplistic and straightforward on this, on the CISSP exam you can
see questions that will really force you to show that you understand the concepts of these
definitions. It’s not just these definitions in this one domain, but this is why a lot of people
feel that the CISSP exam is difficult, because it’s not one where you can just memorize definitions
and regurgitate. You really have to understand the concept behind the terms, how they interrelate
with each other and the outcome of them.
Here we see that we have a threat agent. A threat agent is the component that will actually exploit
a vulnerability. When we want to do risk management and risk analysis, whoever’s carrying these
processes out has to understand, intimately, how all of these things work and their
relationships.
Through the different domains, you’ll see the different control types. Administrative, technical,
physical. For the exam you’re responsible for knowing the differences between controls, where
administrative is really management’s responsibility.
Some examples of administrative controls would be development of the security program, development
of the security policy, standards, guidelines. Ensuring that testing and drills take place,
employee management. Developing roles and delegating tasks, risk management. These are the things
that fall under administrative control, and they’re senior management and middle management’s
responsibility.
This is different than technical controls. Technical controls would be just what we would think of,
a firewall, intrusion detection systems, access controls, encryption. Then physical controls, not
too difficult. Examples could be security guards, fencing, lighting, those types of things.
Even though that’s not very difficult, you will be responsible for knowing the differences of them
but also examples of them and when to use the right control in the right situation. Several
different controls provide different services, which we’ll look at in another domain. A control can
be preventative in nature. It could be deterrent in nature, it could be corrective in nature.
You’d not only have to know maybe that encryption is a technical control, it’s also a preventative
technical control because you’re trying to prevent somebody from accessing confidential
information.
Now a common mantra within security is defense in depth and the layered approach. A majority of the
people understand what that means, which is the bad guy needs to go through a lot of work before
they get to your company’s critical assets.
For example, if somebody is able to compromise your border router, they must now go through other
steps before they get into a database that holds all of your customer credit cards. You can have
different layers. If they get through the router, then they have to go through the firewalls. If
they do that, then they have to bypass the intrusion detection systems. Then they have to
compromise access controls. Then they have to actually break encryption.
These are different layers that provide a higher level of protection than of course if you’re just
relying on one layer. What I find interesting in most companies is that we have, and really in the
industry, we have so much of an emphasis on technical controls that we don’t realize that a layered
approach and defense in depth should be a mix of administrative, technical and physical
controls.
If you think about it within your organization, you know the group of people who’s responsible for
administrative controls, who’s developing the security program and the policies and employee
management. You have another group that’s responsible for technical controls, which is usually IT
or security officers. Then you have the group that’s responsible for physical controls, the
security guards and the fencing and lighting.
What’s too bad is that all of these different groups have the same goal of protecting the company’s
assets, but they have a different focus. So they don’t talk to each other and they don’t understand
what each other’s doing, which really a lot of times ends up being these holes within the
overall security posture of the company.
Defense in depth should not only be technical but it should be a proper mixture of the
administrative, technical and physical controls.
Okay. This domain really looks at the core components of the security program. I think the term
"security program" is really the least well-defined and understood concept in information security,
which is very ironic because it’s actually the most critical component in organizations’
security.
I find when I talk to a lot of C-level individuals, especially ones that are now under new
regulations and have what I refer to as the liability ball thrown into their lap, like a lot of
CIOs who are now responsible for meeting government regulations they never had to before, that
they’re constantly being told, "You have to develop and implement a security program."
They hear this all the time, but they have no idea really what a security program means. That’s
what this domain really gets into, is all the components necessary for the security program. And
we’ll look at a few of them in a few minutes.
The security program should encompass and meet the business objectives and how it relates to
security. The company needs to set an acceptable risk level, which means we’re willing to accept
this amount of risk and no more. A lot of companies don’t really understand how to do that, how to
set that acceptable risk level.
Different organizations that are in different industries and have different types of threats are
going to have different risk levels. Financial institutions will have a different acceptable risk
level than a hospital.
The security program also needs to be developed to understand the legal ramifications, the
regulations, compliances, the roles that need to be laid out. How auditing, accountability will be
set up and continual assessments.
This is really the meat of this first domain. I think it’s extremely critical, but a lot of
corporations do not properly carry this out. They don’t understand what a real security program
needs from top to bottom. Security within a company should be carried out through a top-down
approach, meaning that a security program is developed, maintained, overseen and run by senior
management.
If it’s not a top-down approach then it’s a bottom-up approach, which means that there are staff
members that understand that the company has vulnerabilities and there are certain types of
threats, and they’re going to try to push for some level of security. Now that approach is usually
doomed to fail, because people at the staff level don’t have access to the purse strings so they
can’t get the money necessary to protect the company.
They can enforce security standards and enforcement. But also people that work in the IT
department, they don’t see the full vision of the company. Senior management should be driving
security from the top because the senior management should understand all of the risks that a
company faces, which has a lot more to do than just with hackers coming in through ports.
Today we’re going through evolutionary steps in our understanding of information security and we’re
maturing in the process. To understand that it’s not just technical issues. This is where we
started, a lot of companies may think security is a technical issue and may focus their whole
security program on IDS and active control and firewalls.
It’s important to understand the technology. It’s just one component of security overall.
Here we show a security road map. This is the different steps that we go through in this domain.
It’s how to actually develop a security program, how do you start and how does it go through its
lifecycle? This is a very mature approach, an approach that uses specific methods.
Again, it’s starting with what are the business needs, what are the business objectives? Then going
from there to develop the security architecture. That security architecture includes all of the
components within the security program, some of them that I’ve already mentioned.
Then the program has to be properly integrated into the organization’s structure, because
unfortunately today because information security is confusing to people, it’s new, it’s a theory,
it’s not integrated within the company overall. It’s not treated as a business process. It’s not
integrated into the organization. It usually stands off by itself as an island over in the corner
and people think it’s just a technology issue.
When the security program is being developed, it’s not just developing a policy but how do we
integrate it into our business processes? Then we start looking at a technical framework. Then we
look at how our technical counter-measures or technical controls map to what we’ve set up in our
policies and our overall security architecture.
How does it support our security policies? How does it enforce the security policies? And we have a
specific baseline of security for our organization overall. The baseline is a minimum level of
security. It’s not just a technical issue. It’s administrative and it’s also physical. You need to
have a certain baseline for your whole organization.
During this process, these things are established. The controls are identified and put into place
to ensure that this baseline is always kept, and then your day is not done. Then you need to make
sure how do we stay at this level of baseline? Which happens through risk management and carrying
out assessments, carrying out analysis and having a level of confidence and assurance that no
matter how much our environment changes, we are still supporting in [inaudible] to the security
policy that acceptable risk level that we set off in the beginning.
These are all of the components. It’s a one two three four step. Unfortunately a lot of companies
just start in the middle where they’re looking at technical issues and keep their head down on
those problems.
Now in this domain, we go through several of the components that are necessary within the security
program. There’s security policy. A security policy is management’s directive on the role of
security within the corporation.
It sets the tone. It means that management is saying this is the role of security within the
corporation, this is the expectations of the employees. These are the ramifications for not meeting
these expectations. And really, it’s the head of the whole security program.
What falls under this policy, because the policy is very general in nature. It’s not specific. It’s
very general so it can be wide-reaching and can cover a lot of different aspects of the
organization. But to implement a solid security, we need more meat. We need more definition, we
need more specifics.
Under the policy we have standards and guidelines and baselines that we cover in this domain.
There’s different types of policies companies can use. They can be regulatory in nature. Different
industries have to be compliant with different types of regulation, so these policies would map out
how the compliancy is actually met.
It could be advisory policies which specify what the expectations of the employees are, and
informative that don’t give us too much information but are tools to instruct employees on what
they should do in different instances.
Now data classification is very important. A lot of companies don’t necessarily understand the data
classification procedures or why it’s important. The reason it’s important today is because data
and information are some of the most critical assets of a company compared to years and years ago,
where the assets may have been more physical, tangible assets.
Today, the things that we need to protect the most are mainly intangible. They’re data. We have to
have a program set up to identify the different data sub-sets. How important these sub-sets are to
the company and what we need to do to properly protect them, since they are our most critical
assets.
The company has to come up with the classification scheme you’re going to use. You’re going to use
top secret, secret, confidential, public, internal use only. It’s up to the company. These aren’t
set by standards bodies that say we have to use specific sets.
The company needs to determine what scheme you’re actually going to use. If we’re going to use
maybe confidential, public and then internal use only, the company has to decide what that
actually means. What does confidential mean?
That’s where the criteria come into place. If data is going to be dropped in the confidential
bucket, then it has to meet that specific criteria. If another data set is going to go into the
public bucket, meaning it’s going to have the classification of public, it’s got to meet this
criteria.
You can’t just leave it up to different individuals to make their own decisions on how critical
certain types of data is. That’s not a standardized approach. So the company needs to come out with
an actual criteria, and we’ll look at an example in just a second.
It’s not only criteria. Once you define if we’re going to use top secret, secret, classified, what
does that mean, and then what level of protection does that actually require? That indicates what
types of counter-measures and controls we’re going to put in place to protect the information that
falls within these different buckets.
You have to identify the counter-measures and controls you’ll put in place. Who’s responsible for
classifying data? That’s one of the roles that falls within the security program; it’s referred to
as the data owner. The data owner is responsible for a sub-set of data.
The senior management and company is the overall data owner because they’re responsible for all of
the data within a company. What happens usually is it gets delegated. You’d have different
department heads that could be different data owners of the information that’s in their department.
You have to have somebody who’s responsible for classifying the data.
And then how is that data maintained? That comes under the custodian responsibilities, which
usually goes to the IT department. Then there’s other things that need to be mapped out. What
happens when somebody has to take over ownership of data? What happens when we need to declassify
data? The data won’t stay at this certain level of sensitivity through its whole lifecycle.
Although a lot of people can read through these bullets on a screen and it makes a lot of sense,
kind of a one two three, corporations have a hard time actually understanding and practicing it
and putting this in place.
The military has done this for a long time because their emphasis is protecting critical
information and always has been. The military has their system down, but corporations today are
struggling with it. It’s very important to understand the steps, why the steps are carried
out.
We could try to protect all of our data at a high level of protection. Just call everything top
secret and put all the necessary mechanisms in place, but there’s not a cost-benefit analysis going
on there. You’d have to make sure security makes sense as a business decision, which means that we
have to understand what are our most critical assets that we need to protect.
Now throughout the different domains, we talked about due diligence and due care. These are common
legal terms. They don’t exist within information security. These are legal terms that are used all
the time.
Due diligence means that somebody is doing what they’re supposed to do to uncover what they’re
supposed to be afraid of. In information security, the company will carry out due diligence if
they do risk analysis, if they do the assessments, if they understand their vulnerabilities and
their threats and do calculation of risk.
Due diligence is doing your research, understanding what could happen. Due care is doing something
about that. Acting upon the outcome of the analysis, acting upon outcome of the assessments. Due
care is doing the right thing.
Now how it comes into play is if the company is sued, and it’s usually through a civil court where
a company is sued on negligence and being liable for something bad that took place.
When whoever’s being held responsible, senior management, goes to court, the court is going to look
at if the company practiced due diligence. Meaning it took the necessary steps to understand all
the negative things that could happen to the company, and if it practiced due care which means
doing the right thing, implementing the necessary controls. Implementing data classification,
putting a security program in place.
Because if a company does not go through all the expectations outlined in due care, then they can
be held negligent. In CISSP in your materials, if you go to a class, if you read books, it goes
much deeper into due care and it’s very important to understand the relationship and examples of
each one.
Within a security program, core components are risk management and risk analysis. Risk management
is something that’s ongoing, meaning that the company needs to set the acceptable risk level that I
talked about. The company’s senior management needs to identify how much risk the company is
willing to take on.
You can’t get rid of all risk. But you have a balancing act between how much money it’s going to
cost to mitigate risk, and how much risk the company can actually handle. Once senior management
sets the acceptable risk level, then there’s a risk management team that’s delegated to ensure that
that baseline or that threshold is never exceeded.
Risk management is an issue that should go on for the lifetime of the company. Which is different
than risk analysis. Risk analysis is a tool that’s used by risk management. It has a finite time
period, because it’s comprised of an assessment. There’s an assessment and then the results of that
assessment are analyzed.
Risk analysis. There’s different ways of carrying out a risk analysis, and we’ll look at a couple
of them. But the core pieces of it are what we have listed here. Whoever’s carrying out the risk
analysis needs to identify the company’s assets and assign values to those assets.
I think everything that is taught within CISSP, for example when I teach these courses, it seems as
though everything is very conflicted. You can put something on a PowerPoint and have bullet items.
It seems as though everything is kind of neat and tidy and easy. If you’ve been involved in trying
to do risk management or carrying out a risk analysis, you understand that this is not a clean and
easy task.
If you think about it, you’ve got to identify the company’s assets. A lot of people go right to
tangible assets. Servers and facilities and hardware. But there’s other company assets that not
only have to be identified but a value has to be assigned to them.
It may be easy to assign values to servers and hardware, but what about other more intangible
assets as in reputation. The reputation is one of the most valuable assets of the company. How do
you assign a value to that? Your customer base and your data information, all of these things have
to be identified and values assigned to them.
The reason that values have to be assigned to them is because you have to figure out how much money
to put in place to protect these things. A lot of the assets are intangible in nature, which makes
it much more difficult to assign quantitative values to them. Which again makes it much more
difficult to set a security budget and understand the true ROI on a security budget.
We’ve laid these things out in just bullet items, but it’s just not always this easy. In analysis,
we need to do these first two steps. Then we need to identify all of the vulnerabilities and
threats. Again, I listed just a few vulnerabilities and threats. It could be hackers and crackers,
the internal threats, distributed denial of service attacks, there’s all of these things.
The best analysis will come up with the best outputs if it has the best inputs. The people who
specialize in carrying out analysis will think outside the box, think about all of the possible
vulnerabilities that could take place.
Then you have to go to the calculation of risk, which we’ll look at how to do that and come up with
the potential and delayed losses that a company can face. Potential loss is something that can
happen as soon as a security breach takes place. But the delayed losses are things that are
secondary in nature, that can happen down the road.
For example if somebody broke into our database, got our customers’ credit cards, posted them on
the Internet, we have potential losses right away. Which is operational: everybody running around
like chickens with their heads cut off trying to figure out how to patch the hole. You can have
incident response, forensics.
Those are all the things that will happen right off the bat. But then you have secondary losses.
For example, how bad that’s going to hurt your reputation, all of the customers that you may lose
because this actually went public. Analysis looks at all of these possible things and that’s why
it’s not so implicit.
Now there’s two main approaches to analysis, which is quantitative and qualitative. Quantitative
means that we’re actually assigning monetary and numeric values to the components, equating,
figuring out our risk.
If we’re doing a quantitative risk analysis, we’re using percentages. We’re saying that an asset
costs $200,000. We’re saying that a potential loss could end up in half a million dollars. Those
are the terms that we’re using in quantitative approach.
Management usually likes quantitative results from an analysis because it helps them map back to
how to outline a security budget. Okay, these are our potential losses. How much do I have to spend
to try to mitigate those potential losses?
Qualitative is not using those numeric values; it’s referred to as opinion-based, but it’s using
people’s experience and their gut feel on what could take place. A qualitative risk analysis will
usually use the industry’s best practices to compare what a company is doing to these best
practices to see what level of protection they need. It’s not masked in percentages and
monetary values.
Today a lot of our risk analysis is carried out through qualitative means because it’s very hard to
quantify a lot of the qualitative components that go into understanding risk and information
security arenas.
A qualitative process would be a ratings system. You could have experts that are carrying out this
analysis and they might use a one through five and say that you have a three. Or they may use a
rating system of one through ten.
In a quantitative risk analysis, you would be using SLE and ALE values. You have to understand
these for the exam, but they’re core components of information security in the real world
also.
Here we have a basic example of how to understand, if a vulnerability was exploited, what the
potential damages are that the company can go through. The reason you would go through these
exercises of coming up with SLE and ALE is that we need to understand how bad something can hurt us.
What are the true business impacts, so we know how much money we should spend to properly protect
against these threats?
In this example, we’re looking at an e-commerce site. We have to assign a value to it. Again,
that’s not as easy to do as it may seem. We say that our value of this site is $300,000. If there’s
a compromise, if an attacker carried out some kind of a compromise, we’re going to estimate that
it’ll cost 40% damage.
Those damages, how do we come up with that 40%? We have to look at the liability costs. What are
the issues if confidential data was uncovered or corrupted? How bad is that going to affect our
revenue stream? This is how we come up with potential loss.
Our site has an asset value of $300,000. We think that if this type of vulnerability that we’ve
identified is exploited by a threat agent, it’s going to cost 40% damage. $300,000 times 40%, we
have an SLE value of $120,000. That’s a single loss expectancy value.
What that means is if this one threat became realized against this one asset, it could cost us
$120,000. That’s just one asset and one threat. We need to do this for all of the threats for all
of the assets to really get an understanding of what our company can be faced with.
We have $120,000 as our SLE value. We also need to look at how often we think this threat will
become realized. That’s where the ALE formula comes into play. We take the SLE and we multiply it
times the ARO, which is annualized rate of occurrence. Annualized rate of occurrence is just
another name for frequency. How often do we think that this thing could take place?
ARO is an annualized value, meaning that if we think it’s going to definitely take place once
within 12 months, the value would be 1.0. If we think it’s going to take place one in ten years,
it’s 0.1. We think it’s going to take place one in 100 years, it’s 0.01.
We take that SLE value, multiply it by ARO and we come up with $120,000. If our ARO was one in ten
years, we only think this is going to happen one in ten years, then our ALE value would be
$12,000.
Now what do we do with this? We have to say ALE value. We’re not done yet. All this tells us is
that if this one vulnerability is exploited, we could potentially lose $120,000. This goes into a
cost-benefit analysis. The senior management knows that they could spend up to $120,000 trying to
protect this asset, but that they should not spend over that. It’s a tool to help them set their
security budget.
What’s important is to understand that there’s still residual risk, even after you put
counter-measures in place. Before a company does anything, before they put any type of
counter-measures, and remember the counter-measure is the same thing as controls. It can come in
different forms. It’s not just a firewall, it’s administrative, physical and technical
controls.
You can look at your total risk before you put a security program in, before you put enforcement
in, before you put security guards in, before you put fencing and lighting in. Total risk is before
you actually do something, before you put a counter-measure in place.
But you cannot get rid of all risk, so you mitigate the risk to a residual level. What the company
needs to understand is: is this residual risk still acceptable? Is it higher than the acceptable risk
level that was set in the beginning?
This is something that’s very hard for companies to understand and carry out properly, because we
think well we’ve spent money, we’ve put the control in place, so we must be safe now. But are you
safe enough?
The formulas we have here are conceptual in nature. It just means you’re not going to be able to
drop values in and calculate your total risk. They’re conceptual. To understand what your total
risk is, you have to understand your vulnerabilities to threats and what assets are in
danger.
The residual risk, we multiply it times its control gap which just means what controls we’ve put in
place, what they can’t cover. Because your controls that you do implement can only provide a
certain level of protection, but they can’t provide all of the protection.
Understanding residual risk is critical for companies, because they may still need to put yet
another type of control to reduce that residual risk to actually meet the acceptable risk level
that they’ve identified in the beginning.
I said that we went through that SLE and ALE exercise to then go into a cost-benefit process.
Because we have to realize that we’re trying to run a business. A business is not just about being
secure, it’s about making money. We have to understand our potential and our delayed losses and how
much we can spend to try to protect our assets.
What happens in the cost-benefit analysis is you look at the potential loss, but you also look at
the cost of the counter-measure. Now a lot of times people make the mistake of thinking that the
cost of the counter-measure is what you fill out maybe on a purchase order. A counter-measure
really looks at all the things that are involved with that actual product or whatever type of
counter-measure’s in place.
For example, if you’ve been involved with an intrusion detection system roll out, you know that
there’s actually a lot more involved with that process other than just buying that product and
implementing it. The actual cost of an intrusion detection system is what you pay for the product,
the maintenance of the product, the man hours necessary to maintain that product.
And that’s what a lot of companies fall into. They don’t realize the man hours that are required to
keep up with the intrusion detection system, all of the alerts it kicks out. To understand how much
a counter-measure costs the company, this is a formula that we need to walk through.
What is the ALE before we put the counter-measure in place? Which means what is our potential loss
before we put any control in place? How much can we lose before we do anything? We look at that
value, we subtract the ALE value of after we put the counter-measure in place.
The ALE needs to be mitigating or reducing our risk. What is the ALE after we put that in place?
Then we subtract the annual cost of that counter-measure, and that will help us determine if it
really makes sense to put this counter-measure in place.
In our example here, we’ve come up with the ALE is $78,000. That means the one asset that we’ve
identified and the one vulnerability that we’ve identified, if that happens, if that threat becomes
realized, we could lose $78,000.
Now we’ve identified a control to put in place which will mitigate that potential loss, and that
will bring it down to $20,000. What this tells us is that our counter-measure that we’ve identified
can be saving us $58,000.
Do we stop there? It sounds like a great idea. Let’s go ahead and put it in place. But we would
need to look at how much this counter-measure costs on a year to year basis. Right now this is the
annualized cost, we’re looking at a 12 month period. The counter-measure may save us $58,000, but
it actually costs us $60,000 so it’s not a good business decision.
These are all the things within risk management or risk analysis that we go through in this
domain. Of course we only have one hour to cover all these components and you need to know a lot
more for the actual CISSP exam.
If you see so far the different pieces: if companies and security professionals and whoever’s
responsible for information security really understood how to set up a security program, if they
really understood all of the components within it, how it matched to the business needs, how it
matched to regulations and legal issues, how to identify all of the vulnerabilities and threat
agents that can exploit these vulnerabilities.
If companies really knew how to do data classification procedures, how to maintain that, how to
come up with the right roles within their security program and map the right paths to these
roles. If companies really understood this, we wouldn’t be where we are today with information
security.
Because we have spent so much time on the technology aspect of information security. I think we
have that down pretty good. We’ve got that unbelievable technology to prevent a lot of the security
compromises that are going on. But where we’re really lacking, where we’re really immature, is from
the top down understanding all the components that are much more important than just the technology
piece.
Now I mentioned the employee issue. A lot of people just brush past employee issues and don’t think
it’s that important. But then in another breath they’ll say, "Yes, we realize that the insider
threat is the most damaging."
It’s very ironic and it doesn’t make sense. Corporations today will spend a lot of money on
firewalls and new shiny intrusion detection systems and all this perimeter protection even though
they nod their heads, saying that they understand the internal threat is more dangerous. The logic
doesn’t make sense there.
We need to understand that the people who are carrying out the tasks in the corporation have
privileged access to the assets that we’re trying to protect. It’s not that your internal employees
are all devious, that they’re all going to try to do something malicious. It’s that they have the
assets, and a lot of the issues come down to mistakes. Their mistakes can be very critical because
of the level of access that they do have.
Even though a lot of people say, yes, we understand that the internal threat is the largest, we don’t
see anybody acting on that properly. Employees need to be properly trained. What that means is
who’s responsible for what within a corporation? And we’re saying employees, we don’t need these
staff members who have nothing to do with security.
It means the different roles within the security program overall. Who is the data owner? Who’s the
system owner, who’s the security officer? Who has been delegated these tasks? Do they really,
really understand what they’re supposed to do? Most times the answer’s no. Because that answer
is no, because they do not really understand what security means within the corporation, that’s
where a lot of the breaches take place.
So employee issues are very important. Enforcement is critical. A lot of companies have security
policies and things that security consultants have told them that they need, but they don’t have things
in place as an incident response. They don’t have enforcement.
What happens is companies think that they need to plan, you need to set up a security program. They
don’t come up with a plan for, okay, what happens when things go bad? Because things will go bad.
You’re not going to properly survive them, or survive them without as many knocks as you could if
it’s properly planned.
Enforcement is one of them. Security has to have teeth, otherwise nobody’s going to worry about it.
There’s different hiring and termination practices that companies need to follow. I talked about
security [inaudible].
This was pretty quick, one hour over a domain within the common body of knowledge. But it’s a very
good domain to start with when you start studying for the exam, because it sets the stage within an
organization or corporation. This overall structure that sets the framework for the security.
Then the other domains that we look at, telecommunication, laws and investigation, access control,
all of these components plug into the framework that is to be developed in security management
practices.
I went pretty quick. We hit only some of the core concepts, but there’s a lot of other concepts
that you need to understand and know in great depth if you’re going to take the CISSP exam.
Host: Thank you, Shon. This concludes class one of CISSP Essentials: Mastering the Common Body of
Knowledge, Security Management Practices. Be sure to visit www.searchsecurity.com/cisspessentials
for additional class materials based on today’s lesson and to register for our next class on access
controls.
Thanks again to today’s sponsor and thank you for joining us. Have a great rest of the
day.
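The SLE, ARO and ALE arithmetic and the counter-measure cost/benefit check that Shon walks through in this lesson, as an added worked example in Python. This is not code from the lesson or from Logical Security; the function, class and field names are my own. It uses the lesson's own figures (a $300,000 e-commerce site, 40% damage, a once-in-ten-years frequency, and the $78,000 / $20,000 / $60,000 counter-measure case) and, because the lesson says the calculation must be repeated for every asset and threat, adds a per-scenario total across a small constructed portfolio.

```python
"""Quantitative risk analysis as taught in the lesson: single loss
expectancy (SLE), annualized rate of occurrence (ARO), annualized loss
expectancy (ALE) and the counter-measure cost/benefit check.

Added example; not code from the lesson. Names are my own.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor.

    exposure_factor is the fraction of the asset's value lost if the threat
    is realized once (the lesson's "40% damage" is 0.40).
    """
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return round(asset_value * exposure_factor, 2)  # monetary value, to the cent


def aro_from_interval(years_between_occurrences: float) -> float:
    """ARO expressed from 'once every N years': once a year -> 1.0,
    once in ten years -> 0.1, once in a hundred years -> 0.01."""
    if years_between_occurrences <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_occurrences


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: the loss expected over a 12-month period."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return round(sle * aro, 2)


@dataclass(frozen=True)
class Scenario:
    """One asset/threat pair. ALE is computed per pair; the lesson stresses
    that every pair must be worked to see the company's full exposure."""
    name: str
    asset_value: float
    exposure_factor: float
    aro: float

    def sle(self) -> float:
        return single_loss_expectancy(self.asset_value, self.exposure_factor)

    def ale(self) -> float:
        return annualized_loss_expectancy(self.sle(), self.aro)


def total_ale(scenarios) -> float:
    """Sum of ALE over every asset/threat pair in the analysis."""
    return round(sum(s.ale() for s in scenarios), 2)


def countermeasure_value(ale_before: float, ale_after: float,
                         annual_cost: float) -> float:
    """(ALE before control) - (ALE after control) - (annual cost of control).

    annual_cost must be the full yearly cost: purchase price spread over the
    year, maintenance, and the staff hours needed to run it and work its
    alerts, not just the purchase-order figure.
    """
    return round(ale_before - ale_after - annual_cost, 2)


def worth_deploying(ale_before: float, ale_after: float,
                    annual_cost: float) -> bool:
    """A control is a sound business decision only if its value is positive."""
    return countermeasure_value(ale_before, ale_after, annual_cost) > 0


if __name__ == "__main__":
    # Figures from the lesson's e-commerce example.
    site = Scenario("e-commerce site compromise", 300_000, 0.40,
                    aro_from_interval(10))
    print(f"{site.name}: SLE ${site.sle():,.2f}, ALE ${site.ale():,.2f}")
    # A second, constructed scenario to show the portfolio total.
    mail = Scenario("mail server outage", 50_000, 0.50, 1.0)
    print(f"total ALE across scenarios: ${total_ale([site, mail]):,.2f}")
    # Cost/benefit figures from the lesson's counter-measure example:
    # saves $58,000 a year but costs $60,000 a year, so it does not pay.
    print("deploy?", worth_deploying(78_000, 20_000, 60_000))
```

The rounding to cents keeps the monetary results exact for comparison; the same control with a $50,000 annual cost would come out positive, which is the decision boundary the lesson describes.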