One of the most important things to sort out, aside from preparing all the documentation needed and confirming support from management, is to have a list of all the entity’s assets. In this chapter, we will be covering risk management, data classification, and the controls defined within ISO 27001.
An asset is a resource having economic worth that a person, business, or nation owns or manages with the idea that it will produce future benefits. The balance sheet of a firm lists its assets. They are acquired or established to raise the value of a company or to boost its operations. In our context, an asset is defined as any goods or services, tangible or intangible, that are considered part of an entity.
So a firewall, for instance, is an asset; a pen is an asset; but the documents in the company's local or online repository are also assets, as is that server that was supposed to be decommissioned five years ago but, for reasons as mysterious as the Bermuda Triangle, is still there.
Why in the world is a document (MS Word, Excel, PowerPoint, you name it) considered an asset? Well, of course it’s not due to the document(s) themselves, but because of what those documents are worth: let’s suppose that you are the King of Reign1 and your plans for invading Reign2 and therefore becoming Emperor of the Galaxy are in your safe waiting to be used – how much are they worth? Or let’s suppose that you’ve got 50 kilos of bearer shares? What is their value? Or all the notebooks that you used while at primary school, how much are they worth, according to your parents?
You got the point: if the shape of water depends on the container that encloses it, the value of a document does not depend on the physical document but on the information it contains.
In this chapter, we will cover the following topics:
Project risk management is an essential project management strategy that aims to minimize the number of surprises that occur during a project’s execution. Despite the fact that it is impossible to forecast the future with absolute certainty, a straightforward and simplified risk management method may be used to anticipate uncertainties and reduce their occurrence or effect. This raises the probability that the project will be completed successfully and decreases the implications of these risks.
The basic processes for project risk management are therefore the following:
Risk reporting in particular has a dual purpose: in the immediate term, it enhances communication within the project, and in the long term, it generates historical precedents that may be utilized to produce more accurate risk forecasts in future projects.
During my career, also as a risk manager, I learned some fundamentals of risk management:
Risk management is uninteresting to 99 percent of the population of the globe. They see no value in it.
I developed a risk register strategy that was as straightforward as I deemed it needed to be in order to assist conversations and decision-making. It worked well, and after a few years as a general risk manager, I transitioned into the information security field, carrying the strategy with me to the current day.
A few broad views on risk management
Risk management is a management method that helps your organization accomplish its goals by concentrating on helping you understand some of the undesirable events that might prevent you from reaching your goals. It then assists you in deciding what you might do to handle these negative events, and perhaps prevent them from occurring. It is a managerial approach designed to aid in decision-making; if it is not aiding in decision-making, then it is a waste of time. Risk management is a subpar method for managing hazards, but it is the best method available, and like any other management method, it sometimes works and sometimes does not. Again, like any management strategy, it requires some talent to be effective, and the more you practice, the better you get at it. Like the finest management strategies, it is fundamentally straightforward.
To select the most effective risk reduction approach, it is necessary to analyze risks. There are three stages involved:
These are the 10 characteristics that each risk should be ascribed:
(Optional) Should you be pleased with this result? Yes, if the current risk score is within the risk tolerance. Otherwise, the answer is no. This characteristic is optional; however, it may facilitate thought.
Hopefully, this was clear enough to let you understand the list of characteristics that a risk should have. Next stop, heatmaps.
Risk heatmaps are often used in operational risk management and are especially beneficial for visually representing a company’s risks and emphasizing those that need closer supervision. Typically, while analyzing operational risk, the risk manager will utilize a spreadsheet to record the company’s important hazards and estimate their effect and likelihood (or probability).
Many entities still use spreadsheets to manage broader risks and display heatmaps, which are typically included in management information reports for senior management and other senior executives, even though many companies have risk management systems that provide this functionality.
The total risk score is the product of the likelihood (or probability) and effect ratings. The formula for calculating the risk score is as follows:
Risk Score = Likelihood Score x Impact Score
When the list of risks is broad, often spanning many departments or business sectors, it is a significant challenge for the risk manager to plot these risks on a heatmap and ensure that all relevant risks are shown appropriately. Each risk is placed on the heatmap according to its score and, according to that score, colored red, amber, or green (RAG).
The first example demonstrates how a comprehensive variety of hazards may be displayed using Excel in an understandable manner (the data sheet feeding into this chart has more than 100 risks).
Figure 7.1 – Risk assessment heatmap
The second example illustrates a summarized heatmap in tabular format.
                      LIKELIHOOD
IMPACT                10 Low      20 Medium   30 High     40 Very High
10 Low                4           1           1           3
20 Medium             4           5           7           7
30 High               7           7           10          6
40 Very High          7           12          14          9
NOTE
The figure shows the total number of identified risks per probability and impact score (e.g., P=10 and I=10, P=10 and I=20, and so on)
Figure 7.2 – Heatmap in tabular format
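As an added example that is not part of the chapter, the following Python code turns a risk register into the three things discussed above: the score of each risk (likelihood times impact on the 10/20/30/40 scale of Figure 7.2), its RAG colour, and the count of risks per likelihood and impact cell in the same layout as the tabular heatmap. It also implements the optional "are you pleased with this result?" check against a risk tolerance. The register entries and the RAG thresholds are constructed assumptions; the chapter gives no thresholds, and each entity sets its own.

```python
from collections import Counter
from dataclasses import dataclass

# Scale used in Figure 7.2 for both axes: 10 = Low, 20 = Medium, 30 = High, 40 = Very High.
SCALE = {10: "Low", 20: "Medium", 30: "High", 40: "Very High"}

# RAG thresholds on the product score are an assumption for this example.
RED_FROM = 900     # High x High (30 x 30) and above
AMBER_FROM = 300   # from Low x High (10 x 30) up to, but not including, RED_FROM


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    likelihood: int   # one of the SCALE keys
    impact: int       # one of the SCALE keys

    def __post_init__(self):
        # Reject scores off the agreed scale instead of silently producing a wrong heatmap.
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.risk_id}: scores must be one of {sorted(SCALE)}")

    @property
    def score(self) -> int:
        # Risk Score = Likelihood Score x Impact Score
        return self.likelihood * self.impact


def rag(score: int) -> str:
    """Map a score to the red/amber/green colouring used on the heatmap."""
    if score >= RED_FROM:
        return "red"
    if score >= AMBER_FROM:
        return "amber"
    return "green"


def within_tolerance(risk: Risk, tolerance: int) -> bool:
    """The optional characteristic: is the current score within the risk tolerance?"""
    return risk.score <= tolerance


def heatmap_counts(register):
    """Count risks per (likelihood, impact) cell; rows are impact, columns likelihood."""
    counts = Counter((r.likelihood, r.impact) for r in register)
    return {impact: {lik: counts[(lik, impact)] for lik in SCALE} for impact in SCALE}


def render_heatmap(grid) -> str:
    """Plain-text rendering in the layout of Figure 7.2."""
    header = "IMPACT / LIKELIHOOD".ljust(22) + "".join(
        f"{lik} {SCALE[lik]:<10}" for lik in SCALE)
    lines = [header]
    for impact, row in grid.items():
        cells = "".join(f"{row[lik]:<13}" for lik in SCALE)
        lines.append(f"{impact} {SCALE[impact]:<19}" + cells)
    return "\n".join(lines)


# Constructed register for the example (not the chapter's data sheet).
REGISTER = [
    Risk("R-01", "Legacy server never decommissioned", 30, 30),
    Risk("R-02", "Unclassified documents on shared drive", 40, 20),
    Risk("R-03", "Firewall rule base not reviewed", 20, 30),
    Risk("R-04", "Lost removable media", 10, 40),
    Risk("R-05", "Stationery shortage", 10, 10),
    Risk("R-06", "Backups never tested", 30, 40),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.risk_id} score={r.score:<5} {rag(r.score):<6} "
              f"within tolerance(600)={within_tolerance(r, 600)}")
    print(render_heatmap(heatmap_counts(REGISTER)))
```

Because the score is a product, a Very High impact with a Low likelihood (400) lands in the same colour band as a Medium impact with a High likelihood (600); if your entity wants low-likelihood catastrophic events treated as red regardless, encode that as an extra rule in rag() rather than bending the scores.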
Well, now that we have defined how hot a risk is, we need to find a way to take care of these risks or, using the proper jargon, to mitigate them.
Risk mitigation refers to the methods used to decrease risk and lessen the chance of an event happening. Its aim is to keep the organization adequately safeguarded, which requires a continual focus on the main risks and concerns. The processes that govern and direct an organization in this respect are referred to as controls or mitigation activities.
To further comprehend this, let’s examine it in connection to the overall Enterprise Risk Management (ERM) process. The objective of your controls is to avoid certain hazards from materializing. This results in the development of policies and procedures designed to reduce the probability of risks materializing, remove the possibility that they will materialize, or raise the likelihood that your processes will protect you should the risk materialize.
At any given time, every firm confronts a plethora of risks. It incurs more risks when doing anything new (such as a project or initiative) or experiencing any form of organizational change. These inherent risks are often related to the procedures involved in achieving the final objective. However, the likelihood of such events can be reduced, and the techniques for doing so help identify and shape better risk mitigation plans.
Consequently, the four most prevalent strategies are as follows:
Tip – What is the most effective risk management strategy?
Obviously, the optimal technique depends on the risk you want to treat. A solid rule of thumb for deciding which strategy to pursue is to undertake a risk assessment first. This will allow you to detect gaps in policies and activities. Based on this input, you may effectively rank your efforts.
Just remember: there is no one size fits all formula here. 99.9% of the entities I have consulted for use the preceding strategies in conjunction with each other, according to their business needs.
All risks and benefits are evaluated differently based on your company’s particular objectives. To effectively create risk reduction measures, you must engage in the following:
Not every risk requires a mitigating strategy: as stated previously, it is occasionally preferable to take risk. Recognize that this is an option, and that some risks need no strategic response at all.
I tried my best here to give you all the basic (and non-basic) notions, but if you want to continue exploring the interesting world of risk management, you will find a plethora of books in your favorite bookstore that can help you to dig into the matter. For us, it’s time to move on to data classification.
We started this chapter talking about assets, and data classification is the process of organizing data assets, so it’s worth a mention here.
Data classification involves building a classification scheme and defining one or more taxonomies for the whole organization. A categorization system facilitates the efficient determination of data action priorities and intensities. Data classification depends on characteristics such as criticality, security, access and usage, privacy, ethics, data quality, and storage needs.
Classification of data offers businesses an interface for implementing rules and processes across data types, structures, and storage systems. Classified data enables an organization to create and apply a single handling policy for sensitive data across numerous systems and data items. Defining separate rules for each sort of data item is impractical in today's data-rich environments.
The categorization of data provides a corporate context to applications and processes. On the basis of data categorization, for instance, an organization might identify apps that handle sensitive data and specify stronger security criteria for such applications:
In information security, there are commonly four categorization levels for data:
While data is categorized depending on the requirements of each organization, there are a few typical methods of data classification:
While data categorization is necessary for performing a variety of operations, information security focuses primarily on sensitive data. In the majority of businesses, sensitive data is categorized into various sensitivity levels and then mapped to distinct sensitive data categories (e.g., personal information).
Typically, companies confront the following obstacles when categorizing data:
Many legislation and compliance requirements mandate that enterprises classify their data. Depending on the kind of data used, processed, collected, sent, and stored by an organization, each compliance standard may have varying requirements.
Here are several common compliance standards and their data classification requirements:
The preciousness of data depends heavily on the value we attribute to it.
Let's use an example to better understand this concept: suppose there is a country named XYZ, and its king wants to conquer the adjacent country of ZYX. He calls all his counselors, ministers, and advisers, prepares a war plan, and puts it in the safe. This plan, as you may imagine, has enormous value. But, for some reason, the king never decides to use this plan and, instead, signs a long-lasting peace agreement with the other country. When his successor (or an opponent, or a revolution, you name it) ascends to the throne and finds the attack plan, what will the plan's value be then?
The answer is I don’t know, and you probably don’t know either. But for sure its value will be different than in the past because of the successful peace agreement, because the old king is dead, and many other different reasons. Data classification is the technique of ascribing value to some information.
Data sensitivity levels assist in establishing how to handle each form of classified data. For instance, the Center for Internet Security (CIS) proposes three information classes:
With seven categories of data sensitivity, the US Government has a more comprehensive categorization system:
Using more than three levels might complicate data categorization and make it difficult to monitor and maintain. Using fewer than three tiers is deemed too basic and may result in inadequate protection and privacy. As recommended by the CIS, the majority of enterprises employ three classification levels.
Here is a simplified version of the CIS classification definitions that you can use in your efforts to classify data:
A data categorization policy outlines the manner in which your business manages its information life cycle. The objective is to guarantee that sensitive data is handled according to the amount of risk it presents. A data categorization policy should handle access and authorization, taking the data structure and its typical business applications into consideration.
Here are numerous important aspects that your policy should address:
Here are a few recommended practices that may help you enhance your organization’s data categorization:
This procedure may be automated via the use of intelligent categorization systems. Using specified criteria, for instance, a data classification system may automatically recognize and categorize data, and then tag it with the relevant categorization label. Throughout the entire data lifespan, these systems may continually monitor data to ensure that it is always appropriately categorized.
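As an added example that is not part of the chapter, the following Python code is a minimal version of such an automatic classifier: a set of detection rules, each tied to a sensitivity tier, scans a document and the document receives the highest tier that any rule triggers. The tier names and the rules are assumptions for this example (the chapter only says most entities settle on three levels), and the sample documents are constructed. The payment card rule validates the Luhn checksum, which is the kind of check a practitioner needs so that order numbers and timestamps are not flagged as card numbers; the classifier also reports only match counts, so its own output never carries the sensitive values it found.

```python
import re
from dataclasses import dataclass, field

# Three sensitivity tiers, lowest to highest. The names are an assumption for this example.
TIERS = ["Public", "Internal", "Confidential"]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers. A bare 16-digit regex would also
    flag order numbers and timestamps; the checksum removes most of those."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def card_numbers(text: str) -> list:
    """Return digit strings that look like card numbers (13-19 digits, optional
    spaces or dashes) and pass the Luhn check."""
    found = []
    for m in re.finditer(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)", text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


# Detection rules: (name, tier assigned when it matches, finder function).
# Illustrative only; a production system carries many more, tuned per jurisdiction.
RULES = [
    ("payment card number", "Confidential", card_numbers),
    ("credential", "Confidential",
     lambda t: re.findall(r"(?i)\b(?:password|passwd|api[_ -]?key|secret)\s*[:=]\s*\S+", t)),
    ("email address", "Internal",
     lambda t: re.findall(r"[\w.+-]+@[\w-]+\.[\w.-]+", t)),
    ("handling marking", "Internal",
     lambda t: re.findall(r"(?i)\binternal use only\b", t)),
]


@dataclass
class Classification:
    label: str
    reasons: list = field(default_factory=list)


def classify(text: str) -> Classification:
    """Assign the highest tier triggered by any rule. Only match counts are kept,
    so the classifier's output can be logged without leaking what it found."""
    label = TIERS[0]
    reasons = []
    for name, tier, find in RULES:
        hits = find(text)
        if hits:
            reasons.append(f"{name} x{len(hits)}")
            if TIERS.index(tier) > TIERS.index(label):
                label = tier
    return Classification(label, reasons)


# Constructed sample documents (not real data).
SAMPLES = {
    "newsletter.txt": "Quarterly newsletter: our offices reopen on Monday.",
    "roster.txt": "Contact alice@example.com for the INTERNAL USE ONLY roster.",
    "billing.txt": "Card on file: 4111 1111 1111 1111, exp 12/26",
    "order.txt": "Order ref 1234 5678 9012 3456 shipped.",   # fails Luhn, so not a card
    "deploy.md": "Deploy notes\nAPI_KEY=sk_constructed_example_value\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        c = classify(text)
        print(f"{name:<16} {c.label:<13} {', '.join(c.reasons) or '-'}")
```

Pattern rules like these are the easy part; the harder part in practice is the label that results being written back to the object (file metadata, database column, message header) and honoured by the handling controls downstream, which is what "tag it with the relevant categorization label" means.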
Now that we have exhaustively dealt with data and its classification, it’s time to move to ISO 27001 controls and why they are so important.
The ISO 27001 standard consists of the main body of the standard plus a second part, Annex A, which lists all the controls (114 controls in 14 categories, in the 2013 edition of the standard):
Each of the 14 categories provides a clear explanation of the primary objective(s) of that category.
This category’s aim is to give management guidance and assistance on information security in accordance with the organization’s needs and applicable laws and regulations. This is accomplished by the documentation of a set of information security rules that must be authorized, publicized, disseminated, and reviewed at certain intervals.
The first purpose is to develop a management structure that starts and regulates the implementation and operation of information security. This involves ensuring the following:
Information security must be addressed in project management, whatever the kind of project. The second purpose is to ensure the security of mobile devices and teleworking.
This is accomplished by developing and executing a policy and supplementary security measures to control the risks associated with the usage of mobile devices and to safeguard information remotely accessed, processed, or stored.
The primary purpose is to ensure that employees understand their obligations and are suitable for the roles for which they are being considered. This is accomplished by completing adequate background checks on all applicants and including information security duties in employment contracts.
The second purpose is to ensure that employees are aware of and comply with their information security duties. To do this, they must implement information security in accordance with organizational rules and procedures. The organization is responsible for ensuring that personnel get proper training and frequent updates.
A formal and communicated disciplinary procedure must also be developed so that any person who violates information security may be sanctioned. The end purpose of this category is to safeguard the organization's interests when employees change jobs or leave the organization, by defining, communicating, and enforcing the information security responsibilities that remain valid after termination or change of employment.
The first aim requires the identification of information assets and the assignment of suitable protection responsibilities. This is accomplished by developing an asset inventory that identifies asset owners, and by documenting and enforcing rules on the acceptable use of these assets. Assets must also be returned when employment, contracts, or agreements end. The subsequent purpose is to guarantee that data is adequately safeguarded.
To do this, it is necessary to develop a categorization system and classify the assets properly. Therefore, all electronic and physical assets must be labeled in line with the categorization system, and procedures for managing assets must also be designed and executed. The final purpose is to prevent unauthorized disclosure, alteration, deletion, or destruction of information stored on media. This can be accomplished by employing removable-media management methods. These processes must address the safe disposal and transit of storage media holding sensitive information.
The primary goal is to restrict access to information and data processing resources: this is accomplished in part by developing and enforcing an access control policy and limiting user access to just the systems and network regions they require to execute their jobs.
The second goal is to guarantee authorized user access and prevent unauthorized access.
The following controls are used for this purpose:
The third purpose is to hold users responsible for protecting their passwords, PINs, tokens, and so on. As a result, it is necessary to adhere to prescribed procedures for the use of secret authentication information. This category's end purpose is to prevent unauthorized access to systems and applications. To fulfill this purpose, controls must limit access to information and systems and, where applicable, implement secure log-on procedures. In addition to restricting utility programs that may circumvent system and application controls, access to program source code must also be controlled. Password management systems that enforce quality passwords support this purpose.
This category’s purpose is to guarantee that cryptography is utilized properly to safeguard the confidentiality, integrity, and validity of information.
This is accomplished by creating and implementing a cryptographic policy that includes information on the usage, protection, and lifespan of cryptographic keys.
The primary purpose of this category is to prevent unauthorized physical access to, damage of, and interference with data- and information-processing infrastructure.
Controls used to achieve these aims include the following:
The second purpose is to avoid the loss, theft, compromise, or destruction of assets and the disruption of activities.
Controls to achieve this purpose include the following:
The first objective is to guarantee that information processing facilities are properly and securely managed.
To do this, operational procedures must be recorded and made accessible.
Change management is included in these procedures to govern modifications to business processes, information processing facilities, and systems.
Capacity management must also be used to monitor and forecast capacity requirements.
Additionally, it should be highlighted that the development, testing, and operational environments must be segregated in order to decrease the danger of unauthorized access or modifications to operational environments.
The following purpose is to safeguard information and information-processing facilities against malware. This is done by implementing anti-malware software to identify, prevent, and recover from attacks.
Users must be aware of the organization’s anti-malware software and its guidelines on permissible and undesirable use.
The third objective is to defend against data loss by ensuring that frequent backups of information, software, and systems are performed and tested in accordance with an established backup strategy.
The subsequent aim is to record events and generate evidence. This is achieved by producing, storing, regularly reviewing, and protecting logs of user activity (including that of administrators and operators), exceptions, faults, and information security events.
All relevant information-processing system clocks must be synchronized to a single reference time source, for example by using the Network Time Protocol (NTP) against an agreed time server; without this, logs from different systems cannot be reliably correlated during an investigation.
The fifth objective is to ensure the integrity of operational systems.
This is accomplished by implementing procedures to control the installation of software on operational systems.
The following purpose is to prevent the exploitation of technical vulnerabilities; this is achieved by obtaining timely information about the technical vulnerabilities of the systems in use, evaluating the organization's exposure to them, and implementing appropriate measures.
Additionally, rules governing the installation of software by users must be defined and enforced. This category's end purpose is to minimize the impact of audit activities on operational systems.
In order to minimize disruption, audit requirements and activities involving verification of operational systems must be carefully planned and agreed.
The second purpose is to maintain the security of information transferred within the organization and with any external entity. This may be accomplished by creating formal transfer policies, procedures, and controls to secure information transmitted across all kinds of communication facilities, including electronic messaging via email, communications platforms, and social media.
Therefore, information transfer agreements must include provisions for the safe sharing of business information.
The primary purpose is to guarantee that information security is an intrinsic component of information systems throughout their entire lifespan, including the requirements for information systems that provide services via public networks. This implies that information security needs must be included into the specifications for any new or upgraded information systems.
Protecting data involved in application services that traverse public networks is a further control that may assist in achieving this purpose. Information involved in application service transactions must also be safeguarded to avoid incomplete transmission, misrouting, unauthorized message modification, unauthorized message disclosure, unauthorized message duplication, and unauthorized message replay.
The subsequent purpose is to guarantee that information security is established and executed within the development life cycle, which is closely related to design and development activities.
The following controls may assist in achieving this goal:
It is necessary to create and apply guidelines for software and system development. Changes made to systems during the lifespan of development must be managed by defined change control methods.
When operating platforms are changed, business-critical applications must be reviewed and tested for adverse implications on operations and security. Modifications to software packages should be discouraged; if alterations are necessary, they must be limited to the bare minimum and strictly controlled. Any activity involving the development of an information system must define, document, and apply secure system engineering principles.
Any outsourced development activities need management and oversight. Security functionality must be examined throughout the development process. For new information systems, updates, and new versions, programs and criteria for system acceptability testing must be devised.
The ultimate goal is to secure the data used for testing by selecting data with care, encrypting or otherwise protecting it, and limiting access to only authorized personnel.
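One way to "otherwise protect" test data, as an added example that is not part of the chapter: instead of copying a production extract into the test environment, apply a per-field handling policy that keeps business values, drops fields never needed in test, and replaces direct identifiers with keyed pseudonyms. The record layout, the field policy, and the extract are constructed assumptions; the HMAC-based pseudonym is deterministic, so a customer keeps the same token across tables and referential integrity survives, while nobody without the key can reverse it or confirm a guessed input. Fields with no rule are rejected, so a column added to production later cannot leak into test by default.

```python
import hashlib
import hmac
import secrets

# Handling rule per field. The layout and rules are assumptions for this example;
# in practice each rule follows from the data classification of the field.
POLICY = {
    "customer_id": "keep",        # surrogate key, needed for joins
    "name": "pseudonym",          # direct identifier
    "email": "pseudonym_email",   # direct identifier, kept email-shaped for the app
    "card_number": "drop",        # never needed in a test environment
    "balance": "keep",            # business value, needed for realistic tests
}


def pseudonym(value: str, key: bytes, length: int = 12) -> str:
    """Keyed HMAC pseudonym: same input and key give the same token (joins work),
    but without the key it cannot be reversed or verified, unlike a plain hash."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def sanitize_record(record: dict, key: bytes, policy: dict = POLICY) -> dict:
    """Apply the policy to one record; unknown fields are an error (fail closed)."""
    out = {}
    for name, value in record.items():
        action = policy.get(name)
        if action is None:
            raise KeyError(f"no handling rule for field {name!r}; refusing to copy it")
        if action == "keep":
            out[name] = value
        elif action == "pseudonym":
            out[name] = "user-" + pseudonym(str(value), key)
        elif action == "pseudonym_email":
            out[name] = pseudonym(str(value), key) + "@test.example"
        elif action == "drop":
            continue
        else:
            raise ValueError(f"unknown action {action!r} for field {name!r}")
    return out


def sanitize_extract(records, key: bytes, policy: dict = POLICY) -> list:
    return [sanitize_record(r, key, policy) for r in records]


# Constructed production-like extract (not real data).
EXTRACT = [
    {"customer_id": 1001, "name": "Alice Example", "email": "alice@example.com",
     "card_number": "4111111111111111", "balance": 250.00},
    {"customer_id": 1002, "name": "Bob Example", "email": "bob@example.com",
     "card_number": "5500000000000004", "balance": -12.50},
]

if __name__ == "__main__":
    # The key is generated for a test-data release and handled like a production
    # secret; it must never reach the test environment itself.
    key = secrets.token_bytes(32)
    for row in sanitize_extract(EXTRACT, key):
        print(row)
```

The key is the weak point of this approach: whoever holds it can re-identify everyone by recomputing pseudonyms for candidate inputs, so it belongs with the people who already have production access, not with the testers.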
The primary purpose of this category is to safeguard supplier-accessible assets. To achieve this, information security standards to limit risks associated with suppliers having access to assets must be exhaustively specified in a policy for supplier management.
As a result, written agreements must be negotiated and executed with each supplier, including all pertinent criteria outlined in the supplier management policy. Information security risks linked with information and communications technology services and the supply chain must be addressed in these formal agreements.
The second goal is to maintain an agreed level of information security and service delivery in line with supplier agreements. To do this, suppliers must be monitored, reviewed, and in certain instances audited on a regular basis. Changes to supplier services must also be managed, taking into account the maintenance and improvement of existing information security policies, procedures, and controls, the criticality of the business information, systems, and processes involved, and a reassessment of risks.
This category has a single aim, which is to establish a uniform and effective approach to the management of information security incidents, including communications on security events and vulnerabilities.
The following controls may assist in achieving this objective:
The initial purpose of this category is to ensure that information security continuity is embedded in the organization's business continuity management.
To achieve this purpose, it is necessary to determine the requirements for information security and for the continuity of information security management in adverse situations, such as during a crisis or disaster. Processes, procedures, and controls must then be created, documented, implemented, and maintained. Once in place, these arrangements must be regularly verified and reviewed to guarantee their effectiveness.
The second purpose is to guarantee that information processing facilities are available. This is performed by establishing redundant information-processing facilities to satisfy availability needs.
The primary purpose of this category is to prevent violations of legal, legislative, regulatory, or contractual information security duties and security standards. Identifying and recording pertinent legal, statutory, regulatory, and contractual requirements, as well as the strategy for satisfying them, are examples of controls that might assist in achieving this purpose:
The second purpose is to guarantee that information security is established and managed in compliance with the rules and procedures of the organization. This is accomplished by conducting independent evaluations of the strategy for managing information security and its execution at predetermined intervals or in response to substantial changes.
Managers must also regularly review the compliance of information processing and procedures within their areas of responsibility with the relevant security policies and standards; finally, information systems must undergo regular technical compliance reviews, which may be accomplished via penetration testing.
There are two essential considerations for addressing this question.
Fewer than forty percent of ISO 27001 Annex A controls are technology-based. Information security vulnerabilities are often caused by human behavior. Therefore, contrary to popular belief, IT cannot and should not be the only answer.
Information security is, in reality, about constructing a system of mature, resilient rules. The present Annex A framework applies the following percentages to control locations inside an organization:
Consequently, applying the controls stated in Annex A is and must always be the responsibility of a number of persons and departments within an organization, the number of which is dependent on the size and complexity of the organization.
The controls outlined in Annex A of ISO 27001 are a vital component of risk treatment and must be chosen based on a comprehensive analysis of an organization’s information security threats.
Typically, chosen controls must be justified by one of the following:
Once controls have been identified, organizations must produce a Statement of Applicability (SoA) that lists, at a minimum, all 114 controls of Annex A, with the justification for including or excluding each and, preferably, a concise description of how each included control has been implemented. The SoA acts as a tool for providing senior management with accurate information on the degree of risk to which the organization is exposed and the status of risk treatment efforts.
Only after a thorough evaluation of an organization's inherent information security risks can it be determined which measures should be adopted. Once the risks are known, the appropriate countermeasures may be determined. Generally, the more of the relevant controls an organization implements, the better it can reduce or at least mitigate its exposure to the recognized risks.
Nonetheless, Annex A controls may be omitted if they are irrelevant. A company that does not develop software, for example, would have no need for a secure development policy.
If a control is omitted, a complete rationale for the exclusion must be included in the SoA.
This chapter was very discursive, but we talked about risk management, data classification (still, as part of risk management) and all the controls within Annex A of ISO 27001.
In the next chapter, we will discuss preparing foolproof policies and procedures to avoid internal risks. We will examine security systems and devices, cybersecurity vulnerabilities, social engineering, common pain points, and critical success factors.