
A business impact assessment (BIA) identifies an organization’s most critical resources and the threats against those resources. The BIA is one of four phases of the business continuity planning (BCP) process. The assessment evaluates each threat in terms of the probability of an event occurring and the impact of an event should it occur. The outputs of the BIA provide quantitative measures that help to prioritize the allocation of business continuity resources.

Business impact assessments are an important component of an effective security program. If you are preparing for the CISSP, Security+, CySA+, or another security certification exam, you will need to understand the role of the business impact assessment in the business continuity planning process. You need to make sure you understand the quantitative formulas associated with the BIA process and the concepts of asset value, exposure factor, annualized rate of occurrence, single loss expectancy, and annualized loss expectancy.

Quantitative versus Qualitative Analysis

There are two types of analysis used in making business impact assessments.

Quantitative decision-making is based on data that can be measured or counted and is driven by the use of numbers and calculations. The results of a quantitative analysis are often in the form of dollar values.

Qualitative decision-making is based on data that is descriptive in nature, answering questions such as “What would be the potential impact of an employee theft of data?” It is frequently based at least in part on the opinions of members of the security team and other subject matter experts on topics like reputation, investor/customer confidence, or workforce stability. The results of a qualitative analysis are often in the form of categories of prioritization such as high, medium, and low.

Determining Asset Value and Exposure Factor

Determining the value of the organization’s assets is fundamental to establishing the business priorities of the BCP and is typically the first step in the quantitative part of the business impact assessment. In determining value, the BCP team creates a list of the organization’s assets and then assigns an asset value (AV) to each one.

In addition to the asset value list, the BCP team also compiles a list of risks to the organization. This list should be as comprehensive as possible and include both natural and man-made events. A few examples include earthquakes, violent storms, fire, power failures and theft.

The exposure factor (EF) is a measure of the potential damage that a specific risk poses to a specific asset. EF is expressed as a percentage of an asset’s value. For example, the theft of a laptop might have an EF of 100% because the laptop would be a complete loss, while a hurricane making a direct hit on the building might have an EF of 60% if the BCP team concludes that a hurricane would destroy only 60% of the building.

Computing the Single Loss Expectancy

The single loss expectancy (SLE) is the financial loss that is expected each time a risk is realized. The SLE is calculated using the following formula:

SLE = AV × EF

Continuing with the previous examples, if a laptop’s AV is $1,500 and its EF from theft is 100%, then:

SLE = $1,500 × 100% = $1,500

Likewise, if the facility’s AV is $1,000,000 and its EF from a hurricane is 60%, then:

SLE = $1,000,000 × 60% = $600,000

Computing the Annualized Loss Expectancy

A likelihood assessment evaluates the probability of risks becoming realized. Some events are more likely than others to occur. Earthquakes, for example, are rare in New England but rather common in Southern California.

For each of the events that have been identified as potential risks to the organization, the BCP team makes a determination as to how likely it is that the risk will be realized. The likelihood is generally stated in terms of an annualized rate of occurrence (ARO) reflecting how many times an organization expects to experience the event each year. Best practices for determining the ARO for an event include referencing historical data, the experience of the BCP members and others in the organization, and advice from outside experts.

The annualized loss expectancy (ALE) is the financial loss that an organization expects to suffer as the result of realized risks harming assets over the course of one year. The ALE is calculated using the ARO, which tells us the likelihood of an event impacting an asset, and the SLE, which tells us what the loss will be if the event occurs. The ALE formula itself is simple:

ALE = SLE × ARO

As an example, consider that a magnitude 4 earthquake impacting a facility in New York has been given an SLE of $450,000 and an ARO of 2%:

ALE = $450,000 × 2% = $9,000

Having made the ALE calculation, the BCP team now has a quantifiable dollar value to assign to the risk of an earthquake impacting the facility. The ALE can be used to understand risk and help set priorities for the protection of assets.

Understanding the business impact assessment is an important component of your preparation for a variety of security certification programs. If you’re interested in earning your next security certification, sign up for the free CertMike study groups for the CISSP, Security+, SSCP, or CySA+ exam.
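The SLE and ALE formulas above, carried through for a small risk register and ranked by ALE so the highest annual exposure surfaces first. This is an added example, not code from the CertMike article; the laptop and hurricane AV/EF values and the earthquake SLE/ARO are the article’s numbers, while the remaining ARO values and the earthquake EF are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

CENTS = Decimal("0.01")


def _dec(value):
    """Convert int/float/str input to Decimal via str() to avoid float noise."""
    return Decimal(str(value))


def single_loss_expectancy(av, ef):
    """SLE = AV x EF. EF is a fraction of the asset value (0.60 means 60%)."""
    av, ef = _dec(av), _dec(ef)
    if not (0 <= ef <= 1):
        raise ValueError("exposure factor must lie between 0 and 1")
    return (av * ef).quantize(CENTS, rounding=ROUND_HALF_UP)


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO. ARO is expected events per year (0.02 means 2%)."""
    sle, aro = _dec(sle), _dec(aro)
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return (sle * aro).quantize(CENTS, rounding=ROUND_HALF_UP)


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str
    av: str   # asset value in dollars
    ef: str   # exposure factor as a fraction
    aro: str  # annualized rate of occurrence


def rank_risks(entries):
    """Return one row per asset/threat pair, highest ALE first."""
    rows = []
    for e in entries:
        sle = single_loss_expectancy(e.av, e.ef)
        ale = annualized_loss_expectancy(sle, e.aro)
        rows.append({"asset": e.asset, "threat": e.threat, "sle": sle, "ale": ale})
    return sorted(rows, key=lambda r: r["ale"], reverse=True)


# Constructed register: the laptop and hurricane AV/EF and the earthquake
# SLE ($450,000) and ARO (2%) follow the article; ARO for theft and hurricane
# and the earthquake EF (45% of a $1,000,000 facility) are assumed values.
REGISTER = [
    RiskEntry("laptop", "theft", "1500", "1.00", "0.5"),
    RiskEntry("facility", "hurricane", "1000000", "0.60", "0.05"),
    RiskEntry("facility", "magnitude 4 earthquake", "1000000", "0.45", "0.02"),
]

if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        print(f"{r['asset']:<9} {r['threat']:<23} SLE ${r['sle']:>12,} ALE ${r['ale']:>10,}")
```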

The security policy framework is the unifying structure that ties together an organization’s security documentation. Ensuring security is a multi-layered process that extends throughout a business, agency or institution. Accordingly, an organization’s security policy framework encompasses the vision of its senior leadership, the laws and regulations that apply to its operations, and all of the specific guidance necessary to successfully achieve the security goals.

By giving structure to the variety of documents necessary for security, the framework helps to ensure that all of the important elements of a security process are in place, and that there is a vehicle for communicating these elements across the organization. There is a general hierarchy of documentation that organizations follow when establishing security policy frameworks. The different levels of the hierarchy address specific types of communication needs and focus on a category of information and issues.

The security documentation hierarchy

At the top of the hierarchy are security policies, followed by standards, guidelines and procedures. If you are preparing for the CISSP, Security+, CySA+, or another security certification exam, you will need to have an understanding of the security policy framework. You should be able to explain each level in the hierarchy, the types of information communicated at that level, and the importance of that type of communication to providing comprehensive security.

One important distinction to be made is that compliance with policies, standards, and procedures is mandatory, while guidelines are optional.

Security Policies

Security policies are high-level documents that describe an organization’s security goals. They provide an overview of security needs, discussing the scope of the security that is needed and the resources required to provide that security.

There are three types of security policy:

- Organizational security policies
- Issue-specific security policies
- System-specific security policies

Every organization should have an organizational (or master) security policy. This policy is a strategic plan that presents the value of security to the organization and discusses the importance of security in all of the various activities within the organization. Features of an organizational security policy include defining roles, audit requirements, enforcement procedures, compliance requirements, and acceptable risk levels.

An issue-specific security policy focuses on a function or service within the organization that has distinct security requirements. Examples of issue-specific policies include an email policy, a media disposal policy, or a physical security policy.

A system-specific security policy is concerned with specific systems or types of system. It describes hardware and software approved for that system and how that system is to be protected.

In addition to the three focused types of security policy, there are three broad categories of policy: regulatory, advisory, and informative.

As its name implies, a regulatory policy discusses compliance issues for any regulatory frameworks that might apply to an organization, such as the Sarbanes-Oxley Act (SOX) of 2002 for finance firms, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 for healthcare organizations, or any number of state and federal regulations that guide the way an organization manages security.

An advisory policy is used to communicate an organization’s internally driven standards for behaviors and activities. It presents the security ideals of the organization’s leadership and the consequences of security violations.

An informative policy is designed to enlighten employees about a specific security topic. Informative policies frequently provide background information in support of other security policies without any prescriptive actions or requirements.

Adherence to policies is mandatory.

Security Standards

Standards occupy the layer below policies in the hierarchy. They add specificity to the guidance, defining the instructions or methods that are necessary to achieve the objectives articulated in the security policies. Where policies are considered strategic documents, standards are tactical documents which provide a course of action. Compliance with standards is mandatory.

Baselines are related to standards and are sometimes considered an additional layer in the hierarchy. Baselines specify minimum levels of security that all systems must meet. They are often system-specific and frequently refer to an industry or government standard. Common standards include the Trusted Computer System Evaluation Criteria (TCSEC), the Information Technology Security Evaluation Criteria (ITSEC), and the NIST (National Institute of Standards and Technology) standards.

Security Guidelines

Guidelines are recommendations and practical guidance to help staff implement standards and baselines. Guidelines target all levels of staff, including both security professionals and general users. They are intentionally flexible and are designed to be customized for new equipment and emerging situations.

Guidelines are considered suggested actions and compliance is therefore optional.

Security Procedures

Procedures make up the bottom layer of the documentation hierarchy. They are the most detailed and prescriptive of all the documentation. Procedures provide step-by-step instructions which guide staff in exactly how to correctly implement specific security controls. Procedures are very specific to the system or function they relate to and range from administrative duties to advanced hardware configuration. Examples of procedures include detailed instructions for configuring a router, installing antivirus software or sending an encrypted email.

Compliance with security procedures is mandatory.

Understanding the security policy framework is an important component of your preparation for a variety of security certification programs. If you’re interested in earning your next security certification, sign up for the free CertMike study groups for the CISSP, Security+, SSCP, or CySA+ exam.

Data classification is the process by which data is evaluated for its risk and sensitivity and then assigned a label which determines the level of security that will be used to protect that data. Simply put, less sensitive data is protected at a lower level and more sensitive data is protected at a higher level. There are two different classification schemes in general use: one scheme is used in government and military settings and the other in commercial, private sector settings.

Data classification is an important component of an effective security program, giving organizations a mechanism to appropriately direct the effort, money and resources required to protect data. If you are preparing for the CISSP, Security+, CySA+, or another security certification exam, you will need to have an understanding of why and how data is classified. You should make sure you know the five levels of government/military classification and the four levels of commercial, private sector classification.

Benefits of Classification

Having a data classification scheme in place provides necessary structure to the protection of an organization’s data. It provides guidance for identifying which assets are most critical or valuable to the organization and helps to define access levels and permissible use. A complete system also provides guidance for data lifecycle management and includes parameters for the declassification and/or destruction of resources that are no longer valuable.

With few exceptions, most organizations have data that varies in its sensitivity. A single private sector IT system, for example, might house everything from benign marketing flyers and cafeteria menus to personally identifiable employee payroll data and proprietary strategic planning documents.

While it might be tempting to secure all systems at the highest level to avoid any accidental release of sensitive data, there are a number of factors that make such a broad-brush approach not only impractical, but actually detrimental to the organization. More rigorous security controls tend to be more expensive, so providing high security to items which are not sensitive wastes resources that would be better applied to the more sensitive data. Also, keeping data secure involves putting restrictions on how that data is accessed. Securing data at too high a level places an unnecessary burden on the organization, making it more difficult and time consuming for employees to do their jobs.

In addition to providing structure to data security, data classification provides important signals to an organization and its employees. By labeling data as sensitive and needing protection, all employees will be aware that steps need to be taken to prevent its release. If no classification system were in place, employees would need to evaluate each item individually every time it is accessed. Not only would such a system be inefficient, the risk of mishandling sensitive data would be unacceptably high.

U.S. Government Classification System

The United States government classification system is established under executive order and federal regulations which describe the classification, declassification, and handling of national security information generated by the U.S. government and contractors. Improper handling of classified data can have severe legal consequences.

There are five levels of classification used by the United States government and military. Let’s dive into the definitions of each of these classification levels:

Top Secret: Disclosure of top secret data would cause grave damage to national security. Top secret data is given the highest levels of protection and access is restricted to persons with a “need to know.”

Secret: Disclosure of secret data would cause serious damage to national security. While this data is considered less sensitive than data classified as top secret, it is nonetheless given a high level of protection with many safeguards and procedures that must be followed.

Confidential: Confidential is the lowest level of government classified data. Its release would cause some harm to national security.

Sensitive But Unclassified (SBU): The SBU designation is used for data that is not classified, but there are reasons to protect the information from release. The SBU designation is often used when release of data could violate the privacy rights of citizens.

Unclassified: Unclassified is data that has no classification or is not sensitive.

Corporate Classification Systems

There is no single classification system in use by private sector entities. For security certification exam preparation you will want to focus on four designations commonly used in businesses and other private sector organizations:

Highly Sensitive: In many schemes, highly sensitive information is the highest level of private sector classification. Confidential data is highly sensitive and significant harm could come to the company if it is disclosed. Examples of highly sensitive information include Social Security numbers, health records, credit card information and other highly regulated and valuable data elements.

Sensitive: Sensitive information is information that does not reach the highly sensitive level, but could cause serious harm to the company if disclosed to unauthorized individuals. Examples of sensitive information might include employee records or secret business plans.

Internal: Internal information is information that the company does not intend to disclose publicly, but would cause minimal harm if accidentally or maliciously disclosed. A company directory might fit into this category.

Public: Public is the lowest level of classification. It is used for data which is intended for public disclosure, such as marketing materials or a company website.

Understanding data classification is an important component of your preparation for a variety of security certification programs. If you’re interested in earning your next security certification, sign up for the free CertMike study groups for the CISSP, Security+, SSCP, or CySA+ exam.