Nov 25 2024

Adding Value with Adding Value with Risk-Based Information Security

The article emphasizes the importance of integrating risk management and information security management systems (ISMS) for effective IT security. It recommends a risk-based approach, leveraging frameworks like ISO/IEC 27001 and NIST Cybersecurity Framework (CSF) 2.0, to guide decisions that counteract risks while aligning with business objectives. Combining these methodologies enhances control accuracy and ensures that organizational assets critical to business goals are appropriately classified and protected.

An enterprise risk management system (ERMS) bridges IT operations and business processes by defining the business value of organizational assets. This alignment enables ISMS to identify and safeguard IT assets vital to achieving organizational objectives. Developing a registry of assets through ERMS avoids redundancies and ensures ISMS efforts are business-driven, not purely technological.

The NIST CSF 2.0 introduces a “govern” function, improving governance, priority-setting, and alignment with security objectives. It integrates with frameworks like ISO 27001 using a maturity model to evaluate controls’ effectiveness and compliance. This approach ensures clarity, reduces redundancies, and provides actionable insights into improving cybersecurity risk profiles and resilience across the supply chain.

Operationally, integrating frameworks involves a centralized tool for managing controls, aligning them with risk treatment plans (RTP), and avoiding overlaps. By sharing metrics across frameworks and using maturity models, organizations can efficiently evaluate security measures and align with business goals. The article underscores the value of combining ISO 27001’s holistic ISMS with NIST CSF’s risk-focused profile to foster continual improvement in an evolving digital ecosystem.

For example, let’s consider an elementary task such as updating the risk policy. This is part of control 5.1 of ISO27001 on information security policies. It is part of the subcategory GV.PO-01 of the NIST CSF on policies for managing cybersecurity risks, but it is also present in the RTP with regard to the generic risk of failure to update company policies. The elementary control tasks are evaluated individually. Then, the results of multiple similar tasks are aggregated to obtain a control of one of the various standards, frameworks or plans that we are considering.

Best method for evaluating the effectiveness of control activities may be to adopt the Capability Maturity Model Integration (CMMI). It is a simple model for finding the level of maturity of implementation of an action with respect to the objectives set for that action. Furthermore, it is sufficiently generic to be adaptable to all evaluation environments and is perfectly linked with gap analysis. The latter is precisely the technique suitable for our evaluations – that is, by measuring the current state of maturity of implementation of the control and comparing it with the pre-established level of effectiveness, we are able to determine how much still needs to be done.

In short, the advantage of evaluating control tasks instead of the controls proposed by the frameworks is twofold.

  • The first advantage is in the very nature of the control task that corresponds to a concrete action, required by some business process, and therefore well identified in terms of role and responsibility. In other words, something is used that the company has built for its own needs and therefore knows well. This is an indicator of quality in the evaluation.
  • The second advantage is in the method of treatment of the various frameworks. Instead of building specific controls with new costs to be sustained for their management, it is preferable to identify each control of the framework for which control tasks are relevant and automatically aggregate the relative evaluations. The only burden is to define the relationship between the companys control tasks and the controls of the chosen framework, but just once.

More details and considerations on pros and cons are described in recent ISACA Journal article, “Adding Value With Risk-Based Information Security.”

Source: National Institute of Standards and Technology, The NIST Cybersecurity Framework (CSF) 2.0, USA, 2024, https://www.nist.gov/informative-references

Information Security Risk Management for ISO 27001/ISO 27002

Information Security Risk Assessment Workshop

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: Risk-Based Information Security


Nov 05 2024

ISO 27001 clauses 6.1.2 and 6.1.3 on information security risk assessment should be relocated to clause 8

Category: ISO 27k,Risk Assessment,Security Risk Assessmentdisc7 @ 9:03 am

Clause 6.1.1 is often misunderstood and frequently overlooked. It requires organizations to assess risks and opportunities specifically related to the Information Security Management System (ISMS)—focusing not on information security itself, but on the ISMS’s effectiveness. This is distinct from the information security risk assessment activities outlined in 6.1.2 and 6.1.3, which require different methods and considerations.

In practice, it’s rare for organizations to assess ISMS-specific risks and opportunities (per 6.1.1), and certification auditors seldom address this requirement.

To clarify, it’s proposed that the information security risk assessment activities (6.1.2 and 6.1.3) be moved to clause 8. This aligns with the structure of other management system standards (e.g., ISO 22301 for Business Continuity Planning). Additionally, a note similar to ISO 22301’s should be included:

“Risks in this sub clause relate to information security, while risks and opportunities related to the effectiveness of the management system are addressed in 6.1.1.”

Need expert guidance? Book a free 30-minute consultation with a ISO27k expert.

ISO/IEC 27001:2022 – Mastering Risk Assessment and the Statement of Applicability

The Risk Assessment Process and the tool that supports it

What is the significance of ISO 27001 certification for your business?

ISO 27k Chat bot

Pragmatic ISO 27001 Risk Assessments

ISO/IEC 27001:2022 – Mastering Risk Assessment and the Statement of Applicability

Risk Register Templates: Asset and risk register template system for cybersecurity and information security management suitable for ISO 27001 and NIST

ISO 27001 implementation ISO 27002 ISO 27701 ISO 27017 ISO27k

How to Address AI Security Risks With ISO 27001

How to Conduct an ISO 27001 Internal Audit

4 Benefits of ISO 27001 Certification

How to Check If a Company Is ISO 27001 Certified

How to Implement ISO 27001: A 9-Step Guide

ISO 27001 Standard, Risk Assessment and Gap Assessment

ISO 27001 standards and training

What is ISO 27002:2022

Previous posts on ISO 27k

ISO 27001/2 latest titles

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: clauses 6.1.2, clauses 6.1.3


Nov 04 2024

The Risk Assessment Process and the tool that supports it

Category: ISO 27k,Risk Assessment,Security Risk Assessmentdisc7 @ 12:00 pm

The “Risk Assessment analysis” covers key areas of risk assessment in information security:

  1. Risk Assessment Process: The core steps include identifying assets, analyzing risks, and evaluating the value and impact of each risk. This process helps determine necessary controls and treatments to mitigate or accept risks.
  2. Types of Risk:
    • Asset-Based Risk: Focuses on assessing risks to tangible assets like data or hardware.
    • Scenario-Based Risk: Evaluates hypothetical risk scenarios, such as potential data breaches.
  3. Risk Analysis:
    • Impact Analysis: Measures the financial, operational, and reputational impact of risks, assigning scores from 1 (very low) to 5 (very high).
    • Likelihood Analysis: Assesses how likely a risk event is to occur, also on a scale from 1 to 5.
  4. Risk Response Options:
    • Tolerate (accept risk),
    • Treat (mitigate risk),
    • Transfer (share risk, e.g., via insurance),
    • Terminate (avoid risk by ceasing the risky activity).
  5. Residual Risk and Risk Appetite: After treatments are applied, residual risk remains. Organizations determine their acceptable level of risk, known as risk appetite, to guide their response strategies.

These structured steps ensure consistent, repeatable risk management across information assets, aligning with standards like ISO 27001.

The Risk Assessment Process involves systematically identifying and evaluating potential risks to assets. This includes:

  • Identifying Assets: Recognizing valuable information assets, such as data or physical equipment.
  • Risk Analysis: Analyzing the potential threats and vulnerabilities related to these assets to assess the level of risk they pose.
  • Evaluating Impact and Likelihood: Measuring the potential impact of each risk and estimating how likely each risk is to occur.
  • Implementing Controls: Deciding on control measures to mitigate, transfer, accept, or avoid each risk, based on organizational risk tolerance.

To streamline this process, organizations often use risk assessment tools. These tools assist by automating data collection, calculating risk levels, and supporting decision-making on risk treatments, ultimately making the assessment more consistent, thorough, and efficient.

CyberComply makes compliance with cybersecurity requirements and data privacy laws simple and affordable.

  • Manage all your cybersecurity and data privacy obligations
  • Accelerate certification and supercharge project effectiveness
  • Get immediate visibility of critical data and key performance indicators
  • Stay ahead of regulatory changes with our scalable compliance solution
  • Reduce errors and improve completeness of risk management processes
  • Identify and treat data security risks before they become critical concerns

Reduce data security risks with agility and efficiency

  • Quickly identify and treat data security risks before they become critical concerns with the intuitive, easy-to-use risk manager tool
  • Keep track of data security compliance requirements and the security controls you have in place in conjunction with critical laws and information security frameworks
  • Demonstrate compliance with ISO 27001, the leading information security management standard, with powerful built-in reports
  • The software includes control sets from ISO 27001, ISO 27017, ISO 27018, ISO 22301, ISO 27032, NIST, CSA CCM, the PCI DSS, SOC 2, and the CPRA

Need expert guidance? Book a free 30-minute consultation with a Risk assessment specialist.

What is the significance of ISO 27001 certification for your business?

ISO 27k Chat bot

Pragmatic ISO 27001 Risk Assessments

ISO/IEC 27001:2022 – Mastering Risk Assessment and the Statement of Applicability

Risk Register Templates: Asset and risk register template system for cybersecurity and information security management suitable for ISO 27001 and NIST

ISO 27001 implementation ISO 27002 ISO 27701 ISO 27017 ISO27k

How to Address AI Security Risks With ISO 27001

How to Conduct an ISO 27001 Internal Audit

4 Benefits of ISO 27001 Certification

How to Check If a Company Is ISO 27001 Certified

How to Implement ISO 27001: A 9-Step Guide

ISO 27001 Standard, Risk Assessment and Gap Assessment

ISO 27001 standards and training

What is ISO 27002:2022

Previous posts on ISO 27k

ISO 27001/2 latest titles

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Risk Assessment analysis, Risk Assessment Process


Oct 30 2024

A step-by-step guide to risk management following ISO 27001 and ISO 27005 standards

Category: ISO 27k,Risk Assessment,Security Risk Assessmentdisc7 @ 9:44 am

The ISO 27001 risk management guide provides a structured methodology for managing information security risks aligned with ISO standards. It first covers setting risk criteria, helping organizations define their risk appetite and identify high-priority assets and vulnerabilities. Risk assessment follows, where risks are quantified based on their likelihood and impact, allowing for prioritization.

The guide emphasizes the importance of treatment planning, advising on risk responses: avoidance, transfer, mitigation, or acceptance, with decisions documented for compliance. Documentation ensures transparency and traceability, forming a record of risk decisions.

A key component is regular review, where organizations reassess risks as threats change, supporting ISO 27001’s principle of continuous improvement. This cyclical approach helps keep the risk management framework adaptable and responsive to evolving security needs.

Additionally, the guide underscores the role of management, recommending their involvement in review and support of risk processes. Management buy-in ensures that security efforts align with strategic goals, encouraging organization-wide commitment.

In summary, the guide helps organizations maintain a robust, adaptive risk management system that meets ISO 27001 standards, enabling proactive risk control. For more detail, you can access the document here.

some commonly adopted approaches:

What is the significance of ISO 27001 certification for your business?

ISO 27k Chat bot

Pragmatic ISO 27001 Risk Assessments

ISO/IEC 27001:2022 – Mastering Risk Assessment and the Statement of Applicability

Risk Register Templates: Asset and risk register template system for cybersecurity and information security management suitable for ISO 27001 and NIST

ISO 27001 implementation ISO 27002 ISO 27701 ISO 27017 ISO27k

How to Address AI Security Risks With ISO 27001

How to Conduct an ISO 27001 Internal Audit

4 Benefits of ISO 27001 Certification

How to Check If a Company Is ISO 27001 Certified

How to Implement ISO 27001: A 9-Step Guide

ISO 27001 Standard, Risk Assessment and Gap Assessment

ISO 27001 standards and training

What is ISO 27002:2022

Previous posts on ISO 27k

ISO 27001/2 latest titles

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: guide to risk management, iso 27001, iso 27005


Oct 16 2024

Not all information security risks translate directly to business risks

There is a misconception among security professionals: the belief that all information security risks will result in significant business risks. This perspective is misleading because not every information security incident has a severe impact on an organization’s bottom line. Business decision-makers can become desensitized to security alerts if they are inundated with generalized statements, leading them to ignore real risks. Thus, it is essential for security experts to present nuanced, precise analyses that distinguish between minor and significant threats to maintain credibility and ensure their assessments are taken seriously.

There are two types of risks:

  1. Information Security Risk: This occurs when a threat (e.g., a virus) encounters a vulnerability (e.g., lack of antivirus protection), potentially compromising confidentiality, availability, or integrity of information. Depending on the severity, it can range from a minor issue, like a temporary power outage, to a critical breach, such as theft of sensitive data.
  2. Business Risk: This affects the organization’s financial stability, compelling decision-makers to act. It can manifest as lost revenue, increased costs (e.g., penalties), or reputational damage, especially if regulatory fines are involved.

Not all information security risks translate directly to business risks. For example, ISO27001 emphasizes calculating the Annual Loss Expectation (ALE) and suggests that risks should only be addressed if their ALE exceeds the organization’s acceptable threshold.

Example:

Small Business Data Breach: A small Apple repair company faced internal sabotage when a disgruntled employee reformatted all administrative systems, erasing customer records. The company managed to recover by restoring data from backups and keeping customer communication open. Despite the breach’s severity, the company retained its customers, and the incident was contained. This case underscores the importance of adequate data management and disaster recovery planning.

Several factors to consider when assessing the relationship between information security and business risk:

  • Business Model: Certain businesses can withstand breaches with minimal financial impact, while others (e.g., payment processors) face more significant risks.
  • Legal Impact: Fines and legal costs can sometimes outweigh the direct costs of a breach. Organizations must assess regulatory requirements and contractual obligations to understand potential legal implications.
  • Direct Financial Impact: While breaches can lead to financial loss, this is sometimes treated as a routine cost of doing business, akin to paying for regular IT services.
  • Affected Stakeholders: It is crucial to identify which parties will bear the brunt of the damage. In some cases, third parties, like investors, may suffer more than the organization experiencing the breach.

Ultimately, information security risks must be evaluated within the broader business context. A comprehensive understanding of the company’s environment, stakeholders, and industry will help in prioritizing actions and reducing overall breach costs.

Information Risk Management: A practitioner’s guide

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: business risks, Information Risk Management: A practitioner's guide


Oct 09 2024

Pragmatic ISO 27001 Risk Assessments

Category: ISO 27k,Risk Assessment,Security Risk Assessmentdisc7 @ 1:33 pm

Andrew Pattison, a seasoned expert with over 30 years in information security and risk management, emphasizes the pragmatic nature of ISO 27001 in this interview. He explains that ISO 27001 is often misunderstood as a rigid framework when, in fact, it takes a flexible, risk-based approach. This misconception arises because many implementers prioritize certification, leading them to adopt a “you must do X” attitude, which gives the impression that the standard’s clauses are more rigid than they are. Pattison stresses that organizations can tailor controls based on risk, selecting or excluding controls as needed, provided they can justify these decisions.

He explains that a true risk-based approach to ISO 27001 involves understanding risk as the combination of a vulnerability, a threat to that vulnerability, and the likelihood of that threat being exploited. Organizations often focus on sensationalized, niche technical risks rather than practical issues like staff awareness training, which can be addressed easily and cost-effectively. Pattison advises focusing on risks that have a real-world impact, rather than obscure ones that are less likely to materialize.

To keep risk assessments manageable, Pattison advocates for simplicity. He favors straightforward risk matrices and encourages organizations to focus on what truly matters. According to him, risk management should answer two questions: “What do I need to worry about?” and “How do I address those worries?” Complicated risk assessments, often bogged down by mathematical models, fail to provide clear, actionable insights. The key is to maintain focus on where the real risks lie and avoid unnecessary complexity.

Pattison also believes in actively involving clients in the risk assessment process, rather than conducting it on their behalf. By guiding clients through the process, he helps them develop a deeper understanding of their own risks, linking these risks to their business objectives and justifying the necessary controls. This collaborative approach ensures that clients are better equipped to manage their risks in a meaningful and practical way, rather than relying on third parties to do the work for them.

For more information on Andrew Pattison interview, you can visit here

ISO 27k Chat bot

ISO/IEC 27001:2022 – Mastering Risk Assessment and the Statement of Applicability

Risk Register Templates: Asset and risk register template system for cybersecurity and information security management suitable for ISO 27001 and NIST

ISO 27001 implementation ISO 27002 ISO 27701 ISO 27017 ISO27k

How to Address AI Security Risks With ISO 27001

How to Conduct an ISO 27001 Internal Audit

4 Benefits of ISO 27001 Certification

How to Check If a Company Is ISO 27001 Certified

How to Implement ISO 27001: A 9-Step Guide

ISO 27001 Standard, Risk Assessment and Gap Assessment

ISO 27001 standards and training

What is ISO 27002:2022

Previous posts on ISO 27k

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: iso 27001, ISO 27001 Risk Assessment, ISO27k


Apr 12 2024

An Adoption Guide
For FAIR

Category: Risk Assessment,Security Risk Assessmentdisc7 @ 8:44 am

Via RiskLens

Measuring and Managing Information Risk: A FAIR Approach

Factor Analysis of Information Risk (FAIR), a powerful methodology for assessing and quantifying information risks. Here’s a comprehensive overview:

1. What Is FAIR?
a. FAIR, short for Factor Analysis of Information Risk, is a quantitative risk quantification methodology designed to help businesses evaluate information risks.
b. It stands out as the only international standard quantitative model framework that addresses both operational risk and information security.
c. Mature organizations that utilize Integrated Risk Management (IRM) solutions significantly benefit from FAIR.

2. Objective of FAIR:
a. The primary goal of FAIR is to support existing frameworks and enhance risk management strategies within organizations.
b. Unlike cybersecurity frameworks (such as NIST CSF), FAIR is not a standalone framework. Instead, it complements other industry-standard frameworks like NIST, ISO 2700x, and more.
c. As organizations shift from a compliance-based approach to a risk-based approach, they need a quantitative risk methodology to support this transition.

3. How FAIR Differs from Legacy Risk Quantification Methods:
a. FAIR is not a black-box approach like traditional penetration testing. Instead, it operates as a “glass-box” method.
b. Legacy methods focus on penetration testing without internal knowledge of the target system. While they identify vulnerabilities, they cannot provide the financial impact of risks.
c. In contrast, FAIR translates an organization’s loss exposure into financial terms, enabling better communication between technical teams and non-technical leaders.
d. FAIR provides insights into how metrics were derived, allowing Chief Information Security Officers (CISOs) to present detailed information to board members and executives.

4. Benefits of FAIR:
a. Financial Context: FAIR expresses risks in dollars and cents, making it easier for decision-makers to understand.
b. Risk Gap Identification: FAIR helps organizations efficiently allocate resources to address risk gaps.
c. Threat Level Scaling: Unlike other frameworks, FAIR scales threat levels effectively.
d. Board Engagement: FAIR fosters interest in cybersecurity among board members and non-technical leaders.

5. Drawbacks of FAIR:
a. Complexity: FAIR lacks specific, well-defined documentation of its methods.
b. Complementary Methodology: FAIR is not an independent risk assessment tool; it complements other frameworks.
c. Probability-Based: While FAIR’s probabilities are not baseless, they may not be entirely accurate due to the unique nature of cyber-attacks and their impact.

In summary, FAIR revolutionizes risk analysis by providing a quantitative, financially oriented perspective on information risk. It bridges the gap between technical and non-technical stakeholders, enabling better risk management decisions.

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: A FAIR Approach


Mar 21 2024

HACK-PROOF YOUR CLOUD: THE STEP-BY-STEP CONTINUOUS THREAT EXPOSURE MANAGEMENT CTEM STRATEGY FOR AWS & AZURE

Continuous Threat Exposure Management (CTEM) is an evolving cybersecurity practice focused on identifying, assessing, prioritizing, and addressing security weaknesses and vulnerabilities in an organization’s digital assets and networks continuously. Unlike traditional approaches that might assess threats periodically, CTEM emphasizes a proactive, ongoing process of evaluation and mitigation to adapt to the rapidly changing threat landscape. Here’s a closer look at its key components:

  1. Identification: CTEM starts with the continuous identification of all digital assets within an organization’s environment, including on-premises systems, cloud services, and remote endpoints. It involves understanding what assets exist, where they are located, and their importance to the organization.
  2. Assessment: Regular and ongoing assessments of these assets are conducted to identify vulnerabilities, misconfigurations, and other security weaknesses. This process often utilizes automated scanning tools and threat intelligence to detect issues that could be exploited by attackers.
  3. Prioritization: Not all vulnerabilities pose the same level of risk. CTEM involves prioritizing these weaknesses based on their severity, the value of the affected assets, and the potential impact of an exploit. This helps organizations focus their efforts on the most critical issues first.
  4. Mitigation and Remediation: Once vulnerabilities are identified and prioritized, CTEM focuses on mitigating or remedying these issues. This can involve applying patches, changing configurations, or implementing other security measures to reduce the risk of exploitation.
  5. Continuous Improvement: CTEM is a cyclical process that feeds back into itself. The effectiveness of mitigation efforts is assessed, and the approach is refined over time to improve security posture continuously.

The goal of CTEM is to reduce the “attack surface” of an organization—minimizing the number of vulnerabilities that could be exploited by attackers and thereby reducing the organization’s overall risk. By continuously managing and reducing exposure to threats, organizations can better protect against breaches and cyber attacks.

CTEM VS. ALTERNATIVE APPROACHES

Continuous Threat Exposure Management (CTEM) represents a proactive and ongoing approach to managing cybersecurity risks, distinguishing itself from traditional, more reactive security practices. Understanding the differences between CTEM and alternative approaches can help organizations choose the best strategy for their specific needs and threat landscapes. Let’s compare CTEM with some of these alternative approaches:

1. CTEM VS. PERIODIC SECURITY ASSESSMENTS

  • Periodic Security Assessments typically involve scheduled audits or evaluations of an organization’s security posture at fixed intervals (e.g., quarterly or annually). This approach may fail to catch new vulnerabilities or threats that emerge between assessments, leaving organizations exposed for potentially long periods.
  • CTEM, on the other hand, emphasizes continuous monitoring and assessment of threats and vulnerabilities. It ensures that emerging threats can be identified and addressed in near real-time, greatly reducing the window of exposure.

2. CTEM VS. PENETRATION TESTING

  • Penetration Testing is a targeted approach where security professionals simulate cyber-attacks on a system to identify vulnerabilities. While valuable, penetration tests are typically conducted annually or semi-annually and might not uncover vulnerabilities introduced between tests.
  • CTEM complements penetration testing by continuously scanning for and identifying vulnerabilities, ensuring that new threats are addressed promptly and not just during the next scheduled test.

3. CTEM VS. INCIDENT RESPONSE PLANNING

  • Incident Response Planning focuses on preparing for, detecting, responding to, and recovering from cybersecurity incidents. It’s reactive by nature, kicking into gear after an incident has occurred.
  • CTEM works upstream of incident response by aiming to prevent incidents before they happen through continuous threat and vulnerability management. While incident response is a critical component of a comprehensive cybersecurity strategy, CTEM can reduce the likelihood and impact of incidents occurring in the first place.

4. CTEM VS. TRADITIONAL VULNERABILITY MANAGEMENT

  • Traditional Vulnerability Management involves identifying, classifying, remediating, and mitigating vulnerabilities within software and hardware. While it can be an ongoing process, it often lacks the continuous, real-time monitoring and prioritization framework of CTEM.
  • CTEM enhances traditional vulnerability management by integrating it into a continuous cycle that includes real-time detection, prioritization based on current threat intelligence, and immediate action to mitigate risks.

KEY ADVANTAGES OF CTEM

  • Real-Time Threat Intelligence: CTEM integrates the latest threat intelligence to ensure that the organization’s security measures are always ahead of potential threats.
  • Automation and Integration: By leveraging automation and integrating various security tools, CTEM can streamline the process of threat and vulnerability management, reducing the time from detection to remediation.
  • Risk-Based Prioritization: CTEM prioritizes vulnerabilities based on their potential impact on the organization, ensuring that resources are allocated effectively to address the most critical issues first.

CTEM offers a comprehensive and continuous approach to cybersecurity, focusing on reducing exposure to threats in a dynamic and ever-evolving threat landscape. While alternative approaches each have their place within an organization’s overall security strategy, integrating them with CTEM principles can provide a more resilient and responsive defense mechanism against cyber threats.

CTEM IN AWS

Implementing Continuous Threat Exposure Management (CTEM) within an AWS Cloud environment involves leveraging AWS services and tools, alongside third-party solutions and best practices, to continuously identify, assess, prioritize, and remediate vulnerabilities and threats. Here’s a detailed example of how CTEM can be applied in AWS:

1. IDENTIFICATION OF ASSETS

  • AWS Config: Use AWS Config to continuously monitor and record AWS resource configurations and changes, helping to identify which assets exist in your environment, their configurations, and their interdependencies.
  • AWS Resource Groups: Organize resources by applications, projects, or environments to simplify management and monitoring.

2. ASSESSMENT

  • Amazon Inspector: Automatically assess applications for vulnerabilities or deviations from best practices, especially important for EC2 instances and container-based applications.
  • AWS Security Hub: Aggregates security alerts and findings from various AWS services (like Amazon Inspector, Amazon GuardDuty, and IAM Access Analyzer) and supported third-party solutions to give a comprehensive view of your security and compliance status.

3. PRIORITIZATION

  • AWS Security Hub: Provides a consolidated view of security alerts and findings rated by severity, allowing you to prioritize issues based on their potential impact on your AWS environment.
  • Custom Lambda Functions: Create AWS Lambda functions to automate the analysis and prioritization process, using criteria specific to your organization’s risk tolerance and security posture.

4. MITIGATION AND REMEDIATION

  • AWS Systems Manager Patch Manager: Automate the process of patching managed instances with both security and non-security related updates.
  • CloudFormation Templates: Use AWS CloudFormation to enforce infrastructure configurations that meet your security standards. Quickly redeploy configurations if deviations are detected.
  • Amazon EventBridge and AWS Lambda: Automate responses to security findings. For example, if Security Hub detects a critical vulnerability, EventBridge can trigger a Lambda function to isolate affected instances or apply necessary patches.

5. CONTINUOUS IMPROVEMENT

  • AWS Well-Architected Tool: Regularly review your workloads against AWS best practices to identify areas for improvement.
  • Feedback Loop: Implement a feedback loop using AWS CloudWatch Logs and Amazon Elasticsearch Service to analyze logs and metrics for security insights, which can inform the continuous improvement of your CTEM processes.

IMPLEMENTING CTEM IN AWS: AN EXAMPLE SCENARIO

Imagine you’re managing a web application hosted on AWS. Here’s how CTEM comes to life:

  • Identification: Use AWS Config and Resource Groups to maintain an updated inventory of your EC2 instances, RDS databases, and S3 buckets critical to your application.
  • Assessment: Employ Amazon Inspector to regularly scan your EC2 instances for vulnerabilities and AWS Security Hub to assess your overall security posture across services.
  • Prioritization: Security Hub alerts you to a critical vulnerability in an EC2 instance running your application backend. It’s flagged as high priority due to its access to sensitive data.
  • Mitigation and Remediation: You automatically trigger a Lambda function through EventBridge based on the Security Hub finding, which isolates the affected EC2 instance and initiates a patching process via Systems Manager Patch Manager.
  • Continuous Improvement: Post-incident, you use the AWS Well-Architected Tool to evaluate your architecture. Insights gained lead to the implementation of stricter IAM policies and enhanced monitoring with CloudWatch and Elasticsearch for anomaly detection.

This cycle of identifying, assessing, prioritizing, mitigating, and continuously improving forms the core of CTEM in AWS, helping to ensure that your cloud environment remains secure against evolving threats.

CTEM IN AZURE

Implementing Continuous Threat Exposure Management (CTEM) in Azure involves utilizing a range of Azure services and features designed to continuously identify, assess, prioritize, and mitigate security risks. Below is a step-by-step example illustrating how an organization can apply CTEM principles within the Azure cloud environment:

STEP 1: ASSET IDENTIFICATION AND MANAGEMENT

  • Azure Resource Graph: Use Azure Resource Graph to query and visualize all resources across your Azure environment. This is crucial for understanding what assets you have, their configurations, and their interrelationships.
  • Azure Tags: Implement tagging strategies to categorize resources based on sensitivity, department, or environment. This aids in the prioritization process later on.

STEP 2: CONTINUOUS VULNERABILITY ASSESSMENT

  • Azure Security Center: Enable Azure Security Center (ASC) at the Standard tier to conduct continuous security assessments across your Azure resources. ASC provides security recommendations and assesses your resources for vulnerabilities and misconfigurations.
  • Azure Defender: Integrated into Azure Security Center, Azure Defender provides advanced threat protection for workloads running in Azure, including virtual machines, databases, and containers.

STEP 3: PRIORITIZATION OF RISKS

  • ASC Secure Score: Use the Secure Score in Azure Security Center as a metric to prioritize security recommendations based on their potential impact on your environment’s security posture.
  • Custom Logic with Azure Logic Apps: Develop custom workflows using Azure Logic Apps to prioritize alerts based on your organization’s specific criteria, such as asset sensitivity or compliance requirements.

STEP 4: AUTOMATED REMEDIATION

  • Azure Automation: Employ Azure Automation to run remediation scripts or configurations management across your Azure VMs and services. This can be used to automatically apply patches, update configurations, or manage access controls in response to identified vulnerabilities.
  • Azure Logic Apps: Trigger automated workflows in response to security alerts. For example, if Azure Security Center identifies an unprotected data storage, an Azure Logic App can automatically initiate a workflow to apply the necessary encryption settings.

STEP 5: CONTINUOUS MONITORING AND INCIDENT RESPONSE

  • Azure Monitor: Utilize Azure Monitor to collect, analyze, and act on telemetry data from your Azure resources. This includes logs, metrics, and alerts that can help you detect and respond to threats in real-time.
  • Azure Sentinel: Deploy Azure Sentinel, a cloud-native SIEM service, for a more comprehensive security information and event management solution. Sentinel can collect data across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds.

STEP 6: CONTINUOUS IMPROVEMENT AND COMPLIANCE

  • Azure Policy: Implement Azure Policy to enforce organizational standards and to assess compliance at scale. Continuous evaluation of your configurations against these policies ensures compliance and guides ongoing improvement.
  • Feedback Loops: Establish feedback loops using the insights gained from Azure Monitor, Azure Security Center, and Azure Sentinel to refine and improve your security posture continuously.

EXAMPLE SCENARIO: SECURING A WEB APPLICATION IN AZURE

Let’s say you’re managing a web application hosted in Azure, utilizing Azure App Service for the web front end, Azure SQL Database for data storage, and Azure Blob Storage for unstructured data.

  • Identification: You catalog all resources related to the web application using Azure Resource Graph and apply tags based on sensitivity and function.
  • Assessment: Azure Security Center continuously assesses these resources for vulnerabilities, such as misconfigurations or outdated software.
  • Prioritization: Based on the Secure Score and custom logic in Azure Logic Apps, you prioritize a detected SQL injection vulnerability in Azure SQL Database as critical.
  • Mitigation: Azure Automation is triggered to isolate the affected database and apply a patch. Concurrently, Azure Logic Apps notifies the security team and logs the incident for review.
  • Monitoring: Azure Monitor and Azure Sentinel provide ongoing surveillance, detecting any unusual access patterns or potential breaches.
  • Improvement: Insights from the incident lead to a review and enhancement of the application’s code and a reinforcement of security policies through Azure Policy to prevent similar vulnerabilities in the future.

By following these steps and utilizing Azure’s comprehensive suite of security tools, organizations can implement an effective CTEM strategy that continuously protects against evolving cyber threats.

IMPLEMENTING CTEM IN CLOUD ENVIRONMENTS LIKE AWS AND AZURE

Implementing Continuous Threat Exposure Management (CTEM) in cloud environments like AWS and Azure involves a series of strategic steps, leveraging each platform’s unique tools and services. The approach combines best practices for security and compliance management, automation, and continuous monitoring. Here’s a guide to get started with CTEM in both AWS and Azure:

COMMON STEPS FOR BOTH AWS AND AZURE

  1. Understand Your Environment
    • Catalogue your cloud resources and services.
    • Understand the data flow and dependencies between your cloud assets.
  2. Define Your Security Policies and Objectives
    • Establish what your security baseline looks like.
    • Define key compliance requirements and security objectives.
  3. Integrate Continuous Monitoring Tools
    • Leverage cloud-native tools for threat detection, vulnerability assessment, and compliance monitoring.
    • Integrate third-party security tools if necessary for enhanced capabilities.
  4. Automate Security Responses
    • Implement automated responses to common threats and vulnerabilities.
    • Use cloud services to automate patch management and configuration adjustments.
  5. Continuously Assess and Refine
    • Regularly review security policies and controls.
    • Adjust based on new threats, technological advancements, and changes in the business environment.

IMPLEMENTING CTEM IN AWS

  1. Enable AWS Security Services
    • Utilize AWS Security Hub for a comprehensive view of your security state and to centralize and prioritize security alerts.
    • Use Amazon Inspector for automated security assessments to help find vulnerabilities or deviations from best practices.
    • Implement AWS Config to continuously monitor and record AWS resource configurations.
  2. Automate Response with AWS Lambda
    • Use AWS Lambda to automate responses to security findings, such as isolating compromised instances or automatically patching vulnerabilities.
  3. Leverage Amazon CloudWatch
    • Employ CloudWatch for monitoring and alerting based on specific metrics or logs that indicate potential security threats.

IMPLEMENTING CTEM IN AZURE

  1. Utilize Azure Security Tools
    • Activate Azure Security Center for continuous assessment and security recommendations. Use its advanced threat protection features to detect and mitigate threats.
    • Implement Azure Sentinel for SIEM (Security Information and Event Management) capabilities, integrating it with other Azure services for a comprehensive security analysis and threat detection.
  2. Automate with Azure Logic Apps
    • Use Azure Logic Apps to automate responses to security alerts, such as sending notifications or triggering remediation processes.
  3. Monitor with Azure Monitor
    • Leverage Azure Monitor to collect, analyze, and act on telemetry data from your Azure and on-premises environments, helping you detect and respond to threats in real-time.

BEST PRACTICES FOR BOTH ENVIRONMENTS

  • Continuous Compliance: Use policy-as-code to enforce and automate compliance standards across your cloud environments.
  • Identity and Access Management (IAM): Implement strict IAM policies to ensure least privilege access and utilize multi-factor authentication (MFA) for enhanced security.
  • Encrypt Data: Ensure data at rest and in transit is encrypted using the cloud providers’ encryption capabilities.
  • Educate Your Team: Regularly train your team on the latest cloud security best practices and the specific tools and services you are using.

Implementing CTEM in AWS and Azure requires a deep understanding of each cloud environment’s unique features and capabilities. By leveraging the right mix of tools and services, organizations can create a robust security posture that continuously identifies, assesses, and mitigates threats.

AWS Security

Azure Security

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: AWS, AWS security, Azure, Azure Security, cloud security


Sep 20 2023

Balancing budget and system security: Approaches to risk tolerance

Category: Risk Assessment,Security Risk Assessmentdisc7 @ 10:56 am

Recently, it was revealed that Nickelodeon, an American TV channel and brand, has been the victim of a data leak. According to sources, the breach occurred at the beginning of 2023, but much of the data involved was “related to production files only, not long-form content or employee or user data, and (appeared) to be decades old.” The implication of this ambiguous statement: because the data is old and not related to individuals’ personally identifiable information (PII) or any proprietary information that hasn’t already been publicly released, this is a non-incident.

Let’s say Nickelodeon didn’t suffer any material harm because of this incident — great! It’s probable, though, that there are facts we don’t know. Any time proprietary data ends up where it shouldn’t, warning bells should go off in security professionals’ heads. What would be the outcome if the “decades old” files did contain PII? Some of the data would be irrelevant, but some could be crucial. What if the files contained other protected or private data? What if they compromised the integrity of the brand? All organizations need to think through the “what ifs” and apply the worst and base case scenarios to their current security practices.

The Nickelodeon case raises the question of whether keeping “decades old” data is necessary. While holding onto historical data can, in some cases, benefit the organization, every piece of kept data increases the company’s attack surface and increases risk. Why did Nickelodeon keep the old files in a location where it could be easily accessed? If the files were in a separate location, the security team likely did not apply adequate controls to accessing the files. Given that the cost of securing technology and all its inherent complexity is already astronomically high, CISOs need to prioritize budgetary and workforce allocation for all security projects and processes, including those for all past, present, and future data protection.

In a slow economy, balancing system security and budget requires skill and savvy. Even in boom times, though, throwing more money at the problem doesn’t always help. There is no evidence that an increase in security spending proportionately improves an organization’s security posture. In fact, some studies suggest that an overabundance of security tools leads to more confusion and complexity. CISOs should therefore focus on business risk tolerance and reduction.

Approaches to cyber risk management

Because no two organizations are alike, every CISO must find a cyber risk management approach that aligns with the goals, culture, and risk tolerance of the organization. Budget plays an important role here, too, but securing more budget will be an easier task if the security goals align with those of the business. After taking stock of these considerations, CISOs may find that their organizations fall into one or more core approaches to risk management.

Risk tolerance-based approach

Every company– and even every department within a company– has a tolerance for the amount and type of risk they’re willing to take. Security-specific tolerance levels must be based on desired business outcomes; cyber security risk cannot be determined or calculated based on cybersecurity efforts alone, rather how those efforts support the larger business.

To align cybersecurity with business risk, security teams must address business resilience by considering the following questions:

  • How would the business be impacted if a cybersecurity event were to occur?
  • What are the productivity, operational, and financial implications of a cyber event or data breach?
  • How well equipped is the business to handle an event internally?
  • What external resources would be needed to support internal capabilities?

With answers to these types of questions and metrics to support them, cyber risk levels can be appropriately set.

Maturity-based approach

Many companies today estimate their cyber risk tolerance based on how mature they perceive their cybersecurity team and controls to be. For instance, companies with an internal security operations center (SOC) that supports a full complement of experienced staff might be better equipped to handle continuous monitoring and vulnerability triage than a company just getting its security team up and running. Mature security teams are good at prioritizing and remediating critical vulnerabilities and closing the gaps on imminent threats, which generally gives them a higher security risk tolerance.

That said, many SOC teams are too overwhelmed with data, alerts, and technology maintenance to focus on risk reduction. The first thing a company must do if it decides to take on a maturity-based approach is to honestly assess its own level of security maturity, capabilities, and efficacy. A truly mature cybersecurity organization isbetter equipped to manage risk, but self-awareness is vital for security teams regardless of maturity level.

Budget-based approach

Budget constraints are prevalent in all aspects of business today, and running a fully staffed, fully equipped cybersecurity program is no bargain in terms of cost. However, organizations with an abundance of staff and technology don’t necessarily perform better security- or risk-wise. It’s all about being budget savvy for what will be a true compliment to existing systems.

Invest in tools that move the organization toward a zero trust-based architecture, focusing on security foundation and good hygiene first. By laying the right foundations, and having competent staff to manage them, cybersecurity teams will be better off than having the latest and greatest tools implemented without mastering the top CIS Controls: Inventory and control of enterprise and software assets, basic data protection, secure configuration management, hardened access management, log management, and more.

Threat-based approach

An important aspect of a threat-based approach to risk management is understanding that vulnerabilities and threats are not the same thing. Open vulnerabilities can lead to threats (and should therefore be a standard part of every organization’s security process and program). “Threats,” however, refer to a person/persons or event in which a vulnerability has the potential to be exploited. Threats also rely on context and availability of a system or a resource.

For instance, the Log4Shell exploit took advantage of a Log4j vulnerability. The vulnerability resulted in a threat to organizations with an unpatched version of the utility running. Organizations that were not running unpatched versions — no threat.

It is therefore imperative for organizations to know concretely:

  • All assets and entities present in their IT estates
  • The security hygiene of those assets (point in time and historical)
  • Context of the assets (non-critical, business-critical; exposed to the internet or air-gapped; etc.)
  • Implemented and operational controls to secure those assets

With this information and context, security teams can start to build threat models appropriate for the organization and its risk tolerance. The threat models used will, in turn, allow teams to prioritize and manage threats and more effectively reduce risk.

People, process and technology-based approach

People, process, and technology (PPT) are often considered the “three pillars” of technology. Some security pros consider PPT to be a framework. Through whatever lens PPT is viewed, it is the most comprehensive approach to risk management.

A PPT approach has the goal of allowing security teams to holistically manage risk while incorporating an organization’s maturity, budget, threat profile, human resources, skill sets, and the entirety of the organization’s tech stack, as well as its operations and procedures, risk appetite, and more. A well-balanced PPT program is a multi-layered plan that relies evenly on all three pillars; any weakness in one of the areas tips the scales and makes it harder for security teams to achieve success — and manage risk.

The wrap up

Every organization should carefully evaluate its individual capabilities, business goals, and available resources to determine the best risk management strategy for them. Whichever path is chosen, it is imperative for security teams to align with the business and involve organizational stakeholders to ensure ongoing support.

RISK ASSESSMENT: AN INDEPTH GUIDE TO PRINCIPLES, METHODS, BEST PRACTISE, AND INTERVIEW QUESTIONS AND ANSWERS

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: risk tolerance


Mar 12 2023

Security Risk Assessment Services

Category: Risk Assessment,Security Risk AssessmentDISC @ 11:16 pm

Security risk assessment services are crucial in the cybersecurity industry as they help organizations identify, analyze, and mitigate potential security risks to their systems, networks, and data. Here are some opportunities for providing security risk assessment services within the industry:

  1. Conducting Vulnerability Assessments: As a security risk assessment service provider, DISC can conduct vulnerability assessments to identify potential vulnerabilities in an organization’s systems, networks, and applications. You can then provide recommendations to mitigate these vulnerabilities and enhance the organization’s overall security posture.
  2. Performing Penetration Testing: Penetration testing involves simulating a real-world attack on an organization’s systems and networks to identify weaknesses and vulnerabilities. As a security risk assessment service provider, DISC can perform penetration testing to identify potential security gaps and provide recommendations to improve security.
  3. Risk Management: DISC can help organizations identify and manage risks associated with their information technology systems, data, and operations. This includes assessing potential threats, analyzing the impact of these threats, and developing plans to mitigate them.
  4. Compliance Assessment: DISC can help organizations comply with regulatory requirements by assessing their compliance with industry standards such as ISO 27001, HIPAA, or NIST-CSF. DISC can then provide recommendations to ensure that the organization remains compliant with these standards.
  5. Cloud Security Assessments: As more organizations move their operations to the cloud, there is a growing need for security risk assessment services to assess the security risks associated with cloud-based systems and applications. As a service provider, DISC can assess cloud security risks and provide recommendations to ensure the security of the organization’s cloud-based operations.
  6. Security Audit Services: DISC can provide security audit services to assess the overall security posture of an organization’s systems, networks, and applications. This includes reviewing security policies, processes, and procedures and providing recommendations to improve security.

By providing these services, DISC can help organizations identify potential security risks and develop plans to mitigate them, thereby enhancing their overall security posture.

In what situations would a vCISO Service be appropriate?

Transition plan from ISO 27001 2013 to ISO 27001 2022

We’d love to hear from you! If you have any questions, comments, or feedback, please don’t hesitate to contact us. Our team is here to help and we’re always looking for ways to improve our services. You can reach us by email (info@deurainfosec.com), or through our website’s contact form

Contact DISC InfoSec if you need further assistance in your ISO 27001 2022 transition Plan

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Security Risk Assessment


Mar 01 2023

Best GRC tools in 2023

Category: GRC,Security Risk AssessmentDISC @ 1:28 pm

Best GRC tools

GRC (Governance, Risk, and Compliance) online tools are designed to help organizations manage their internal processes, risk assessments, compliance, and audits. Here are some of the best GRC online tools available:

  1. ZenGRC: ZenGRC is a cloud-based GRC tool that offers risk management, compliance management, and vendor management solutions. It allows users to streamline compliance tasks, track risks, and manage third-party vendors.
  2. LogicManager: LogicManager is a GRC platform that helps businesses identify, assess, and manage risks. It offers a variety of modules, including regulatory compliance, vendor risk management, and incident management.
  3. RSA Archer: RSA Archer is an enterprise GRC platform that helps businesses manage risk, compliance, and audit processes. It offers a variety of modules, including risk management, compliance management, and policy management.
  4. SAP GRC: SAP GRC is a suite of GRC tools that helps businesses manage risk, compliance, and audit processes. It offers a variety of modules, including access control, process control, and risk management.
  5. MetricStream: MetricStream is a cloud-based GRC platform that helps businesses manage compliance, risk, and audit processes. It offers a variety of modules, including regulatory compliance, risk management, and quality management.
  6. NAVEX Global: NAVEX Global is a GRC platform that helps businesses manage compliance, risk, and ethics. It offers a variety of modules, including policy management, incident management, and third-party risk management.
  7. Compliance 360: Compliance 360 is a GRC platform that helps businesses manage compliance, risk, and audit processes. It offers a variety of modules, including risk management, compliance management, and incident management.

Each of these tools offers unique features and benefits, so it’s important to evaluate your organization’s specific needs before choosing the best GRC tool for your business.

Cybersecurity Risk and Strategy

Gain the frameworks and vocabulary to make better strategic decisions that boost your organization’s cyber resilience from top to bottom.

ISO 27001/ISO 22301 RISK ASSESSMENT TOOLKIT

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: GRC, GRC tools


Feb 27 2023

Understanding Cyber Risk Quantification: The Buyer’s Guide” by Jack Jones

Category: Risk Assessment,Security Risk AssessmentDISC @ 11:42 am

Version 2 Updated for Release – February 2023. 

From Jack Jones, Chairman of the FAIR Institute and creator of the FAIR model for cyber risk quantification (CRQ) — the definitive guide to understanding CRQ: What it is (and isn’t), its value proposition and limitations, and facts regarding the misperceptions that are commonplace. 

If you’re considering or are actively shopping for an analysis solution that treats cyber risk in financially-based business terms, Jack’s extensive, jargon-free guide — including an evaluation checklist — will give you the objective and practical advice you need.

And just in time. There’s never been more interest or, frankly, confusion in the marketplace over what exactly is cyber risk quantification. As you’ll read in this buyer guide, many solutions may count vulnerabilities, provide ordinal values, or deliver numeric “maturity” scores but don’t measure risk, let alone put a financial value on it to help make business decisions.

This paper answers questions such as:

  • What does CRQ provide that I’m not already getting from other cyber risk-related measurements?
  • What makes CRQ reliable? Why should I believe the numbers?
  • Do I have enough data to run an analysis?

Jack also provides red flags to look out for in CRQ solutions, such as:

  • Mis-identification of risks.
  • Mis-use of control frameworks as risk measurement tools.
  • Over-simplification that can result in poorly-informed decisions, especially when performed at scale.

The ‘Understanding Cyber Risk Quantification’ guide is designed to be of use to security and risk executives, industry analysts, consultants, auditors, investors, and regulators–essentially anyone who has a stake in how well cyber risk is managed.

Download Below

DOWNLOAD NOW

Tags: CRQ, cyber risk quantification


Feb 26 2023

10 Best selling information security risk management books

Here are some of the best-selling books on information security risk management:

  1. Security Risk Management: Building an Information Security Risk Management Program from the Ground Up” by Evan Wheeler
  2. The Basics of Information Security: Understanding the Fundamentals of InfoSec in Theory and Practice” by Jason Andress and Steven Winterfeld
  3. Security Risk Assessment: Managing Physical and Operational Security” by John M. White
  4. IT Risk: Turning Business Threats into Competitive Advantage” by George Westerman and Richard Hunter
  5. Information Security Risk Management: Understanding ISO 27001” by Alan Calder and Steve Watkins
  6. Risk Management Framework: A Lab-Based Approach to Securing Information Systems” by James Broad and Andrew Green
  7. Cybersecurity and Infrastructure Protection: Background, Policy, and Issues” by Thomas A. Johnson
  8. The Manager’s Guide to Cybersecurity Law: Essentials for Today’s Business” by Tari Schreider
  9. NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems” by National Institute of Standards and Technology
  10. Information Security: Principles and Practices” by Mark Merkow and Jim Breithaupt.

InfoSec Risk Assessment

ISO 27001/ISO 22301 RISK ASSESSMENT TOOLKIT

Tags: Security Risk Assessment, security risk management


Nov 28 2022

Best practices for implementing a company-wide risk analysis program

Category: Risk Assessment,Security Risk AssessmentDISC @ 11:36 pm

The associated risk management programs are also constantly evolving, and that’s likely due to outside influences such as client contract requirements, board requests and/or specific security incidents that require security teams to rethink and strengthen their strategy. Not surprisingly, CISO’s today face several dilemmas: How do I define the business impact of a cyber event? How much will it cost to protect our company’s most valuable assets? Which investments will make the business most secure? How do we avoid getting sidetracked by the latest cyber breach headline?

A mature risk analysis program can be thought of as a pyramid. Customer-driven framework compliance forms the base (PCI/ISO frameworks required for revenue generation); then incident-driven infrastructure security in the middle (system-focused security based on known common threats and vulnerabilities); with analysis-driven comprehensive coverage at the pinnacle (identification of assets, valuations, and assessment of threat/vulnerability risk).

risk analysis

How do you kickstart that program? Here are five steps that I’ve found effective for getting risk analysis off the ground.

Determine enterprise-specific assets

The first step is determining what is critical to protect. Unlike accounting assets (e.g., servers, laptops, etc.), in cybersecurity terms this would include things that are typically of broader business value. Often the quickest path is to talk with the leads for different departments. You need to understand what data is critical to the functioning of each group, what information they hold that would be valuable to competitors (pricing, customers, etc.) and what information disclosures would hurt customer relationships (contract data, for instance).

Also assess whether each department handles trade secrets, or holds patents, trademarks, and copyrights. Finally, assess who handles personally identifiable information (PII) and whether the group and its data are subject to regulatory requirements such as GDPR, PCI DSS, CCPA, Sarbanes Oxley, etc.

When making these assessments, keep three factors in mind: what needs to be safe and can’t be stolen, what must remain accessible for continued function of a given department or the organization, and what data/information must be reliable (i.e., that which can’t be altered without your knowledge) for people to do their jobs.

Value the assets

Once you’ve identified these assets, the next step is to attach a value. Again, I make three recommendations: keep it simple, make (informed) assumptions, and err on the side of overestimating. The reason for these recommendations is that completing a full asset valuation for an enterprise would take years and wouldn’t ever be finished (because assets constantly change).

Efficient risk analysis requires a more practical approach that uses broad categories, which can then be prioritized to understand where deeper analysis is needed. For instance, you might use the following categories, and assign values based on informed assumptions:

  • Competitive advantage – the items/processes/data that are unique to your company and based on experience. These are items that would be of value to a competitor to build on. To determine value, consider the cost of growing a legitimate competitor in your dominant market from scratch, including technology and overhead.
  • Client relationships – what directly impacts customer relationships, and therefore revenue. This includes “availability” impacts from outages, SLAs, etc. Value determination will likely be your annual EBIT goal, and impact could be adjusted by a Single Loss Exposure.
  • Third-party partnerships – relating to your ability to initiate, maintain or grow partner networks, such as contractors, ISPs or other providers. When valuing, consider the employee labor cost needed to recruit and maintain those partners.
  • Financial performance – items that impact your company’s ability to achieve financial goals. Again, valuation might equate to annual EBIT.
  • Employee relations – the assets that impact your ability to recruit and retain employees. Valuation should consider the volume of potential losses and associated backfill needs, including base salaries, bonuses, benefit equivalencies, etc.

Determine relevant threats, assess vulnerability, and identify exposures

When it comes to analyzing risk from threats, vulnerabilities and exposures, start with the common security triad model for information security. The three pillars – Confidentiality, Integrity and Availability (CIA) – help guide and focus security teams as they assess the different ways to address each concern.

Confidentiality touches on data security and privacy; it entails not only keeping data safe, but also making sure only those who need access, have it.

Integrity reflects the need to make sure data is trustworthy and tamper-free. While data accuracy can be compromised by simple mistakes, what the security team is more concerned with is intentional compromise that’s designed to harm the organization.

Availability is just what it sounds like – making sure that information can be accessed where and when needed. Availability is an aspect of the triad where security teams need to coordinate closely with IT on backup, redundancy, failover, etc. That said, it also involves everything from secure remote access to timely patches and updates to preventing acts of sabotage like denial of service or ransomware attacks.

In undertaking this part of the risk assessment, you’re using this security triad to determine threats, and then identifying exposure and assessing vulnerability to better estimate both the potential impact and probability of occurrence. Once these determinations are made, you’re ready for the next step.

Define risk

AV = assigned Asset Value (quantitative/qualitative) as identified above.
EF = the Exposure Factor, a subjective assessment of the potential percentage loss to the asset if a specific threat is realized. For example, an asset may be degraded by half, giving an EF of 0.50.

From this we can calculate the Single Loss Expectancy (SLE) – the monetary value from one-time risk to an asset – by multiplying AV and EF. As an example, if the asset value is $1M, and the exposure factor from a threat is a 50% loss (0.50) then the SLE will be $500,000.

Risk definition also takes this one step further by using this SLE and multiplying it by a potential Annualized Rate of Occurrence (ARO) to come up with the Annualized Loss Expectancy (ALE). This helps us understand the potential risk over time.

When working through these figures, it’s important to recognize that potential loss and probability of occurrence are hard to define, and thus the potential for error is high. That’s why I encourage keeping it simple and overestimating when valuing assets – the goal is to broadly assess the likelihood and impact of risk so that we can better focus resources, not to get the equations themselves perfectly accurate.

Implement and monitor safeguards (controls)

Now that we have a better handle on the organizational risks, the final steps are more familiar territory for many security teams: implementing and monitoring the necessary and appropriate controls.

You’re likely already very familiar with these controls. They are the countermeasures – policies, procedures, plans, devices, etc. – to mitigate risk.

Controls fall into three categories: preventative (before an event), detective (during) and corrective (after). The goal is to try to stop an event before it happens, quickly react once it does, and efficiently get the organization back on its feet afterward.

Implementing and monitoring controls are where the rubber hits the road from a security standpoint. And that’s the whole point of the risk analysis, so that security professionals can best focus efforts where and how appropriate to mitigate overall organizational risk.

Security Risk Management: Building an Information Security Risk Management Program from the Ground Up

Tags: risk analysis program


Nov 16 2022

Risk Management Toolkit

“By implementing sound #management of our #risks and the threats and opportunities that flow from them we will be in a stronger position to deliver our organisational objectives, provide improved services to the community, achieve better value for money and demonstrate compliance with the Local Audit and Accounts Regulations. #Riskmanagement will therefore be at the heart of our good management practice and corporate governance arrangements.”

Tags: Risk Management Toolkit


Oct 20 2022

Why chasing risk assessments will have you chasing your tail

Category: Risk Assessment,Security Risk AssessmentDISC @ 10:07 am

Third-party risk assessments are often described as time-consuming, repetitive, overwhelming, and outdated. Think about it: organizations, on average, have over 5,000 third parties, meaning they may feel the need to conduct over 5,000 risk assessments. In the old school method, that’s 5,000 redundant questionnaires. 5,000 long-winded Excel sheets. No wonder they feel this way.

The reason why risk assessments have become so dreaded is that it has always been a process of individual inspection and evaluation. For perspective, that’s roughly 14 risk assessments completed per day in the span of one year. How can we expect security, risk, and procurement professionals to get any other work done with this type of task on their plate? With the state of today’s threat landscape, wouldn’t you rather your security team be focused on actual analysis and mitigation, rather than just assessing? And, not to mention the fact that a tedious risk assessment process will contribute to burnout that can lead to poor employee retention within your security team. With how the cybersecurity job market is looking now, this isn’t a position any organization wants to be in.

So, now that you know how the people actually with their ‘hands in the pot’ feel about risk assessments, let’s take a look at why this approach is flawed and what organizations can do to build a better risk assessment process.

The never-ending risk assessment carousel ride

The key to defeating cybercriminals is to be vigilant and proactive. Not much can be done when you’re reacting to a security incident as the damage is already done. Unfortunately, the current approach to risk management is reactive, and full of gaps that do not provide an accurate view into overall risk levels. How so? Current processes only measure a point-in-time and do not account for the period while the assessment is being completed–or any breaches that occurred after the assessment was submitted. In other words, assessments will need to be routinely refilled out, a never-ending carousel ride, which is not feasible.

It should come to no surprise that assessments are not updated nearly as much as they should be, and that’s to no one’s fault. No one has the time to continually fill out long, redundant Excel sheets. And, not to mention, unless the data collected is standardized, very little can be done with it from an analysis point of view. As a result, assessments are basically thrown in a drawer and never see the light of day.

Every time a third-party breach occurs there is a groundswell of concern and company executives and board members immediately turn to their security team to order risk assessments, sending them on a wild goose chase. What they don’t realize is that ordering assessments after a third-party breach has occurred is already too late. And the organizations that are chosen for a deeper assessment are most likely not the ones with the highest risk. Like a never-ending carousel ride, the chase for risk assessments will never stop unless you hop off the ride now.

Show me the data!

The secret ingredient for developing a better risk management collection process is standardized data. You can’t make bread without flour, and you can’t have a robust risk management program without standardized data. Standardized data is the process of gathering data in a common format, making it easier to conduct an analysis and determine necessary next steps. Think of it this way, if you were looking at a chart comparing student test grades and they were all listed in various formats (0.75, 68%, 3/16, etc.), you would have a difficult time comparing these data points. However, if all the data is listed in percentages (80%, 67%, 92%, etc.), you could easily identify who is failing and needs more support in the classroom. This is the way using standardized data in the risk assessment process works. All data collected from assessments would be in the same format and you can understand which third parties are high risk and require prioritized mitigation.

CISOs who are still focused on point-in-time assessments are not getting it right. Organizations need to understand that risk assessment collection alone does not in fact equal reduced risk. While risk assessments are important, what you do with the risk assessment after it is complete is what really matters. Use it as a catalyst to create a larger, more contextual risk profile. Integrate threat intelligence, security ratings, machine learning, and other data sources and you’ll find yourself with all the data and insights you need and more to proactively reduce risk. You’ll be armed with the necessary information to mitigate risk and implement controls before the breach occurs, not the rushed patchwork after. A data-driven approach to third-party risk assessment will provide a more robust picture of risk and put an end to chasing assessments once and for all.

risk assessment

Security Risk Assessment

How to do an information security risk assessment for ISO27001

Tags: data breach, Risk Assessment, Third Party Risk


Sep 14 2022

Risk Management document templates

Risk Assessment and Risk Treatment Methodology

The purpose of this document is to define the methodology for assessment and treatment of information risks, and to define the acceptable level of risk.

The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.

There are 3 appendices related to this document. The appendices are not included in the price of this document and can be purchased separately

Risk Assessment Table

The purpose of this table is to list all information resources, vulnerabilities and threats, and assess the level of risk. The table includes catalogues of vulnerabilities and threats.

The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.

This document is an appendix. The main document is not included in the price of this document and can be purchased separately

Risk Treatment Table

The purpose of this table is to determine options for the treatment of risks and appropriate controls for unacceptable risks. This table includes a catalogue of options for treatment of risks as well as a catalogue of 114 controls prescribed by ISO 27001.

The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.

This document is an appendix. The main document is not included in the price of this document and can be purchased separately

Risk Assessment and Treatment Report

The purpose of this document is to give a detailed overview of the process and documents used during risk assessment and treatment.

The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.

This document is an appendix. The main document is not included in the price of this document and can be purchased separately

Statement of Applicability

The purpose of this document is to define which controls are appropriate to be implemented in the organization, what are the objectives of these controls, how they are implemented, as well as to approve residual risks and formally approve the implementation of the said controls.

The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.

Risk Treatment Plan

The purpose of this document is to determine precisely who is responsible for the implementation of controls, in which time frame, with what budget, etc.

The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.

Toolkit below contains all the documents above

Tags: Risk Assessment, Security Risk Assessment


Sep 14 2022

Top 3 data security risks facing businesses

Category: data security,Security Risk AssessmentDISC @ 10:35 am

There are many ways that data security risks can occur, and it is important to be aware of them in order to protect our information.

Data security issues, continuous data breaches, and advanced cyber-criminal activity make it harder for businesses to stay updated with the latest strategy to keep their accounts and customer data protected.

We continue to see companies small or large being targeted by cybercriminals, according to Nexor, the UK experienced a 31% rise in cyber-attacks  during the height of the pandemic in May and June 2020.  

Cybercrimes from malware, insider threats, and stolen data to hacked systems will always be a threat so how can companies ensure they are prepared for security risks as technology and cyber criminals continue to advance? We take a look at the top 3 data security risks business are facing.

1)  Lack of resources to deter cyber threats

Hackers and companies are aware of issues concerning IT infrastructures and computer systems, but it is the responsibility of the business to ensure systems are guarded and secure from unauthorised access and that they are not vulnerable to cybercriminal threats through unsecure internal networks and software. 

A report in partnership with the office of cyber security and information assurance in the cabinet office, estimates the cost of cybercrime to the UK to be £27bn per annum

As the pressure for cyber professionals rises, panic in business also increases as there is a shortage of IT security professionals with skills in IT and cyber security. The ISC 2021 Cybersecurity Workforce Study states that the global cybersecurity skills shortage has fallen for the second consecutive year, but the size of the workforce is still 65% below what it needs to be. CEO, Clar Rosso at ISC shares her thoughts:

“Any increase in the global supply of cybersecurity professionals is encouraging, but let’s be realistic about what we still need and the urgency of the task before us…The study tells us where talent is needed most and that traditional hiring practices are insufficient. We must put people before technology, invest in their development, and embrace remote work as an opportunity. And perhaps most importantly, organizations must adopt meaningful diversity, equity, and inclusion practices to meet employee expectations and close the gap.”

UK government report published last year found that 48% of organisations lacked the expertise to complete routine cyber security practices, and 30% of organisations had skills gaps in more advanced areas, such as penetration testing, forensic analysis, and security architecture.

With a high demand for security professionals and a shortage in skills, could cyber criminals be a few steps ahead? 

Many businesses, especially most small businesses lack the capability and expertise to withstand a cyber security attack. Finding the right talent and investing in the skills can be a challenge, but there are consultants that specialise in working with various types of businesses that can add value and help place the right data protection strategies and provide businesses with the best tools and training.

Guard Wisely are independent data security specialists that are trusted by organisations to solve their biggest compliance, security, operations, and BAU challenges. They have delivered many successful security projects to a large variety of Enterprise Customers Globally and over 180,000 employees. 

2) Technology continues to accelerate 

The pandemic fast-forwarded the need for digitalisation, and the sudden change to remote working meant that more data was being shared across unsecure cloud environments, kept on networks and employee desktops. This meant an increased risk for businesses as they figured out how to maintain data security in a hybrid work environment.

We have seen that everything and everyone is connecting through the Internet, and wireless capabilities are bringing innovation to all areas of business and general life at unprecedented speed. 

With remote and hybrid working being a part of the future of work, data needs to be regularly monitored and controlled. Large enterprises need to manage their customers’ and employees’ data to remain compliant, to do this they need to understand where that data resides to secure it.  

Across the world, there are now nearly two billion internet users and over five billion mobile phone connections; every day, we send 294 billion emails and five billion SMS messages; every minute, we post 35 hours of video to YouTube, 3,000 photos to Flickr and nearly 35,000 ‘tweets’ according to this report .

Over 91 percent of UK businesses and 73 percent of UK households have internet access and £47.2 billion was spent online in the UK alone in 2009.

The issue arises for data security as the embedded operating system in any device is deployed in its firmware, and these operating systems are rarely designed with security as their prime focus. This means that many systems have flaws and vulnerabilities, which is a gateway for many hackers and cybercriminals. 

3) Weak passwords encourage cyber-attacks and “insider breaches” 

With so many passwords to remember for a variety of devices, sites, and networks, we will continue to see a security risk in passwords. In most cases, hackers do not find it difficult to figure out corporate passwords and, employee passwords tend to be easier to work out.  

Not only this, but once you know the password for a device, you’ll most likely be able to have access to other accounts. People tend to keep the same password across many of the accounts they hold, for the ease of remembering but this as much as we know it, is a security issue that needs to be addressed. 

Unsecure passwords could increase ‘insider’ breaches at the workplace. Organisations often overlook the threats residing inside their ecosystems which can have devastating effects. These companies, although they are aware of threats don’t usually have an insider threat program in place, and are therefore not prepared to prevent, detect, and respond to internal threats.

Having access to anyone’s computers or devices at work can mean that systems will be at a higher risk of attack from insider threats. Hackers are always looking for opportunities to steal passwords and break them into private and corporate accounts.

To minimise these risks, companies must evaluate and introduce measures to ensure access to certain files and folders is in place. They will have to make sure individuals have unique passwords to enter their computers so that other people cannot access or abuse computer activity. 

Tracking which files and folders are being used and accessed on individual machines will also be beneficial in a lot of cases. As a short-term fix, they can also ensure they turn on two-factor authentication (2FA), also known as multi-factor authentication where possible for important accounts, as a secondary method of authentication.

Top 3 data security risks facing businesses

Business Data Networks and Security 

Tags: data security risks


Mar 31 2022

How to read a SOC 2 Report

how to read a SOC 2 report
https://fractionalciso.com/how-to-read-a-soc-2-report/

The following conversation about reviewing a SOC 2 report is one to avoid. 

Potential Customer: “Hi Vendor Co., do you have a SOC 2?”

Vendor Co. Sales Rep: “Yes!”

Potential Customer: “Great! We can’t wait to start using your service.” 

The output of a SOC 2 audit isn’t just a stamp of approval (or disapproval). Even companies that have amazing cybersecurity and compliance programs have a full SOC 2 report written about them by their auditor that details their cybersecurity program. SOC 2 reports facilitate vendor management by creating one deliverable that can be given to customers (and potential customers) to review and incorporate into their own vendor management programs.

Vendor security management is an important part of a company’s cybersecurity program. Most mature organizations’ process of vendor selection includes a vendor security review – a key part of which includes the review of a SOC 2 report.

SOC 2 reports can vary greatly in length but even the most basic SOC 2 report is dense with information that can be difficult to digest, especially if you aren’t used to reading them. This article will teach you how to read a SOC 2 report by providing a breakdown of the report’s content, with emphasis on how to pull out the important parts to look at from a vendor security review perspective.

Please note that you should not use this as a guide to hunt and peck your way through a SOC 2 report. It is important to read through the entire report to gain a full understanding of the system itself. However, this should help draw attention to the particular points of interest you should be looking out for when reading a report. 

Many different auditing firms perform SOC 2 audits, some reports may look a little different from the others but the overall content is generally the same.

How to read a SOC 2 report: the Cover Page

Even the cover page of a SOC 2 report has a lot of useful information. It will have the type of SOC 2 report, date(s) covered, the relevant trust services criteria (TSC) categories, and the auditing firm that conducted the audit. 

What Type of SOC 2 Report?

There are two types of SOC 2 reports that can be issued: A SOC 2 Type I and a SOC 2 Type II. The type of report will be denoted on the cover page. The key difference is the timeframe of the report:

A SOC 2 Type I is an attestation that the company complied with the SOC 2 criteria at a specific point in time. 

A SOC 2 Type II is an attestation that the company complied with the SOC 2 criteria over a period of time, most commonly a 6 or 12 month period. 

SOC 2 Type II reports are more valuable because they demonstrate a long-term commitment to a security program – and any issues over the time frame will be revealed. It’s possible for a company to get a SOC 2 Type I report then fail to adhere to their controls. 

Key takeaway: If a company only has a SOC 2 Type I, ask if and when they are working on achieving a SOC 2 Type II. If they say they are not getting a Type II, this is indicative of a lower commitment to security. 

Trust Services Criteria

Cybersecurity for Executives in the Age of Cloud 

Tags: SOC 2 report, SOC2


Mar 12 2022

Integrating Cybersecurity and Enterprise Risk Management (ERM)

Source: https://

/10.6028/NIST.IR.8286-draft2

ISO 31000: 2018 Enterprise Risk Management (CERM Academy Series on Enterprise Risk Management)

Tags: ERM, ISO 31000


Next Page »