IAAC Directors’ Guides
Jul 08 2020
Google open-sources Tsunami vulnerability scanner
Google says Tsunami is an extensible network scanner for detecting high-severity vulnerabilities with as little false-positives as possible.
Source: Google open-sources Tsunami vulnerability scanner | ZDNet
The scanner has been used internally at Google and has been made available on GitHub
Google Tsunami Security Scanner – Quick install an example run
httpv://www.youtube.com/watch?v=Xims19547gs
InfoSec Threats, Books and Training Courses
Download a Security Risk Assessment Steps paper!
Subscribe to DISC InfoSec blog by Email
Take an awareness quiz to test your basic cybersecurity knowledge
DISC InfoSec 🔒 securing the business 🔒 via latest InfoSec titles
Jun 06 2020
5 principles for effective cybersecurity leadership in a post-COVID world
As more people work from home due to COVID-19, cybersecurity operations are facing tremendous challenges. These five principles can help Chief Information Security Officers (CISOs) and cybersecurity leaders ensure effective business continuity in the “new normal.”
Source: 5 principles for effective cybersecurity leadership in a post-COVID world
7 Security Risks and Hacking Stories for Web Developers
httpv://www.youtube.com/watch?v=4YOpILi9Oxs
Download a Security Risk Assessment steps paper!
Subscribe to DISC InfoSec blog by Email
Oct 06 2019
A CISO’s Guide to Bolstering Cybersecurity Posture
When It Come Down To It, Cybersecurity Is All About Understanding Risk
Risk Management Framework for Information Systems
How to choose the right cybersecurity framework
Improve Cybersecurity posture by using ISO/IEC 27032
httpv://www.youtube.com/watch?v=NX5RMGOcyBM
Cybersecurity Summit 2018: David Petraeus and Lisa Monaco on America’s cybersecurity posture
httpv://www.youtube.com/watch?v=C8WGPZwlfj8
CSET Cyber Security Evaluation Tool – ICS/OT
httpv://www.youtube.com/watch?v=KzuraQXDqMY
Subscribe to DISC InfoSec blog by Email
Jul 21 2019
When It Come Down To It, Cybersecurity Is All About Understanding Risk
Get two risk management experts in a room, one financial and the other IT, and they will NOT be able to discuss risk.
Source: When It Come Down To It, Cybersecurity Is All About Understanding Risk
An Overview of Risk Assessment According to
ISO 27001
Mar 17 2019
Risk Management Framework for Information Systems
Risk Management Framework for Information Systems and Organizations:
A System Life Cycle Approach for Security and Privacy
NIST 800-37r2
Subscribe to DISC InfoSec blog by Email
Mar 07 2019
How to choose the right cybersecurity framework
Does your organization need NIST, CSC, ISO, or FAIR frameworks? Here’s how to start making sense of security frameworks.
Source: How to choose the right cybersecurity framework
Apr 21 2017
vsRisk™ risk assessment
|
|
Jun 29 2016
5 Must Read Books to Jumpstart Your Career in Risk Management
FAIR Institute blog by Isaiah McGowan
Read Books to Jumpstart Your Career in Risk Management
What are the must have resources for people new to operational and cyber risk? This list outlines what books I would recommend to new analyst or manager.
They’re not ranked by which book is best. Instead, I list them in the recommended reading order. Let’s take a look at the list.
#1 – The Failure of Risk Management: Why It’s Broken and How to Fix It (Douglas Hubbard)
In The Failure of Risk Management, Hubbard highlights flaws in the common approaches to risk management. His solutions are as simple as they are elegant. (Spoiler alert: the answer is quantitative risk analysis). The Failure of Risk Management shows up as #1 because it sets the tone for the others in the list. First, understand the problems. With the common problems in mind you can identify them on a regular basis. The next book provides approaches to modeling the problem.
#2 – Measuring and Managing Information Risk: A FAIR Approach (Jack Jones & Jack Freund)In Measuring and Managing Information Risk, the authors communicate a high volume of foundational knowledge. The authors outline the FAIR-based approach to measuring and managing risk. They tackle critical concepts often overlooked or taken for granted by risk practitioners.
With that foundation in place, they move on to the FAIR approach to risk analysis. Finally, they lay out foundational concepts for risk management.
This book is not an advanced perspective on analyzing or managing risk. Instead, it provides a systemic solution to our problems.
Books #1 and #2 lay the foundation to understand the common risk management and analysis problems. They also provide approaches for solving those problems. The next two books are critical to improving the execution of these approaches.
#3 – Superforecasting: The Art and Science of Prediction (Phillip Tetlock & Dan Gardner)
We require Superforecasting. Risk analysis is always about forecasting future loss (frequency and magnitude). As practitioners, it is critical to learn the problems with forecasting. Knowing is half the battle. Superforecasting takes the audience through the battlefield by offering a process for improvement.
If there is one book you could read out of order, it is Superforecasting. Yet, it shows up at #3 because it will hammer home forecasting as a skill once the other books open your eyes.
#4 – Expert Political Judgment: How Good Is It? How Can We Know? (Phillip Tetlock)
Yes, another book by Tetlock appears in our list. Published first, tackled second. His work in understanding forecasting is tremendously valuable. Superforecasting builds on the research that resulted in publishing Expert Political Judgment.
Tetlock seeks to improve the reader’s ability to identify and understand errors of judgment. If we improve this skill, we will improve our ability to evaluate expert inputs in risk management.
#5 – Thinking, Fast and Slow (Daniel Kahneman)
Rounding out the list is Thinking, Fast and Slow. Improving your understanding of thinking in general is the next best step. Take the time to read this book. Peel out nuggets of wisdom before tackling more advanced risk management and analysis concepts.
There it is…
This is my go-to list of 5. I recite it to anyone who has made or will make the leap into risk management and analysis. These books will set the foundation for thinking about risk. They will also push you down a path towards improving your skills beyond your peers.
What books would you have in your top 5? How does your mileage vary?
Apr 21 2016
Fundamentals of Information Risk Management Auditing
An introductory guide to information risk management auditing, giving an interesting and useful insight into the risks and controls/mitigations that you may encounter when performing or managing an audit of information risk. Case studies and chapter summaries impart expert guidance to provide the best grounding in information risk available for risk managers and non-specialists alike.
For any modern business to thrive, it must assess, control, and audit the risks it faces in a manner appropriate to its risk appetite. As information-based risks and threats continue to proliferate, it is essential that they are addressed as an integral component of your enterprise’s risk management strategy, not in isolation. They must be identified, documented, assessed, and managed, and assigned to risk owners so that they can be mitigated and audited.
Fundamentals of Information Risk Management Auditing provides insight and guidance on this practice for those considering a career in information risk management, and an introduction for non-specialists, such as those managing technical specialists.
Book overview
Fundamentals of Information Risk Management Auditing – An Introduction for Managers and Auditors has four main parts:
- What is risk and why is it important? An introduction to general risk management and information risk.
- Introduction to general IS and management risks An overview of general information security controls, and controls over the operation and management of information security, plus risks and controls for the confidentiality, integrity, and availability of information.
- Introduction to application controls An introduction to application controls, the controls built into systems to ensure that they process data accurately and completely.
- Life as an information risk management specialist/auditor A guide for those considering, or undergoing, a career in information risk management.
Each chapter contains an overview of the risks and controls that you may encounter when performing an audit of information risk, together with suggested mitigation approaches based on those risks and controls.
Chapter summaries provide an overview of the salient points for easy reference, and case studies illustrate how those points are relevant to businesses.
The book concludes with an examination of the skills and qualifications necessary for an information risk management auditor, an overview of typical job responsibilities, and an examination of the professional and ethical standards that an information risk auditor should adhere to.
Topics covered
Fundamentals of Information Risk Management Auditing covers, among other subjects, the three lines of defense; change management; service management; disaster planning; frameworks and approaches, including Agile, COBIT®5, CRAMM, PRINCE2®, ITIL®, and PMBOK; international standards, including ISO 31000, ISO 27001, ISO 22301, and ISO 38500; the UK Government’s Cyber Essentials scheme; IT security controls; and application controls.
Download your copy of Fundamentals of Information Risk Management Auditing
Dec 21 2015
Assessing Information Security
Assessing Information Security – Strategies, Tactics, Logic and Framework draws on the work of Clausewitz and Sun Tzu, and applies it to the understanding of information security that the authors have built up through their extensive experience in the field. The result is expert guidance on information security, underpinned by a profound understanding of human conflict.
| Assessing Information Security – Strategies, Tactics, Logic and Framework, Second edition |
- Shows how to use principles of military strategy to defend against cyber attacks, enabling organizations to have a more structured response to malicious intrusions.
- Explains the priorities for robust cybersecurity , helping readers to decide which security measures will be the most effective.
- Buy today and discover how to integrate cybersecurity into your organization’s normal operations.
Building on the success of the first edition, this new edition covers the most recent developments in the threat landscape and the best-practice advice available in the latest version of ISO 27001.
“Gives you new practical perspective and new way how to think about infosec, many views nicely packed in one book.” Ivan Kopacik
Building on the success of the first edition, this new edition covers the most recent developments in the threat landscape and the best-practice advice available in the latest version of ISO 27001:2103.
Product overview:
-
Information Security Auditing and Strategy
-
Security Auditing, Governance, Policies and Compliance
-
Security Assessments Classification
-
Advanced Pre-Assessment Planning
-
Security Audit Strategies and Tactics
-
Synthetic Evaluation of Risks
-
Presenting the Outcome and Follow-Up Acts
-
Reviewing Security Assessment Failures and Auditor Management Strategies
Available in: Softcover, Adobe eBook, ePub, Kindle ===>>> Buy now
Related articles
Feb 18 2014
Comprehensive Cyber Security Risk Management Toolkit
Govern and manage Cyber Security risk with this unique comprehensive toolkit suite
Comprehensive Cyber Security Risk Management Toolkit Suite – Use the Cyber Security Governance & Risk Management Toolkit for a new, fresh implementation of a comprehensive management system that will also be capable of ISO27001 certification, or take advantage of this toolkit’s modular
There are a number of standalone, best practice approaches to managing cyber risk, none of which is on its own completely satisfactory. This toolkit helps you make an enormous leap forward by consolidating five separate approaches into a single, comprehensive, robust framework.
• PAS 555:2013 is the new standard for cyber security risk governance and management; it was created to work with a range of other standards;
• ISO/IEC 27032 is the international guidance standard for managing cyber security risk;
• The Cloud Controls Matrix was developed by the Cloud Security Alliance for cloud service providers;
• Ten Steps to Cyber Security is the methodology developed by the UK’s Business Department to help organizations of all sizes secure their cyber defenses;
• ISO/IEC 27001: 2013 is the internationally recognized standard against which an information security management system can achieve accredited certification.
Use the Cyber Security Governance & Risk Management Toolkit for a new, fresh implementation of a comprehensive management system that will also be capable of ISO27001 certification, or take advantage of this toolkit’s modular construction and control mapping matrix to add its additional controls to an existing ISO27001 management system.
This Cyber Security Governance & Risk Management Toolkit recognizes that mobile device management is a critical component of effective cyber risk control and therefore includes the ITGP BYOD Policy Toolkit as a value-added extra.
Included in this comprehensive toolkit suite is:
- Cyber Security Governance & Risk Management Toolkit.
- PAS 555
- ISO 27032 Guidelines for Cybersecurity
- vsRisk (Standalone or Network Enabled user )
Related articles
Aug 07 2013
vsRisk – The Cyber Security Risk Assessment Tool
vsRisk – The Cyber Security Risk Assessment Tool
httpv://www.youtube.com/watch?v=M8acvay4FmU
It is extremely difficult to carry out a risk assessment that will meet the requirements of ISO27001 without using a specialist information security risk assessment tool. While there are a wide range of products on the market that claim to meet these requirements, the reality is that there are very few.
There’s just one risk assessment tool that IT Governance recommends; the vsRisk™ v1.7 – the Cybersecurity Risk Assessment Tool.
It’s so straightforward, and so quick to use, it can save you a significant amount of the budget you might otherwise spend on consultancy advice at this stage of the project.
5 reasons why vsRisk is the definitive risk assessment tool:
- This tool automates and delivers an ISO/IEC 27001-compliant risk assessment
- Can uniquely assess confidentiality, integrity & availability (CIA) for each of business, legal and contractual aspects of information assets – as required by ISO27001
- Gives comprehensive best-practice alignment
- It’s easy and straight-forward to use
- Cost-effective route to assessing risks within your business
Download the definite risk assessment tool >>
Related articles
Apr 23 2013
Cyber Security and Risk Assessment
Cyber security is the protection of systems, networks and data in cyber space.
If your system is connected on the internet, you should know and uderstand the risks of cyber space to take appropriate countermeasures.
To understand the risks of cyber security,The first place is to begin with is a risk assessment. By completing a risk assessment you can understand what the risks, threats and vulnerabilities of your networks, systems and data really are and begin to comprehend how to reduce and handle them. The authors of The Information Security Risk Assessment Toolkit provides handy step-by-step guidance on how to undertake a risk assessment. As we said Security Risk Assessment is an important first to assess risks but the second step of mitigating those risks in timely manner is crucial to protect your information assets.
Once you understand what the risks of your business are, you can then decide on how to mitigate those risks based on your organization risk acceptance.
Tools and techniques which work in mitigating cyber risks
The UK’s Cyber-security Framework for Business (published by the Department for Business, Innovation and Skills) is a 10-step framework to stop around 80% of today’s cyber-attacks
1. Board-led Information Risk Management Regime
2. Secure Home and Mobile Working
3. User Education and Awareness
4. User privilege management
5. Removable media controls
6. Activity monitoring
7. Secure Configurations
8. Malware protection
9. Network security
10. Incident Management
Build the resilience in your information security management system (ISMS) to cope with the other 20% of the risk.
The authors of Hacking 7 Exposed cover the latest methods used by third-parties to (logical/physical) access to information assets. They then detail how you can protect your systems, networks and data from unauthorised access.
Cybersecurity standards are an important element in building a strong, resilient information and communications infrastructure. ISO/IEC 27001 is the most significant international best practice standard available to any organisation that wants an intelligently organised and structured framework for tackling its cyber risks
Related articles
Jan 29 2013
Impact of an Effective Risk Assessment to ISO 27001
First to start with a definition of risk – Risk is a function of the probability that an identified threat will occur and then impact the mission or business objectives of an organization.
The kind of risks we deal with information assets are mostly those risks from which only loss can occur, which may be one of the reason why it’s hard for the security professionals to justify ROI for security controls. Comparatively business risks are attributed with either a profit or a loss. As we know, business folks make decision on risks on daily basis; it’s easier to make a decision for profit sake rather than on a loss. So increase risk to information asset will decrease the value of an asset or will harm the organization bottom line in some way.
To minimize the loss to an information asset, organization may decide to treat the higher risk assets which are above accepted risk threshold with following four ways:
1. Eliminate the risks
2. Reduce the risk to acceptable level
3. Accept the risk and live with it
4. Transfer by means of insurance
Risk Assessment Basic Steps for ISO 27001:
o Determine risk methodology and level of acceptable (residual) risk
o Identify assets and who owns them
o Identify the value of each asset
o Identify threats to each assets
o Identify vulnerabilities that each threat may exploit
o Estimate Likelihood of the threat exploiting vulnerability
o Finally determine risk the security of individual assets by combining impacts and likelihoods
Risk Assessment Titles from eBay | Risk Assessment Titles from DISC InfoSec Store
Related articles
Related articles
Jan 11 2013
Why SoD should be reviewed in every assessment
Similar to other controls SoD (Segragation of Duties) plays an important role in reducing certain potential risk of an organization.
SoD minimize certail risks, by deviding a task so it will take more than one individual to complete a task or a critical process. SoD control has been traditionally used in accounting to minimize risk of collusion. For separation of duties we don’t want to give any individual so much control that they become a security risk without proper check and balance inplace. SoD is utilized to avoid unauthorized modification of data and to make sure critical data is available when needed by authorized personals, which includes but not limited to the availability of the services.
Separation of Duties (SoD) is not only an important principle of security but SoD control A10.1.3 of ISO 27001 wants organizations to implement this control.
Possible Controls to Implement SoD:
- * Separate the IT Dept from user function, meaning user should not be able to perform its own IT duties.
- * Separate the InfoSec and IT Dept. The individual responsible for the InfoSec has unique knowledge of organization security infrastructure, basically a knowledgeable InfoSec individual will have keys to the knigdom and should be segregated from the rest of the IT department. Also InfoSec individual should not be reporting to the IT director which is not only independence issue but conflict of interest. IT Dept is responsible for the avaiability of service whereas security professional is responsible for security (adding controls) to the same service.
- * The development and testing of application should be segregated. There should be a complete segregation of App development and App testing function. Also the person who put the App into production/operation and maintain should be a different individual.
- * Operation of IT should be seprate from maintenance of IT function in different teirs, meaning avaiability of the information should be separated from support & maintenance.
- * The database admin should be segregated from other IT function. DBA individuals are very knowledgeable super user and should not have any other IT duties.
- * Last but not the least about the main Uber user the Sys Admin (router, FW, Server, DT) should have a separate account when performing regular user function. These super users should be logged and audited on regular basis.
Related reference topics on DISC InfoSec
Related reference topics on eBay
Nov 19 2012
PCI view of Risk Assessment
Organizations that need to comply with PCI-DSS need to create their own risk assessment methodology that works for their specific business needs, according to a new report by the Payment Card Industry Security Standards Council (PCI SSC).
PCI Risk Assessment Special Interest Group says When developing their own risk assessment methodology, organizations may consider adapting an industry-standard methodology that is most appropriate for their particular culture and business climate.
Key recommendations include:
• A continuous risk assessment process enables ongoing discovery of emerging threats and vulnerabilities, allowing an organization to mitigate such threats and vulnerabilities in a proactive and timely manner
• Risk assessments must not be used as a means of avoiding or bypassing applicable PCI DSS requirements (or related compensating controls)
• Organizations should implement a formalized risk assessment methodology that best suits the culture and requirements of the organization
PCI view of things:
The announcement
https://www.pcisecuritystandards.org/pdfs/pr_121116_risk_sig.pdf
And the V1 document (also attached)
https://www.pcisecuritystandards.org/documents/PCI_DSS_Risk_Assmt_Guidelines_v1.pdf
Below is my post on Risk management from prespective of ISO 27001 which has an Expert guidance on planning and implementing a risk assessment and protecting your business information
Information Security Risk Management for ISO 27001
Aug 22 2012
5 reasons why vsRisk v1.6 is the definitive risk assessment tool
by Melanie Watson
It is extremely difficult to carry out a risk assessment that will meet the requirements of ISO27001 without using a specialist information security risk assessment tool. While there are a wide range of products on the market that claim to meet these requirements, the reality is that there are very few.
There’s just one risk assessment tool that IT Governance recommends; the vsRisk™ v1.6 – the Cybersecurity Risk Assessment Tool.
It’s so straightforward, and so quick to use, it can save you a significant amount of the budget you might otherwise spend on consultancy advice at this stage of the project.
5 reasons why vsRisk is the definitive risk assessment tool:
- This tool automates and delivers an ISO/IEC 27001-compliant risk assessment
- Can uniquely assess confidentiality, integrity & availability (CIA) for each of business, legal and contractual aspects of information assets – as required by ISO27001
- Gives comprehensive best-practice alignment
- It’s easy and straight-forward to use
- Cost-effective route to assessing risks within your business
Download the definite risk assessment tool >>
Related articles
- Staff awareness training – an essential component of ISO27001 (deurainfosec.com)
- ISO 27001 Information Security Incident Management (deurainfosec.com)
- Download the full version of the ITIL and/or ISO27001 toolkit today! (deurainfosec.com)
May 13 2012
The Cybersecurity Risk Assessment Tool
With over 10 years in the market and 2,500 global downloads, vsRiskTM has been helping organizations all over the world carry out successful risk assessments.
Risks assessment is the core competence of cyber security management. Every decision you make must be proportionate to the actual risk your organization faces. You must therefore assess risks on a structured asset-by-asset basis – and experience proves you need to save time and money with a risk assessment tool that automates and simplifies this process.
vsRisk is the definitive ISO27001:2005-compliant risk assessment tool which will help you become cybersecure
vsRisk – The Definitive Cyber Security Risk Assessment Tool
The vsRisk Assessment Tool has been designed with the user in mind to effectively identify, analyze and control their actual information risks in line with their business objectives. Key features of vsRisk include:
• Assessing key areas such as Groups, Assets and Owners
• Capturing your IS policy, objectives and ISMS scope
• In-built audit trail and comparative history
• Assessesing attributes on Confidentiality, Integrity, and Availability, in relation to Business, Legal, Contractual
• Comprehensive reporting and gap analysis
Alan Calder, CEO of Vigilant Software, talks you through the risk assessment process using vsRisk
Watch the video now >>>
This unique risk assessment tool helps you get on top of the critical risk assessment phase of your ISMS project and, most importantly, sets you up for future risk assessments as well.
Join the professionals and orders your today >>>
vsRisk and Security Risk Assessment
Apr 18 2012
Risk Assessment control selection and cost savings
In risk management, risk treatment process begins after completion of a comprehensive risk assessment.
Once risks have been assessed, risk manager utilize the following techniques to manage the risks
• Avoidance (eliminate)
• Reduction (mitigate)
• Transfer (outsource or insure)
• Retention (accept and budget)
Now the question is how to select an appropriate control to avoid or reduce risk. While selecting appropriate control to mitigate and avoid risk we need to consider compensating control to cut cost and supplemental control to increase protection for sensitive or classified assets.
Compensating control is a safeguard or countermeasure is employed by an organization in lieu of recommended security control from standards such as ISO 27002 or NIST 800-53. Compensating control provides an equivalent or comparable protection for information system to the original control requirement form standard. For example, even though most standards recommend separation of duties, but for a small operation it might be an unacceptable cost to separate the duties of system administration and system auditing. In that case system owner can utilize compensating control such as strengthening the audit and personnel security.
On the other hand with supplemental control, the system owner may decide to supplement the control to achieve more protection for sensitive and classified assets. If there is high likelihood or magnitude of impact is high should a threat exploit a given vulnerability you might want to consider a supplemental control because overall risk is high. For example you might want to utilize defense in depth method to safeguard your crown jewel.
Implementing and monitoring security control can be expensive, system owner are pressured by management to look for cost savings without any reduction in the security posture of an organization. The system owner can either inherit the common controls or segment the system exposure to reduce cost and risks.
Common controls are the security controls which have been implemented by another information system that your system can utilize. Basically working with another system owner who has utilized some of the security controls need to be implemented in your system. For example utilize the corporate office base line hardening configuration for Windows and Unix system instead of developing your own. This will significantly reduce the cost of developing, testing and maintaining a secure baseline configuration.
Best and cheapest method of cost reduction is to segment the information system into multiple systems which will add different layers and levels of security into each system. Basically you put your crown jewel in multiple layers of security if one control breaks there is another control in place to monitor and protect your assets. This will allow the system owner to focus implementing higher security controls to the segment with most sensitive or classified information instead of entire system
« Previous Page — Next Page »
