Home > Articles > Security > Network Security

This chapter is from the book

This chapter is from the book

Security Program and Policies: Principles and Practices, 2nd EditionSecurity Program and Policies: Principles and Practices, 2nd Edition

Learn More Buy

This chapter is from the book

This chapter is from the book

Security Program and Policies: Principles and Practices, 2nd EditionSecurity Program and Policies: Principles and Practices, 2nd Edition

Learn More Buy

Information Security Risk

Three factors influence information security decision making and policy development:

  • Guiding principles
  • Regulatory requirements
  • Risks related to achieving their business objectives.

Risk is the potential of an undesirable or unfavorable outcome resulting from a given action, activity, and/or inaction. The motivation for “taking a risk” is a favorable outcome. “Managing risk” implies that other actions are being taken to either mitigate the impact of the undesirable or unfavorable outcome and/or enhance the likelihood of a positive outcome.

For example, a venture capitalist (VC) decides to invest a million dollars in a startup company. The risk (undesirable outcome) in this case is that the company will fail and the VC will lose part or all of her investment. The motivation for taking this risk is that the company becomes wildly successful and the initial backers make a great deal of money. To influence the outcome, the VC may require a seat on the Board of Directors, demand frequent financial reports, and mentor the leadership team. Doing these things, however, does not guarantee success. Risk tolerance is how much of the undesirable outcome the risk taker is willing to accept in exchange for the potential benefit—in this case, how much money the VC is willing to lose. Certainly, if the VC believed that the company was destined for failure, the investment would not be made. Conversely, if the VC determined that the likelihood of a three-million-dollar return on investment was high, she may be willing to accept the tradeoff of a potential $200,000 loss.

Is Risk Bad?

Inherently, risk is neither good nor bad. All human activity carries some risk, although the amount varies greatly. Consider this: Every time you get in a car you are risking injury or even death. You manage the risk by keeping your car in good working order, wearing a seat beat, obeying the rules of the road, not texting, not being impaired, and paying attention. Your risk tolerance is that the reward for reaching your destination outweighs the potential harm.

Risk taking can be beneficial and is often necessary for advancement. For example, entrepreneurial risk taking can pay off in innovation and progress. Ceasing to take risks would quickly wipe out experimentation, innovation, challenge, excitement, and motivation. Risk taking can, however, be detrimental when ill considered or motivated by ignorance, ideology, dysfunction, greed, or revenge. The key is to balance risk against rewards by making informed decisions and then managing the risk commensurate with organizational objectives. The process of managing risk requires organizations to assign risk-management responsibilities, establish the organizational risk appetite and tolerance, adopt a standard methodology for assessing risk, respond to risk levels, and monitor risk on an ongoing basis.

Risk Appetite and Tolerance

Risk appetite is a strategic construct and broadly defined as the amount of risk an entity is willing to accept in pursuit of its mission. Risk tolerance is tactical and specific to the target being evaluated. Risk tolerance levels can be qualitative (for example, low, elevated, severe) or quantitative (for example, dollar loss, number of customers impacted, hours of downtime). It is the responsibility of the Board of Directors and executive management to establish risk tolerance criteria, set standards for acceptable levels of risk, and disseminate this information to decision makers throughout the organization.

In Practice: Information Security Risk Management Oversight Policy

Synopsis: To assign organizational roles and responsibilities with respect to risk management activities.

Policy Statement:

  • Executive management, in consultation with the Board of Directors, is responsible for determining the organizational risk appetite and risk tolerance levels.
  • Executive management will communicate the above to decision makers throughout the company.
  • The CISO, in consultation with the Chief Risk Officer, is responsible for determining the information security risk assessment schedule, managing the risk assessment process, certifying results, jointly preparing risk reduction recommendations with business process owners, and presenting the results to executive management.
  • The Board of Directors will be apprised by the COO of risks that endanger the organization, stakeholders, employees, or customers.

What Is a Risk Assessment?

An objective of a risk assessment is to evaluate what could go wrong, the likelihood of such an event occurring, and the harm if it did. In information security, this objective is generally expressed as the process of (a) identifying the inherent risk based on relevant threats, threat sources, and related vulnerabilities; (b) determining the impact if the threat source was successful; and (c) calculating the likelihood of occurrence, taking into consideration the control environment in order to determine residual risk.

  • Inherent risk is the level of risk before security measures are applied.
  • A threat is a natural, environmental, or human event or situation that has the potential for causing undesirable consequences or impact. Information security focuses on the threats to confidentiality (unauthorized use or disclosure), integrity (unauthorized or accidental modification), and availability (damage or destruction).
  • A threat source is either (1) intent and method targeted at the intentional exploitation of a vulnerability, such as criminal groups, terrorists, bot-net operators, and disgruntled employees, or (2) a situation and method that may accidentally trigger a vulnerability such as an undocumented process, severe storm, and accidental or unintentional behavior.
  • A vulnerability is a weakness that could be exploited by a threat source. Vulnerabilities can be physical (for example, unlocked door, insufficient fire suppression), natural (for example, facility located in a flood zone or in a hurricane belt), technical (for example, misconfigured systems, poorly written code), or human (for example, untrained or distracted employee).
  • Impact is the magnitude of harm.
  • The likelihood of occurrence is a weighted factor or probability that a given threat is capable of exploiting a given vulnerability (or set of vulnerabilities).
  • A control is a security measure designed to prevent, deter, detect, or respond to a threat source.
  • Residual risk is the level of risk after security measures are applied. In its most simple form, residual risk can be defined as the likelihood of occurrence after controls are applied, multiplied by the expected loss. Residual risk is a reflection of the actual state. As such, the risk level can run the gamut from severe to nonexistent.

Let’s consider the threat of obtaining unauthorized access to protected customer data. A threat source could be a cybercriminal. The vulnerability is that the information system that stores the data is Internet facing. We can safely assume that if no security measures were in place, the criminal would have unfettered access to the data (inherent risk). The resulting harm (impact) would be reputational damage, cost of responding to the breach, potential lost future revenue, and perhaps regulatory penalties. The security measures in place include data access controls, data encryption, ingress and egress filtering, an intrusion detection system, real-time activity monitoring, and log review. The residual risk calculation is based on the likelihood that the criminal (threat source) would be able to successfully penetrate the security measures, and if so what the resulting harm would be. In this example, because the stolen or accessed data are encrypted, one could assume that the residual risk would be low (unless, of course, they were also able to access the decryption key). However, depending on the type of business, there still might be an elevated reputation risk associated with a breach.

FYI: Business Risk Categories

In a business context, risk is further classified by category, including strategic, financial, operational, personnel, reputational, and regulatory/compliance risk:

  • Strategic risk relates to adverse business decisions.
  • Financial (or investment) risk relates to monetary loss.
  • Reputational risk relates to negative public opinion.
  • Operational risk relates to loss resulting from inadequate or failed processes or systems.
  • Personnel risk relates to issues that affect morale, productivity, recruiting, and retention.
  • Regulatory/compliance risk relates to violations of laws, rules, regulations, or policy.

Risk Assessment Methodologies

Components of a risk assessment methodology include a defined process, a risk model, an assessment approach, and standardized analysis. The benefit of consistently applying a risk assessment methodology is comparable and repeatable results. The three most well-known information security risk assessment methodologies are OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation, developed at the CERT Coordination Center at Carnegie Mellon University), FAIR (Factor Analysis of Information Risk), and the NIST Risk Management Framework (RMF). The NIST Risk Management Framework includes both risk assessment and risk management guidance.

NIST Risk Assessment Methodology

Federal regulators and examiners often refer to NIST SP 800-30 and SP 800-39 in their commentary and guidance. The NIST Risk Assessment methodology, as defined in SP 800-30: Guide to Conducting Risk Assessments, is divided into four steps: Prepare for the assessment, conduct the assessment, communicate the results, and maintain the assessment. It is unrealistic that a single methodology would be able to meet the diverse needs of private and public sector organizations. The expectation set forth in NIST SP 800-39 and 800-30 is that each organization will adapt and customize the methodology based on size, complexity, industry sector, regulatory requirements, and threat vector.

In Practice: Information Security Risk Assessment Policy

Synopsis: To assign responsibility for and set parameters for conducting information security risk assessments.

Policy Statement:

  • The company must adopt an information security risk assessment methodology to ensure consistent, repeatable, and comparable results.
  • Information security risk assessments must have a clearly defined and limited scope. Assessments with a broad scope become difficult and unwieldy in both their execution and the documentation of the results.
  • The CISO is charged with developing an information security risk assessment schedule based on the information system’s criticality and information classification level.
  • In addition to scheduled assessments, information security risk assessments must be conducted prior to the implementation of any significant change in technology, process, or third-party agreement.
  • The CISO and the business process owner are jointly required to respond to risk assessment results and develop risk reduction strategies and recommendations.
  • Risk assessment results and recommendations must be presented to executive management.

What Is Risk Management?

Risk management is the process of determining an acceptable level of risk (risk appetite and tolerance), calculating the current level of risk (risk assessment), accepting the level of risk (risk acceptance), or taking steps to reduce risk to the acceptable level (risk mitigation). We discussed the first two components in the previous sections.

Risk Acceptance

Risk acceptance indicates that the organization is willing to accept the level of risk associated with a given activity or process. Generally, but not always, this means that the outcome of the risk assessment is within tolerance. There may be times when the risk level is not within tolerance but the organization will still choose to accept the risk because all other alternatives are unacceptable. Exceptions should always be brought to the attention of management and authorized by either the executive management or the Board of Directors.

Risk Mitigation

Risk mitigation implies one of four actions—reducing the risk by implementing one or more countermeasures (risk reduction), sharing the risk with another entity (risk sharing), transferring the risk to another entity (risk transference), modifying or ceasing the risk-causing activity (risk avoidance), or a combination thereof.

Risk mitigation is a process of reducing, sharing, transferring, or avoiding risk. Risk reduction is accomplished by implementing one or more offensive or defensive controls in order to lower the residual risk. An offensive control is designed to reduce or eliminate vulnerability, such as enhanced training or applying a security patch. A defensive control is designed to respond to a threat source (for example, a sensor that sends an alert if an intruder is detected). Prior to implementation, risk reduction recommendations should be evaluated in terms of their effectiveness, resource requirements, complexity impact on productivity and performance, potential unintended consequences, and cost. Depending on the situation, risk reduction decisions may be made at the business unit level, by management or by the Board of Directors.

Risk transfer or risk sharing is undertaken when organizations desire and have the means to shift risk liability and responsibility to other organizations. Risk transfer shifts the entire risk responsibility or liability from one organization to another organization. This is often accomplished by purchasing insurance. Risk sharing shifts a portion of risk responsibility or liability to other organizations. The caveat to this option is that regulations such as GLBA (financial institutions) and HIPAA/HITECH (healthcare organizations) prohibit covered entities from shifting compliance liability.

Risk avoidance may be the appropriate risk response when the identified risk exceeds the organizational risk appetite and tolerance, and a determination has been made not to make an exception. Risk avoidance involves taking specific actions to eliminate or significantly modify the process or activities that are the basis for the risk. It is unusual to see this strategy applied to critical systems and processes because both prior investment and opportunity costs need to be considered. However, this strategy may be very appropriate when evaluating new processes, products, services, activities, and relationships.

In Practice: Information Security Risk Response Policy

Synopsis: To define information security risk response requirements and authority.

Policy Statement:

  • The initial results of all risk assessments must be provided to executive management and business process owner within seven days of completion.
  • Low risks can be accepted by business process owners.
  • Elevated risks and severe risks (or comparable rating) must be responded to within 30 days. Response is the joint responsibility of the business process owner and the CISO. Risk reduction recommendations can include risk acceptance, risk mitigation, risk transfer, risk avoidance, or a combination thereof. Recommendations must be documented and include an applicable level of detail.
  • Severe and elevated risks can be accepted by executive management.
  • The Board of Directors must be informed of accepted severe risk. At their discretion, they can choose to overrule acceptance.

FYI: Cyber Insurance

Two general categories of risks and potential liabilities are covered by cyber-insurance: first-party risks and third-party risks:

  • First-party risks are potential costs for loss or damage to the policyholder’s own data, or lost income or business.
  • Third-party risks include the policyholder’s potential liability to clients or to various governmental or regulatory entities.
  • A company’s optimal cyber-security policy would contain coverage for both first- and third-party claims. A 2013 Ponemon Institute Study commissioned by Experian Data Breach Resolution found that of 683 surveys completed by risk management professionals across multiple business sectors that have considered or adopted cyber-insurance, 86% of policies covered notification costs, 73% covered legal defense costs, 64% covered forensics and investigative costs, and 48% covered replacement of lost or damaged equipment. Not everything was always covered, though, as companies said only 30% of policies covered third-party liability, 30% covered communications costs to regulators, and 8% covered brand damages.

FYI: Small Business Note

Policy, governance, and risk management are important regardless of the size of the organization. The challenge for small organizations is who is going to accomplish these tasks. A small (or even a mid-size) business may not have a Board of Directors, C-level officers, or directors. Instead, as illustrated in Table 4.2, tasks are assigned to owners, managers, and outsourced service providers. What does not change regardless of size is the responsibilities of data owners, data custodians, and data users.

TABLE 4.2 Organizational Roles and Responsibilities

Role

Small Business Equivalent

Board of Directors

Owner(s).

Executive management

Owner(s) and/or management.

Chief Security Officer

A member of the management team whose responsibilities include information security. If internal expertise does not exist, external advisors should be engaged.

Chief Risk Officer

A member of the management team whose responsibilities include evaluating risk. If internal expertise does not exist, external advisors should be engaged.

Compliance Officer

A member of the management team whose responsibilities include ensuring compliance with applicable laws and regulations. If internal expertise does not exist, external advisors should be engaged.

Director of IT

IT manager. If internal expertise does not exist, external service providers should be engaged.

Internal audit

If this position is required, it is generally outsourced.

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020