CompTIA CASP+ CAS-004 – Chapter 01 – Understanding Risk Management

1. Chapter Introduction

In this first chapter, we’re going to be looking at the concepts of risk management. And risk management is going to be a big part of the life of a security professional because as security professionals in the information technology business, we’re surrounded by risk every day. And the way that we handle that risk will really prove the efficiency that we have at our job. In this chapter, we’re are going to discuss a number of different topics.

The first will be understanding business and industry influences. We have to look at new products and technologies that are in use in our organization as well as user behaviors and then understand how we can accommodate the risk management process in relation to those things. We’ll also discuss new and changing business models and strategies, internal influences versus external influences and the like. Then we’ll be looking at policies and procedures. Of course, these are the guidelines that we set up as security professionals for those in our organization as well as for ourselves, our team of individuals.

And the procedures are more of a step by step approach that we’ll take in order to implement these levels of security. With risk management, a key word that we hear often is mitigation. And mitigation simply could be meant as to minimize. Or you could just say this is how we’re going to handle this risk, that’s risk mitigation. Are we going to mitigate the risk? In other words, are we going to put up barriers, are going to put things in place to minimize the likelihood that the risk will actually happen. We can’t completely eliminate threats and vulnerabilities in many cases.

What we can do is put up protective mechanisms to mitigate risk, to control risk. And so we’ll be talking about some of those concepts we’ll also throw in here business Continuity planning. One of the big risk is that your business is unable to continue, that your data and services are not available. And so we have to have a disaster recovery plan. And a part of a disaster recovery plan is actually a part of an overall business continuity plan.

2. Topic A: Understanding Business and Industry Influences

In this first topic, we’re going to be looking at understanding business and industry influences, essentially in the life of a security professional.

3. Ongoing Risk Management

So let’s start by talking about ongoing risk management. And what you have to understand is that your It department that you work in is not operating in some sort of vacuum. The It department and It security as a whole is going to be influenced by various business objectives. It’s also going to be influenced by corporate politics and policies. On the politics side, you have political things in every corporation that are going to kind of persuade you to make certain decisions or change you from making a decision that you want.

And so this can actually make the job of a security professional even more difficult because they have to factor in all of these considerations. There are some things that come into play that are outside the enterprise. So you have legal considerations, you have regulations, you have partnerships with other companies, and then we have new technologies. And in many cases, these new technologies are untested and they’re unfamiliar. And so when you factor all of that in, then you really have the prescription for security incidents to arise. And that’s what we would like to try to avoid.

4. New Products and User Behaviors

So let’s talk a little bit about those new products and technologies. These are going to be never ending because they’re just a given in this industry. It’s not possible to stop the tide of new technology in the organization but it is possible to manage the risks that are involved. And so every single technology, every single behavior really needs to be studied through a formal risk management process. And that’s of course something that we’re going to be going through in this chapter. But you just have to understand that it’s really going to be a never ending process because the technologies are never ending, they’re always coming through.

The factors that affect risk profiles are constantly changing. And so at that point that means that the risk profile of a particular item may have to change as well. When a company decides that they want to use cutting edge technology there’s always going to be concerns. Concerns about maintaining support for the technology, especially in regard with software products. What if the vendor goes out of business? One of the approaches that you can use to kind of mitigate this concern is to have some sort of source code escrow clause in the contract for the system.

The source code escrow is usually maintained by a third party and that third party then is responsible for providing the source code to the customer in the event that a vendor goes out of business. And that’s just one example. But if you are on the bleeding edge then you have more of a potential for failures or more of a potential for just things that wouldn’t necessarily happen to well used, well known, relied upon software. It’s also necessary to keep abreast of any changes in the way that users are performing their jobs. For instance, suppose that over time users are increasingly using chat instant messaging type of technology rather than email.

And not only are they using it very readily but they’re using it to discuss sensitive issues. Well, in that kind of situation we need to make sure that we’re securing those Im communications. In fact, it becomes just as important as securing email if it’s being used to pass on sensitive information. And so we have to keep up to date with the way that users are using the technology, the way that users are choosing to work because it’s going to change the risk profile. So how do we go about doing that? Well, one is just periodically monitoring user behavior. We want to try to discover new areas of risk and we’re not only trying to identify new work methods but also just risky behavior. So for instance, the age old one is people writing down passwords on sticky notes.

But we can kind of keep an eye on users and understand what they’re doing. We can try to mitigate, deter and prevent risk. Often this is done through training and additional or new security policies and we can anticipate behaviors before they occur. And we would do that by researching trends. So the trend of the usage of mobile devices and the trend of cloud based data storage and other user behavior. So if we keep an eye on those things, then we’re able to adjust our security policies to meet those needs.

5. Business Models and Strategies

Another factor that can change the risk profile of a particular activity or a particular process is a change in the way that the company does business. So companies may form partnerships. They may have mergers and demergers. They may sell assets, introduce new technologies. In all of these, security is going to be impacted in some way. And so we need to just understand, as with the other things, as these changes occur, so does the risk profile.

So let’s talk about some of these considerations. We’ll start with partnerships. If you establish a partnership, regardless of whether it’s formal or informal, you establish this partnership with another entity, it’s going to require in many cases, the exchange of sensitive data and information. And any time that happens, it’s going to raise security issues. In in these cases, often we have what’s called a TCA or a third party connection agreement. And that’s just a document that spells out exactly what type of security measures should be taken as it relates to the handling of data that’s exchanged between these parties. They may be providing some sort of shared service as well.

Some partnerships may not involve actually the handling or exchange of sensitive data, but it’s a partnership so that I provide you a service. They can be formed by similar businesses within the same industry, or businesses that are affiliated with a particular third party. But it really doesn’t matter the nature of the partnership.

A TCA or some type of document really needs to be in place to identify all the responsibilities of the parties so that you can secure various connections, you can secure data and other sensitive information. Outsourcing is another consideration. Third party outsourcing is a liability that many organizations don’t even consider as a part of their risk assessment.

Any outsourcing agreement, though, should ensure that the information that is being entrusted to this other organization is protected by appropriate security measures, certainly to fulfill any regulatory and legal requirements. So it has to be included in that they really should include formal procedures, contractual agreements to help you kind of outline exactly what is happening between these two companies.

One thing we could consider is subcontracting and dealing with multiple vendors. And we also need to identify if you’re outsourcing across national boundaries, there are going to be additional complications. Some countries laws are going to be stricter than others. And so depending on where the data originates, where the data is stored, it may be necessary to consider the laws of more than one country or more than one regulatory agency. And so if a country and then one other thing, if a country has really lacks security, you may want to reconsider doing business with a company from that country. So all kinds of considerations there with both partnerships as well as outsourcing.

6. Cloud Technologies

One of the most popular choices today is to include cloudbased technologies. Cloudbased technologies will bring their own set of considerations. In some cases your regulatory requirements may actually prevent the use of a public cloud. So you have to consider those regulatory requirements to even see if it is an option. For instance, there may a regulatory requirement in regards to credit cards being processed outside of the country or processed by a shared hosting provider. And so in those cases public clouds may not be an option because you don’t really have control over that infrastructure. So we would have to use a private cloud within the company.

You got to keep those things in mind. Public clouds do offer a lot of benefits, but it can introduce all sorts of security concerns. How do you know in a multitenant type of environment that your data is kept separate from other customers data? How do you know in those types of environments or any public cloud environment that your data is safe? Anytime we’re outsourcing data security, confidentiality, integrity of data, it makes a lot of people uncomfortable. And it doesn’t mean, and I don’t mean by this, that you can’t trust the public cloud options, but simply that you need to consider these things and you really need to think through them and understand the different types of clouds. Okay, so a private cloud is actually, we should take a step back because cloud is sort of an ambiguous term. So when we refer to the cloud, most often we’re just talking about a set of resources.

Now the actual resources that are being utilized in your control over various resources do depend on the service models. We’re not getting into that. We’re just discussing the types. Okay? So when we say resources, we’re often talking about computing resources, CPUs, memory, we’re talking about storage, we’re talking about networking. Those are the resources in the cloud. A private cloud is a situation where one organization owns all those resources.

They’re using cloud technologies, which is often expandability, dynamic provisioning, a pay as you go model billing based on the actual resources that you use. So they’re using some of those concepts, but they’re using their own resources. We have multiple hypervisors generally and software that controls them so that we can dynamically allocate resources when a particular department requests it. But we control everything that we house all of these resources inside our data centers. Well that’s distinctly different from a public cloud. So AWS, Microsoft, Azure, the Google cloud, IBM cloud, all of these would be public cloud offerings. And of course there are many, many more that are smaller. And in the public cloud situation you don’t control those resources.

You may have some level of control based on service models, but you don’t actually control the physical disk. You don’t actually control the physical systems that are hosting the virtual machines. You can’t touch the fabric, you can’t go walk into the data center so you don’t have control over that. All right. A hybrid is a situation where you’re using both public and private cloud environments. Now in this case, the public and the private are distinct entities but they’re connected to one another. So an example of this might be company data that’s kept in a private cloud that connects to some sort of business intelligence application, but the application itself is hosted in the public cloud.

So we’re going to store the data but then we have this front end web application or business intelligence application that’s providing access to that data. And that’s just one example of a hybrid type of scenario. The last one is a community cloud. And the community cloud is shared by organizations that have some common need to address like regulatory compliance. So these clouds can be managed either by a cross company team or a third party provider. But the community cloud has been beneficial official to all the participants because it helps to reduce overall cost for each organization. Your most common community cloud would be the government type community clouds that are out there.

7. Acquisitions and Mergers

Another element that we need to consider are acquisitions and mergers. When you have two companies that merge or one company that acquires another, it’s really a sort of a marriage between those two systems. And this is a fairly common practice in businesses. We have to understand that in these situations we can combine networks, we can integrate systems and in other cases we might build entirely new infrastructures. But every time this happens, you have a process that gives you an opportunity to take a fresh look at how to ensure that all the systems in both businesses are as secure as we require.

And it can be complicated because often we might be using different hardware, different network architectures, different policies and procedures. But both entities in a merger acquisition really need to take advantage of a period of time during the negotiations called due diligence. And it’s just a time where we study and try to understand the operational details of both companies. It’s only then that both entities can actually enter into this merger acquisition and really have a clear understanding of what lies ahead in order to ensure security. Another thing that should be done before the two networks are joined is to do some sort of penetration testing that should be done separately on each network so that all the parties have an understanding of the existing risk going forward.

And it’s advisable to devise an interconnection security agreement or Isa in relation to the merger. That is going to be in addition to a complete risk analysis of the company that’s being inquired of their entire operation. If we find anything that’s lacking and required controls, then we need to redesign it. In most cases, the companies will adopt whichever of the two is the more strict security technologies and policies there are. Other cases the opposite can occur in a divestiture or a demerger. Some companies split off or spin off parts of the company.

So the merger is a marriage, whereas a demerger is more of like a divorce. The entities at that point need to come to an agreement on the removal of the information from the systems which assets are going to go with each entity. And this might involve the complete removal of certain types of information from one entity systems. But it is again a time to review all of the security measures on both sides. Especially in the case of a sale of another enterprise. It’s even more important because we want to make sure that only the request data is transferred to the purchasing companies. We certainly don’t want to give too much. We don’t want to give too little.

8. Due Diligence Team

One recommendation that can help to ensure secure mergers or demergers, is to create what’s called a due diligence team. This will be a team that’s responsible for a number of different things. They’d define a plan to set and measure security controls at every step of the process. They’d help to identify gaps and overlaps in security that exist between the two businesses that are merging or demerging or going through a demerger.

I don’t think demerging is a word, but they would create a risk profile for all the identified risk involved in moving the data, prioritizing processes, identifying processes that would require a more immediate attention, and then understanding the framework that is being utilized, making sure that auditors and compliance teams are utilizing matching frameworks. And so all of that is a part of that due diligence team, which is simply a team of individuals that are a part of the initial due diligence process.

9. Data Ownership

Data ownership is another thing that can be affected by changing business models. Depending on the business model that’s being adopted, management needs to make decisions on who owns the data, and this is often going to be required in acquisitions or mergers when these occur. As security professionals, we really need to determine if data is going to remain under separate ownership or if data will be merged merged as well.

 So if the merge of data is supposed to take place, then we need a comprehensive plan that’s going to detail the steps that we’re going to be involved in that data merge. In the case of the opposite of the Demerger, management needs to decide which entity is going to own the data as well. And then we need to have detailed plans and procedures written to make sure that the appropriate data is going to be extracted. You need to consider laws, regulations, standards that govern the two organizations. All of this has to be taken into account whether data is being merged, retained as separate entities, or separated based on ownership.

We have to make sure that data security remains a priority. That is going to be extremely important. You need to consider all different types of information. Health information, financial information, personally identifiable information. All of that would be very important as we consider who owns the data in both acquisitions and mergers.

10. Data Reclassification

Another thing we need to take a look at is data reclassification. We need to examine the classification model of data when we have these acquisitions or mergers or the demergers occur. In the case of an acquisition or merger, we got to decide whether to keep the data separate or merge the data into a single entity. And in the case of a divestiture demerger, we have to ensure that legally protected data is not actually given to an entity that’s not covered under the same laws, the same regulations, the same standard. So you have to take a look at those regulations and standards that are governing the two organizations, and it may be necessary at that point for the organization to actually design a new data classification model and design procedures for data reclassification. So it’s another little aspect that occurs when planning for these business changes.