Mike Chapple

(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide


Скачать книгу

specific asset:

       (pre-safeguard ALE – post-safeguard ALE) – ACS

      or, even more simply:

       (ALE1 – ALE2) – ACS

      The countermeasure with the greatest resulting value from this cost/benefit formula makes the most economic sense to deploy against the specific asset-threat pairing.

      Once you have calculated a cost/benefit for each safeguard for each asset-threat pair, you must then sort these values. In most cases, the cost/benefit with the highest value is the best safeguard to implement for that specific risk against a specific asset. But as with all things in the real world, this is only one part of the decision-making process. Although very important and often the primary guiding factor, it is not the sole element of data. Other items include actual cost, security budget, compatibility with existing systems, skill/knowledge base of IT staff, and availability of product as well as political issues, partnerships, market trends, fads, marketing, contracts, and favoritism. As part of senior management or even the IT staff, it is your responsibility to either obtain or use all available data and information to make the best security decision for your organization. For further discussion of safeguard, security control, and countermeasure selection issues, see the “Countermeasure Selection and Implementation” section, later in this chapter.

Concept Formula or meaning
Asset value (AV) $
Exposure factor (EF) %
Single loss expectancy (SLE) SLE = AV * EF
Annualized rate of occurrence (ARO) # / year
Annualized loss expectancy (ALE) ALE = SLE * ARO or ALE = AV * EF * ARO
Annual cost of the safeguard (ACS) $ / year
Value or benefit of a safeguard (i.e., cost/benefit equation) (ALE1 – ALE2) – ACS

      Yikes, So Much Math!

      Yes, quantitative risk analysis involves a lot of math. Math questions on the CISSP exam are likely to involve basic multiplication. Most likely, you will be asked definition, application, and concept synthesis questions on the exam. This means you need to know the definition of the equations/formulas and values (Table 2.2), what they mean, why they are important, and how they are used to benefit an organization.

      Countermeasure Selection and Implementation

      Selecting a countermeasure, safeguard, or control (short for security control) within the realm of risk management relies heavily on the cost/benefit analysis results. However, you should consider several other factors when assessing the value or pertinence of a security control:

       The cost of the countermeasure should be less than the value of the asset.

       The cost of the countermeasure should be less than the benefit of the countermeasure.

       The result of the applied countermeasure should make the cost of an attack greater for the perpetrator than the derived benefit from an attack.

       The countermeasure should provide a solution to a real and identified problem. (Don't install countermeasures just because they are available, are advertised, or sound appealing.)

       The benefit of the countermeasure should not be dependent on its secrecy. Any viable countermeasure can withstand public disclosure and scrutiny and thus maintain protection even when known.

       The benefit of the countermeasure should be testable and verifiable.

       The countermeasure should provide consistent and uniform protection across all users, systems, protocols, and so on.

       The countermeasure should have few or no dependencies to reduce cascade failures.

       The countermeasure should require minimal human intervention after initial deployment and configuration.

       The countermeasure should be tamperproof.

       The countermeasure should have overrides accessible to privileged operators only.

       The countermeasure should provide fail-safe and/or fail-secure options.

      Keep in mind that security should be designed to support and enable business tasks and functions. Thus, countermeasures and safeguards need to be evaluated in the context of a business process. If there is no clear business case for a safeguard, it is probably not an effective security option.

Schematic illustration of the categories of security controls in a defense-in-depth implementation.

      Administrative

      The category of administrative controls are the policies and procedures defined by an organization's security policy and other regulations or requirements. They are sometimes referred to as management controls, managerial controls,