Author name: Bruce

I have been doing IT and cybersecurity, specifically GRC, for 20 years. I want to help people get into this field.

Uncategorized

isaca risk it framework

ISACA is one of the leading international, non-profit organizations, and it puts out what is now one of the world's most respected sets of information security and IT risk frameworks and IT certifications:

- COBIT, Business Framework for Governance and Management of IT
- Val IT, IT Framework for Business Technology Management
- Risk IT, Framework for IT Related Business Risk
- CISA, Certified Information Systems Auditor
- CISM, Certified Information Security Manager
- CGEIT, Certified in the Governance of Enterprise IT
- CRISC, Certified in Risk and Information Systems Control

ISACA used to stand for Information Systems Audit and Control Association, but is now just ISACA.

ISACA Risk IT Framework

ISACA also publishes The Risk IT Practitioner Guide to accompany the framework. The Risk IT Framework fills the gap between generic risk management frameworks and detailed (primarily security-related) IT risk management frameworks. It provides an end-to-end, comprehensive view of all risks related to the use of IT and a similarly thorough treatment of risk management, from the tone and culture at the top, to operational issues. In summary, the framework will enable enterprises to understand and manage all significant IT risk types, building upon the existing risk-related components within the current ISACA frameworks, i.e., COBIT and Val IT.

http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/The-Risk-IT-Framework.aspx

The ISACA Risk IT Framework is more than just a complement to the DIARMF/NIST Risk Management Framework; it is a complete framework that stands on its own, and one that a non-government corporate entity could adopt as-is.

Uncategorized

dod information assurance awareness training

Conduct DoD Information Assurance Awareness Training: http://iase.disa.mil/eta/cyberchallenge/launchPage.htm

DoD information assurance awareness training is the DoD's interpretation of a requirement in a federal law, the Federal Information Security Management Act (FISMA). As each unit, agency and branch of the DoD takes on the responsibility of FISMA compliance, they sometimes come up with their own flavor of DoD information assurance awareness.

DoD Information Assurance Awareness is a requirement in accordance with FISMA of 2002: “security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of— ‘‘(A) information security risks associated with their activities; and ‘‘(B) their responsibilities in complying with agency policies and procedures designed to reduce these risks”

FISMA 2012

FISMA 2012 expands the scope of DoD information assurance awareness training, and of the Department of Homeland Security, through the National Initiative for Cybersecurity Education (NICE). NICE also includes the National Initiative for Cybersecurity Careers and Studies (NICCS) portal, an online resource for cybersecurity awareness, education, training, and career information open to the public. “The vision of NICCS portal is to provide a national resource to elevate cybersecurity awareness and affect the change in the American public; to adopt a culture of cyberspace security and to build a competent cybersecurity workforce.”

DoD Information Assurance Awareness & Security Training

According to FISMA, all government personnel and contractors must complete annual security awareness training. DoD 8570 and DoD 8140 are directives that spawned as a result of FISMA; they also require specialized training for personnel and contractors with significant security responsibilities. Progress of DoD information assurance awareness training is tracked and taken VERY seriously. So much so that if you don’t complete the annual training, you can lose your ability to access systems.

DoD Information Assurance Awareness Training Security Controls

Information assurance awareness is addressed as an actual security control in NIST SP 800-53, as the AT (Awareness & Training) control family, and NIST SP 800-50 is the guide for Building an Information Technology Security Awareness and Training Program.

Awareness and Training (AT):
- AT-1 Security Awareness and Training Policy and Procedures
- AT-2 Security Awareness
- AT-3 Security Training
- AT-4 Security Training Records
- AT-5 Contacts with Security Groups and Associations

Uncategorized

risk management definition

noun: risk management

- The method used to mitigate or prevent accidental or intentional loss to an organization.
- The process of predicting, measuring and controlling the impact of harm to an organization by identifying the threats to identified vulnerabilities and then limiting or mitigating those vulnerabilities.
- The process of identifying, analyzing and then either accepting or mitigating uncertainty in decision-making.

CNSSI 4009 describes risk management (adapted) as “The program and supporting processes to manage information security risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, and includes: (i) establishing the context for risk-related activities; (ii) assessing risk; (iii) responding to risk once determined; and (iv) monitoring risk over time.”

More risk management descriptions can be found in:
- ISO 31000:2009, Risk management – Principles and guidelines
- NIST SP 800-39, Managing Information Security Risk
- NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems

Uncategorized

risk management chart

The Risk Management Chart is described in NIST SP 800-39, Managing Information Security Risk. The Risk Management Chart is known as the Risk Assessment Activities (Figure 3-1). The risk management chart consists of 9 steps:

1) System characterization
2) Threat identification
3) Vulnerability identification
4) Control analysis
5) Likelihood determination
6) Impact analysis
7) Risk determination
8) Control recommendations
9) Results documentation

This data can be gathered and added to a risk management worksheet (sometimes known as a risk management chart).

Risk Management Chart steps description:

1) System characterization – Gather information into a System Security Plan (SSP). System characterization includes: hardware, software, system interfaces, data and information, IT system support staff, system mission, system and data criticality, and system and data sensitivity.
2) Threat identification – Without a defined threat, there is no way to identify or quantify the risk to an asset.
3) Vulnerability identification – Once the asset and threat are identified, you can more easily determine whether your system has a weakness for that particular disaster or exploit.
4) Security control analysis – If your system already has security controls in place, you must take that into account, because existing controls may lower your risk.
5) Likelihood determination – The probability that your asset will be exploited is based on the threat source's motivation, the threat's capability, your vulnerability and the security controls you have in place.
6) Impact analysis – This is where you gather all the data from asset identification, threat source, vulnerability identification, security controls and likelihood of attack, and figure out what would happen if the threat actually materialized.
7) Risk determination / risk identification – Based on all the data gathered, you can make a pretty good risk determination.
8) Control recommendation – After risk identification, the information security practitioner can recommend security controls.
9) Results documentation – The data gathered is documented in a risk assessment report, security assessment report and/or risk register/risk log/risk worksheet.

Who does risk identification?

Ultimately it is the information system owner and authorizing official who must decide what kind of risk they will accept, but they rely heavily on the expertise of an information security engineer, information system security manager, information system security officer and technical professionals to articulate what is happening on the ground. The ISSO/ISSM/ISSE typically document the process above or the DIARMF process. Security professionals coordinate with IT professionals to “get into the weeds” of technical security controls and vulnerabilities.

Uncategorized

information assurance services

Information assurance services cover all aspects of information system security and beyond. Information assurance services include, but are not limited to, all the domains of the CISSP, which is why most information assurance jobs look for an IT professional with that certification:

- Access Control
- Telecommunications and Network Security
- Information Security Governance and Risk Management
- Software Development Security
- Cryptography
- Security Architecture and Design
- Operations Security
- Business Continuity and Disaster Recovery Planning
- Physical (Environmental) Security

Information Assurance Services Companies

Information assurance services are such a big task that government agencies usually must rely on several companies and contracts to do all the work:

- Northrop Grumman
- Lockheed Martin
- SAIC

Most of the large contractors provide information assurance services (list of top 100 major govt contractors).

Uncategorized

risk management analyst

Risk Management Analyst is a title that in many cases deals explicitly with market shares and stock analysis. In relation to information security and DIARMF, a risk management analyst is an IT security professional who mitigates vulnerabilities in an organization's assets and identifies the threats and risks to the organization. Financial organizations are fond of using the term “risk” to describe system security engineering and system security analyst jobs.

Variations of the risk management analyst are:
- IT Risk Management Analyst
- Enterprise Risk Management Analyst
- IT Vendor Risk Management Analyst

The IT Risk Management Analyst position is very similar to, or exactly the same as, IT Risk Analyst.

IT Risk Management Analyst Job Description

The IT Risk Management Analyst is responsible for maintaining the organization's IT risk management program. That means the IT Risk Management Analyst must identify, evaluate and report on information technology security risks. The analyst will work with system administrators, project managers and other teams to implement practices that meet organizational policies, standards and expectations for information risk management. The IT Risk Management Analyst is also responsible for advising the Chief Information Security Officer (CISO), IT leadership and other key stakeholders.

Uncategorized

risk assessment worksheet

Risk assessment worksheets take the form of a spreadsheet, or a database that generates the worksheet. These are also known as a risk assessment register or risk log. Here are some risk assessment worksheets:

Risk Assessment Worksheet a
Risk Assessment Worksheet b

The risk assessment worksheet can be used in the Authentication Package in the DIARMF process / risk management. It can be used in the Risk Assessment Report / Security Assessment Report to quantify the potential impact of risk.
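The nine-step risk chart in the post above and the worksheet described here fit together naturally in a small script, so here is one as an added example (my code, not from the original post or from NIST). The caller supplies the data from steps 1 to 4 and 6 as findings; the functions perform likelihood determination, risk determination and control recommendation, and write the worksheet out as CSV for results documentation. The three-level scale and its numeric weights (likelihood 0.1/0.5/1.0, impact 10/50/100, risk Low up to 10, Medium up to 50, High above) are the ones in the 2002 edition of NIST SP 800-30; the rule that each existing control steps likelihood down one level, and the payroll/print server findings, are assumptions constructed for this example.

```python
"""Risk assessment worksheet builder (added example, not from the original post).

Steps 1-4 and 6 of the risk chart arrive as data in a Finding; the functions
below carry out steps 5 (likelihood), 7 (risk) and 8 (control recommendation),
and the CSV output is step 9 (results documentation). Scale and weights follow
NIST SP 800-30 (2002); the one-level-per-control reduction is an assumption.
"""
import csv
import io
from dataclasses import dataclass, field

LEVELS = ("Low", "Medium", "High")
LIKELIHOOD_WEIGHT = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT_WEIGHT = {"Low": 10, "Medium": 50, "High": 100}


@dataclass
class Finding:
    """Raw assessment data for one asset / threat / vulnerability triple."""
    asset: str                   # step 1: from the system characterization / SSP
    threat: str                  # step 2: threat source or event
    vulnerability: str           # step 3: weakness the threat could exercise
    existing_controls: list      # step 4: controls already in place
    threat_capability: str       # step 5 input: Low/Medium/High motivation and capability
    impact: str                  # step 6: Low/Medium/High if the threat materialised
    candidate_controls: list = field(default_factory=list)  # step 8 options


def determine_likelihood(threat_capability, existing_controls):
    """Step 5: start at the threat's capability and step down one level per
    existing control (assumption for this example), never below Low."""
    if threat_capability not in LEVELS:
        raise ValueError(f"unknown level {threat_capability!r}")
    idx = LEVELS.index(threat_capability) - len(existing_controls)
    return LEVELS[max(idx, 0)]


def determine_risk(likelihood, impact):
    """Step 7: likelihood weight x impact weight, binned as in SP 800-30 (2002):
    above 50 is High, above 10 is Medium, otherwise Low."""
    score = LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact]
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def recommend_controls(risk, candidate_controls):
    """Step 8: recommend the candidate controls for Medium/High risk; Low risk
    is recorded as a candidate for acceptance by the system owner / AO."""
    if risk == "Low":
        return "None (candidate for risk acceptance)"
    return "; ".join(candidate_controls) if candidate_controls else "No candidate controls identified"


def build_worksheet(findings):
    """Run steps 5-8 for every finding and return the worksheet rows, highest risk first."""
    rows = []
    for f in findings:
        likelihood = determine_likelihood(f.threat_capability, f.existing_controls)
        risk = determine_risk(likelihood, f.impact)
        rows.append({
            "asset": f.asset,
            "threat": f.threat,
            "vulnerability": f.vulnerability,
            "existing_controls": "; ".join(f.existing_controls) or "None",
            "likelihood": likelihood,
            "impact": f.impact,
            "risk": risk,
            "recommendation": recommend_controls(risk, f.candidate_controls),
        })
    rows.sort(key=lambda r: LEVELS.index(r["risk"]), reverse=True)
    return rows


def worksheet_to_csv(rows):
    """Step 9: results documentation as a spreadsheet-importable CSV string."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


# Constructed sample findings for a hypothetical system (not from any real assessment).
SAMPLE_FINDINGS = [
    Finding("Payroll server", "External attacker", "Unpatched web application",
            existing_controls=[], threat_capability="High", impact="High",
            candidate_controls=["Apply vendor patches (SI-2)", "Web application firewall"]),
    Finding("Payroll server", "Insider", "Shared administrator account",
            existing_controls=[], threat_capability="Medium", impact="High",
            candidate_controls=["Individual admin accounts (IA-2)", "Privileged access review"]),
    Finding("Print server", "Power failure", "No UPS",
            existing_controls=["Nightly backups", "Spare hardware"],
            threat_capability="High", impact="Low",
            candidate_controls=["Install UPS"]),
]

if __name__ == "__main__":
    print(worksheet_to_csv(build_worksheet(SAMPLE_FINDINGS)))
```

Running it prints a three-row worksheet with the unpatched payroll server as High, the shared admin account as Medium, and the print server (two compensating controls, low impact) as Low with a note that it is a candidate for acceptance; the CSV opens directly in a spreadsheet, which is the form the risk register usually takes.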

Uncategorized

army information assurance

AR 25-2, Information Assurance, is the main guideline document for Army Information Assurance. AR 25-2 breaks down the Army Information Assurance Program (AIAP), which is designed to be a one-stop shop for protecting the confidentiality, integrity and availability of unclassified, sensitive, or classified information stored, processed, accessed, or transmitted by Army information systems. AIAP is the Army’s flavor of implementing DODD 8500.1, DODI 8500.2, and Chairman of the Joint Chiefs of Staff Manual (CJCSM) 6510.01 to align information assurance goals. Like all the other branches of the US Armed Forces, the certification & accreditation part of the Army IA program will have to change to more of a risk management framework as the DoD changes to a NIST-based Risk Management Framework. But most of the main best-practice system security items won’t change.

The Army Information Assurance Program describes the responsibilities of these offices:

- Chief Information Officer
- Principal Headquarters, Department of the Army officials and staff
- Administrative Assistant to the Secretary of the Army
- Assistant Secretary of the Army for Acquisition, Logistics, and Technology
- The Deputy Chief of Staff, G-2
- The Deputy Chief of Staff, G-3
- The Deputy Chief of Staff, G-4
- Commanders of Army Commands; Army Service Component Commands; Direct Reporting Units; U.S. Army Reserve; Army National Guard; program executive officers; direct reporting program managers; Regional Chief Information Officers; Functional Chief Information Officers; and the Administrative Assistant to the Secretary of the Army
- Commander, 1st Information Operations Command
- Commanding General, Network Enterprise Technology Command/9th Signal Command (Army)
- Commanding General, U.S. Army Training and Doctrine Command
- Commanding General, U.S. Army Materiel Command
- Commanding General, U.S. Army Intelligence and Security Command
- Commanding General, U.S. Army Criminal Investigation Command
- Chief, Army National Guard
- Chief, Army Reserve
- U.S. Army Reserve Command Chief of Staff
- U.S. Army Corps of Engineers Chief of Engineers
- U.S. Army Corps of Engineers Chief Information Officer
- Commanding General, Eighth Army
- Commanding General, U.S. Army Europe
- Commanding General, U.S. Army Medical Command
- Program executive officers and direct reporting program/project managers
- Commanders, directors, and managers
- Garrison commanders
- U.S. Army Reserve major subordinate command
- Army National Guard state DOIM/J6/CIO
- Regional Chief Information Officer
- Army Reserve command/unit/activity G–6
- Director of Information Management

AR 25-2 also explains the Army Information Assurance Program personnel structure, including information assurance support personnel and where contractors fit in the structure. AR 25-2 is the information assurance policy, which includes funding and information assurance training. Mission assurance category, levels of confidentiality, and levels of robustness are explained.

The topics of Army Information Assurance include:

- Software Security
  - Security controls
  - Database management
  - Design and test
- Hardware, Firmware, and Physical Security
  - Hardware-based security controls
  - Maintenance personnel
  - Security objectives and safeguards
- Procedural Security
  - Password control
  - Release of information regarding information system infrastructure architecture
- Personnel Security
  - Personnel security standards
  - Foreign access to information systems
- Information Systems Media
  - Protection requirements
  - Labeling, marking, and controlling media
  - Clearing, purging (sanitizing), destroying, or disposing of media
- Network Security
  - Cross-domain security interoperability
  - Network security
- Incident and Intrusion Reporting
  - Information system incident and intrusion reporting
  - Reporting responsibilities
  - Compromised information systems guidance
- Information Assurance Vulnerability Management
  - Information assurance vulnerability management reporting process
  - Compliance reporting
  - Compliance verification
  - Operating non-compliant information systems
- Certification & Accreditation
- Communication Security
- Risk Management

Uncategorized

corporate risk

NIST SP 800-39, Managing Information Security Risk, is one of the primary documents of the DIARMF/Risk Management Framework. This approach very effectively covers the same “corporate risk” challenges you would see in major organizations. It addresses corporate risk by introducing a tiered approach to risk.

The Fundamentals of Corporate Risk Management (covered in Chapter 2 of NIST SP 800-39)

800-39 covers corporate risk in three layers (or tiers) of risk management:
- Tier 1: Organization level
- Tier 2: Mission/Business Process level
- Tier 3: Information System level

Tier 1: Corporate Organization Level risk management

NIST 800-39 Tier 1 addresses security from the entire organization's perspective. Corporate risk structure starts from the top down. The activities include the implementation of the first component of risk management, risk framing. Risk framing provides the context for all risk activities within an organization, which affects the risk activities of tiers 1 and 2. The output of risk framing is the risk management strategy. In tier 1 the organization establishes and implements governance structures that comply with laws, regulations and policies. Tier 1 activities include establishment of the risk executive function, establishment of the risk management strategy and determination of the risk tolerance.

Tier 2: Corporate/Mission Process Level risk management

Tier 2 risk management activities include:
1) Defining the mission/corporate processes to support the organization.
2) Prioritizing the mission/corporate processes with respect to the long-term goals of the organization.
3) Defining the type of information needed to successfully execute the mission/business processes, the criticality/sensitivity of that information, and the information flows, both internal and external.

Having a risk-aware process is an important part of tier 2. To be risk-aware, senior leaders/executives need to know:
- the types of threat sources and threat events that could adversely affect the organization's ability to operate
- the potential impacts on organizational operations and assets, individuals and the Nation if confidentiality, integrity or availability is compromised
- the corporation's resilience to such an attack that can be achieved with a given mission/business process

Tier 3: Information System risk management

From the information system perspective, tier 3 addresses the following tasks of the DIARMF/risk management framework steps:
- Categorization of the information system
- Allocating the organizational security controls
- Selection, implementation, assessment, authorization, and ongoing monitoring

Chapter 3 of NIST 800-39 focuses on the steps needed for a comprehensive risk management program. The tasks discussed include:
- Risk framing
- Risk assessment
- Risk response
- Risk monitoring

Risk Framing

Risk framing is the set of assumptions, constraints, risk tolerance and priorities that shape how an organization manages risk. Risk framing is created based on the organizational governance structure, how much money is available, regulations imposed, environment, culture and trust relationships.

Risk Assessment

Risk assessment is threat and vulnerability identification and risk determination. Organizational risk framing is a prerequisite to risk assessments, because the methods of risk assessment must be established within the context of the organization's risk.

Risk Response

Risk response identifies, evaluates, decides on, and implements appropriate courses of action to accept, avoid, mitigate, share, or transfer risk to organizational operations and assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems. Risk identification is key to risk response. Risk response types include:
- Risk acceptance is the appropriate risk response when the identified risk is within the organizational risk tolerance. Organizations can accept risk deemed to be low, moderate, or high depending on particular situations or conditions.

Risk Monitoring

Risk changes with each modification of the system. It is important to monitor the changes in a system's risk. Changes to threats can also change risk.
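To make the response and monitoring steps concrete, here is an added example of my own (not code from NIST SP 800-39 or from the original post) that compares each assessed system risk against a risk tolerance set once at tier 1 and picks a response, then diffs two assessments of the same systems to show what risk monitoring has to react to. The page states that acceptance is appropriate when the risk is within tolerance; the order in which the other responses are tried (mitigate if the residual risk would fall within tolerance, avoid if the process is not mission-essential, share/transfer if that option exists, otherwise escalate to the risk executive), the Low/Moderate/High scale, and the hr-portal, kiosk and wiki entries are all assumptions constructed for this example.

```python
"""Risk response selection and risk monitoring against a tier 1 tolerance
(added example; the decision order below is an assumption, not NIST's text).
"""
from dataclasses import dataclass

LEVELS = ("Low", "Moderate", "High")


@dataclass(frozen=True)
class AssessedRisk:
    system: str                 # tier 3 information system
    description: str            # threat/vulnerability pair from the risk assessment
    level: str                  # assessed risk level: Low/Moderate/High
    mission_essential: bool     # tier 2 priority: can the activity be dropped?
    residual_if_mitigated: str  # level left after available controls, or None
    transferable: bool          # can the risk be shared (contract, insurance)?


def within(level, tolerance):
    """True when a risk level does not exceed the organizational tolerance."""
    return LEVELS.index(level) <= LEVELS.index(tolerance)


def choose_response(risk, tolerance):
    """Return accept / mitigate / avoid / share/transfer / escalate (assumed order)."""
    if within(risk.level, tolerance):
        return "accept"            # 800-39: appropriate when within tolerance
    if risk.residual_if_mitigated is not None and within(risk.residual_if_mitigated, tolerance):
        return "mitigate"          # controls exist that bring it within tolerance
    if not risk.mission_essential:
        return "avoid"             # stop the activity that creates the risk
    if risk.transferable:
        return "share/transfer"
    # nothing brings it within tolerance: a tier 1 (risk executive) decision
    return "escalate"


def respond(risks, tolerance):
    """Map every 'system:description' entry to its chosen response."""
    return {f"{r.system}:{r.description}": choose_response(r, tolerance) for r in risks}


def monitor(previous, current, tolerance):
    """Risk monitoring: compare the last and the current assessment and return
    (key, old_level, new_level, response) for every entry that changed level,
    is new, or is gone (retired)."""
    prev = {(r.system, r.description): r for r in previous}
    curr = {(r.system, r.description): r for r in current}
    changes = []
    for key in sorted(prev.keys() | curr.keys()):
        old, new = prev.get(key), curr.get(key)
        if old is None:
            changes.append((key, None, new.level, choose_response(new, tolerance)))
        elif new is None:
            changes.append((key, old.level, None, "retire"))
        elif old.level != new.level:
            changes.append((key, old.level, new.level, choose_response(new, tolerance)))
    return changes


# Constructed sample: a hypothetical organization whose tier 1 tolerance is Moderate.
TOLERANCE = "Moderate"
BASELINE = [
    AssessedRisk("hr-portal", "credential stuffing", "High", True, "Moderate", False),
    AssessedRisk("hr-portal", "data-centre flood", "High", True, None, True),
    AssessedRisk("kiosk", "unsupported OS", "High", False, None, False),
    AssessedRisk("wiki", "defacement", "Low", False, "Low", False),
]
# The same systems one quarter later: MFA deployed on hr-portal, the kiosk
# decommissioned, and a new threat identified against the wiki.
LATER = [
    AssessedRisk("hr-portal", "credential stuffing", "Moderate", True, "Low", False),
    AssessedRisk("hr-portal", "data-centre flood", "High", True, None, True),
    AssessedRisk("wiki", "defacement", "Low", False, "Low", False),
    AssessedRisk("wiki", "vulnerable plugin", "High", False, "Low", False),
]

if __name__ == "__main__":
    for entry, response in respond(BASELINE, TOLERANCE).items():
        print(f"{entry:35} -> {response}")
    for change in monitor(BASELINE, LATER, TOLERANCE):
        print("change:", change)
```

The baseline run shows all five response types in play (mitigate, share/transfer, avoid, accept), and the monitoring diff shows why the page insists on re-checking risk after every change: the hr-portal risk drops into tolerance and becomes acceptable, the retired kiosk leaves the register, and the new wiki finding needs a fresh response decision rather than inheriting last quarter's.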

Uncategorized

risk analyst

The job title and term “risk analyst” is used by financial institutions, usually in terms of investments, managing portfolios, stocks, bonds and stuff like that. In terms of security, “risk analyst” is not usually used unless it is “information security risk analyst” or “system security risk analyst”. Banks and other institutions like to throw “information security risk analyst” around for job titles. I think it's because financial organizations REALLY understand risk, down to formulas and equations.

An information security risk analyst might be expected to do, or have, some or all of the following:
- Certification: CISA, CISM or CISSP
- Support the senior analyst's day-to-day operations
- Ensure that the requirements of the Information Security Policy are carried out
- Protect the confidential information of vendors, customers and third-party organizations
- Conduct risk assessments (using a risk register or risk matrix)
- Audit the security controls of systems, risk advisories and continuous (ongoing) monitoring
- Identify trends in contractual reviews, risk assessments and due diligence; propose process modifications or policy changes as appropriate
- An understanding of the requirements of the Gramm-Leach-Bliley Act (GLBA) and state privacy laws regarding the protection of customer information
- Excellent written and oral communication skills
- An undergraduate degree

As you can see, these tasks are very similar to what we do in DIARMF, DIACAP, the Risk Management Framework and Certification and Accreditation. The financial/bank sector just uses different terms and is subject to different federal laws.

You may also see:
- IT Risk Management Analyst
- Compliance Analyst/IT Risk Management Analyst
- Information Security & Risk Analyst
- Information Security Senior Analyst

All these positions do roughly the same thing, some variation of the Risk Management Framework, which in a single sentence is: continuously monitor, mitigate and manage risk by finding and minimizing vulnerabilities in the organization's information systems.
