Now, another tool that may be helpful in assigning risks, as it's so important, is something called a RACI chart: Responsible, Accountable, Consult and Inform. Ah, you may also hear it referred to as an ARCI chart:
Accountable, Responsible, Consult and Inform. And actually, that's more accurate, because accountable is really the top level. Accountable is kind of the ultimate authority. This is the one with whom the responsibility really rests.
Responsible: these are the foot soldiers. These are the ones carrying out the work.
Consult means we're gonna talk about a decision or an event prior to making the decision. Inform, that's after the fact, but I'm gonna keep you in the loop, so to speak. So the idea is that we want to make sure that people know their degree of responsibility or accountability. Also, we know who to consult and inform
in relation to risk events,
the strategy of the business. Ah, and again you'll see lots of issues going back to the business, the business, the business. Our IT strategy is a sub-component of the business strategy. IT is just here to help the business meet its goals. That's the only reason. So ultimately, when we're talking about
aligning the IT goals with those of the business,
we need feedback. We need support from senior management in order to do so.
This phrase, alignment with business goals and objectives, is all over the CRISC exam. Everything comes down to making a solution that further helps the business.
And once we do that, we're able to prioritize our risk responses so that we can maintain that support.
Risk management is better
when there is a central entity managing risks. If your organization has a chief risk officer, and many organizations do not, but when risk is essentially managed centrally, documented, ah, we have central communication. We have greater control if you do have a central entity within the organization.
The role of information security within a company
is to support the business, and it is that simple. The only reason we have IT is because somehow we solve a business need.
So we keep that in mind, and we have to realize that that is our place.
The reason that's important. Let me ask you a question.
So the question I would ask anybody in the I t security field,
how much security is enough?
Pretty straightforward question. How much security is enough?
And I think most of us have been taught to say
or would immediately think, you could never have enough security.
More is better, and that's actually not true. That's a common mistake, or a common... it's a common phrase. It's a common thought, but it's actually not accurate. You can have too much security. Like I said earlier, I'm not gonna spend $50 to protect a $20 bill. That's too much security.
So the answer, and it often surprises people, but the answer to how much security is enough,
the answer is just enough.
Now I want to stress that I'm not saying cut corners, get away with as little security as you can. That's dangerous. That's irresponsible. That's not accurate.
What I'm saying is, to make a good decision on how to secure
an asset of any value, first identify it and get a true understanding of what it's worth.
And this is not easy. You know, if I were to ask you what your company's reputation is worth,
that's a tough one. You know, give me a dollar value for the reputation of your company?
How would I even go about that? Well,
you could consult with specialists.
You can do some research. You can look at other organizations in a similar industry or similar position. You can look at compromises they've had and the effect it had on their stocks,
or their brand recognition, or customer confidence. Yeah, it's not easy, right? But we have to do that
because once I have a true understanding of the value of what I'm protecting, now I can make a responsible decision on how much to spend.
If I'm one of those IT people, and there are many people like this out there, we want bigger, better, faster, louder, newer stuff all the time. And that's not a decision that supports the organization.
A decision that supports the organization says: What am I protecting? What's it worth?
What's the potential for loss
and then what's the cost of mitigation?
If I'm spending more to mitigate a risk than the potential for loss, I'm not supporting the organization. And again, a central thread throughout everything that we cover is this idea of cost-benefit analysis, this idea of a balance, the pros and the cons.
Okay. Now, also on this exam, make sure that you're comfortable with your role. Your role is not as a decision maker; your role is a risk advisor.
So be careful on questions that have you acting out,
as in, ah, suspicious activity is coming in through, ah, a port on your firewall. What should you do?
Make the call to the appropriate party.
You know, you're not a firewall administrator. You're a risk advisor. Gather information.
Make an opinion. Inform senior management.
So for those of you folks that are more technical in nature, stay away from the quick technical response. Usually it's a lot more process driven than it is
As we move forward, we talk about the principal, the foundational elements of security. We have the CIA triad: confidentiality, integrity and availability. So when I talk about wanting to bring security within an organization, these are the three services I'm most concerned about.
So when we talk about confidentiality, I want to protect against unauthorized disclosure.
Wanna keep secrets secret.
So other words we might see would be privacy, secrecy. Those are in line with confidentiality.
Right now, the biggest threat: social engineering, huge today. And if you look back at many of the threats that are making the news, they started with a social engineering attack, whether it was security breaches on known organizations, known companies. If you do a little digging, you'll find that most of them...
Target. I'm sure you're familiar with the compromise with Target. You may have heard about the one with RSA.
A lot of times, phishing emails are the beginning of this process. Remember, as an attacker, I just need a toehold on your network.
Click on this link in this email. Just do it. Just one click on the link
might let an attacker have access to your network. So we have to be very careful. We train our people. I'm still amazed that people are clicking on links in emails, opening up attachments, ah, from emails that aren't signed.
People are still doing it, so we have to continue training.
Something else to consider is separation of duties: give people separate duties and separate responsibilities associated with those.
That's important from a confidentiality standpoint, because you can't breach a confidence that you don't have.
So, um, the receptionist can't give me the password to the server because she doesn't know it; it's not part of her job. So that helps with social engineering.
Um, media reuse. Clean your media.
If you've got a reusable hard drive, wipe it clean. Thumb drives, any of this reusable media, portable media, we need to make sure that it's wiped clean and doesn't contain remnants.
Eavesdropping. Another threat to confidentiality. I already mentioned encryption. Even better would be to keep sensitive information off the network as a whole. Don't transmit passwords across the network.
That kind of puts us in a dilemma, because I have to prove to my domain controller, for instance,
ah, that I know my password. So is there a way that I can prove I know my password without sending my password across the network? And the answer is yes. Many challenge-response based protocols, as well as Kerberos, which is used for network authentication, those allow
a user to prove, it's called zero knowledge proof, basically,
which means I'm gonna prove to you I know something without telling you what that something is. Integrity, integrity, the second of the CIA triad, all about detecting modification, and modification can come maliciously or inadvertently, in a corruption. Files get corrupted over time
across certain unreliable media types.
So I need to be able to detect that as well as malicious modification. A couple of technologies, if you've been through CISSP training or if you have a technical background, ah, a couple of different things: hashing, or creating hashes, will help me detect accidental modification.
We'll use message authentication codes for malicious modification.
Ah, or if we want detection against malicious modification and we also want non-repudiation, which means a sender can't dispute having sent the message nor the contents, basically it's a combination of authenticity and integrity, we need digital signatures.
We'll talk about this more in the cryptography chapter,
So hold tight with that,
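The two points above, proving you know a password without sending it, and the difference between a hash that catches accidental corruption and a MAC that catches deliberate tampering, as an added Python illustration that is not part of the instructor's material. It uses HMAC-SHA256 as a simplified stand-in for the challenge-response protocols and Kerberos mentioned; it is not a real zero-knowledge proof, and all secrets, messages and the attacker's forged message are constructed demo values.

```python
import hashlib
import hmac
import os

# Constructed demo secret (a real server stores a salted verifier, never plaintext).
PASSWORD = b"correct horse battery staple"


# --- Confidentiality: challenge-response login, password never on the wire ---
def server_challenge() -> bytes:
    """Server picks a fresh random nonce per attempt, so a captured reply can't be replayed."""
    return os.urandom(16)

def client_response(password: bytes, challenge: bytes) -> bytes:
    """Client sends HMAC(password, nonce); only the nonce and the MAC cross the network."""
    return hmac.new(password, challenge, hashlib.sha256).digest()

def server_verify(stored_password: bytes, challenge: bytes, response: bytes) -> bool:
    """Server recomputes the expected reply and compares in constant time."""
    expected = hmac.new(stored_password, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


# --- Integrity: unkeyed hash vs. keyed MAC ---
def sha256_hex(data: bytes) -> str:
    """Tag anyone can compute: fine for spotting accidental corruption."""
    return hashlib.sha256(data).hexdigest()

def mac_hex(key: bytes, data: bytes) -> str:
    """Keyed tag: without the key an attacker can't produce a valid one for a changed message."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def hash_check_passes(data: bytes, tag: str) -> bool:
    return sha256_hex(data) == tag

def mac_check_passes(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(mac_hex(key, data), tag)


if __name__ == "__main__":
    nonce = server_challenge()
    print("login ok:", server_verify(PASSWORD, nonce, client_response(PASSWORD, nonce)))
    msg, forged = b"PAY 100 TO ALICE", b"PAY 900 TO MALLORY"
    # Attacker rewrites the message AND recomputes the unkeyed hash: the check still passes.
    print("hash fooled:", hash_check_passes(forged, sha256_hex(forged)))
    # With a MAC under a key the attacker lacks, the substituted message is rejected.
    key = os.urandom(32)
    print("mac rejects:", not mac_check_passes(key, forged, mac_hex(b"attacker-guess", forged)))
```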
All right. And then the last tenet of security: availability.
I need to make sure that resources are available in a timely fashion. So attacks like denial of service, distributed denial of service, will certainly attack the availability of our resources. But also we have to think about things like natural disasters. We have to think about humidity in the server room.
I went into an organization, a company, a small company,
over the weekend, and I walked in and it was like 85 degrees. Well, I asked, and they said, Yeah, the air conditioning in the building gets turned off on weekends.
Well, that's great, but their servers are running 24/7. And when you've got a server room that's 90 degrees plus, you're gonna look at some failed servers. So we have to think about environmental issues as well.
The answer for availability is redundancy.
Eliminate a single point of failure.
Fault tolerance. All those words kind of go together. And the idea is, if you're worried one server will fail, have a second server.
So those three tenets of security, in any sort of relationship to IT, you'll always focus around the CIA triad: confidentiality, integrity and availability.