Case Study: Chief Information Security Officer-Level Risk

Pages: 12 (3324 words)  ·  Style: APA  ·  Bibliography Sources: 5  ·  Level: College Senior  ·  Topic: Business - Management


[. . .] In addition, many hackers are adept at discovering the passwords of authorized users who choose passwords that are easy to guess or appear in dictionaries. The activities of hackers represent serious threats to the confidentiality of information in computer systems. Many hackers have created copies of inadequately protected files and placed them in areas of the system where they can be accessed by unauthorized persons;

(2) Masqueraders. A masquerader is an authorized, or unauthorized, user of the system who has obtained the password of another user and thus gains access to files available to the other user by pretending to be the authorized user. Masqueraders are often able to read and copy confidential files. Masquerading, therefore, can be defined as an attempt to gain access to a system by posing as an authorized user.

(3) Unauthorized user activity. This type of activity occurs when authorized, or unauthorized, system users gain access to files they are not authorized to access. Weak access controls often enable such unauthorized access, which can compromise confidential files;

(4) Unprotected downloaded files. Downloading can compromise confidential information if, in the process, files are moved from the secure environment of a host computer to an unprotected microcomputer for local processing. While on the microcomputer, unprotected confidential information could be accessed by unauthorized users.

(5) Networks. Networks present a special confidentiality threat because data flowing through networks can be viewed at any node of the network, whether or not the data is addressed to that node. This is particularly significant because the unencrypted user IDs and secret passwords of users logging on to the host are subject to compromise by the use of "sniffers" as this data travels from the user's workstation to the host. Any confidential information not intended for viewing at every node should be protected by encryption techniques;

(6) Trojan horses. Trojan horses can be programmed to copy confidential files to unprotected areas of the system when they are unknowingly executed by users who have authorized access to those files. Once executed, the Trojan horse can become resident on the user's system and can routinely copy confidential files to unprotected resources.

(7) Social engineering. Social engineering is a term that describes a nontechnical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures. For example, a person using social engineering to break into a computer network would try to gain the confidence of someone who is authorized to access the network in order to get him to reveal information that compromises the network's security. (Official ISC Guide to the CISSP Exam, nd)
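Item (5) above describes credentials being captured by a sniffer at an intermediate node. The following Python script is added here as an illustration; it is not part of the paper or of the ISC guide it cites. It parses a constructed capture of three cleartext login mechanisms (FTP USER/PASS, HTTP Basic authentication and an HTTP form login) and recovers the credentials, while the TLS record placed in the same capture yields nothing. The host name, user names and passwords in the sample are invented.

```python
"""Added example: what a passive sniffer recovers from unencrypted logins."""
import base64
import re
import urllib.parse

# Constructed application-layer payloads as a sniffer at an intermediate
# node would see them: (protocol, direction, bytes). Not real traffic.
CAPTURE = [
    ("ftp", "c->s", b"USER alice\r\n"),
    ("ftp", "s->c", b"331 Password required for alice\r\n"),
    ("ftp", "c->s", b"PASS s3cret!\r\n"),
    ("http", "c->s",
     b"GET /admin HTTP/1.1\r\nHost: host.example\r\n"
     b"Authorization: Basic Ym9iOmh1bnRlcjI=\r\n\r\n"),
    ("http", "c->s",
     b"POST /login HTTP/1.1\r\nHost: host.example\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     b"username=carol&password=Winter2012"),
    # TLS 1.2 application-data record (content type 0x17): ciphertext only.
    ("tls", "c->s", b"\x17\x03\x03\x00\x20" + bytes(range(32))),
]

BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$",
                      re.IGNORECASE | re.MULTILINE)


def extract_ftp(payloads):
    """Pair USER/PASS commands sent by the client on an FTP control channel."""
    creds, user = [], None
    for direction, data in payloads:
        if direction != "c->s":
            continue
        line = data.decode("ascii", "replace").strip()
        verb, _, arg = line.partition(" ")
        if verb.upper() == "USER":
            user = arg
        elif verb.upper() == "PASS" and user is not None:
            creds.append((user, arg))
            user = None
    return creds


def extract_http(payloads):
    """Recover HTTP Basic credentials and form-POST logins from client requests."""
    creds = []
    for direction, data in payloads:
        if direction != "c->s":
            continue
        text = data.decode("latin-1")
        head, _, body = text.partition("\r\n\r\n")
        m = BASIC_RE.search(head)
        if m:
            # Basic auth is base64 of "user:password", not encryption.
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                decoded = ""
            if ":" in decoded:
                creds.append(tuple(decoded.split(":", 1)))
        if body and "application/x-www-form-urlencoded" in head.lower():
            params = dict(urllib.parse.parse_qsl(body))
            user = params.get("username") or params.get("user")
            password = params.get("password") or params.get("pass")
            if user and password:
                creds.append((user, password))
    return creds


def sniff(capture):
    """Run each cleartext parser; count TLS application-data records as opaque."""
    by_proto = {}
    for proto, direction, data in capture:
        by_proto.setdefault(proto, []).append((direction, data))
    found = extract_ftp(by_proto.get("ftp", [])) + extract_http(by_proto.get("http", []))
    opaque = sum(1 for _, data in by_proto.get("tls", []) if data[:1] == b"\x17")
    return found, opaque


if __name__ == "__main__":
    creds, opaque = sniff(CAPTURE)
    for user, password in creds:
        print(f"cleartext credential: {user} / {password}")
    print(f"{opaque} TLS record(s) carried only ciphertext")
```

The parsers need no privileged position beyond being on the path; that is the point the guide makes about nodes that are not the addressee. Encrypting the session (TLS, SSH, a VPN) is what removes the third tuple element from the sniffer's reach, not hiding the login form.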

The central tasks of information risk assessment include the establishment of an Information Risk Management (IRM) Policy. It is reported that a sound IRM Policy has as its foundation a "well-thought-out IRM policy infrastructure that effectively addresses all elements of information security." (Official ISC Guide to the CISSP Exam, nd) The starting point is a "high-level policy statement and supporting objectives, scope, constraints, responsibilities and approach." (Official ISC Guide to the CISSP Exam, nd) The IRM policy must be communicated and enforced effectively, alongside physical security of the facilities and contingency planning. (Official ISC Guide to the CISSP Exam, nd, paraphrased) This requires the establishment and funding of an IRM team whose responsibilities include logical access control as well as contingency planning.

Funds for IRM policy planning and staffing should be allocated for above-minimum staffing and for the acquisition of, and training in the use of, an automated risk assessment tool. An IRM methodology and supporting tools must then be established.

There are reported to be two fundamental applications of risk assessment: (1) determination of the current status of information security in the target environment(s) and ensuring that the associated risk is managed (accepted, mitigated, or transferred) according to policy, and (2) assessing risk strategically. (Official ISC Guide to the CISSP Exam, nd) Risk must be identified and measured, with the first risk assessment conducted with a broad scope to ensure that management "gets a good sense of the current status of information security and that management has a sound basis for establishing initial risk acceptance criteria and risk mitigation." (Official ISC Guide to the CISSP Exam, nd)

Project sizing is a task that includes "the identification of background, scope, constraints, objectives, responsibilities, approach, and management support. Clear project-sizing statements are essential to a well defined and well-executed risk assessment project. It should also be noted that a clear articulation of project constraints (what is not included in the project) is very important to the success of a risk assessment." (Official ISC Guide to the CISSP Exam, nd)

The information protection environment includes threat analysis, a task that identifies threats that may adversely affect the target environment. Asset identification and valuation identifies both tangible and intangible assets and establishes their value, including replacement cost and the value of the availability, integrity, and confidentiality of information assets. Vulnerability analysis is a task involving the "…identification of vulnerabilities that could increase the frequency or impact of threat event(s) affecting the target environment." (Official ISC Guide to the CISSP Exam, nd)

Risk evaluation is a task that involves "evaluation of all collected information regarding threats, vulnerabilities, assets, and asset values in order to measure the associated chance of loss and the expected magnitude of loss for each of an array of threats that could occur. Results are usually expressed in monetary terms on an annualized basis (ALE) or graphically as a probabilistic "risk curve" for a quantitative risk assessment. For a qualitative risk assessment, results are usually expressed through a matrix of qualitative metrics such as ordinal ranking (low, medium, high, or 1, 2, 3) and a scenario description of the threat and potential consequences." (Official ISC Guide to the CISSP Exam, nd)

Interim reports and recommendations document significant activity, decisions, and agreements, and include:

(1) Project sizing. This report presents the results of the project-sizing task. The report is issued to senior management for their review and concurrence. This report, when accepted, assures that all parties understand and concur in the nature of the project before it is launched. (Official ISC Guide to the CISSP Exam, nd)

(2) Asset identification and valuation. This report may detail (or summarize) the results of the asset valuation task, as desired. It is issued to management for their review and concurrence. Such review helps prevent conflict about value later in the process. This report often provides management with its first insight into the value of the availability, confidentiality, or integrity of the information assets.

(3) Risk evaluation. This report presents management with a documented assessment of risk in the current environment. Management may choose to accept that level of risk (a legitimate management decision) with no further action or proceed with risk mitigation analysis. (Official ISC Guide to the CISSP Exam, nd)

Risk mitigation analysis completes the risk assessment with the identification of mitigation measures and their costing and benefit analysis. It gives Information Risk Management the information needed to budget for and execute the chosen risk mitigation measures. It is reported that strategic risk assessment "plays a significant role in the risk mitigation process by helping to avoid uninformed risk acceptance and having, later, to retrofit necessary information security measures." (Official ISC Guide to the CISSP Exam, nd)
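The risk evaluation task above expresses quantitative results as an annualized loss expectancy (ALE) and qualitative results as an ordinal matrix, and the mitigation task weighs the cost of a control against its benefit. The Python module below is an added worked example, not code from the paper or the ISC guide. It uses the standard CISSP formulas SLE = AV × EF and ALE = SLE × ARO, and tests a control by net benefit = ALE before − ALE after − annual control cost. Every asset value, exposure factor, rate of occurrence and control cost is constructed for illustration; the three threats are taken from the confidentiality threat list earlier on this page.

```python
"""Added example: quantitative (ALE) and qualitative risk evaluation,
with a cost/benefit test for candidate controls. All figures constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Threat:
    """One row of the threat array in a quantitative risk evaluation."""
    name: str
    asset_value: float      # AV: value of the affected asset
    exposure_factor: float  # EF: fraction of AV lost per event, 0.0..1.0
    aro: float              # ARO: expected occurrences per year

    @property
    def sle(self) -> float:
        # Single loss expectancy: loss from one occurrence.
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        # Annualized loss expectancy: expected loss per year.
        return self.sle * self.aro


@dataclass
class Control:
    """A candidate mitigation and the factor(s) it changes (None = unchanged)."""
    name: str
    annual_cost: float
    new_exposure_factor: Optional[float] = None
    new_aro: Optional[float] = None


def residual_ale(threat: Threat, control: Control) -> float:
    """ALE that remains once the control is in place."""
    ef = threat.exposure_factor if control.new_exposure_factor is None else control.new_exposure_factor
    aro = threat.aro if control.new_aro is None else control.new_aro
    return threat.asset_value * ef * aro


def net_benefit(threat: Threat, control: Control) -> float:
    """ALE reduction minus the control's annual cost; negative means it costs more than it saves."""
    return threat.ale - residual_ale(threat, control) - control.annual_cost


def recommend(threat: Threat, control: Control) -> str:
    """Management decision suggested by the cost/benefit figure alone."""
    if net_benefit(threat, control) > 0:
        return "mitigate"
    return "accept residual risk or seek a cheaper control"


def rank_by_ale(threats):
    """Threat names ordered by annualized loss, highest first."""
    return [t.name for t in sorted(threats, key=lambda t: t.ale, reverse=True)]


def qualitative_rating(likelihood: int, impact: int) -> str:
    """Ordinal matrix (1 = low, 2 = medium, 3 = high) for a qualitative assessment."""
    score = likelihood * impact
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


# Constructed figures (hypothetical) for three threats from the list above.
THREATS = [
    Threat("credential sniffing on unencrypted logins", 2_000_000, 0.25, 0.5),
    Threat("Trojan horse copying confidential files", 800_000, 0.5, 0.25),
    Threat("unprotected downloads on workstations", 300_000, 0.3, 1.0),
]
CONTROLS = {
    THREATS[0].name: Control("encrypt logins (TLS/VPN)", 40_000, new_aro=0.02),
    THREATS[1].name: Control("application allow-listing", 100_000, new_aro=0.025),
}


if __name__ == "__main__":
    for name in rank_by_ale(THREATS):
        t = next(t for t in THREATS if t.name == name)
        print(f"{t.name}: SLE={t.sle:,.0f} ALE={t.ale:,.0f}")
        c = CONTROLS.get(name)
        if c:
            print(f"  {c.name}: residual ALE={residual_ale(t, c):,.0f} "
                  f"net benefit={net_benefit(t, c):,.0f} -> {recommend(t, c)}")
    print("qualitative example: likelihood 2, impact 3 ->", qualitative_rating(2, 3))
```

Run as a script, the sniffing control shows a large positive net benefit and is recommended, while the allow-listing control for the Trojan horse threat costs more per year than the loss it prevents under these constructed figures, which is the "legitimate management decision" to accept risk that the risk evaluation report describes. The numbers drive the decision, so the asset valuation report's purpose of getting management concurrence on values before this step is what keeps the output defensible.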

Business Continuity Planning

Business continuity management and disaster recovery planning are described as a "holistic management process that identifies potential threats to an organization and the impact to business operations that the realization of those threats could bring. A sound program is essential to protecting the well-being of your organization and you must have a plan in place prior to an incident if you hope to emerge successfully from a crisis. To create and continuously update a plan, you will need to use significant resources and qualified experts who have had real-world planning and business continuity management experience." (CISSP, 2012)

Benefits of business continuity planning include:

(1) The provision of rapid recovery from crises and incidents that disrupt your normal business and operational processes;

(2) Ensuring disaster and crisis recovery preparedness;

(3) Identification of core business processes in order to prioritize recovery activities;

(4) Ensuring appropriate business stakeholders support BCP/DR activities to facilitate success;

(5) Maintenance of reputation and revenue during a crisis situation;

(6) Meeting regulatory and vertical-specific compliance requirements by implementing and managing a Business Continuity Management program. (CISSP, 2012)

Comprehensive evaluation and reporting of the business continuity planning and disaster recovery program includes:

(1) Asset inventory;

(2) Review of documentation;

(3) Internal interviews of personnel;

(4) Business, organization and departmental overviews; and

(5) Business continuity management program gap assessment. (CISSP, 2012)

Business continuity management program strategy development is inclusive of the following:

(1) Business Impact Analysis (BIA);

(2) Crisis management;

(3) Business continuity;

(4) Emergency planning; and

(5) Disaster recovery (CISSP,…


Cite This Case Study:

APA Format

Chief Information Security Officer-Level Risk.  (2012, December 9).  Retrieved July 19, 2019, from
