28 December 2015

Happy New Year 0111 1110 0000

This is the last post of this year, which has been intense, stressful and hectic at times and quiet and relaxed at others, but it has always been fun and gratifying. This year has had 365 days, which is a lot of time to do whatever we want, like working, reading, studying and enjoying time with friends, family, partners and workmates. I'm going to review this 2015 to try to improve in 2016.

This year, once again, I have seen that relationships are the best tool to improve ourselves if we get a team with the same ideas and the same strength to work together toward the same goal, which is to live, learn and enjoy. Thanks to participating in many projects during the year I could meet a lot of engineers and learn how they work with their limitations, problems and advantages to try to improve their IT infrastructure and therefore their business. For this reason, my wish to leave the cave, meet other people and interact with them, improve my English and contribute to society led me to go to Russia this summer for one month to give presentations about Spain, organize English and Spanish lessons for children and help organize different educational, cultural and sport activities during the camp. Very interesting and delightful.

With regard to certifications and learning about Security and Networking, I got the FCNSP (Fortinet Certified Network Security Professional) certification at the beginning of the year and I also applied for the Second ISACA Challenge, which I won with the first award. For this award I had to read lots of papers about dynamic reputation systems and learn how attackers evade security controls in order to develop my own DGA malware, a new and innovative technique used by malware like CryptoLocker. This was my opportunity to learn about Information Security Management because the award included an online course and exam for CISM (Certified Information Security Manager), which I took last month, and I'm waiting for the results. On the other hand, I finished my studies in English and got the C1 level, and this is the reason why I have begun to write the blog in English: I don't want to forget what I learned. In addition, I took an ethical hacking course to improve my technical security skills.

Speaking about projects, I have taught the OSPF and PIM (Protocol Independent Multicast) protocols on Alcatel-Lucent technology to the AENA company and I have also taught Cisco ASA Firewall to the Government of Spain. Moreover, I have had the luck to advise on, install, configure and support load balancer solutions from F5 Networks and Radware, which, along with projects about Firewalls and Antispam, have reinforced my knowledge in network and security. Like last year, I have also had the opportunity to participate in an OpenNebula installation with HP, Cisco and NetApp equipment. I have not only participated in technical projects but I have also written a lot of documents about policies and procedures to make Disaster Recovery Plans (DRP) and adapt infrastructures to PCI-DSS Compliance, which is a requirement if you want to work with the card industry like Visa, Mastercard or American Express. In the meantime, I have helped to deliver, support and maintain the Ariolo Cloud Services, I have also installed probes and SIEM systems, and I have helped companies with security and networking audits to find out how to improve their processes and infrastructures. Last but not least, this year, to keep my CISA certification, I have had to give speeches about security, so I have given four speeches at EAP, Mérida, CUM and EPCC.

For next year, I want to renew my CCNP certification and maybe begin to learn a new language, we'll see. Of course I want to keep my CISA certification and improve my English skills, but what I want the most is to think big and meet great professionals to share experiences and knowledge.

Merry Christmas and Happy New Year.

21 December 2015

IT Management - Talk

Last week I was at the Polytechnic University of Caceres giving a talk about IT Management, and it was enjoyable to return to the University where I studied because I could speak with two of my former teachers, who taught me Security and Projects. This time my goal was to show students and future engineers how IT Management works out in the real world.

Firstly we talked about why we should have a Management System to deliver services. Today, IT has advanced dizzyingly and it is difficult to measure and improve without proper IT Management; consequently we have to bring order to the chaos with policies and procedures if we want to make progress in our company.

Most companies need a lot of resources to do business, and lots of technologies as well, therefore it is important to manage the resources efficiently if we don't want to waste them. This is the main reason for creating procedures and delivering services with a methodology: if we want to build big things like a bridge, we will need to manage resources, measure metrics and improve the life cycle of services. In the end we will have a standardized product or service with a Service Level Agreement (SLA) that is easily manageable, easily deliverable and easily improvable, and it will always have the same quality because we always follow the same steps or procedures to deliver the services.

There are a lot of IT-related standards like ISO 20000, ITIL, COBIT, CMMI, ISO 27001, etc. based on best practices that we can follow to improve our organization, but we shouldn't forget that we can take a little bit of each of them and adapt them to our organization instead of picking one of them and following it strictly, because maybe some processes aren't necessary for our company. With these standards IT departments will align with the business and technologies will work for the business, so we should adapt the technology to the business.

When I was talking to students about processes, they felt a little strange because they didn't properly understand this abstract noun. I told them that if we always want to deliver a service in the same way, with the same quality and without “surprises”, we have to follow a set of steps to get the result. Sometimes these steps or procedures have to be changed because the board of directors changes the strategy of our company or simply because they want to expand the business with new products or services. At that moment, we will have to change the procedures and policies to adapt the processes and technology to the new strategy. This is like the new Amazon service that wants to sell food: do you think they will have to adapt the technology to the new service? Of course they will. Amazon will have to create new processes, policies and procedures to adapt the IT to the new service.

I hope students learned something new about IT Management in this talk because they will be the future engineers who will manage IT departments in big or small companies; it doesn't matter, the important thing is that they know how to manage an IT department regardless of where they work. I'm glad to participate in this kind of initiative to try to bring the real world to the University.

Best regards my friend and remember, if you have any question, go ahead!!

14 December 2015

CISM – Certified Information Security Manager

Last year I prepared for, studied, sat and passed ISACA's Certified Information Systems Auditor certification (CISA), which validates knowledge in the fields of information systems auditing, control and security. That experience, in which I learned a lot about the systems auditing field, was quite rewarding, and for that reason this year I chose to prepare for the Certified Information Security Manager (CISM) certification, also issued by ISACA and introduced into its catalogue of certifications in 2002. It is aimed specifically at experienced Information Security professionals and oriented toward risk management and information security management.

Actually, it was the Madrid chapter of ISACA that pushed me to sit the CISM exam this past weekend, by giving me a complete preparation course as well as the exam fees, all thanks to being the winner of the II ISACA Challenge. The CISM certification, like the CISA certification, requires proving 5 years of experience in the sector, and we are also obliged to keep ourselves trained in Information Security by earning CPE (Continuing Professional Education) credits that validate continuing education.

Since the beginning of the year I had been considering preparing for a security certification such as CISSP or CISM, but finally, after winning the ISACA Challenge award and with the help of the Madrid Chapter, I decided to start studying for the CISM in September, after returning from Russia on my summer holidays.

I have to admit that after the CISA experience I knew what lay ahead: many hours of study and a complicated and exhausting exam, but it was all worth it because I knew I would learn new concepts and deepen others that would give me a view of Information Security Management that I didn't have, and that I could later apply in my day-to-day work. And I can assure you that this is how it has been: the CISM shows you security from a global perspective for protecting the organization's information; that is, the CISM teaches you to manage security by drawing up policies that align with the business and developing procedures and baselines to protect the information, of course without leaving behind the Risk Management and Security Incident Management processes.

The material used and the order of study has been the following:
  • Watch the CBT Nuggets videos.
  • Read ISACA's CISM Review Manual 2015.
  • Read the CISM Review Questions, Answers and Explanations Manual 2014.
  • Take ISACA's Official CISM Preparation Course.
  • Practice the exam using ISACA's question database.
The CISM certification is divided into four areas or domains. The percentages shown below are the weight of each domain.
  • Information Security Governance (24%)
  • Information Risk Management and Compliance (33%)
  • Information Security Program Development and Management (25%)
  • Information Security Incident Management (18%)
Anyone who has followed me on the blog over the last few months will have noticed that I have written many posts about security management; the main reason is that while I was studying I was also writing on the blog to share my knowledge and experiences with all of you. Basically, the security management posts I wrote while studying are the following:
All the previous posts can give you an idea of the concepts covered in the CISM certification, which therefore must be clear. Like the CISA exam, this certification has not been easy for me at all, because even if you have done many practice tests, in the exam you will find a great many questions you have not seen or which are simply posed in a different way, so it is very important to have the concepts clear in order to answer the 200 multiple-choice questions in the 4 hours the test lasts.

All that remains is to recommend to anyone interested in information security that they study certifications like this one, because besides learning and reinforcing concepts, it serves to have a trusted third party validate your knowledge. We will see how the results turn out in a month, but whatever they are, I can assure you that these last three months of study have been worth it for the view of security that preparing for a certification like the CISM provides.

Best regards friends, and as always, any contribution and/or question, go ahead.

7 December 2015

Business Impact Analysis

Several times I have mentioned Business Impact Analysis (BIA) but I have never written a whole post about it. We are going to take a closer look at some of the elements of BIA and how it relates to the overall process of Incident Management and Incident Response.

The overall purpose of BIA is to generate documents that help executive management have a good idea of the impact that a particular incident can have on the business of our organization.

We have three main goals. The first goal is to prioritize how critical certain processes and systems in an area of our business are. Therefore, each business unit process must be identified and prioritized according to mission criticality. It also needs to be assessed in terms of what type of incident can occur and its impact on our organization. As a result, the higher the impact, the higher the priority of that particular system. The second goal is to estimate the downtime. Therefore, we have to estimate the Maximum Tolerable Downtime (MTD) for each system. How much downtime can the system tolerate and still be viable? This is the longest period of unavailability of critical processes, services and information assets before our company can no longer operate. And finally, the third goal is our resource needs. What are the requirements for these critical processes? We also have to identify those during the Business Impact Analysis. Obviously, the most time-sensitive processes and systems with the highest impact are going to need the most resource allocation.

Our Business Impact Assessment can involve four key steps. First of all, gathering information to identify which business unit is the most critical to our organization, drilling down into the tasks of those critical business units that we need to carry out to ensure business survival. Second, performing a vulnerability assessment. Third, analysing the data we have compiled from our information gathering and vulnerability assessment process. During this third step we can identify interdependence between different departments, we can also identify potential threats and, for these threats, we can provide alternative methods to respond. And finally, documenting.

The four steps described above lead to the overall BIA report, which gives us three things. First, it should establish the escalation of loss over time. In other words, the more hours our critical systems are down, how is that going to impact our organization in terms of time, money and overall impact in the industry? Second, it should identify the minimum resources that we need to recover. Third, it helps us prioritize the recovery of processes and supporting systems.

The way the BIA is implemented in an organization really depends, because each organization is different, but there are some elements that are common to all organizations in the way a BIA is conducted. There are five common elements, which we can see next:
  • Describe the mission of business unit.
  • Identify critical functions.
  • Identify time cycles to deliver functions.
  • Estimate impact on business operations.
  • Estimate recovery time.
Best regards my friend and remember, if you have any question, go ahead!!

30 November 2015

Due Diligence

I have sometimes been with IT managers who don't want to know anything about security because this is a field with a lot of obstacles to effective InfoSec Program Management, like poor support from management, insufficient money and inadequate human resources, and after all it's useful for them because when they have any incident they can blame the security field. Therefore, they don't “waste” time and money building an InfoSec Program Management because this means that they'll have to write policies, procedures and standards to try to manage Information Security efficiently.

IT managers who don't care about security have a lack of due diligence because they don't commit resources to investigating their business, systems or individuals, while these investigations should be done by managers before any decisions are made. As a result, they make decisions without data and statistics, and if something goes wrong they blame the budget, saying that they need more money to buy more technology, which is often wrong because what they need is to use their resources efficiently and buy cost-effective technologies.

This is also related to a concept called “standard of due care”, which is basically the idea that there are steps and processes that we must take, and that reasonable people take, in similar circumstances to make sure that everything is on the up and up. As Information Security Managers this means the basic components of our security program are in place. We should exercise due diligence and not sweep things under the rug; we shouldn't hide security holes and vulnerabilities from management because, for example, they don't fit in the budget or because we want to save our job.

Due diligence can be done on a voluntary basis, which is the best case scenario, but it also may be a result of legal obligation.

Information Security Due Diligence is typically going to occur during the procurement process. In other words, it's going to take place when we are actually acquiring and procuring hardware, software, operating systems, applications, personnel, etc.; I mean, when we are acquiring the funds to get our programs and projects rolling.

With regard to risk, why should we do due diligence? Because risk must be known and managed to fill those holes and mitigate the vulnerabilities.

Due diligence also occurs during a merger or an acquisition of companies. In this scenario we are going to do due diligence to make sure we have identified and are assessing the security risk to our business, reporting that risk and making that knowledge available to potential buyers. We can also be part of a risk, consulting or audit team assessing a potential company before the purchase is made. This is typically a process that is gone through from an entire macro-business standpoint.

Best regards my friend and remember, if you want to sleep without nightmares you should do due diligence.

23 November 2015

Obstacles to effective InfoSec Program Management

CISOs want to protect the assets of the organization by writing policies and procedures, evaluating risks, deploying controls and creating business cases, but most of them realise that they have a lot of obstacles to managing information security effectively, like poor support from the board of directors, insufficient funding or inadequate human resources, and they end up exhausted and terrified because they know that at any moment they will receive some attack that will affect the business and their jobs.

When we are running an initiative to implement effective InfoSec Program Management there are always some obstacles and challenges that we have to face. We are going to discuss three main challenges.

The first one is basically poor support from management. This can be vertical, from upper management or executive management, or it can also be horizontal, from other managers who are at the same level and are managing other units or departments with which we need synergies and cooperation. So this is the overall lack of support, and it can be due to misunderstanding, to politics, or to a lack of interest in security initiatives. Sometimes we have to use resources from other departments, like their data or their people, and of course this is probably going to cut into programs and projects that other managers are putting in place. As a result there is a constant battle for resources in the organization.

Secondly, inadequate funding and insufficient money available to get our security projects implemented. This is one of the most frustrating issues that comes up. Thus, this is a new discipline that security managers have to learn: how to get money to purchase a new cluster of firewalls, to put in place a new Intrusion Detection System (IDS) software solution or other types of management tools, or just to put together a team of people. Accordingly, getting funding can be a tough thing.

Security management is a new discipline and the board of directors may not recognize the value of security investment in hardware, software, personnel, time, training or awareness, and maybe they see it as low value to the company. It is also tough for the board of directors to conceptually see where money is going on security projects and security programs. We know that mitigating risks and threats that haven't occurred yet is tough for the board of directors, and sometimes they want to wait for the problem to occur before allocating money to it.

Finally, inadequate human resources. This is not just not having the people; it also has to do with the poor understanding of the type of activities that people have to engage in. Besides, there is the lack of awareness, underutilization and the fact that many business units aren't willing to give up human resources to help us with our programs and projects.

Best regards my friend and remember, all managers have obstacles and we should help each other to run the business effectively.

16 November 2015

Overview of InfoSec Program Management

Previously, I have written about Information Security Program Development and the Security Program Scope, while this time we are going to see, in simple terms, the concepts of Information Security Program Management. This is the process of overseeing, monitoring and controlling all of the information security activities, always in support of the objectives of our business or organization. Of course we have to combine this with management to know which resources are available to meet our goals in an optimum fashion.

Information Security Program Management is like managing other organizational units or aspects of our business. The problem we run into here is that security management and program management aren't usually well defined. This is a new discipline that is misunderstood, and it is one area that isn't filled very well by security managers because most people working in a security role are technicians: they are engineers with technical backgrounds who understand security standards, security mechanisms, mitigations, vulnerabilities, hacking tools, threats, etc., and they find themselves in a new paradigm with these management responsibilities without well-defined standards based on years of experience.

The security manager should focus on the administrative duties of overseeing daily security operations. The manager should also be included in incident management, responding to incidents, and in disaster recovery, not putting systems in place but actually responding to disasters, and in any investigations, working with local, state and federal authorities to help investigate security breaches on behalf of our organization and other law enforcement entities.

Typically the information security program manager will be one person, maybe two, in small and medium-sized businesses, advising and answering to the CIO, who is more strictly concerned with hardware and software solutions. However, in large organizations we can find infosec managers at corporate executive level advising and answering directly to CEOs, who report to the board of directors.

The InfoSec Manager can have duties like physical security, data security and compliance. Some of these duties may include physical security at the perimeter and at the facilities, protecting servers, networking devices and end-user workstations, and data security itself, which covers data stored, in transit, over the wire or wireless. The InfoSec Manager should also handle privacy issues and compliance like LOPD, LSSI, PCI-DSS, etc. In addition, the InfoSec Manager may be part of the Business Continuity Plan and Disaster Recovery process, which go hand in hand, and the manager can also take part in the overall planning and implementation of the security architecture. This means that the manager is involved in reporting to executives through steering committees, who are responsible for putting together our programs, our policies and our initiatives for ongoing security projects.

Best regards my friend and remember, if you have any question, go ahead!!

9 November 2015

Governance and Management aren't the same

This week I have begun a new course about CISM, which is run by ISACA, and although I have written several times about Security Governance, I am receiving new concepts and standpoints in this course that I didn't have, and I would like to write them down here to try to consolidate my knowledge.

First of all, governance isn't the same as management. Governance is an abstract noun that most IT engineers don't have in their heads because nobody has told them that they have to learn the language of business to understand the requirements of the business. I mean that most technicians don't understand why the company invests more money or more resources in “things” or projects, and at first it could seem like an error. However, this is the beginning of a strategic and risk analysis.

From the point of view of governance we have to speak with the board of directors, shareholders and stakeholders in business terms to understand the business needs and make a security strategy that improves the business. This is the main reason we have to learn the language of business because, once the strategy and the vision of the business are written, we have to write the policies and standards, which should be approved by the board of directors.

If we want to learn more about governance we can use the COBIT framework, which is a guide of best practices to align Information Technology with the Business.

On the other hand, management is the field where we build the security program, which should use the Deming Cycle PDCA (Plan-Do-Check-Act). Although the Plan phase should belong to governance, the rest of the phases have to be done inside the security program. In the management field we speak in technical language with technicians and security administrators, and we will also write the procedures, which will be step-by-step instructions on how to do tasks like anti-virus installation, hardening services, etc.

Most companies worried about security have implemented security standards like ISO 27001, which is a certification with 114 controls in 14 groups. However, this standard belongs to the management field and not to the governance field, and therefore we can find companies with this security standard that are not aligned with the business needs, or even companies without a strategy.

Therefore, as CISOs we should understand the differences between governance and management because we have to translate the language of business into technical language and back and forth. I mean, we are in the middle of both worlds: the more knowledge we have about technologies, the better controls we will define, and the more knowledge we have about business, the better alignment we will get.

Best regards my friend and remember, governance and management aren't the same.

2 November 2015

Security Program Scope

In the last post I wrote about the importance of Security Program Development and the easy way to do it if we use a standardized methodology like CMMI or ISO 27001, although each company is unique and has to adapt the policies and procedures to its business. In addition, we shouldn't forget that the board of directors must take part in the development of the Security Program to meet their business needs and requirements. In this new post I want to speak about the Security Program Scope, which is the first step we have to take to limit the extent of the Security Program, because sometimes it is too ambitious and therefore unmanageable.

The scope of our security program can involve several factors:
  1. The scope can involve people whose activities and actions have a direct or indirect impact on the objectives. For example, these could be the business relationships between different managers, or the actions of remote users.
  2. The scope can involve the development process itself. Things that add to the success of the development process are making sure we have all our customers and employees on board, that we have buy-in from operations management, and that we have ways to communicate during times of crisis.
  3. The scope can involve the information security policy. Within the scope, the policy must meet regulatory requirements and balance requirements, in other words, integrate and balance business needs and information security needs.
  4. The scope can involve the available technologies and systems that the company has.
To put it as a formula, as far as the security program goes,

the scope = people + process + infosec policy + available technologies and systems

whatever we have in place at any given moment in time, this should be the scope of our program.

Therefore, if we take this scope, we can add to it the overall management or executive objectives, or the management strategy, to deliver our information security charter. The charter should be understood by management and all the individuals who are part of the security program scope:

Scope + Management Objectives = InfoSec Charter

ISACA actually describes in good detail what they consider a mature information security program:

“IT security is a joint responsibility of business and IT management and is integrated with corporate security business objectives. IT security requirements are clearly defined, optimised and included in a verified security plan. Security functions are integrated with applications at the design stage and end users are increasingly accountable for managing security. IT security reporting provides early warning of changing and emerging risk, using automated active monitoring approaches for critical systems. Incidents are promptly addressed with formalised incident response procedures supported by automated tools. Periodic security assessments evaluate the effectiveness of implementation of the security plan. Information on new threats and vulnerabilities is systematically collected and analysed, and adequate mitigating controls are promptly communicated and implemented. Intrusion testing, root cause analysis of security incidents and pro-active identification of risk is the basis for continuous improvements. Security processes and technologies are integrated organisation-wide.”

Best regards my friend and remember, definition of the scope is the first step we have to take if we want a successful security program.

26 October 2015

Overview of InfoSec Program Development

In the last posts we have been speaking about Information Security Governance and Risk Management while in this new post I want to highlight what is an Information Security Program which is a main part of a good information security management.

Many organizations actually put in place of Information Security Program by starting out doing a Risk Assessment and then, based on that assessment, either qualitative or quantitative or a combination of both, they deliver some type of risk mitigation strategy.

The problem is we need to go further to balance strategic alignment. In other words, our risk assessment, in the information security program, has to align with the business needs. Also, we have to include other areas like resource management, integration, performance measurement, value delivery, etc. Therefore. all of those key important components that we have been speaking in the last posts should be part of the information security program.

The goal of the information security program is to implement the security strategy, but basically what a program gives us is some type of guide and step by step process. One of the advantages of using a standardized methodology like CMMI (Capability Maturity Model Integration) or ISO/IEC 27001 is that their methods are already standardized and documented, so we don't have to pay to design our own from scratch. The problem is that each organization is really unique, and the changes in technology and the rapid growth of communications in global business mean that we really need some type of program that has the ability to be more specialized and customized. If we want to be successful information security managers we have to have the creativity, the adaptability and the skill set to go beyond the standardized solutions and provide more customized, real world solutions for our customers, our company and our organization. If we have to do this with a limited budget, we need to find a way to implement the security strategy using the best available methods and the available resources. In other words, we have to do as much as we can with what already exists in the business or the organization.

The program should always be defined in business terms, with no techno-speak or info-speak. It has to be expressed in solid business terms so that non-technical stakeholders, shareholders and executives can participate, because the board of directors typically is not technical. Many stakeholders have financial expertise instead of technical expertise, so we have to be able to position and communicate everything in real, measurable business terms.

If we speak the same "language" as the board of directors, they will give us better feedback, they will want to participate, and we will get the commitment and solidarity of the board; if we have these things we are going to have a successful, comprehensive information security program.

Best regards my friend and remember, develop your information security program along with your board of directors.

19 October 2015

Threats and Vulnerabilities

In the Risk Management Process we have to identify the threats and vulnerabilities of our organization to find out which of them can potentially impact the business. Once we know the threats and vulnerabilities we have to treat the resulting risks, which means avoiding them, mitigating them, transferring them or retaining them. Finally, we will have to communicate the risks to stakeholders and senior management, and monitor them so that they do not exceed the accepted risk level.

A threat is any event or circumstance that has the potential to cause damage to an information resource, and it does this by exploiting a vulnerability in our system, in our design or in our infrastructure. Basically, a vulnerability turns into a risk when there is a threat able to exploit it; a threat with no matching vulnerability, or a vulnerability with no matching threat, does not produce a loss.

Threats typically fall into four categories:
  • Natural: tornadoes, hail damage, earthquakes, biological plagues, fire, flood, etc.
  • Unintentional: accidents like the loss of utility services, equipment failure, damage to a building, unintentional water damage, unintentional fire damage, etc.
  • Intentional physical threats: terrorist acts, a bomb, vandalism, etc.
  • Intentional non-physical threats: injecting malicious code or malware into our systems, email phishing attacks, a denial of service attack, for example against our perimeter routers, fraud, corporate espionage, malicious hacking, identity theft, social engineering, etc.

Once we have identified the threats, we need to look at the underlying vulnerabilities in our systems, using scanning technologies operated by expert teams. However, analysing process vulnerabilities is a harder task than finding technological vulnerabilities, and it needs a more careful analysis to uncover them; for example, a periodic audit is a valuable tool for identifying process vulnerabilities. Some examples of vulnerabilities:
  • Bad software: poorly written code without security mechanisms built into it.
  • Misconfiguration: bad configurations on servers or networking devices like routers, or even configurations stored on other servers without encryption, such as configuration files kept in clear text.
  • Non-compliance: for example, non-compliance with government regulations like LOPD, LSSI, etc.
  • Poor network design: for example, a switched network using VLANs is a more secure environment than a flat network without Virtual LANs, because in a flat network every host shares the same broadcast domain and the network is vulnerable to packet sniffing.
  • Defective processes: for example, the process of firing or terminating an employee can have a defective flow that allows the employee to cause problems to the company before leaving the facility, or allows him to connect remotely to the organization after he has been fired.
  • Poor management, insufficient staff, lack of end user support, inadequate security functionality, etc.
These are some of the threats and vulnerabilities that we can find in our organization, and knowing them is an important step in controlling the risks that can seriously impact the business. Therefore, if you want to manage the risks of your business properly, you should know which threats and vulnerabilities can destroy it.

Best regards my friend and remember, measure, control and manage your risks.

12 October 2015

Risk Management Process

In the last post we saw an Overview of Risk Management. We saw the importance of the Business Impact Analysis (BIA) to know the nature and the extent of the risks to our organization; without this analysis, and the proper classification of assets, it is very difficult to know where we have to invest and spend money to protect our assets. In this new post we'll see the five step Risk Management process.

Definition of Scope: It's basically the initial process. This is where we establish the global parameters for the performance of our risk management process, which is going to cover the entire organization or business. We have to take into account internal factors, external factors, structured factors, which are things like planned attacks or structured reconnaissance by competitors, and unstructured actions, in other words accidents. Once we have defined the scope we have to perform the Risk Assessment.

Risk Assessment: It's a scientifically based process, it's also going to use technology, and it really involves three steps. First of all we identify risks, second we analyse them and finally we evaluate them.

Risk Treatment: In the third process we consider the action plan. We select and implement the measures that we are going to use to modify our risks, mitigate them or counter them. This includes things like avoidance, optimization (mitigation), transferring the risk, for example to an insurer, or retaining the risk. In other words, if our company decides to accept a certain amount of risk, then it retains that risk. For example, we accept a certain amount of denial of service traffic against the perimeter of our organization, perhaps adding more bandwidth or putting in quality of service or traffic policing techniques; we are never really going to remove that risk, but by retaining it we can keep it at an acceptable level.

Risk Communication: Once we have assessed the risk by identifying, analysing and evaluating it, and defined our action plan, which involves one of the four options of avoiding, optimising our systems, transferring the risk to an insurer or retaining the actual risk, we have to communicate the results and exchange and share the information about these risks with stakeholders, shareholders, decision makers and people inside and outside our organization, like internal departments and outsourcers.

Monitoring and Review: This process is also referred to as auditing. It's where we measure the efficiency and the effectiveness of the overall risk management strategy. It basically establishes an ongoing, perpetual monitoring and review process, making certain that the agreed management action plans are still relevant and are updated on a regular basis. This process also brings in control activities and compliance.

Best regards my friend and remember, measure your risks to protect properly your assets.

5 October 2015

Overview of Risk Management

As a risk manager, what is our main concern? First of all, risks and the threat of risks must have as little impact on the business processes as possible. This is really our underlying mission.

What we want to give back, as risk managers, to the officers of our organization, to executive management, to stakeholders and shareholders, is an acceptable level of predictability on a day to day basis, and a level of assurance or reliability that the threats and attacks against our organization, and our other vulnerabilities, are not going to bring it down or impede the operations of our business to the point where a substantial loss is seen.

The process of risk management is often combined with the Business Impact Analysis (BIA). In other words, how can we run a relevant risk management program if we don't really understand the nature and the extent of the risks to our information resources, our data resources, our physical and logical resources, and their potential impact on our activities? Without this impact analysis we are not going to be able to truly manage risks in an effective way.

The Business Impact Analysis (BIA) isn't possible without information asset classification: identifying our assets, classifying them and setting their value, and that's really the main aspect of risk management and risk assessment. If our company can't do a full BIA, there is a less desirable option called Business Dependency Evaluation (BDE), which basically determines the overall, macro level criticality and sensitivity of the organization's information resources.

The result of this should drive management to weigh the risk exposure against the cost of mitigating those risks, as well as all of the financial, personnel and time overhead it takes to implement countermeasures and controls in the organization.

There is another distinction that matters here: a risk assessment can be quantitative or qualitative. Quantitative basically means that a mathematical formula is involved, for example ALE, the Annual Loss Expectancy: the value of an asset multiplied by the exposure factor gives the Single Loss Expectancy (SLE), and the SLE multiplied by the annualized rate of occurrence (ARO) gives the ALE. On the other hand, a qualitative risk assessment is a little more hypothetical; it is based on the human judgement, intuition and experience of the people who assess the risk.
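To make the quantitative side concrete, here is a small Python example, added to this post and not taken from any CISM material, that computes SLE and ALE for a few scenarios, ranks them so we know where the money should go first, and then weighs a control's cost against the ALE it removes, which is the "risk exposure versus cost to mitigate" comparison described above. The asset values, exposure factors, rates of occurrence and control cost are constructed, hypothetical figures chosen only to show the arithmetic.

```python
"""Quantitative risk assessment: SLE, ALE, ranking and a control cost/benefit check.

Added example for this post; all figures below are constructed and hypothetical.
  SLE = AV * EF          (Single Loss Expectancy)
  ALE = SLE * ARO        (Annual Loss Expectancy)
  net benefit of a control = (ALE before - ALE after) - annual cost of the control
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    asset: str
    threat: str
    asset_value: float      # AV: value of the asset in currency units
    exposure_factor: float  # EF: fraction of AV lost in one occurrence (0.0 .. 1.0)
    aro: float              # ARO: expected number of occurrences per year

    def sle(self) -> float:
        """Single Loss Expectancy: loss caused by one occurrence of the threat."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: expected loss per year from this scenario."""
        if self.aro < 0.0:
            raise ValueError("annualized rate of occurrence cannot be negative")
        return self.sle() * self.aro


def rank_by_ale(scenarios):
    """Return the scenarios ordered from highest to lowest ALE.

    The top of this list is where the limited security budget should go first.
    """
    return sorted(scenarios, key=lambda s: s.ale(), reverse=True)


def control_net_benefit(before: RiskScenario, after: RiskScenario,
                        annual_control_cost: float) -> float:
    """Net annual benefit of a control that turns `before` into `after`.

    Positive: the control reduces ALE by more than it costs, so mitigating pays off.
    Negative: the control costs more than the loss it prevents, so retaining or
    transferring the risk (for example to an insurer) is the cheaper treatment.
    """
    if annual_control_cost < 0.0:
        raise ValueError("control cost cannot be negative")
    return (before.ale() - after.ale()) - annual_control_cost


# Constructed sample risk register (hypothetical figures, not real data).
SAMPLE_REGISTER = [
    RiskScenario("customer database", "ransomware", asset_value=500_000,
                 exposure_factor=0.6, aro=0.5),   # one event every two years
    RiskScenario("web storefront", "denial of service", asset_value=200_000,
                 exposure_factor=0.1, aro=4.0),   # several short outages a year
    RiskScenario("office building", "fire", asset_value=2_000_000,
                 exposure_factor=0.3, aro=0.02),  # once in fifty years
]

# Hypothetical control: tested offline backups cut the ransomware exposure factor
# from 0.6 to 0.1 (data is restored instead of lost); the backup service costs
# 40,000 per year. The ARO is unchanged because backups do not stop the attack.
RANSOMWARE_BEFORE = SAMPLE_REGISTER[0]
RANSOMWARE_WITH_BACKUPS = RiskScenario("customer database", "ransomware",
                                       asset_value=500_000, exposure_factor=0.1, aro=0.5)
BACKUP_ANNUAL_COST = 40_000.0


def ranked_report(scenarios=SAMPLE_REGISTER):
    """Return (asset, threat, SLE, ALE) tuples, highest ALE first."""
    return [(s.asset, s.threat, s.sle(), s.ale()) for s in rank_by_ale(scenarios)]


if __name__ == "__main__":
    for asset, threat, sle, ale in ranked_report():
        print(f"{asset:18} {threat:18} SLE={sle:>12,.0f}  ALE={ale:>10,.0f}")
    net = control_net_benefit(RANSOMWARE_BEFORE, RANSOMWARE_WITH_BACKUPS, BACKUP_ANNUAL_COST)
    print(f"Backups for the customer database: net annual benefit = {net:,.0f}")
```

Run as a script it prints the register sorted by ALE (database ransomware first, fire last, even though fire has by far the largest single loss) and the net benefit of the backup control. The point to take from it is that ALE, not asset value or SLE alone, is what orders the spending, and that a control is only worth implementing when the ALE it removes exceeds its annual cost; otherwise retaining or transferring the risk is the rational treatment.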

Of course, from all of this, several positive outcomes should result that we'll see in next posts.

Best regards my friend and remember, if you have any question, go ahead!!