Principles of Incident Response and Disaster Recovery, 3rd edition
Module 1: An Overview of Information Security and Risk Management

Whitman & Mattord, Principles of Incident Response and Disaster Recovery, 3rd Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

Module Objectives
By the end of this module, you should be able to:
1. Define and explain information security
2. Describe the role of information security policy in the organization
3. Identify and explain the basic concepts of risk management

Introduction
According to the U.S. Federal Emergency Management Agency, between 40 and 60 percent of small businesses affected by a disaster either never reopen or go out of business following the event.
According to the Syncsort State of Resilience Report, “Nearly half of businesses experienced a failure requiring a high availability/disaster recovery solution to resume operations. 35% lost a few minutes to an hour of data, 28% lost a few hours and 31% lost a day or more.”

Information Security
Information security, as defined by the Committee on National Security Systems (CNSS), is the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information.
Confidentiality is the protection of information from disclosure or exposure to unauthorized individuals or systems.
Integrity is the prevention of the corruption of information while it is being stored or transmitted.
Availability describes how data is accessible and correctly formatted for use without interference or obstruction.

The CNSS Security Model (figure not reproduced)

What is Information Security?
Information security (InfoSec) is the protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology.

Key Information Security Concepts (1 of 2)
In general, a threat is any event or circumstance that has the potential to adversely affect operations and assets. The term “threat source” is commonly used interchangeably with the more generic term “threat.”
An asset is the organizational resource that is being protected. An asset can be logical, such as a Web site, software, information, or data. An asset can also be physical, such as a person, a computer system, hardware, or other tangible objects.
A vulnerability is a potential weakness in an asset or its defensive control system(s).

Key Information Security Concepts (2 of 2)
An exploit is a technique used to compromise a system. There are two common uses of the term in security:
• Threat agents may attempt to exploit a system or information asset by using it illegally for their personal gain.
• An exploit can be a documented process to take advantage of a vulnerability or exposure, usually in software, that is either inherent in the software or created by the attacker.
An attack is an intentional or unintentional act that can damage or otherwise compromise information and the systems that support it.
Defenders try to prevent attacks by applying controls, safeguards, or countermeasures.

Key Concepts in InfoSec (figure not reproduced)
Threats to Information Security
Category of Threat | Attack Examples
Compromises to intellectual property | Piracy, copyright infringement
Deviations in quality of service | Internet service provider (ISP), power, or WAN service problems
Espionage or trespass | Unauthorized access and/or data collection
Forces of nature | Fire, floods, earthquakes, lightning
Human error or failure | Accidents, employee mistakes
Information extortion | Blackmail, information disclosure
Sabotage or vandalism | Destruction of systems or information
Software attacks | Viruses, worms, macros, denial of service
Technical hardware failures or errors | Equipment failure
Technical software failures or errors | Bugs, code problems, unknown loopholes
Technological obsolescence | Antiquated or outdated technologies
Theft | Illegal confiscation of equipment or information

The Role of InfoSec Policy in Developing Contingency Plans (CP) (1 of 2)
Much of what must be done in CP should be guided by, and reinforce, organizational InfoSec policies. Policy represents a formal statement of the organization’s managerial philosophy—in the case of InfoSec policies, the organization’s InfoSec philosophy.
Standards are more detailed statements of what must be done to comply with policy. Practices, procedures, and guidelines effectively explain how to comply with policy. Policies define what you must do and not do, whereas the other documents focus on the “how.”
The Role of InfoSec Policy in Developing Contingency Plans (2 of 2)
To produce a complete InfoSec policy portfolio, management should define and implement three types of InfoSec policies:
• Enterprise information security policy (EISP)
• Issue-specific security policies (ISSP)
• Systems-specific security policies (SysSP)

Policies, Standards, and Practices (figure not reproduced)

Enterprise Information Security Policy
An enterprise information security policy (EISP) is also known as a general security policy, IT security policy, or information security policy. The EISP is directly supportive of the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts.
The EISP guides the development, implementation, and management of the security program. The EISP also assigns responsibilities for the various areas of security.

Issue-Specific Security Policy
In general, the issue-specific security policy (ISSP) addresses specific areas of technology and contains a statement about the organization’s position on a specific issue.
There are a number of approaches to creating and managing ISSPs within an organization:
• Independent ISSP documents, each tailored to a specific issue
• A single comprehensive ISSP document covering all issues
• A modular ISSP document that unifies policy creation and administration while maintaining each specific issue’s requirements

Elements of an Issue-Specific Security Policy
ISSPs vary from organization to organization, but in general, an effective ISSP should contain the following elements:
• Statement of policy
• Authorized access and usage of technology
• Prohibited usage of technology
• Systems management
• Violations of policy
• Policy review and modification
• Limitations of liability

Systems-Specific Policy
Systems-specific security policies (SysSPs) are frequently codified as standards and procedures to be used when configuring or maintaining systems. Systems-specific policies can be organized into two general groups:
• Managerial guidance SysSP—Created by management to guide the implementation and configuration of technology
• Technical specification SysSP—Created by systems administration to implement the managerial policy

Guidelines for Effective Policy Development and Implementation
For policies to be effective and legally defensible, they must be properly:
1. Developed using industry-accepted practices, and formally approved by management (Development)
2. Distributed using all appropriate methods (Distribution)
3. Read by all employees (Reading)
4. Understood by all employees (Comprehension)
5. Formally agreed to by act or affirmation (Compliance)
6. Uniformly applied and enforced (Enforcement)

Overview of Risk Management (1 of 2)
Contingency planning is usually considered to be part of the risk management program process. Risk management is the process of identifying vulnerabilities in an organization’s information systems and taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of all the systems’ components.

Overview of Risk Management (2 of 2)
Risk management involves discovering and understanding answers to some key questions with regard to the risk associated with an organization’s information assets:
1. Where and what is the risk (risk identification)?
2. How severe is the current level of risk (risk analysis)?
3. Is the current level of risk acceptable (risk evaluation)?
4. What do I need to do to bring the risk to an acceptable level (risk treatment)?

Components of Risk Management (figure not reproduced)

Sun Tzu
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
Know Yourself
• Identify, examine, and understand the information and systems currently in place within your organization.
Know the Enemy
• Identify, examine, and understand the threats facing the organization.

RM Framework (1 of 2)
The RM framework is the overall structure of the strategic planning and design for the entirety of the organization’s RM efforts. The RM process is the identification, analysis, evaluation, and treatment of risk to information assets, as specified in the RM framework. In other words, the RM framework (planning) guides the RM process (doing), which conducts the processes of risk assessment and risk treatment.

RM Framework (2 of 2)
The RM framework consists of five key stages:
1. Executive governance and support
2. Framework design
3. Framework implementation
4. Framework monitoring and review
5. Continuous improvement
RM Process
During the implementation phase of the RM framework, the RM plan guides the implementation of the RM process, in which risk evaluation and remediation of key assets are conducted. The process includes the following tasks:
• Establishing the context
• Identifying risk
• Analyzing risk
• Evaluating risk to the organization’s key assets and comparing identified uncontrolled risks against its risk appetite
• Treating the unacceptable risk
• Summarizing the findings

Information Assets and Media
In the most general sense, an information asset is any asset that collects, stores, processes, or transmits information, or any collection, set, or database of information that is of value to the organization.
Some commercial RM applications separate information assets from media, which in this context include hardware, integral operating systems, and utilities that collect, store, process, and transmit information, leaving only the data and the applications designed to directly interface with the data as information assets for the purposes of RM.

Classifying and Categorizing Information Assets
After the initial inventory is assembled, you must determine whether its asset categories are meaningful to the organization’s risk management program. The inventory should also reflect the sensitivity and security priority assigned to each information asset. A data classification scheme should be developed or reviewed to categorize these information assets based on their sensitivity and security needs.
For example:
• Confidential
• Internal
• Public

Assessing Value in Information Assets
As each information asset is assigned to its proper category, posing the following basic questions can help you develop the weighting criteria to be used for information asset valuation or impact evaluation.
• Which information asset is most critical to the success of the organization?
• Which information asset generates the most revenue?
• Which information asset generates the highest profitability?
• Which information asset is the most expensive to replace?
• Which information asset is the most expensive to protect?
• Which information asset’s loss or compromise would be the most embarrassing or cause the greatest liability?

Weighted Factor Analysis Worksheet
Each criterion carries a weight on a 1–100 scale, and the weights must total 100. Each asset is scored from 0 to 1 against every criterion; its weighted score is the sum of weight times score across the criteria.

Information Asset | Criterion 1: Impact on Revenue (weight 30) | Criterion 2: Impact on Profitability (weight 40) | Criterion 3: Impact on Public Image (weight 30) | Weighted Score
EDI Document Set 1—Logistics bill of lading to outsourcer (outbound) | 0.8 | 0.9 | 0.5 | 75
EDI Document Set 2—Supplier orders (outbound) | 0.8 | 0.9 | 0.6 | 78
EDI Document Set 2—Supplier fulfillment advice (inbound) | 0.4 | 0.5 | 0.3 | 41
Customer order via SSL (inbound) | 1 | 1 | 1 | 100
Customer service request via e-mail (inbound) | 0.4 | 0.4 | 0.9 | 55
Note: In the table, EDI = Electronic Data Interchange and SSL = Secure Sockets Layer. SSL itself is deprecated; a current deployment of this asset would be the same order channel protected by TLS, and the valuation does not change.
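The worksheet arithmetic above, as an added example in Python that is not code from the textbook. The criterion names, weights and asset scores are the page's worksheet values; the validation checks (weights must total 100, every asset scored on every criterion, scores within 0–1) and the ranking function are this example's own additions, there so that a malformed worksheet fails loudly instead of producing a quietly wrong priority list.

```python
"""Weighted factor analysis for information asset valuation.

Added example; not the textbook's code. Weights and scores reproduce the
page's worksheet; the validation and ranking steps are this example's own.
"""

# Criterion weights on the page's 1-100 scale; they must total 100.
CRITERION_WEIGHTS = {
    "Impact on Revenue": 30,
    "Impact on Profitability": 40,
    "Impact on Public Image": 30,
}

# Each asset is scored 0.0-1.0 against every criterion (values from the page's worksheet).
ASSET_SCORES = {
    "EDI Document Set 1 - Logistics bill of lading to outsourcer (outbound)":
        {"Impact on Revenue": 0.8, "Impact on Profitability": 0.9, "Impact on Public Image": 0.5},
    "EDI Document Set 2 - Supplier orders (outbound)":
        {"Impact on Revenue": 0.8, "Impact on Profitability": 0.9, "Impact on Public Image": 0.6},
    "EDI Document Set 2 - Supplier fulfillment advice (inbound)":
        {"Impact on Revenue": 0.4, "Impact on Profitability": 0.5, "Impact on Public Image": 0.3},
    "Customer order via SSL (inbound)":
        {"Impact on Revenue": 1.0, "Impact on Profitability": 1.0, "Impact on Public Image": 1.0},
    "Customer service request via e-mail (inbound)":
        {"Impact on Revenue": 0.4, "Impact on Profitability": 0.4, "Impact on Public Image": 0.9},
}


def weighted_scores(weights, assets):
    """Return {asset: weighted score}, where score = sum(weight_i * score_i).

    Raises ValueError when the weights do not total 100, a weight is outside
    1-100, an asset lacks a score for some criterion, or a score is outside
    0.0-1.0. Scores are rounded to integers, as on the worksheet.
    """
    total = sum(weights.values())
    if total != 100:
        raise ValueError(f"criterion weights total {total}; they must total 100")
    if any(not 1 <= w <= 100 for w in weights.values()):
        raise ValueError("each criterion weight must lie in 1-100")

    result = {}
    for asset, scores in assets.items():
        missing = set(weights) - set(scores)
        if missing:
            raise ValueError(f"{asset!r} has no score for {sorted(missing)}")
        for criterion, score in scores.items():
            if not 0.0 <= score <= 1.0:
                raise ValueError(f"{asset!r}: score {score} for {criterion!r} is outside 0-1")
        result[asset] = round(sum(weights[c] * scores[c] for c in weights))
    return result


def rank_assets(weights, assets):
    """Assets as (name, score) pairs, highest weighted score first."""
    scored = weighted_scores(weights, assets)
    return sorted(scored.items(), key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for asset, score in rank_assets(CRITERION_WEIGHTS, ASSET_SCORES):
        print(f"{score:3d}  {asset}")
```

Running the block reproduces the worksheet's column (100, 78, 75, 55, 41). The weight check matters in practice: a team that adds a fourth criterion and forgets to rebalance the weights would otherwise inflate every score and still get a plausible-looking ranking.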
Threat Assessment (1 of 2)
Armed with a properly classified inventory, you can assess the threats that could act on each information asset, a process known as threat assessment. If you assume that every threat can and will attack every information asset, the project scope becomes too complex. To make the process less unwieldy, each step in the threat identification and vulnerability identification processes is managed separately and then coordinated at the end.

Threat Assessment (2 of 2)
Answering the following questions can help you understand the various threats the organization faces and their potential effects on an information asset:
• Which threats represent an actual danger to our information assets?
• Which threats are internal and which are external?
• Which threats have the highest probability of occurrence?
• Which threats have the highest probability of success?
• Which threats could result in the greatest loss if successful?
• Which threats is the organization least prepared to handle?
• Which threats cost the most to protect against?
• Which threats cost the most to recover from?

Vulnerability Assessment
After the organization has identified and prioritized both its information assets and the threats facing those assets, it can begin to compare information assets to threats. This review leads to the creation of a list of vulnerabilities that remain potential risks to the organization.
This list is usually long and shows all the vulnerabilities of the information asset.

The TVA Worksheet (figure not reproduced)

Risk Assessment: Risk Analysis
Assessing the relative risk for each vulnerability is accomplished via a process called risk analysis, which assigns a risk rating or score to each specific vulnerability. You can use a simple and popular likelihood-times-impact model, of the kind described in NIST’s risk assessment guidance (SP 800-30) and applied within NIST’s Risk Management Framework, to evaluate the risk for each information asset. The model calculates the relative risk for each vulnerability from the likelihood and the impact of a threat event, taking existing controls into account.

Risk Likelihood
The likelihood of occurrence is a weighted risk factor based on an analysis of the probability that a given threat is capable of exploiting a given vulnerability (or set of vulnerabilities).
(NIST)
Rank | Description | Percent Likelihood | Example
0 | Not Applicable | 0% likely in the next 12 months | Will never happen
1 | Rare | 5% likely in the next 12 months | May happen once every 20 years
2 | Unlikely | 25% likely in the next 12 months | May happen once every 10 years
3 | Moderate | 50% likely in the next 12 months | May happen once every 5 years
4 | Likely | 75% likely in the next 12 months | May happen once every year
5 | Almost Certain | 100% likely in the next 12 months | May happen multiple times a year

Risk Impact
The level of impact from a threat event is the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure, modification, or destruction of information, or loss of information or information system availability. (NIST)
Rank | Description | Example | Number of Records | Productivity Hours Lost | Financial Impact
0 | Not applicable | No impact threat | N/A | N/A | N/A
1 | Insignificant | No interruption, no exposed data | 0 | 0 | 0
2 | Minor | Multi-minute interruption, no exposed data | 0 | 2 | $20,000
3 | Moderate | Multi-hour interruption, minor exposure of data | 499 | 4 | $175,000
4 | Major | One-day interruption, exposure of data | 5,000 | 8 | $2,000,000
5 | Severe | Multi-day interruption, major exposure of sensitive data | 50,000 | 24 | $20,000,000

Risk Determination (1 of 2)
For the purpose of relative risk assessment, risk equals likelihood times impact.
Asset | Vulnerability | Likelihood | Impact | Risk-Rating Factor
Customer service request via e-mail (inbound) | E-mail disruption due to hardware failure | 3 | 3 | 9
Customer service request via e-mail (inbound) | E-mail disruption due to software failure | 4 | 3 | 12
Customer order via SSL (inbound) | Lost orders due to Web server hardware failure | 2 | 5 | 10
Customer order via SSL (inbound) | Lost orders due to Web server or ISP service failure | 4 | 5 | 20
Customer service request via e-mail (inbound) | E-mail disruption due to SMTP mail relay attack | 1 | 3 | 3

Risk Determination (2 of 2) (Table continues)
Asset | Vulnerability | Likelihood | Impact | Risk-Rating Factor
Customer service request via e-mail (inbound) | E-mail disruption due to ISP service failure | 2 | 3 | 6
Customer service request via e-mail (inbound) | E-mail disruption due to power failure | 3 | 3 | 9
Customer order via SSL (inbound) | Lost orders due to Web server denial-of-service attack | 1 | 5 | 5
Customer order via SSL (inbound) | Lost orders due to Web server software failure | 2 | 5 | 10
Customer order via SSL (inbound) | Lost orders due to Web server buffer overrun attack | 1 | 5 | 5

Risk Evaluation
After the risk ratings are calculated for all TVA triples, the organization needs to decide whether it can live with the analyzed level of risk; in other words, the organization must determine its risk appetite. This is the risk evaluation stage. For some organizations, a level of “10” is acceptable. For others, it may be too high (or too low).
This value is used by the RM team to filter out TVAs that do not exceed the value, allowing the process team to focus its efforts on the TVAs that do exceed it.

Risk Treatment/Risk Control Strategies (1 of 2)
Risk treatment, also known as risk control, is the process of doing something about risk after the organization has identified risk, assessed it, evaluated it, and then determined that the current level of remaining risk—the residual risk—is unacceptable. As risk treatment begins, the organization has a list of information assets with currently unacceptable levels of risk; the appropriate strategy must be selected and then applied for each asset.

Risk Treatment/Risk Control Strategies (2 of 2)
The risk treatment strategies are as follows:
• Defense—Applying controls and safeguards that eliminate or reduce the remaining uncontrolled risk
• Transference—Shifting risks to other areas or to outside entities
• Mitigation—Reducing the impact to information assets should an attacker successfully exploit a vulnerability
• Acceptance—Understanding the consequences of choosing to leave an information asset’s vulnerability facing the current level of risk, but only after a formal evaluation and intentional acknowledgment of this decision
• Termination—Removing or discontinuing the information asset from the organization’s operating environment
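The risk determination and risk evaluation steps above, as an added example in Python that is not the textbook's code. The likelihood and impact scales and the ten asset/vulnerability rows are the page's tables; the rank validation, the split of TVA triples against a risk appetite of 10, and the `TVA` class itself are this example's own. The expected-annual-loss figure goes beyond what the text computes: it multiplies the scale's percent likelihood for the next 12 months by the scale's financial-impact figure, which is one way to break ties between triples that share the same relative rating.

```python
"""Risk determination and evaluation for threat-vulnerability-asset (TVA) triples.

Added example; not the textbook's code. Scales and TVA rows reproduce the
page's tables; validation, appetite filtering and the expected-annual-loss
figure are this example's additions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Likelihood rank -> probability the threat event occurs in the next 12 months (page's scale).
LIKELIHOOD_PROBABILITY = {0: 0.00, 1: 0.05, 2: 0.25, 3: 0.50, 4: 0.75, 5: 1.00}

# Impact rank -> financial impact in dollars (page's scale; rank 0 "not applicable" has no figure).
IMPACT_DOLLARS = {0: None, 1: 0, 2: 20_000, 3: 175_000, 4: 2_000_000, 5: 20_000_000}


@dataclass(frozen=True)
class TVA:
    asset: str
    vulnerability: str
    likelihood: int  # rank 0-5 on the page's likelihood scale
    impact: int      # rank 0-5 on the page's impact scale

    def __post_init__(self):
        # Both scales use ranks 0-5; reject anything else before it reaches the arithmetic.
        for name, rank in (("likelihood", self.likelihood), ("impact", self.impact)):
            if rank not in LIKELIHOOD_PROBABILITY:
                raise ValueError(f"{name} rank {rank} is outside the 0-5 scale")

    @property
    def risk_rating(self) -> int:
        """Relative risk = likelihood x impact (the page's risk-rating factor)."""
        return self.likelihood * self.impact

    @property
    def expected_annual_loss(self) -> Optional[float]:
        """Probability of occurrence in the next 12 months times the scale's dollar impact."""
        dollars = IMPACT_DOLLARS[self.impact]
        if dollars is None:
            return None
        return LIKELIHOOD_PROBABILITY[self.likelihood] * dollars


def evaluate(tvas: List[TVA], risk_appetite: int) -> Tuple[List[TVA], List[TVA]]:
    """Split TVAs into (needs_treatment, within_appetite), each highest rating first.

    A triple needs treatment only when its rating strictly exceeds the appetite:
    triples that do not exceed the value are filtered out, as the page describes.
    """
    by_rating = sorted(tvas, key=lambda t: t.risk_rating, reverse=True)
    needs_treatment = [t for t in by_rating if t.risk_rating > risk_appetite]
    within_appetite = [t for t in by_rating if t.risk_rating <= risk_appetite]
    return needs_treatment, within_appetite


# The page's risk determination table, both halves.
EMAIL = "Customer service request via e-mail (inbound)"
ORDERS = "Customer order via SSL (inbound)"
PAGE_TVAS = [
    TVA(EMAIL, "E-mail disruption due to hardware failure", 3, 3),
    TVA(EMAIL, "E-mail disruption due to software failure", 4, 3),
    TVA(ORDERS, "Lost orders due to Web server hardware failure", 2, 5),
    TVA(ORDERS, "Lost orders due to Web server or ISP service failure", 4, 5),
    TVA(EMAIL, "E-mail disruption due to SMTP mail relay attack", 1, 3),
    TVA(EMAIL, "E-mail disruption due to ISP service failure", 2, 3),
    TVA(EMAIL, "E-mail disruption due to power failure", 3, 3),
    TVA(ORDERS, "Lost orders due to Web server denial-of-service attack", 1, 5),
    TVA(ORDERS, "Lost orders due to Web server software failure", 2, 5),
    TVA(ORDERS, "Lost orders due to Web server buffer overrun attack", 1, 5),
]


def _fmt_loss(tva: TVA) -> str:
    loss = tva.expected_annual_loss
    return "n/a" if loss is None else f"${loss:,.0f}"


if __name__ == "__main__":
    needs, within = evaluate(PAGE_TVAS, risk_appetite=10)
    for t in needs:
        print(f"TREAT  rating={t.risk_rating:2d}  EAL={_fmt_loss(t):>13}  {t.vulnerability}")
    for t in within:
        print(f"accept rating={t.risk_rating:2d}  EAL={_fmt_loss(t):>13}  {t.vulnerability}")
```

With an appetite of 10, only two of the page's ten triples call for treatment: the Web server or ISP service failure (20) and the e-mail software failure (12). The two triples rated exactly 10 sit on the boundary and stay within appetite; their expected annual loss (25% of $20,000,000 each) is a reminder that a relative rating and a dollar exposure can tell different stories, which is why the appetite threshold should be set deliberately rather than inherited from a worksheet.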
Risk Treatment Cycle (figure not reproduced)

Managing Risk
Here are some rules of thumb for selecting a strategy:
• When a vulnerability exists in an important asset—Implement security controls to reduce the likelihood of the vulnerability being exploited.
• When a vulnerability can be exploited—Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack.
• When the attacker’s potential gain is greater than the costs of attack—Apply protections to increase the attacker’s cost or reduce the attacker’s gain using technical or managerial controls.
• When the potential loss is substantial—Apply design principles, architectural designs, and technical and nontechnical protections to limit the extent of the attack, thereby reducing the potential for loss.

Summary (1 of 3)
Now that the lesson has ended, you should have learned:
• Achieving an appropriate level of security for an organization depends on the implementation of a multilayered system that works to protect information assets from harm, unwanted access, and modification.
• Information assets have the characteristic of confidentiality when only the people or computer systems with the rights and privileges to access the assets are able to do so.
• Organizations face 12 general categories of threats that represent a clear and present danger to an organization’s people, information, and systems.
• Policy represents a formal statement of the organization’s managerial philosophy—in the case of information security policies, the organization’s InfoSec philosophy.
• After policies are designed, created, approved, and implemented, the technologies and procedures that are necessary to accomplish them can be designed, developed, and implemented.

Summary (2 of 3)
• An enterprise information security policy (EISP) is a policy based on and directly supportive of the mission, vision, and direction of the organization, and it sets the strategic direction, scope, and tone for all security efforts.
• Issue-specific security policy (ISSP) addresses specific areas of technology and contains a statement about the organization’s position on a specific issue.
• One part of information security is risk management, which is the process of identifying and controlling the risks to an organization’s information assets.
• You must identify, examine, and understand the information and systems currently in place within your organization.
• Risk management is a complex operation that requires a formal methodology. The RM framework is the overall structure of the strategic planning and design for the entirety of the organization’s RM efforts, which includes the processes of risk assessment and risk treatment.
Summary (3 of 3)
• The organization must understand its current levels of risk and determine what, if anything, it needs to do to bring them down to an acceptable level in alignment with the risk appetite specified earlier in the process.
• During the implementation phase of the RM framework, risk evaluation and remediation of key assets are conducted. The process includes establishing the context; identifying, analyzing, evaluating, and treating risk; and summarizing the findings.
• When an organization’s general management team determines that risks from InfoSec threats need attention, it authorizes treatment of those risks using one of five basic strategies: defense, transference, mitigation, acceptance, or termination.