Sunday, 22 October 2023

Information Security Models

 


1. Bell-LaPadula Confidentiality Model:

Prevents unauthorised data flow through a "no read up, no write down" policy: the simple security property stops a subject reading objects above its clearance, and the *-property (star property) stops it writing to objects below its clearance, so classified data cannot leak downward.

   

2. Biba Integrity Model:

Focuses on integrity by implementing a "no read down, no write up" policy: a subject may not read data of lower integrity (which could taint its own work) and may not write to data of higher integrity. It primarily addresses external threats and does not prevent covert channels.
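The two lattice rules above, as an added example that is not part of the original post: a small reference monitor that evaluates a read or write request under Bell-LaPadula and Biba at the same time, which also shows why the two models conflict when a subject is labelled under both (the level names, subjects and objects are constructed).

```python
# Added example (not from the original post): a tiny reference monitor that
# checks read/write requests against the Bell-LaPadula confidentiality rules
# and the Biba integrity rules. Levels, subjects and objects are constructed.

# Ordered lattices: a higher index means a higher level.
CONF_LEVELS = ["public", "confidential", "secret", "top_secret"]
INT_LEVELS = ["untrusted", "user", "system"]

def _rank(levels, name):
    if name not in levels:
        raise ValueError(f"unknown level {name!r}")
    return levels.index(name)

def blp_allows(op, subject_conf, object_conf):
    """Bell-LaPadula: simple security property = no read up,
    *-property = no write down."""
    s, o = _rank(CONF_LEVELS, subject_conf), _rank(CONF_LEVELS, object_conf)
    if op == "read":
        return s >= o  # may read only at or below own clearance
    if op == "write":
        return s <= o  # may write only at or above own clearance
    raise ValueError(f"unknown operation {op!r}")

def biba_allows(op, subject_int, object_int):
    """Biba: simple integrity axiom = no read down,
    *-integrity axiom = no write up."""
    s, o = _rank(INT_LEVELS, subject_int), _rank(INT_LEVELS, object_int)
    if op == "read":
        return s <= o  # may read only from equal or higher integrity
    if op == "write":
        return s >= o  # may write only to equal or lower integrity
    raise ValueError(f"unknown operation {op!r}")

def check_access(op, subject, obj):
    """Apply both models; return (allowed, reasons for denial).
    subject and obj are dicts carrying 'conf' and 'int' labels."""
    reasons = []
    if not blp_allows(op, subject["conf"], obj["conf"]):
        reasons.append("BLP: no read up" if op == "read" else "BLP: no write down")
    if not biba_allows(op, subject["int"], obj["int"]):
        reasons.append("Biba: no read down" if op == "read" else "Biba: no write up")
    return (not reasons, reasons)

# Constructed labels: an analyst, an untrusted public feed, a system config file.
ANALYST = {"conf": "secret", "int": "user"}
PUBLIC_FEED = {"conf": "public", "int": "untrusted"}
SYSTEM_CONFIG = {"conf": "confidential", "int": "system"}
```

Run `check_access("write", ANALYST, SYSTEM_CONFIG)` to see both models deny the same request for opposite reasons, which is the classic tension between confidentiality and integrity labelling.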


3. Clark-Wilson Integrity Model:

Ensures integrity by prohibiting unauthorised modifications and by maintaining internal and external consistency. Subjects never touch protected data directly: every access goes through an access triple (Subject, Program, Object), backed by Separation of Duty (SoD), Constrained Data Items (CDI) whose integrity is protected, Unconstrained Data Items (UDI) such as raw input, Integrity Verification Procedures (IVP) that confirm CDIs are in a valid state, and Transformation Procedures (TP), the only well-formed operations permitted to change a CDI.


4. Brewer and Nash Model (Chinese Wall Model):

Access control decisions change dynamically with the user's prior activity: once a user has accessed one company's data, access to the data of competitors in the same conflict-of-interest class is blocked, creating a barrier between sensitive information.
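The dynamic barrier described above, as an added example that is not part of the original post: a Chinese Wall monitor whose permitted set shrinks as a user reads data. The companies and conflict-of-interest classes are constructed, and the write rule is a simplified form of the Brewer and Nash *-property that ignores sanitised data.

```python
# Added example (not from the original post): a Brewer and Nash (Chinese Wall)
# monitor in which a user's permitted set shrinks as they access data.
# Companies and conflict-of-interest classes are constructed for illustration.

from collections import defaultdict

# Each company dataset belongs to a conflict-of-interest (COI) class;
# companies in the same class are competitors.
COI_CLASS = {"BankA": "banking", "BankB": "banking",
             "OilX": "oil", "OilY": "oil"}


class ChineseWall:
    def __init__(self):
        self.history = defaultdict(set)  # user -> companies already accessed

    def can_read(self, user, company):
        """Simple security rule: allowed if the user already accessed this
        company, or has touched no company in the same COI class."""
        cls = COI_CLASS[company]
        seen = self.history[user]
        return company in seen or all(COI_CLASS[c] != cls for c in seen)

    def read(self, user, company):
        """Record the access; the wall now blocks this company's competitors."""
        if not self.can_read(user, company):
            return False
        self.history[user].add(company)
        return True

    def can_write(self, user, company):
        """Simplified *-property (ignores sanitised data): a user may write to
        a company only if it is the sole company they have read, so nothing
        read behind one wall can be copied into another company's dataset."""
        return self.can_read(user, company) and self.history[user] <= {company}

    def accessible(self, user):
        """Companies the user may still read, given their history."""
        return sorted(c for c in COI_CLASS if self.can_read(user, c))
```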


5. Graham-Denning Model:

Implemented through an access control matrix in which subjects perform a defined set of primitive operations on objects (creating and deleting subjects and objects, and reading, granting, deleting and transferring access rights). Each object has an owner holding special rights over it, and each subject has a controller, another subject with special rights to grant and revoke its rights.


6. Take-Grant Model:

Represents the protection state as a directed graph and defines rules for transferring rights along it: "Take" allows a subject holding the take right over another node to take that node's rights over an object, "Grant" permits a subject holding the grant right over another node to pass on rights it holds to that node, "Create" lets a subject create a new node and assign itself rights over it, and "Remove" allows a subject to drop its own rights.
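The four rules as graph rewrites, as an added example that is not part of the original post: each rule checks its precondition edges before adding or deleting a right, and only subjects may apply a rule. Node names and the right letters ('t', 'g', 'r', 'w') are constructed.

```python
# Added example (not from the original post): the four Take-Grant rules applied
# to a small protection graph. Node names are constructed; rights are 't' (take),
# 'g' (grant), 'r' (read) and 'w' (write).

from collections import defaultdict

class TakeGrantGraph:
    def __init__(self):
        self.nodes = set()
        self.subjects = set()               # only subjects can apply rules
        self.rights = defaultdict(set)      # (src, dst) -> set of rights

    def add_node(self, name, subject=False):
        self.nodes.add(name)
        if subject:
            self.subjects.add(name)

    def add_edge(self, src, dst, rights):
        self.rights[(src, dst)] |= set(rights)

    def _active(self, x):
        if x not in self.subjects:
            raise PermissionError(f"{x} is not a subject and cannot act")

    def take(self, x, y, z, alpha):
        """x takes right alpha over z from y: needs x -t-> y and y -alpha-> z."""
        self._active(x)
        if "t" not in self.rights[(x, y)] or alpha not in self.rights[(y, z)]:
            raise PermissionError(f"{x} cannot take {alpha!r} over {z} from {y}")
        self.rights[(x, z)].add(alpha)

    def grant(self, x, y, z, alpha):
        """x grants right alpha over z to y: needs x -g-> y and x -alpha-> z."""
        self._active(x)
        if "g" not in self.rights[(x, y)] or alpha not in self.rights[(x, z)]:
            raise PermissionError(f"{x} cannot grant {alpha!r} over {z} to {y}")
        self.rights[(y, z)].add(alpha)

    def create(self, x, new, rights, subject=False):
        """x creates a new node and receives the given rights over it."""
        self._active(x)
        if new in self.nodes:
            raise ValueError(f"{new} already exists")
        self.add_node(new, subject)
        self.add_edge(x, new, rights)

    def remove(self, x, z, alpha):
        self._active(x)                     # x drops its own right; no check needed
        self.rights[(x, z)].discard(alpha)
```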

Saturday, 21 October 2023

Things to consider in Risk Management

  1. Risk Models - It is always better to use well-established risk analysis methods than to start from scratch with home-grown risk models.
  2. Risk Assessment - Do not confuse risk assessment with audit. The audit role helps the company understand and implement security controls and determine where control failures or breakdowns in security controls will occur. Risk assessment instead focuses on checking that controls are in place to protect against security threats, by identifying risks to the organisation, its technology and its processes. The risk management role encompasses managing the risks associated with the use of information technology and determining how to get the most out of the investment in security controls and related processes.
  3. Cost/Loss Expectancy - Risk management must also consider the Total Cost of Risk (TCOR), which includes insurance cost, loss cost, Annual Loss Expectancy, administration cost, etc.
  4. Conflating Precision with Accuracy - It is not always possible to give exact numbers for risk assessments, vulnerabilities or incidents, so a range such as 60-90% can be used as the probability; a defensible range is more accurate than a spuriously precise point value.
  5. Risk Register - Document and rank all the risks/events that can go wrong in the risk register. It should not overemphasise esoteric risks; instead record real-world risks and rate and prioritise the ones most threatening to the organisation and business.
  6. Risk Exception Management - When an identified risk cannot be handled in compliance with the organisation's risk management policy and a deviation from standard practice is needed for a stipulated period of time, the risk exception process is to be followed. It helps to clearly determine the areas of non-compliance, the timelines of the impact, and whether there is a risk of fines, penalties or malicious activity due to the non-compliance.
  7. Risk Rating - Assess the risks identified and classify them as low, medium or high considering their probability, frequency and impact.
  8. Risk Intelligence - A risk intelligence program aims to identify potential risks and help the organisation recognise the challenges that could compromise its business. It provides a proactive approach to discovering risks, identifying their likelihood and eliminating them, and helps define a risk posture that gives structure to the risks, tailored to the organisation's business operations. The posture is baselined on Threats, Controls, Assets and Impacts (TCAI), and any change to these alters the risk posture. Also define and explain what makes a valid source of risk intelligence, and implement risk intelligence that can deal with new information or changes that will alter the risk posture.
  9. Multiplying by Ordinals - Rating risks only on an ordinal scale such as High, Medium, Low, without considering the quantities those values represent, can lead to ineffective management and wrong use of cost and resources in mitigation. If a risk has high impact but an extremely low probability, then concentrating risk management effort on that particular threat is simply a bad calculation. Doing risk management wrong is worse than doing nothing at all!
  10. ROSI - Return on Security Investment clearly measures the return on investment in cyber security initiatives within the organisation. It is difficult to quantify the benefits of security initiatives directly in monetary terms, so the measures take forms such as the count of incidents prevented, attacks defended or blocked by the tools implemented, number of vulnerabilities patched, number of malware samples removed or quarantined, reduction in the number of risks over the time period, penalties and regulatory fines avoided, reputational damage averted, response times, ability to minimise loss/impact, and so on.
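Items 3, 4, 9 and 10 worked through on a constructed risk register, as an added example that is not part of the original post: loss expectancy is carried as a range rather than a point value, ranking by ordinal products is compared with ranking by Annual Loss Expectancy, and a ROSI figure is computed using the standard (ALE reduction minus control cost) / control cost formula, which the post does not give. All figures are constructed.

```python
# Added example (not from the original post): a small risk register that carries
# Annual Loss Expectancy as a range (items 3 and 4), shows why ranking by
# ordinal High/Medium/Low products misleads (item 9), and computes a standard
# ROSI figure (item 10). All figures are constructed for illustration.

ORDINAL = {"low": 1, "medium": 2, "high": 3}

def ale_range(sle, aro_low, aro_high):
    """Annual Loss Expectancy = Single Loss Expectancy x Annual Rate of
    Occurrence, kept as a (low, high) range instead of a false point value."""
    return (sle * aro_low, sle * aro_high)

def ordinal_score(impact, likelihood):
    """The 'multiplying by ordinals' heuristic the post warns about."""
    return ORDINAL[impact] * ORDINAL[likelihood]

def rosi(ale_before, ale_after, control_cost):
    """Return on Security Investment = (ALE reduction - control cost) / cost.
    Standard formula; assumed here, not given in the post."""
    return (ale_before - ale_after - control_cost) / control_cost

# Constructed register: the ordinal labels plus the quantities behind them.
REGISTER = [
    {"risk": "datacentre flood", "impact": "high", "likelihood": "low",
     "sle": 5_000_000, "aro": (0.02, 0.05)},
    {"risk": "phishing credential theft", "impact": "medium", "likelihood": "high",
     "sle": 50_000, "aro": (0.6, 0.9)},
    {"risk": "lost unencrypted laptop", "impact": "low", "likelihood": "high",
     "sle": 2_000, "aro": (0.6, 0.9)},
]

def rank_by_ordinal(register):
    """Rank on impact x likelihood ordinals (ties keep register order)."""
    return [r["risk"] for r in sorted(register, reverse=True,
            key=lambda r: ordinal_score(r["impact"], r["likelihood"]))]

def rank_by_ale(register):
    """Rank on the midpoint of each ALE range."""
    def mid(r):
        low, high = ale_range(r["sle"], *r["aro"])
        return (low + high) / 2
    return [r["risk"] for r in sorted(register, key=mid, reverse=True)]
```

Comparing `rank_by_ordinal(REGISTER)` with `rank_by_ale(REGISTER)` shows the ordinal method putting phishing ahead of the flood and tying the flood with a lost laptop, while the expected-loss ranking reverses the first two and separates the tie by two orders of magnitude.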









Wednesday, 4 October 2023

A glimpse into Cyber Security Risk Management

 

The increasing frequency, creativity and variety of cyberattacks mean that every enterprise is bound to turn its attention to cyber security risk management.


The Definition:

Risk management is the process by which an organisation can better identify, assess, communicate, and manage its cybersecurity risks in the context of its stated mission and business objectives, using language and constructs already familiar to senior leaders.




The Approach:

The Risk Management Framework (RMF) offers a methodical and adaptable strategy for handling the risk associated with integrating systems into the organization's mission and business processes. A good risk management framework should comprise:

  • Standards and Guidelines to support implementation of risk management programs 
  • Compliance with applicable laws and regulatory requirements
  • Control Selection to baseline and provide adequate protection
  • Control Implementation to make the framework functional
  • Control Testing to determine if controls are implemented correctly, operating as intended and producing desired outcomes. 
  • Risk Assessment to identify, analyse, evaluate and treat the risks 
  • Continuous Monitoring for early threat detection, faster incident response and continuous compliance with regulatory requirements.


Top Risk Management Frameworks:

  1. ISO 27001 & ISO 27002
  2. Cybersecurity Maturity Model Certification (CMMC)
  3. NIST SP 800-53 & NIST CSF
  4. AICPA SOC 2
  5. EBIOS


An Example - NIST RMF:




The NIST RMF consists of seven steps, each backed by supporting NIST publications and resources for implementers:

  1. Prepare - Essential activities to prepare the organization to manage security and privacy risks.
  2. Categorize - Categorize the system and the information it processes, stores, and transmits based on an impact analysis.
  3. Select - Select the set of NIST SP 800-53 controls to protect the system based on risk assessment(s).
  4. Implement - Implement the controls and document how they are deployed.
  5. Assess - Assess whether the controls are in place, operating as intended, and producing the desired results.
  6. Authorize - A senior official makes a risk-based decision to authorize the system (to operate).
  7. Monitor - Continuously monitor control implementation and risks to the system.


This process is executed by a chain of experts from the cybersecurity team, such as the Chief Information Security Officer, Chief Risk Officer, Risk Manager, Risk Advisor and Risk Management Co-ordinator. However, it is ultimately the responsibility of the business management team, including the Chief Executive Officer, Chief Technology Officer, Project Manager, business owner, application owner, Business Information Security Officer and so on, to ensure risk management is completed effectively.


In-house risk management teams are a standard capability within the information technology sector. In contrast, major industries such as manufacturing, healthcare, finance, energy, transportation, pharmaceuticals, retail, real estate and others tend to rely on cyber security risk consulting firms, including prominent entities like the Big 4 and other leading consulting companies.



