93.26K

Xasanov_Bahodir_Management_Assignment

1.

IT Security Risk Governance
Integrating Frameworks for Enterprise Resilience
An Academic Deep Dive into NIST SP 800-37, ISO/IEC 27005, and COBIT 2019
Course: IT Security Management
Instructor: Qabulova Zulayxo
Student Name: Xasanov Bahodir
Assignment Type: Independent Study
Submission Deadline: 13.06.2026

2.

Agenda & Presentation Roadmap
1
2
3
4
Foundational Core
Assessment Paradigms
Global Frameworks
Apex Bank Study
The operational landscape of
Information Security Risk
Management (ISRM) and
governance lifecycles.
Quantitative versus qualitative
evaluation models, mathematical
definitions, and analysis
techniques.
Strategic analyses of
standardized guidelines from
NIST, ISO/IEC, and global
ISACA benchmarks.
Real-world risk modeling, hybrid
compliance integration, and
empirical financial ROI
telemetry.

3.

Part 1: Foundations of ISRM
Understanding core mechanics of organizational alignment, asset structures, and vector mitigation loops.

4.

What is IT Security Governance?
Governing the modern technical asset footprint demands
rigorous systems and procedures designed to ensure
cybersecurity efforts support macro business operations.
Aligns executive oversight structures with lower-level
engineering parameters to prevent disjointed policy definitions
and secure organizational buy-in.
Security investments must directly optimize enterprise
strategic goals. Clear oversight establishes accountability,
identifies system owners, and determines clear liability
metrics.
Fosters active communication loops that translate abstract risk
vectors into metrics readable by non-technical board members.

5.

The Continuous ISRM Lifecycle
1
2
3
Risk Identification
Risk Assessment
Risk Mitigation
Comprehensive discovery of assets,
mapping database architecture,
discovering hardware configurations, and
highlighting system exposure paths.
Calculating overall threat impact and
occurrence probabilities. Employs
descriptive and statistical approaches to
model operational outcomes.
Deploying structured technical, physical,
and administrative controls. Includes
regular validation monitoring to confirm
configuration integrity.

6.

Identifying Information Assets
Building comprehensive asset directories across hardware,
source code files, customer databases, and proprietary
business applications.
Understanding internal processing flows to trace sensitive
customer records as they traverse multiple network segments
and API nodes.
Utilizing vulnerability scanners, active endpoint
configuration managers, and secure automated discovery
solutions to maintain precise architecture registers.
Continuous validation loops verify active software licenses,
operating system versions, and system boundary parameters.

7.

Modern Threat Vector Taxonomy
Threat Source
Common Attack Vectors
High-Impact Consequences
Primary Governance Control
Advanced Syndicates
Polymorphic ransomware, double-extortion
tactics.
Loss of system operations, business
interruption.
Immutable data backup routines, isolation
zones.
State-Backed Actors
Zero-day gateway exploits, API query
manipulation.
Exfiltration of client PII database records.
Continuous perimeter profiling, edge
WAAP filters.
Malicious Insiders
Privileged credential abuse, localized
datastore theft.
Compromised audit logs, regulatory
penalties.
Least-privilege authorization, zero-trust
policies.

8.

Part 2: Assessment Methodologies
Divergent approaches to modeling risk severity, mathematical constructs, and executive prioritizations.

9.

Qualitative Risk Assessment
Utilizes descriptive scales and ordinal categories (e.g.,
Critical, High, Medium, Low) and expert consensus
workshops to quickly map overall threat exposure
parameters.
Relies heavily on subjective consensus from operations
stakeholders, system owners, and specialized information
security personnel.
Primary Advantage: Rapidly identifies critical risk areas
without demanding complex, costly actuarial historical
databases.
Operational Limitation: Highly susceptible to cognitive biases,
cognitive noise, and inconsistent qualitative parameters
between silos.

10.

Quantitative Risk Assessment
Uses exact monetary valuations, actuarial data feeds, and
probabilistic simulations (such as Monte Carlo models) to
determine enterprise exposure levels.
Establishes objective financial metrics that communicate
security exposures in direct profit-and-loss terminology.
Strategic Benefit: Directly justifies security infrastructure
investments, enabling precise Return on Investment (ROI)
analytics for security control selections.
Primary Limitation: Demands robust, highly accurate asset
valuations and reliable historical cybersecurity breach
databases.

11.

Calculating Single Loss Expectancy
SLE = AV x EF
Single Loss Expectancy Formula
Asset Value (AV): The complete financial worth of the targeted system,
factoring in direct asset costs, customer lifetime value, and regulatory
penalties.
Exposure Factor (EF): The precise percentage of the target asset's value that
would be corrupted, encrypted, or exfiltrated during a single successful security
incident.
SLE Application: Represents the immediate financial pain of a single event,
forming the baseline value used in downstream annualized planning.

12.

Annualized Loss Expectancy Formula
ALE = SLE x
ARO
Annualized Loss Expectancy Formula
Annualized Rate of Occurrence (ARO): The calculated probability that a
specific threat vector will exploit a vulnerability within a single calendar
year.
ALE Outcome: Represents the predicted average annual loss from a specific
risk category, allowing direct comparison against security implementation
costs.
Investment Justification: Enables security managers to definitively demonstrate
when a proposed technical control is financially sound.

13.

Qualitative vs Quantitative Risk
Operational Attribute
Qualitative Risk Modeling
Quantitative Risk Modeling
Primary Metric Type
Descriptive scales (High, Medium, Low).
Exact financial values ($ USD, EUR, etc.).
Data Requirements
Expert opinions, workshop consensus.
Empirical databases, exact asset valuations.
Speed of Execution
Rapid deployment, immediate categorization.
Time-intensive analysis and modeling.
Executive Board Appeal
Provides simple color-coded prioritizations.
Offers clear business-case calculations.
Susceptibility to Bias
High risk of cognitive and political bias.
Low, provided input datasets are highly accurate.

14.

Part 3: International Frameworks
Translating core risk theory into repeatable, standardized operational steps.

15.

NIST Risk Management Framework
Published by the National Institute of Standards and
Technology, the RMF establishes a rigorous, lifecycle-based
methodology for information system security optimization.
Ensures security parameters are built directly into federal
agency architectures and heavily regulated corporate enterprise
structures from step one.
Focuses extensively on the formal authorization of
technical controls. System owners must document evidence
proving configurations adhere to specific compliance
guidelines.
Creates clear, auditable paper trails demonstrating control
coverage across system boundaries.

16.

NIST RMF: Prep & Select (Steps 1-4)
1
Prepare
Conducts organization-level
context reviews to map strategic
boundaries, legal parameters, and
asset ownership.
3
2
Categorize
Classifies targeted information
systems by mapping data risk
boundaries across CIA tenets.
4
Select
Implement
Identifies a core baseline of
security controls from NIST SP
800-53 based on target system
classifications.
Deploys selected controls across
enterprise infrastructures and
documents implementation
details.

17.

NIST RMF: Assess & Monitor (5-7)
5
6
7
Assess
Authorize
Monitor
Conducts detailed verification activities to
confirm security controls are operating
correctly and as intended.
Secures senior management authorization
(ATO) to operate the system based on
accepted residual risk metrics.
Maintains continuous real-time system
monitoring to rapidly spot configurations
drift and emerging exploits.

18.

ISO/IEC 27005 Risk Management
Published to harmonize with the overarching ISO/IEC
27001 Information Security Management System (ISMS)
architecture.
Enables international operations to adapt threat assessments to
distinct regulatory guidelines, corporate structures, and threat
footprints.
Unlike control-specific catalogs, ISO 27005 outlines
standard iterative lifecycle steps to consistently locate,
analyze, rate, and treat risks.
Embeds flexible context setting into standard business
operations to ensure ongoing risk visibility.

19.

ISO 27005 Iterative Processes
1
Context Establishment
Defines internal boundaries, external risk
factors, legal jurisdictions, and overall
corporate risk tolerance parameters.
2
Communication Loop
Engages in persistent consultative
discussions with business managers to
prevent departmental risk assessment
silos.
3
Continual Review
Forces ongoing review cycles, ensuring
security postures evolve in tandem with
shifting market realities.

20.

COBIT 2019 Enterprise Alignment
Governance (Board): Evaluates operational performance,
directs business investments, and monitors strategic
alignment.
Management (C-Suite): Plans, builds, runs, and monitors
concrete systems supporting governance goals.
Aligns IT investments with overarching corporate
priorities. Rather than treating security as an isolated
technical expense, COBIT 2019 integrates it as a driver of
enterprise value.
Defines explicit ownership lines to minimize operational
vulnerabilities.

21.

APO12: Managed IT Risk Domain
1
2
3
Risk Portfolios
Data Integration
Enterprise RACI
Ensures that security metrics interface
directly with Enterprise Risk Management
(ERM) analytics tools.
Defines explicit ownership matrices
across all corporate divisions, clarifying
operational boundaries.
Aggregates technical risk factors into a
standardized corporate risk register to
maintain comprehensive organizational
visibility.

22.

Part 4: Comparative Analysis
Comparing framework strategies, alignment targets, and selecting optimal hybrid approaches.

23.

Comparative Framework Matrix
Criteria
NIST SP 800-37 RMF
ISO/IEC 27005:2022
COBIT 2019 (APO12)
Primary Design Focus
System authorization & control baselines.
Process-driven, adaptive risk cycles.
Board-level alignment and value creation.
Core Target Audience
Federal entities, regulated providers.
Multinational commercial operations.
Enterprise board members and CROs.
Implementation Strategy
Highly prescriptive control lists.
Iterative steps, flexible context.
Governance objectives and RACI matrices.
Primary Core Competency
Removes configuration ambiguity.
Highly adaptable process designs.
Bridges technical and corporate silos.

24.

Designing a Hybrid Framework
Rigid adherence to a single framework can leave critical
vulnerabilities unaddressed.
Leveraging COBIT for board oversight, ISO for standard risk
processes, and NIST for technical controls establishes an
optimal posture.
Translate technical telemetry into risk portfolios using
COBIT APO12 mechanisms.
This hybrid approach ensures robust compliance while
maintaining administrative agility and clear business-case
justification.

25.

Part 5: Apex Bank Case Study
Real-world risk modeling, hybrid compliance integration, and empirical ROI metrics.

26.

Apex Bank Architecture Context
System Parameters: A tier-1 financial provider underwent
a massive digital transformation, migrating legacy systems
to a hybrid cloud architecture.
Core Processing: Supports an Open Banking API gateway
handling more than $500M in daily financial transactions.
Securing high-volume digital connections with external
FinTech tools without disrupting operations.
Leveraging hybrid models allows for strict validation while
supporting active technical scaling.

27.

Ledger Database Threat Modeling
The Targeted Asset: Customer Account Data Ledger,
maintaining financial balances for 10M active accounts.
Vulnerability Point: Public API gateway endpoints exposed to
query injection exploits.
An APT actor exploits zero-day gateway flaws, moves
laterally, accesses the ledger, and deploys double-extortion
ransomware.
This would simultaneously threaten confidentiality, integrity,
and availability metrics.

28.

FIPS 199 Impact Classification
Security Tenet
Target Rating
Analysis of Strategic Threat Impact
Confidentiality
High Impact
Unauthorized data exposure triggers GDPR/PCI fines and
class-action lawsuits.
Integrity
High Impact
Unauthorized adjustments to balance histories destroy ledger
trust, halting operations.
Availability
High Impact
Unscheduled system downtime exceeding 15 minutes halts
transactions, halting clearing operations.

29.

Unmitigated Financial Risk (ALE)
Asset Value (AV): Calculated at $45,000,000, covering legal
defense, regulatory fines, and customer churn.
Exposure Factor (EF): Evaluated at 0.60, representing the
percentage of databases encrypted or exfiltrated.
Result: SLE = AV x EF = $27,000,000 USD.
ARO Value: Placed at 0.15, indicating an estimated
occurrence frequency of once every 6.6 years.
Unmitigated ALE: $4,050,000 USD, representing the annual
exposure of leaving the database vulnerability unaddressed.
Risk Tolerance Limit: Board guidelines strictly cap exposure at
$500,000 USD per single threat vector.

30.

Mitigating the Ledger Attack
To reduce exposure beneath the $500,000 threshold, the
CISO justified a $1,200,000 capital expenditure budget to
implement targeted NIST SP 800-53 controls.
Quantifying financial risk metrics presented a clear, undeniable
business case that won immediate Board approval.
SI-10 (Input Validation): Deployed edge AI-driven Web
Application and API Protection (WAAP) queries.
IA-2 (Multi-factor / credentials): Enforced OAuth 2.0 mutual
mTLS for third-party requests.
CP-2 (Immutable Backups): Established air-gapped snapshot
mirroring loops.

31.

Apex Bank Financial ROI Analysis
Unmitigated Baseline Risk (ALE)
$4,050,000 USD
Board Max Risk Limit
$500,000 USD
Mitigated Residual Risk (ALE)
$45,000 USD
Applying the $1.2M security budget reduced the Exposure Factor (EF) from 0.60 to 0.05 and the Annualized Rate of Occurrence (ARO) from 0.15 to 0.02.
Annualized Loss Expectancy dropped from $4,050,000 to just $45,000.

32.

Strategic Key Takeaways
1
2
3
Continuous Automation
Proactive Risk Posture
Hybrid Architectures
Traditional 'point-in-time' reviews leave
major gaps. Resilience requires real-time
monitoring, continuous boundary
scanning, and immediate configuration
drift alerts.
Bridges the communication gap between
technical and corporate divisions.
Translating cybersecurity parameters into
clear financial metrics aligns security with
enterprise strategy.
Combining COBIT for governance
alignment, ISO/IEC 27005 for processes,
and NIST for technical controls eliminates
blind spots across all organizational
layers.
English     Русский Правила