Title: Risk Management Process
1 Risk Management Process
- Based on recommendations of the National Institute of Standards and Technology in Risk Management Guide for Information Technology Systems (Special Publication 800-30)
Lianne Stevens, Nebraska Health System, April 16, 2003
2 Goal of Risk Management Process
- Protect the organization's ability to perform its mission
- An essential management function
3 Definitions
- Risk: a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.
- Risk management: the process of identifying, assessing and reducing risk
4 Definitions
- Threat: the potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.
- Threat-Source: either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability
5 NIST Guide Purpose
- Provide a foundation for risk management program development
- Provide information on cost-effective security controls
6 Guide Structure
- Risk Management Overview
- Risk Assessment Methodology
- Risk Mitigation Process
- Ongoing Risk Evaluation
7 Risk Management Overview
- Encompasses 3 processes
- Risk Assessment
- Risk Mitigation
- Ongoing Risk Evaluation
- Integrated into the System Development Life Cycle (SDLC)
8 Risk Management Overview
- Key roles
- Senior Management
- Chief Information Officer
- System Information Owners
- Business Functional Managers
- Information System Security Officers
- IT Security Practitioners
- Security Awareness Trainers
9 Risk Assessment
- 1st process in the risk management methodology
- Used to determine potential threats and associated risk
- Output of this process helps to identify appropriate controls to reduce or eliminate risk
10 Risk Assessment Methodology
- Step 1: System Characterization
- Collect system-related information including
- Hardware
- Software
- Criticality
- Users
- Technical controls
- Environment
11 Risk Assessment Methodology
- Step 2: Threat Identification
- Identify potential threat-sources that could cause harm to the IT system and its environment
- Can be natural, human or environmental
12 Risk Assessment Methodology
- Step 3: Vulnerability Identification
- Develop a list of system vulnerabilities (flaws or weaknesses) that could be exploited
- Proactive System Security Testing methods include
- Automated vulnerability scanning tool
- Security test and evaluation
- Penetration testing
- Develop Security Requirements Checklist
13 Risk Assessment Methodology
- Step 4: Control Analysis
- Control Methods: may be technical or non-technical
- Control Categories: preventive or detective
- Control Analysis Technique: use of the security requirements checklist
14 Risk Assessment Methodology
- Step 5: Likelihood Determination
- Governing factors
- Threat-source motivation and capability
- Nature of the vulnerability
- Existence and effectiveness of current controls
- Levels: High, Medium or Low
15 Risk Assessment Methodology
- Step 6: Impact Analysis
- Prerequisite information
- System mission
- System and data criticality
- System and data sensitivity
- Adverse impact described in terms of loss or degradation of integrity, confidentiality, availability
- Quantitative vs. qualitative assessment
16 Risk Assessment Methodology
- Step 7: Risk Determination
- Develop Risk-Level Matrix
- Risk Level = Threat Likelihood x Threat Impact
- Develop Risk Scale
- Risk Levels with associated Descriptions and Necessary Actions
17 Risk Assessment Methodology
- Step 8: Control Recommendations
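As an added worked example (not part of the presentation), this Python code carries Step 7 through using the likelihood weights (High 1.0, Medium 0.5, Low 0.1), impact weights (High 100, Medium 50, Low 10) and risk scale (High >50 to 100, Medium >10 to 50, Low 1 to 10) that the original 2002 edition of NIST SP 800-30 gives; the necessary-action wording is paraphrased and the sample finding is constructed. Re-running `determine_risk` with the post-control likelihood gives the residual risk discussed later under Risk Mitigation.

```python
"""Step 7 risk determination: Risk Level = Threat Likelihood x Threat Impact."""

# Likelihood and impact weights as given in NIST SP 800-30 (2002).
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}

# Risk scale: (exclusive lower bound, level, necessary action).
# High is >50 to 100, Medium is >10 to 50, Low is 1 to 10.
RISK_SCALE = [
    (50, "High", "Strong need for corrective measures; a corrective action "
                 "plan must be put in place as soon as possible."),
    (10, "Medium", "Corrective actions are needed; develop a plan to "
                   "incorporate them within a reasonable period of time."),
    (0, "Low", "The authorizing official determines whether corrective "
               "actions are still required or decides to accept the risk."),
]


def risk_score(likelihood: str, impact: str) -> float:
    """Numeric risk; rounded so 0.1 * 100 style products compare cleanly."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 6)


def risk_level(score: float) -> tuple[str, str]:
    """Map a numeric score onto the risk scale and its necessary action."""
    for floor, level, action in RISK_SCALE:
        if score > floor:
            return level, action
    raise ValueError(f"score {score} is below the risk scale")


def determine_risk(likelihood: str, impact: str) -> tuple[float, str, str]:
    """Full Step 7 for one threat/vulnerability pair: (score, level, action)."""
    score = risk_score(likelihood, impact)
    level, action = risk_level(score)
    return score, level, action


def risk_level_matrix() -> dict[str, dict[str, tuple[float, str]]]:
    """The 3x3 Risk-Level Matrix: matrix[likelihood][impact] -> (score, level)."""
    return {lik: {imp: determine_risk(lik, imp)[:2] for imp in IMPACT}
            for lik in LIKELIHOOD}


if __name__ == "__main__":
    # Constructed finding: a Medium-likelihood threat against a system whose
    # loss of availability was rated High impact in Step 6.
    score, level, action = determine_risk("Medium", "High")
    print(f"score={score:g} level={level}\n  action: {action}")
    for lik, row in risk_level_matrix().items():
        cells = ", ".join(f"{imp}={s:g} ({lvl})" for imp, (s, lvl) in row.items())
        print(f"likelihood {lik:>6}: {cells}")
```

Note that a 50 falls in Medium, not High: the scale's High band is strictly greater than 50, so only High likelihood combined with High impact reaches the High level.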
- Factors to consider
- Effectiveness of recommended option
- Legislation and regulation
- Organizational policy
- Operational impact
- Safety and reliability
18 Risk Assessment Methodology
- Step 9: Results Documentation
- Risk Assessment Report
- Presented to senior management and mission owners
- Describes threats and vulnerabilities, measures risk and provides recommendations on controls to implement
19 Risk Mitigation
- 2nd process of risk management
- Involves prioritizing, evaluating and implementing controls
- Options
- Risk assumption
- Risk avoidance
- Risk limitation
- Risk planning
- Research and acknowledgment
- Risk transference
20 Risk Mitigation
21 Risk Mitigation
- Control Implementation Approach
- Step 1: Prioritize actions
- Step 2: Evaluate recommended control options
- Step 3: Conduct cost-benefit analysis
- Step 4: Select control
- Step 5: Assign responsibility to implement control
22 Risk Mitigation
- Control Implementation Approach
- Step 6: Develop Safeguard Implementation Plan (action plan)
- Prioritizes implementation actions
- Project start and target completion dates
- Step 7: Implement selected control(s)
- Identify any residual risk
23 Risk Mitigation
- Control Categories
- Technical Security Controls
- Supporting
- Identification (of users, processes)
- Cryptographic key management
- Security administration
- System protections
24 Risk Mitigation
- Control Categories
- Technical Security Controls
- Preventive
- Authentication (e.g. passwords, tokens)
- Authorization (e.g. update vs. view)
- Access control enforcement
- Non-repudiation (e.g. digital certificate)
- Protected communications (encryption)
- Transaction privacy (e.g. SSL)
25 Risk Mitigation
- Control Categories
- Technical Security Controls
- Detection and Recovery
- Audit
- Intrusion detection and containment
- Proof of wholeness (e.g. system integrity tool)
- Restore secure state
- Virus detection and eradication
26 Risk Mitigation
- Control Categories
- Management Security Controls
- Preventive
- Assign security responsibility
- Develop and maintain system security plans
- Implement personnel security controls
- Conduct security awareness training
27 Risk Mitigation
- Control Categories
- Management Security Controls
- Detection
- Implement personnel security controls
- Conduct periodic review of controls
- Perform periodic system audits
- Conduct ongoing risk management
- Authorize IT systems to address/accept residual risk
28 Risk Mitigation
- Control Categories
- Management Security Controls
- Recovery
- Develop, test and maintain continuity of operations plan
- Establish incident response capability
29 Risk Mitigation
- Control Categories
- Operational Security Controls
- Preventive
- Control data media access and disposal
- Limit external data distribution
- Control software viruses
- Safeguard computing facility
- Secure wiring closets
- Provide backup capability
- Establish off-site storage
- Protect laptops, PCs, workstation
- Protect IT resources from fire damage
- Provide emergency power
- Control computing facility environment (HVAC)
30 Risk Mitigation
- Control Categories
- Operational Security Controls
- Detection
- Provide physical security (e.g. motion detectors, closed-circuit TV monitors)
- Ensure environmental security (e.g. smoke and fire detectors)
31 Risk Mitigation
- Cost-Benefit Analysis
- Can be qualitative or quantitative
- Purpose: demonstrate that the costs of implementing controls can be justified by the reduction in the level of risk
32 Risk Mitigation
- Residual Risk
- Risk remaining after implementation of controls
- If not reduced to an acceptable level, the risk management cycle must be repeated
33 Evaluation and Assessment
- Good Security Practice
- Should have a specific schedule for repeating the risk assessment process
- Should be flexible to allow for major system and processing changes
- Keys for success
- Senior management commitment
- Support and participation of the IT team
- Competence of the risk assessment team
- Awareness and cooperation of the user community
- Ongoing evaluation and assessment
34 Appendices
- Sample IT system assessment questions
- Sample risk assessment report outline
- Sample safeguard implementation plan (action plan) summary table
- Acronyms
- Glossary
- References