Risk Management Process - PowerPoint PPT Presentation

About This Presentation
Title:

Risk Management Process

Description:

Based on recommendations of the National Institute of Standards and Technology ... Control Categories - preventive or detective ... – PowerPoint PPT presentation

Slides: 35
Provided by: lste6
Learn more at: http://www.nesnip.org

Transcript and Presenter's Notes

1
Risk Management Process
  • Based on recommendations of the National
    Institute of Standards and Technology in Risk
    Management Guide for Information Technology
    Systems (special publication 800-30)

Lianne Stevens, Nebraska Health System, April 16, 2003

2
Goal of Risk Management Process
  • Protect the organization's ability to perform its
    mission
  • An essential management function

3
Definitions
  • Risk - a function of the likelihood of a given
    threat-source's exercising a particular potential
    vulnerability, and the resulting impact of that
    adverse event on the organization.
  • Risk management - the process of identifying,
    assessing and reducing risk.

4
Definitions
  • Threat - The potential for a threat-source to
    exercise (accidentally trigger or intentionally
    exploit) a specific vulnerability.
  • Threat-Source - Either (1) intent and method
    targeted at the intentional exploitation of a
    vulnerability or (2) a situation and method that
    may accidentally trigger a vulnerability.

5
NIST Guide Purpose
  • Provide a foundation for risk management program
    development
  • Provide information on cost-effective security
    controls

6
Guide Structure
  • Risk Management Overview
  • Risk Assessment Methodology
  • Risk Mitigation Process
  • Ongoing Risk Evaluation

7
Risk Management Overview
  • Encompasses 3 processes
    • Risk Assessment
    • Risk Mitigation
    • Ongoing Risk Evaluation
  • Integrated into System Development Life Cycle
    (SDLC)

8
Risk Management Overview
  • Key roles
    • Senior Management
    • Chief Information Officer
    • System Information Owners
    • Business Functional Managers
    • Information System Security Officers
    • IT Security Practitioners
    • Security Awareness Trainers

9
Risk Assessment
  • 1st process in risk management methodology
  • Used to determine potential threats and
    associated risk
  • Output of this process helps to identify
    appropriate controls to reduce or eliminate risk

10
Risk Assessment Methodology
  • Step 1 - System Characterization
    • Collect system-related information, including
      • Hardware
      • Software
      • Criticality
      • Users
      • Technical controls
      • Environment

11
Risk Assessment Methodology
  • Step 2 - Threat Identification
    • Identify potential threat-sources that could
      cause harm to the IT system and its environment
    • Can be natural, human or environmental

12
Risk Assessment Methodology
  • Step 3 - Vulnerability Identification
    • Develop a list of system vulnerabilities (flaws or
      weaknesses) that could be exploited
    • Proactive system security testing methods
      include
      • Automated vulnerability scanning tool
      • Security test and evaluation
      • Penetration testing
    • Develop Security Requirements Checklist

13
Risk Assessment Methodology
  • Step 4 - Control Analysis
    • Control Methods - may be technical or
      non-technical
    • Control Categories - preventive or detective
    • Control Analysis Technique - use of the security
      requirements checklist

14
Risk Assessment Methodology
  • Step 5 - Likelihood Determination
    • Governing factors
      • Threat-source motivation and capability
      • Nature of the vulnerability
      • Existence and effectiveness of current controls
    • Levels - High, Medium or Low

15
Risk Assessment Methodology
  • Step 6 - Impact Analysis
    • Prerequisite information
      • System mission
      • System and data criticality
      • System and data sensitivity
    • Adverse impact described in terms of loss or
      degradation of integrity, confidentiality or
      availability
    • Quantitative vs. qualitative assessment

16
Risk Assessment Methodology
  • Step 7 - Risk Determination
    • Develop Risk-Level Matrix
      • Risk Level = Threat Likelihood x Threat Impact
    • Develop Risk Scale
      • Risk Levels with associated Descriptions and
        Necessary Actions

17
Risk Assessment Methodology
  • Step 8 - Control Recommendations
    • Factors to consider
      • Effectiveness of recommended option
      • Legislation and regulation
      • Organizational policy
      • Operational impact
      • Safety and reliability

18
Risk Assessment Methodology
  • Step 9 - Results Documentation
    • Risk Assessment Report
      • Presented to senior management and mission owners
      • Describes threats and vulnerabilities, measures
        risk and provides recommendations on controls to
        implement

19
Risk Mitigation
  • 2nd process of risk management
  • Involves prioritizing, evaluating and
    implementing controls
  • Options
    • Risk assumption
    • Risk avoidance
    • Risk limitation
    • Risk planning
    • Research and acknowledgment
    • Risk transference

20
Risk Mitigation
  • Strategy

21
Risk Mitigation
  • Control Implementation Approach
    • Step 1 - Prioritize actions
    • Step 2 - Evaluate recommended control options
    • Step 3 - Conduct cost-benefit analysis
    • Step 4 - Select control
    • Step 5 - Assign responsibility to implement
      control

22
Risk Mitigation
  • Control Implementation Approach
    • Step 6 - Develop Safeguard Implementation Plan
      (action plan)
      • Prioritizes implementation actions
      • Project start and target completion dates
    • Step 7 - Implement selected control(s)
      • Identify any residual risk

23
Risk Mitigation
  • Control Categories
    • Technical Security Controls
      • Supporting
        • Identification (of users, processes)
        • Cryptographic key management
        • Security administration
        • System protections

24
Risk Mitigation
  • Control Categories
    • Technical Security Controls
      • Preventive
        • Authentication (e.g. passwords, tokens)
        • Authorization (e.g. update vs. view)
        • Access control enforcement
        • Non-repudiation (e.g. digital certificate)
        • Protected communications (encryption)
        • Transaction privacy (e.g. SSL)

25
Risk Mitigation
  • Control Categories
    • Technical Security Controls
      • Detection and Recovery
        • Audit
        • Intrusion detection and containment
        • Proof of wholeness (e.g. system integrity tool)
        • Restore secure state
        • Virus detection and eradication

26
Risk Mitigation
  • Control Categories
    • Management Security Controls
      • Preventive
        • Assign security responsibility
        • Develop and maintain system security plans
        • Implement personnel security controls
        • Conduct security awareness training

27
Risk Mitigation
  • Control Categories
    • Management Security Controls
      • Detection
        • Implement personnel security controls
        • Conduct periodic review of controls
        • Perform periodic system audits
        • Conduct ongoing risk management
        • Authorize IT systems to address/accept residual
          risk

28
Risk Mitigation
  • Control Categories
    • Management Security Controls
      • Recovery
        • Develop, test and maintain continuity of
          operations plan
        • Establish incident response capability

29
Risk Mitigation
  • Control Categories
    • Operational Security Controls
      • Preventive
        • Control data media access and disposal
        • Limit external data distribution
        • Control software viruses
        • Safeguard computing facility
        • Secure wiring closets
        • Provide backup capability
        • Establish off-site storage
        • Protect laptops, PCs, workstations
        • Protect IT resources from fire damage
        • Provide emergency power
        • Control computing facility environment (HVAC)

30
Risk Mitigation
  • Control Categories
    • Operational Security Controls
      • Detection
        • Provide physical security (e.g. motion detectors,
          closed-circuit TV monitors)
        • Ensure environmental security (e.g. smoke and
          fire detectors)

31
Risk Mitigation
  • Cost-Benefit Analysis
    • Can be qualitative or quantitative
    • Purpose - demonstrate that the costs of implementing
      controls can be justified by the reduction in level
      of risk

32
Risk Mitigation
  • Residual Risk
    • Risk remaining after implementation of controls
    • If not reduced to an acceptable level, the risk
      management cycle must be repeated
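Slide 16 (Step 7: Risk Level = Threat Likelihood x Threat Impact, with a risk scale of descriptions and necessary actions), slide 31 (cost-benefit analysis) and slide 32 (residual risk) together describe one small computation. The Python below is an example added here; it is not code from the presentation or from NIST. The likelihood weights (1.0 / 0.5 / 0.1), impact weights (100 / 50 / 10) and the score bands of the risk scale (Low 1-10, Medium >10-50, High >50-100) follow the sample risk-level matrix in NIST SP 800-30 (2002) and do not appear on the slides; the necessary-action strings are paraphrases, and the finding, candidate controls, costs and acceptable-risk level are constructed sample values.

```python
"""Step 7 risk determination, cost-benefit analysis and residual risk.

Added example, not the presentation's or NIST's code. Likelihood weights
(1.0/0.5/0.1), impact weights (100/50/10) and the risk scale (Low 1-10,
Medium >10-50, High >50-100) follow the NIST SP 800-30 (2002) sample matrix
and are not on the slides; all other values are constructed samples.
"""
from dataclasses import dataclass
from typing import List, Optional

LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_WEIGHT = {"High": 100, "Medium": 50, "Low": 10}
LEVEL_ORDER = {"Low": 0, "Medium": 1, "High": 2}
# (level, exclusive lower bound of its score range, necessary action
# paraphrased from the SP 800-30 risk scale)
RISK_SCALE = [
    ("High", 50, "Corrective measures are needed as soon as possible"),
    ("Medium", 10, "Corrective actions are needed within a reasonable period"),
    ("Low", 0, "Authorizing official decides whether to correct or accept"),
]

def risk_score(likelihood: str, impact: str) -> float:
    """Risk Level = Threat Likelihood x Threat Impact (rounded so 0.1 x 100
    lands exactly on the Low/Medium boundary instead of a hair above it)."""
    return round(LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact], 6)

def risk_level(score: float) -> str:
    """Map a score onto the risk scale: first band whose lower bound it exceeds."""
    for level, lower_bound, _ in RISK_SCALE:
        if score > lower_bound:
            return level
    return "Low"

def necessary_action(level: str) -> str:
    return next(action for name, _, action in RISK_SCALE if name == level)

def risk_level_matrix():
    """The 3x3 Risk-Level Matrix: (likelihood, impact) -> (score, level)."""
    matrix = {}
    for likelihood in LIKELIHOOD_WEIGHT:
        for impact in IMPACT_WEIGHT:
            score = risk_score(likelihood, impact)
            matrix[(likelihood, impact)] = (score, risk_level(score))
    return matrix

@dataclass
class Finding:
    threat_source: str
    vulnerability: str
    likelihood: str  # Step 5 rating: High / Medium / Low
    impact: str      # Step 6 rating: High / Medium / Low

@dataclass
class Control:
    name: str
    cost: float            # implementation cost, constructed units
    likelihood_after: str  # likelihood re-rated with the control in place
    impact_after: str      # impact re-rated with the control in place

@dataclass
class Decision:
    control: Optional[str]  # None: no option reaches the acceptable level
    residual_score: float
    residual_level: str
    action: str

def select_control(finding: Finding, options: List[Control],
                   acceptable: str = "Low") -> Decision:
    """Cost-benefit analysis plus residual-risk check: a control is justified
    only if the residual risk it leaves is at or below the acceptable level;
    the cheapest justified control wins. With none justified, control is None
    and the risk management cycle must be repeated with other options."""
    justified = []
    for ctl in options:
        residual = risk_score(ctl.likelihood_after, ctl.impact_after)
        if LEVEL_ORDER[risk_level(residual)] <= LEVEL_ORDER[acceptable]:
            justified.append((ctl.cost, residual, ctl))
    if not justified:
        score = risk_score(finding.likelihood, finding.impact)
        return Decision(None, score, risk_level(score),
                        "Repeat the risk management cycle with other options")
    _, residual, ctl = min(justified, key=lambda item: item[0])
    level = risk_level(residual)
    return Decision(ctl.name, residual, level, necessary_action(level))

# Constructed sample finding and candidate controls (not from the slides).
SAMPLE_FINDING = Finding("External attacker", "Unpatched service on a public host",
                         "High", "High")
SAMPLE_CONTROLS = [
    Control("Apply vendor patch", 5, "Low", "High"),
    Control("Deploy intrusion detection", 40, "Medium", "High"),
    Control("Segment host from internal network", 20, "Low", "Medium"),
]

if __name__ == "__main__":
    for (lk, im), (score, level) in risk_level_matrix().items():
        print(f"likelihood={lk:6} impact={im:6} -> {score:6.1f} {level}")
    print(select_control(SAMPLE_FINDING, SAMPLE_CONTROLS))
```

With the sample values the finding scores 100 (High); the patch leaves residual risk 10 (Low) at the lowest cost and is selected, whereas intrusion detection alone leaves 50 (Medium), which is only acceptable if the organization's acceptable level is raised to Medium. Re-rating likelihood and impact after each control is the step that turns the Step 7 matrix into a residual-risk check.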

33
Evaluation and Assessment
  • Good Security Practice
    • Should have a specific schedule for repeating the
      risk assessment process
    • Should be flexible to allow for major system and
      processing changes
  • Keys for success
    • Senior management commitment
    • Support and participation of IT team
    • Competence of risk assessment team
    • Awareness and cooperation of user community
    • Ongoing evaluation and assessment

34
Appendices
  • Sample IT system assessment questions
  • Sample risk assessment report outline
  • Sample safeguard implementation plan (action
    plan) summary table
  • Acronyms
  • Glossary
  • References