Developing an Information Technology Risk Management Program - PowerPoint PPT Presentation

About This Presentation
Title:

Developing an Information Technology Risk Management Program

Description:

SP 800-26 Security Self-Assessment Guide for Information Technology Systems ... each recommendation as you try to improve your information security program ... – PowerPoint PPT presentation

Number of Views:1316
Avg rating:5.0/5.0
Slides: 212
Provided by: PaulRas9
Transcript and Presenter's Notes

1
Developing an Information Technology Risk
Management Program
  • Training for DHHS Information Security Officials
    and Backup Security Officials

2
What this training covers . . .
  • What Risk Management means
  • What NIST says you should do
  • What ISO 17799 says you should do
  • What COBIT says you should do
  • What Microsoft says you should do
  • What HIPAA says you should do
  • What NC ITS says you should do
  • What DHHS says you should do
  • What you should do and when to do it

3
Risk
  • "Take calculated risks. That is quite different
    from being rash." - General George S. Patton
  • "Only those who risk going too far can possibly
    find out how far they can go." - T.S. Eliot
  • "Of course you have to go out on a limb
    sometimes; that's where the fruit is." - Unknown

4
Information Security
is
the protection of data against unauthorized
access or modification
5
What is Risk?
  • Risk is the net mission impact considering both
    the likelihood that a particular threat-source
    will exercise (accidentally trigger or
    intentionally exploit) a particular information
    system vulnerability, and the resulting impact on
    the organization if this should occur (NIST)
  • Risk is the probability of a vulnerability being
    exploited in the current environment, leading to
    a degree of loss of confidentiality, integrity,
    or availability, of an asset. (Microsoft)

6
What is Risk Management?
  • The total process of identifying, controlling,
    and minimizing information system related risks
    to a level commensurate with the value of the
    assets protected
  • The goal of a risk management program is to
    protect the organization and its ability to
    perform its mission from IT-related risk

7
Risk Management is the Keystone of Information
Security
8
Golden and Silver Rules of RM
All risk is owned!
Risk that is not assigned is owned by the
organization's Director
9
Why are we doing this?
  • Why do we do risk management?
  • Why does a car have brakes?

A car has brakes so it can go fast
We do risk management so we can take risks
An organization that can take advantage of
opportunities (and the inherent risks) will
outlast an organization which cannot
10
Reactive Risk Management
  • Protect human life and people's safety
  • Contain the damage
  • Assess the damage
  • Determine the cause of the damage
  • Repair the damage
  • Review response, and update policies

11
Proactive Risk Management
[Diagram of security concepts joined by labelled arrows;
the arrow labels read as follows]
  • Owners value Assets, wish to minimize Risk, and
    impose Controls
  • Controls reduce Risk, and may possess
    Vulnerabilities
  • Vulnerabilities may be reduced by Controls, and
    lead to Risk
  • Threat Sources may be aware of Vulnerabilities,
    give rise to Threats, and wish to abuse and/or
    may damage Assets
  • Threats exploit Vulnerabilities, increase Risk,
    and are Threats to Assets
  • Risk is to Assets
12
Proactive Risk Management
[Diagram from slide 11 repeated: Owners, Controls,
Vulnerabilities, Threat Sources, Risk, Threats, Assets]
13
What Assets are we Protecting?
  • Servers
  • Desktop Computers
  • Laptops and PDAs
  • Switches and Routers
  • Application software
  • Development Tools
  • Source Code
  • VPN Access
  • Backup Tapes
  • Email
  • Data Integrity
  • All Files on the Server
  • Consumer Information
  • Network Infrastructure
  • DHCP
  • Web Site Availability
  • Reputation
  • Employee Morale

14
Proactive Risk Management
[Diagram from slide 11 repeated: Owners, Controls,
Vulnerabilities, Threat Sources, Risk, Threats, Assets]
15
Protecting From What Threats?
  • Human Threats: Carelessness, Shoulder Surfing,
    User Abuse, Sabotage, Arson, Data Entry Errors,
    Intentional and Unintentional Procedure
    Violations
  • Technical Threats: Takeover of authorized
    session, Intrusion, Keystroke Eavesdropping,
    System Failure, Saturation of Resources
  • Environmental Threats: Fire, Earthquake,
    Hurricane, Tornado, Cable Cuts, Power
    Fluctuation, Hazardous Material Accident,
    Overheating

16
Proactive Risk Management
[Diagram from slide 11 repeated: Owners, Controls,
Vulnerabilities, Threat Sources, Risk, Threats, Assets]
17
Threats to What Vulnerabilities?
  • Unlocked doors
  • Unlocked windows
  • Misconfigured systems
  • Missing patches
  • Antivirus out-of-date
  • Poorly written apps
  • Vendor backdoors
  • Spyware
  • Software Configuration
  • Systems not monitored
  • Unnecessary protocols
  • Poorly defined procedures
  • Stolen credentials
  • Poor password protection
  • Poor Disaster Recovery
  • Violations not reported

18
Proactive Risk Management
[Diagram from slide 11 repeated: Owners, Controls,
Vulnerabilities, Threat Sources, Risk, Threats, Assets]
19
Vulnerabilities Protected by What Security
Controls?
20
Proactive Risk Management
[Diagram from slide 11 repeated in full; the arrow
labels read as follows]
  • Owners value Assets, wish to minimize Risk, and
    impose Controls
  • Controls reduce Risk, and may possess
    Vulnerabilities
  • Vulnerabilities may be reduced by Controls, and
    lead to Risk
  • Threat Sources may be aware of Vulnerabilities,
    give rise to Threats, and wish to abuse and/or
    may damage Assets
  • Threats exploit Vulnerabilities, increase Risk,
    and are Threats to Assets
  • Risk is to Assets
21
Two Approaches to Risk Assessment
1) Quantitative Risk Assessment
  • Value your assets
  • Determine the SLE (Single Loss Expectancy): the
    total amount lost from a single occurrence of
    the risk
  • Determine the ARO (Annual Rate of Occurrence):
    the number of times you expect the risk to occur
    during one year
  • Determine the ALE (Annual Loss Expectancy): the
    amount you will lose in one year if the risk is
    not mitigated
  • Determine the ROSI (Return On Security
    Investment): ROSI = (ALE before control) - (ALE
    after control) - (annual cost of control)

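The quantitative chain above, carried through in Python as an added worked example (not code from the slides or from DHHS). The slide gives SLE, ARO, ALE and ROSI in words; the two formulas SLE = asset value × exposure factor and ALE = SLE × ARO are the standard textbook definitions and are assumptions here, as are the constructed dollar figures and the hypothetical laptop-encryption control:

```python
"""Quantitative risk assessment: asset value -> SLE -> ARO -> ALE -> ROSI.

Added illustration, not from the slides. Assumed definitions:
  SLE = asset value x exposure factor (fraction of value lost per occurrence)
  ALE = SLE x ARO
ROSI is exactly the slide's formula. All figures are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # dollars (constructed)
    exposure_factor: float  # 0.0..1.0, share of value lost per occurrence (assumption)
    aro: float              # Annual Rate of Occurrence


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: total amount lost from a single occurrence of the risk."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE: amount you will lose in one year if the risk is not mitigated."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def ale_for(risk: Risk) -> float:
    """ALE of one register entry."""
    return annual_loss_expectancy(
        single_loss_expectancy(risk.asset_value, risk.exposure_factor), risk.aro)


def rosi(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """ROSI as the slide defines it:
    (ALE before control) - (ALE after control) - (annual cost of control)."""
    return ale_before - ale_after - annual_control_cost


def rank_by_ale(risks):
    """Quantitative assessment prioritizes risks by financial value: highest ALE first."""
    return sorted(risks, key=ale_for, reverse=True)


# Constructed sample risk register (illustrative numbers only).
SAMPLE_RISKS = [
    Risk("Laptop theft exposing consumer data", asset_value=400_000, exposure_factor=0.25, aro=2.0),
    Risk("Backup tape loss", asset_value=250_000, exposure_factor=0.5, aro=0.2),
    Risk("Web site outage", asset_value=120_000, exposure_factor=0.1, aro=6.0),
]


def evaluate_laptop_encryption() -> float:
    """ROSI of a hypothetical control: full-disk encryption on laptops.
    Assumes the control cuts the exposure factor of a stolen laptop to 0.02
    (the data is unreadable) and costs $15,000 per year."""
    before = SAMPLE_RISKS[0]
    after = Risk(before.name, before.asset_value, 0.02, before.aro)
    return rosi(ale_for(before), ale_for(after), 15_000)


if __name__ == "__main__":
    for r in rank_by_ale(SAMPLE_RISKS):
        print(f"{r.name:40s} ALE = ${ale_for(r):>10,.0f}")
    print(f"ROSI of laptop encryption: ${evaluate_laptop_encryption():,.0f}")
```

With these constructed inputs the laptop risk tops the ranking at an ALE of $200,000, and the encryption control returns $169,000 a year after its own cost; a negative ROSI is the signal that the control costs more than the risk reduction it buys.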
22
Two Approaches to Risk Assessment
2) Qualitative Risk Assessment
  • Estimate relative values
  • Determine what threats each asset may be facing
  • Determine what vulnerabilities those threats
    might exploit in the future
  • Determine controls which will mitigate the risks,
    and the approximate cost of each control
  • Management performs a cost-benefit analysis on
    the results

23
Comparing the Two Approaches: the Benefits
Quantitative
  • Risks and assets are prioritized by financial
    values
  • Results facilitate management of risk by Return
    on Security Investment
  • Results expressed in terms management understands
    ($)
  • Accuracy tends to increase over time
Qualitative
  • Enables visibility and understanding of risk
    ranking
  • Easier to reach consensus
  • Not necessary to quantify threat frequency or
    determine financial value of assets
  • Easier to involve people who are not experts on
    security or computers

24
Comparing the Two Approaches: the Drawbacks
Quantitative
  • Impact values assigned to risks are based on
    subjective opinion
  • Very time-consuming
  • Calculations can be very complex
  • Results are presented only in monetary terms, and
    can be difficult for non-technical people to
    interpret
  • Process requires expertise
Qualitative
  • Insufficient differentiation between important
    risks
  • Difficult to justify investing in control
    implementation when there is no basis for a
    cost-benefit analysis
  • Results are dependent on the quality of the Risk
    Management Team that is created

25
Effective Risk Management
[Diagram: Threats on one side, Potential Damage on
the other, with Controls standing between them]
Threats
  • Malicious attacks
  • Sabotage
  • Attempts to access private information
  • Natural disasters
  • User error
  • Fraud
  • Pranks
Controls: Protecting Data, Applications, LAN and
Workstations
Potential Damage
  • Sensitive information disclosed
  • Services and benefits interrupted
  • Integrity of data and reports compromised
  • Assets lost
  • Public's loss of confidence
  • Failure to meet contractual obligations
  • Critical operations halted
26
Know what to do now?
27
Who Wants to Help You?
28
NIST - The National Institute of Standards and
Technology
  • NIST is a non-regulatory Federal agency with the
    mission of developing and promoting measurement,
    standards and technology to enhance productivity
    and improve quality of life
  • They invent: an atomic clock, a cement-like
    substance that promotes bone regrowth
  • They develop: software for the 170 VA
    hospitals, complex computational models
  • They set standards: weights and measures,
    cholesterol testing, and . . .

Information Security
29
Pertinent NIST Publications
  • SP 800-12: An Introduction to Computer Security:
    The NIST Handbook
  • SP 800-18: Guide for Developing Security Plans
    for Information Technology Systems
  • SP 800-26: Security Self-Assessment Guide for
    Information Technology Systems
  • SP 800-30: Risk Management Guide for Information
    Technology Systems

30
NIST Says: It's a Management Function
  • The goal of Risk Management is to protect the
    organization and its ability to perform its
    mission
  • The focus is the mission, not IT assets
  • Risk Management, therefore, is an essential
    management function of the organization

31
NIST Says: Risk Management has Three Parts
  • Risk Assessment - Determining where risks lie,
    and how big they are
  • Risk Mitigation - Prioritizing, evaluating, and
    implementing appropriate risk-reducing controls
  • Evaluation and Assessment - Since Risk Management
    is continuous and evolving, the past year's Risk
    Management efforts should be assessed and
    evaluated prior to beginning the cycle again

32
Risk Management Process
[Diagram: a cycle of three questions and the part of
the process that answers each]
  • What is my risk? - Risk Assessment
  • What will I do about it? - Risk Mitigation
  • How did I do? - RM Evaluation
33
National Institute of Standards and Technology SP
800-30: The Ten Steps of Risk Assessment
  • System Characterization
  • Threat Identification
  • Vulnerability Identification
  • Control Analysis
  • Identify Threat-source/Vulnerability Pairs
  • Likelihood Determination
  • Impact Analysis
  • Risk Determination
  • Control Recommendations
  • Results Documentation

34
Risk Management Process
[Diagram from slide 32 repeated, with Risk Mitigation
highlighted]
  • What is my risk? - Risk Assessment
  • What will I do about it? - Risk Mitigation
35
Risk Mitigation
  • Risk Mitigation is the process of identifying
    areas of risk that are unacceptable and
    estimating countermeasures, costs and resources
    to be implemented as a measure to reduce the
    level of risk
  • Determining appropriate risk-reducing controls
    is a job for your Risk Management Committee

36
What is Acceptable Risk?
  • Setting your agency's risk appetite is up to
    your Director and Senior Management
  • Because elimination of all risk is impossible, we
    must use the least-cost approach and implement
    the most appropriate controls to decrease mission
    risk to an acceptable level, with minimal adverse
    impact on the organization's resources and mission

37
Risk Mitigation Options
  • Assume the Risk: Accept the risk and continue
    operating (how big is your appetite?)
  • Avoid the Risk: Stop running the program or
    sharing the data
  • Transfer the Risk: Use options to compensate for
    the loss, such as insurance
  • Lessen the Risk: Implement controls that lessen
    the impact or lower the likelihood

38
Risk Mitigation Methodology
  • Prioritize based on risk levels presented
  • Evaluate recommended control options
  • Conduct a cost-benefit analysis
  • Select additional controls, as necessary
  • Assign responsibility
  • Develop an action plan, if necessary
  • Implement the selected controls

39
Cost-Benefit Analysis
  • If control reduces risk more than needed, see if
    a less expensive alternative exists
  • If control would cost more than the risk
    reduction provided, then find something else
  • If control does not reduce risk sufficiently,
    look for more controls or a different control
  • If control provides enough risk reduction and is
    cost-effective, then use it

40
Residual Risk
  • The risk remaining after the implementation of
    new or enhanced controls is the residual risk
  • If the residual risk has not been reduced to an
    acceptable level, the risk management cycle must
    be repeated to identify a way of lowering the
    residual risk to an acceptable level
  • Understand that no IT system can be risk-free

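The four cost-benefit rules on slide 39 and the residual-risk rule on slide 40, encoded as a control-screening routine. This is an added example, not code from the slides or from DHHS; it assumes that risk is expressed as ALE in dollars, that the agency's acceptable level (its risk appetite) is given as an ALE ceiling, that a control is "cost-effective" when its annual cost does not exceed the ALE reduction it buys, and that "reduces risk more than needed" means leaving residual risk well below the ceiling (the overshoot margin is a tunable assumption). The candidate controls and figures are constructed:

```python
"""Cost-benefit screening of candidate controls and residual-risk check.

Added illustration, not from the slides. Risk is measured as ALE in dollars;
acceptable_ale is the agency's risk appetite expressed as an ALE ceiling.
All candidates and numbers below are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    USE = "provides enough risk reduction and is cost-effective: use it"
    NOT_COST_EFFECTIVE = "costs more than the risk reduction it provides: find something else"
    INSUFFICIENT = "does not reduce risk sufficiently: look for more or different controls"
    OVERSHOOT = "reduces risk more than needed: see if a less expensive alternative exists"


@dataclass(frozen=True)
class Control:
    name: str
    ale_after: float     # ALE remaining if this control is implemented (constructed)
    annual_cost: float   # annual cost of the control (constructed)


def screen(control: Control, ale_before: float, acceptable_ale: float,
           overshoot_margin: float = 0.5) -> Verdict:
    """Apply the slide's four rules to one control.

    Checks run in order: not cost-effective, then insufficient, then overshoot.
    overshoot_margin is an assumption: residual ALE below
    (1 - margin) x acceptable_ale counts as reducing risk more than needed.
    """
    reduction = ale_before - control.ale_after
    if control.annual_cost > reduction:
        return Verdict.NOT_COST_EFFECTIVE
    if control.ale_after > acceptable_ale:
        return Verdict.INSUFFICIENT
    if control.ale_after < acceptable_ale * (1.0 - overshoot_margin):
        return Verdict.OVERSHOOT
    return Verdict.USE


def select_control(candidates, ale_before: float, acceptable_ale: float):
    """Pick the cheapest control that is both sufficient and cost-effective.

    An OVERSHOOT control stays eligible: choosing the cheapest eligible one is
    the "see if a less expensive alternative exists" check in practice.
    Returns (control, residual_ale), or (None, ale_before) when no candidate
    qualifies and the risk management cycle must be repeated.
    """
    usable = [c for c in candidates
              if screen(c, ale_before, acceptable_ale) in (Verdict.USE, Verdict.OVERSHOOT)]
    if not usable:
        return None, ale_before
    best = min(usable, key=lambda c: c.annual_cost)
    return best, best.ale_after


def residual_risk_acceptable(residual_ale: float, acceptable_ale: float) -> bool:
    """Residual risk rule: if what remains is still above the acceptable
    level, the cycle must be repeated to find a way of lowering it."""
    return residual_ale <= acceptable_ale


# Constructed scenario: ALE before any new control $200,000; appetite $40,000/year.
ALE_BEFORE = 200_000.0
ACCEPTABLE_ALE = 40_000.0
CANDIDATES = [
    Control("Awareness poster campaign", ale_after=150_000.0, annual_cost=2_000.0),
    Control("Full-disk encryption on laptops", ale_after=30_000.0, annual_cost=15_000.0),
    Control("Encryption plus 24x7 tracking service", ale_after=5_000.0, annual_cost=60_000.0),
    Control("Enterprise DLP suite", ale_after=35_000.0, annual_cost=190_000.0),
]


if __name__ == "__main__":
    for c in CANDIDATES:
        print(f"{c.name:40s} -> {screen(c, ALE_BEFORE, ACCEPTABLE_ALE).value}")
    chosen, residual = select_control(CANDIDATES, ALE_BEFORE, ACCEPTABLE_ALE)
    print("selected:", chosen.name if chosen else "none; repeat the cycle")
    print("residual ALE:", residual,
          "acceptable:", residual_risk_acceptable(residual, ACCEPTABLE_ALE))
```

In the constructed scenario the poster campaign is cheap but insufficient, the DLP suite costs more than the risk it removes, the tracking service overshoots, and full-disk encryption is selected with a residual ALE of $30,000, below the $40,000 appetite. Removing the encryption option from the list shows the other branch: nothing qualifies, the residual stays at $200,000 and the cycle has to be repeated.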
41
Risk Management Process
[Diagram from slide 32 repeated, with RM Evaluation
highlighted]
  • What is my risk? - Risk Assessment
  • What will I do about it? - Risk Mitigation
  • How did I do? - RM Evaluation
42
Evaluation and Assessment
  • People, systems, and networks change, so risk
    management must be ongoing
  • Federal agencies must conduct risk management at
    least every three years
  • Stay flexible to allow changes when warranted

43
NIST Says: Good Risk Management Depends Upon
  • Senior management's commitment
  • Support of the IT Team
  • Competence of the Risk Management Committee
  • Cooperation and education of the users
  • Ongoing assessment of IT-related mission risks

44
Who Wants to Help You?
45
ISO - International Organization for
Standardization
  • In the late 1990s, the British Standards
    Institution (BSI) developed a program to accredit
    auditing firms, called BS 7799
  • When demand grew quickly for an information
    security standard, the ISO (International
    Organization for Standardization) adapted 7799
    and released Part 1 in 2000 as ISO 17799
  • ISO 17799 defines a set of recommended
    information security management practices

46
On-line Purchases of ISO 17799
[Chart of purchases; the slice values 35, 18, 9, 9, 6
and the label "Others 9" survive, the other labels
do not]
47
ISO 17799 A Set of Recommendations
  • ISO does not expect you to apply every piece of
    the standard
  • Instead ISO suggests that you consider each
    recommendation as you try to improve your
    information security program
  • If a particular recommendation helps you address
    an important security need, then accept it
    otherwise, ignore it

48
ISO 17799 Says: First, Understand
Perfect security may be achievable only for
networkless servers located in rooms without
doors in stone buildings without people on high
ground with no earth faults in areas with very
little rain
49
10 Key Contexts of ISO 17799
[Diagram: the ten contexts arranged around
Information, with its Integrity, Confidentiality and
Availability at the centre]
  • Security policy
  • Organizational security
  • Compliance
  • Asset classification and control
  • Business continuity management
  • Personnel security
  • Systems development and maintenance
  • Access control
  • Physical and environmental security
  • Communications and operations management
50
ISO 17799 Deliverables
51
ISO 17799's Information Security Management
Process
  • Obtain Upper Management Support
  • Define Security Perimeter
  • Create Information Security Policy
  • Create Info Security Management System
  • Perform Risk Assessment
  • Select and Implement Controls
  • Document in Statement of Accountability
  • Audit

52
ISO 17799 Risk Assessment Steps
  • Identify assets within the security perimeter
  • Identify threats to the assets
  • Identify vulnerabilities to the assets
  • Determine realistic probability

53
ISO's Probability of Event Scale
54
ISO 17799 Risk Assessment Steps
  • Identify assets within the security perimeter
  • Identify threats to the assets
  • Identify vulnerabilities to the assets
  • Determine realistic probability
  • Calculate harm

55
ISO's Harm of Event Scale
56
ISO 17799 Risk Assessment Steps
  • Identify assets within the security perimeter
  • Identify threats to the assets
  • Identify vulnerabilities to the assets
  • Determine realistic probability
  • Calculate harm
  • Calculate risk (probability × harm)

57
ISO's Risk Scale
58
ISO 17799's Information Security Management
Process
  • Obtain Upper Management Support
  • Define Security Perimeter
  • Create Information Security Policy
  • Create Info Security Management System
  • Perform Risk Assessment
  • Select and Implement Controls
  • Document in Statement of Accountability
  • Audit

59
Who Wants to Help You?
60
COBIT - Control Objectives for Information and
related Technology
  • Created by the Information Systems Audit and
    Control Association (ISACA) and the IT Governance
    Institute (ITGI)
  • The first edition was published in 1996, the
    second in 1998, the third in 2000, and the
    on-line edition became available in 2003
  • Recently found favor due to Enron scandal and the
    subsequent passage of the Sarbanes-Oxley Act

61
What COBIT Says You Should Do
  • COBIT looks at information that is needed to
    support business requirements and the associated
    IT resources and processes
  • COBIT has 34 high level objectives that cover 318
    control objectives, categorized in four domains
  • 1) Planning and Organization
    2) Acquisition and Implementation
    3) Delivery and Support
    4) Monitor

62
High Level Objectives: COBIT Planning and
Organization
63
High Level Objectives: COBIT Acquisition and
Implementation
64
High Level Objectives: COBIT Delivery and Support
65
High Level Objectives: COBIT Monitor
66
Who Wants to Help You?
67
Microsoft Says . . . Successful Risk Management
Requires
  • Executive sponsorship
  • A well-defined list of RM stakeholders
  • Organizational maturity in terms of RM
  • An atmosphere of open communication
  • A spirit of teamwork
  • A holistic view of the organization
  • Security Risk Management Team authority

68
Microsoft Says . . . Risk Management Has Four Phases
  • Assessing Risk: Triage an entire list of
    security risks, identifying the most important
  • Conducting Decision Support: Potential control
    solutions are evaluated, and the best are
    recommended for mitigating top risks
  • Implementing Controls: Control solutions are put
    in place
  • Measuring Program Effectiveness: Checking to
    make sure that the controls are providing the
    expected protection

69
From Microsoft's Security Risk Management Guide,
Chapter 2
70
Microsoft Says . . . Assessing Risk Phase has Three
Steps
  • Planning: Align your annual process with your
    budget; specify your scope; identify and pre-sell
    stakeholders; embrace subjectivity
  • Facilitated Data Gathering: Identify tangible
    and intangible assets, threats, vulnerabilities,
    existing controls, probable impact
  • Risk Prioritization: Determine probabilities,
    and combine impact with probability to produce a
    risk statement

71
Microsoft Says . . . Conducting Decision Support
Phase
  • Determine functional requirements
  • Identify combinations of controls
    (Organizational, Operational, Technological)
  • Compare proposed controls to functional
    requirements
  • Calculate the probable overall risk reduction to
    the organization
  • Estimate the cost of each proposed control
  • Select which controls to implement

72
Microsoft Says . . . Implementing Controls Phase
Solid Building Structure
Good Network Design
Secure Wireless Segment
Disable LAN Services
Remove User Rights
Good Firewall Settings
Least Privilege Necessary
Small attack surface
Frequent Backups
Encryption
73
Microsoft Says . . . Measuring Program
Effectiveness Phase
  • Ongoing continues until next assessment phase
  • Should catch changes in the information systems
    environment, and in applications
  • Includes creating and maintaining a security risk
    scorecard that demonstrates the organizations
    current risk profile

74
From Microsoft's Security Risk Management Guide,
Chapter 2
75
Who Wants to Help You?
76
The Health Insurance Portability and
Accountability Act of 1996
Dance with HIPAA or Get Smushed!
77
HIPAA Says Covered Entities Must
Final Rule, Administrative Safeguards, 45 CFR
Part 164.306
  • Ensure the confidentiality, integrity and
    availability of all protected health information
    the covered entity creates, receives, maintains
    or transmits
  • Protect against any reasonably anticipated
    threats or hazards to the security or integrity
    of such information

78
HIPAA Security Specifications
Final Rule, Administrative Safeguards, 45 CFR
Part 164.308
  • Security Management Process: Implement policies
    and procedures to prevent, detect, contain and
    correct security violations - Standard (a)(1)(i)
  • Train workforce: Implement a security awareness
    and training program for all members of its
    workforce (including management) - Standard
    (a)(5)(i)

79
HIPAA Security Specifications
Final Rule, Administrative Safeguards, 45 CFR
Part 164.308
  • Information Systems Activity Review: Implement
    procedures to regularly review records of
    information system activity, such as audit logs,
    access reports, and security incident tracking
    reports - Standard (a)(1)(D)
  • Security Incident Procedures: Mitigate, to the
    extent practicable, harmful effects of security
    incidents that are known to the covered entity -
    Standard (a)(6)(2)

80
HIPAA Security Specifications
Final Rule, Administrative Safeguards, 45 CFR
Part 164.308
  • Risk Analysis: A covered entity must conduct an
    accurate and thorough assessment of the potential
    risks and vulnerabilities to the confidentiality,
    integrity, and availability of electronic PHI
    held by the covered entity - Standard (a)(1)(2)(A)
  • Risk Management: A covered entity must
    implement security measures sufficient to reduce
    risks and vulnerabilities to a reasonable and
    appropriate level - Standard (a)(1)(ii)(D)

81
. . . And Why You Should Do It
  • Civil Monetary Penalties for Non-Compliance:
    $100 per person per violation, up to $25,000 per
    person per year per violation (Section 1176)
  • Knowingly Misusing PHI - $50,000, 1 year
  • Misuse of PHI under False Pretenses - $100,000
    and up to 5 years
  • Misuse of PHI with Intent to Sell - $250,000
    and up to 10 years (Section 1777)

82
Because it's the Law!
83
Who Wants to Help You?
84
What NC ITS Says You Should Do
  • They say you should focus on four things
  • Identification of Risks
  • Analysis of Risks
  • Mitigation Planning
  • Tracking and Controlling Risks


Based on November 2004 Risk Management policy
issued by the State Chief Information Officer
85
NC ITS's Risk Management Program
  • Consists of two components: Pre-Risk Assessment,
    and Risk Assessment (three phases), explained in
    a Risk Management Guide: Phase I, Identify
    Risks; Phase II, Analyze Risks; Phase III,
    Manage Risks
  • Heavily uses the NIST rating scale: Low =
    Limited adverse effect on agency; Moderate =
    Serious adverse effect; High = Severe or
    catastrophic adverse effect

86
NC ITS's RM Pre-Risk Assessment
  • Review lines of business service that have
    automated systems that support the business
    service
  • Determine if critical infrastructures are
    involved, or if there are critical infrastructure
    dependencies
  • Complete the Pre-Risk Assessment form

87
NC ITS's RM Phase I
  • A Facilitator leads a team of people responsible
    for delivery of a particular line of business
    through completing the Phase I Questions of the
    ITS Risk Assessment Questionnaire
  • If the final score is Low, the risk assessment
    process ends
  • If the final score is Moderate or High,
    proceed to Phase II for additional analysis

88
NC ITS's RM Phase II
  • A Facilitator leads a team of people
    knowledgeable in the particular line of business
    through the Phase II Questions of the ITS Risk
    Assessment Questionnaire
  • If the final score is Low, the risk assessment
    process ends
  • If the final score is Moderate or High,
    proceed to Phase III for mitigation

89
NC ITS's RM Phase III
  • A Facilitator leads appropriate managers and
    staff through an analysis that focuses on
    mitigation
  • The team identifies options to mitigate the risk,
    analyzes the cost implications, determines the
    benefits, and balances the cost of implementing
    each option against the benefits derived from it
  • The result is completion of the Risk Analysis
    Results Mitigation Plans form found in the ITS
    Risk Assessment Questionnaire

90
NC ITS's Risk Management Training
  • On March 31, 2004, ITS and its vendor partner,
    Strohl Systems, presented a two-hour agency
    training session (introduced by Ann Garrett)
    which covered both Business Impact Analysis and
    Risk Management
  • Let's fast forward and view the Risk Management
    part of the PowerPoint slide show presented there
  • Let's try working through an example

91
Pre-Risk Assessment Form
  • Line of Business: Pharmacy
  • Business Process Owner: Pharmacy Director
  • Automated System Supporting: MCPlus
  • Critical Infrastructure: Linux Server
  • Critical Dependencies: Vendor

92
Risk Assessment Questionnaire
  • 20 Phase I Questions (Q1 - Q19)
  • If one or more questions are answered as
    Moderate or High, then proceed to Phase II
    questions
  • 65 Phase II Questions (Q1 - Q25)
  • If one or more questions (except for Q3) are
    answered as Moderate or High, then proceed to
    Phase III
  • Let's try to fill out the Mitigation Plan now

93
Who Wants to Help You?
94
What DHHS Says You Should Do
(Based on June 15, 2005 DHHS Risk Management Policy)
  • Assign responsibility for managing risk to senior
    management
  • Provide a mechanism for tracking and reporting
    risks
  • Identify system threats in the environment
  • Identify system vulnerabilities the threats could
    attack
  • Identify current security controls
  • Identify current security gaps

95
DHHS Risk Management Policy, June 15, 2005: More
Things DHHS Says to Do
  • Ensure that every risk has at least one owner
  • Develop the responses or controls necessary to
    mitigate identified and reported risks
  • Assess the probability of risks occurring and
    their potential impact
  • Identify the risks associated with critical
    processes in the workflow
  • Identify security controls currently implemented
  • Provide an analysis of risks

96
DHHS Risk Management Policy, June 15, 2005: Even
More Things DHHS Says to Do
  • Ensure that Risk Management is an intrinsic part
    of operations
  • Keep Risk Management policies and procedures
    current
  • Perform an analysis to evaluate risk mitigation
    actions taken, and to determine further steps
  • Respond to changes in risks, and take corrective
    action as needed

97
DHHS Information Security Management Policy,
June 15, 2005: Even More Things DHHS Says to Do
  • Implement a systematic, analytical and continuous
    risk management program for information systems
  • Ensure that risk identification, analysis and
    mitigation activities are performed
  • Ensure that risk assessments are performed
    periodically to evaluate effectiveness of
    existing controls
  • Define strategies and mitigate risks to
    acceptable levels

98
DHHS Says to Address Risks by
  • Risk Reduction: Implement measures to alter the
    risk position of an asset
  • Risk Transference: Assign or transfer the
    potential cost of the loss to another party
  • Risk Acceptance: Accept the level of loss that
    will occur and be prepared to absorb the loss

99
Confused Yet?
ISO 17799
HIPAA
DHHS
NIST
What you thought you knew
Microsoft
COBIT
100
Who Provides Us with the Most Help?
101
NIST Says: Risk Management has Three Parts
  • Risk Assessment - Determining where risks lie,
    and how big they are
  • Risk Mitigation - Prioritizing, evaluating, and
    implementing appropriate risk-reducing controls
  • Evaluation and Assessment - Since Risk Management
    is continuous and evolving, the past year's Risk
    Management efforts should be assessed and
    evaluated prior to beginning the cycle again

102
Risk Management Process
[Diagram from slide 32 repeated]
  • What is my risk? - Risk Assessment
  • What will I do about it? - Risk Mitigation
  • How did I do? - RM Evaluation
103
National Institute of Standards and Technology SP
800-30: The Ten Steps of Risk Assessment
  • System Characterization
  • Threat Identification
  • Vulnerability Identification
  • Control Analysis
  • Identify Threat-source/Vulnerability Pairs
  • Likelihood Determination
  • Impact Analysis
  • Risk Determination
  • Control Recommendations
  • Results Documentation

White Lie
104
1) System Characterization
  • Define the boundaries of the IT system you are
    addressing, along with the resources and the
    information that constitute the system, setting
    the scope of the assessment effort
  • Methods of gathering system characterization
    information include the use of questionnaires,
    interviews, and automatic scanning tools
  • Output 1: A system characterization paragraph

105
2) Threat Identification
  • A threat is the potential for a particular
    threat-source to successfully exercise a
    particular vulnerability
  • A threat-source is any circumstance or event with
    the potential to cause harm to an IT system
  • A vulnerability is a weakness that can be
    accidentally triggered or intentionally exploited

106
Two Types of Threat-Sources
  • Intent and method targeted at the intentional
    exploitation of a vulnerability
  • A situation and method that may accidentally
    trigger a vulnerability

107
Common Threat-Sources
  • Natural Threats: Floods, earthquakes, tornadoes,
    electrical storms, landslides, avalanches, etc.
  • Human Threats: Events either enabled or caused
    by human beings, including both unintentional
    acts (inadvertent data entry) and deliberate
    actions (unauthorized access)
  • Environmental Threats: Long-term power failure,
    pollution, chemicals, liquid leakage

108
Threat-Source Identification
  • Humans are the most dangerous threat-source
  • For each type of human threat-source, estimate
    the motivation, resources, and capabilities that
    may be required to carry out a successful attack
    (to be used during the Likelihood Determination
    phase)
  • Output 2: A list of threats
  • Output 3: A chart showing motivation and
    necessary threat actions for human threats

109
3) Vulnerability Identification
  • A vulnerability is a flaw or weakness in system
    security procedures, design, implementation, or
    controls that could be exercised (accidentally
    triggered or intentionally exploited) and result
    in a security breach or a violation of an
    information security policy
  • Output 4: A list of vulnerabilities that could
    be exploited by the potential threat-sources

110
Where Vulnerabilities are Found
  • Hardware Configuration: Servers, Workstations,
    Routers, Switches, Firewalls
  • Software Applications: How installed, Where
    installed, Rights granted
  • IS Policies and Procedures: How complete, How
    up-to-date, How well known
  • Humans: Procedures not being followed, Staff not
    being trained

111
How We Find Vulnerabilities
  • Hardware Configuration: Complete a System Risk
    Analysis form for each network component, arrange
    for penetration testing
  • Software Applications: Complete an Application
    Criticality and Risk Analysis form for each
    application
  • IS Policies and Procedures: Complete a review of
    the quality of your Information Security Policies
    and Procedures every year
  • Humans: Review log files, training records, and
    incident reports

112
4) Control Analysis
  • The goal of this step is to analyze the controls
    that have been implemented to minimize the
    likelihood of a threat exercising a vulnerability
  • Output 5: A list of controls currently in use by
    network hardware components
  • Output 6: A list of controls currently in use by
    applications

113
5) Threat-Source/Vulnerability Pairs
  • Considering the controls in place, what are the
    Threat-source/Vulnerability pairs which are of
    most concern?
  • A vulnerability with no threat-source is not a
    risk
  • A threat-source with no vulnerability is not a
    risk
  • Output 7: A list of Threat-source and
    Vulnerability pairs of concern

114
6) Likelihood Determination
  • A determination of the probability that a
    potential vulnerability will be exercised
  • When determining likelihood, consider:
  • Threat-source motivation and capability
  • The nature of the vulnerability
  • The existence and effectiveness of current
    controls

115
Likelihood Determination Results
  • Output 8: For each identified vulnerability, a
    determination of likelihood (H, M, or L)
  • High: The threat-source is highly motivated and
    sufficiently capable, and controls to prevent the
    vulnerability from being exercised are
    ineffective
  • Medium: The threat-source is motivated and
    capable, but controls are in place that may
    impede successful exercise of the vulnerability
  • Low: The threat-source lacks motivation or
    capability, or controls are in place to prevent
    or significantly impede exercising the
    vulnerability

116
7) Impact Analysis
  • Determine the adverse impact resulting from a
    successful threat exercise of each
    threat-source/vulnerability pair of concern

117
Adverse Impact Comes From
  • Loss of Integrity: Improper modification of data
  • Loss of Availability: System cannot be accessed
    or data cannot be located
  • Loss of Confidentiality: Information classified
    as sensitive is disclosed without authorization

118
Impact Analysis Needs
  • For an Impact Analysis we must know:
  • The organization's mission
  • The criticality of the data
  • The sensitivity of the data

Sensitivity is the sum of the potential injury
from a breakdown in confidentiality.
Criticality is the sum of the potential injury
from a breakdown in integrity and/or availability.
119
Impacts are High, Medium, or Low
  • Output 9: For each identified vulnerability, an
    estimation of the magnitude of probable impact
  • High: Exercise of the vulnerability may result
    in a highly costly loss or may significantly
    impede an organization's mission or reputation
  • Medium: Exercise of the vulnerability may result
    in a costly loss or may harm an organization's
    mission or reputation
  • Low: Exercise of the vulnerability may result in
    the loss of some assets, or may noticeably affect
    an organization's mission or reputation

120
8) Risk Determination
  • NIST says risk is the net mission impact
    considering both the likelihood that a particular
    threat-source will exercise (accidentally trigger
    or intentionally exploit) a particular
    information system vulnerability, and the
    resulting impact on the organization if this
    should occur
  • Likelihood x Impact = Risk

121
Use a Risk-Level Matrix
Risk Scale: High (>50 to 100), Medium (>10 to
50), Low (1 to 10)
122
Risk Scale and Necessary Actions
123
Assessing the Risk Level
  • Final determination of mission risk is derived by
    multiplying the threat likelihood and the threat
    impact scores
  • Output 10: A numeric risk score for each
    identified vulnerability/threat-source pair
  • The Vulnerability Analysis form can be used to
    capture this information

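The risk-level matrix described on the preceding slides, worked through as an added example (not part of the original training deck). High (1.0) and Low (0.1) likelihood and High (100) and Medium (50) impact are the values used in the scenario slides; Medium likelihood (0.5) and Low impact (10) are the NIST SP 800-30 values and are assumed here, as are the constructed `Observation` records built from the three scenarios.

```python
"""Risk determination (step 8): Risk = Likelihood x Impact, then placed on the
risk scale High (>50 to 100), Medium (>10 to 50), Low (1 to 10)."""
from dataclasses import dataclass
from itertools import product

# Likelihood weights. High (1.0) and Low (0.1) appear on the scenario slides;
# Medium (0.5) is the NIST SP 800-30 value and is assumed here.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
# Impact magnitudes. High (100) and Medium (50) appear on the scenario slides;
# Low (10) is the NIST SP 800-30 value and is assumed here.
IMPACT = {"High": 100, "Medium": 50, "Low": 10}
# Risk scale thresholds from the "Use a Risk-Level Matrix" slide.
HIGH_ABOVE, MEDIUM_ABOVE = 50, 10


def risk_score(likelihood: str, impact: str) -> float:
    """Output 10: numeric risk score for one threat-source/vulnerability pair."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 2)


def risk_level(score: float) -> str:
    """Place a score on the three-band scale. The bands are 'greater than',
    so a score of exactly 50 is Medium and exactly 10 is Low, which is why the
    scenario slides rate High x Medium as Medium and Low x High as Low."""
    if score > HIGH_ABOVE:
        return "High"
    if score > MEDIUM_ABOVE:
        return "Medium"
    return "Low"


def risk_level_matrix() -> dict:
    """The full 3x3 matrix: (likelihood, impact) -> (score, level)."""
    return {(l, i): (risk_score(l, i), risk_level(risk_score(l, i)))
            for l, i in product(LIKELIHOOD, IMPACT)}


@dataclass
class Observation:
    """One vulnerability/threat-source pair, as listed in the report summary.
    This record type is an assumption of the example, not a deck form."""
    number: int
    description: str
    likelihood: str
    impact: str

    @property
    def score(self) -> float:
        return risk_score(self.likelihood, self.impact)

    @property
    def level(self) -> str:
        return risk_level(self.score)


def prioritize(observations):
    """Mitigation methodology step 1: order observations by risk score, highest first."""
    return sorted(observations, key=lambda o: o.score, reverse=True)


def residual_risk(obs: Observation, likelihood=None, impact=None) -> float:
    """Score after a 'Lessen the Risk' control changes the likelihood and/or
    impact rating; compare the result with the agency's accepted risk level."""
    return risk_score(likelihood or obs.likelihood, impact or obs.impact)


# Constructed from the three scenario slides (sample data, not a deck artifact).
SCENARIOS = [
    Observation(1, "Dead limb could fall on my car", "High", "Medium"),
    Observation(2, "Big oak could fall on the server closet roof", "Low", "High"),
    Observation(3, "PHI shared with no Business Associate agreement", "Low", "High"),
]

if __name__ == "__main__":
    for o in prioritize(SCENARIOS):
        print(f"Obs {o.number}: {o.likelihood} x {o.impact} = {o.score} ({o.level})")
    # Scenario 1 after removing the limb: likelihood drops from High to Low.
    print("Residual after removing limb:", residual_risk(SCENARIOS[0], likelihood="Low"))
```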
124
9) Control Recommendations
  • Finish your risk assessment by thinking of
    controls which could help minimize the risk of
    the vulnerability/threat-source combinations you
    are most concerned about
  • To determine which controls are appropriate to
    add, perform a cost-benefit analysis
  • Output 11: Recommendation of additional controls
    based on the risk assessment

125
10) Results Documentation
  • The Risk Assessment report should be of
    sufficient detail to allow the organization's
    management to make informed decisions on
    appropriate actions in response to the risks
    identified
  • Unlike an audit or investigative report that
    looks for wrong-doing, the Risk Assessment
    report should not be presented in an
    accusatory manner

126
Risk Assessment Report
  • Your Risk Assessment report should have:
    A) An Introduction
    B) A description of your Risk Assessment approach
    C) A system characterization summary
    D) A list of Threat-Sources
    E) Vulnerability/Threat-Source analysis results
    F) A summary of risk levels and recommendations
  • Output 12: Risk Assessment Report that measures
    risk and provides recommendations

127
Report - Introduction
  • Purpose
  • Scope
  • Describe: System Controls, Elements,
    Users, Site Locations, Other Details as
    necessary

128
Report - Risk Assessment Approach
  • Describe the approach used: Risk Assessment Team
    members; Techniques used to gather
    information (use of tools, questionnaires,
    etc.); Development and description of the risk scale
    (3x3, 4x4, or 5x5 risk level matrix)

129
Report - System Characterization
  • Describe the system: Hardware (server,
    router, switch); Software (application,
    operating system); System Interfaces
    (communication link); Data; Users
  • Provide connectivity diagram or system input and
    output flowchart

130
Report - Threat Statement
  • Compile potential threat sources
  • List associated threat actions
  • Review Human Motivations

131
Report - Risk Assessment Results
  • List observations (vulnerability/threat pairs)
  • Observations contain: Observation number and
    brief description; Discussion of threat-source
    and vulnerability; Identification of existing
    security controls; Likelihood discussion and
    evaluation; Risk rating; Recommended controls
    or alternative options

132
Report - Summary
  • Total number of threat-source/vulnerability
    pairs identified (observations)
  • Summarize: Observations; Associated risk
    levels; Recommendations; Any comments
  • Organize into a table to facilitate implementation

133
The Ten Steps of Risk Assessment
  • System Characterization
  • Threat Identification
  • Vulnerability Identification
  • Control Analysis
  • Identify Threat-source/Vulnerability Pairs
  • Likelihood Determination
  • Impact Analysis
  • Risk Determination
  • Control Recommendations
  • Results Documentation

134
Reviewing NIST's RA Output
  • System Characterization
  • List of Threats
  • Human Motivation Review
  • List of Vulnerabilities
  • Review Network Hardware Controls
  • Review Application Controls
  • List Threat-Source and Vulnerability pairs
  • Likelihood determination for each pair of concern
  • Estimation of probable impact
  • Identify risk scores
  • Recommendations, if any, for additional controls
  • Risk Assessment Report

135
Risk Management Process
What is my risk? - Risk Assessment
What will I do about it? - Risk Mitigation
136
Risk Mitigation
  • Risk Mitigation is the process of identifying
    areas of risk that are unacceptable and
    estimating countermeasures, costs and resources
    to be implemented as a measure to reduce the
    level of risk
  • Determining appropriate risk-reducing controls
    is a job for your Risk Management Committee

137
What is Acceptable Risk?
  • Setting your agency's risk appetite is up to
    your Director and Senior Management
  • Because elimination of all risk is impossible, we
    must use the least-cost approach and implement
    the most appropriate controls to decrease mission
    risk to an acceptable level, with minimal adverse
    impact on the organization's resources and mission

138
Risk Mitigation Options
  • Assume the Risk: Accept the risk and continue
    operating (how big is your appetite?)
  • Avoid the Risk: Stop running the program or
    sharing the data
  • Transfer the Risk: Use options to compensate for
    the loss, such as insurance
  • Lessen the Risk: Implement controls that lessen
    the impact or lower the likelihood

139
Risk Mitigation Methodology
  • Prioritize based on risk levels presented
  • Evaluate recommended control options
  • Conduct a cost-benefit analysis
  • Select additional controls, as necessary
  • Assign responsibility
  • Develop an action plan, if necessary
  • Implement the selected controls

140
Possible Technical Controls
  • User Identification
  • Security Administration
  • Authentication
  • Authorization
  • Nonrepudiation
  • Transaction Privacy
  • Restore Secure State
  • Virus Detection and Eradication

141
Possible Management Controls
  • Assign Security Responsibility
  • Conduct Security Awareness Training
  • Conduct end-user training for system users
  • Implement personnel clearance procedures
  • Perform periodic system audits
  • Conduct ongoing risk management activities
  • Establish incident response capability

142
Possible Operational Controls
  • Control physical access
  • Secure hub and cable wiring closets
  • Establish off-site storage procedures
  • Provide an uninterruptible power supply
  • Control temperature and humidity
  • Provide motion sensors or CCTV monitoring
  • Ensure environmental security

143
Cost-Benefit Analysis
  • If control reduces risk more than needed, see if
    a less expensive alternative exists
  • If control would cost more than the risk
    reduction provided, then find something else
  • If control does not reduce risk sufficiently,
    look for more controls or a different control
  • If control provides enough risk reduction and is
    cost-effective, then use it

144
When Should Management Take Action?
145
Residual Risk
  • The risk remaining after the implementation of
    new or enhanced controls is the residual risk
  • If the residual risk has not been reduced to an
    acceptable level, the risk management cycle must
    be repeated to identify a way of lowering the
    residual risk to an acceptable level
  • Understand that no IT system can be risk-free

146
Risk Management Process
What is my risk? - Risk Assessment
What will I do about it? - Risk Mitigation
How did I do? - RM Evaluation
147
Evaluation and Assessment
  • People, systems, and networks change, so risk
    management must be ongoing
  • Federal agencies must conduct risk management at
    least every three years
  • Stay flexible to allow changes when warranted

148
NIST Says Good Risk Management Depends Upon
  • Senior management's commitment
  • Support of the IT Team
  • Competence of the Risk Management Committee
  • The cooperation of the users
  • Ongoing assessment of IT-related mission risks

149
Risk Management Examples
Scenario 1 - The Grounds of My Home
150
1) The Grounds of My Home
  • System Characterization: the land my home sits
    on (risk owned by my wife)
  • Threat Identification: Environmental? From
    people? From Nature?
  • Vulnerability Identification: Looking for
    weaknesses which could be exercised by a
    threat-source; use eyes and knowledge
  • Control Analysis: City Services, fire hydrant,
    Home Owner's insurance, car insurance

151
The Grounds of My Home Continued
  • Identify Threat-Source/Vulnerability Pairs: Dead
    limb or whole tree could fall on my car
  • Likelihood Determination: Has happened before,
    lots of storms; high likelihood
  • Impact Analysis: Dents, broken glass, car not
    drivable, repair cost; medium impact
  • Risk Determination: High (1.0) Likelihood x
    Medium (50) Impact = Medium (50) Risk

152
The Grounds of My Home Continued
  • 9) Control Recommendation Options:
  • Have wife pull the limb down
  • Hire a tree surgeon to take off the limb
  • Take the tree down
  • Don't park there
  • Park my wife's company car there
  • Buy a bicycle
  • Lower the amount of the deductible

153
Completing Mitigation . .
  • Assign Responsibility: Taking down the limb - My
    wife (stronger); Parking differently - Me (get
    home first)
  • Develop an Action Plan (if necessary): This
    weekend
  • Lessen the likelihood by removing the limb
  • Transfer some risk to my wife's company
  • Accept the residual risk

154
155
Risk Management Examples
Scenario 2 - The Agency File Servers
156
2) The File Servers
  • System Characterization: the File Servers in
    our Server Closet
  • Threat Identification: Environmental? From
    people? From Nature?
  • Vulnerability Identification: Looking for
    weaknesses which could be exercised by a
    threat-source; use eyes and knowledge
  • Control Analysis: Firewall, Locks, Daily
    Observation, Separate Circuit, UPSs

157
The File Servers Continued
  • Identify Threat-Source/Vulnerability Pairs: Big
    Oak could fall on the flat roof and break it
  • Likelihood Determination: Tree appears strong,
    but lots of storms; low likelihood
  • Impact Analysis: Damage from impact, water
    damage, repair cost; high impact
  • Risk Determination: Low (0.1) Likelihood x High
    (100) Impact = Low (10) Risk

158
The File Servers Continued
  • 9) Control Recommendation Options:
  • Have the tree removed
  • Weaken the tree on the other side to affect the direction of fall
  • Relocate the File Servers
  • Reinforce the roof
  • Buy a tarp and rig it over the servers
  • Buy a tarp and keep it handy

159
Completing Mitigation . .
  • Assign Responsibility: LAN Manager - Buying a tarp
    at Wal-Mart for $9
  • Develop an Action Plan (if necessary): Do it
    tomorrow
  • Lessen the impact by preparing for the event
    (even though it is unlikely)
  • Accept the residual risk

160
161
Risk Management Examples
Scenario 3 - An Agency Application
162
3) An Agency Application
  • System Characterization: Local Access-based
    system with PHI sent over the internet
  • Threat Identification: From people? From
    telecommunication?
  • Vulnerability Identification: Availability and
    Integrity risks are low, but Confidentiality risk
    is high; also, data is sent elsewhere
  • Control Analysis: Logical and Physical Access
    controls, Security Awareness Program, Staff
    Sensitivity Designations

163
An Application Continued
  • Identify Threat-Source/Vulnerability Pairs: We
    are sharing PHI with no Business Associate
    agreement in place
  • Likelihood Determination: Sent to another CE,
    but no BA agreement in place; low likelihood
  • Impact Analysis: PHI becoming exposed could hurt
    our image badly; high impact
  • Risk Determination: Low (0.1) Likelihood x High
    (100) Impact = Low (10) Risk

164
An Application Continued
  • Control Recommendation Options:
  • Make sure the receiver of the PHI understands
    their BA responsibilities
  • Offer training to the Business Associate
  • Request written documentation for the program
  • Establish a written Memorandum of Understanding
    between the agencies

165
Completing Mitigation . .
  • Assign Responsibility: Security Official will
    contact the other Security Official; Security Official
    will develop and offer a training show; Data Owner
    will request software documentation
  • Develop an Action Plan (if necessary)
  • Lessen the likelihood by establishing a HIPAA
    compliant Business Associate relationship
  • Accept the residual risk

166
167
So Let's Go!
  • All Set? - We know where we want to go, and we
    have a map, so we're ready, right?
  • Hold On: How long is this trip, and how old are
    we now?
  • Let's estimate our organization's risk management
    maturity, and our readiness

168
What is your Security Risk Management Maturity
Level?
Based on ISO 17799
Which of these 6 levels best describes your
organization?
169
Risk Management Maturity Levels
170
Risk Management Maturity Levels
171
Risk Management Maturity Levels
172
What is your Security Risk Management Readiness
Level?
Based on Microsoft's Security Risk Management
Guide, Chapter 3
The following test measures your organization's
readiness level
For each of these 17 questions, score your
organization on a scale of zero to five, using
the previous maturity level definitions as a guide
173
Risk Management Readiness Test
From Microsoft's Security Risk Management Guide,
Chapter 3
  • Information security policies and procedures are
    clear, concise, well-documented, and complete
  • All staff positions with job responsibilities
    involving information security have clearly
    articulated and well understood roles and
    responsibilities
  • Policies and procedures for securing third-party
    access to business data are well-documented. For
    example, remote vendors performing application
    development for an internal business tool have
    sufficient access to network resources to
    effectively collaborate and complete their work,
    but they have only the minimum amount of access
    that they need

174
Risk Management Readiness Test
From Microsoft's Security Risk Management Guide,
Chapter 3
  • An inventory of Information Technology (IT)
    assets such as hardware, software, and data
    repositories is accurate and up-to-date
  • Suitable controls are in place to protect
    business data from unauthorized access by both
    outsiders and insiders
  • Effective user awareness programs such as
    training and newsletters regarding information
    security policies and practices are in place
  • Physical access to the computer network and other
    information technology assets is restricted
    through the use of effective controls

175
Risk Management Readiness Test
From Microsoft's Security Risk Management Guide,
Chapter 3
  • New computer systems are provisioned following
    organizational security standards in a
    standardized manner using automated tools such as
    disk imaging or build scripts
  • An effective patch management system is able to
    automatically deliver software updates from most
    vendors to the vast majority of the computer
    systems in the organization
  • Effective user awareness programs such as
    training and newsletters regarding information
    security policies and practices are in place

176
Risk Management Readiness Test
From Microsofts Security Risk Management Guide,
Chapter 3
  • The organization has a comprehensive anti-virus
    program including multiple layers of defense,
    user awareness training, and effective processes
    for responding to virus outbreaks
  • User provisioning processes are well documented
    and at least partially automated so that new
    employees, vendors, and partners can be granted
    an appropriate level of access to the
    organization's information systems in a timely
    manner. These processes should also support the
    timely disabling and deletion of user accounts
    that are no longer needed

177
Risk Management Readiness Test
From Microsoft's Security Risk Management Guide,
Chapter 3
  • Computer and network access is controlled through
    user authentication and authorization,
    restrictive access control lists on data, and
    proactive monitoring for policy violations
  • Application developers are provided with
    education and possess a clear awareness of
    security standards for software creation and
    quality assurance testing of code
  • Business continuity and disaster recovery
    programs are clearly defined, well documented,
    and periodically tested through simulations and
    drills

178
Risk Management Readiness Test
From Microsoft's Security Risk Management Guide,
Chapter 3
  • Programs have commenced and are effective for
    ensuring that all staff perform their work tasks
    in a manner compliant with legal requirements
  • Third-party reviews and audits are used regularly
    to verify compliance with standard practices for
    securing business assets

How did you do?
179
Add all 17 scores together
180
Are You Ahead or Behind?
According to the Gartner Group, using a
population of G2000 type companies
181
So Let's Go!
  • All Set? - We know where we want to go, and we
    have a map
  • We know how mature we are, and have an idea about
    the readiness of our organization to begin risk
    management

Hold On!
Can we kill any other birds with the same stones?
182
Related DHHS Policies
  • System owners are responsible for determining
    the sensitivity of data and ensuring that
    adequate controls are implemented to protect the
    data. (DHHS Information Systems Review and
    Auditing Policy)
  • Tests that shall be included in the overall security
    testing strategy for each Division/Office shall
    include Vulnerability Scanning and Penetration
    Testing. (DHHS Security Testing Policy)

183
Related DHHS Policies
  • The BC/DR planning team shall do the following:
    Identify the types of disasters most likely to
    occur and the resultant impacts on the agency's
    ability to perform its mission. (DHHS Business
    Continuity and Disaster Recovery Policy)
  • The BC/DR planning team shall do the following:
    Propose protective measures to be implemented in
    anticipation of a natural or man-made
    disaster. (DHHS Business Continuity and Disaster
    Recovery Policy)

184
Related DHHS Policies
  • Plans shall include: A risk assessment to
    determine risk priorities and probability of
    identified risk. (DHHS Business Continuity and
    Disaster Recovery Policy)
  • Plans shall include: Development of
    recovery/restoration procedures for time critical
    systems and applications. (DHHS Business
    Continuity and Disaster Recovery Policy)

185
Related DHHS Policies
  • For each application, classify the risk from loss
    of confidentiality as low, medium, or high
  • For each application, classify the risk from loss
    of integrity as low, medium or high
  • For each application, classify the availability
    need level as 1 (2 to 4 days), 2 (5 to 9 days), 3
    (10 to 19 days) or 4 (DHHS Data Classification,
    Labeling and Access Control Policy)

186
Related DHHS Policies
  • System Administrators have the responsibility of
    periodically reviewing user access privileges and
    notifying management of any access concerns.
  • The system owner of each information system
    shall ensure that all user accounts are reviewed
    and access rights evaluated at least once per
    quarter. (DHHS User Authorization,
    Identification and Authentication Policy)

187
More Related DHHS Policies
  • DHHS Divisions/Offices shall protect data on all
    sensitive and critical applications/systems by
    implementing controls that are commensurate with
    the security level required to protect the data
  • If sensitive electronic data resides in a DHHS
    Division/Office, administrative, physical and
    technical security controls must be implemented
    to limit unauthorized access to the data. (DHHS
    Data Protection Policy)

188
More Related DHHS Policies
  • All technology shall be evaluated to ensure that
    it can provide the level of security required.
  • Security risk in the operations environment
    shall be kept to a level that is considered
    acceptable risk. (DHHS IT Operations Security
    Policy)

189
Related HIPAA Requirements
  • Application and Data Criticality Analysis:
    Assess the relative criticality of specific
    applications and data in support of other
    contingency plan components. (HIPAA Section
    164.308(a)(7)(ii)(E))
  • Emergency Mode Operation Plan: Establish
    procedures to enable continuation of critical
    business processes for protection of the security
    of electronic PHI while operating in emergency
    mode. (HIPAA Section 164.308(a)(7)(ii)(C))

190
HIPAA Security Specifications
Final Rule, Administrative Safeguards 45 CFR
Part 164.308
  • Risk Analysis: A covered entity must conduct an
    accurate and thorough assessment of the potential
    risks and vulnerabilities to the confidentiality,
    integrity, and availability of electronic PHI
    held by the covered entity. Standard (a)(1)(2)(A)
  • Risk Management: A covered entity must
    implement security measures sufficient