Risk Assessment

1
Risk Assessment
2
InfoSec and Legal Aspects

• Risk assessment
• Laws governing InfoSec
• Privacy

3
Risk Assessment

• Assigns a risk rating for each asset
• Likelihood refers to the probability of a known
  vulnerability being attacked
• Likelihood of fire forecast from actuarial data
• Likelihood of virus estimated from volume of
  email handled and number of servers in use
• Likelihood of a network attack estimated from the
  number of network addresses in use

4
Risk Assessment

• How to assign value to information assets?
• NIST SP 800-30 contains parameters to check
• Critical assets are assigned the value 100
• Non-critical but essential asset gets the value
  50
• Least critical assets get the value 1
• What factors to look for in valuation?
• Which threats present a danger?
• Which threats present a significant danger?
• Cost to recover from an attack
• Threats that require maximum cost to prevent

5
Risk Assessment

• Risk determination
• Risk likelihood value risk percentage
• uncertainty
• Example
• Asset A has vulnerability score 50
• Number of vulnerabilities 1
• Likelihood value 1 with no controls
• Data are 90 accurate
• Hence, Risk 1 50 0 10
• 50 10 of (1 50) 50 5 55

6
Risk Assessment

• Example
• Asset B has vulnerability score 100
• Number of vulnerabilities 2
• Likelihood value 0.5 for 1st vulnerability which
  addresses 50 of risk
• Data are 80 accurate
• Hence, Risk 0.5 100 50 20
• 50 (50 of 50) (20 of 50)
• 50 25 10
• 35

7
Risk Assessment

• Example
• Asset B has vulnerability score 100
• Number of vulnerabilities 2
• Likelihood value 0.1 for 2nd vulnerability with
  no controls
• Data are 80 accurate
• Hence, Risk 0.1 100 0 20
• 10 0 (20 of 10)
• 10 2
• 12

8
Risk Assessment

• The generic risks to the business are
• Loss of key assets
• Information
• the network
• skilled people
• Disruption of key processes
• Revenue
• regulatory reporting

9
Risk Factors

• Assess risk based on these factors
• Impact Size
• Rate of Change
• Business Impact
• Complexity
• Recoverability
• Value
• Management Team Focus

10
Definitions

• Civil law addresses violations of rules that
  result in monetary loss as well as other forms of
  damage caused to individuals or organizations
• Criminal law addresses violations that are
  harmful to society
• Tort law addresses violations by individuals that
  result in personal, physical, or financial injury
  to an individual
• Private law regulates relationships between an
  individual and an organization
• Public law regulates relationships between
  citizens

11
Definitions

• Ethics is defined as socially acceptable behavior
• Code of conduct is a set of rules that an
  organization defines as acceptable

12
Laws governing Information Security

• Computer Security Act
• Communications Assistance to Law Enforcement Act
• Computer Fraud and Abuse Act
• USA PATRIOT Act

13
Computer Security Act

• Passed in 1987. Official designation PL100-235
• Law gave NIST the authority over unclassified
  non-military government computer systems
• NSA originally had this power
• Main goals
• Develop policies for federal agencies concerning
  computer security
• Develop procedures to identify vulnerabilities in
  computer security

14
Computer Security Act

• Provide mandatory security awareness training to
  all federal employees dealing with sensitive
  information
• Identify all computer systems that contain
  sensitive information

15
CALEA

• Passed in 1994
• Works in conjunction with FCC regulations
• Telephone companies to include hardware to their
  switches that will facilitate tapping of
  conversations by law enforcement agencies
• Telcos are not responsible for decrypting any
  intercepted communication
• Telcos will be provided reasonable compensation
  for the addition of interception hardware to
  switches

16
Computer Fraud and Abuse Act

• Originally passed in 1994 and amended in 1996
• PATRIOT Act amends this act further
• CFAAs main provisions relate to the following
• having knowingly accessed a computer without
  authorization
• intentionally accesses a computer without
  authorization
• knowingly and with intent to defraud, accesses a
  protected computer without authorization
• Prison time of up to 10 years is possible for any
  violation
• If damage caused is below 5,000 then only
  criminal penalties apply and no civil penalties
  apply

17
USA PATRIOT Act

• Uniting and Strengthening America by Providing
  Appropriate Tools Required to Intercept and
  Obstruct Terrorism
• Passed in October 2001
• Gives extensive powers to the federal government
  to suspend notification provisions of existing
  laws
• Provides authorization for information search
  without knowledge of the individual
• Law expires in December 2004, unless renewed by
  Congress

18
Privacy and Ethics

• Information privacy
• Information privacy laws
• Federal Privacy Act of 1974
• Electronic Communications Privacy Act of 1986
• Communications Act of 1996
• HIPAA of 1996
• Computer Security Act of 1987
• USA PATRIOT Act of 2001
• Ethical aspects of information handling

19
Information Privacy

• Privacy refers to personally identifiable
  information about an individual or an
  organization
• Privacy does not mean absolute freedom from
  observation
• Privacy means state of being free from
  unsanctioned intrusion
• Financial and medical institutions treat privacy
  as part of their compliance requirements
• Information is collected by cookies and points of
  sale

20
Information Privacy

• Privacy is a risk management issue
• Ability to collect information from multiple
  sources and combine them in different ways have
  resulted in powerful databases that can shed more
  light than previously possible

21
Information Privacy Laws

• Federal Privacy Act of 1974
• Requires all government agencies from protecting
  the privacy information of individuals and
  businesses
• Certain agencies have exemption to release
  aggregate data
• Census Bureau
• National Archives
• Congress
• Comptroller General
• Credit agencies

22
Information Privacy Laws

• Electronic Communications Privacy Act of 1986
• Regulates interception of wire, electronic, and
  oral communications
• Works in conjunction with the Fourth Amendment
  providing protection against unlawful search and
  seizure

23
Information Privacy Laws

• Communications Act of 1996
• Regulates interstate and international
  communications
• Communications decency was part of this Act

24
Information Privacy Laws

• Health Insurance Portability and Accountability
  Act (HIPAA) of 1996
• Protect confidentiality and security of health
  care data
• Electronic signatures are allowed
• Patients have a right to know who have access to
  their information and who accessed it

25
References

• NIST Risk Assessment Guide for Information
  Technology Systems, SP 800-30
• Mike Godwin, When copying isnt theft,
  www.eff.org/IP/phrack_riggs_neidorf_godwin.article
  
• Michael Whitman, Enemy at the Gates Threats to
  Information Security, Communications of ACM, 2003

26
References

• Financial institutions http//www.fdic.gov/news/n
  ews/financial/1999/FIL9968a.HTML
• Risk Assessment Process http//www.mc2consulting.
  com/riskart1.htm
• ISACA http//www.isaca.org/
• Risk Assessment Guidelines http//www.gao.gov/spec
  ial.pubs/ai99139.pdf
• Risk Assessment http//www.ffiec.gov/ffiecinfobas
  e/booklets/information_security/02_info_security_
  20risk_asst.htm