4.1 Risk Assessment and Treatment Assessing Security Risks

Size: px

Start display at page:

Download "4.1 Risk Assessment and Treatment Assessing Security Risks"

Brittany Williams
6 years ago
Views:

1 Information Security Standard 4.1 Risk Assessment and Treatment Assessing Security Risks Version: 1.0 Status Revised: 03/01/2013 Contact: Chief Information Security Officer PURPOSE To identify, quantify, and prioritize risks against criteria for risk acceptance and objectives relevant to VCCS. SCOPE This Assessing Security Risks Standard defines the approach VCCS has adopted to establish the basic criteria, risk evaluation criteria, impact criteria, and risk acceptance criteria for the VCCS Information Security Risk Management program and includes within its scope, the following: VCCS s strategic business objectives, strategies and policies The business processes VCCS s functions and structure Legal, regulatory and contractual requirements applicable to VCCS VCCS s information security policy VCCS s overall approach to risk management Information assets The different locations of VCCS and our geographical characteristics Constraints affecting VCCS Expectations of our stakeholders Socio-cultural environment

2 Interfaces, specifically information exchange with non-vccs entities, which VCCS defines as boundaries APPLICABILITY This Assessing Security Risks Standard is applicable to the System Office and all Colleges. STANDARD The results of this Assessing Security Risks standard will be used to determine the appropriate management action and priorities for managing information security risks and for implementing controls selected to protect against these risks. The following definitions are applicable to the VCCS Risk Management process: Basic Criteria (included areas) A risk assessment and risk treatment plan will be established for all information identified through the Business Impact Analysis process as either containing sensitive information or being a mission critical function. Policies and procedures will be implemented to include the implementation of the controls selected to remediate risks. Implemented controls will be monitored for effectiveness. The entire security risk management process will be monitored by the Information Security Officers. Risk Evaluation Criteria (included areas) The strategic value of the business information process. The criticality of the information assets involved. Legal and regulatory requirements, and contractual obligations Operational and business importance of availability, confidentiality and integrity Stakeholder s expectations and perceptions, and negative consequences for goodwill and reputation. Impact Criteria (included areas) Level of data classification of the impacted information asset Breaches of information security Impaired operations both internal and external/third party Loss of business and financial value Disruption of plans and deadlines Damage of reputation Breaches of legal, regulatory or contractual requirements Risk Acceptance Criteria (areas to be considered)

3 Business criteria Legal and regulatory aspects Operations Technology Finance Social and humanitarian factors VCCS s information security risk management program is organized and roles and responsibilities have been established around the following principles. The risk management process has been developed so that it is suitable to the System Office or college The stakeholders have been identified Internal and External roles and responsibilities have been defined and communicated to all appropriate personnel Escalation procedures and paths have been identified and documented All Risk Assessments and annual Risk Assessment executive summaries will be maintained for period of 3 years. Requirement: (ISO/IEC 27005:2008(E) Information Security Risk Assessment) Risks should be identified, quantified or qualitatively described, and prioritized against risk evaluation criteria and objectives relevant to System Office or college. The System Office or college will take a multi-step approach to Risk Assessment. During the first step the System Office or college will perform a Risk Analysis by reviewing the value of the information assets, identifying the applicable threats and vulnerabilities that exist (or could exist), identifying the existing controls and their effect on the identified risks, determining the potential consequences and finally prioritizing the derived risks and ranking them against the risk evaluation criteria. The Business Impact Analysis process will provide the System Office or college with the information required for the first high-level assessment. Once the first high-level assessment is completed, those risks that are ranked high will have a more detailed analysis performed as a second step. Requirement: (ISO/IEC 27005:2008(E) Identification of assets) Commonwealth of Virginia policies and procedures for asset management are already a requirement and the System Office and Colleges may have an individual assigned to this duty for overall asset management. The following are general guidelines that enhance the general asset management process. IT personnel are encouraged to maintain their own records; especially those components that are associated with the Business Impact Analysis and Risk Assessment processes. The System Office or college should ensure IT asset management is a component of the current asset management program or take measures to assign an individual to perform this duty. Access to IT asset inventory records should be restricted to a need-to-know basis. IT

4 employees may be of assistance when an IT asset inventory is conducted since some components are difficult to identify if included within a larger system. As long as the requirements are adhered to, IT employees may perform the following requirements or this function may fall under the responsibility of the employee currently assigned for overall asset management. Requirement: (ISO/IEC 27005:2008(E) Identification of threats) Threats and their sources shall be identified. VCCS will consider the following common threat-sources when identifying threats: Natural Threats Floods, earthquakes, tornadoes, hurricanes, landslides, electrical storms, severe weather, and other such events. Human Threats Events that are either enabled by or caused by human beings, such as unintentional acts (inadvertent data entry) or deliberate actions (network based attacks, malicious software upload, unauthorized access to confidential information). Humans can be threat-sources through intentional acts, such as deliberate attacks by malicious persons or disgruntled employees, or unintentional acts, such as negligence and errors. A deliberate attack can be either (1) a malicious attempt to gain unauthorized access to an IT system (e.g., via password guessing) in order to compromise system and data integrity, availability, or confidentiality or (2) a benign, but nonetheless purposeful, attempt to circumvent system security. One example of the latter type of deliberate attack is a developer s writing a Trojan horse program to bypass system security in order to get the job done. Environmental Threats Long-term power failure, pollution, chemicals, HAZMAT, or liquid leakage. VCCS will also use the output reports from the incident response program as input to the threat identification process. Requirement: (ISO/IEC 27005:2008(E) Identification of existing controls) Existing and planned controls should be identified. VCCS will review the implementation of all existing controls to determine if they were effective, ineffective, not sufficient, or not justified. This identification and evaluation process will also include: Reviewing documents containing information about the controls Checking with the people responsible for information security and the users as to which controls are really implemented Conducting on-site reviews of physical controls, comparing what should be with what actually is, and Reviewing results of internal and external audits.

5 Requirement: (ISO/IEC 27005:2008(E) Identification of vulnerabilities) Vulnerabilities that can be exploited by threats to cause harm to assets or to VCCS should be identified. VCCS will review the following areas to assist in the identification of vulnerabilities: VCCS Organization Business Processes and procedures Management routines Personnel Physical Environment Information System Configuration Hardware, Software and network equipment Dependence on external or third parties Requirement: (ISO/IEC 27005:2008(E) Identification of consequences) The consequences that losses of confidentiality, integrity and availability may have on the assets should be identified. In performing risk analysis of the operational consequences of incident scenarios (security failures), VCCS will consider the following: Investigation and repair time (Work)time lost Opportunity lost Health and Safety Financial cost of specific skills to repair the damage Image reputation and goodwill These operational consequences will be documented on the Business Impact Analysis template on the first worksheet. Requirement: (ISO/IEC 27005:2008(E) Risk estimation methodologies) VCCS should define a risk estimation methodology to be undertaken depending on the criticality of assets, extent of vulnerabilities known and prior incidents involving VCCS. VCCS has determined that it will use Qualitative Estimation in its high level risk analysis and has assigned categories of HIGH, MEDIUM and LOW to describe the magnitude of potential consequences and the likelihood that those consequences will occur. This will be documented on the Business Impact Analysis template on the second worksheet. Requirement: (ISO/IEC 27005:2008(E) Assessment of consequences) VCCS should assess the business impact upon VCCS that might result from possible or actual information security incidents, taking into consideration the consequences of a

6 breach of information security such as loss of confidentiality, integrity or availability of the assets. VCCS will include asset valuation as part of its Business Impact Analysis. That BIA process includes replacement cost of the asset, the cost of recovery cleanup and replacing the information, as well as the business consequences of loss or compromise of the asset, such as the potential adverse business and/or legal or regulatory consequences from the disclosure, modification, non-availability and/or destruction of information, and other information assets. This asset valuation is included in the Financial Costs column of the Business Impact Analysis template on the first worksheet. VCCS has determined that it will use Qualitative Estimation in its assessment of consequences and has assigned categories of HIGH, MEDIUM and LOW to describe the magnitude of potential consequences for loss of confidentiality, integrity and/or availability of the assets. Requirement: (ISO/IEC 27005:2008(E) Assessment of incident likelihood) VCCS should assess the likelihood of the incident scenarios. VCCS has documented this as Probability of Loss on its Business Impact Analysis template. When determining the Probability of Loss. VCCS will consider: Experience and applicable statistics for threat likelihood For deliberate threat sources; o Motivation and capabilities o Resources available to possible attackers o Perception of attractiveness and vulnerability of assets For accidental threat sources; o Geographic factors o Human errors o Equipment malfunctions Vulnerabilities, both separately and in aggregation Existing controls and their effectiveness in reducing vulnerabilities VCCS has determined that it will use Qualitative Estimation in its Probability of Loss and has assigned categories of HIGH, MEDIUM and LOW to describe the magnitude of potential occurrence for loss of confidentiality, integrity and/or availability of the assets. Requirement: (ISO/IEC 27005:2008(E) Level of risk estimation) The System Office or college should estimate the level of risk for all relevant incident scenarios. The System Office or college has determined that it will use Qualitative Estimation in its estimation of the level of risk and has assigned categories of HIGH, MEDIUM and LOW to describe the level of risk for loss of confidentiality, integrity and/or availability of the assets. In the risk evaluation phase of risk assessment the System Office or college has determined that it will use all of the aforementioned risk analysis and risk

7 evaluation information to perform an overall risk evaluation. The outcome of the risk evaluation activity will be documented in the form of a Risk Assessment Executive Summary Report. Related Documents o VCCS Risk Assessment Application Management Template o VCCS Risk Assessment Enterprise Application Management Template o VCCS Risk Assessment LAN Management Template o VCCS Risk Assessment LOGON Identification Management Template o VCCS Risk Assessment Operations and Administrative Management Template o VCCS Risk Assessment System Server Template o VCCS IT Security Standard 4.2 Treating Security Risks o VCCS IT Security Standard 7-1 Responsibility of Assets o VCCS IT Security Standard 13.1 Reporting Information Security Events and Weaknesses o VCCS IT Security Standard 14.1 Information Security Aspects of Business Continuity Management o VCCS IT Security Guideline Including information security in the business continuity management process Review and Approval: Reviewed By: CISO, VCCS Reviewed Date: 03/01/13 Next Scheduled Review: 02/16/14

Information security management systems

BRITISH STANDARD Information security management systems Part 3: Guidelines for information security risk management ICS 35.020; 35.040 NO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRIGHT