Security Risk Management
Related Chapters
Chapter 53: Risk Management
Also: Chapter 32, Security Metrics: An Introduction and Literature Review; Chapter 62, Assessments and Audits
Definition of Risk
According to ISO Guide 73 / ISO 31000, risk is the effect of uncertainty on objectives. An effect is a deviation from the expected, positive and/or negative. Objectives can have different aspects (such as financial, health and safety, and environmental goals) and apply at different levels (such as strategic, organization-wide, project, product and process). Risk is often characterized by reference to potential events and consequences, or a combination of these. Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence. Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.
(Information/cyber) security risk: risk associated with information technology.
Risk and its Related Concepts
Figure 53.1: Risk and its related concepts. Vulnerabilities do not cause harm unless they are exploited by a threat.
Risk Elements
Risk is a function of four elements: A, the value of the assets; T, the severity and likelihood of appearance of the threats; V, the nature and extent of the vulnerabilities and the likelihood that a threat can successfully exploit them; and I, the likely impact of the harm should the threat succeed. That is, R = f(A, T, V, I).
Formalizing Risk
Risk (R) is a function of the probability of occurrence of a loss (P) and the cost of a loss (C): R = P * C
Threat: potential cause of an incident
Vulnerability: weakness of asset(s) that can be exploited by a threat
Asset: anything that has value to the organization
Risk Management
Coordinated activities to identify, control, and minimize information system related risks to a level commensurate with the value of the assets protected. The goal of a risk management program is to protect the organization and its ability to perform its mission from IT-related risk.
Why Risk Management?
A car has brakes so it can go fast. We do risk management so that we can take risks. An organization that can take advantage of opportunities (and the inherent risks) will outlast an organization which cannot.
Risk Management Strategies
Reactive: a process that responds to security events as they occur
Proactive: a process that reduces the risk of new vulnerabilities in your organization
Risk Management Methods
Many methods are available, some supported by software tools. No commonly accepted evaluation criteria for risk management methods exist.
CRAMM: the U.K. government's preferred risk analysis method
MAGERIT: used by Spanish government agencies
Risk Management Methods (continued)
EBIOS: used in France
ISF's Standard of Good Practice; FIRM; SARA; SPRINT
OCTAVE method: developed at Carnegie-Mellon in 1999
COBRA
Integrating Risk Management
Risk management should be integrated into the System Development Life Cycle (SDLC). The five phases of the SDLC are: initiation; development or acquisition; implementation; operation and maintenance; and disposal. Risk management activities are included in each phase.
Relevant Laws and Regulations
Many laws and regulations exist:
European Union: telecommunications infrastructure and data protection
HIPAA: mandates security and privacy of health data in the United States
Electronic banking: the industry is heavily regulated
Sarbanes-Oxley (U.S.): new accounting standards
RISK MANAGEMENT PROCESS
Risk Management Process
1. Establish context
2. Risk assessment
3. Risk treatment/mitigation
4. Risk acceptance
5. Risk communication
6. Risk monitoring & review
Figure: the risk management process. Risk communication runs alongside all steps; risk assessment consists of risk analysis (risk identification, risk estimation) and risk evaluation; the cycle ends after the first or a subsequent iteration once residual risk is accepted.
1. Establish Context
Setting basic criteria: risk evaluation criteria, impact criteria, risk acceptance criteria
Defining scope and boundaries
Establishing an organization for risk management
2. Risk Assessment
Risk assessment consists of risk analysis (risk identification and risk estimation) and risk evaluation.
2. Risk Assessment: Risk identification
Identify assets, threats, existing controls, vulnerabilities, and the consequences of loss of C.I.A. (confidentiality, integrity, availability).
2. Risk Assessment: Risk estimation
Use a quantitative or qualitative methodology to estimate consequences, incident likelihood, and the level of risk.
Risk Assessment Methodologies
Quantitative
  Benefits:
    Risks prioritized by financial impact; assets prioritized by their financial values
    Results facilitate management of risk by return on security investment
    Results can be expressed in management-specific terminology
  Drawbacks:
    Impact values assigned to risks are based upon subjective opinions of the participants
    Very time-consuming
    Can be extremely costly
Qualitative
  Benefits:
    Enables visibility and understanding of risk ranking
    Easier to reach consensus
    Not necessary to quantify threat frequency
    Not necessary to determine financial values of assets
  Drawbacks:
    Insufficient granularity between important risks
    Difficult to justify investing in controls as there is no basis for a cost-benefit analysis
    Results dependent upon the quality of the risk management team that is created
2. Risk Assessment: Risk evaluation
Prioritize risks by comparing levels of risk against the risk evaluation criteria and the risk acceptance criteria.
Expressing and Measuring Risk
Information security event: an identified occurrence or breach of a system, service, or network
Bayesian statistics: likelihood is quantifiable if the factors are analyzed
Asset values can be quantified: cost to replace the asset, cost of suspended operations, opportunity cost
Example
In this example (table on the previous slide), asset values are expressed on a 0-10 scale, threat and vulnerability levels on a Low-Medium-High scale, and the resulting risk values on a scale of 1 to 7.
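The qualitative estimation and evaluation steps above, as an added worked example (not code from the original slides or from ISO/IEC 27005). Only the scales are taken from the slide: asset value 0-10, threat and vulnerability Low/Medium/High, risk level 1-7. The 3x3 likelihood matrix, the asset-value bands, the acceptance threshold of 3 and the sample scenarios are assumptions made for the example; a real assessment would take them from the organization's risk evaluation and acceptance criteria (step 1).

```python
from dataclasses import dataclass

# Likelihood index derived from threat level x vulnerability level.
# ASSUMPTION: this matrix and the bands below stand in for the table that is
# not reproduced on the page; only the scales come from the slide.
LIKELIHOOD_INDEX = {
    ("L", "L"): 0, ("L", "M"): 1, ("L", "H"): 2,
    ("M", "L"): 1, ("M", "M"): 2, ("M", "H"): 3,
    ("H", "L"): 2, ("H", "M"): 3, ("H", "H"): 4,
}


def asset_band(value: int) -> int:
    """Collapse the 0-10 asset value into four bands (0-3). Cut-offs are assumed."""
    if not 0 <= value <= 10:
        raise ValueError(f"asset value must be 0-10, got {value}")
    if value <= 2:
        return 0
    if value <= 5:
        return 1
    if value <= 8:
        return 2
    return 3


def risk_level(asset_value: int, threat: str, vulnerability: str) -> int:
    """Risk level on a 1-7 scale: asset band (0-3) + likelihood index (0-4), floored at 1.

    An unknown threat/vulnerability label raises KeyError instead of defaulting
    to a low level, so a typo in the input cannot silently hide a risk.
    """
    index = LIKELIHOOD_INDEX[(threat.upper(), vulnerability.upper())]
    return max(1, asset_band(asset_value) + index)


@dataclass(frozen=True)
class Scenario:
    asset: str
    asset_value: int    # 0-10
    threat: str
    threat_level: str   # L / M / H
    vulnerability: str
    vuln_level: str     # L / M / H


# Assumed risk acceptance criterion: levels at or below this are accepted as-is.
ACCEPTANCE_THRESHOLD = 3


def evaluate(scenarios, threshold=ACCEPTANCE_THRESHOLD):
    """Risk evaluation: estimate each scenario, compare it against the acceptance
    criterion, and return rows sorted highest risk first (ties: more valuable asset first)."""
    rows = []
    for s in scenarios:
        level = risk_level(s.asset_value, s.threat_level, s.vuln_level)
        decision = "accept" if level <= threshold else "treat"
        rows.append((s, level, decision))
    rows.sort(key=lambda r: (-r[1], -r[0].asset_value))
    return rows


# Constructed sample scenarios; threat and vulnerability names follow the
# categories on the Threat Types and Vulnerabilities Classification slides.
SAMPLE_SCENARIOS = [
    Scenario("customer database", 9, "eavesdropping", "M", "unprotected communication lines", "H"),
    Scenario("payroll system", 7, "abuse of rights", "H", "lack of audit trail", "H"),
    Scenario("public web server", 5, "saturation of the information system", "H", "insecure network architecture", "M"),
    Scenario("test server", 2, "equipment failure", "L", "unprotected storage", "M"),
]

if __name__ == "__main__":
    for s, level, decision in evaluate(SAMPLE_SCENARIOS):
        print(f"{level}  {decision:6}  {s.asset}: {s.threat} via {s.vulnerability}")
```

Running it ranks the customer database and payroll scenarios at level 6 (both to be treated), the web server at 4, and the test server at 1 (accepted). The ordering is the output of risk evaluation; which level counts as acceptable is a decision recorded in the context-setting step, not something the estimation decides.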
Threat Types
Physical damage: fire, water, pollution
Natural events: climatic phenomenon, seismic phenomenon, volcanic phenomenon
Loss of essential services: failure of air-conditioning, loss of power supply, failure of telecommunication equipment
Disturbance due to radiation: electromagnetic radiation, thermal radiation, electromagnetic pulses
Compromise of information: eavesdropping, theft of media or documents, retrieval of discarded or recycled media
Technical failures: equipment failure, software malfunction, saturation of the information system
Unauthorized actions: fraudulent copying of software, corruption of data, unauthorized use of equipment
Compromise of functions: error in use, abuse of rights, denial of actions
Threat Origin
Threats are classified according to origin into deliberate, accidental or environmental.
A deliberate threat is an action aimed at information assets (remote spying, illegal processing of data).
An accidental threat is an action that can accidentally damage information assets (equipment failure, software malfunction).
An environmental threat is any threat that is not based on human action (a natural event, loss of power supply).
Vulnerabilities Classification
Hardware: susceptibility to humidity, dust, soiling; unprotected storage
Software: no or insufficient software testing; lack of audit trail
Network: unprotected communication lines; insecure network architecture
Personnel: inadequate recruitment processes; lack of security awareness
Site: location in an area susceptible to flood; unstable power grid
Organization: lack of regular audits; lack of continuity plans
3. Risk Treatment/Mitigation
Residual Risk
The risk remaining after the implementation of risk treatment/mitigation is the residual risk. If the residual risk has not been reduced to an acceptable level, the risk management cycle must be repeated to identify a way of lowering the residual risk to an acceptable level. Understand that no IT system can be risk-free.
4. Risk Acceptance
Decide if residual risks are acceptable, based on the risk acceptance criteria.
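Steps 3 and 4 (treatment, residual risk, acceptance) as an added quantitative worked example, complementing the qualitative one earlier; this is not code from the slides or from any standard. It uses the slides' R = P * C as an annualized loss expectancy (ALE = single loss expectancy * annual rate of occurrence) and models each control as reducing likelihood and/or impact by a fixed fraction. The asset figures, the control list with its costs and reduction factors, and the acceptance criterion are constructed for the example; the multiplicative reduction model is an assumption, not a result from the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One quantified risk scenario (constructed figures)."""
    name: str
    asset_value: float      # cost to replace + cost of suspended operations + opportunity cost
    exposure_factor: float  # fraction of the asset value lost per incident (0..1)
    aro: float              # annual rate of occurrence, estimated from incident data

    def sle(self) -> float:
        """Single loss expectancy: what one incident costs."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy = SLE * ARO, i.e. R = P * C per year."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    aro_reduction: float = 0.0  # fraction by which the control cuts likelihood (assumed model)
    ef_reduction: float = 0.0   # fraction by which it cuts impact per incident


def residual_risk(risk: Risk, controls) -> Risk:
    """Risk remaining after applying controls; reductions multiply and never go below zero."""
    aro, ef = risk.aro, risk.exposure_factor
    for c in controls:
        aro *= 1.0 - c.aro_reduction
        ef *= 1.0 - c.ef_reduction
    return Risk(risk.name, risk.asset_value, ef, aro)


def net_benefit(risk: Risk, control: Control) -> float:
    """Annual ALE reduction minus the control's annual cost; negative means it does not pay."""
    return risk.ale() - residual_risk(risk, [control]).ale() - control.annual_cost


def treat(risk: Risk, candidates, acceptable_ale: float):
    """Treatment loop: apply the control with the best net benefit until the residual ALE
    meets the acceptance criterion or no remaining control pays for itself.

    Returns (residual risk, applied controls, accepted). accepted == False means the
    cycle must be repeated with other options, or the residual risk formally accepted
    by management against the criterion; it is never silently dropped.
    """
    remaining = list(candidates)
    applied = []
    current = risk
    while current.ale() > acceptable_ale and remaining:
        best = max(remaining, key=lambda c: net_benefit(current, c))
        if net_benefit(current, best) <= 0:
            break
        remaining.remove(best)
        applied.append(best)
        current = residual_risk(current, [best])
    return current, applied, current.ale() <= acceptable_ale


# Constructed example: a customer database valued at 2M; a breach exposes a
# quarter of that value and is expected once every five years (ARO 0.2).
DB_BREACH = Risk("customer database breach", 2_000_000, 0.25, 0.2)
CANDIDATE_CONTROLS = [
    Control("encryption at rest", annual_cost=15_000, aro_reduction=0.5),
    Control("data loss prevention", annual_cost=30_000, aro_reduction=0.4),
    Control("MFA for administrators", annual_cost=5_000, aro_reduction=0.3),
]
ACCEPTABLE_ALE = 30_000  # assumed acceptance criterion from the context-setting step

if __name__ == "__main__":
    residual, applied, accepted = treat(DB_BREACH, CANDIDATE_CONTROLS, ACCEPTABLE_ALE)
    print(f"initial ALE  {DB_BREACH.ale():>10,.0f}")
    for c in applied:
        print(f"  apply {c.name} ({c.annual_cost:,.0f}/yr)")
    print(f"residual ALE {residual.ale():>10,.0f}  accepted={accepted}")
```

With these figures the initial ALE is 100,000; encryption (net benefit 35,000) and then MFA (net 10,000 on the already reduced risk) are applied, bringing the residual ALE to 35,000. Data loss prevention would cost more than it saves at that point, so the loop stops with the residual above the 30,000 criterion and reports accepted=False: exactly the situation the Residual Risk slide describes, where the cycle has to be repeated with other options or the remaining risk explicitly accepted. Raising the criterion to 40,000 makes the same two controls sufficient.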
5. Risk Communication
Sharing information between the decision maker and other stakeholders about the existence, nature, form, likelihood, severity, treatment and acceptability of risks.
6. Risk Monitoring and Review
What may be of minor significance today may be the disaster of tomorrow. Review is an integral part of the risk management process.
ISO AND NIST RISK MANAGEMENT STANDARDS
Risk Management Standards
ISO/IEC 27000: family of information security management standards, derived from British Standard 7799
ISO/IEC 27005:2011: provides guidelines for information security risk management
ISO 31000:2009: provides principles and generic guidelines for risk management
NIST SP 800-30: common foundation for risk management processes in IT systems
The Big Picture: ISO 31000
ISO 31000 is organized into principles, a framework, and a process.
Risk management principles: principles a) to k), on the next slide
Risk management framework: a set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization
Risk management process: systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring and reviewing risk
ISO 31000 (figure)
NIST Risk Management Framework (figure)
Three-Tiered Risk Management Approach
Tier 1: Organization (strategic risk)
Tier 2: Mission/business process
Tier 3: Information systems (tactical risk)
Inter-tier and intra-tier communications; feedback loop for continuous improvement
Traceability and transparency of risk-based decisions; organization-wide risk awareness
Ref: NIST SP 800-53
References
ISO/IEC 27005, Information technology -- Security techniques -- Information security risk management
ISO 31000, Risk management -- Principles and guidelines
NIST Risk Management Framework, http://csrc.nist.gov/groups/sma/fisma/framework.html
NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, 2011, http://csrc.nist.gov/publications/pubssps.html