Post on 01-Jan-2016
Information Risk Management
Fighting for control of critical systems
Rick Dakin
Rick.dakin@coalfiresystems.com
February 19, 2009
Agenda
• Vulnerability versus Risks
• Why Maintain a Risk Management Program?
• Risk Management Process
  o Risk Analysis
  o Control Selection
  o Control Operations
  o Risk Measurement
• Reporting Risk
Why Manage RISK?
• Increasing Cyber Threats
• Reduced Tolerance for Service Disruption
• More Demanding Compliance Requirements
• Need for more Efficient Data Sharing Across Agencies
• Justification to establish Risk Mitigation Priorities and Allocation of Resources
Elements of RISK
[Diagram: Malicious Threats (with Motives and Goals), Non-Malicious Threats and Natural Disasters, each with their Methods and Tools, act through Vulnerabilities against ASSETS, filtered by Security Controls & Policies. Callouts: "Good security controls can stop certain attacks"; "Poor security policies could let an attack through"; "NO security policies or controls could be disastrous".]
Threat + Motive + Method + Vulnerability = RISK
Risk Management Perspective
Risk Management on the Battlefield:
See It
Shoot It
Kill It
Risk Management Process
Step 1: Categorize Assets
Goal: Identify critical assets and inventory supporting systems
Inventory Critical Services and Information
  Processes: Medicaid Disbursements, Patient Enrollment…
  Information: Patient Records, Patient Contact Info, Prescription Records…
Inventory supporting information systems
  Applications: MedCore, PharmTrack
  Systems: WEB01, SYS01, PHSYS12, WEB01_DR, SYS01_DR
  Networks: 172.29.50.1/24, 10.1.52.1/16
Define Security Categorization Value System
  Confidentiality (High, Medium, Low)
  Integrity (High, Medium, Low)
  Availability (High, Medium, Low)
Assign Values to Information, Services, and Information Systems
  Medicaid Disbursements (C:High, I:High, A:High)
  Patient Enrollment (C:High, I:Medium, A:Medium)
Sample Data Flow
[Diagram of a payment card data flow; recoverable labels:]
  Customer Production Environment: Web Server (card not present); POS Terminals (card present in stores and parking facilities); Authorization; Transaction Servers or Payment Gateway; Transaction Record & Archive; Batch Settlement; Application Servers
  Acquiring Bank: Wells Fargo, BoA, Chase
  Admin Environment: Portal Access to Reconciliation Data (Charge Back / Sales Audit); Data Warehouse, Payment Gateway and Transaction Database
  Back Office & Customer Svc (Phone, Fax, Email): Marketing; Customer Service; Ecommerce; Phone / Fax; Gift Cards; Fraud; Accounting / Administration
  Document Vaults: Paper records
Step 2: Assess Risk
Goal: Determine the reasonable level of risk that exists to organizational assets.
Identify relevant threats
  Human Threats: Theft, Vandalism, Error, Interception, Tampering…
  Environmental Threats: Earthquake, Power Disruptions, Water Damage…
Link threats to specific assets / asset groups
  Service Threats: Power Outages, Earthquakes…
  Information Threats: Theft, Tampering, Interception…
  System Threats: Theft, Power Outages, Tampering, Water Damage…
  Network Threats: Power Outages, Water Damage, Tampering…
Test assets for vulnerabilities that could amplify risk
  Vulnerability Scans, Pen Tests, Social Engineering…
Create risk statements (Threat + Asset)
Evaluate risk statement against impact and likelihood of occurrence

Risk ID  Threat / Asset
Risk 1   An outsider could tamper with SYS01 in order to gain system access.
Risk 2   A burst pipe above the MPOE could disrupt external communications.
Risk 3   An outsider could use the SSLv2 vulnerability to intercept patient records.

Risk ID  Likelihood  Impact
Risk 1   Low         High
Risk 2   Low         High
Risk 3   High        High
Risk Analysis
Each risk should be reviewed based upon a combination of severity and likelihood.
[Matrix: SEVERITY (LOW to HIGH) on one axis, LIKELIHOOD (LOW to HIGH) on the other; cells are rated LOW RISK, MEDIUM RISK or HIGH RISK.]
Step 3: Select Controls
Goal: Select controls to protect data and system justified by risk levels
Identify compliance requirements
  • Determine by service/process inventories, line-of-business, and information
  • Consult with Legal Counsel
  • Obtain source legal/contractual requirements
Identify best-practices requirements
  • Commercial sector best-practices (ISO)
  • Government best-practices (NIST)
Group requirements into control activities
  • Construct a control framework.
  • Eliminate and/or reduce redundancies in requirements
Review risks and implement to assets as necessary
Select justified controls

Risk ID  Likelihood  Impact  Mitigating Controls
Risk 1   Low         High    2.2.1, 2.2.2, 2.2.3
Risk 2   Low         High    4.3.4
Risk 3   High        High    3.1.2
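Steps 1 through 3 above, worked through as an added Python example (this is not code from the presentation or from Coalfire): the risk statements, likelihood/impact ratings and control IDs are the ones on the slides; the C/I/A values assigned to SYS01, the MPOE and the patient records, the exact cell rule of the likelihood x impact matrix, and the control descriptions are assumptions made for the example.

```python
"""Added worked example of Steps 1-3: categorize assets by C/I/A value,
write risk statements as Threat + Asset, rate each on the likelihood x
impact matrix, and attach the justified mitigating controls.
Not code from the presentation; see the assumptions noted inline."""
from dataclasses import dataclass, field

LEVELS = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class Asset:
    name: str
    kind: str                 # process / information / application / system / network
    confidentiality: str
    integrity: str
    availability: str

    def criticality(self) -> str:
        """Overall asset value: the highest of its C/I/A values (an assumed
        aggregation rule; the slides assign the three values separately)."""
        top = max(LEVELS[v] for v in (self.confidentiality, self.integrity, self.availability))
        return next(name for name, n in LEVELS.items() if n == top)


def rate(likelihood: str, impact: str) -> str:
    """3x3 matrix from the 'Risk Analysis' slide. The slide labels cells
    LOW / MEDIUM / HIGH RISK without giving boundaries; the rule used here
    (an assumption) multiplies the two levels: 1-2 LOW, 3-4 MEDIUM, 6-9 HIGH."""
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:
        return "HIGH RISK"
    if score >= 3:
        return "MEDIUM RISK"
    return "LOW RISK"


@dataclass
class Risk:
    risk_id: str
    threat: str
    asset: Asset
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)   # mitigating control IDs

    def statement(self) -> str:
        """Risk statement = Threat + Asset, as on the 'Assess Risk' slide."""
        return f"{self.risk_id}: {self.threat} [asset: {self.asset.name}]"

    def rating(self) -> str:
        return rate(self.likelihood, self.impact)


# Control library: IDs from the 'Select Controls' slide; the slides give
# only the numbers, so the descriptions are placeholders.
CONTROL_LIBRARY = {cid: f"control {cid} (placeholder description)"
                   for cid in ("2.2.1", "2.2.2", "2.2.3", "3.1.2", "4.3.4")}


def prioritized(risks: list) -> list:
    """Treatment order: matrix rating first, then asset criticality, highest first."""
    order = {"HIGH RISK": 3, "MEDIUM RISK": 2, "LOW RISK": 1}
    return sorted(risks, key=lambda r: (order[r.rating()], LEVELS[r.asset.criticality()]),
                  reverse=True)


def unmapped_controls(risks: list) -> dict:
    """Control IDs referenced by a risk but missing from the library, per risk;
    catches typos before the register is reported upward."""
    return {r.risk_id: [c for c in r.controls if c not in CONTROL_LIBRARY]
            for r in risks if any(c not in CONTROL_LIBRARY for c in r.controls)}


def untreated(risks: list) -> list:
    """Risks rated above LOW RISK with no mitigating control mapped at all."""
    return [r.risk_id for r in risks if r.rating() != "LOW RISK" and not r.controls]


def build_register() -> list:
    """Constructed sample register; the asset C/I/A values are assumptions."""
    sys01 = Asset("SYS01", "system", "High", "High", "High")
    mpoe = Asset("MPOE external communications", "network", "Medium", "Medium", "High")
    records = Asset("Patient Records", "information", "High", "High", "Medium")
    return [
        Risk("Risk 1", "An outsider could tamper with SYS01 in order to gain system access.",
             sys01, "Low", "High", ["2.2.1", "2.2.2", "2.2.3"]),
        Risk("Risk 2", "A burst pipe above the MPOE could disrupt external communications.",
             mpoe, "Low", "High", ["4.3.4"]),
        Risk("Risk 3", "An outsider could use the SSLv2 vulnerability to intercept patient records.",
             records, "High", "High", ["3.1.2"]),
    ]


if __name__ == "__main__":
    register = build_register()
    for r in prioritized(register):
        print(f"{r.statement()}\n  {r.likelihood}/{r.impact} -> {r.rating()}; "
              f"controls: {', '.join(r.controls) or 'NONE'}")
    print("untreated:", untreated(register), "unmapped:", unmapped_controls(register))
```

Running the block prints Risk 3 first as HIGH RISK and the two Low/High risks as MEDIUM RISK; `untreated` and `unmapped_controls` are the two checks worth running before the register is handed to the control-selection step.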
Step 4: Operate Controls
Goal: Observe strict adherence to organizational control activities in order to ensure that risks are managed to appropriate levels.
Establish Policies and Procedures from selected Control Activities
  • Ensure clear direction for control standards
  • Establish organizational risk position and risk expectations
  • Set firm tone for risk management
Communicate control responsibilities
  • Communicate responsibilities to all staff, contractors, and 3rd parties
  • Ensure that all service providers adhere to control standards
  • Keep employees up-to-date with controls and responsibilities through awareness programs
Establish Process to Verify Ongoing Control Effectiveness
  • Generate an audit trail of control activities
  • Keep activity and event logs
  • Prepare for audit
Step 5: Measure Controls
Report and Measure
Goal: Ensure that “bottoms-up” information emerges from control operation to keep decision-makers informed of the changing risk landscape.
Report and Measure Against Existing Controls
  • Statewide or entity-level control frameworks should be homogenous
  • Control frameworks produce easily understood reports and reporting frameworks
  • Measuring against control frameworks allows the state to measure real “residual risks” (the amount of risk left over after controls).
Highlight “Residual Risks” from Control Deficiencies and Immaturity
  • Immaturity and poor operation of a control reveal residual risks. These risks can be mitigated through remediation
  • Other residual risks may occur due to a lack of, or unawareness of the need for, a control.
Stay Consistent
  • Keep risk reporting processes aligned to the control framework
  • The framework should be highly organized, yet flexible for year-over-year changes
  • Consistency allows for better analysis of risk patterns and year-over-year trends
Provide Report Data to Executive Decision-Makers
  • Develop consistent reports for both state entities and state executives
  • Report against key framework objectives (e.g., “Logical Access Controls”, “Personnel Security”, “Physical Access Controls”, “Malicious Code Prevention”, etc.)
Measure Progress
Level  Name         Description
5      Optimized    Management reviews reports and makes consistent program adjustments
4      Managed      Documented processes and policies have accountability to specific metrics that are routinely measured and reported
3      Documented   The repeatable processes are defined, documented and staff trained.
2      Repeatable   Processes are routinely performed in a similar fashion by multiple staff members.
1      Ad Hoc       Processes are performed on an individual basis and risks are dependent on the dedication and insight of specific staff
0      Unaware
[Chart: maturity scale from 0 Unaware to 5 Optimized, with the organization's Current State marked on it.]
The COBIT model will help guide IT staff to design, deploy and operate a sustainable security program that is not dependent on any single individual.
Challenges for Statewide Risk Management
1. Oversight for Processes and Standards
  o Where is the locus of control? Within a Centralized Authority or Decentralized Authority?
  o Have standards for information security across all state entities been established or codified into state law?
  o Do agencies/state entities have sufficient internal security leadership to implement programs?
  o Are resources allocated to remediate the most vulnerable systems with the highest impact?
  o Does the state have sufficient processes in place to enforce security controls and standards?
2. Coordinating Risk Assessment Plans
  o Are regular risk assessments executed across all state entities?
  o Are standards for risk assessment methodology established, so risk information can be compared across state entities?
  o Are there sufficient tools and staff available to adequately assess risk?
  o Can agencies share data with the expectation of uniform protection?
3. Measuring Risk
  o How does the state measure risk?
  o At the executive level, controls and risks are not “black and white”. Findings must not be based on prescribed control frameworks, since some level of control will always be “not in place”. Issue: provide a credible report to justify action.
  o Need to assess maturity of risk management and reporting processes in such a way as to test comfort with risk, rather than prescribed controls.
4. Reporting
  o How are risk assessment and audit results communicated to executives?
  o Are state executives and legislators sufficiently informed of risk?
  o Have reporting expectations been established for state entities?
  o Is there a repeatable reporting process in place across the state entities, so results are centrally coordinated, organized, and managed?
Overcoming the Challenges
MS-ISAC and State of Oklahoma
State Challenges
  - Need to coordinate risk assessment planning and implement a consistent risk methodology
  - Need to ensure risk is accurately captured (and not prescribed) from smaller entities to large agencies
  - Need to efficiently collect risk data from across hundreds of state entities
MS-ISAC Challenges
  - Need to generate consistent standards for cyber security risk reporting and measurement from the 50 participating states
  - Need to implement a risk-based measurement system that could reflect disparity in control from state to state
  - Need to overcome disparity in security leadership and security standards that exist from state to state (need a common yardstick)
Coalfire Navis Risk Management Platform
  • Relational control requirements link different security programs together
  • Common measurement system (Control Maturity Ranking Index - CMRI) allows for flexible risk measurement, even at state executive level
  • Flexible organizational structures permit hierarchical risk reporting
  • System automatically implements centralized intrastate and interstate risk reporting structures
  • Common Control Framework
  • Extensive Control Library
  • Hierarchical Risk Reporting
  • Coordinated Control & Risk Data
  • Centralized Reporting Processes
  • Coordinated Risk Measurement
Common Risk Measurement - CMRI
Level: Control Performance & Implementation Indicators
Ad-Hoc: Activities for this control are either not in place or are performed through undocumented, unstructured activities. The implementation of the control is unstructured at best.
Documented State Policy: The state has adopted a state-wide policy on this control, but the exact standards and specifications for its implementation are undefined.
Documented Standard and/or Procedures: Statewide or agency-specific standards and specifications have been documented and communicated to all state agencies/departments/functions.
Risk Awareness: The State is aware that there is risk that may drive the selection of this control, but the control may not be in place within all risk areas. The State measures the implementation and adoption of the control, but only partial results may be available.
Risk Treated: The state makes formal risk-based decisions on when to implement the control based on the outcomes of risk assessment. These assessments cover all areas of state operations deemed appropriate.
Risk Validated: The control has been formally audited and/or tested by an independent entity. The control has been validated as sufficiently meeting risk mitigation/treatment requirements.
[The slide annotates this scale from Immature, through Mature, to Very Mature.]
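An added Python example (not code from the presentation or from the Navis platform) for the "Measure Progress" chart and the CMRI levels above: it scores each control on the six CMRI levels, derives the residual risk left after controls as described under Step 5, lists control deficiencies and immaturity, and compares two assessment snapshots for a year-over-year trend. The control IDs come from the "Select Controls" slide; the maturity values, the 0 to 5 numbering of the CMRI levels, the target level and the residual-risk formula are assumptions made for the example.

```python
"""Added worked example: control maturity on the CMRI scale, residual risk
after controls, control deficiencies, and year-over-year trend. Not code
from the presentation; the numbering, formula and sample values are assumed."""

# The six CMRI levels from the slide, indexed 0..5 so they line up with the
# 0..5 maturity scale on the 'Measure Progress' chart (an assumed mapping).
CMRI_LEVELS = [
    "Ad-Hoc",
    "Documented State Policy",
    "Documented Standard and/or Procedures",
    "Risk Awareness",
    "Risk Treated",
    "Risk Validated",
]
TOP = len(CMRI_LEVELS) - 1   # 5


def maturity_level(name: str) -> int:
    """Numeric level of a CMRI level name. Raises ValueError on an unknown
    name so a typo in an assessment never silently scores as Ad-Hoc."""
    return CMRI_LEVELS.index(name)


def residual_score(inherent: int, control_levels: list) -> float:
    """Residual risk left after controls. Assumed rule: the best-implemented
    mapped control sets the effective maturity m, and the inherent
    likelihood x impact score (1..9) is scaled by (TOP - m) / TOP.
    With no mapped controls the full inherent score remains."""
    m = max(control_levels, default=0)
    return round(inherent * (TOP - m) / TOP, 2)


def rating(score: float) -> str:
    """LOW / MEDIUM / HIGH bands of a 3x3 likelihood x impact matrix (assumed thresholds)."""
    if score >= 6:
        return "HIGH"
    if score >= 3:
        return "MEDIUM"
    return "LOW"


def residual_register(risks: dict, assessment: dict) -> dict:
    """risks: risk_id -> (inherent score, [control ids]);
    assessment: control id -> CMRI level name.
    Controls that were never assessed contribute no mitigation.
    Returns risk_id -> (residual score, rating)."""
    out = {}
    for rid, (inherent, ctrls) in risks.items():
        levels = [maturity_level(assessment[c]) for c in ctrls if c in assessment]
        score = residual_score(inherent, levels)
        out[rid] = (score, rating(score))
    return out


def deficiencies(assessment: dict, target: str = "Risk Treated") -> list:
    """Controls below the target level: the 'immaturity' source of residual
    risk named on the Step 5 slide. The default target is an assumption."""
    t = maturity_level(target)
    return sorted(c for c, lvl in assessment.items() if maturity_level(lvl) < t)


def trend(previous: dict, current: dict) -> dict:
    """Year-over-year comparison of two assessments against the same control
    framework; a control absent from a snapshot is treated as Ad-Hoc."""
    result = {"improved": [], "regressed": [], "unchanged": []}
    for c in sorted(set(previous) | set(current)):
        before = maturity_level(previous.get(c, "Ad-Hoc"))
        after = maturity_level(current.get(c, "Ad-Hoc"))
        key = "improved" if after > before else "regressed" if after < before else "unchanged"
        result[key].append(c)
    return result


# Constructed sample data (not from the slides). Inherent scores are
# likelihood x impact with Low=1, High=3 for the three 'Assess Risk' risks;
# the maturity values are made up for illustration.
RISKS = {
    "Risk 1": (3, ["2.2.1", "2.2.2", "2.2.3"]),
    "Risk 2": (3, ["4.3.4"]),
    "Risk 3": (9, ["3.1.2"]),
}
ASSESSMENT_PRIOR_YEAR = {
    "2.2.1": "Risk Validated", "2.2.2": "Risk Awareness",
    "2.2.3": "Documented Standard and/or Procedures",
    "4.3.4": "Risk Awareness", "3.1.2": "Ad-Hoc",
}
ASSESSMENT_THIS_YEAR = {
    "2.2.1": "Risk Validated", "2.2.2": "Risk Awareness",
    "2.2.3": "Documented Standard and/or Procedures",
    "4.3.4": "Documented State Policy", "3.1.2": "Documented State Policy",
}

if __name__ == "__main__":
    for rid, (score, band) in residual_register(RISKS, ASSESSMENT_THIS_YEAR).items():
        print(f"{rid}: residual {score} -> {band}")
    print("below target:", deficiencies(ASSESSMENT_THIS_YEAR))
    print("trend:", trend(ASSESSMENT_PRIOR_YEAR, ASSESSMENT_THIS_YEAR))
```

In the sample data Risk 3 keeps a HIGH residual rating because its only control (3.1.2) is still at the Documented State Policy level, and the trend report shows 4.3.4 regressing from Risk Awareness; both are the kind of "residual risk from control deficiency and immaturity" the Step 5 slide asks to highlight for decision-makers.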
[Diagram labels: Risk Determination; Remediation Plan; Priority; Resources; Funding; Joint Responsibility; Residual Risk; Comparative Analysis.]
Questions
Rick Dakin
Rick.dakin@coalfiresystems.com
303.554.6333 ext. 7001
Knowledge – Action = Risk Acceptance