An Overview of Risk Management - Utica College

Page 1

1

2

3

Introduction

Risk management: process of identifying and controlling risks facing an organization

Risk identification: process of examining an organization’s current information technology security situation

Risk assessment: assign a risk rating to each asset

Risk control: applying controls to reduce risks to an organization's data and information systems

4

An Overview of Risk Management

Know yourself: identify, examine, and understand the information and systems currently in place

Know the enemy: identify, examine, and understand threats facing the organization

Responsibility of each community of interest within an organization to manage risks that are encountered

5

An Overview of Risk Management (cont’d)

Information security, management and users, information technology all must work together

Periodic management review:

Verify completeness/accuracy of asset inventory

Review and verify threats as well as controls and mitigation strategies

Review cost effectiveness of each control

Verify effectiveness of controls deployed

6

Risk Identification

Steps:

Plan and organize the process

Categorize system components

Inventory and categorize assets

Identify threats

Specify vulnerable assets

Page 2

7

Risk Identification

Risk identification begins with the process of self-examination

Managers identify the organization’s information assets, classify them into useful groups, and prioritize them by their overall importance

8

Creating an Inventory of Information Assets

Identify information assets, including people, procedures, data and information, software, hardware, and networking elements

Should be done without pre-judging value of each asset

Values will be assigned later in the process

9

Table 4-1 - Categorizing Components

10

Identifying Hardware, Software, and Network Assets

Whether automated or manual, the inventory process requires a certain amount of planning

Determine which attributes of each of these information assets should be tracked

Will depend on the needs of the organization and its risk management efforts

11

Attributes for Assets

When deciding which attributes to track for each information asset, consider the following list of potential attributes:

Name

IP address

MAC address

Asset type

Serial number

Manufacturer name

Manufacturer's model or part number

Software version, update revision, or FCO number

Physical location

Logical location

Controlling entity

12

People, Procedures, and Data Asset Identification

More difficult to identify

Responsibility for identifying, describing, and evaluating these information assets should be assigned to managers who possess the necessary knowledge, experience, and judgment

Page 3

13

Suggested Attributes for People, Procedures, and Data Assets

People

Position name/number/ID

Supervisor name/number/ID

Security clearance level

Special skills

Procedures

Description

Intended purpose

Software/hardware/networking elements to which it is tied

Location where it is stored for reference

Location where it is stored for update purposes

14

Suggested Attributes for People, Procedures, and Data Assets

Data

Classification

Owner/creator/manager

Size of data structure

Data structure used

Online or offline

Location

Backup procedures

15

Classifying and Categorizing Assets

Once initial inventory is assembled, determine whether its asset categories are meaningful

Inventory should also reflect sensitivity and security priority assigned to each information asset

A classification scheme categorizes these information assets based on their sensitivity and security needs

16

Classifying and Categorizing Assets (Continued)

Each of these categories designates level of protection needed for a particular information asset

Some asset types, such as personnel, may require an alternative classification scheme that would identify the clearance needed to use the asset type

Classification categories must be comprehensive and mutually exclusive

17

Information Asset Classification

Many organizations have data classification schemes (e.g., confidential, internal, public data)

Classification of components must be specific to allow determination of priority levels

Categories must be comprehensive and mutually exclusive

Information owners responsible for classifying their information assets

Information classifications must be reviewed periodically

Corresponds to security clearance level

18

Management of Classified Information Assets

Managing an information asset includes considering the storage, distribution, portability, and destruction of that information asset

Information asset that has a classification designation other than unclassified or public:

Must be clearly marked as such

Must be available only to authorized individuals

Page 4

19

Management of Classified Information Assets

To maintain confidentiality of classified documents, managers can implement a clean desk policy

When copies of classified information are no longer valuable or too many copies exist, care should be taken to destroy them properly to discourage dumpster diving

20

Military Data Classification Cover Sheets

21

22

Assessing Values for Information Assets

As each information asset is identified, categorized, and classified, assign a relative value

Relative values are comparative judgments made to ensure that the most valuable information assets are given the highest priority, for example:

Which information asset is the most critical to the success of the organization?

Which information asset generates the most revenue?

Which information asset generates the highest profitability?

Which information asset is the most expensive to replace?

Which information asset is the most expensive to protect?

Which information asset's loss or compromise would be the most embarrassing or cause the greatest liability?

23

Listing Assets in Order of Importance

The final step in the asset identification process is to list the assets in order of importance

Can be achieved by using a weighted factor analysis sheet

24

Table 4-2 – Example Weighted Factor Analysis

Page 5

25

Threat Identification

Each threat presents a unique challenge to information security

Must be handled with specific controls that directly address particular threat and threat agent’s attack strategy

Before threats can be assessed in risk identification process, each threat must be further examined to determine its potential to affect targeted information asset

In general, referred to as threat assessment

26

Threats to Information Security

27

Weighted Ranking of Threat-Driven Expenditures

Top Threat-Driven Expenses (rating)

Deliberate software attacks: 12.7
Acts of human error or failure: 7.6
Technical software failures or errors: 7.0
Technical hardware failures or errors: 6.0
Quality-of-service deviations from service providers: 4.9
Deliberate acts of espionage or trespass: 4.7
Deliberate acts of theft: 4.1
Deliberate acts of sabotage or vandalism: 4.0
Technological obsolescence: 3.3
Forces of nature: 3.0
Compromises to intellectual property: 2.2
Deliberate acts of information extortion: 1.0

28

Vulnerability Assessment

Once you have identified the information assets of the organization and documented some threat assessment criteria, you can begin to review every information asset for each threat

Leads to creation of list of vulnerabilities that remain potential risks to organization

Vulnerabilities are specific avenues that threat agents can exploit to attack an information asset

At the end of the risk identification process, a list of assets and their vulnerabilities has been developed

This list serves as starting point for next step in the risk management process—risk assessment

29

Risk Assessment

The goal at this point is to create a method to evaluate relative risk of each listed vulnerability

30

Risk Assessment

Steps:

Assign value to attack on assets

Assess likelihood of attack on vulnerabilities

Calculate relative risk factor to assets

Review possible controls

Document findings

Page 6

31

Risk Estimate Factors

Risk is:

the likelihood of the occurrence of a vulnerability

multiplied by the value of the information asset

minus the percentage of risk mitigated by current controls

plus the uncertainty of current knowledge of the vulnerability

32

Likelihood

Likelihood is the overall rating - often a numerical value on a defined scale (such as 0.1 – 1.0) - of the probability that a specific vulnerability will be exploited

Can also use a weighted score, e.g. 1–100, low-med-high, etc.

33

Valuation of Information Assets

Assign weighted scores for value of each asset; actual number used can vary with needs of organization

Can use the one from Risk Identification with some refinement if necessary

34

Percentage of Risk Mitigated by Current Controls

If a vulnerability is fully managed by an existing control, it can be set aside

If it is partially controlled, estimate what percentage of the vulnerability has been controlled

35

Uncertainty

It is not possible to know everything about every vulnerability

The degree to which a current control can reduce risk is also subject to estimation error

Uncertainty is an estimate made by the manager using judgment and experience

36

Risk Determination Example

Asset A has a value of 20 and has one vulnerability, which has a likelihood of 1.0 with no current controls

Your assumptions and data are 75% accurate

Asset B has a value of 90 and has two vulnerabilities

Vulnerability #2 has a likelihood of 0.4 with a current control that addresses 50% of its risk

Vulnerability #3 has a likelihood of 0.1 with no current controls

Your assumptions and data are 80% accurate

Page 7

37

Risk Determination Example

Resulting ranked list of risk ratings for the three vulnerabilities is as follows:

Asset A: Vulnerability 1 rated as 25 = (20 × 1.0) – 0% + 25%

Asset B: Vulnerability 2 rated as 25.2 = (90 × 0.4) – 50% + 20%

Asset B: Vulnerability 3 rated as 10.8 = (90 × 0.1) – 0% + 20%
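An added example (my code, not from the slides or the course) that implements the Risk Estimate Factors formula above and reproduces the three ratings, then ranks them. The reading that both percentages are taken of the likelihood × value product is my assumption, chosen because it matches the slide's figures; the `Vulnerability` class and `ranked_risks` helper are my names.

```python
"""Relative risk rating from the slides' Risk Estimate Factors:

    risk = (likelihood x asset value)
           - percentage of that product mitigated by current controls
           + percentage of that product reflecting uncertainty

Taking both percentages of the likelihood x value product is an assumption;
it is what reproduces the slide's figures (e.g. 25.2 for Asset B, vuln 2)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    vuln_id: int
    asset_value: float   # weighted value score for the asset (20 and 90 on the slide)
    likelihood: float    # probability of exploitation on the slide's 0.0-1.0 scale
    mitigated: float     # fraction of the risk addressed by current controls
    uncertainty: float   # 1 - accuracy of our assumptions and data (75% accurate -> 0.25)


def risk_rating(v: Vulnerability) -> float:
    """Rating for one vulnerability, rounded to two decimals like the slide."""
    for name in ("likelihood", "mitigated", "uncertainty"):
        if not 0.0 <= getattr(v, name) <= 1.0:
            raise ValueError(f"{name} must be a fraction between 0.0 and 1.0")
    base = v.asset_value * v.likelihood
    return round(base - base * v.mitigated + base * v.uncertainty, 2)


def ranked_risks(vulns: list[Vulnerability]) -> list[tuple[str, int, float]]:
    """(asset, vulnerability id, rating) tuples, highest rating first.

    A vulnerability fully managed by an existing control is set aside, as the
    'Percentage of Risk Mitigated by Current Controls' slide says."""
    rated = [(v.asset, v.vuln_id, risk_rating(v)) for v in vulns if v.mitigated < 1.0]
    return sorted(rated, key=lambda entry: entry[2], reverse=True)


# Constructed from the slide's Risk Determination Example.
SLIDE_EXAMPLE = [
    Vulnerability("Asset A", 1, asset_value=20, likelihood=1.0, mitigated=0.0, uncertainty=0.25),
    Vulnerability("Asset B", 2, asset_value=90, likelihood=0.4, mitigated=0.5, uncertainty=0.20),
    Vulnerability("Asset B", 3, asset_value=90, likelihood=0.1, mitigated=0.0, uncertainty=0.20),
]

if __name__ == "__main__":
    for asset, vuln_id, rating in ranked_risks(SLIDE_EXAMPLE):
        print(f"{asset}: Vulnerability {vuln_id} rated as {rating}")
```

Note that ranking by rating puts Asset B's vulnerability 2 (25.2) ahead of Asset A's vulnerability 1 (25), even though Asset A's likelihood is higher.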

38

Identify Possible Controls

For each threat and its associated vulnerabilities that have risk of being exploited, create a preliminary list of control ideas

Three general categories of controls exist:

Policies

Programs (education, training, and awareness programs)

Technical controls

39

Documenting the Results of Risk Assessment

The goal of the risk management process:

Identify information assets and their vulnerabilities

Rank them according to the need for protection

In preparing this list, a wealth of factual information about the assets and the threats they face is collected

Also, information about the controls that are already in place is collected

The final summarized document is the ranked vulnerability risk worksheet

40

Ranked Vulnerability Risk Worksheet

What’s the assumption made in this worksheet?

41

Documenting the Results of Risk Assessment (Continued)

By the end of risk assessment, you should have three deliverables

Information asset classification worksheet

Weighted factor analysis worksheet

Ranked vulnerability risk worksheet

Risk Control

Page 8

43

Introduction

The primary goal of risk control is to reduce risk to an acceptable level

What level is acceptable?

It is impossible to design and deploy a totally risk-free environment

Risk control is often achieved by applying safeguards

Safeguard: anything that removes a vulnerability or protects against one or more specific threats.

44

45

Risk Control Strategies

An organization must choose one of four basic strategies to control risks:

Avoidance: applying safeguards that eliminate or reduce the remaining uncontrolled risks for the vulnerability

Transference: shifting the risk to other areas or to outside entities

Mitigation: reducing the impact should the vulnerability be exploited

Acceptance: understanding the consequences and accepting the risk without control or mitigation

46

Avoidance

Avoidance is the risk control strategy that attempts to prevent the exploitation of the vulnerability

Avoidance is accomplished through:

Application of policy

Application of training and education

Countering threats

Implementation of technical security controls and safeguards

47

Transference

Transference is the control approach that attempts to shift the risk to other assets, other processes, or other organizations

May be accomplished by:

Rethinking how services are offered

Revising deployment models

Outsourcing to other organizations

Purchasing insurance

Implementing service contracts with providers

48

Mitigation

Reduce, by means of planning and preparation, the damage caused by the exploitation of a vulnerability

This approach includes three types of plans:

Disaster recovery plan (DRP)

Incident response plan (IRP)

Business continuity plan (BCP)

Mitigation depends upon the ability to detect and respond to an attack as quickly as possible

Page 9

49

Summaries of Mitigation Plans

50

Acceptance

Acceptance of risk is the choice to do nothing to protect an information asset and to accept the outcome from any resulting exploitation.

It also means that management has agreed to accept the consequences and the loss if the risk is realized.

This control, or lack of control, assumes that it may be a prudent business decision to

Examine alternatives

Conclude the cost of protecting an asset does not justify the security expenditure

51

Acceptance (Continued)

Only valid use of acceptance strategy occurs when organization has:

Determined the level of risk to the information asset

Assessed the probability of attack and the likelihood of a successful exploitation of the vulnerability

Approximated the ARO of the exploit

Estimated the potential loss from attacks

Performed a thorough cost benefit analysis

Evaluated controls using each appropriate type of feasibility

Decided that the particular asset did not justify the cost of protection

Usually requires a sign-off letter.

52

Risk Control Strategy Selection

Risk control involves selecting one of the four risk control strategies for the vulnerabilities present within the organization

If the loss is within the range of losses the organization can absorb, or if the attacker’s gain is less than expected costs of the attack, the organization may choose to accept the risk

Otherwise, one of the other control strategies will have to be selected

53

Risk Handling Action Points

54

Risk Control Strategy Selection

Some rules:

When a vulnerability exists: implement security controls to reduce the likelihood of the vulnerability being exercised

When a vulnerability can be exploited: apply layered controls to minimize the risk or prevent occurrence

When the attacker's potential gain is greater than the costs of attack: apply protections to increase the attacker's cost, or reduce the attacker's gain, using technical or managerial controls

When potential loss is substantial: apply design controls to limit the extent of the attack, thereby reducing the potential for loss

Page 10

55

Evaluation, Assessment, And Maintenance Of Risk Controls

Once a control strategy has been selected and implemented:

The effectiveness of controls should be monitored and measured on an ongoing basis

The accuracy of the estimate of the risk that will remain after all planned controls are in place should also be checked

56

The Risk Control Cycle

57

Feasibility Studies and Cost Benefit Analysis

Before deciding on the strategy for a specific vulnerability, all readily accessible information about the consequences of the vulnerability must be explored

“What are the advantages of implementing a control as opposed to the disadvantages of implementing the control?”

Number of ways to determine advantage or disadvantage of a specific control

Primary means are based on the value of information assets that control is designed to protect

58

Cost Benefit Analysis (CBA)

Economic feasibility: the criterion most commonly used when evaluating a project that implements information security controls and safeguards

A primary goal is to ensure that only cost-effective safeguards are deployed.

Organizations are urged to begin a cost benefit analysis by evaluating:

The worth of the information assets to be protected

The loss in value if those information assets are compromised

59

Cost

Just as it is difficult to determine the value of information, it is difficult to determine the cost of safeguarding it

Some of the items that affect the cost of a control or safeguard include:

Cost of purchase, development, and licensing

Cost of implementation and customization

Cost of annual operation, maintenance, administration, and so on

Cost of annual repairs and upgrades

Productivity improvement or loss

Changes to environment

Cost of testing and evaluation

Training fees

60

Benefit

Benefit is the value to the organization of using controls to prevent losses associated with a specific vulnerability

Usually determined by:

Valuing the information asset or assets exposed by the vulnerability

Determining how much of that value is at risk and how much risk there is for the asset

Determining the annualized loss expectancy (ALE)

Benefit is expressed as the reduction in ALE due to implementation of the control/safeguard

Page 11

61

Asset Valuation

Asset valuation is the process of assigning financial value or worth to each information asset

Actual cost

Non-monetary expenses

62

Asset Valuation (Cont’d)

63

SLE

Single loss expectancy (SLE): the cost associated with a single realized risk against specific asset

Based on asset value and expected percentage of loss that would occur from a particular attack:

SLE = asset value (AV) × exposure factor (EF)

where EF = the percentage loss if a specific asset were violated by a realized risk

Example: if an asset is valued at $20,000, and it has an EF of 45% for a specific threat, then the SLE of the threat for that asset is _____.

This information is usually estimated

64

ARO

Annualized rate of occurrence (ARO): the expected frequency with which a specific threat or risk will occur within a single year

Needs estimation:

Learn from history

Guesswork

Statistical analysis

65

ALE

Annualized loss expectancy (ALE): the possible yearly cost of all instances of a specific realized threat against a specific asset

ALE = SLE × ARO

66

The Cost Benefit Analysis (CBA) Formula

CBA determines whether or not a control alternative is worth its associated cost

CBAs may be calculated

Before a control or safeguard is implemented, to determine if the control is worth implementing, or

After controls have been implemented and have been functioning for a time:

CBA = ALE(prior) – ALE(post) – ACS

Page 12

67

The Cost Benefit Analysis (CBA) Formula

ALE(prior to control) is the annualized loss expectancy of the risk before the implementation of the control

ALE(post control) is the ALE examined after the control has been in place for a period of time

ACS is the annual cost of the safeguard

68

Example 1

A computer is susceptible to hacker attack. If a hacker attack were successful, it would cause a financial loss of $5,000. Assume hacker attacks happen once every six months. Calculate ARO, SLE, and ALE.

A new firewall is installed on the computer; now a hacker attack happens once every two years. The financial loss is the same if the attack happens. Calculate ARO, SLE, and ALE.

The cost of the firewall is $6,000 (treat this as the annual cost). Is this control (firewall) economically feasible according to cost-benefit analysis?

69

Example 2

A company is considering installing an intrusion detection system (IDS). Currently an intrusion (hacker attack) happens once every month on average. Each intrusion costs about $10,000. The IDS will be able to detect 90% of the intrusions. When an intrusion is detected, the average financial loss due to that intrusion will be reduced to $2,000. The cost of the IDS is $50,000. Use CBA to decide whether the IDS is economically feasible.
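An added example (my code, not from the slides or the course) that works the SLE, ARO, ALE and CBA formulas from the preceding slides through Examples 1 and 2. It assumes that a successful attack in Example 1 loses the full $5,000 (EF = 1.0), that in Example 2 the IDS changes the loss per intrusion rather than the ARO, that the 10% of intrusions the IDS misses still cost the full $10,000, and that the $50,000 IDS cost is treated as an annual cost as Example 1 does for the firewall; the function names are mine.

```python
"""Cost benefit analysis with the quantities defined on the slides:

    SLE = AV x EF        ALE = SLE x ARO        CBA = ALE(prior) - ALE(post) - ACS

A safeguard is taken to be economically feasible when the CBA is positive."""


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: cost of one realized risk. EF is the fraction of the asset's value lost."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0.0 and 1.0")
    return round(asset_value * exposure_factor, 2)


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE: expected yearly loss. ARO is occurrences per year and may be below 1."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return round(sle * aro, 2)


def cost_benefit(ale_prior: float, ale_post: float, annual_cost_of_safeguard: float) -> float:
    """The CBA formula from the slides; a positive result means the safeguard pays off."""
    return round(ale_prior - ale_post - annual_cost_of_safeguard, 2)


def example_1_firewall() -> dict:
    """Slide Example 1. Assumption: a successful attack loses the full $5,000 (EF = 1.0)."""
    sle = single_loss_expectancy(5_000, 1.0)
    aro_prior = 2.0    # once every six months
    aro_post = 0.5     # once every two years with the firewall in place
    ale_prior = annualized_loss_expectancy(sle, aro_prior)
    ale_post = annualized_loss_expectancy(sle, aro_post)
    cba = cost_benefit(ale_prior, ale_post, 6_000)   # slide: treat $6,000 as the annual cost
    return {"sle": sle, "aro_prior": aro_prior, "ale_prior": ale_prior,
            "aro_post": aro_post, "ale_post": ale_post, "cba": cba, "feasible": cba > 0}


def example_2_ids() -> dict:
    """Slide Example 2. Assumptions: the IDS changes the loss per intrusion, not the
    ARO; the 10% of intrusions it misses still cost the full $10,000; and the $50,000
    IDS cost is treated as an annual cost, as Example 1 does for the firewall."""
    aro = 12.0                  # once a month, before and after the IDS
    detected, missed = 0.9, 0.1
    ale_prior = annualized_loss_expectancy(10_000, aro)
    loss_per_intrusion_post = detected * 2_000 + missed * 10_000
    ale_post = annualized_loss_expectancy(loss_per_intrusion_post, aro)
    cba = cost_benefit(ale_prior, ale_post, 50_000)
    return {"ale_prior": ale_prior, "loss_per_intrusion_post": loss_per_intrusion_post,
            "ale_post": ale_post, "cba": cba, "feasible": cba > 0}


if __name__ == "__main__":
    for name, result in (("Example 1 (firewall)", example_1_firewall()),
                         ("Example 2 (IDS)", example_2_ids())):
        print(name, result)
```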

70

CBA discussion

It is a daunting job to calculate EF, SLE, ARO, and ALE for every asset and every threat/risk

Fortunately, there are quantitative risk assessment tools available.

71

Other Feasibility Approaches

Organizational feasibility analysis examines how well proposed information security alternatives will contribute to the operation of an organization

Operational feasibility

Technical feasibility examines whether or not the organization has or can acquire the technology to implement and support the alternatives

Political feasibility defines what can and cannot occur based on the consensus and relationships between the communities of interest

72

Benchmarking

Benchmarking is an activity where organizations continuously engage in self-study and compare themselves with the leaders in their field so they can identify, adapt, and apply significantly better practices. Benchmarking:

Seeking out and studying practices of other organizations that produce desired results

Measuring differences between how organizations conduct business

When benchmarking, an organization typically uses one of two measures to compare practices:

Metrics-based measures are comparisons based on numerical standards

Process-based measures are generally less focused on numbers and are more strategic

Page 13

73

Benchmarking Steps

Self-assessment. Decide what to benchmark.

Comparison. Decide who to benchmark.

Analysis and Adaptation. Ask why you are getting your results and why others are getting better results.

Implementation. Think carefully about what enablers (e.g., resources, schedule changes) are needed.

Feedback. Carefully monitor and measure the results of your innovation and recalibrate if necessary.

74

Benchmarking (Continued)

In the field of information security, two categories of benchmarks are used:

Standards of due care and due diligence, and

Best practices

75

Due Care and Due Diligence

For legal reasons, an organization may be forced to adopt a certain minimum level of security

When organizations adopt levels of security for legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances

Called standard of due care

Due diligence is demonstration that organization is persistent in ensuring implemented standards continue to provide required level of protection

76

Best Business Practices

Best business practices: security efforts that seek to provide a superior level of performance

Are among the best in the industry, balancing access to information with adequate protection, while maintaining a solid degree of fiscal responsibility

Companies with best practices may not be the best in every area

May simply have established an extremely high quality or successful security effort in one or more area

http://fasp.nist.gov

77

The Gold Standard

Even the best business practices are not sufficient for some organizations

These organizations aspire to set the standard by implementing the most protective, supportive, and yet fiscally responsible standards they can

The gold standard is a defining level of performance that demonstrates a company's industrial leadership, quality, and concern for the protection of information

Seeking the gold standard is a method of striving for excellence

78

Applying Best Practices

When considering best practices for adoption, address the following questions:

Does your organization resemble the organization that is implementing the best practice under consideration?

Is your organization in a similar industry?

Does your organization face similar challenges?

Is your organizational structure similar to the organization from which you are modeling the best practices?

Can your organization expend resources that are in line with the requirements of the best practice?

Is your organization in a similar threat environment as the one cited in the best practice?

Page 14

79

Problems with Benchmarking and Best Practices

Organizations don’t talk to each other

No two organizations are identical

Best practices are a moving target

Simply knowing what was going on a few years ago does not necessarily indicate what to do next

80

Baselining

Baselining is the analysis of measures against established standards

In information security, baselining is the comparison of security activities and events against the organization’s future performance

The information gathered for an organization’s first risk assessment becomes the baseline for future comparisons

81

Risk Appetite

Risk appetite defines the quantity and nature of risk that organizations are willing to accept, as they evaluate the trade-offs between perfect security and unlimited accessibility

Reasoned approach to risk is one that balances expense against possible losses if exploited

82

Residual Risk

When vulnerabilities have been controlled as much as possible, there is often remaining risk that has not been completely accounted for: residual risk

83

Residual Risk

The significance of residual risk must be judged within the context of an organization’s risk appetite

The goal of information security is not to bring residual risk to zero, but to bring it in line with an organization’s risk appetite

84

Documenting Results

When the risk management program has been completed, a series of proposed controls is prepared

Each justified by one or more feasibility or rationalization approaches

At minimum, each information asset-threat pair should have a documented control strategy that

Clearly identifies any residual risk remaining after the proposed strategy has been executed

Page 15

85

Documenting Results

Some organizations document outcome of control strategy for each information asset-threat pair in an action plan

Includes:

Concrete tasks, each with accountability assigned to an organizational unit or to an individual

86

Qualitative Measures

Quantitative assessment performs asset valuation with actual values or estimates

An organization could determine that it cannot put specific numbers on these values

Organizations could use qualitative assessments instead.

More scenario based

Rank threats on a scale to evaluate their risks, costs and effects

87

Qualitative Risk Analysis

Brainstorming

Delphi technique

Storyboarding

Focus groups

Surveys

Questionnaires

Checklists

One-on-one meetings

Interviews

88

Scenarios

Basic process for all qualitative mechanisms is to create scenarios

A scenario is a written description of a single major threat.

Focus on how a threat would be instigated and what effects it could have on the organization, IT infrastructure and specific assets.

Generally one page each

Assign a threat level to the scenario, a loss potential and the advantages of each safeguard.

89

Delphi Technique

An anonymous feedback and response process

Elicits honest and uninfluenced responses from all participants

Round-by-round:

Each participant writes down a response on paper anonymously

Results are compiled and presented to the group for evaluation

Until consensus is reached

90

The usefulness and validity of a qualitative measure is improved as the number and diversity of the participants in the evaluation increases.

One or more persons from each level

One or more from each major department, division, or branch

Page 16

91

Comparison of Quantitative and Qualitative