CSRC - Effective Risk Analysis...2000/10/19 · Risk Management Cycle Central Focal Point Promote...
Transcript of CSRC - Effective Risk Analysis...2000/10/19 · Risk Management Cycle Central Focal Point Promote...
Driving eBusiness PerformanceSM
Effective Risk Analysis
Thomas R. Peltier, CISSP
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 2
Abstract
Effective Risk Analysis• The dictionary defines RISK as "someone or something that
creates or suggests a hazard". It is one of the many costs ofdoing business or providing a service today.
• Information security professionals know and understand thatnothing ever runs smoothly for very long. Any manner ofinternal or external hazard or risk can cause a well runningorganization to lose competitive advantage, miss a deadline,or suffer embarrassment. As security professionals,management looks to us to provide a method that allows forthe systematic review of risk, threats, hazards and concernsand provide cost-effective measures to lower risk to anacceptable level. This session will review the currentpractical application of cost-effective risk analysis.
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 3
Effective Risk Analysis
• Frequently Asked Questions– Why should a risk analysis be conducted?
– When should a risk analysis be conducted?
– Who should conduct the risk analysis?
– How long should a risk analysis take?
– What can a risk analysis analyze?
– What can the results of a risk analysis tell anorganization?
– Who should review the results of a risk analysis?
– How is the success of the risk analysis measured?
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 4
Effective Risk Analysis
• Risk Analysis as part of an organization-wide information quality assurance program– Supporting Business Objectives or Mission
requires• Identification of customer requirements
– Sensitivity of information– Availability of the system or application
• Basic enterprise requirements include– Information classification– Business Impact Analysis (BIA)– Risk analysis– Intellectual property safeguards
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 5
Effective Risk Analysis
• The goal of an enterprise-wide informationquality assurance program is to preservethe:– Integrity
– Confidentiality
– Availability
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 6
Effective Risk Analysis
• Information protection in quality assuranceworks with three key elements:– Integrity - the information is as intended
without inappropriate modification orcorruption
– Confidentiality - the information is protectedfrom unauthorized or accidental disclosure
– Availability - authorized users can accessapplications and systems when required to dotheir job
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 7
Effective Risk Analysis
• No matter what risk analysis process is used,the method is always the same:– Identify the asset
– Ascertain the risk
– Determine the vulnerability
– Implement the corrective action
• Remember - sometimes accepting the risk isthe appropriate corrective action.
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 8
Effective Risk Analysis
• The risk analysis process– When identifying safeguards, it will be
necessary to determine those already in place
– 80% - 90% of the controls that mitigate risksare already in place
– Safeguards will only lower risks to anacceptable level
– 100% security is not the goal
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 9
Effective Risk Analysis
• Definitions– Threat - an undesirable event
– Vulnerability - a condition of a missing orineffectively administered safeguard orcontrol that allows a threat to occur with agreater impact or frequency or both.
– Losses - these include direct and indirect loss• disclosure
• integrity
• denial of service
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 10
Effective Risk Analysis
• Definitions– Safeguard/Control - a countermeasure that acts to
prevent, detect, or minimize the consequences of threatoccurrence.
– Exposure Factor - how much impact or loss of assetvalue is incurred
• from 0% to 100%
– Single-time Loss Algorithm (SLA) - when a threatoccurs, how much the loss of asset value is expected tobe in monetary terms
– Annualized Rate of Occurrence (ARO) - how often athreat might be expected to happen in one year.
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 11
Effective Risk Analysis
• Method
• Annualized Loss Exposure (ALE) - a valuepresented by the classic risk analysis processindicating loss expectancy for a given threat;
• Consider the asset value (V), the likelihoodvulnerability exposure factor (L) will equalthe ALE.
• V x L = ALE
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 12
Effective Risk Analysis
• Now that we’ve identified the Assets and theThreats, we are now going to spend sometime trying to establish a bottom line valuefor the assets.
• One of the basic methods for determiningexpected loss is to multiply the Value of theasset (V) by the Likelihood of occurrence(L).
• This formula will produce an Annual LossExpectancy (ALE).
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 13
Effective Risk Analysis
NeverOnce in 300 YearsOnce in 200 YearsOnce in 100 YearsOnce in 50 YearsOnce in 25 YearsOnce in 5 YearsOnce in 2 YearsYearlyTwice a YearOnce a MonthOnce a WeekOnce a Day
1/3001/2001/1001/501/251/51/21/11/.512/152/1365/1
0.00.003330.0050.010.020.040.200.501.02.012.052.0365.0
Annualized Loss Multiplier Table
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 14
Effective Risk Analysis
• Exercise• Now that we have identified the Value of our assets
and the Likelihood of loss, let us use this informationto do some quantitative risk analysis.– You have a $3 million data center located in a flood
area. A major flood that would destroy the data centeroccurs once every 100 years.
– Compute the ALE.– Using the computed ALE, what is the probability that
management would be willing to spend $35,000annually to control this threat?
– Is it cost-effective?
•
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 15
Effective Risk Analysis
• Risk Analysis Objectives– Identify potential undesirable or unauthorized
events, “RISKS,” that could have a negativeimpact on the Integrity, Confidentiality, orAvailability of information by, or flowingthrough, an application or system.
– Identify potential “CONTROLS” to reduce oreliminate the impact of RISK eventsdetermined to be of MAJOR concern.
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 16
Effective Risk AnalysisAttempts to
Access Private Information
FraudPranks
MaliciousAttacks User
Error
NaturalDisasters
SabotageThreats
Systems/ApplicationsSupporting Enterprise
Operations
CustomerLoss of
Confidence SensitiveInformationDisclosedCritical
OperationsHalted
Services & Benefits
InterruptedAssetsLost
Integrity ofData & ReportsCompromised
Failure tomeet Contractual
Obligations
Potential Damage
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 17
Effective Risk Analysis
• Maintain customer,constituent, stockholder, ortaxpayer confidence in theorganization
• Protect confidentiality ofsensitive information(personal, financial, tradesecret, etc.)
• Protect sensitive operationaldata from inappropriatedisclosure
• Avoid third-party liability forillegal or malicious actscommitted with theorganization’s systems
• Ensure that organizationcomputer, network, anddata are not misused orwasted
• Avoid fraud
• Avoid expensive anddisruptive incidents
• Comply with pertinentlaws and regulations
• Avoid a hostileworkplace atmosphere
Information Security Objectives
Source GAO/AIMD 98-68
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 18
Effective Risk Analysis
• Risk Management Principles
– Assess risk and determine needs
– Establish a central management focalpoint
– Implement appropriate policies andrelated controls
– Promote awareness
– Monitor and evaluate policy andcontrol effectiveness
Source GAO/AIMD 98-68
Risk Management Cycle
Central FocalPoint
PromoteAwareness
ImplementPolicies &Controls
Monitor &Evaluate
Assess Risk& Determine
Needs
Source GAO/AIMD 98-68
Effective Risk Analysis
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 20
Effective Risk Analysis
• Assess Risk andDetermine Needs
• Recognize informationresources as essentialorganizational assets
• Develop practical riskassessment procedures thatlink security to business needs
• Hold program and businessmanagers accountable
• Manage risk on a continuingbasis
Sixteen Practices That Leading Use Organizationsto Implement the Risk Management Cycle
Principle Practices
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 21
Effective Risk Analysis
• Establish aCentralManagementFocal Point
• Designate a central group tocarry out key activities
• Provide the central groupready and independentaccess to senior executives
• Designate dedicated fundingand staff
• Enhance staffprofessionalism andtechnical skills
Sixteen Practices Used by Leading Organizationsto Implement the Risk Management Cycle
Principle Practices
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 22
Effective Risk Analysis
• ImplementAppropriatePolicies andRelated Controls
• Link policies to businessrisks
• Distinguish betweenpolicies and guidelines
• Support policies throughcentral security group
Sixteen Practices Used by Leading Organizationsto Implement the Risk Management Cycle
Principle Practices
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 23
Effective Risk Analysis
• Promote Awareness • Continually educate usersand others on the risks andrelated policies
• Use attention-getting anduser-friendly techniques
Sixteen Practices Used by Leading Organizationsto Implement the Risk Management Cycle
Principle Practices
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 24
Effective Risk Analysis
• Monitor andEvaluate Policyand ControlEffectiveness
• Monitor factors that affectrisk and indicate securityeffectiveness
• Use results to direct futureefforts and hold managersaccountable
• Be alert to new monitoringtools and techniques
Sixteen Practices Used by Leading Organizationsto Implement the Risk Management Cycle
Principle Practices
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 25
Effective Risk Analysis
• Assess Risk and Determine Needs– Risk considerations and related cost-benefit
trade-off are the primary focus of a securityprogram.
– Security is not an end in itself– Controls and safeguards are identified and
implemented to address specific business risks
• Understanding the business risks associatedwith information security is the starting pointof an effective risk analysis and managementprogram
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 26
Effective Risk Analysis
• “Information technology is an integraland critical ingredient for thesuccessful functioning of major U.S.companies”– Deloitte & Touche LLP - Survey of
American Business Leaders
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 27
Effective Risk Analysis
• Organizations that are most satisfied withtheir risk analysis procedures are those thathave defined a relatively simple process thatcan be adapted to various organizational unitsand involve a mix of individuals withknowledge of business operations andtechnical aspects of the enterprise’s systemsand security controls.*
*Source GAO/AIMD 98-68
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 28
Effective Risk Analysis
• Different Methods - Qualitative vs.QuantitativeQuantitative Pros
• The results are based substantially on independentlyobjective processes and metrics
• Great effort is put into asset value definition and riskmitigation
• Cost/benefit assessment effort is essential
• Results can be expressed in management-specificlanguage
– monetary value, percentages, probabilities
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 29
Effective Risk Analysis
• Different Methods - Qualitative vs.QuantitativeQuantitative Cons
• Calculations are complex
• Historically only works well with a recognized automatedtool and associated knowledge base
• Large amount of preliminary work
• Not presented on a personnel level
• Participants cannot be coached easily through the process
• Difficult to change directions
• Difficult to address ‘out-of-scope” issues
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 30
Effective Risk Analysis
• Different Methods - Qualitative vs.QuantitativeQualitative Pros
• Calculations are simple
• Not necessary to determine $ value of asset
• Not necessary to quantify threat frequency
• Easier to involve non-security and non-technicalstaff
• Provides flexibility in process and reporting
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 31
Effective Risk Analysis
• Different Methods - Qualitative vs.QuantitativeQualitative Cons
• Very subjective in nature
• Limited effort to develop monetary value fortargeted assets
• No basis for the cost/benefit analysis of riskmitigation
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 32
Effective Risk Analysis
Automated Checklists• Typically ask business units a series of
questions that prompt them to consider theimpact of security controls
• The results are reported to senior managementwith:
- stated business unit’s compliance with security policy
- planned actions to become compliant
- willingness to accept risk
• Reports submitted to management and auditing
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 33
Effective Risk Analysis
• Access Request Procedures– Connection to network requires
Business Case which includes• risks associated with connection
– Business case is reviewed by:• central security group
• technical staff
• requester
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 34
Effective Risk Analysis
• Request for Deviation– In order to deviate from a “mandatory policy”
the business unit submits letter explainingreason for deviation and recognizing therelated risks.
– Where necessary, alternative safeguards areidentified
– Request is reviewed by:• Business unit executive• Central security staff
– Ultimate decision left with business unit
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 35
Effective Risk Analysis
• Facilitated Risk Analysis Process (FRAP)– FRAP analyzes one system, application or segment of
business process at a time
– Team of individuals that include business managersand support groups is convened
– Team brainstorms potential threats, vulnerabilities andresultant negative impacts to data integrity,confidentiality and availability
– Impacts are analyzed to business operations
– Threats and risks are prioritized
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 36
Effective Risk Analysis
• Facilitated Risk Analysis Process (FRAP)
• The FRAP users believe that additional effortto develop precisely quantified risks are notcost effective because:– such estimates are time consuming
– risk documentation becomes too voluminousfor practical use
– specific loss estimates are generally not neededto determine if controls are needed
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 37
Effective Risk Analysis
• Facilitated Risk Analysis Process (FRAP)– After identifying and categorizing risks, the Team
identifies controls that could mitigate the risk• A common group of 26 controls are used as a starting point
– The decision for what controls are needed lies with thebusiness manager
– The Team’s conclusions as to what risks exist and whatcontrols are needed are documented along with a relatedaction plan for control implementation
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 38
Effective Risk Analysis
• Facilitated Risk Analysis Process(FRAP)– Each risk analysis session takes
approximately 4 hours
– Includes 7 to 15 people
– Additional time is required to develop theaction plan
– Results remain on file for same time as Auditpapers
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 39
Effective Risk Analysis
• Facilitated Risk Analysis Process (FRAP)– Team does not attempt to obtain or develop
specific numbers for threat likelihood orannual loss estimates
– It is the team’s experience that sets priorities
– After identifying and categorizing risks, thegroups identifies controls that can beimplemented to reduce the risk
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 40
Effective Risk Analysis
• The Risk and Control Summary Report isconfidential and is owned by the Businessmanager requesting or sponsoring the FRAP
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 41
Effective Risk Analysis
• Business managers bear the primaryresponsibility for determining the level ofprotection needed for information resourcesthat support business operations.
• Security professionals must play a strongrole in educating and advising managementon exposures and possible controls.
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 42
Effective Risk Analysis
• Government Accounting Office May 1998 ExecutiveGuide for Information Security Management(GAO/AIMD 98-68)– “OMB’s 1996 revision of Circular A-130, Appendix
III, recognizes that federal agencies have had difficultyin performing effective risk assessments . . . For thisreason, the revised circular eliminates a long-standingfederal requirement for formal risk assessments.Instead, it promotes a risk-based approach andsuggests that, rather than trying to precisely measurerisk, agencies should focus on generally assessing andmanaging risks.”
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 43
Effective Risk Analysis
• We have discussed:– Why should a risk analysis be
conducted?
– When should a risk analysis beconducted?
– Who should conduct the risk analysis?
– How long should a risk analysis take?
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 44
Effective Risk Analysis
• We have discussed:– What can a risk analysis analyze?
– What can the results of a risk analysistell an organization?
– Who should review the results of a riskanalysis?
– How is the success of the risk analysismeasured?
8/1/00 Copyright©2000 Netigy Corporation. All Rights Reserved 45
Comments?
Questions?
Critiques!
Driving eBusiness PerformanceSM
Effective Risk Analysis
Thomas R. Peltier, CISSP