Risk Based Security Management
Risk Based Security Management (RBSM)
may be defined as the application
of rigorous and systematic analytical techniques to the evaluation of the risks
that impact an organization's information assets and IT infrastructure.
Agenda
• THE PROBLEM • STEPS TO RBSM • GLINTT’S APPROACH • CONCLUSIONS • Q & A
THE PROBLEM
.: Many of the true assets of value are items that are intangible
and are typically not considered in technical approaches to
information security .:
FRIGHT INDEX
Threats to information security faced by organizations
Ponemon Institute 2012
FRIGHT INDEX II
The greatest rise of potential security risk within today’s IT environment
Ponemon Institute 2012
FRIGHT INDEX III
Security technology categories used to thwart internal and external threats
Ponemon Institute 2012
IDENTIFYING RISK
Steps taken to identify security risks
Ponemon Institute 2012
ADDRESSING RISK
Perceived security risk by layer in the security infrastructure and the allocated level of spending
Ponemon Institute 2012
STEPS TO RBSM
.: The goal is not perfection but to improve our decision making ability by reducing our uncertainty .:
IDENTIFY WHAT MATTERS
• How can this be achieved?
»» Survey the organization and its management.
»» Engage those who are responsible for business.
»» Gather relevant information about the organization.
COLLECT DATA ON WHAT MATTERS
• What kind of data can be useful to gather?
»» Asset valuation
»» Impact
»» Threat landscapes
»» Frequency and likelihood
»» Vulnerabilities
PERFORM A RISK ASSESSMENT
• Risk Assessment should:
»»Create meaningful analysis of probabilities and information on the magnitude of an event and its impact;
»»Rank risk based on a normalized scale that is explicitly defined, relevant and re-usable across risk
analyses of all sizes and types.
PRESENT TO THE ORGANIZATION
• The presentation of any risk analysis should:
»» State the assets that were considered;
»» The key threats to those assets;
»» Assumptions that were made in the analysis
»» The identified risks.
IDENTIFY CONTROL OBJECTIVES
• A control objective will identify the risk being addressed, and will identify ways that minimize an element of that risk.
»» In simple terms, control objectives are “what is it that needs to be achieved”.
IDENTIFY AND SELECT CONTROLS
• The process of selecting controls should consider:
»»What is the total cost of ownership
of the control?
»»How flexible is the control to changes in the organization or the elements that make up the risk?
IMPLEMENT CONTROLS
• If the control is implemented in a way that does not support the control objectives, the risk will likely not be reduced.
OPERATE CONTROLS
• RBSM takes an additional step that measures the effectiveness of the control itself and its operation.
MONITOR AND MEASURE
• The measures must focus on clearly identifying changes in risks.
»» Bear in mind that not all of these
elements are precisely measurable.
»» Attempting to measure the number of threats is problematic, but some qualitative or combination of measures can provide insight.
ADJUST & REPEAT
»»Are there changes in the environment that can also affect the metrics?
»»Are there changes in the threats as time changes?
»» Is the control being operated as intended and/or are the measures acting as indicators of control design and its operation?
GLINTT’S APPROACH
.: If the risk assessment is based on relevant data then the discourse should be rewarding, collaborative, and highly interactive. :.
RBSM Managed Services
»» Creates an environment of informed choice.
»» Strives to reduce
uncertainty
and eliminate conjecture.
»» Is best achieved through
a surplus of relevant data.
RBSM Managed Services
»» Based on analysis of frequency of threats
and vulnerabilities.
»» Cyclical and provide an opportunity for
continuous learning.
»» Involve feedback loops and
challenging assumptions.
RBSM Managed Services
»» Minimize the threats, reduce frequency
and/or likelihood, and reduce
the vulnerabilities that make the threats
viable.
CONCLUSIONS
.: A vulnerability lacks significant meaning if it is associated with
a worthless asset, just as a vulnerability is highly significant if it is
associated with a highly valuable asset .:
CONCLUSIONS
»» Anyone undertaking this process (RBSM) should be prepared to suspend their presuppositions and not to be shocked if ideas long held as truth are refuted by the data collected and analyses performed.
»» We challenge you to try our Services!
Top Related