
Information Technology Risk Management
• Chapter 5: Defining Risk Assessment Approaches
• Chapter 6: Performing a Risk Assessment
• Chapter 7: Identifying Assets and Activities to be Protected
Book:
Information systems security & assurance series
Jones & Bartlett Learning
Managing Risk in Information Systems – Darril Gibson, second edition

“Protected Assets”  Please respond to the following:
• Consider a typical manufacturing facility. Determine the top five (5) IT assets to include in a risk assessment for this type of organization. Make sure that you focus your asset determinations on the manufacturing aspect of the facility and that you justify your selections.

List all references.
Cover page is not needed.

Risk Assessment Techniques

INFORMATION IN THIS CHAPTER

• Operational Assessments
• Project-Based Assessments
• Third-Party Assessments

INTRODUCTION
Once you have a risk model and a few assessments under your belt, you will want to start thinking strategically about how to manage the regular operational, project, and third-party assessments that will occupy most of your time as a risk manager or analyst. This can quickly become an overwhelming task if not approached strategically, making the best use of the tools and resources that are available. You will want to have a single risk model for the organization, but the actual assessment techniques and methods will need to vary based on the scope of the assessment. An assessment of risk during an incident investigation, for example, must be more streamlined than an architectural risk assessment of a new software application in development.

OPERATIONAL ASSESSMENTS
Do you think that you would use the exact same techniques to perform a risk assessment on a new application or system in development as you would use to assess an entire company during an acquisition? The answer is that you wouldn’t. So far, we have established risk models and frameworks, which will be the foundation for any assessment, but how you go about performing that assessment will vary based on the size and nature of the target. It can be helpful to start thinking about categories of assessments, beginning with the distinction between operational assessments, meaning those ongoing day-to-day assessments that are occurring all year long, and project-based assessments, which have a finite duration. The operational assessments will encompass regular assessments of emerging threats, newly announced vulnerabilities, and discovered standard violations, just to name a few. Operational assessments should not be confused with assessments of risks in the operations domain. In this context, operational describes the format of the assessment, indicating that these are ongoing and revolving assessments with no clear endpoint, as opposed to assessments of projects that have set completion dates. In contrast, an assessment of the operations domain would define the scope of the assessment, which would focus on threats to operations continuity. We are focusing on the former for the purposes of this discussion.

Security Risk Management. DOI: 10.1016/B978-1-59749-615-5.00010-4
© 2011 Elsevier Inc. All rights reserved.
Some examples of operational risk assessment tasks in the information security space include the following:
• Threat analysis
• Vulnerability scanning
• Patch remediation
• Penetration testing
• Incident prioritization
• Exception processing
• Compliance to standards reviews
• Certification and accreditation (C&A)
• Auditing (internal or external)
• Responses to client due diligence evaluations
• Vendor on-site reviews
• Regulatory gap analysis
As you can see, this list is rather diverse, and even so, it doesn’t even begin to cover all the various tasks for which a security risk management team might be responsible. It just wouldn’t be practical to use the exact same approach and techniques for each of these tasks, but fortunately, the fundamentals stay the same. It is really just the tools and format of the assessment that change with the type of task. For example, a vulnerability scan of your Internet presence is going to require a technical tool or service to perform security scanning of vulnerabilities, but an on-site review of a service provider’s physical security controls is going to require a body with a clipboard and a list of required controls. Likewise, you aren’t going to require an on-site physical assessment of Dell’s facility just because they provide your server hardware, but you would want to perform that on-site assessment of an offshore development center that provides 80% of the code for your products. When you are establishing your risk management program, start by thinking about the different levels of resources that you will be assessing and map out which methodology will be most efficient for each.

Operational Techniques
For all those potential operational assessments, your options really come down to just a few assessment formats:
• Questionnaire
• Interview
• Passive testing
• Active testing
• Review of third-party assessment
• Acceptance of a certification
When it comes to internal or third-party assessments, you should consider mapping the depth and intrusiveness of the assessment technique to the risk sensitivity of the service being provided. For example, a review of an independent assessment report or a passive test, such as conducting a Google search for information about your organization, will usually be nonintrusive, requiring only your own team’s resources. For those resources that have lower risk sensitivities or have already been reviewed in the past without any significant findings, you may want to consider these approaches to minimize your impact on staff from other business units.

Questionnaires and Interviews
The first two techniques are questionnaires and interviews, and we will address them together since, ultimately, a questionnaire is just a passive version of an interview. Choosing which is appropriate can often be difficult and it may come down to trial and error to determine which one your organization responds to better, but hopefully, these guidelines will give you a good place to start. First, the benefit of an interview style assessment versus a questionnaire is that a skilled assessor can use the responses to a static question to guide their follow-up questions and direct which additional questions they ask. For instance, if you are assessing the IT environment and you have a series of questions about password controls (length, complexity, change history, expiration, initial distribution, reset procedures, and so on), but the system in question uses digital certificates or cryptographic keys instead, you can skip all the remaining password questions and drill into the key management questions on the fly. To do this with a questionnaire, you either need to program some logic into an online questionnaire or you will be doing a lot of back and forth follow-up questions about why they selected “N/A” for all your password questions.
Especially if you are doing an internal assessment, you would be surprised how many additional risks you can uncover just by getting several people in a room at once and listening to them disagree about how something actually works. The manager will give you one answer, the engineer will correct him, and the junior engineer who recently joined the team will say “nobody told me that was the procedure.” Of course, the above scenario assumes that some level of trust has already been established, that the culture supports healthy disagreement in public, and that your assessor understands the power of just listening. A side benefit of the interview technique can often be increased awareness among the team being assessed about what is expected from a security perspective and, as a result, bad practices can often be corrected right then. In contrast to that situation is the defensive interviewee or the subject who is actively offended that anyone would dare question their practices. If you suspect that might be the case, then a questionnaire might be the more effective way to go.
192 CHAPTER 10 Risk Assessment Techniques

No matter how long you spend crafting the “perfect” questionnaire, you will always have questions that are misunderstood. If the question isn’t clear, you will probably experience one of the following responses from the person answering the questionnaire (in order of likelihood, from most to least likely):
1. Skip the question altogether
2. Select “N/A” if it is an option
3. Give up on the questionnaire entirely and not finish it
4. Answer the question with a “No” just to be safe
5. Ask for clarification
You may wish that response 5 was more common, but with so many pulls on resources’ time, you are probably going to have to hunt down the responder to find out that there was a question they didn’t understand. You can minimize this situation by trying to provide organization-specific examples along with each question. A targeted example can go a long way toward clarifying the intent of the question. Of course, when conducting an interview, you can address any confusion immediately, which minimizes the time lost and the frustration experienced by both sides.
As a general rule, using an interview style is going to give you the richest and most accurate information in the shortest amount of time, assuming you can get the right people in a room all at once. It may seem onerous to schedule all these interviews and coordinate resources, but it gets you exposure to many critical functions in the organization and will be your quickest option. The challenge is that interviews don’t scale well for large organizations, so you will need to prioritize where you use a questionnaire versus an interview. One approach is to use an interview for the first assessment and a questionnaire for each subsequent assessment for that same resource. That way, you get a detailed risk assessment and understanding of the resource up front, but can scale back the resource effort over time. Another approach is to send out a questionnaire and schedule an in-person meeting with everyone involved to review the answers and discuss any follow-up questions. With this approach, you leverage the benefits of both assessment formats.

Active and Passive Testing
Questionnaires and interviews might work well for identifying policy violations or process weaknesses, but to really evaluate the technical vulnerabilities in your environment, you will need to perform some sort of security testing. Although passive testing sounds harmless, beware that the definition of passive is not always consistent across the field. There are definitely gray areas to be aware of; any testing should require appropriate senior management approval. Most security scanners or vulnerability scanners are tools with large databases of known attacks and weaknesses and will scan the environment for signs of vulnerabilities or compromises. These tools will also typically have the ability to identify missing patches, configuration mistakes, or denial-of-service weaknesses.

Security scanning tools are very common. Many will focus on general operating system and commercial application vulnerabilities, but others specialize in mapping environments or testing Web applications for weaknesses. Most will only look for signs of a weakness, while others also include the option to validate a vulnerability by actually exploiting it. Any tool that will actually verify a weakness by executing the exploit would be considered a penetration testing tool, not just a scanner. There are many open source and commercial scanners available. A few of the most common ones are as follows:
• Nessus (free and commercial versions available)
• Nmap (free)
• ISS
• Retina
• Nexpose
• Foundscan
• Qualys
• Core Impact
• AppScan
• WebInspect
This list doesn’t even come close to being inclusive, especially as you start to look at specialized scanners for targets like wireless networks and Web applications. A great list of the top 100 network security tools is available on Gordon Lyon’s SecTools site [1], and many of these tools are security scanners of some kind. Gordon is the author of the Nmap scanner, so he knows a little something about the topic.
The scope of an active or passive test can range greatly depending on your organization’s particular concerns. For example, the following are all typical types of assessments:
• Enterprise vulnerability assessment (active)
• Penetration testing analysis (active)
• Wireless security assessment (active)
• Blackbox application testing (active)
• Malicious threat assessment (passive)
• Internet reconnaissance (passive)
• Application code security review (passive)
Most of these should have an obvious scope; however, malicious threat assessment and Internet reconnaissance both likely need some further explanation. Typically, a malicious threat assessment would involve putting a passive security device at key network aggregation points to review traffic for potential malicious activity or policy violations. This is sometimes accomplished by temporarily putting a specialized Network Intrusion Detection System (NIDS) device, or an anomalous network activity monitoring device like the Riverbed Cascade (formerly known as Mazu) analyzer, on the network, and reviewing the alarms that are triggered. This is a passive test because at no point is there any chance that the normal operations of the network can be impacted. Signatures and anomaly detection techniques aren’t perfect, so it may be useful to conduct one of these tests every so often, even if you already have intrusion detection systems (IDS) deployed in your environment. Just having an analyst look at your network traffic for a week without the prejudices of what is expected or suspicious can often uncover unknown issues.

An Internet reconnaissance test should be focused on assessing the organization’s profile based on what information is publicly available on the Internet. Domain registries, the organization’s financial statements, career postings, and vendor case studies are all sources of information about an organization that could be used by an attacker. Google has actually become a primary tool for would-be attackers to profile an organization looking for weaknesses that can be exploited by technical means or through social engineering. Any organization needs to have some level of public presence, a point that is emphasized by the introduction of the White House as an active participant on Facebook during the Obama administration. The point of this type of testing is to have someone with the knowledge of typical data mining techniques look at the organization’s profile from an Internet perspective and identify unnecessary information risks. Like other passive testing methods, this assessment presents no risk of an operational disruption to the organization.
Most active testing will involve either a tool or a person performing functions against a resource to look for known responses, which indicate that a vulnerability is present. For example, an active scan of your environment would look for known vulnerabilities and improper configurations that could allow an attacker unauthorized access to a resource. It is always recommended that you scan your environment both internally and externally so that you get an idea of what would be visible to any outside attackers as well as potentially malicious insiders. It is a good idea to publish a formal schedule for scanning and to communicate this to resource owners and administrators. You may need to do your scanning during off-hours or maintenance windows to avoid affecting a production service. After all, no matter how much time you put into tuning your scanner, you can’t guarantee zero impact to the environment being scanned, and resource administrators need to be prepared to respond if needed to a disruption.

One focus of security testing needs to be to validate that current controls are behaving as expected. It isn’t enough to just implement a set of controls; you need to evaluate those controls to ensure they are really reducing your risk exposure to the level you expect. Controls also require constant tuning and adjustment, especially with the growing sophistication and persistence of attackers, and you will need to be constantly monitoring each layer of controls to see which attacks are getting through. If you think that your firewall is locked down, run a port scan to verify. If you are relying on your anti-virus software to catch the latest threats, introduce a few sample pieces of malware into an isolated and controlled environment to see the detection rate (virtualization with no network connectivity can be a great test bed). If you think that peer review of application code is catching the violations of coding standards, have a security architect review a random sampling of code to validate. As they say, trust but verify.
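As an added example (not from the book), the following Python turns the “run a port scan to verify” check into an allow-list comparison: the ports the firewall policy is supposed to leave reachable are declared up front, the host is probed with a plain TCP connect scan, and anything found open that is not on the allow-list is reported as a finding, while allowed ports that turn out to be closed are reported separately because they often indicate a dead rule or a service that is down. The target (localhost), the two throwaway listeners that stand in for a permitted and an unexpected service, and the allow-list are all constructed for the demonstration; against a real host you would substitute the firewall rule set for the allow-list and a full port range for the ports to check.

```python
"""Validate a firewall or host-exposure control by comparing observed open ports
to the policy's allow-list.

Added example, not from the book. The listeners, the allow-list and the
localhost target are constructed for the demonstration.
"""
import socket
import threading
from typing import Dict, Iterable, List, Set


def port_is_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """TCP connect probe for one port: a completed three-way handshake means open."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan_ports(host: str, ports: Iterable[int]) -> Set[int]:
    """Return the subset of `ports` that accept a TCP connection on `host`."""
    return {p for p in ports if port_is_open(host, p)}


def validate_exposure(host: str, ports_to_check: Iterable[int],
                      allowed: Set[int]) -> Dict[str, List[int]]:
    """Compare what is actually reachable with what the control is supposed to permit.

    'unexpected' is the finding an assessor cares about: a service reachable that the
    control should have blocked. 'allowed_but_closed' flags rules that no longer match
    a live service.
    """
    open_ports = scan_ports(host, ports_to_check)
    return {
        "open": sorted(open_ports),
        "unexpected": sorted(open_ports - allowed),
        "allowed_but_closed": sorted(allowed - open_ports),
    }


def _start_listener():
    """Bind a throwaway listener on an ephemeral loopback port (stands in for a service)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # listener closed by the caller
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def _closed_port() -> int:
    """Reserve and immediately release an ephemeral port so it is known to be closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> Dict[str, object]:
    """Policy allows only the 'service' port; a second 'rogue' listener is the finding."""
    srv_ok, service_port = _start_listener()
    srv_rogue, rogue_port = _start_listener()
    closed = _closed_port()
    try:
        report = validate_exposure("127.0.0.1", [service_port, rogue_port, closed],
                                   allowed={service_port})
        return {"service_port": service_port, "rogue_port": rogue_port,
                "closed_port": closed, "report": report}
    finally:
        srv_ok.close()
        srv_rogue.close()


if __name__ == "__main__":
    print(demo())
```

A connect scan completes the handshake, so it shows up in the target’s logs and counts as active testing; it needs the approvals and the published schedule discussed above. Run the same comparison from outside the firewall as well as from inside, because the two views differ and the external one is what an attacker sees.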
In addition to regular scanning and other internal assessments, it is crucial to have outside experts come in periodically to assess different parts of the security program by performing penetration testing on the network or Web application, or by trying to bypass physical controls like gaining access to a secured area without a badge. This will help you to identify weak areas that need more attention and can also help you validate the threat vectors that you have assessed as most likely.

Third-Party Reviews and Certifications
When working with vendors and service providers, you are going to need to rely on other means of assessing the security posture of the third party. Most service providers aren’t going to let you show up at their offices with a security scanner and just let you go nuts on their environment (at least we hope they won’t!). Thus begins the negotiation of best evidence. You might think of this as a similar dilemma to what you would see in court. Direct evidence may not always be available, so you may need to rely on alternatives like maybe an expert witness. The same is often true when assessing a third-party provider—you may not be allowed to walk through their Security Operations Center (SOC) or run your own penetration test against their Internet-facing systems, but they should provide you some indication that they have had an independent third-party assessor perform these tests and that any high-risk findings are being addressed appropriately. The debate about the appropriate level of detail to require will be discussed in depth later in this chapter, but suffice to say for now that you likely shouldn’t expect a copy of a penetration report, but it might be reasonable to request an executive summary. After all, the provider also has to manage the risks inherent in distributing active exploit details.
If report summaries from independent assessors are not available, the next best thing would be a certification that demonstrates a certain level of security posture and program maturity. For example, you might recognize an ISO 27001 certification or a SAS 70 Type II report as being sufficient proof of robust security controls for the organization (strictly speaking, SAS 70 is an auditing standard that produces an attestation report rather than a certification, and it has since been superseded by the SSAE 16 and SOC reports). Eventually, the industry will need to develop a certification that covers all the areas of review in the 800 to 3,000 question evaluations that some customers are requiring their providers to complete, but as a field, we aren’t there yet. A SAS 70 report, for example, can be a fantastic evaluation of security controls, but the scope will vary between organizations depending on what they chose to include in the review and the level of detail in the report. This makes it hard for risk managers to use as a consistent indicator of excellence.

Baseline Reviews
In terms of operational risk assessments, another important focus is Certification and Accreditation (C&A). For many business professionals, these terms may not be meaningful, but don’t worry: like with the term information assurance, you will most often see these terms in the context of the US federal government. Although the terminology isn’t popular in private industry yet, the function actually is already in use. On the most basic level, C&A tasks require establishing a security baseline for each system in your environment, ensuring any new deployments are compliant with the baseline, monitoring the configuration of the system over time to be sure it doesn’t deviate from the baseline, and documenting any areas where the system can’t comply with the baseline. In essence, a C&A process is meant to formalize the standards for configuring a system securely and force an explicit review of those controls and authorization decision to allow it to operate in an environment.
Certification and accreditation are really both subsets of an overall information security risk management program. Risk management is the overall program for identifying weaknesses, threats to those weaknesses, and assessing the impact to the organization that might result from an exploitation of those weaknesses. Certification is the process of evaluating whether the system/application meets the minimum standards that have been established, and accreditation is the management decision process to determine if any deviations from standards are acceptable. When you think about this in basic terms, it essentially equates to a risk assessment followed by a risk decision. In the US federal government, there are very explicit job roles and positions involved in this process; however, most corporations use a combination of the resource owner or operator and a representative from the security team to negotiate these details.
There are two contexts in which the term “baseline” is used for Information Security. The first is referring to a point in time snapshot of the current state of the environment as a comparison point. The second is the minimum set of required configuration settings or controls to meet a desired level of security. In this chapter, we are using the latter definition—just think of it as a secure configuration template.
There are many activities required to make a C&A process run smoothly, and many of these tasks will be performed by the resource administrators or operations teams, with oversight from the Information Security team. As part of the change management process, the postimplementation steps of updating documentation such as network diagrams, server build documents, software hash libraries, standard build images, and so on should be performed. A good practice is to create a hash library of known good software in your environment; that way, when there is an investigation of a system compromise, you can easily identify software and configuration files that have not been tampered with because they match the unique hash you created in advance. The library is only useful if it is kept somewhere the systems it describes cannot rewrite it, so store it off-host and update it only through change management.
Many organizations also run regular (as often as nightly) scans of server configuration files to ensure they still meet the baseline, and if any deviations are found, they get escalated to management and the security team to investigate the cause. When a deviation from the baseline is required due to technical constraints or for specific business purpose, the justification, risk evaluation, and approval needs to be documented and processed like any other risk acceptance. This assessment needs to happen before the system/application “goes live” or is released and regularly until it is decommissioned. It is important to ensure that this requirement is communicated to all project managers and stakeholders so that they can account for this time upfront when they create a project schedule. You will also need to establish who has the authority to keep the system/application from going live or being released if there is a serious security issue. You may hear this authority referred to as the “red lever.” This is the person who the organization has established as having the authority to stop a system from going into production or to shut down an existing system if the exposure warrants it. Accreditation is not a permanent state; the security of any system/application needs to be re-evaluated periodically, usually on a set schedule, the frequency of which should depend on the sensitivity of the resource. The NIST Special Publication 800-37 Revision 1 [2] is a great reference for anyone who is involved in C&A work. It has evolved in this revision from a rather static and inflexible process into a risk-focused lifecycle methodology.
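As an added example (not from the book), the following Python builds the kind of known-good hash library described in the previous paragraph and then runs the nightly-style baseline comparison from this one: every path in the library is rehashed and classified as unchanged, modified or missing, and any file not in the library is reported as added. The directory layout, the file contents and the simulated drift (a weakened sshd setting, a deleted file, an unexpected binary) are constructed for the demonstration, and SHA-256 is assumed as the hash algorithm.

```python
"""Known-good hash library plus baseline drift detection.

Added example, not from the book. The file tree, its contents and the
simulated tampering are constructed for the demonstration.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List

HASH_ALGO = "sha256"  # assumed; any collision-resistant hash works the same way


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """Stream the file through the hash so large binaries do not need to fit in memory."""
    h = hashlib.new(HASH_ALGO)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Walk `root` and record one hash per file, keyed by its path relative to `root`."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare_to_baseline(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Rehash the tree and classify each path against the stored library."""
    current = build_baseline(root)
    return {
        "unchanged": sorted(k for k in baseline if current.get(k) == baseline[k]),
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> Dict[str, List[str]]:
    """Baseline a constructed config tree, tamper with it, and report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text(
            "PermitRootLogin no\nPasswordAuthentication no\n")
        (root / "etc" / "ntp.conf").write_text("server time.example.internal\n")
        (root / "bin").mkdir()
        (root / "bin" / "agent").write_bytes(b"\x7fELF-constructed-sample")

        # Round-trip through JSON, standing in for the library stored off-host.
        library = json.loads(json.dumps(build_baseline(root), indent=2))

        # Simulated drift: weakened sshd setting, deleted file, unexpected binary.
        (root / "etc" / "sshd_config").write_text(
            "PermitRootLogin yes\nPasswordAuthentication no\n")
        (root / "etc" / "ntp.conf").unlink()
        (root / "bin" / "dropper").write_bytes(b"\x7fELF-unknown")

        return compare_to_baseline(root, library)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Content hashes alone miss tampering that changes only ownership, permission bits or symlink targets; a production baseline tool records those attributes alongside the hash, and the comparison logic above extends naturally to a per-file record instead of a single digest.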

Assessment Approaches for Different Sized Scopes
When you are faced with assessing a very large environment, “random sampling” should be the first words that come to mind. It may be feasible to perform full port and vulnerability scans on 20 systems in a reasonable amount of time without putting a dangerous load on the systems or the network, but think about the logistics if you needed to assess 2,000 systems. At that point, is there really any value in documenting the same weaknesses across all 2,000 systems? You don’t need a sample size that big to establish a pattern. Especially if you are in a consultant role, you will want to very carefully consider what scope of assessment would be a productive use of time and resources. Remember that whatever you test, you will need to document and report on. Because of these considerations, and just like auditors have been doing forever, random sampling is the best approach.
Similarly, there are often debates about whether automated penetration testing is sufficient for a thorough assessment, as opposed to having a highly skilled ethical tester hacking away at the application or system manually. Clearly, the latter option is preferred, but it is also typically not possible as the only method of testing on large-scale assessments. If you are looking to assess a specific function in an application that uses a proprietary protocol, then maybe a purely manual penetration test is the right solution, but for large-scale assessments, any tester is going to use a hybrid of some level of automation along with manual testing.

PROJECT-BASED ASSESSMENTS
Chapters 11 and 12 will cover daily risk assessment activities that continue on a constant cycle, but for now, let’s first look at how best to approach an assessment with a defined endpoint based on a single project. The three most common projects that will require a risk assessment are as follows. Each requires a slightly different approach and has its own challenges.
• Software development
• Software/technology acquisition
• Selection of third-party service provider
The scope of an assessment can vary greatly, from a new product enhancement to the acquisition of another company. However, the process and deliverables are going to be the same, even if the subject matter varies. The important distinction here is that this is a point-in-time assessment and not an on-going process like operational assessment activities, which we have previously discussed. Because of this, it is necessary to have a set project timeline and clear deliverables to guide the assessment.

Risk Assessments in the Project Lifecycle
Generally, the motivation for this type of risk assessment will be to demonstrate due diligence and assess the level of risk being undertaken by the project. These assessments need to be performed as early in the project’s lifecycle as possible so that it can be properly influenced by the results of the assessments from the beginning. Otherwise, time and effort may be lost if the team is allowed to go too far down a flawed path. A security risk assessment can be performed by just about anyone involved in the project team if given the proper guidelines, and occasionally, the project may require an outside party to guide the assessment. Your organization’s culture will strongly influence who should lead each assessment, but generally the responsibility will fall on the Information Security team.
The output of this assessment will include the identification of risks, threats, and general concerns from the team and, ultimately, recommendations for controls to mitigate those threats. The analysis and recommendations would then generally be presented to senior management or other project stakeholders to make the final decisions. You should notice that this is no different than any other assessment methodology that has been introduced so far, so what really distinguishes the project-based assessment is that it is time-boxed and is designed to be a point-in-time evaluation.

The FRAAP Approach
If you are interested in a structured approach to an accelerated assessment, Thomas Peltier has coined the term Facilitated Risk Analysis and Assessment Process (FRAAP) [3] to describe his approach to managing a risk assessment of a project in a short timeframe. Using this streamlined approach, you can cut down the time it takes to gather risk data and produce recommendations, while still getting the appropriate Subject Matter Experts (SMEs) involved. The goal is to conduct the assessment in a matter of 4 to 8 hours and then produce the recommendations within a few days of the assessment session. This can really help to keep projects on track and minimize the time requirements on the SMEs. Within this model, it is especially important to define a structured agenda and strict roles for each participant. In doing so, you can avoid risk discussions that can drag on and drift far from the focus area. The role of the Information Security representative is to facilitate the discussions rather than dictate the direction they take. Depending on the topic, there might be several business units or departments represented in the session. Some of them are listed here as follows:
• Functional owner
• Business analyst
• System engineer
• Database administrator
• Network administrator
• System programmer
• Application programmer
• Functional manager
• Information security
• Legal
• Human resources
If you are serving as the facilitator for the meeting, then it is best to have someone else on your team attend to represent Information Security. This way you can focus on the facilitator’s responsibilities and not be perceived as pushing your own agenda. The idea behind the FRAAP format is to run a session that encourages the participants to raise issues and identify risks, without spiraling out of control with side discussions and tangents. Once the risks have been identified, the team analyzes the impacts and agrees on the likely consequences of those risks. Then, each risk is rated in terms of the priority to the organization.
For the most part, this analysis relies on the expertise and knowledge of the people in the room, including representatives from the security team, but it can also be influenced by other data about the resources or observed trends in the industry that were gathered prior to the assessment session. Activities like brainstorming serve an important role in Peltier’s FRAAP approach, but there is also enough structure to the assessment format that it should be able to keep the session productive.

Prep Work
Before you lock everyone in a room for 8 hours talking about risks, you will need to do some preparation work. Set up a 1-hour pre-session meeting with the primary stakeholder, project lead, and session facilitator to discuss the goals, agenda, and format for the session. Keep this meeting short and focused. Peltier recommends five deliverables for this meeting:
• Draft a scope statement for the initiative and the assessment.
• Obtain visual diagrams of any resource components, inter-dependencies, or information flows.
• Select the team members for the actual assessment session.
• Decide on meeting logistics, such as location, timing, supplies, food, and so on.
• Agree on definitions of any controversial terms such as the following:
◦ Confidentiality, integrity, availability, accountability
◦ Risk
◦ Threat
◦ Vulnerability
◦ Impact
◦ Control
Having this defined up front and published to the assessment team will avoid wasting time at the beginning of the session trying to get everyone on the same page.
The assessment session itself should last between 4 and 8 hours, depending on the size of the project, and shouldn’t include more than 15 participants. If you can get everyone into a room off-site or at least away and disconnected from everyday distractions, then the sessions will be far more efficient. The last thing you want to see is everyone sitting around the table answering e-mails on their laptops or BlackBerries. Expectations need to be set early that this time will be dedicated to the project and the assessment activity.
The facilitator will want to come to the assessment session prepared with materials, such as flipcharts and markers, printed copies of the terminology definitions, a clear scope statement, and any visual diagrams that might be appropriate. It is recommended to distribute the materials from the pre-session meeting in advance. This gives the participants the opportunity to review them in advance, gather any information that they might need for the meeting, and also identify if they are not the right resource to be involved in the assessment. You should, however, also assume that the majority of people will not review the materials in advance, so plan to spend a few minutes summarizing the scope at the beginning of the meeting.
Running the Session
The assessment session itself should only last between 4 and 8 hours. You will have to consider your audience, scope of the assessment, and the culture of your organization when choosing the length of the session. Some assessments may be hard to complete thoroughly in just 4 hours, but you also have to account for people’s attention span and other draws on their time. Scheduling any large group can be difficult, so the shorter the session, the better chance you have of getting everyone together. The session itself should have three deliverable goals. There is no one single way to capture this information, so experiment with a few approaches and choose the format that works best for you.
1. Identify the risks
2. Prioritize the risks
3. Identify controls to mitigate the top priority risks
One way to start off the session is to go around the room and ask each participant to identify any risks associated with confidentiality. Set a maximum time for this exercise (say 3 minutes per person) and capture all the ideas, then go around the room again and spend the same amount of time listing all the integrity risks. Repeat this process again for availability and accountability to create a comprehensive list of risks. Alternatively, you could begin by going around the room and asking each participant to list one issue or concern that they have with the project. When you’re facilitating a session, keep in mind the usual brainstorming tips, such as the following:
• Remain neutral at all times
• Don’t judge or dismiss any ideas
• Ensure that all ideas are captured
• Solicit input from everyone
• Only let one person speak at a time
• Don’t let any one person dominate the conversation
To keep the session moving forward, the facilitator needs to be very strict about following these general brainstorming guidelines. Especially for security professionals, it can be hard to stay in character as the facilitator and not comment on the issues or ideas being raised as you would when wearing your security hat, but this separation of roles is important to the success of the session. It can be difficult to find the balance between allowing participants to be creative and not letting any one personality dominate the discussion. A good way to avoid this is by cutting people off after 3 minutes or so. Otherwise, you may find the session spending too much time on a single issue and missing others. Be sure to have someone tasked with recording all the ideas and issues being raised, and defer those that are out of scope for this project. Finally, be sure to manage the group so that you only have one conversation going at a time; if the debate gets heated, you may need to mediate to keep the conversation productive and above the line.
Next, look at each identified risk and analyze the severity of each. Then, take each of those risks and rate it based on the likelihood of occurrence. Following this, you will want to prioritize the risks based on their risk rating and focus the rest of the session on the higher exposure items. The assessment and analysis will be captured in worksheets, similar to the worksheets provided as a part of OCTAVE Allegro, which we will explore in Chapter 11.
Sample Worksheets
Having a structured assessment approach is essential to the viability of the FRAAP approach; so, this section provides several worksheets that can be used to capture the artifacts of each step of the FRAAP session. Keep in mind that each worksheet has been slightly adapted from the typical FRAAP worksheet to meet the risk model used in this book, but the general concepts remain the same.
The first step in the session is to start identifying concerns or risks, assign them a risk type (C-I-A-A), and identify the resource affected by the risk. You can see an example of this in Figure 10.1.
Once you have completed the brainstorming, review the list of risks identified and eliminate any duplicates. You should now have a list of categorized risks with the associated resources identified. Next, on the resource sensitivity profile worksheet (Figure 10.2), you will start out by listing each resource from the first worksheet.
Once you have listed all of the resources, include a very short description of that asset’s sensitivity or importance to the organization. Use this description to guide your rating of the resource’s confidentiality, integrity, availability, and accountability sensitivities using the same Low-Moderate-High scale from our earlier security risk profile. Finally, determine the overall sensitivity for the resource based on the highest of the individual C-I-A-A values.

Risk description list
# | Risk type | Risk description (vulnerability and consequences) | Resource
0 | Confidentiality | Sensitive account information is discarded in the regular trash, which could lead to disclosure of customer financial accounts to unauthorized internal or external parties. Disclosure of this data violates several state privacy laws. | Paper statements

FIGURE 10.1 Risk description list worksheet.

Resource sensitivity profile
# | Resource impacted | Sensitivity description | Confid | Integ | Avail | Acct | Overall
0 | Paper copies of client account statements | Client account statements include the client’s name, financial account number, address, and current balance. This information is protected by several regulations and privacy laws. Disclosure could lead to financial fraud and liability for the organization, or legal penalties. | High | Low | Low | Moderate | High

FIGURE 10.2 Resource sensitivity profile worksheet.

Risk exposure rating
# | Brief vuln desc. | Threat category | Threat activity | Like | Sev | Sens | Exposure
0 | Account information in trash | External targeted attack | A criminal could pull a few clients’ sensitive financial account information out of the dumpster behind the office and use it for fraudulent purposes. | High | Moderate | High | High
1 | Account information in trash | Internal abuse | An employee could pull sensitive financial account information for all clients out of the trash cans in the office and use it for fraudulent purposes. | Moderate | High | High | High

FIGURE 10.3 Risk exposure rating worksheet.

At this point, you have identified the risks and their associated resources and rated the sensitivity to risk for each resource. Next, you will need to break each risk into its threat and vulnerability components, as shown in Figure 10.3.
Notice in the example in Figure 10.3 that one initial risk has been separated into two different combinations of threat/vulnerability pairs with slightly different risk ratings. This illustrates how the combinations of threats and vulnerabilities can result in different risk exposures depending on the threat category. The threat categories being used are as follows:
• Natural disaster
• Infrastructure failures
• Internal abuse
• Accidents
• External targeted attacks
• External mass attacks
In this worksheet, the likelihood and severity of the threat/vulnerability pair is combined with the sensitivity of the resource from the previous worksheet to derive the final exposure rating.
You can use the qualitative mapping table from Chapter 6 to derive the exposure value from the likelihood, severity, and sensitivity ratings.
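To make the flow between the worksheets concrete, here is an added example (not code from the book) that models the resource sensitivity profile, the threat/vulnerability split and the exposure rating in Python; because the Chapter 6 mapping table is not reproduced on this page, the exposure rule it uses is an assumption, labelled as such in the code.

```python
"""Added example (not code from the book): a minimal model of the FRAAP
worksheet chain above (Figures 10.2 and 10.3) on the text's Low/Moderate/High
scales. The Chapter 6 qualitative mapping table is not reproduced on this
page, so exposure() is an ASSUMED rule: likelihood, severity and sensitivity
each score 1-3 and the total maps to Low (<5), Moderate (5-6) or High (7+).
It reproduces the two High ratings shown in Figure 10.3.
"""
from dataclasses import dataclass

SCALE = {"Low": 1, "Moderate": 2, "High": 3}
THREAT_CATEGORIES = {
    "Natural disaster", "Infrastructure failures", "Internal abuse",
    "Accidents", "External targeted attacks", "External mass attacks",
}


@dataclass(frozen=True)
class ResourceProfile:
    """One row of the resource sensitivity profile worksheet (Figure 10.2)."""
    resource: str
    confidentiality: str
    integrity: str
    availability: str
    accountability: str

    def overall(self) -> str:
        # Overall sensitivity is the highest of the individual C-I-A-A ratings.
        ratings = (self.confidentiality, self.integrity,
                   self.availability, self.accountability)
        for r in ratings:
            if r not in SCALE:
                raise ValueError(f"{self.resource}: bad rating {r!r}")
        return max(ratings, key=SCALE.__getitem__)


@dataclass(frozen=True)
class ThreatVulnPair:
    """One row of the risk exposure rating worksheet (Figure 10.3)."""
    vuln: str
    threat_category: str
    threat_activity: str
    likelihood: str
    severity: str
    resource: str


def exposure(likelihood, severity, sensitivity):
    """Assumed stand-in for the Chapter 6 qualitative mapping table."""
    total = SCALE[likelihood] + SCALE[severity] + SCALE[sensitivity]
    if total >= 7:
        return "High"
    if total >= 5:
        return "Moderate"
    return "Low"


def rate_exposures(pairs, profiles):
    """Combine each threat/vulnerability pair with its resource's overall
    sensitivity; rows come back highest exposure first (the prioritisation
    step), ties broken by likelihood."""
    sensitivity_of = {p.resource: p.overall() for p in profiles}
    rows = []
    for pair in pairs:
        if pair.threat_category not in THREAT_CATEGORIES:
            raise ValueError(f"unknown threat category: {pair.threat_category}")
        if pair.resource not in sensitivity_of:
            raise ValueError(f"{pair.resource} has no sensitivity profile row")
        sens = sensitivity_of[pair.resource]
        rows.append({"vuln": pair.vuln, "threat_category": pair.threat_category,
                     "likelihood": pair.likelihood, "severity": pair.severity,
                     "sensitivity": sens,
                     "exposure": exposure(pair.likelihood, pair.severity, sens)})
    rows.sort(key=lambda r: (SCALE[r["exposure"]], SCALE[r["likelihood"]]),
              reverse=True)
    return rows


# Constructed input: the paper-statements example from Figures 10.2 and 10.3,
# plus a third threat category to show one vulnerability rated differently.
PAPER = "Paper copies of client account statements"
PROFILES = [ResourceProfile(PAPER, "High", "Low", "Low", "Moderate")]
PAIRS = [
    ThreatVulnPair("Account information in trash", "External targeted attacks",
                   "A criminal pulls statements from the dumpster behind the office",
                   "High", "Moderate", PAPER),
    ThreatVulnPair("Account information in trash", "Internal abuse",
                   "An employee pulls statements from office trash cans",
                   "Moderate", "High", PAPER),
    ThreatVulnPair("Account information in trash", "Accidents",
                   "Statements are dropped in unshredded recycling by mistake",
                   "Low", "Low", PAPER),
]
RATED = rate_exposures(PAIRS, PROFILES)

if __name__ == "__main__":
    for row in RATED:
        print(f'{row["exposure"]:9}{row["threat_category"]:27}{row["vuln"]}')
```

The third, constructed pair rates Moderate under the assumed rule even though the vulnerability and resource are the same, which is the point the text makes about threat categories changing the exposure.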
Once the risks have been captured and rated, you will need to identify the controls that will mitigate them. You can start with a list from one of the numerous industry resources available (for example, ISO, NIST, NSA) or you can build your own custom list. Often, organizations will publish a list of approved or existing controls and technologies. This can help to reduce the complexity of the environment and increase the reusability of previous investments.

A good place to start is with the 20 Critical Security Controls for Effective Cyber Defense [4]. These Top 20 Controls were agreed upon by a consortium of US government representatives, which included the National Security Agency (NSA), US Computer Emergency Readiness Team (US CERT), the Department of Defense Joint Task Force-Global Network Operations (DoD JTF-GNO), the Department of Energy Nuclear Laboratories, the Department of State, and the Department of Defense Cyber Crime Center, plus the top commercial forensics experts and penetration testers that serve the banking and critical infrastructure communities.
Use the mitigating controls list worksheet shown in Figure 10.4 to capture the mitigating controls that could be implemented to address the risks identified above, including the control type of preventative, detective, or responsive. You will use this worksheet to map each risk to the control that will adequately mitigate it. When choosing controls, follow these guidelines:
• Identify controls that address multiple risks
• Focus on cost-effective solutions
• The total cost of the control should be proportional to the value of the asset
In many cases, multiple controls will be needed to properly mitigate a single risk. Likewise, a single control may mitigate several risks. In the original FRAAP worksheets, there are a few interim worksheets to help illustrate the effects of mapping the controls to the risks and the risks to the controls. This can help you see the controls that will give you the most bang for your buck. For the sake of simplicity, those worksheets have been eliminated here and have been replaced with the single action plan worksheet in Figure 10.5. The last worksheet (Figure 10.4) was a simple list of each risk and the controls that could be used to mitigate it in the order the risks were identified. The action plan worksheet should summarize all the information that you have gathered so far for each of the priority items. These should be listed in order of importance.
You want to start by focusing on the risks with the highest ratings because they require the most immediate attention. The moderate risks will need attention soon and the low risks can be dealt with when time and resources are available. You may also focus on prioritizing the controls that mitigate the most risks. When you are recommending actions, remember to think about the time and resources that will be required to execute on the plan. There is no value in listing action items that aren’t practical.

Mitigating controls list
# | Brief risk desc | Control type | Control description
X | Insider stealing paper statements | Preventative | Paper cross-cut shredder in all the mail rooms
Y | Insider stealing paper statements | Preventative | Data classification and handling policy, requiring the use of a shredder for all sensitive documents

FIGURE 10.4 Mitigating controls list worksheet.

Action plan
# | Brief risk desc | Risk type | Rating | Control | Priority | Owner action | By whom | When
1 | Insider stealing paper statements | CONF, ACCT | High | X, Y | 6 | Buy a shredder and install in convenient location, and publish a handling policy | Administrative staff | 4/30/07

FIGURE 10.5 Action plan worksheet.

Be sure to identify who is responsible for each item and include a deadline. As you are considering mitigating controls, always keep in mind that accepting a risk as-is may be an option as well.

Reporting
After the completion of the assessment session, your goal should be to have the report ready within 4 to 6 days. Because a template is being used to gather the information, it will be easier to compile into an assessment and recommendations report. The report is generally written by the session facilitator. Finally, a postsession meeting or meetings should be held with the stakeholders to present the report. This may be done in two or more meetings: one for an executive level overview and one to dive into more detail about each issue.
The FRAAP approach is just one technique for adding structure to your project-based risk assessments. Its value is in the defined agenda, roles, and worksheets for capturing, rating, and mitigating risks. As was illustrated here, the model is flexible enough to allow you to expand on the worksheets and risk scales themselves over time to incorporate them into a different risk model. If you expect to perform any project-based assessments, it is highly recommended that you read Peltier’s book Information Security Risk Analysis.

THIRD-PARTY ASSESSMENTS
Earlier in this chapter, we started to lay out the challenges that quickly present themselves when dealing with third-party assessments. Almost every organization these days is experiencing this struggle from both sides of the relationship, as the client performing a due diligence evaluation and as the provider answering client or partner queries. This process can quickly become a huge drain on your resources if not managed properly. Let’s pull back the curtain and look at the inner workings of this process from behind the scenes.

As noted earlier, the first issues you will encounter are the lack of an industry standard format for vendor risk assessment questionnaires and the lack of a universally accepted certification as an alternative to individual evaluations from clients. What makes it even worse is that even among clients who are looking for the same general information, each questionnaire will word the questions just differently enough that you can’t even reuse your answers. So, you will need to have staff who are capable of crafting appropriate answers to these questions based on their knowledge of your security controls without giving away too much information, all the while responding in as positive a manner as possible so as to discourage follow-up questions. People with this skill are not easy to come by. To make matters even worse, you may get multiple questionnaires from different parts of the same company, and you can’t even count on the questionnaires staying the same from year to year from a single client. As their programs grow and mature, they change the focus of their questions so that you basically end up having to start from scratch each year.

Industry Standard Assessments
Hopefully, you didn’t just read that long list of issues and give up, because solutions to these problems are available. Now that we have adequately framed out the context for the challenges, let’s talk about these solutions. In the short term, the solution that can have the largest positive impact would be creating a standardized set of vendor due diligence questions in a common format to eliminate the need for so many customized responses. This will greatly speed up the request turnaround time and allow service providers the ability to provide the most accurate answers possible. With so many ad hoc requests coming in, it can be challenging to always find the right SME to provide a definitive response, and you can be sure that some clients ask some very obscure questions.
The good news is that there is a standard questionnaire emerging out of the financial services industry that could meet this need if adoption of it continues to expand quickly outside of this industry. Out of the BITS Financial Services Roundtable, there emerged a Standardized Information Gathering (SIG) questionnaire [5], which is aligned with the Federal Financial Institutions Examination Council (FFIEC) guidelines, and the Agreed Upon Procedures (AUP) report, which can be provided as a substitute for individual client tests of stated security procedures. The value of these tools has been proven by several large and small organizations; however, their usefulness all hinges on universal adoption of this format between businesses and their providers, and between businesses and their clients/partners. Version 6 of the SIG was released in 2010, but you will likely see organizations using a variety of versions from 3 to 5 as they transition to the newer version, which promises to have streamlined the number of questions down from several thousand to a more manageable number. The breadth of topics covered includes the typical security operations and policy questions that you might expect, as well as sections ranging from physical security and business continuity to privacy. As a standard, the SIG is far from universal, but adoption is growing at a fast pace, to the point where some of the leading GRC tools have integrated it into their software offerings.
Levels of Assessment
This section certainly isn’t meant to be an advertisement for the SIG, but there are several features of the implementation that make it worth highlighting. The first is (as of version 5) the flexibility to roll out three levels of detail, a level 1, a level 2, and a detailed version. Version 5’s level 1 contains around 100 questions, which lends itself really well to a client due diligence request during the early stages of a vendor review when a Non-Disclosure Agreement (NDA) may not have been established yet and sales needs a really quick turnaround. Using the level 1 questionnaire, you can quickly identify if there are any red flags or show-stoppers that would cause you to reject the vendor as a candidate, without the vendor having to give away too much about their controls. The version 5, level 2 questionnaire is more detailed, with closer to 400 questions, so this might be more appropriate for later in the contract negotiations, either after the contract has been signed or at least when an NDA is in place.
Another way to make use of the levels in the SIG is when you are performing due diligence reviews of your own vendors and service providers. It allows you to base the level of SIG required on the sensitivity level of the service being provided. One possible schedule for assessments is shown in Table 10.1.
This particular schedule might assume that there was no high-exposure risk found during the review in the first year. You could set a threshold for the number or level of the findings to determine the frequency and depth of the assessments performed. Another consideration to keep in mind is that vendors in your category of low sensitivity might not require a full formal review at all. Vendors who, for example, just provide you desktop and laptop hardware probably don’t need to answer 20 questions about privacy controls; so, you might implement a modified version of the schedule, as shown in Table 10.2.
In this scenario, the SIG level 1 would be used only for the moderate-sensitivity vendors, and the low-sensitivity vendors would not undergo any formal SIG assessment beyond the basic security questions that would be asked during the vendor selection process specific to the service. However you slice it, the point is that use of a measure like the SIG allows you a lot of flexibility.

Table 10.1 SIG-Based Vendor Schedule—Example 1
Service Sensitivity | First Year   | Second Year | Third Year   | Fourth Year
High                | SIG detailed | SIG level 2 | SIG detailed | SIG level 2
Moderate            | SIG level 2  | N/A         | SIG level 1  | N/A
Low                 | SIG level 1  | N/A         | N/A          | SIG level 1

Table 10.2 SIG-Based Vendor Schedule—Example 2
Service Sensitivity | First Year   | Second Year | Third Year   | Fourth Year
High                | SIG detailed | SIG level 2 | SIG detailed | SIG level 2
Moderate            | SIG level 1  | N/A         | SIG level 1  | N/A
Low                 | N/A          | N/A         | N/A          | N/A

Now, imagine a world where you have three versions of the SIG prepared and ready to distribute to your clients and partners immediately upon request. This will never completely replace requests for individual assessments of some services or requirements up front to perform architectural reviews, and so on, but it can reduce the load on your teams significantly. Version 6 of the SIG was released in 2010, and at the time this book was published, it was still unclear how the improvements will affect the adoption rate in the industry. Of course, some clients still may not accept a standardized response like the SIG, no matter how detailed it is, or even a third-party certification; so, you will need to leverage internal risk assessment activities as sources of information when responding to these client queries.
Basing Assessments on Sensitivity
In Chapter 4, risk profiling and risk sensitivity were discussed in detail. This discussion touched on vendor profiling, but didn’t get into specific questions that should be included in a third-party profile versus a security risk profile for an internal resource. Concerns around third-party providers are going to focus on a few areas, such as the following:
• Will the vendor store or process sensitive data at their site?
• Will the vendor have access to regulated information?
• Will the vendor’s systems directly connect to your organization?
• Will the vendor’s service or product be integrated into your offerings?
• Will the vendor’s staff need access to your facilities?
These types of questions would be included in a vendor risk profile and then used to determine the sensitivity of the service being provided. You could even include more specific questions about the types of data involved in the service, such as the following:
• Will the vendor store or process sensitive employee data at the vendor location?
• Will the vendor store or process sensitive customer data at the vendor location?

With the introduction of the SIG, version 6, in 2010, there were several improvements made that eliminated one level of assessment detail and, at the same time, made it easier to structure the assessment detail level around the answers to your profiling questions. Version 6 of the SIG includes a SIG-Lite, which is similar to the previous SIG level 1, but no longer includes a SIG level 2 questionnaire for those moderate-sensitivity vendors. Instead, you can use the SIG-Lite as the base for all the assessments and then add individual topic-based questionnaires as needed. For example, you may structure your assessments as follows:
• If the vendor’s risk sensitivity rating is High, then the following questionnaires need to be completed:
◦ SIG-Lite
◦ SIG-F. Physical and Environmental Security
▪ required if the vendor will process or store any employee privacy data or client confidential data
◦ SIG-G. Communications and Operations Management
▪ required if the vendor’s system or network will be directly integrated with your environment
◦ SIG-I. Information Systems Acquisition Development and Maintenance
▪ required if the vendor will have direct or indirect access to your production systems
◦ SIG-J. Incident Event and Communications Management
▪ required if the vendor will process or store any sensitive data
◦ SIG-K. Business Continuity and Disaster Recovery
▪ required if the vendor’s service will be integrated into your offerings to customers or supports a critical service
◦ SIG-L. Compliance
▪ required if the vendor will process or store any regulated data at their site
◦ SIG-P. Privacy
▪ required if the vendor will process or store privacy data for your employees or your clients at their site
• If the vendor’s risk sensitivity rating is Moderate, then the SIG-Lite questionnaire needs to be completed.
• If the vendor’s risk sensitivity rating is Low, then no further assessment is required beyond the questions in the vendor security risk profile.
If you design your security risk profile for each vendor to capture this information from the business owner of the relationship, then you can easily determine the proper level of due diligence required. Of course, you could also create your own questions, but then you are contributing to the problem for service providers who have to respond to so many customized questionnaires. It is better to start with a standard question set and pick and choose which items to include in your subset.
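The selection rules above can be captured directly as code; the following added example (not from the book or the Shared Assessments program) does that in Python, with the vendor profile field names assumed for illustration.

```python
"""Added example (not from the book or the Shared Assessments program): the
SIG version 6 selection rules listed above, encoded as a function of the
answers in a vendor security risk profile. The profile field names are
assumptions made here for illustration; the questionnaire names and the
conditions attached to them are the ones given in the text.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorProfile:
    """Vendor security risk profile answers (assumed field names)."""
    rating: str                               # High / Moderate / Low
    employee_privacy_data: bool = False       # processed/stored at the vendor site
    client_privacy_data: bool = False
    client_confidential_data: bool = False
    regulated_data: bool = False
    other_sensitive_data: bool = False
    network_integrated: bool = False          # vendor system/network tied into yours
    production_access: bool = False           # direct or indirect access
    integrated_into_offerings: bool = False   # part of what you sell to customers
    supports_critical_service: bool = False

    @property
    def sensitive_data(self) -> bool:
        # "Any sensitive data" covers every data category above.
        return any((self.employee_privacy_data, self.client_privacy_data,
                    self.client_confidential_data, self.regulated_data,
                    self.other_sensitive_data))


# Topic questionnaires added on top of SIG-Lite for High-rated vendors, each
# paired with the condition from the text that makes it required.
SECTION_RULES = [
    ("SIG-F. Physical and Environmental Security",
     lambda p: p.employee_privacy_data or p.client_confidential_data),
    ("SIG-G. Communications and Operations Management",
     lambda p: p.network_integrated),
    ("SIG-I. Information Systems Acquisition Development and Maintenance",
     lambda p: p.production_access),
    ("SIG-J. Incident Event and Communications Management",
     lambda p: p.sensitive_data),
    ("SIG-K. Business Continuity and Disaster Recovery",
     lambda p: p.integrated_into_offerings or p.supports_critical_service),
    ("SIG-L. Compliance", lambda p: p.regulated_data),
    ("SIG-P. Privacy",
     lambda p: p.employee_privacy_data or p.client_privacy_data),
]


def required_questionnaires(profile: VendorProfile) -> list:
    """Return the questionnaires the vendor must complete, per the rules above."""
    if profile.rating == "Low":
        return []  # nothing beyond the profile questions themselves
    if profile.rating == "Moderate":
        return ["SIG-Lite"]
    if profile.rating == "High":
        return ["SIG-Lite"] + [name for name, rule in SECTION_RULES if rule(profile)]
    raise ValueError(f"unknown sensitivity rating: {profile.rating!r}")


# Constructed vendors for illustration (not real relationships).
VENDORS = {
    "payroll SaaS": VendorProfile("High", employee_privacy_data=True,
                                  regulated_data=True, network_integrated=True),
    "hosted storefront": VendorProfile("High", client_privacy_data=True,
                                       client_confidential_data=True,
                                       production_access=True,
                                       integrated_into_offerings=True),
    "print shop": VendorProfile("Moderate"),
    "laptop supplier": VendorProfile("Low"),
}

if __name__ == "__main__":
    for name, vendor in VENDORS.items():
        print(f"{name}: {required_questionnaires(vendor)}")
```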

Improving the Process
Having a single vendor assessment format is certainly not the silver bullet; there are several other efficiency improvements that you can make rather easily. The first is to develop a public-facing document that summarizes your security program at a high level, almost like a marketing brochure. This can be a very helpful tool for your sales team to be able to provide to new prospective clients/partners before they get into the detailed analysis stage. Include brief summaries of aspects of your program like the general philosophy, alignment with any industry standards, and your high-level privacy policy. Again, this will not replace a detailed analysis later, but it may help to satisfy any concerns that the client’s security team will have and help to build confidence that your organization takes security seriously.
Regardless of whether you choose to implement a standardized questionnaire like the SIG or not, you will need some repository for past client questionnaires and answers. If your organization is most often the vendor being reviewed, then you need a way to quickly search old questionnaires for already approved answers or, in the case of repeat client questionnaires, to reuse and refresh the answers from last time. Be cautious about reusing any answers without first viewing them because things change quickly in everyone’s environment, and those answers could easily be out of date. Some sort of searchable database of past answers would be a useful investment so that your staff isn’t forced to spend a lot of time writing new responses to the same questions. If a database is used as the client response repository, then it needs to be searchable by at least client name, date, and question keywords.
Another option is to align your internal risk assessment processes, such as a Certification and Accreditation review or internal audit function, to the standard assessment questionnaire to ensure that the information is being captured and kept fresh all year round. Otherwise, the task of refreshing it yearly can be significant when you have to break it up into pieces and get each operational team to review and approve their answers. Whenever you can combine assessments, or at least streamline them, you will earn appreciation from the business. If you find yourself in the situation where clients are commonly asking you questions that you have never asked internally, then you will probably want to update your own internal risk assessment process to incorporate these areas of concern. A good indicator of how the threat landscape is shifting is the trends in changing client due diligence focus areas. One year it might be high availability, and the next year, end-point data leakage protection controls. Being aware of these changes in focus can be invaluable when planning and prioritizing your own assessment focus areas.
One final piece of the overall process optimization is feeding any data gathered back into the policy and standard governance process. If your policies or standards seem to be out of line with what clients or partners are expecting, then you should flag these areas and entertain adjusting the internal policy to match.

Similarly, if all your providers are coming up short in your assessments in a certain area, then you might consider adjusting the expectations in your internal policy to allow for some kind of compensating control that provides equivalent protection.

SUMMARY
Whether to use a questionnaire or interview style of assessment can be an important decision that will affect how quickly you get answers back from the other business units and how detailed the responses are. Interviews will provide you the richest information, but the questionnaire is more scalable and less intrusive. Similarly, you should carefully consider at the beginning of every assessment whether you want to use an active testing technique that will produce the most reliable results, or use a less-intrusive passive testing method. When faced with a one-time assessment of a new project, strongly consider Peltier’s FRAAP methodology for streamlining the process. Assessments of your program from clients and assessments of your own service providers can be a large resource drain if you don’t implement a standardized approach. Try to maximize your resources by producing customer-facing documentation about your security program to minimize ad hoc requests.

Action Plan
After reading this chapter, you should consider taking the following actions in your own organization:
• Pick a few of your most sensitive business areas and schedule an in-person interview with the SMEs to perform the risk assessment, instead of sending them a questionnaire.
• Perform a targeted Google search for any information about your organization that is publicly available.
• If you have any active monitoring devices in your environment, including intrusion detection systems or even logs from a firewall, pick a random sampling of data for, say, 30 minutes and review it for any anomalies.
• If you find that you are spending a lot of time assessing and remediating risks associated with nonsecure configuration of systems or software, initiate a project to establish security baselines that meet your standards and focus on automating compliance checks.
• For the next project-based assessment, try the FRAAP approach and worksheets.
• Download the BITS SIG and consider standardizing on it for assessments of your third-party providers and/or make a version available to your clients as a substitute for ad hoc reviews.
• Review your schedule for third-party assessments and ensure that the assessment frequency is directly tied to the sensitivity of the vendor service.

References
[1] Top 100 Network Security Tools. SecTools.Org. http://sectools.org (accessed 20.01.11).
[2] NIST 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems. http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf (accessed 29.12.09).
[3] T.R. Peltier, Information Security Risk Analysis, second ed., Auerbach Publications, Boca Raton, FL, 2005.
[4] SANS Institute, 20 Critical Security Controls for Effective Cyber Defense. www.sans.org/critical-security-controls (accessed 19.05.10).
[5] BITS Standardized Information Gathering (SIG) questionnaire. www.sharedassessments.org (accessed 02.02.11).

CIS527 Week #3_ P1 IT Risk Management – Defining Risk Approaches
Slide #
Slide Title
Slide Narration
Slide 1
Introduction
Welcome to IT Risk Management.
In this lesson we will discuss Defining Risk Assessment Approaches.

Next slide

Slide 2
Topics
The following topics will be covered in this lesson:

What risk assessment is,
what critical components of a risk assessment are,
what types of risk assessments are available,
which risk assessment challenges should be addressed, and
what best practices for risk assessment are.

Next slide
Slide 3
Understanding Risk Assessment
A risk assessment (RA), also referred to as “risk analysis,” is a process used to identify and evaluate risks. Risks are then quantified based on their importance or impact severity. These risks are then prioritized.

Risk assessments are a major part of an overall risk management program. They help identify which risks are most important. A major difference between a risk assessment and a risk management program is that the risk assessment is created at a moment in time, while a risk management program is a continuous process.

An RA is used to help identify which safeguards to implement.
Safeguards are also known as controls and are used to control or reduce risk. A control may reduce a vulnerability or it may reduce the impact from a threat. An RA can help determine where to draw the line.

Risk assessments are an important part of the risk management process. Without an RA, it becomes difficult to determine which systems should be protected. An RA will help with identification of the most important systems to protect.

An RA should be completed when evaluating risk, when evaluating a control, and periodically after a control has been implemented. An RA is a point-in-time document.
RAs should be scheduled on a regular basis after a control has been implemented. The goal is to determine if the control is still useful.

Next slide
Slide 4
Understanding Risk Assessment (continued)
Risk assessments are important tools to assist management: they help management quantify risks. RAs also help management identify controls and evaluate the effectiveness of these controls.

Risk assessments tend to support decision making and help evaluate control effectiveness. Steps involved in the RA include:

Identify threats and vulnerabilities;
Identify likelihood that risk will occur;
Identify asset values;
Determine impact of risk; and
Determine usefulness of safeguard or control

The RA identifies threats and vulnerabilities against the current system and assumes current controls are working as expected.
Note also that risk management is a continuous process, while a risk assessment is not.

Next slide
Slide 5
Understanding Risk Assessment (continued)
There are several components that need to be considered when tasking and performing an RA. Three critical steps that need to be completed early include:
Identify scope,
Identify the critical areas, and
Identify the team
The scope identifies the boundary of the RA. It is important to identify the scope of a risk management plan to eliminate scope creep. This helps to keep the project on track. Similarly, the scope of the RA helps to keep the RA on track.
The RA also identifies critical areas that should be included. This helps the RA team focus only on what’s important. For example, a scope could include a Web server, a database server, and a firewall. The RA could identify the following critical areas:
Web server. This would address all elements of the Web server, including hardware, the operating system, and the Web site application. For hardware, focus on any single point of failure. A single point of failure (SPOF) is any single piece of hardware whose failure can take down the Web site.
When identifying the critical areas, the focus should be on areas that are most critical to the business such as profitability and survivability. Some data is critical, such as financial data and customer data. Other data, such as public data, doesn’t need the same level of protection. Similarly, some servers or IT services are critical. Other servers and services are less critical.
Although it certainly makes sense to include only critical areas, the RA team may not understand what is critical to management. The team should stay focused on what management considers important.
Risk assessment team personnel should not be the same people who are responsible for correcting deficiencies. This helps avoid a conflict of interest.
For example, imagine that an administrator is responsible for implementing controls on a Web server. The administrator’s input may be slanted by his or her desire to implement the control. If disinterested parties provide the input, there is a better chance of getting accurate, objective data.
Next slide
Slide 6
Types of Risk Assessments
When considering an RA, the method to be used needs to be identified. The two primary methods used in the IT field are quantitative and qualitative.
The quantitative method is an objective method that uses numbers such as actual dollar values. A quantitative RA requires a significant amount of data. Gathering this data often takes time. If the data is available, this type of RA becomes a simple math problem with the use of formulas.
Qualitative is a subjective method that uses relative values based on opinions from experts. Experts provide their input on the probability and impact of a risk. A qualitative RA can be completed rather quickly.
It is important to realize that neither method is superior to the other. They both have benefits and limitations. However, one method sometimes works better than the other in specific situations.
A quantitative risk assessment uses numbers such as dollar values. The data is gathered and then entered into standard formulas. The results can help with identification of the priority of the risks.
Some of the key terms associated with quantitative risk assessments include single loss expectancy (SLE), annual rate of occurrence (ARO), annual loss expectancy (ALE), and safeguard value.
Next slide
Slide 7
Types of Risk Assessments (continued)
One of the primary benefits of a quantitative RA is that it becomes a simple math problem. This is especially true if tools are used that automate the assessment. For example, applications are available that allow a user to plug in values for SLE, ARO, and safeguard value. The application calculates the results and provides a recommendation. Because the application performs the calculations, the data is often more accurate.
Another big benefit of a quantitative RA is that it provides a Cost Benefit Analysis (CBA). When there are accurate values for the SLE, ARO, and safeguard value, the CBA can also be calculated.
There are some limitations to using a quantitative analysis. One of the biggest limitations is that accurate data isn’t always available. This is especially true when identifying ARO reductions. The accuracy of these estimates can be difficult to verify.
For example, an earlier example stated that if hardware locks were purchased, the ARO would decrease from four to one. In other words, instead of four laptops being stolen each year, only one laptop would be stolen. It sounds good, but how do you know it’s true?
The accuracy of this estimate is difficult to verify. Another difficulty is that such unverified estimates are vulnerable to challenge when reporting to skeptical or unsupportive managers.
Another limitation is ensuring that people use the control as expected. Hardware locks were mentioned in the example to protect the laptops. As long as everyone uses the hardware locks, they will work. However, users may consider them inconvenient. Just because the locks are purchased doesn’t mean they will be used. Additional steps may need to be taken to ensure users are aware of the importance of the control. Even though laptop computers are stolen all the time, users are still very surprised when it happens to them.
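To make the quantitative calculation concrete, here is an added Python example (not from the lesson or the textbook) that computes the ALE before and after a safeguard and the resulting cost-benefit figure for the laptop-lock scenario. The lesson gives only the ARO change from four to one; the SLE of $2,000 per laptop, the $1,000 annual cost of the locks and the adoption rate are constructed assumptions. The adoption parameter models the last limitation described above: locks that are purchased but not used reduce the ARO less than the estimate claims, and the cost-benefit analysis shrinks accordingly.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Safeguard:
    """A control under evaluation. The values used below are constructed for the example."""
    name: str
    annual_cost: float   # yearly cost of buying and maintaining the control
    aro_after: float     # estimated annual rate of occurrence once the control is in place


def ale(sle: float, aro: float) -> float:
    """Annual loss expectancy = single loss expectancy * annual rate of occurrence."""
    return sle * aro


def effective_aro(aro_before: float, aro_after: float, adoption: float) -> float:
    """ARO actually achieved when only a fraction of users apply the control.

    adoption=1.0 reproduces the estimate (everyone uses the locks);
    adoption=0.0 means the locks were bought but never used, so nothing changes.
    """
    if not 0.0 <= adoption <= 1.0:
        raise ValueError("adoption must be a fraction between 0 and 1")
    return aro_before - (aro_before - aro_after) * adoption


def cost_benefit(sle: float, aro_before: float, safeguard: Safeguard,
                 adoption: float = 1.0) -> dict:
    """Cost-benefit analysis of a safeguard.

    CBA = (ALE before the control - ALE after the control) - annual cost of the control.
    A positive CBA means the control saves more per year than it costs.
    """
    aro_real = effective_aro(aro_before, safeguard.aro_after, adoption)
    ale_before = ale(sle, aro_before)
    ale_after = ale(sle, aro_real)
    cba = (ale_before - ale_after) - safeguard.annual_cost
    return {
        "safeguard": safeguard.name,
        "aro_after_effective": aro_real,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "cba": cba,
        "recommend": cba > 0,
    }


if __name__ == "__main__":
    # Laptop theft scenario from the lesson: ARO drops from four to one with hardware locks.
    # The SLE and the cost of the locks are constructed figures, not from the lesson.
    laptop_sle = 2_000.0
    laptop_aro = 4.0
    locks = Safeguard(name="hardware laptop locks", annual_cost=1_000.0, aro_after=1.0)
    for adoption in (1.0, 0.5, 0.0):
        result = cost_benefit(laptop_sle, laptop_aro, locks, adoption)
        print(f"adoption {adoption:.0%}: ALE {result['ale_before']:.0f} -> "
              f"{result['ale_after']:.0f}, CBA {result['cba']:.0f}, "
              f"recommend={result['recommend']}")
```

Running the script shows the point of the slide: with full adoption the locks return $5,000 a year, with half the users ignoring them the return falls to $2,000, and with nobody using them the organization is simply out the $1,000 purchase price. An analyst who presents only the first line has not addressed the limitation.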
Next slide
Slide 8
Types of Risk Assessments (continued)
A qualitative risk assessment doesn’t assign dollar values, but determines the level of risk based on the probability and impact of a risk. The values are determined by gathering the opinions of experts.
Probability is the likelihood that a threat will exploit a vulnerability. The risk occurs when a threat exploits a vulnerability. A scale can be used to define the probability that a risk will occur. The scale can be based on word values such as Low, Medium, or High, and percentages can be assigned as values to these words.
Impact is the negative result if a risk occurs and is used to identify the magnitude of a risk. The risk results in some type of loss. However, instead of quantifying the loss as a dollar amount, an impact assessment could use words such as Low, Medium, or High. These categories may be used to identify probabilities. However, where a probability is expressed as a percentage, impact is expressed as a relative value. For example, Low could be ten. Medium could be fifty. High could be one hundred.
A qualitative analysis can be divided into two sections that include attempts to prioritize the risk and attempts to evaluate the effectiveness of controls.
It is possible to perform both sections at the same time. However, for clarity, they are presented as two separate actions.
Next slide
Slide 9
Types of Risk Assessments (continued)
The goal of this part of the RA is to identify which risks are most important. An analysis is done by assigning probability and impact values to known risks.
For example, a company Web site sells company products. Due to some recent outages, the company is trying to identify the most important risks to the Web site. Based on feedback from several experts, a list has been compiled and the risks prioritized.
The risk categories are:
DoS attack—Any denial of service (DoS) or distributed DoS (DDoS) attack that results in an outage
Web defacing—Modification of the Web site by unauthorized parties
Loss of data from unauthorized access—Any loss of confidentiality. This could be from an attacker accessing customer data. It could also be from an attacker accessing any internal private data. It does not include the loss of public data that is freely available.
Loss of Web site data due to hardware failure—This indicates the loss of any Web site data. This can include any data used to show the Web pages to customers. It can also include the Web site application used to retrieve and format the data into Web pages.
The risk of a DoS attack clearly rises to the top as the biggest risk. Based on the current controls, the experts agree that the system will be attacked. When it is attacked, they also agree that the impact will be high.
The list of risks from most important to least important is as follows:
• Priority one, DoS attack, with a value of one hundred
• Priority two, Web defacing, with a value of forty-five
• Priority three, Loss of Web site data due to hardware failure, with a value of twenty-seven
• Priority four, Loss of data from unauthorized access, with a value of three
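As an added example (not part of the lesson), the following Python reproduces the ranking above using the probability-times-impact method from the previous slide. The lesson gives only the final scores; the percentage probabilities and the Low/Medium/High impact levels assigned to each risk below are constructed so that the result matches the lesson's priority list, and the word-to-number scales are the ones the slide suggests (percentages for probability, ten/fifty/one hundred for impact).

```python
# Word scales as the previous slide suggests: percentages for probability and
# relative values for impact. These particular mappings are constructed for the example.
PROBABILITY_SCALE = {"Low": 10, "Medium": 50, "High": 100}   # percent
IMPACT_SCALE = {"Low": 10, "Medium": 50, "High": 100}        # relative value


def as_probability_pct(value) -> int:
    """Accept either a word from the probability scale or a percentage from 0 to 100."""
    if isinstance(value, str):
        if value not in PROBABILITY_SCALE:
            raise ValueError(f"unknown probability level {value!r}")
        return PROBABILITY_SCALE[value]
    if not 0 <= value <= 100:
        raise ValueError("probability must be a percentage from 0 to 100")
    return int(value)


def risk_score(probability, impact: str) -> float:
    """Qualitative score = probability (percent) * impact value / 100.

    Dividing by 100 keeps the score on the same 0-100 scale as the impact values,
    so a certain (100%) High-impact risk scores exactly one hundred.
    """
    if impact not in IMPACT_SCALE:
        raise ValueError(f"unknown impact level {impact!r}")
    return as_probability_pct(probability) * IMPACT_SCALE[impact] / 100


def prioritize(risks):
    """risks: iterable of (name, probability, impact_level) tuples.

    Returns (priority, name, score) tuples ordered from most to least important.
    """
    scored = sorted(((name, risk_score(p, i)) for name, p, i in risks),
                    key=lambda item: item[1], reverse=True)
    return [(rank, name, score) for rank, (name, score) in enumerate(scored, start=1)]


# Constructed expert inputs chosen to reproduce the lesson's priority list.
WEB_SITE_RISKS = [
    ("DoS attack", "High", "High"),   # experts agree it will be attacked and impact will be high
    ("Web defacing", 90, "Medium"),
    ("Loss of data from unauthorized access", 3, "High"),
    ("Loss of Web site data due to hardware failure", 54, "Medium"),
]

if __name__ == "__main__":
    for rank, name, score in prioritize(WEB_SITE_RISKS):
        print(f"Priority {rank}: {name} (value {score:g})")
```

Note that the unauthorized-access risk lands last only because the experts put its probability very low under current controls; the same High impact with a different probability estimate would reorder the list, which is why the report must record the inputs and not just the scores.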
Next slide
Slide 10
Types of Risk Assessments (continued)
A risk assessment ends with a report. This report is used by management to decide what controls to implement. The list of topics that are commonly used in the risk assessment report include an introduction, risk assessment approach, the system characterization, the threat statement, the risk assessment results, the control recommendations, and the summary.
The risk assessment results are the most important section in the report. Results can be listed as vulnerability/threat pairs representing a risk. The risk is described with existing security controls. The likelihood of the risk occurring with current controls is listed. How the risks are described depends on which analysis is used. A quantitative method uses terms such as SLE, ARO, and ALE. A qualitative method identifies probability and impact based on a defined scale. All of this data is supported with discussions identifying how the result was obtained.

Next slide
Slide 11
Check Your Understanding

Slide 12
Risk Assessment Challenges
When completing any risk assessment, there are several challenges to address and overcome. Many of these are dependent on the type of assessment chosen. Both the quantitative and qualitative assessments have their own challenges that were listed in the previous section as limitations.

There are several additional challenges, which include:

Using a static process to evaluate a moving target;
Availability of data and resources;
Data consistency;
Estimating impact effects, and
Providing results that support resource allocation and risk acceptance

Next slide
Slide 13
Risk Assessment Challenges (continued)
As mentioned previously, the RA is a point-in-time assessment. It evaluates the system against known risks at a specific time. It considers the risks based on current controls. In other words, the RA is a static process, but security is not static because risks can and do change. Attackers and attacks are constantly changing, and security does not stand still either. As attackers become successful at any attack, security experts implement controls.

At some point, these attacks become much less successful so the attackers learn new methods of attack, causing the security experts to modify the controls or implement new controls. Some threats and vulnerabilities look as if they’ve been mitigated successfully and no longer present a risk. Then, they appear suddenly as another threat.

Domain Name System (DNS) cache poisoning is a good example. DNS cache poisoning can cause a system to resolve a Web site name to a bogus Internet Protocol (IP) address. For example, users may try to access Acme.com with a Web browser. However, they are instead redirected to Malware4u.com. DNS cache poisoning was identified years ago as a significant threat. It was successfully mitigated and fell into disuse. From an IT security perspective, it almost became a historical footnote.

Then in the summer of 2008, a flaw was discovered and published by Dan Kaminsky. Quick as a flash, DNS cache poisoning was once again an issue. Once the results were published, attackers quickly learned how to exploit the vulnerability. DNS cache poisoning was once again raised as a serious concern.

Next slide
Slide 14
Risk Assessment Challenges (continued)
Availability challenges are present in two primary areas. One relates to the availability of resources. The other relates to the availability of data. Both are important to address early in the process of the RA. If not addressed, they can seriously affect the quality.

First, resources: Personnel involved in the assessment should be knowledgeable about the system they are assessing. With a higher level of expertise, a higher quality of assessment is expected. If the RA team does not have the high level of knowledge and experience needed, they may have to resort to guessing. The RA also needs support from upper management. This support will help ensure that management dedicates adequate resources to the team.

As far as data goes, its availability is also very important. Data availability will drive the type of assessment performed. For example, if there is a great deal of internal historical data related to actual performance and outages, a quantitative RA needs to be performed. The use of this historical data will identify values for the SLE and ARO. If this data isn’t available, a qualitative RA will need to be performed instead.

Without the availability of the right personnel and the right data, the RA becomes much more difficult to complete.

Next slide
Slide 15
Risk Assessment Challenges (continued)
Another challenge with risk assessments is data consistency.
Data consistency refers to the accuracy of data. Several issues can affect data consistency, which include:

Differences in data format
Changes in data collection, and
Changes in the business

Each of these concerns can directly affect the accuracy of the data. However, even if the data isn’t one hundred percent accurate, it doesn’t mean that it cannot be used.

Some risk assessments address the accuracy of data with an uncertainty level. An uncertainty level indicates how valid the data is. If all conditions were ideal, the data would be one hundred percent accurate, and there would be one hundred percent assurance that it is accurate.

For example, historical data could indicate that a Web site generates approximately two thousand dollars revenue per hour. Current data could indicate this trend is continuing with slight growth. There could be an eighty percent assurance that the data is accurate, or a twenty percent uncertainty level. When using this sales data to calculate SLE, there could also be an uncertainty level.

The potential impact of any risk is difficult to estimate. The most important thing to realize is that this is an estimate. If we could accurately predict exactly what will happen in the future, we probably wouldn’t be working in the IT field.

When estimating the impact effects, several factors come into play. This is true even if we have accurate historical data. For example, a Web site could have been attacked resulting in an outage of several hours. While troubleshooting the outage the technicians learn quite a bit. Yes, the primary focus is to resolve this current outage, but the knowledge and experience is tucked away. The next time the server suffers an outage, the recovery time may be much quicker.
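The uncertainty level described above can be carried through into the SLE rather than left as a footnote. The Python below is an added example, not from the lesson: it takes the lesson's figure of two thousand dollars of revenue per hour with twenty percent uncertainty, combines it with a constructed estimate of outage duration that has its own uncertainty (recovery time is itself an estimate, as the paragraph above notes), and reports the SLE as an expected value with a low and high bound suitable for the results section of the report.

```python
def estimate_range(point_estimate: float, uncertainty: float) -> tuple:
    """Return (low, expected, high) for an estimate with the given uncertainty level.

    An uncertainty level of 0.2 means eighty percent assurance in the figure, so the
    true value is taken to lie within twenty percent either side of the estimate.
    """
    if not 0.0 <= uncertainty < 1.0:
        raise ValueError("uncertainty level must be a fraction in [0, 1)")
    return (point_estimate * (1.0 - uncertainty),
            point_estimate,
            point_estimate * (1.0 + uncertainty))


def outage_sle(revenue_per_hour: float, revenue_uncertainty: float,
               outage_hours: float, duration_uncertainty: float) -> dict:
    """Single loss expectancy for one Web site outage with both uncertainties carried through.

    The low bound pairs the low revenue figure with the short outage and the high
    bound pairs the high revenue figure with the long outage, so the range brackets
    the estimate. If the two estimates are independent, the chance that both fall
    inside their bands is the product of the two assurance levels.
    """
    rev_low, rev_mid, rev_high = estimate_range(revenue_per_hour, revenue_uncertainty)
    hrs_low, hrs_mid, hrs_high = estimate_range(outage_hours, duration_uncertainty)
    return {
        "sle_low": rev_low * hrs_low,
        "sle_expected": rev_mid * hrs_mid,
        "sle_high": rev_high * hrs_high,
        "assurance": (1.0 - revenue_uncertainty) * (1.0 - duration_uncertainty),
    }


def format_for_report(result: dict) -> str:
    """One line in the form an analyst would place in the risk assessment results section."""
    return (f"SLE ${result['sle_expected']:,.0f} "
            f"(range ${result['sle_low']:,.0f} to ${result['sle_high']:,.0f}, "
            f"{result['assurance']:.0%} assurance)")


if __name__ == "__main__":
    # $2,000 per hour with 20% uncertainty is the lesson's figure. The four-hour outage
    # with 50% uncertainty on its duration is a constructed assumption.
    print(format_for_report(outage_sle(2_000.0, 0.2, 4.0, 0.5)))
```

The output makes the point of the slide visible: an expected SLE of $8,000 sits inside a range from $3,200 to $14,400, and the combined assurance is well below the eighty percent attached to the revenue figure alone. Presenting the single number without the range would overstate how much is actually known.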

Next slide
Slide 16
Risk Assessment Challenges (continued)
The results of an RA need to be useful. However, it is possible for security professionals to fall into the trap of thinking security must be pursued at all costs. A proper balance between profitability and survivability must constantly be considered.

Two important points to consider are resource allocation and risk acceptance.

Security teams don’t have an unlimited amount of funds, or an unlimited number of personnel. Instead, security will be allocated a finite percentage of resources. Any recommendations need to be realistic and must consider the culture of the business and the actual potential for the recommendations to be accepted.

Some organizations are willing to accept more risks than others. This isn’t right or wrong, it’s just the way a business operates. When creating a risk assessment, you need to be aware of the business culture.

There are two sides to accepting more risk which include:
The greater the risk, the greater the rewards, and
Bigger risks present larger potential losses.

Consider the stock market. There are many companies in existence today that had stock for sale for less than a dollar at one point. If a person bought ten thousand dollars of their stock, he or she would be a millionaire today. However, few actually bought that ten thousand dollars of stock. The reason is that when the stock was at a low price, it wasn’t clear the company would survive.

Some people took the risk and have great rewards. However, others took similar risks on other companies that have since gone bankrupt. Their risky investment turned out to be a huge loss.

This is not to say that data should be hidden. There is still a responsibility to present all of the data. If some of the recommendations clearly don’t look as if they will be accepted, they can be included in the report. They just don’t need to be included in the list of actual recommendations.

Next slide

Slide 17
Best Practices for Risk Assessment
Risk assessments can proceed differently in organizations. A risk assessment on a Web server may look substantially different from an assessment that evaluates HIPAA data. The following list identifies several best practices for risk assessment approaches:

Start with clear goals and a defined scope;
Ensure senior management support;
Build a strong RA team;
Repeat the RA regularly;
Define a methodology to use; and
Provide a report of clear risks and clear recommendations

Risk assessments are used to identify and quantify risks. They do so by identifying threats and vulnerabilities and then applying an assessment methodology to prioritize the risks. Once the risks are quantified, controls and safeguards can be identified.

Next slide

Slide 18
Check Your Understanding

Slide 19
Summary
We have reached the end of this lesson. Let’s take a look at what we’ve covered.

First we considered what risk assessment is and what the critical components of a risk assessment are, such as identifying the scope, critical areas and the team.

Next, we looked at what types of risk assessments are available and the two methods used for the analysis of the risks – the quantitative method and the qualitative method.

Finally we discussed which risk assessment challenges should be addressed, and what the best practices for risk assessment are.

This completes this lesson.

CIS527 Week #3_ P2 IT Risk Management – Performing a Risk Assessment
Slide #
Slide Title
Slide Narration
Slide 1
Introduction
Welcome to IT Risk Management.
In this lesson we will discuss Performing a Risk Assessment.

Next slide

Slide 2
Topics
The following topics will be covered in this lesson:

Selecting a risk assessment methodology,
identifying the management structure,
identifying assets and activities within risk assessment boundaries,
identifying and evaluating relevant threats and vulnerabilities,
identifying and evaluating countermeasures,
selecting a methodology based on assessment needs, and
developing mitigating recommendations.

Next slide
Slide 3
Selecting a Risk Assessment Methodology
Before a risk assessment is performed, an outline of the steps to be taken and how to proceed is necessary.
This takes time and planning. Now we will paint the overall picture of a risk assessment.

In general, a risk assessment involves the following steps:

Identify assets and activities to address
Identify and evaluate relevant threats
Identify and evaluate relevant vulnerabilities
Identify and evaluate relevant countermeasures
Assess threats, vulnerabilities, and exploits
Evaluate risks
Develop recommendations to mitigate risks, and
Present recommendations to management

Two preliminary actions need to be taken before progressing to the risk assessment, which include:

define the assessment and
review previous findings.

Next slide
Slide 4
Selecting a Risk Assessment Methodology (continued)
In defining the risk assessment, what needs to be defined is the starting point. For example, if it is a system, the system will need to be described. If it’s a process, that will need to be described.

It’s also important to describe the system or process as it is right now. We have stressed that an RA is a point-in-time assessment. This is unlike overall risk management, which is a continuous process.

When describing the system or process, the focus needs to be on two primary areas – operational characteristics and the mission of the system.

Operational characteristics define how the system operates in the environment. It’s not enough to just name the system, such as “E-mail server.” Instead, identification of how the system is currently configured and operating needs to be done.

The RA against the current system can be started with some questions, for example:

Are there current system diagrams, and is there documentation of the current systems?

The mission of the system defines what the system does. Compared to the operational characteristics of the system, the mission is easy to define. The mission definition for any single system can be as short as a paragraph. It can also consist of simple bullet statements.

For example, an e-mail system could have the following mission: The e-mail server provides all e-mail services for the network. This includes the following functions:

Routing e-mail between internal clients;
Accepting e-mail from external e-mail servers and routing to internal client;
Accepting e-mail from internal clients and routing to external e-mail servers;
Scanning all e-mail attachments and removing malware, and
Scanning all e-mail for spam and stripping out confirmed spam.

Next slide
Slide 5
Selecting a Risk Assessment Methodology (continued)
If previous audits or risk assessments are available, they should be reviewed. These reports can contain a lot of valuable information, such as the list of assets, threats, and vulnerabilities. They should also list the controls that are currently in place. They may provide recommendations for additional controls. Three items especially worth investigating include recommendations, current status of accepted recommendations, and unapproved recommendations.

Next slide
Slide 6
Identifying the Management Structure
The management structure refers to how responsibilities are assigned. When defining the scope of the RA, it’s helpful to keep the scope within the ownership of a single entity. This allows for easier implementation of recommendations.

A small organization may have a single IT section. This single section is responsible for all IT systems and processes. Because this section controls all IT systems, the section can implement recommendations for any of the systems, but a larger organization may have multiple IT sections or divisions. In this case, various managers or management teams oversee different IT systems and each manager has different responsibilities.

For example, an organization may have the following sections for IT management:

Network infrastructure;
User and computer management;
Email servers;
Web servers;
Database servers; and
Configuration and change management

A small organization may perform a risk assessment for many systems at the same time, but a larger organization will likely separate the risk assessments. For example, a larger organization that performs a risk assessment on Web servers, database servers, and firewalls at the same time can face problems. Three separate sections with three separate managers would need to implement the recommendations.

The goals and schedules could compete with internal priorities.
However, if the organization assesses a single section at a time, the results are easier to implement.

Next slide
Slide 7
Identifying Assets and Activities within Risk Assessment Boundaries
Asset valuation is the process of determining the fair market value of an asset. This is one of the first priorities of risk management. The value can be determined from the replacement value of the asset, from what the asset provides to the organization, or from the cost to recover the asset. It’s also possible to determine the value using a combination of these values.
Once the value of your assets is known, their importance can be prioritized. If an asset is worth one thousand dollars, it needs one level of protection. If another asset is worth one million, it needs another level of protection. It is important that you evaluate only assets that are within the boundary of the RA. Scope creep occurs when you start evaluating assets outside the scope of the RA. This results in wasted time and wasted resources.
When considering the value of an asset, replacement value and recovery value should be considered as differing perspectives.
Several elements also need to be considered when determining the value of different assets. These include system access and system availability; system functions; hardware and software assets; personnel assets; data and information assets; and facilities and supplies.
Next slide
Slide 8
Identifying Assets and Activities within Risk Assessment Boundaries (continued)
Access and availability refers to how and when the asset needs to be available. Some assets need to be available twenty-four hours a day, seven days a week. Other assets only need to be available Monday through Friday during business hours. The more available the asset needs to be, the more risks you have related to outages.
For example, consider a Web server used to sell products over the Internet. Customers may access the Web site at any time. If the Web site is not operational when the customer tries to access it, the sale may be lost.
With this in mind, the risk assessment needs to consider the risks associated with this Web site going down at any given time. Additionally, how maintenance is performed on the system without taking the Web site down needs to be determined. This includes performing backups of the data and also how to keep the system up to date. The Web server may be one of many servers in a Web farm, or it may be one of multiple Web servers in a failover cluster. Both configurations allow a single server to go down while the Web site continues to function. Without such redundancy, one single server outage could be catastrophic.
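As an added example (not the lesson's own material), the Python below scores a small constructed asset inventory in the way the two slides above describe: each asset's value is its replacement cost, its recovery cost, or the two combined; assets whose owning IT section is outside the RA boundary are dropped so the assessment does not drift into scope creep; and assets with a 24x7 availability requirement are flagged because that requirement carries more outage-related risk. The section names mirror the IT management sections listed earlier in this lesson; the cost and hour figures are constructed.

```python
from dataclasses import dataclass

HOURS_24X7 = 24 * 7  # an asset that must be up around the clock needs 168 hours a week


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str               # IT section responsible for the asset
    replacement_cost: float  # cost to buy the asset again
    recovery_cost: float     # cost to restore it to service: labour, data recovery, lost business
    hours_required: float    # availability requirement in hours per week


def asset_value(asset: Asset, method: str = "combined") -> float:
    """Value an asset from the replacement perspective, the recovery perspective, or both."""
    if method == "replacement":
        return asset.replacement_cost
    if method == "recovery":
        return asset.recovery_cost
    if method == "combined":
        return asset.replacement_cost + asset.recovery_cost
    raise ValueError(f"unknown valuation method {method!r}")


def in_scope(asset: Asset, scope_owners) -> bool:
    """An asset is inside the RA boundary when its owning section is one being assessed."""
    return asset.owner in scope_owners


def prioritize_assets(inventory, scope_owners, method: str = "combined"):
    """Return (name, value, always_on) for in-scope assets, most valuable first.

    Assets outside the boundary are dropped rather than valued, which is the
    practical guard against scope creep. always_on marks 24x7 assets, whose
    availability requirement brings more outage-related risk.
    """
    rows = [(a.name, asset_value(a, method), a.hours_required >= HOURS_24X7)
            for a in inventory if in_scope(a, scope_owners)]
    rows.sort(key=lambda r: (r[1], r[2]), reverse=True)
    return rows


# Constructed inventory; the section names follow the lesson's example IT sections.
INVENTORY = [
    Asset("Public Web server", "Web servers", 8_000, 40_000, HOURS_24X7),
    Asset("Intranet Web server", "Web servers", 4_000, 6_000, 45),
    Asset("Customer database server", "Database servers", 25_000, 60_000, HOURS_24X7),
    Asset("Perimeter firewall", "Network infrastructure", 12_000, 15_000, HOURS_24X7),
    Asset("Accounting workstation", "User and computer management", 500, 1_500, 45),
]

# This RA covers the Web server and database server sections only.
RA_SCOPE = {"Web servers", "Database servers"}

if __name__ == "__main__":
    for name, value, always_on in prioritize_assets(INVENTORY, RA_SCOPE):
        print(f"{name}: ${value:,.0f}{' (24x7)' if always_on else ''}")
```

The firewall is the most visibly security-relevant device in the inventory, yet it does not appear in the output because its section is outside the boundary; it belongs to the network infrastructure section's own assessment, which is exactly the single-owner scoping the management structure slide recommends.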
Next slide
Slide 9
Identifying Assets and Activities within Risk Assessment Boundaries (continued)
If a system provides a service, functions of the system must be considered when determining the asset’s value. Of particular importance is how the functions are performed, whether manually or through automation.
For example, imagine the evaluation of the value of e-mail in an organization. The e-mail system could have multiple elements, including a spam filter. Studies report that as much as ninety percent of the e-mail sent through the Internet is spam. Spam filters will eliminate some of this spam with a goal of not eliminating any valid e-mails. A spam filter that filters out as much as thirty percent of the spam provides a significant reduction in unwanted e-mail with a high assurance that valid e-mail isn’t filtered.
When calculating the value of the manually managed spam appliance, the work done by the administrators also needs to be considered. The value may be higher if it takes additional man hours and expertise to initially configure it as well as manage it.
Hardware assets are any assets that can be physically touched. This includes computers such as laptops, workstations, and servers. It also includes network devices such as routers, switches, and firewalls.
There is a wide range of values among the devices. A simple desktop PC can cost less than five hundred dollars. However, a high-end server can cost tens of thousands of dollars.
Software assets include both the operating systems and the applications. The operating system is what allows the computer to operate. This could be a Microsoft operating system, such as Windows 7 or Windows Server 2008. It could also be a UNIX or Macintosh operating system.
Applications allow the tasks to be performed. For example, Microsoft Word is an application that allows creation and editing of documents. Similarly, Oracle is a server-level application used to manage databases.
Personnel assets are also very important to value. An organization that is able to retain personnel often has fewer problems than an organization with a high turnover rate.
There are specific things an organization can do to retain valued personnel. For example, organizations offer different levels of benefit packages, which include different types of insurance such as health, dental, and life. They also include retirement plans such as matching 401(k) contributions. Many organizations also take additional steps to improve morale and the working environment.
Next slide
Slide 10
Check Your Understanding

Slide 11
Identifying and Evaluating Relevant Threats
A threat is any potential danger. The danger can be to the data, the hardware, or the systems. A threat assessment is the process of identifying threats. It is important to understand how threats interact with risks as a whole.
Two primary methods can be used to identify threats – review historical data and modeling.
History often repeats itself. This is true in so many areas of life. It’s also true with IT systems. You can save yourself a lot of time by reviewing historical data to identify realistic threats.
When reviewing historical data, the following events need to be looked at:
Attacks,
Natural events,
Accidents, and
Equipment failures.
Threat modeling is a process used to identify possible threats on a system. It attempts to look at a system from the attacker’s perspective. The result of threat modeling is a document called a threat model. The threat model provides information on the system, the threat profile and the threat analysis.
Threat modeling allows for prioritization of attacks based on their probability of occurring and the potential harm.
Next slide
Slide 12
Identifying and Evaluating Relevant Vulnerabilities
As a reminder, a vulnerability is a weakness. It can be a weakness in physical security, technical security, or operational security, and can be procedural, technical, or administrative.
The following two statements are related to vulnerabilities:
All systems have vulnerabilities, and
Not all vulnerabilities result in a loss.
The two primary assessments are vulnerability assessments and exploit assessments.
A vulnerability assessment is a process used to discover weaknesses in a system. The assessment will then prioritize the vulnerabilities to determine which weaknesses are relevant.
Vulnerability assessments can be performed internally or externally. An internal assessment attempts to discover weaknesses from within the network. An external assessment attempts to discover what attackers outside the company may see.
A vulnerability assessment often starts by gathering information. Vulnerability scanners perform network reconnaissance. This is similar to an enemy scouting out a target to evaluate it and identify the best method of attack. A vulnerability assessment may have multiple goals, such as:
Identify IP addresses,
Identify names,
Identify operating systems,
Identify open ports,
Identify weak passwords, and
Capture data.
Common tools used for this reconnaissance include:
Nmap,
Nessus,
SATAN, and
SAINT
An exploit assessment attempts to discover what vulnerabilities an attacker can exploit. Exploit assessments are also referred to as “penetration tests.” An exploit assessment starts with a vulnerability assessment. After the weaknesses are discovered, the exploit is attempted.
Next slide
Slide 13
Identifying and Evaluating Counter Measures
A countermeasure is a security control or a safeguard. A countermeasure can be implemented to reduce a risk. Risk can also be reduced by reducing vulnerabilities or by reducing the impact of the threat.
When identifying and evaluating the countermeasures, the following should be considered:
In-place controls,
Planned controls, and
Control categories
Countermeasures cost money. Prior to purchasing a countermeasure, an organization will evaluate their options. During their evaluation of alternative countermeasures, the organization will gather relevant documentation. When performing a risk assessment, documentation should be retrieved for these controls and then reviewed.
There are several ways that controls are organized or classified. One of the popular methods is to define them based on these three categories:
Administrative security controls;
Technical security controls; and
Physical security controls
Next slide
Slide 14
Identifying and Evaluating Counter Measures (continued)
Administrative security controls are the controls in place in response to the rules and guidelines directed by upper-level management. These include several specific controls. However, one important point about administrative controls is that they are implemented with a written document.
Some examples of administrative controls include:
Policies and procedures,
Security plans,
Insurance,
Personnel checks,
Awareness and training, and
Rules of behavior.
Next slide
Slide 15
Identifying and Evaluating Counter Measures (continued)
A technical security control uses computers or software to protect systems. The benefit is that the control is automated. This can be set once and it will consistently enforce the control.
Some examples of technical controls include:
Login identifier,
Session timeout,
System logs,
Audit trails,
Input validation,
Firewalls, and
Encryption
Next slide
Slide 16
Identifying and Evaluating Counter Measures (continued)
A physical security control controls the physical environment. This includes controls such as locks and guards to restrict physical access. It also includes elements to control the environment, such as heating and cooling systems.

Some examples of physical controls include:

Locked doors,
Guards and access logs,
Video cameras,
Fire detection and suppression,
Water detection,
Temperature and humidity detection, and
Electrical grounding and circuit breakers

Next slide
Slide 17
Selecting a Methodology Based on Assessment Needs
The two primary methodologies used for assessments are quantitative and qualitative.

The quantitative method uses predefined formulas. The data collected can be used to identify the following values:
• Single loss expectancy (SLE)
• Annual rate of occurrence (ARO)
• Annual loss expectancy (ALE), and
• Safeguard or control value

A qualitative methodology uses the opinions of experts to determine two primary data points, probability and impact.
This allows for ranking of the risks. This ranking allows the risks to be prioritized from the most important to the least important.
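The two methodologies side by side, as an added example that is not part of the original lesson: the quantitative formulas (SLE = AV × EF, ALE = SLE × ARO, safeguard value = ALE before − ALE after − annual control cost) and a qualitative probability-times-impact ranking. The dollar figures, the three-level rating scale and its weights are constructed for the example.

```python
"""Quantitative and qualitative risk calculations (added example, constructed values)."""
from dataclasses import dataclass

# Rating scale for the qualitative method; the weights are an assumption of this example.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class QuantitativeRisk:
    """One risk expressed with the predefined quantitative formulas."""
    name: str
    asset_value: float      # AV: dollar value of the asset at risk
    exposure_factor: float  # EF: fraction of AV lost in a single incident, 0.0 to 1.0
    aro: float              # ARO: annual rate of occurrence (incidents per year)

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO cannot be negative")

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV * EF (dollars lost per incident)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual loss expectancy: ALE = SLE * ARO (expected dollars lost per year)."""
        return self.sle() * self.aro


def safeguard_value(risk: QuantitativeRisk, ale_with_control: float,
                    annual_control_cost: float) -> float:
    """Value of a safeguard: ALE before the control - ALE after - annual cost of the control.

    A positive result means the control saves more per year than it costs.
    """
    return risk.ale() - ale_with_control - annual_control_cost


@dataclass
class QualitativeRisk:
    """One risk rated by expert opinion on two data points: probability and impact."""
    name: str
    probability: str  # "low", "medium" or "high"
    impact: str       # "low", "medium" or "high"

    def score(self) -> int:
        """Score used only for ranking: probability weight times impact weight."""
        return LEVELS[self.probability] * LEVELS[self.impact]


def rank_qualitative(risks: list[QualitativeRisk]) -> list[QualitativeRisk]:
    """Order risks from most to least important; ties keep their input order."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


if __name__ == "__main__":
    # Constructed sample: a web server worth $100,000, half its value lost per outage,
    # two outages expected per year.
    outage = QuantitativeRisk("web server outage", 100_000, 0.5, 2.0)
    print(f"SLE ${outage.sle():,.0f}  ALE ${outage.ale():,.0f}")
    # A failover cluster costing $20,000 a year is expected to cut the ALE to $25,000.
    print(f"safeguard value ${safeguard_value(outage, 25_000, 20_000):,.0f}")

    ranked = rank_qualitative([
        QualitativeRisk("lost laptop", "low", "high"),
        QualitativeRisk("phishing", "high", "high"),
        QualitativeRisk("printer outage", "medium", "medium"),
    ])
    for r in ranked:
        print(r.score(), r.name)
```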

Next slide

Slide 18
Developing Mitigating Recommendations
After performing the analysis, specific recommendations will be provided. These recommendations should mitigate the risks.
The data collected is used to support the recommendations.

Supporting data may include:

Threat/vulnerability pairs,
Estimate of cost and time to implement,
Estimate of operational impact, and
Cost-benefit analysis

The recommended controls should address specific risks. As a reminder, a risk occurs when a threat exploits a vulnerability. If a threat doesn’t exist to exploit a vulnerability, a risk doesn’t exist. Similarly, if a vulnerability doesn’t exist that a threat can exploit, a risk doesn’t exist.

A control needs to address specific threat/vulnerability pairs. Each recommendation will address one or more threat/vulnerability pairs. If a control cannot be associated with a threat/vulnerability pair, then the control is not needed. This becomes an easy check for the validity of the control.
Many controls will address several threat/vulnerability pairs. If the control will mitigate several pairs, each of them should be listed.

Next slide

Slide 19
Developing Mitigating Recommendations (continued)
The cost of the control should be included in the recommendation. This will be included in the cost-benefit analysis. It’s important to accurately identify this cost by including both direct and indirect costs. The direct cost is the purchase of the control. However, indirect costs aren’t always easy to identify. For example, the indirect costs could include the man hours needed to learn the control. They could also include the cost of training.

A common mistake is underestimating the costs needed to implement a control. For example, a sophisticated firewall may require a trained administrator. If a firewall is acquired but the administrators don’t have the knowledge to use it, it will sit idle.
Administrators will then need to master it on their own or attend a formal class. In the interim, the firewall sits in the box.

A schedule or time to implement the control should also be included. For simple controls, the time can be negligible. For other controls, the time can be extensive.

Countermeasures can sometimes consume so many system resources that the system is unable to perform its primary job. If a control has any effect on the system’s normal operations, it has an operational impact. The operational impact of a control can be identified as negligible, low, medium, high, or overwhelming. Ideally, a control will have very little impact on normal operations. If the impact is too high, you may not be able to use the control. It’s important to consider the operational impact while developing recommendations.

Any computer system has four primary resources. If a control has an operational impact, it will usually show up in one of these resources. These include the processor, memory, disk and network interface card.

A cost-benefit analysis to support the recommendations should be included. A cost-benefit analysis shows that the cost is justified. Ideally, it will show that a small amount of money can be spent up front to save a lot of money in the long term. The cost-benefit analysis is an important tool needed by management to justify the cost. As demonstrated earlier, a quantitative risk assessment includes dollar figures. When using the qualitative risk assessment, additional steps need to be taken to create the cost-benefit analysis.
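The validity check from Slide 18 (every recommended control must map to at least one threat/vulnerability pair) together with the supporting data from Slide 19 (direct and indirect cost, time to implement, operational impact, and a cost-benefit analysis), as an added example that is not part of the original lesson. The controls, ALE figures and the three-year planning horizon are constructed; treating an "overwhelming" operational impact as a rejection reason is this example's assumption.

```python
"""Validating mitigating recommendations and building a cost-benefit analysis
(added example, constructed values)."""
from dataclasses import dataclass, field

# Operational impact scale named on the slide; "overwhelming" is treated as unusable here.
IMPACT_LEVELS = ("negligible", "low", "medium", "high", "overwhelming")


@dataclass(frozen=True)
class ThreatVulnerabilityPair:
    """A risk exists only where a threat can exploit a vulnerability."""
    threat: str
    vulnerability: str
    ale_before: float  # annual loss expectancy with the current controls, dollars
    ale_after: float   # expected ALE once the recommended control is in place


@dataclass
class Recommendation:
    """A recommended control with the supporting data the slides call for."""
    control: str
    pairs: list = field(default_factory=list)  # ThreatVulnerabilityPair objects it mitigates
    direct_cost: float = 0.0              # one-time purchase price
    indirect_cost_per_year: float = 0.0   # training, administrator hours, support
    implementation_days: int = 0
    operational_impact: str = "negligible"

    def annual_benefit(self) -> float:
        """Dollars of ALE removed per year across every pair the control addresses."""
        return sum(p.ale_before - p.ale_after for p in self.pairs)

    def total_cost(self, years: int) -> float:
        """Direct cost up front plus indirect costs over the planning horizon."""
        return self.direct_cost + self.indirect_cost_per_year * years

    def net_benefit(self, years: int) -> float:
        """Cost-benefit analysis result: savings over the horizon minus total cost."""
        return self.annual_benefit() * years - self.total_cost(years)


def validate(rec: Recommendation) -> list[str]:
    """Return the reasons a recommendation would fail review; an empty list means it passes."""
    issues = []
    if not rec.pairs:
        issues.append("control is not associated with any threat/vulnerability pair")
    for p in rec.pairs:
        if p.ale_after > p.ale_before:
            issues.append(f"control increases ALE for {p.threat} / {p.vulnerability}")
    if rec.operational_impact not in IMPACT_LEVELS:
        issues.append(f"unknown operational impact {rec.operational_impact!r}")
    elif rec.operational_impact == "overwhelming":
        issues.append("operational impact is too high to deploy the control")
    if rec.direct_cost < 0 or rec.indirect_cost_per_year < 0 or rec.implementation_days < 0:
        issues.append("costs and schedule cannot be negative")
    return issues


def review(recs: list[Recommendation], years: int = 3) -> dict[str, dict]:
    """Summarize each recommendation for management: review issues and the CBA figures."""
    return {
        r.control: {
            "issues": validate(r),
            "pairs_addressed": len(r.pairs),
            "implementation_days": r.implementation_days,
            "total_cost": r.total_cost(years),
            "total_benefit": r.annual_benefit() * years,
            "net_benefit": r.net_benefit(years),
        }
        for r in recs
    }


if __name__ == "__main__":
    # Constructed pair: ransomware exploiting unpatched workstations, $60,000 ALE today.
    pair = ThreatVulnerabilityPair("ransomware", "unpatched workstations", 60_000, 10_000)
    patching = Recommendation("automated patch management", [pair],
                              direct_cost=30_000, indirect_cost_per_year=10_000,
                              implementation_days=20, operational_impact="low")
    # No pair can be associated with this control, so the review should reject it.
    plants = Recommendation("lobby plants", [], direct_cost=500)
    for control, summary in review([patching, plants]).items():
        print(control, summary)
```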

Next slide
Slide 20
Present Risk Assessment Results
After completing the risk assessment (RA), a report is created that documents the results. This report should include two phases.

In the first phase, the recommendations are presented to management. As a reminder, management decides which recommendations to implement. It’s possible that management won’t approve every recommendation.
Management may determine that the cost-benefit analysis (CBA) for a recommendation doesn’t justify the cost. For another recommendation, they may decide they want to accept the risk.

Any risk that remains after controls are implemented is a residual risk. Because management decides which controls to implement, management is also responsible for the residual risks.

In the second phase, the decisions made by management are documented. A plan of actions and milestones (POAM) is then created. The POAM is used to track and monitor the controls. The POAM helps ensure the controls are implemented and helps track the actual costs.

Next slide
Slide 21
Best Practices for Performing Risk Assessments
There are several steps that can be taken to ensure success when performing RAs.

The following list identifies some best practices for performing RAs:

Ensure systems are fully described;
Review past audits;
Review past risk assessments;
Match the RA to the management structure;
Identify assets within the RA boundaries;
Identify and evaluate relevant threats;
Identify and evaluate relevant vulnerabilities;
Identify and evaluate countermeasures; and
Track the results

The performance of the risk assessment takes several specific steps. It is important to start with a clear definition of the system to be assessed. Whenever possible, the management structure needs to be considered to ensure easy implementation of the recommendations.

Identify threats and vulnerabilities. Relevant threat/vulnerability pairs identify actual risks. The controls to mitigate the risks need to be put in place. The recommendations to management for a decision with a cost-benefit analysis are presented, and then the POAM is created to track the approved recommendations.

Next slide
Slide 22
Check Your Understanding

Slide 23
Summary
We have reached the end of this lesson. Let’s take a look at what we’ve covered.

We started our discussion by looking at the first step of selecting a risk assessment methodology. Here, we learned that we need to establish objectives, complete some preliminary actions, define the assessment, and review previous findings.

The next step we learned is identifying management structure. This refers to how responsibilities are assigned. We looked at a sample management structure in this section.

Next, we moved on to the step of identifying assets and activities. Here, we learned about the asset valuation process.

We moved on to the steps of identifying and evaluating the relevant threats along with the relevant vulnerabilities. Here we learned the two primary methods of identifying threats – reviewing historical data and modeling – as well as the two primary assessments for identifying vulnerabilities – vulnerability assessments and exploit assessments.

Once the relevant threats and vulnerabilities are identified and evaluated, the relevant countermeasures need to be considered.
With this consideration comes the assessment of not only the threats and vulnerabilities, but also the exploits. Here, we examined in-place controls, planned controls, and the three control categories.

The next step is to select a methodology based on the assessment needs. We took a look at the two primary methodologies used for assessments – quantitative and qualitative.

For our final step, developing mitigating recommendations, we looked at the supporting data for the recommendations, the estimate of cost and time to implement, the estimate of operational impact, and the creation of a two-phase report that documents the results.

We concluded our lesson with a list of recommended best practices in performing risk assessments.

This completes this lesson.

CIS527 Week #4_ P1 IT Risk Management – Identifying Assets and Activities to be Protected
Slide 1
Introduction
Welcome to IT Risk Management.

In this lesson we will discuss Identifying Assets and Activities to be Protected.

Next slide

Slide 2
Topics
The following topics will be covered in this lesson:

System access and availability,
system functions: manual and automated,
hardware assets, software assets, personnel assets,
data and information assets,
asset and inventory management within the seven domains of a typical IT infrastructure, and
identifying facilities and supplies needed to maintain business operations.

Next slide

Slide 3
System Access and Availability
System access and availability refers to when users or customers need a system or service. This is an important consideration. Some systems need to be operational ninety-nine point nine nine nine percent of the time while other systems need to be operational only during limited business hours, such as between eight a.m. and six p.m. Monday through Friday.

A failover cluster provides fault tolerance for a server. It ensures that a service provided by a server will continue to run even if a server fails. It includes at least two servers, called “nodes.”

In a failover cluster, a user appears to connect to a single database server.

The external drive can be a single point of failure. A single point of failure is any part of a system that can cause an entire system to fail, if it fails. A hardware redundant array of independent disks (RAID) is often used to ensure that data isn’t lost, even if a drive fails. The failover cluster also allows you to perform maintenance without any downtime.

Maintenance can be performed on the inactive node without affecting users. If the active node needs servicing, the nodes can be switched, making the other node active.

To determine which systems require ninety-nine point nine nine nine percent availability, identify the value of the service each system provides. The highly valued systems require greater protection. This can be done by measuring direct and indirect revenue, value, or productivity.

Next slide

Slide 4
System Functions: Manual and Automated
Services are usually provided by combining multiple functions. These functions can be manual, automated, or a mixture of the two. When identifying system assets, it is important to understand the difference.

For a manual process, there are two primary asset values, written records and knowledge of process. An example of written records is a guest log at a hotel reservation desk. Knowledge of process is when employees need to know how to create the bill from available records. Once the payment is received, there would be a separate process to deposit the money. With this example, the value is the written records and the personnel with the knowledge of the process.

Automated methods may be used in hotel processing as well. When evaluating the automated method, there are several things to consider, such as value to the customers, value to the company, ensuring the process stays up, and protection of data. The important point to remember is that assets are more than just things. They can be the processes that provide the services.

Next slide

Slide 5
System Functions: Manual and Automated (continued)
Hardware assets are the assets that can be touched, such as computers, servers or desktop PCs, networking devices, and network appliances. Information about the hardware needs to be documented for monitoring and maintenance purposes. Information includes location, manufacturer, model number, hardware components, hardware peripherals, and basic input/output system (BIOS) version.
Hardware inventories can also help in identification of unneeded components, such as systems that include modems. Modems can present significant risks also.
Software assets include the operating system, which is used to start the computer, and the applications. Examples of operating systems include Microsoft Windows, Mac OS, and Red Hat Linux. OS specifics should include the hardware system where it is installed; the name of the operating system, such as Microsoft Windows 7; and the latest service pack installed. An accurate inventory must be kept of the operating systems.
For applications, specifics of installed applications should include the name of the application, version number, and service pack or update information if available. All of this information is nearly impossible to gather manually, but is readily available through automation of process.
Next slide
Slide 6
Personnel Assets
Personnel assets are the people working in the organization and who work on the teams. More than one person is usually trained for any key function, rather than a single person. When any function or process depends on a single person, that person becomes a single point of failure. Although it’s good to have talented and skilled personnel, it’s not good to have too much reliance on a single person.
Many things can take an employee out of the team environment, including illness, accident, family emergency, winning the lottery, a better job, or more money elsewhere. These are the elements that cannot be controlled, but the job conditions and the pay can be controlled.
A person can actually be a single point of failure. If only one person knows how to maintain a system, that system is at risk. The risk can be reduced by taking different measures, such as hiring additional personnel, cross training and job rotation.
Next slide
Slide 7
Data and Information Assets
Another important asset to consider is data and information held by a company. The value of data cannot be overstated. If an organization loses data, it can have tragic results. Data is protected in two ways: by access controls and by backups.
Access controls protect data from unauthorized disclosure. Backups protect the data when it becomes corrupted or accidentally deleted. At least two copies of backups should exist.
It’s important to recognize the value of the data, and after identifying it, to take the necessary steps to protect it. This includes taking steps to back up the data regularly. It also includes taking steps to protect it from unauthorized disclosure. The data to protect falls into the following categories:
• Organization;
• Customer;
• Intellectual property;
• Data warehousing; and
• Data mining
Next slide
Slide 8
Data and Information Assets (continued)
Organization data includes any internally used data. Most of this data would remain private even if a firm is publicly held, although some of the financial data may be published. Organization data may include employee data, billing and financial data, system configuration data, system process data, and vendor data.
Many laws mandate the protection of different types of data. The Health Insurance Portability and Accountability Act (HIPAA) mandates the protection of health-related data. Most employee files include HIPAA data even if the organization isn’t involved in health care. The Sarbanes-Oxley Act (SOX) addresses the accuracy of financial data for publicly traded companies. Organizations must protect certain financial data to remain in compliance with SOX.
Customer data includes all of the data held on customers. Depending on how the data is collected and used, customer data may be minimal or may be a full-blown database.
Customer data could include name, address, phone number, e-mail address, historical purchases, accounts receivable data, credit card or banking data, account name and password, and demographic data such as age and gender.
Next slide
Slide 9
Data and Information Assets (continued)
Intellectual property (IP) data is data created by a person or an organization that can include inventions, literary and artistic works, symbols, names, and images. The World Intellectual Property Organization (WIPO) divides IP into two categories: industrial property and copyright.
Organizations can have either or both categories of IP. It depends on the function of a company. For example, a recording company may focus on copyright IP. However, a medical research company may focus only on industrial property.
Both national and international laws protect IP; however, thieves still steal it. The money invested in the creation of the property can be lost if the data is not protected. If an organization has IP, it needs to be protected, and the level of protection depends on the value of the IP.
Data warehousing and data mining techniques combine to retrieve meaningful data from very large databases (VLDBs). Although a database can host huge amounts of data, that data isn’t readily useful. The goal is to convert the raw data into useful intelligence. This can be done with data warehousing and data mining.
Data warehousing is the process of gathering data from different databases. The data is retrieved from the source databases and placed in a central database. Data mining is a group of techniques used to retrieve relevant data from a data warehouse. Decision makers are able to view the data from different perspectives, allowing them to make predictions about future events.
Next slide
Slide 10
Check Your Understanding

Slide 11
Asset and Inventory Management Within the Seven Domains of a Typical IT Infrastructure
It can often be useful to approach an IT management problem from the perspective of the seven domains. This includes asset management and inventory management. As a reminder, the seven domains of a typical IT infrastructure are as follows:

• User Domain;
• Workstation Domain;
• LAN Domain;
• LAN-to-WAN Domain;
• WAN Domain;
• Remote Access Domain; and
• System/Application Domain

Next slide

Slide 12
Asset and Inventory Management Within the Seven Domains of a Typical IT Infrastructure (continued)
In the context of a typical IT infrastructure, there is a difference between inventory management and asset management. Inventory management is used to manage hardware inventories, while asset management is used to manage all types of assets in detail.

An organization may decide to use either or both types of management for different areas. For example, an organization may use inventory management for desktop PCs. This ensures that the PCs are tracked and the investment is not lost. However, the same organization can also use automated asset management techniques. Asset management ensures the systems are patched correctly.

The User Domain includes people or employees. An HR department maintains records on employees. These can be manual records, such as folders held in filing cabinets, or files held on servers.

Data on users includes:
• Personal and contact data;
• Employee reviews;
• Salary and bonus data; and
• Health care choices

A significant concern with asset management in the User Domain is confidentiality. Data must be protected against unauthorized disclosure. At the very least, the data includes PII that must be protected by law. If any health care data is included, HIPAA mandates its protection. If salary and bonus data is leaked, it often results in morale problems.

Next slide

Slide 13
Asset and Inventory Management Within the Seven Domains of a Typical IT Infrastructure (continued)
The Workstation Domain includes the PCs used by employees. It could include typical desktop PCs and also mobile computers or laptops. Assets in the Workstation Domain have two risks to address: theft and updates. The use of automated asset management systems to keep systems up to date is effective. An automated system will often perform three steps:

One – inspect systems for current updates,
Two – apply updates, and
Three – verify the updates.

The LAN Domain includes all the elements used to connect systems and servers together. The local area network (LAN) is internal to the organization. The primary hardware components are hubs, switches, and routers. It is very important to have a basic inventory of these devices. This includes the basics such as model, serial number, and location. Although any network device includes firmware, the more functional network devices such as routers and switches have a built-in operating system (OS). The version of the OS determines its capabilities, so it’s often useful to include the version in the inventory.

The LAN-to-WAN Domain is the area where your internal LAN connects to the wide area network (WAN). In this context, the WAN is often the Internet. The primary devices we are concerned with in this domain are the firewalls. There can be a single firewall separating the LAN from the WAN or multiple firewalls to create a demilitarized zone (DMZ) or a buffer area.

Firewalls in the LAN-to-WAN Domain are hardware firewalls that can be programmed to allow and block specific traffic. The following information should be included in an asset management system: hardware information and configuration data.

Next slide
Slide 14
Asset and Inventory Management Within the Seven Domains of a Typical IT Infrastructure (continued)
The WAN Domain includes any servers that have direct access to the Internet. This includes any server that has a public Internet Protocol (IP) address. It also includes any public-facing server in the DMZ.

Most organizations don’t have many servers in the WAN Domain. However, any servers in the WAN have significantly higher risks. It’s very important to take extra precautions to ensure these servers are hardened as much as possible. Inventory and asset management information for WAN-based servers includes hardware information and update information.

Remote access technologies give users access to an internal network via an external location. This can be done via direct dial-up or virtual private network (VPN). When dial-up is used, clients and servers have modems and access to phone lines. When a VPN is used, the VPN server has a public IP address available on the Internet. Clients access the Internet, and then use tunneling protocols to access the VPN server.

Inventory and asset management information needed for servers in the Remote Access Domain is similar to that for servers in the WAN Domain. However, for dial-up remote access servers, you’ll also need to include the dial-up equipment. This includes both modems and private branch exchange (PBX) equipment.

Next slide
Slide 15
Asset and Inventory Management Within the Seven Domains of a Typical IT Infrastructure (continued)
The System/Application Domain includes servers used to host server applications. Some examples of different types of application servers include e-mail servers, database servers, Web servers, and networking service servers.

Inventory and asset management systems should include the following information on any servers in the System/Application Domain:

Hardware information, which includes basics such as the model and serial number, and an inventory of the hardware components.
Update information, since servers need to be kept up to date.

Next slide
Slide 16
Identifying Facilities and Supplies Needed to Maintain Business Operations
Accidents and disasters happen. Some can be so catastrophic that a business can stop functioning. To ensure a business can continue to function even after a catastrophe, there must be a plan in place.

Several steps in the planning process need to be conducted, as follows:

• Mission-critical systems and applications identification;
• Business impact analysis planning;
• Business continuity planning;
• Disaster recovery planning;
• Business liability insurance planning; and
• Asset replacement insurance planning

Let’s take a look at each of these in further detail.

Next slide.
Slide 17
Identifying Facilities and Supplies Needed to Maintain Business Operations (continued)
A primary step in any planning is to identify what systems and applications are mission-critical. A mission-critical system is any system that must continue to run to ensure the business continues to run. Similarly, a mission-critical application must also continue to run to ensure your business continues to run.

It is impossible to determine what is mission-critical before first understanding how an organization operates. The point to remember is that the importance of a system is determined by how the system is used. One organization may consider a specific system mission-critical, while another organization may consider the same system disposable.

A business impact analysis (BIA) identifies the impact of a sudden loss of business functions. The impact is often quantified in a cost. Both direct costs and indirect costs are used to calculate the impact. Direct costs are the immediate loss of sales or expenses related to recovering from the loss. Indirect costs are the related loss of customer confidence.

The BIA provides an analysis of the effect of a loss of specific IS services. For example, a BIA can be used to determine the impact of a loss of e-mail or loss of a specific database. The BIA also helps an organization determine the minimum set of services required for the company to continue to operate.

When completing a BIA, the following steps are taken:

• Define the scope. The scope of a BIA is limited to specific IT systems. For example, the BIA could examine the impact of loss of e-mail or loss of a Web site. If the scope is limited to loss of e-mail, loss of additional IT services should not be included.

• Identify objectives. BIA objectives are related to the scope of the BIA. The objectives identify specifically what the BIA should achieve. For example, a BIA task may include the following objectives:

• Determine the direct impact of the loss of e-mail services for one business day.
• Determine the indirect impact of the loss of e-mail services for one business day.
• Calculate the impact of the loss of e-mail services for three business days.
• Calculate the impact of the loss of e-mail services for five business days.

• Map business functions and processes to IT systems. This step can be easy or complex. For example, if the BIA analyzes e-mail services served by one e-mail server, the IT system is the e-mail server. On the other hand, if an organization uses Microsoft SharePoint Portal Servers to increase collaboration among employees, multiple IT systems are being used. A SharePoint solution can include Web servers, file servers and database servers. Documentation on the IT systems will help you complete this step.

The result of the BIA is a BIA report. This report documents the findings of the analysis. It often includes direct and indirect costs, maximum acceptable outage, and materials or resources needed for recovery.
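The BIA steps above carried through in code, as an added example that is not part of the original lesson: business functions are mapped to the IT systems they depend on, the direct and indirect impact of losing one system is calculated for one, three and five business days, each result is checked against the function's maximum acceptable outage, and the minimum set of systems needed to keep operating is derived. The functions, systems, daily costs and the assumption that indirect cost grows linearly with the outage length are all constructed.

```python
"""Business impact analysis for the loss of one IT system (added example, constructed values)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BusinessFunction:
    """A business function mapped to the IT systems it cannot run without."""
    name: str
    systems: tuple                   # names of the IT systems this function depends on
    direct_cost_per_day: float       # lost sales and recovery expenses, dollars per day
    indirect_cost_per_day: float     # estimated loss of customer confidence, dollars per day
    max_acceptable_outage_days: float


# Constructed sample organization: e-mail is served by one server, while the
# collaboration portal spans several systems, as the SharePoint example describes.
SAMPLE_FUNCTIONS = (
    BusinessFunction("Customer support", ("email-server",), 4_000, 2_500, 2),
    BusinessFunction("Order entry", ("web-server", "order-db"), 20_000, 5_000, 0.5),
    BusinessFunction("Staff collaboration",
                     ("sharepoint-web", "file-server", "sharepoint-db"), 1_500, 500, 5),
)


def affected_functions(functions, failed_system: str) -> list:
    """Step 3 of the BIA: which business functions stop when this system is lost."""
    return [f for f in functions if failed_system in f.systems]


def outage_impact(functions, failed_system: str, days: float) -> dict:
    """Direct, indirect and total cost of losing one system for a number of business days,
    plus the functions whose maximum acceptable outage (MAO) the outage exceeds."""
    hit = affected_functions(functions, failed_system)
    direct = sum(f.direct_cost_per_day * days for f in hit)
    indirect = sum(f.indirect_cost_per_day * days for f in hit)
    return {
        "system": failed_system,
        "days": days,
        "functions": [f.name for f in hit],
        "direct_cost": direct,
        "indirect_cost": indirect,
        "total_cost": direct + indirect,
        "exceeds_mao": [f.name for f in hit if days > f.max_acceptable_outage_days],
    }


def bia_report(functions, failed_system: str, durations=(1, 3, 5)) -> list:
    """The BIA objectives from the slide: impact of one system loss for 1, 3 and 5 days."""
    return [outage_impact(functions, failed_system, d) for d in durations]


def minimum_required_systems(functions, days: float) -> list:
    """Systems whose loss for the given number of days would push some function past its MAO;
    these are the minimum set of services the company needs recovered within that time."""
    required = set()
    for f in functions:
        if days > f.max_acceptable_outage_days:
            required.update(f.systems)
    return sorted(required)


if __name__ == "__main__":
    for row in bia_report(SAMPLE_FUNCTIONS, "email-server"):
        print(f"{row['days']} day(s) without {row['system']}: "
              f"direct ${row['direct_cost']:,.0f}, indirect ${row['indirect_cost']:,.0f}, "
              f"MAO exceeded for {row['exceeds_mao'] or 'nothing'}")
    print("must be back within 1 day:", minimum_required_systems(SAMPLE_FUNCTIONS, 1))
```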

Next slide
Slide 18
Identifying Facilities and Supplies Needed to Maintain Business Operations (continued)
A business continuity plan (BCP) is a document used to help a company plan for a disaster or an emergency. The goal is to ensure that the critical operations of an organization continue to function. The BCP includes procedures and instructions used to restore operations in the event of disaster.

When completing a BCP, the following steps need to be taken:

• Identify scope
• Identify key business areas
• Identify critical functions
• Identify dependencies between different business areas and functions
• Determine acceptable downtime
• Create a plan to maintain operations

Details from a BIA report help in the creation of the BCP. The two are commonly completed in conjunction with each other.
The BCP includes specific steps that can be taken for different phases. The content of the phases is dependent on the disaster.

The phases include the notification/activation phase, the recovery phase, and the reconstitution phase.
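As an added worked example (it is not from the textbook or this lesson), the following Python models the BIA steps described above, namely scoping the analysis to one IT system, mapping business functions to the IT systems they depend on, and calculating direct and indirect impact for one, three, and five business days, together with the BCP steps of identifying dependencies and determining acceptable downtime. The business functions, system names, hourly loss figures, and tolerable-downtime values are all constructed sample data for a hypothetical organization, not figures from the lesson.

```python
"""Worked BIA/BCP example with constructed sample data (added illustration).

Each business function lists the IT systems it depends on, an estimated
direct and indirect loss per hour of outage, and the longest downtime the
business can tolerate. From that we derive, per IT system, the BIA impact
figures for several outage durations and the maximum acceptable outage
(MAO) that feeds the BCP's "determine acceptable downtime" step.
"""
from dataclasses import dataclass

BUSINESS_DAY_HOURS = 8  # assumption: impact accrues over an 8-hour business day


@dataclass
class BusinessFunction:
    name: str
    systems: list[str]               # IT systems this function depends on
    direct_loss_per_hour: float      # e.g. lost revenue while the function is down
    indirect_loss_per_hour: float    # e.g. overtime, penalties, reputational estimate
    max_tolerable_downtime_hours: float


# Constructed sample data for a hypothetical organization.
FUNCTIONS = [
    BusinessFunction("Order entry", ["email", "erp_db", "web"], 500.0, 100.0, 8),
    BusinessFunction("Customer support", ["email", "crm"], 200.0, 150.0, 24),
    BusinessFunction("Shipping", ["erp_db", "label_printing"], 800.0, 50.0, 4),
    BusinessFunction("Collaboration portal",
                     ["web", "file_server", "sharepoint_db"], 50.0, 120.0, 72),
]


def map_systems_to_functions(functions):
    """BIA step 'map business functions to IT systems', inverted so it answers
    the question the BCP needs: which functions stop if this system is lost?"""
    mapping = {}
    for f in functions:
        for system in f.systems:
            mapping.setdefault(system, []).append(f.name)
    return mapping


def outage_impact(functions, system, business_days):
    """Direct and indirect impact of losing `system` for N business days.
    Scope is limited to the functions that depend on that one system."""
    hours = business_days * BUSINESS_DAY_HOURS
    direct = indirect = 0.0
    for f in functions:
        if system in f.systems:
            direct += f.direct_loss_per_hour * hours
            indirect += f.indirect_loss_per_hour * hours
    return {"direct": direct, "indirect": indirect, "total": direct + indirect}


def maximum_acceptable_outage(functions, system):
    """A system's MAO is the shortest tolerable downtime among the business
    functions that depend on it; the most fragile dependency sets the limit."""
    limits = [f.max_tolerable_downtime_hours for f in functions if system in f.systems]
    return min(limits) if limits else None


def bia_report(functions, system, durations=(1, 3, 5)):
    """Assemble the per-system portion of a BIA report: dependent functions,
    impact by outage duration, and the maximum acceptable outage."""
    return {
        "system": system,
        "dependent_functions": map_systems_to_functions(functions).get(system, []),
        "impact_by_days": {d: outage_impact(functions, system, d) for d in durations},
        "maximum_acceptable_outage_hours": maximum_acceptable_outage(functions, system),
    }


def rank_systems_by_criticality(functions):
    """BCP input: order IT systems by how little downtime they can tolerate,
    breaking ties by the one-day total impact (largest first)."""
    systems = map_systems_to_functions(functions)
    return sorted(
        systems,
        key=lambda s: (maximum_acceptable_outage(functions, s),
                       -outage_impact(functions, s, 1)["total"]),
    )


if __name__ == "__main__":
    report = bia_report(FUNCTIONS, "email")
    print(f"BIA for {report['system']}: depends -> {report['dependent_functions']}")
    for days, impact in report["impact_by_days"].items():
        print(f"  {days} day(s): direct ${impact['direct']:,.0f}, "
              f"indirect ${impact['indirect']:,.0f}, total ${impact['total']:,.0f}")
    print(f"  maximum acceptable outage: {report['maximum_acceptable_outage_hours']} h")
    print("Recovery priority for the BCP:", rank_systems_by_criticality(FUNCTIONS))
```

Running the script with the sample data shows why the BIA and BCP are completed together: the e-mail outage figures answer the four BIA objectives listed earlier, while the ranking shows that the ERP database, not e-mail, has the shortest acceptable downtime because the shipping function that depends on it tolerates only four hours.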

Next slide
Slide 19
Identifying Facilities and Supplies Needed to Maintain Business Operations (continued)
A disaster recovery plan (DRP) includes the details needed to recover a system from a disaster. The DRP provides the details necessary to respond immediately to a disaster. A DRP is included as part of a BCP. The terms BCP and DRP are sometimes used interchangeably. However, they are separate.

It’s worthwhile noting the differences. The BCP is an overall plan used for emergency response. It identifies the critical systems for an organization, including acceptable downtimes. The BCP includes BIAs and DRPs for individual IT systems. The DRP is a key component of a BCP. It includes the details needed to recover one or more systems after a disaster.

Fire insurance can help a company replace assets if a fire causes damage. Other types of insurance that provide protection for assets include:

• Flood insurance
• Hurricane, wind, tornado, or other weather insurance
• Life insurance for certain people, such as key officers

The insurance purchased depends on many factors. These include the value of the assets to the organization. For inexpensive assets, the cost of the insurance isn’t justified: the premiums over several years could cost more than replacing the product. The insurance purchased also depends on the relevant risks. Hurricane insurance is relevant for coastal states like Florida, Louisiana, and Texas, but is not relevant for landlocked states like Iowa or Ohio.

Next slide
Slide 19
Check Your Understanding

Slide 20
Summary
We have reached the end of this lesson. Let’s take a look at what we’ve covered.

First we considered system access and availability. Here, we learned that a failover cluster provides fault tolerance for a server. We also looked at single points of failure.

Next we looked at system functions, both manual and automated. We discussed the two primary asset values of manual processes: written records and knowledge of the process. We also looked at considerations for automated methods, such as value to the customers, value to the company, ensuring that the process stays up, and protection of data.

Then we looked at hardware assets and the hands-on issues related to documenting all of the important information on the hardware used in the systems.

Next we discussed how to protect software assets and personnel assets, which are often one-deep in an organization.

We then moved on to consider how to identify and protect data and information assets. Here, we looked at the value of access controls and backups, and listed and defined several categories of unauthorized disclosure – organization, customer, intellectual property, data warehousing, and data mining.

We next looked at asset and inventory management within the seven domains of a typical IT infrastructure. We learned the differences between inventory management and asset management in this section, and also looked at the User Domain, the Workstation Domain, the LAN Domain, the LAN-to-WAN Domain, the WAN Domain, the Remote Access Domain, and the System/Application Domain.

Finally, we identified facilities and supplies needed to maintain business operations. We learned that the planning process needs to include mission-critical systems and applications identification, business impact analysis planning, business continuity planning, disaster recovery planning, business liability insurance planning, and asset replacement insurance planning.

This completes this lesson.