Risk Assessment. The Heart of Information Security

Similar documents
Effective Strategies for Managing Cybersecurity Risks

Information Security Policy

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Business continuity management and cyber resiliency

INTELLIGENCE DRIVEN GRC FOR SECURITY

ISO : 2013 Method Statement

TEL2813/IS2820 Security Management

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Code of practice for information security management

What is ISO ISMS? Business Beam

ISO/IEC INTERNATIONAL STANDARD. Information technology Code of practice for information security management

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

ISO/IEC Information technology Security techniques Code of practice for information security management

Information Technology General Control Review

Nine Steps to Smart Security for Small Businesses

SECURITY & PRIVACY DOCUMENTATION

Standard: Risk Assessment Program

Computer Security: Principles and Practice

No IT Audit Staff? How to Hack an IT Audit. Presenters. Mark Bednarz, Partner-In-Charge, Risk Advisory PKF O Connor Davies, LLP

INFORMATION SECURITY ARCHITECTURE & RISK MANAGEMENT ADEYEMI DINA & SHITTU O. SHITTU

Security Management Models And Practices Feb 5, 2008

Cyber Criminal Methods & Prevention Techniques. By

Computer Security Policy

University of Pittsburgh Security Assessment Questionnaire (v1.7)

security FRAUD PREVENTION Business Checklist Safeguard your money, your credit and your good name.

Altius IT Policy Collection Compliance and Standards Matrix

Annual Report on the Status of the Information Security Program

The Common Controls Framework BY ADOBE

MIS5206-Section Protecting Information Assets-Exam 1

Automating the Top 20 CIS Critical Security Controls

EXHIBIT A. - HIPAA Security Assessment Template -

Threat and Vulnerability Assessment Tool

2015 HFMA What Healthcare Can Learn from the Banking Industry

Disaster Recovery Self-Audit

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

MINIMUM SECURITY CONTROLS SUMMARY

01.0 Policy Responsibilities and Oversight

What is Penetration Testing?

Altius IT Policy Collection Compliance and Standards Matrix

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Cybersecurity for Health Care Providers

Sage Data Security Services Directory

NCSF Foundation Certification

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

Options for, and road map to, information security implementation in the registry system

Seven Requirements for Successfully Implementing Information Security Policies and Standards

DEFINITIONS AND REFERENCES

Oracle Data Cloud ( ODC ) Inbound Security Policies

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH

CISM Certified Information Security Manager

ISMS Essentials. Version 1.1

How To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation

Policy and Procedure: SDM Guidance for HIPAA Business Associates

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

10 FOCUS AREAS FOR BREACH PREVENTION

2017 Varonis Data Risk Report. 47% of organizations have at least 1,000 sensitive files open to every employee.

INFORMATION SECURITY-SECURITY INCIDENT RESPONSE

Security Policies and Procedures Principles and Practices

Data Breaches: Is IBM i Really At Risk? All trademarks and registered trademarks are the property of their respective owners.

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

Compliance Audit Readiness. Bob Kral Tenable Network Security

Building a Complete Program around Data Loss Prevention

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

10 Hidden IT Risks That Might Threaten Your Business

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)

HIPAA RISK ADVISOR SAMPLE REPORT

Protecting Information Assets - Week 3 - Data Classification Processes and Models. MIS 5206 Protecting Information Assets

Information Security Data Classification Procedure

Cyber Risks in the Boardroom Conference

SDR Guide to Complete the SDR

EXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Information Security Risk Strategies. By

Security Controls in Service Management

Predstavenie štandardu ISO/IEC 27005

Ian Speller CISM PCIP MBCS. Head of Corporate Security at Sopra Steria

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Is your privacy secure? HIPAA Compliance Workshop September Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner

The Honest Advantage

FRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013. Visit us online at Flank.org to learn more.

SYSTEMKARAN ADVISER & INFORMATION CENTER. Information technology- security techniques information security management systems-requirement

IMPROVING NETWORK SECURITY

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

Rev.1 Solution Brief

TSC Business Continuity & Disaster Recovery Session

CYBERSECURITY PENETRATION TESTING - INTRODUCTION

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

Top Reasons To Audit An IAM Program. Bryan Cook Focal Point Data Risk

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

PCI Compliance. What is it? Who uses it? Why is it important?

T11: Incident Response Clinic Kieran Norton, Deloitte & Touche

Keys to a more secure data environment

Compliance Brief: The National Institute of Standards and Technology (NIST) , for Federal Organizations

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

A company built on security

MIS Class 2. The Threat Environment

Risk Management. Modifications by Prof. Dong Xuan and Adam C. Champion. Principles of Information Security, 5th Edition 1

CCISO Blueprint v1. EC-Council

ADDING BUSINESS VALUE THROUGH EFFECTIVE IT SECURITY MANAGEMENT

Transcription:

Risk Assessment The Heart of Information Security

Overview Warm-up Quiz Why do we perform risk assessments? The language of risk - definitions The process of risk assessment Risk Mitigation Triangle Lessons Learned 2

Ready for a Quiz? 3

True or False? 1. Conducting a risk assessment is optional for most organizations. False 2. Risk assessment is a decision support aid, not a decision making tool. True 3. Risk assessments should focus on business processes or areas of responsibility, rather than individual assets. True 4. Risk assessment has been used by some enterprises as rationale not to implement security controls. True 5. Risk assessments are plagued by subjectivity which means they simply cannot be relied upon. False 6. The risk assessment process can improve communication between business managers, system support staff, and security/risk specialists. True 4

True or False? 7. The only acceptable risk assessment is performed by risk assessment experts. False 8. Risk assessments only need to be done once. False 9. Security professionals are ultimately responsible for accepting residual risks. False 10. If you don t have all the data, risk assessments are a waste of time. False 11. A proper risk assessment can help you prioritize security spending. True 12. Risk is the effect of uncertainty on objectives and can include both positive and negative consequences. True 5

How did you do? R I S K 6

Why do we perform risk assessments? Not just security, the right security.

Plenty of Assets Needing Protection Unless we identify our assets, their locations and value, how can we assess the risk and decide the amount of time, money and effort that we should spend on protecting them? Physical assets Computer equipment/infrastructure Communication equipment Storage media Non IT equipment Furniture and fixtures Information assets Databases Data files (Hard & Soft Copies) Archived information Software assets Application software System software Custom Management software Services ISO/IEC 27002:2005 Outsourced computing services Communication services Environmental conditioning services Supporting Documentation Compliance Documentation Corporate Policies and Procedures BC/DR Plans Intangible assets Key employees Intellectual Property Company knowledge - Innovation Brand/Corporate culture 8

Valuable Information is Everywhere Medical History/Claims Financial Account Numbers SS Numbers Medical ID Cards Credit or Debit Card Numbers Drivers License Numbers Email Addresses User Names Intellectual Property Client Lists/Contact Information PINs & Passwords Check Images 9

Top Data Types Exposed in 2012 2012 Incidents by Data Type Exposed Medical 8.4% Date of Birth 10.2% User Name 10.4% SSN 12.4% Address 17.4% Name 43.4% Misc. 49.6% Password 52.1% email 54.6% 0.0% 10.0% 20.0% 30.0% 40.0% 50.0% 60.0% 10

Percent of Total Incidents Change in Top Data Types Exposed 90% Incidents by Data Type Lost 80% 70% 60% 50% 40% 30% 20% 10% Misc. email Password Name Address SSN Date of Birth Medical Info. Account Info. Unknown Credit Card Number User ID Phone Number Intellectual Property 0% 2009 2010 2011 2012 11

Regulations/Standards Demand It HIPAA HITECH GLBA FFIEC ISO 27001/5 ISO 31000 NIST SP 800-30/37/39 FISMA Red Flag Rules PIPEDA GDPR SOX PCI DSS COBIT ITIL State Privacy Laws 12

Today s Reality Data Breaches 450,000,000 3500 400,000,000 3000 350,000,000 300,000,000 2500 250,000,000 200,000,000 150,000,000 100,000,000 2000 1500 1000 Records Incidents Linear (Records) Linear (Incidents) 50,000,000 500-2006 2007 2008 2009 2010 2011 2012 2013 0 2013 Estimates Incidents April 30th x 3 Records April 30th x 2 13

Today s Reality New Exploits 100,000 75,000 50,000 Annual Vulns Cumulative 25,000 0 2006 2007 2008 2009 2010 2011 2012 9,079 Average 2013 2013 Estimate April 30th x 3 14

The Need has Never Been Higher Anyone who captures, stores or transmits sensitive information or processes financial transactions is actively being targeted. Organizations need a way to properly focus limited resources to deal directly with potential impacts and existing vulnerabilities. Organizations need justification for security recommendations in business terms. In a highly competitive business environment, organizations cannot afford to have costly or inappropriate security. An effective risk assessment program can be thought of as the first line of defense of an organization s profitability. 15

The Language of Risk Assessments Not just security, the right security.

Information Security ISO/IEC 27002:2005 defines Information Security as the preservation of: Non-repudiation Confidentiality Assurance Risk Information Assessment Reliability Integrity Availability Authenticity Accountability 17

First, Some Definitions Risk can be defined as a combination of the consequence of an event and the probability of the event Impact x Threat x Vulnerability Impact to the organization when a threat exploits a vulnerability the effect of uncertainty on objectives (positive or negative) A threat is any potential danger to an asset or business objective A vulnerability is a weakness that provides an open door to exploit Risk Score is the potential impact to the business based on the likelihood of a threat agent taking advantage of a vulnerability 18

风险 Danger + Opportunity

Risk Assessment Risk assessment is made up of three processes: Risk identification is used to find, recognize, and describe the risks that could affect the achievement of objectives. Risk analysis is used to understand the risks that you have identified, study impacts and consequences, and to estimate the level of risk based on the controls that currently exist. Risk evaluation compares the risk analysis results with risk criteria to determine the appropriate risk treatment. Risk treatment options include: avoidance, transfer, implementing safeguards (controls), or knowingly accepting the risk. Residual risk is the risk left over after you ve implemented risk treatment. 20

My Personal Risk Definition Risk a combination of the consequence of an event and the probability of the event happening Consequence The impact to the organization of a potential breach to an asset s confidentiality, integrity or availability. [Asset Value (AV) or Security Impact (SI)] Probability The probability of the threat occurring. [Threat Likelihood (TL)] X The probability of exposure to the threat considering the existing security controls. [Vulnerability Exposure (VE)] Consequence X Probability Risk = AV x (TL x VE)

Where Do We Get The Numbers? Quantitative Analysis uses real numbers in the calculation of probability and consequence, not rankings (1 st, 2 nd, 3 rd ); and is used in industries with years of documented historical data. [Any industries come to mind?] Qualitative Analysis uses common terms to describe the magnitude of potential consequences and probability and is useful when reliable data for more quantitative approaches is not available or too costly to obtain. 22

What Can You Spot? Asset Vulnerability Safeguard Safeguard Threat 23

The Process of Risk Assessments Not just security, the right security.

The Best Method of Accomplishing an Accidental Result Ambrose Bierce 25

The Risk Assessment Process Risk Assessment Report Identify Critical Business Processes (Scope) Identify Assets & Prioritize by Value (AV) Develop Risk Treatment Plans to Mitigate Risk Define & Accept Residual Risk Calculate Risk Scores & Prioritize AV x (TL x VE) Implementing RTPs & (Security Control Test Plan) Identify Vulnerabilities & Rate Potential Exposure (VE) Identify Threat Vectors & Likelihood of Occurrence (TL) Identify Existing Security Controls 26

The Risk Assessment Scope Identify Critical Business Processes (Scope) System Characterization (Scope) Business Process/ Department Mission Description Information Flow Security Requirements People & Users Physical & Logical Perimeters Network Diagram Critical Information Asset Inventory 27

Calculating Asset Values (AV) Identify Assets & Prioritize by Value (AV) Asset Name Data Classification Impact to the Asset from a Breach in Confidentiality 5.0 Very High; 4.0 High; 3.0 Medium; 2.0 Low; 1.0 Very Low Impact to the Asset from a Breach in Integrity 5.0 Very High; 4.0 High; 3.0 Medium; 2.0 Low; 1.0 Very Low Impact to the Asset from a Breach in Availability 5.0 Very High; 4.0 High; 3.0 Medium; 2.0 Low; 1.0 Very Low Asset Value SCORE (AV) Web Server Sensitive 3.0 4.0 5.0 4.0 On-line Banking Application Marketing Material Confidential 5.0 5.0 5.0 5.0 Public 1.0 2.0 3.0 2.0 28

Asset Value (AV) Severity Descriptions Value (AV) Severity Description Catastrophic (5.0) Severe impact to operations, extended outage, permanent loss of resource, triggers business continuity and/or public relations procedures, complete compromise of information, damage to reputation and/or significant cost to repair with continuity of business in jeopardy Major (4.0) Serious impact to operations, considerable system outage, compromise of a large amount of information, loss of connected customers, lost client confidence with significant expenditure of resources required to repair Moderate (3.0) Some impact to operations, tarnished image and loss of member confidence with significant effort to repair Minor (2.0) Small but tangible harm, may be noticeable by a limited audience, some embarrassment, with repair efforts absorbed into normal operations Insignificant (1.0) Insignificant impact to operations with minimal effort required to repair, restore or reconfigure 29

Threats & Threat Likelihood Identify Threat Vectors & Likelihood of Occurrence (TL) Threat a potential cause of an unwanted incident, which may result in harm to an organization s asset. Natural/Manmade Disaster Equip./Service Failures Acts of Terrorism Hackers Corporate Espionage Theft, Loss, or Fraud Accidental Human Action Malicious Human Action Software Errors Non Compliance External Parties Unauthorized Access Emerging Threats 30

Threat Likelihood (TL) Descriptions Threat Likelihood (TL) Very High (5.0) High (4.0) Description There are incidents, statistics or other information that indicate that this threat is very likely to occur or there are very strong reasons or motives for an attacker to carry out such an action. (Likely to occur multiple times per week) Likely to occur two - three times per month Medium (3.0) Low (2.0) There are past incidents, or statistics that indicate this or similar threats have occurred before, or there is an indication that there may be some reasons for an attacker to carry out such an action. (Likely to occur once per month) Likely to occur once or twice every year Very Low (1.0) Few previous incidents, statistics or motives to indicate that this is a threat to the organization (Likely to occur two/three times every five years) 31

Existing Controls Inventory Identify Existing Security Controls Security Controls administrative, technical, and physical safeguards intended to ensure the confidentiality, integrity, and availability of an organization s information assets. Access Enforcement Separation Of Duties Least Privilege Unsuccessful Login Attempts System Use Notification Previous Logon Notification Concurrent Session Control Session Lock Session Termination Supervision And Review Access Control Remote Access Auditable Events Content Of Audit Records Audit Storage Capacity Response To Audit Processing Failures Audit Monitoring, Analysis, And Reporting Audit Reduction And Report Generation Time Stamps Protection Of Audit Information Audit Record Retention Security Assessments Security Certification Baseline Configuration Access Restrictions For Change 32

Vulnerabilities & Exposures Identify Vulnerabilities & Rate Potential Exposure (VE) Vulnerability a weakness that can be exploited by one or more threats that could impact an asset. Vulnerabilities are paired with specific threats. Inadequate fire prevention Disposal/re-use of storage media Excessive authority Inadequate asset classification Inadequate/insufficient testing Inadequate access control Lack of security awareness Poor segregation of duties Lack of third party contracts Lack of protection from viruses Lack of information back-up Inadequate control of visitors Lack of termination procedures Insufficient security controls testing Inadequate physical protection Located in Flood/tornado zone 33

Vulnerability Exposure (VE) Descriptions Vulnerability Exposure (VE) Very High (5.0) High (4.0) Medium (3.0) Low (2.0) Very Low (1.0) Description The vulnerability is very easy to exploit and the asset is completely exposed to external and internal threats with few if any security controls in place; (Requires drastic action to safeguard the asset and immediate attention to implementing security controls.) The vulnerability is easy to exploit and the asset is highly exposed to external and internal threats with only minimal security controls in place; (Requires immediate action to safeguard the asset and near-term implementation of security controls.) The vulnerability is moderately exposed to both internal and external threats and the security controls in place to protect the asset are limited and/or are not regularly tested. (Requires immediate attention and safeguard consideration in the near future) The vulnerability is easy to exploit and the asset is highly exposed to external and internal threats with only minimal security controls in place; (Requires immediate action to safeguard the asset and near-term implementation of security controls.) The vulnerability is very hard to exploit or the security controls in place to protect the asset are very strong 34

Calculating Risk Scores Calculate Risk Scores & Prioritize AV x (TL x VE) Risk = AV x (TL x VE) Asset ID# Asset Description Asset Value (AV) Threat Threat Likelihood (TL) 5 Very High; 4 High; 3 Medium; 2 Low; 1 Very Low Vulnerability Vulnerability Exposure (VE) 5 Very High; 4 High; 3 Medium; 2 Low; 1 Very Low Risk Score AV x TL x VE 35

Calculating Risk Scores Calculate Risk Scores & Prioritize AV x (TL x VE) Risk = AV x (TL x VE) (1-5) x [(1-5) x (1-5)] 5 Catastrophic 25 50 75 100 125 A S S E T 4 Major 3 20 40 60 80 100 V A L U E Moderate 2 Minor 1 15 30 45 60 10 20 30 40 75 50 Prioritized Mitigation Managed Mitigation Accept, but Monitor Accept Insignificant 5 10 15 20 25 0 5 10 15 20 25 Rare Unlikely Possible Likely Almost Certain TL x VE 36

Calculating Risk Scores Calculate Risk Scores & Prioritize AV x (TL x VE) Threats & Vulnerabilities Risk = AV x (TL x VE) Asset Value [Security Impact] Threat Likelihood Vulnerability Exposure Very Low Low Medium High Very High High M M H H H High Medium L M M H H Low L L M M H High L L M M H Medium Medium L L L M M Low L L L L M High L L L L M Low Medium L L L L M Low L L L L L 37

Developing Risk Treatment Develop Risk Treatment Plans to Mitigate Risk Risk Treatment Plan Risk Calculation Risk Treatment: Avoid, Transfer, Accept or Control Rationale if Avoiding, Transferring or Accepting Risk Control to Mitigate Risk New Vulnerability Exposure (NVE) after Controls 5 Very High; 4 High; 3 Medium; 2 Low; 1 Very Low New Risk Calculation with Additional Control Mitigation Action Action/ Control Owner Target Implementation Date 38

Reviewing Residual Risk Define & Accept Residual Risk The quantity of risk left over at the end of a risk treatment process. It is management's responsibility to set their company's acceptable risk level. As a security professional, it is our responsibility to work with management and help them understand what it means to define an acceptable level of risk. Each company s acceptable risk level is derived from its legal and regulatory compliance responsibilities, its threat profile, and its business drivers and impacts. 39

Risk Assessment Report EXECUTIVE SUMMARY Risk Assessment Report I. INTRODUCTION Purpose Scope of Risk Assessment II. SYSTEM CHARACTERIZATION Mission Description Security Requirements People & Users Physical Perimeters Logical Perimeters Network Diagram Critical Information Assets III. RISK ASSESSMENT APPROACH Introduction Methodology Project Participants Information Gathering Techniques Information Assets Impact Analysis Threat Identification & Likelihood Determination Control Analysis & Vulnerability Exposure Determination Risk Calculations Prioritized Mitigation Actions 40

Risk Assessment Report IV. RISK ASSESSMENT RESULTS Business Owner Threat Analysis Previous Risk Assessment Mitigation Actions Policy and Procedure Review Security Control Test Plan Review Vulnerability Scan Results Mitigation Actions Summary Overall Level of Risk Acceptable Level of Risk Conclusions 41

Implementing RTPs Implementing Risk Treatment Plans RISK TREATMENT PLAN Planning Phase Priority (1-2-3) Reference Task Description Owner Resource ID# Estimate (Man days) 1. Presentation to the 5.1 board defining risk assessment results. 2. 6.2.1 Establish an Information 3. 6.3.1 Security Committee. Create a procedure defining how information security activities will be coordinated throughout the organization. Target Date Percent Complete Comments 42

Risk Mitigation Triangle Security Control Security Control Security Control Threat Likelihood (TL) Risk Vulnerability Exposure (VE) Risk Acceptable Level of Risk? Asset Value (AV) 43

Lessons Learned All business processes do not have the same impact; Critical information assets include more than just the IT assets; All information assets are not valued the same; Risk scores help to prioritize control decisions; Lowering risk scores is a cost benefit exercise; It is important for business and IT to acknowledge the responsibility for risk ownership; Risk requires consistent terminology to discuss and measure; and Risk assessment is the foundation to better decision making. 44

Remember Risk assessment is about Direction and NOT Perfection. There is no perfect risk assessment. We don t have enough time or money to consider every threat and vulnerability and even if we did the assessment is still obsolete as soon as the report is published. 45

Thank you for your attention Not just security, the right security.

For more information Contact: Barry L. Kouns Risk Based Security, Inc. Email: barry@riskbasedsecurity.com 47

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback