Information Security Risk Strategies
By Larry.Boettger@Berbee.com
Meeting Agenda
- Challenges Faced By IT
- Importance of ISO-17799 & NIST
- The Security Pyramid
- Benefits of Identifying Risks
- Dealing or Not Dealing With Risks
- Applying Real-World Risk Management Methodologies
- Conclusion
Challenges
- Information & System Availability
- Complex Environments
- Connectivity Requirements (Work From Anywhere \ Anytime)
- Fast Paced Growth (Acquisitions)
- Regulation Requirements
- Transitioning from Reactive to Proactive Practices
- Limited Resources (Biggest Challenge)
Regulations
- HIPAA: Health Insurance Portability & Accountability Act
- GLBA: Gramm-Leach-Bliley Act
- Sarbanes-Oxley: Sarbanes-Oxley Act
- Payment Card Industry: Credit Card Industry Specific Requirements
Key Methodologies
- ISO-17799
- National Institute of Standards & Technology (NIST)
- ITIL
- CoBIT
Importance of NIST & ISO-17799
- National Institute of Standards & Technology (NIST) Referenced Throughout Most Regulations
- Policies and Procedures Are Critical to NIST Best Practices
- ISO-17799 is Industry Recognized Standard for Security
- ISO-17799 Covers 10 Areas of Security
- Each ISO-17799 Area Has Individual Security Items
- If You Follow NIST and ISO-17799 You Would Have a Strong Security Posture and Should Pass Almost Every Audit
- Combine NIST 800-26 Levels and ISO-17799
ISO-17799 Covered Areas
- Security Policies
- Organizational Security
- Asset Classification & Control
- Personnel Security
- Physical and Environmental Security
- Communications & Operations Management
- Access Control
- System Development & Maintenance
- Business Continuity Management
- Compliance
NIST Legend
- Level 1: control objective documented in a security policy
- Level 2: security controls documented as procedures
- Level 3: policies and procedures have been communicated & implemented
- Level 4: procedures and security controls are tested and reviewed
- Level 5: procedures and security controls are fully integrated into a comprehensive program
ISO-17799 Graph Sample: Business Continuity
[Chart: y-axis "NIST Level" (0 to 6); series "Actual Practice" and "Peer Comparison"; categories: Business Continuity Management Process, Business Continuity & Impact Analysis, Writing & Implementing Continuity Plan, Business Continuity Planning Framework, Testing Maintaining & Reassessing BC Plan]
Assess the Pyramid
What is the Pyramid
- Holistic\Integrated Approach to Security
- Represents the key building blocks to a strong Information Security Posture
- Represents Berbee's approach to security
- Much Like Maslow's Hierarchy of Needs or USDA's Food Pyramid
Three Types of Clients
- Those that are maintaining the pyramid
- Those who are building the pyramid
- Those that need to start building the pyramid
- They all have different pyramid needs
Security Professional's Goals
- Reduce Risk
- Reduce Cost
- Reduce Complexity
Policies, Procedures, Standards & Leadership Support
- Policies
- Procedures
- Standards
- Leadership Support
Assessments & Risk Management
- Risk Management
  - Provide a roadmap to strengthen weaknesses
  - Provide an idea of remediation budget
  - If you're regulated, it will save you time when the audit occurs
- Assessments
  - Types: Baseline, Compliance, Progress
  - Purposes: Facilitation, Education, Justification
Benefits of Identifying Risks
- Can't Manage if You Can't Measure
  - Knowing Risks will allow you to determine what and how to protect against threats
  - It will identify costs of dealing with threats
- Roadmap for Protection Mechanisms
  - Knowing Risks will be the first step towards evaluation & implementation of protection practices and solutions
  - Project Plans and Head Count Necessary for Risk Mitigation will be defined
- Enhances Proactive Response Practices
  - Knowing Risks will allow for more effective Incident Handling, IT Contingency, and Physical protection mechanisms
  - With Risk Prioritization, when multiple issues occur, it will reduce time to respond
Dealing or Not Dealing With Risks
- Three ways to deal with risks
  - Accept the risk as it is
  - Mitigate or reduce the risk
  - Transfer the risk (insurance)
- Not taking the time to identify risks has these potential consequences
  - Significant monetary loss due to attacks
  - Regulatory Penalties
  - Civil Penalties (class action lawsuits by victims)
  - Damage to Reputation
  - Intellectual Property Loss
  - Customer Privacy Compromised
  - Physical Loss
  - Loss of Life in Critical Infrastructures (Transportation, Health Care, Government, Utilities)
How To Identify and Prioritize Risk
- First Step is a Business Impact Analysis (BIA)
  - Utilize ISO-17799 Checklist
  - Send out a BIA Questionnaire to Business Units
- Fill out the Risk Assessment Spreadsheet for each System, Application and Process from the BIA and ISO Checklist
- Create Priority Matrix & Task Lists
  - With the results from the Risk Assessment Spreadsheet and other Material, a Task Plan can be built
  - Identify resources that should be part of the Risk Management Project
- Risk Management Team First Steps
  - Should each risk be: Accepted, Mitigated, Transferred
  - For those that need to be mitigated: determine next steps
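As an added worked example (not from the deck or Berbee), here is the scoring behind the Risk Assessment Spreadsheet and Priority Matrix steps above: it combines the Business Continuity items from the ISO-17799 graph slide with the NIST 800-26 legend levels and maps each item to the Accept / Mitigate / Transfer decision. The 1-5 business-impact scale, the impact-times-gap score and the treatment thresholds are assumptions a team would tune, not values from the deck.

```python
# Added example (not from the deck): score ISO-17799 items with NIST 800-26
# maturity levels and build a priority matrix with accept/mitigate/transfer.
from dataclasses import dataclass
# NIST 800-26 legend from the slide, keyed by level
NIST_LEVELS = {
    1: "control objective documented in a security policy",
    2: "security controls documented as procedures",
    3: "policies and procedures communicated and implemented",
    4: "procedures and security controls tested and reviewed",
    5: "fully integrated into a comprehensive program",
}
@dataclass
class Control:
    area: str     # ISO-17799 area
    item: str     # individual security item within that area
    actual: int   # NIST 800-26 level actually practised (1-5)
    impact: int   # BIA business-impact rating, 1 (low) to 5 (critical); assumed scale

def gap(c: Control, target: int = 4) -> int:
    """Maturity shortfall against the target NIST level (never negative)."""
    return max(0, target - c.actual)

def risk_score(c: Control, target: int = 4) -> int:
    """Priority score: business impact weighted by maturity gap (assumed formula)."""
    return c.impact * gap(c, target)

def treatment(c: Control, target: int = 4, accept_below: int = 3, transfer_at: int = 15) -> str:
    """Map the score to the deck's three options; thresholds are assumptions a team would tune."""
    score = risk_score(c, target)
    if score < accept_below:
        return "accept"
    if score >= transfer_at:
        return "transfer"   # e.g. insure what is critical and far from target
    return "mitigate"

def priority_matrix(controls, target: int = 4):
    """Rows ranked highest score first (ties: lower actual level, then item name)."""
    rows = sorted(controls, key=lambda c: (-risk_score(c, target), c.actual, c.item))
    return [(c.item, risk_score(c, target), NIST_LEVELS[c.actual], treatment(c, target))
            for c in rows]

# Constructed sample using the Business Continuity items on the graph slide
SAMPLE = [
    Control("Business Continuity", "BC Management Process", 3, 4),
    Control("Business Continuity", "BC & Impact Analysis", 1, 5),
    Control("Business Continuity", "Writing & Implementing Continuity Plan", 2, 5),
    Control("Business Continuity", "BC Planning Framework", 4, 3),
    Control("Business Continuity", "Testing, Maintaining & Reassessing BC Plan", 1, 4),
]
```

Calling `priority_matrix(SAMPLE)` returns the rows in the order the Task Plan should address them, with the legend text for each item's current level so the gap is readable by business units.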
Key Processes In Overall InfoSec Program
- Assess policies, standards, procedures by conducting a gap analysis
- Author policies and procedures that are not in place based on the gap analysis
- Implement an internal Audit and Assessment process
- Conduct a Risk Analysis to identify systems, applications and their critical priority level
- Build an Incident Response\Handling process
Key Processes Continued
- Implement Release, Configuration and Management processes
- Create a Security Awareness Program for all internal personnel
- Conduct a Cost\Benefit Analysis (CBA) on technologies that can assist in reducing the complexity and costs associated with security risks
- Designate staff to lead the security initiatives and allow them time to do so
- Assess what organizations in your industry that are similar in size, strategy, etc., are doing for their security initiatives
Key Take Aways
- ISO-17799 and NIST Are Important Components in Identifying, Measuring and Managing Risks
- Risk Management involves Leadership support to get the resources to deal with it
- Not dealing with risk has consequences
- There are free tools available for initiating & maintaining the risk management process
- Risk Management involves diligence, key personnel involvement and keeping it simple
Links & Tools
- http://www.securityfocus.com/vulnerabilities
- http://www.infosyssec.com/index.shtml
- http://www.nessus.org
- http://new.remote-exploit.org/index.php/auditor_main (Auditor)
- http://www.iwhax.net/modules/news/ (Whoppix)
- http://www.knoppix.net/
- http://www.isecom.org/osstmm/
- http://www.insecure.org
- http://www.foundstone.com/
- http://www.metasploit.com/
- http://packetstormsecurity.nl/
More Links & Tools
- http://www.owasp.org/index.jsp
- http://www.hackingexposed.com/
- http://www.sans.org
- http://www.sans.org/score/
- http://isc.sans.org/
- http://csrc.nist.gov/publications/nistpubs/
- http://csrc.nist.gov/pcig/cig.html
- http://csrc.nist.gov/checklists/repository/category.html
- http://www.iso17799software.com/
- http://www.microsoft.com/security
- http://www.cisco.com/security
Thank You