Outline
• Introduction
• Risk Management
• Risk Identification
• Risk Assessment
• Documenting the Results of Risk Assessment
In the News
• “Imprudent curiosity” and ample warning?
"Every single time they access a computer there's a
reminder that comes up that says: The
information you are about to access has Privacy
Act restrictions on it and you are acknowledging
that you have a need to know in order to do your
job to access this file; and that if you are
accessing it in an unauthorized manner, then
there are potential penalties."
http://www.cnn.com/2008/POLITICS/03/21/passport.breach/index.html
Introduction
• Information security departments are created primarily to
manage IT risk
• Risk management program has two formal processes
» Risk identification and assessment
» Risk control
Knowing Ourselves
• Identify, Examine and Understand
» information at rest, in motion, and in use (stored,
transmitted, and processed)
• Initiate an in-depth risk management program
• Risk management is a process
» It is the safeguards and controls that are devised and
implemented (due diligence is required)
Knowing the Enemy
• Identify, examine, and understand
» the threats
• Managers must be prepared
» to fully identify those threats that pose risks to the
organization and the security of its information assets
• Risk management is the process
» of assessing the risks to an organization’s information
and determining how those risks can be controlled or
mitigated
Risk Management
• The process concerned with identification,
measurement, control and minimization of security risks
in information systems to a level commensurate with the
value of the assets protected (NIST)
Figure: Risk Management Cycle: Identify the Risk Areas → Assess the Risks → Re-evaluate the Risks (and back to Identify)
Accountability for Risk Management
• All three communities of interest bear
responsibility (IT, InfoSec, Management & Users)
» Evaluating risk controls
» Determining which control options are cost-effective
» Acquiring or installing appropriate controls
» Overseeing processes to ensure that controls remain
effective
» Identifying risks
» Assessing risks
» Summarizing findings
Risk Identification Process
Risk Identification
• Risk identification
» begins with the process of self-examination
• Managers
» identify the organization’s information assets,
» classify them into useful groups, and
» prioritize them by their overall importance
Creating an Inventory of Information Assets
• Identify information assets
» people, procedures, data and information, software,
hardware, and networking elements
» values will be assigned later in the process
Organizational Assets
Identifying Hardware, Software, and Network Assets
• Many organizations use purchased asset inventory
systems
• Determine which attributes of each of these information
assets should be tracked
» Will depend on the needs of the organization and
» its risk management efforts
Attributes for Assets
• Potential attributes:
» Name
» IP address
» MAC address
» Asset type
» Manufacturer name
» Manufacturer’s model or part number
» Software version, update revision
» Physical location
» Logical location
» Controlling entity
Commercial Products
• Altiris
• Novell Zenworks
• Microsoft SMS
• CA Asset Management
Identifying People, Procedures, and Data Assets
• Whose responsibility?
» managers who possess the necessary knowledge,
experience, and judgment
• Recording
» use reliable data-handling process
People, Procedures, and Data Assets
• People: suggested attributes
» Position name/number/ID
» Supervisor name/number/ID
» Security clearance level
» Special skills
• Procedures: suggested attributes
» Description
» Intended purpose
» Software/hardware/networking elements to which it is tied
» Location where it is stored for reference
» Location where it is stored for update purposes
People, Procedures, and Data Assets
• Data Suggested Attributes
» Classification
» Owner/creator/manager
» Size of data structure
» Data structure used
» Online or offline
» Location
» Backup procedures
Classifying and Categorizing Assets
• Determine whether its asset categories are
meaningful
» After initial inventory is assembled
• Inventory should also reflect sensitivity and
security priority assigned to each asset
• A classification scheme categorizes these
information assets based on their sensitivity and
security needs
» One example: confidential, internal, and public
Classifying and Categorizing Assets (Continued)
• Categories
» designates level of protection needed for a particular
information asset
• Classification categories must be comprehensive
and mutually exclusive
• Personnel may require alternative classification
» identifies the clearance needed to use the asset type
» Need-to-know, right-to-update
Assessing Values for Information Assets
• Assign a relative value
» to ensure that the most valuable information assets are
given the highest priority, for example:
• Which is the most critical to the success of the organization?
• Which generates the most revenue?
• Which generates the highest profitability?
• Which is the most expensive to replace?
• Which is the most expensive to protect?
• Whose loss or compromise would be the most embarrassing or
cause the greatest liability?
• Final step in the Risk Identification process is to
list the assets in order of importance
» Can use a weighted factor analysis worksheet
Weighted Factor Analysis Worksheet
Risk Management for IT Systems
(NIST SP 800-30)
Data Classification Model
• Data owners must classify information assets for which
they are responsible and review the classifications
periodically
• Example:
» Public
» For official use only
» Sensitive
» Classified
Data Classification Model
• US Military uses a five-level classification scheme as
defined in Executive Order 12958:
» Unclassified Data
» Sensitive But Unclassified (SBU) Data
» Confidential Data
» Secret Data
» Top Secret Data
Security Clearances
• Personnel Security Clearance Structure:
» Complement to data classification scheme
» Each user of information asset is assigned an
authorization level that indicates level of information
classification he or she can access
• Most organizations have developed a set of roles
and corresponding security clearances
» Individuals are assigned into groups that correlate with
classifications of the information assets they need for
their work
Management of Classified Information Assets
• Managing an information asset includes
» the storage, distribution, portability, and destruction of
that information asset
• Information asset that has a classification
designation other than unclassified or public:
» Must be clearly marked as such
» Must be available only to authorized individuals
Management of Classified Information Assets
• Clean Desk policy
» To maintain confidentiality of classified documents,
managers can implement a clean desk policy
• Destruction of sensitive material
» When copies of classified information are no longer valuable
or too many copies exist, care should be taken to destroy
them properly to discourage dumpster diving
Threat Identification
• Assess potential weaknesses in information assets
• Requires experience and good judgment
• Cannot assume that each and every threat will lead to an
attack
• Need to prioritize and identify threats and threat agents
Threat Identification
Threat Assessment
• Which threats present a danger to this organization’s
information assets in its current environment?
» Eliminate any threats that do not impact your organization.
» Provide specific examples for the threats that do impact the
organization
Threat Identification
• Which threats represent the gravest danger to the
organization’s information assets?
» Consider probability of threat, amount of damage, or
frequency that an attack can occur
» Based on existing level of preparedness and used for
improving information security strategy
Threat Identification
Top three threats identified by top computing
executives:
• Deliberate software attacks
• Technical software failures or errors
• Acts of human error or failure
• Do you agree?
Threat Identification
Top four types of attack or misuse:
• Virus
• Laptop/mobile theft
• Insider abuse of Net access
• Unauthorized access to information
• Any thoughts?
Frequency of Attacks
Ask the following questions:
• How much would it cost to recover from a successful
attack?
» Can rank potential costs (1-5) or assign raw values
» Want rough assessments, not full blown analysis
• Which threats would require the greatest expenditure to
prevent?
Frequency of Attacks
• Detected attacks have been decreasing*
• Some organizations also do not know if they have been
attacked or not
Vulnerability Assessment
• Create asset-threat pairs.
• Use the table of threats to analyze and list
possible vulnerabilities for each specific asset.
• Process can be somewhat subjective and based
on experience/knowledge.
• Use teams with diverse backgrounds (specialists,
management, technically proficient users) to
conduct assessment.
Threat Vulnerability Asset Worksheet (TVA)
• TVA => Prioritized list of assets and their vulnerabilities +
Threats prioritized by weights
• X-axis => Prioritized set of assets with most valuable asset
listed on the extreme left
• Y-axis => Prioritized set of threats with most important or
dangerous threat listed at the top
• A grid that provides a convenient method of examining the
exposure of assets
• Provides a simplistic vulnerability assessment
• Created in “triples”
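The two worksheets above, the weighted factor analysis that orders assets by value and the TVA grid that crosses those assets with weighted threats, worked as an added example (not part of the original slides). The assets, criteria weights, scores and threat weights are constructed sample data, and the exposure score (asset value × threat weight) used to order the cells is an assumption; the vulnerability column of each triple is left for the analyst to fill in.

```python
"""Weighted factor analysis and TVA grid. All names and numbers are constructed."""

# Weighted factor analysis: criteria weights must sum to 1.0; each asset is
# scored 0-100 per criterion and its value is the weighted sum.
CRITERIA = {"critical_to_mission": 0.4, "revenue": 0.3, "replacement_cost": 0.3}

# Constructed asset scores (0-100) per criterion.
ASSETS = {
    "customer_db": {"critical_to_mission": 100, "revenue": 90, "replacement_cost": 80},
    "web_server": {"critical_to_mission": 80, "revenue": 100, "replacement_cost": 40},
    "hr_laptop": {"critical_to_mission": 30, "revenue": 10, "replacement_cost": 20},
}

# Constructed prioritized threats with weights (higher = more dangerous).
THREATS = {"deliberate_software_attack": 0.9, "technical_failure": 0.6, "human_error": 0.5}


def weighted_value(scores, criteria=CRITERIA):
    """Weighted factor score of one asset (0-100)."""
    if abs(sum(criteria.values()) - 1.0) > 1e-9:
        raise ValueError("criterion weights must sum to 1.0")
    return round(sum(criteria[c] * scores[c] for c in criteria), 2)


def rank_assets(assets=ASSETS):
    """X-axis of the TVA grid: assets ordered most valuable first."""
    return sorted(assets, key=lambda a: weighted_value(assets[a]), reverse=True)


def rank_threats(threats=THREATS):
    """Y-axis of the TVA grid: threats ordered most dangerous first."""
    return sorted(threats, key=threats.get, reverse=True)


def tva_triples(assets=ASSETS, threats=THREATS):
    """One (threat, asset, exposure) entry per grid cell, ordered by exposure.
    Exposure = asset value x threat weight (an assumed scoring); the cell at
    the top is where the vulnerability search should start."""
    cells = [
        (t, a, round(weighted_value(assets[a]) * threats[t], 2))
        for t in rank_threats(threats)
        for a in rank_assets(assets)
    ]
    return sorted(cells, key=lambda c: c[2], reverse=True)
```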
Risk Management: Controlling Risk
Presented by:
Molly Coplen, Dan Hein, and Dinesh Raveendran
EECS 711 Chapter 8 Risk Management: Controlling Risk
Chapter Overview
• Risk Control Strategies
• Managing Risk
• Feasibility and Cost-Benefit Analysis
• Recommended Control Practices
• The OCTAVE Method
• Microsoft Risk Management Approach
Risk Management
Risk Control Strategies
Four strategies:
• Avoidance
• Transference
• Mitigation
• Acceptance
Avoidance
– applying safeguards that eliminate or reduce the remaining
uncontrolled risks
– attempts to prevent the exploitation of the vulnerability
Avoidance is the preferred approach as it seeks to avoid risk
rather than deal with it after it has been realized.
Transference
The control approach that attempts to shift the risks to other
assets, other processes, or other organizations.
Mitigation
The control approach that attempts to reduce, by means of
planning and preparation, the damage caused by the
exploitation of a vulnerability.
Acceptance
Acceptance is the choice to do nothing to
protect an information asset from risk, and to
accept the outcome from any resulting
exploitation.
Acceptance
Valid practice if management has:
• Determined the level of risk posed to the information asset
• Assessed the probability of attack and the likelihood of a
successful exploitation of a vulnerability
• Approximated the potential loss that could result from
attacks
Managing Risk
Risk appetite (or risk tolerance) describes the quantity
and nature of the risk that organizations are willing to accept,
as they evaluate the trade-offs between perfect security and
unlimited accessibility.
Managing Risk
Residual risk is what is left after vulnerabilities
have been controlled as much as possible – the risk
that has not been completely removed, shifted, or
incorporated into plans.
Managing Risk – Strategy Selection
• When a vulnerability (flaw or weakness) exists,
implement security controls to reduce the
likelihood of a vulnerability being exercised.
• When a vulnerability can be exploited, apply
layered protections, architectural designs, and
administrative controls to minimize the risk or
prevent the occurrence of an attack.
Managing Risk – Strategy Selection (continued)
• When the attacker’s potential gain is greater than
the cost of attack, apply protections to increase
the attacker’s costs, or reduce the attacker’s gain
by using technical or managerial controls.
• When the potential loss is substantial, build
protections to limit the extent of the attack,
thereby reducing the potential for loss.
Managing Risk
The control strategy articulates which of the four fundamental
risk-reducing approaches will be used, how the various
approaches might be combined, and justifies the findings by
referencing the feasibility studies.
Managing Risk
Once a control strategy has been selected and implemented,
controls should be monitored and measured on an ongoing
basis to determine their effectiveness and to estimate the
remaining risk.
Managing Risk
At a minimum, each information asset-threat pair should
have a documented control strategy that clearly identifies any
residual risk that remains after the proposed strategy has
been executed.
Feasibility Studies and Cost-Benefit Analysis
• Determines the level of risk posed to the information asset
• Identifying the advantages and disadvantages of
implementing a control
• Value of information assets
• Dollar-denominated expenses and savings from economic cost
avoidance
• Non-economic feasibility criteria
EECS 711
Philip Mein
"Prakash" Pallavur Sankaranaraynan
Annette Tetmeyer
Outline
• Introduction
• Staffing the Security Function
• Information Security Professional Credentials
• Employment Policies and Practices
• Conclusion
• Questions
EECS 711, Spring 2008, Chapter 10
Security Certified Program (SCP)