BUILDING AN INFORMATION SECURITY RISK ASSESSMENT SECURITY RISK ASSESSMENT PROGRAM (WITH $0 BUDGET)Kathy Doolittle CISSP, CISM, CEH kathy.doolittle@onsemi.com10.23.08

Agendag

1. Background 2. Security risk assessments3 Creating a repeatable simple process essentially at 3. Creating a repeatable, simple process - essentially at

$0 cost (+ Labor, Existing Technology)4. Examples of tools5. Selling the idea to management6. Reassess & Fix

Blueprintsp

F d IT S it Ri kFocused on IT Security RiskBuild it with little outlay of tools/$

More manualLess complexGood starting point

Assess your needs (compliance, security, reporting)

B k dBackground

Background: Issuesg

No security plans or risk assessment y pprogram in place; ad hoc tracking of issues

No money, very limited staff

R t it / i k t f Rare to no security/risk assessments for technology purchases, integrations, M&A

Very limited security integration or involvement into IT requirements gathering

Ad hoc security assessments for projects; limited risk assessment focused on SOX

Background: Goals g

Main goal Identify security risks in IT Needs & Requirements

Main goal: Identify security risks in IT projects and manage the risksCreate a process for assessmentCreate a process for assessmentCommunicate the need for Risk Management to management and peersg g pIntegrate process into current process for least impact and increased chance of usageGrow it

S i Ri k A * Security Risk Assessment*

What is Risk?

• hazard: a source of danger; a possibility of incurring loss or misfortune

• adventure undertaken without regard to possible loss or injury

• exposure to a chance of loss or damage

What is Security Risk?y

Project RiskFactors that may cause

a failure to meeta project’s objectives

Business RiskFactors that may cause

a failure to meet a company’s objectives

Security RiskFactors that may cause

a failure to meeta company’s risk a project s objectives

Inexperienced personnelNew technology

company s objectives

Growth risk Technology risk

a company s risk acceptance level or

regulatory requirementImpacts to

Time constraintsBudget

Dependencies

Marketing riskFinancial risk

Team/Management risk

Confidentiality, Integrity,Availability due to

vulnerabilities& threats& threats

ACCEPT: Implement Workarounds -- Reactionary - UnfundedMITIGATE I l t S P ti C t l P ti ll F d dMITIGATE: Implement Some Preventive Controls --- Partially FundedTRANSFER/AVOID: Implement Strong Preventive Controls &/or Insurance – Fully Funded

Why Do We Assess Security Risk?y y

M SMoney Spent

Security Provided

What an Assessment Identifies

Example: Assessment Outcomesp

Proactively identify risks that are posed to systems and data

Quickly identify and prioritize high risk projects

Assure adequate planning scoping and prioritization for new Assure adequate planning, scoping, and prioritization for new security services or protection methods

Outcome:Outcome:

Fully understand & communicate company risk posture & statusidentifies risks to core systems when integrating new systems identifies risks to core systems when integrating new systems Ability to measure risk and show value of security projectsHolistically manages risk in a global infrastructureManages risk in a repeatable way for compliance requirements

C i R bl PCreating a Repeatable Process

Creating the Process: Gap Analysisg p y

D i & O tDrivers & Outcomes• Drivers: Regulatory, best practices, certifications,

business• Outcomes: What do you want/need to meet drivers?• Outcomes: What do you want/need to meet drivers?

Components• Wh t d h & h t d d ( l • What do you have & what do you need (people,

processes, technology)• What is your timeline and who will be involved?• Do you have any funds? Do you have a sponsor?

Interaction•Who are the stakeholders? Educate or must sell?•Where are points of interaction for process?

Use What You Have

Technology• Office type apps or open

Processes• Methodologies (SDLC MSF

People• StakeholdersOffice type apps or open

source (databases, spreadsheets, presentations)

• SharePoint• Web servers• S it VA

Methodologies (SDLC, MSF, other Project Lifecycles)

• Purchase Approvals• Change Controls• Project Approval Process

C i i h (

Stakeholders• Security, Audit• Board of Directors• Communications Director• Application Developers

• Security VA programs• Maturity Modelers (Gartner)

• Communication paths (mgt meetings, HR, legal, audit committees

• Training (brown bag)

• Project Managers• C-Level Backing

Your wits Your wits, your intelligence,

your charm, your experience ,

your personal ‘hammer’

Example: RA in the Project Lifecyclep j y

RAD (Risk Acceptance Document), if necessary

Initial Risk QuestionnaireQuestionnaire (IRQ) for all projects

RISC plan (S i ) f(Security Plan) for high risk projects

Initial Process

IRQ - Information Risk QuestionnaireProject Managers or Sponsors

All Projects

RISC Plan – Risk & Information SecurityC l Pl

ONLY Moderate & High Risk IRQ Scored Projects

Controls PlanInformation Security Analyst ( + project architects)

ONLY Projects with Critical and High Risks to Accept

RAD – Risk AcceptanceDocument

ONLY Projects with Critical and High Risks to Accept

DocumentProject Managers & Sponsor

Identify the Focus & Priorityy y

Where will you focus out of Set achievable goals

Focus Priority

the gate and why?Regulatory systems

Security systems

Set achievable timelines and stick to them

Quarterly & YearlyNew technology or processes

Foundational systems

Critical processes

Quarterly & YearlySystem Focus

Prioritize based on what Application development

Use drivers & desired outcomes to help you focus

you can do with limited budget and personnel

outcomes to help you focus

Think in Terms of Standardization

DocumentationProcesses

Integration pointsStandard Assessment methodsStandard Assessment methods

Policies, standards (internal, best practices, etc)Conducting the assessmentProject Risk Levelsj

Follow up

Slight Guarded Moderate High

<28 points 29-33 points 34-39 points >40 points

ToolsCommunication methodsT i lTerminologyMetrics

Make It Repeatablep

D fi d Defined: Integration Points

Defined: processes for assessment

Defined: methods of

communication

Standard Defined: path for documentationfor

fix/assess/fix…

Create the Process

• Focus on your main priorities & goals• Prioritize your SRA process over time

C d d l & d• Create standard templates & documents• Use existing corporate processes & add to them• Keep it easy to use• Test it out prior to deployment• Re-evaluate over time (quarterly yearly)Re-evaluate over time (quarterly, yearly)

E lTh IRQ (I f ti Ri k Q ti i )

Examples• The IRQ (Information Risk Questionnaire)• The RISC (Risk and Information Security Controls)Th RAD (Ri k A t D t)• The RAD (Risk Acceptance Document)

Information Risk Questionnaire

A k k ti t i k The IRQ Requirements

Asks key questions to score risk Extremely easy to use by non-security ( dit) l(or audit) personnelQuick (~ 10 minutes at most)Implemented in early stage of project lifecycleLow cost (.xls and stored on SharePoint)

Risk & Information Security Controlsy

Repeatable processThe RISC Plan (aka Security Plan) Requirements

Repeatable processStandardize method to limit risk and control types, ability to add types

RequirementsProject, Foundational, Ad Hoc PlansLow cost (Access Database) to create & maintain (but can be ported later)maintain (but can be ported later)Ability to imbed design documentsAbility to report based on risks, controls, Ability to report based on risks, controls, outstanding issues, foundation & project plansMultiple associations between risks & plans ll dallowed

RISC Database Schema Examplep

Risk Acceptance Documentp

M t i ff Hi h d RAD Requirements

Management signoff on High and Moderate (year 2) Risks D t d Documented Provides means to communicate on

it & i k security & risk Provides means to “include security

l i j t”early on in a project”

Process Development: Lessons Learned

1 Really understand the processes to integrate withProcess Development

1. Really understand the processes to integrate with2. Get to input from users3. Combine forces for IRQ development

Li it t f d t 4. Limit amount of new documents or processes5. Get a sponsor6. If you have no money, you can achieve a

t bl b t li it f & fi t repeatable process, but limit your focus & first year goals

7. Start focused and build from thereIf h li it d l k th 8. If you have limited personnel, make sure they are fully trained in process and goals for each year

Training Usersg

Introduce Security RiskIntroduce Security RiskIdentify the process (e.g. Slide 18)Explain impact to themExplain impact to themRequire training for IRQK di lKeep an open dialog

Have a Wiki (or FAQ site)H l f li i lHave lots of online material

Touch base and get feedback

S ll S R k MSelling Security Risk Management

Selling the Idea to Management g g

Introduce idea of Security Risk Use compliance requirements, security audits/VAs

What How

Be clear on impact to users and processes

Show high level plan

security audits/VAs

Grab metrics

Focus on goals of assessments

Focus on immediate impact & deliverables

Don’t oversell (too many

Advance simple ideas regarding process inclusion

Define impact of process at high Don t oversell (too many graphics, metrics, charts)

Define impact of process at high level

Don’t forget industry practices

Selling – Go In Knowing:g g

How: Process Will Integrate with Existing Business ProcessesExisting Business Processes

When: Who: Key Users When: Timeline

What:C t Eff t

What: Deliverables

What: Projected

Cost, Effort Deliverables Outcomes

R & FiReassess & Fix

Review & Reassess

IRQ Scoring

# of

Scoring

RISC Plan

# of Projects Using

ProcessRISC Plan

Identification, Scoring Values &

Validity

Next Logical Stepsg p

Shore up weak points in process or assessmentsMore Project Types (M&A, Applications, Partners)Increase RISC Plans for more types

Increase RADs for Moderate (add to Critical/High)

Slight Guarded Moderate High

<28 points 29-33 points 34-39 points >40 points

Increase RADs for Moderate (add to Critical/High)Globalize Process Require training 2x year for Security Assessors Give Audit/Compliance & Management Updates on Progress

L L dLessons Learned

My Lessons Learnedy

M&A IWhat I Wish I Knew Then

M&A IssuesExpect Pushback - ITRunning Aground on other ProcessesSell, Sell, SellDon’t stop communicating Take Compliance & Audit to lunch -often