developing it security risk management plan
DESCRIPTION
As attacks on enterprise grow more sophisticated and diverse; companies need to rethink their network defense and entire enterprise risk management strategies. Security for that matter is not only about protecting the network, but also the data. That requires a combination of tactics, from securing the network perimeter to encrypting data on mobile and storage devices. Today, many enterprises look at network as taking a layered approach. As security become more complex, businesses increasingly see a need for enterprise security strategies, as well as ways to collate information from the various tools and evaluate their performance. And they are grappling with new issues created by growing mobility and anywhere, anytime access – making the remote users the “new perimeter” frontier and not the firewall – thus increasing risk to enterprise resources. In this respect, IT managers are currently focusing more and more on getting end-to-end visibility. However, more importantly – the road to an enterprise security strategy and risk management starts with consulting stakeholders to determine what level of risk is acceptable. Then you can formulate a policy that lays out the controls that will achieve the goals via implementing – a solid IT security risk management plan – geared towards organizations’ IT security objectives driven by business requirements for improved performance.TRANSCRIPT
Module I Kefa Rabah IT Risk Management Plan – The Way Forward
CIS300 - IT Risk Mgmt & Compliance Strategies PAGE 2 OF 50 Bright Future 2
Module I Risk Management Plan
A Case Study
SerengetiGroupIT Security Project Solution
www.serengetisys.com
Bedrock City University (BCU) Secure Network Infrastructure Project Developing IT Security Risk Management Plan The Way Forward
Document History:
Date Version # Author(s) Description of Changes
Feb 02, 2008 BCU-RMP-001 BCU-ISESC,
SISC
Final Issue
A Global Open Versity Reading Room Academic Technical Publication
Permissions: A GOV Open Knowledge Academic Access License
Learn more, visit: www.serengetisys.com
www.globalopenversity.org Kefa Rabah
Module I Kefa Rabah IT Risk Management Plan – The Way Forward
CIS300 - IT Risk Mgmt & Compliance Strategies PAGE 3 OF 50 Bright Future 3
Module I
Developing IT Security Risk Management Plan
Abstract
As attacks on enterprise grow more sophisticated and diverse; companies need to rethink their network defense and entire enterprise risk management strategies. Security for that matter is not only about protecting the network, but also the data. That requires a combination of tactics, from securing the network perimeter to encrypting data on mobile and storage devices. Today, many enterprises look at network as taking a layered approach. As security become more complex, businesses increasingly see a need for enterprise security strategies, as well as ways to collate information from the various tools and evaluate their performance. And they are grappling with new issues created by growing mobility and anywhere, anytime access – making the remote users the “new perimeter” frontier and not the firewall – thus increasing risk to enterprise resources. In this respect, IT managers are currently focusing more and more on getting end-to-end visibility. However, more importantly – the road to an enterprise security strategy and risk management starts with consulting stakeholders to determine what level of risk is acceptable. Then you can formulate a policy that lays out the controls that will achieve the goals via implementing – a solid IT security risk management plan – geared towards organizations’ IT security objectives driven by business requirements for improved performance.
1.0 INTRODUCTION
Risk management is a much talked about, but little understood area of the IT Security industry. While risk management has been practiced by other industries for hundreds of years, little historical data exists to support qualitative analysis in the IT environment.
The industry approach to-date has been to buy technology without really understanding the potential underlying risks. To further complicate matters, new government regulations create additional pressure to ensure sensitive data is protected from compromise and disclosure. Processes need to be developed that not only identify the sensitive data, but also identify the level of risk posed due to noncompliance of corporate security policies. Serengeti Information Security Consulting (SISC) at Bedrock City has developed security procedures based on industry standards that evaluate and mitigate areas deemed not compliant to internal security policies and standards. Through the use of quantitative analysis, AISC is able to determine areas that present the greatest risk, which allows for identification and prioritization of security investments.
1.1 OVERVIEW OF RISK MANAGEMENT IN IT SECURITY FIELD
The fundamental precept of information security is to support the mission of the organization. All organizations are exposed to uncertainties, some of which impact the organization in a negative or positive manner. In order to support the organization, IT security professionals must be able to help their organizations’ management understand and manage these uncertainties.
Managing uncertainties is not an easy task. Limited resources and an ever-changing landscape of threats and vulnerabilities make completely mitigating all risks impossible. Therefore, IT security professionals must have a toolset to assist them in sharing a commonly understood view with IT and business managers concerning the potential impact of various IT security related threats to the mission. This toolset needs to be consistent, repeatable, cost-effective and reduce risks to a reasonable level. However, due to the complex nature of the network infrastructure and its integrated information system, it
Module I Kefa Rabah IT Risk Management Plan – The Way Forward
CIS300 - IT Risk Mgmt & Compliance Strategies PAGE 4 OF 50 Bright Future 4
is important to present the reader with a clear picture of the risky business of protecting information systems.
In this respect, risk assessment plays a vital role in any information-security program, ensuring that resources are being allocated in the most effective way to support the business objectives. Because resources are always limited, controls should be applied to areas that represent the biggest risks. It's crucial that the risk-assessment process link security exposures to business needs; risks should be measured against the potential impact to the confidentiality, integrity or availability of any critical business process. Basically stated, every security control has an associated cost, and there must be a business reason for it to be implemented. Risk-assessment methodologies should be used to provide justification and prioritization for the implementation of security controls to mitigate risks.
1.2 Historical Perspective of Risks in the IT Security Field
A few years ago not many computers were connected to the Internet. Nowadays with the prices for broadband falling and households joining the Internet, things changed. The same is happening with the small to medium to corporate sector businesses. While email was not widely used, nowadays every company needs that form of communication in some form. With these changing habits, the risk is changing as well. A point to note here – you cannot eliminate risk – you can only reduce it!
Moreover, in the computing age of today, we have witnessed the growing popularity of the Internet and networks in our society. With these tools at our fingertips, we are able to communicate and do business even more quickly and efficiently than ever before. For example, businesses can market their products online so customers do not have to leave their homes, and banks can conduct transfers and manage accounts with more ease, speed, and functionality than with the paperwork of the past. Also, what is probably the most popular means of communication, email, is used by just about everyone each and every day.
Furthermore, today, the world continues to witness an explosion in mobile technology designed to help people communicate faster and more easily. We carry powerful digital computers in our pockets, exchange digital information in addition to voice data with our mobile phones, and surf the Web with high-end PDAs. In the near future, especially the coming of age of 3G wireless devices, every type of electronic data channel will be used to exchange every type of electronic information. This has become even more challenging with the entry of “Incredible Hulk” of smart-phone family, the iPhone 2.0. One of the great challenges of the ability to communicate digitally is securing the increased amount of electronic information now exchanged over the network. To make the matter worse today, everyone wants to be everywhere and anywhere and be reached via his tech-mobile system exchanging data with enterprise network. And that makes mobile security risk management a top priority for many businesses that want to offer high-end mobile customer application.
It is clear that these modern conveniences have made our lives much smoother. However, as we continue to add these conveniences to our lives, we open the door to more numerous, possibly even more dangerous, outlets for attacks ranging from malware to identity theft. With the prominence of identity theft on the rise, we must all be weary of the security of online communication. Moreover, in today’s network environment, and as every organization tries to deliver value from IT while managing an increasingly complex range of IT-related risks, the effective use of best practice can help to avoid re-inventing wheels, optimize the use of scarce IT resources and reduce the occurrence of major IT risks, such as: Project failures, Wasted investments, Security breaches, System crashes, and Failures by service providers to understand and meet customer requirements. See Fig. 1 for the evolution of IT threats.
Module I Kefa Rabah IT Risk Management Plan – The Way Forward
CIS300 - IT Risk Mgmt & Compliance Strategies PAGE 5 OF 50 Bright Future 5
While a few years ago every network needed to have a firewall and then everything was good, things changed here as well. Our society today, is based and relay on a free flow of information. That is, in real-time, information is constantly and continuously moving around, leaving and entering inter-networks (the Internet) around the world at any one instance. Today, therefore, IT professional’s main problem is, that this information can not be protected by a simple firewall, because that information will not stay in one place but “move around”. One could argue that we then should keep the information in one place where we can protect them. But, as mentioned above, our society needs that flow of information to further evolve and keep pace with ongoing industrial revolution and constantly ever changing innovative ideas being fueled by the ever rapidly evolving cyber-space, the Internet, and on its wake the mighty and vicious cyber-crime fueled by tech-savvy cybercriminals run by organized criminals looking upon the Web as a new – and extremely lucrative – source of ill-gotten gain mainly via identity theft.
Back Doors
DDOS Internet Worms
Boot Nets
PasswordGuessing
1980
Password CrackingSelf Replicationcode
1990 2000 2010
High
Technical KnowledgeRequired
Exploiting KnownVulnerabilities
Disabling Audits
Hijacking Sessions
SniffersSweepers
Stealth Diagnostics
Packet Forging/Spoofing
Sophistication of Hackers Tools
Script Kiddies
Viruses
Trojan Horses
InternetSQL InjectionsBack Doors
DDOS Internet Worms
Boot Nets
PasswordGuessing
1980
Password CrackingSelf Replicationcode
1990 2000 2010
High
Technical KnowledgeRequired
Exploiting KnownVulnerabilities
Disabling Audits
Hijacking Sessions
SniffersSweepers
Stealth Diagnostics
Packet Forging/Spoofing
Sophistication of Hackers Tools
Script Kiddies
Viruses
Trojan Horses
InternetSQL Injections
Fig. 1: Threats are more dangerous; and easier to use
The Full document has moved to docstoc.com. You may access it from here: http://www.docstoc.com/docs/28838188/?key=MmFlZGE5ZGEt&pass=YTRlOS00ZDQ1 ----------------------------------------------- Kefa Rabah is the Founder and CIO, of Serengeti Systems Group Inc. Kefa is knowledgeable in several fields of Science & Technology, IT Security Compliance and Project Management, and Renewable Energy Systems. He is also the founder of Global Open Versity, a place to enhance your educating and career goals using the latest innovations and technologies.