how to do a formal risk assessment
Implementing a Formal Information Security Risk Assessment
Praveen Joseph Vackayil, M.S, B.E, CISSP, PCI QSA cert., CCNA, ISO 27001 LA
ABOUT
• CONSULTING
• TRAINING
• AUDIT & CERTIFICATION
AGENDA
• CONTEXT ESTABLISHMENT
• ISRA IN THE INDIAN CONTEXT
• CASE STUDY RISK ASSESSMENT
• COMMON CHALLENGES, SUGGESTED SOLUTIONS
• NEED OF THE HOUR IN INDIAN ORGANIZATIONS
WHAT IS RISK ASSESSMENT?
WHAT IS RA?
• Risk Assessment is just people being people
• It is the accomplishment of a basic human need… TO BE IN CONTROL
FORMAL INFORMATION SECURITY RISK ASSESSMENT: MEASURABLE, COMPARABLE, REPEATABLE
NEW METHODOLOGY vs FORMAL METHODOLOGY
(Develop a new RA methodology vs. adopt a pre-existing formal RA methodology)

RA METHODOLOGY:
• New: A new methodology must be developed, tried and revised. This is in some ways re-invention of the wheel.
• Formal: A tried and tested methodology already exists. It needs to be identified, tailored and adopted. A corresponding RA template may be available.

RISK ASSESSORS:
• New: Develop an in-house talent pool that is well versed with the methodology. Training costs extra.
• Formal: Hire RA personnel with relevant experience/certification. Staffing costs extra.

COMPATIBILITY:
• New: It will be created as per the organization’s unique environment.
• Formal: The existing methodology may need to be tweaked to suit the organization’s environment, structure and culture. E.g. primary and supporting assets may be selected according to the org structure.

ADOPTION:
• New: Factors that support user adoption may be built in while developing the methodology. E.g. qualitative risk calculation is used, since it is easier for all to understand.
• Formal: Ways to enable user adoption of the methodology must be developed. E.g. the survey-based approach of OCTAVE may not work in an organization where people don’t respond to emails.

FIRST TIME USE:
• New: Not sure if it will succeed or fail, since there is no prior user experience or reviews to refer to.
• Formal: Tried and tested. Common pitfalls will be available based on others’ experiences.
RISK ASSESSMENT APPROACH: QUALITATIVE vs QUANTITATIVE

Qualitative:
• High, Medium, Low; Red, Green, Yellow
• Easy to calculate
• Less accurate, but gets the job done
• Difficult to convince stakeholders since it is based on subjective judgment

Quantitative:
• Numeric
• May include complex formulae
• Precise. Useful in $ estimations
• Easier to convince stakeholders
Risk = f (Asset Value, Threat Probability, Level of Vulnerability)
Basic concepts to be noted:
• SLE (Single Loss Expectancy) = Asset Value x Exposure Factor
• ALE (Annualized Loss Expectancy) = SLE x ARO (Annualized Rate of Occurrence)
TRUE OR FALSE?
“A truly quantitative risk assessment is not possible to achieve.”
True. Because we are assigning quantitative values to qualitative entities. For example, stating that an earthquake will occur once in 10 years and will incur a loss of INR 3 crore cannot be 100% accurate.
Ref - Shon Harris - CISSP AIO, 6th Edition
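A worked example of the SLE/ALE formulas above, added here and not part of the slides. It uses the earthquake figures from the slide (once in 10 years, INR 3 crore per event); the asset value, exposure factor, the range of ARO guesses and the safeguard cost are constructed, and safeguard_value applies the CISSP AIO cost/benefit formula, which the slides themselves do not show.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class QuantRisk:
    """One quantitatively assessed risk (all money values in INR)."""
    name: str
    asset_value: float
    exposure_factor: float  # fraction of the asset value lost per incident, 0..1
    aro: float              # annualized rate of occurrence, incidents per year

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0 or self.aro < 0:
            raise ValueError("exposure factor must be in [0, 1] and ARO non-negative")

    @property
    def sle(self) -> float:
        """Single Loss Expectancy = Asset Value x Exposure Factor (slide formula)."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO (slide formula)."""
        return self.sle * self.aro


def ale_range(risk: QuantRisk, aro_low: float, aro_high: float) -> tuple:
    """Spread of the ALE when the ARO is itself only a guess: this is why the
    slide calls a 'truly quantitative' assessment unachievable."""
    return risk.sle * aro_low, risk.sle * aro_high


def safeguard_value(before: QuantRisk, after: QuantRisk, annual_cost: float) -> float:
    """Textbook cost/benefit from CISSP AIO (not on the slides):
    (ALE before safeguard - ALE after safeguard) - annual cost of safeguard."""
    return (before.ale - after.ale) - annual_cost


CRORE = 10_000_000  # 1 crore INR

# Slide example: earthquake once in 10 years, loss of INR 3 crore per event.
# Asset value (10 crore) and exposure factor (0.3) are constructed so that SLE = 3 crore.
EARTHQUAKE = QuantRisk("Earthquake at primary data centre", 10 * CRORE, 0.3, 1 / 10)

if __name__ == "__main__":
    print(f"SLE = INR {EARTHQUAKE.sle / CRORE:.2f} crore, ALE = INR {EARTHQUAKE.ale / CRORE:.2f} crore")
    lo, hi = ale_range(EARTHQUAKE, 1 / 20, 1 / 5)  # 'once in 20 years' .. 'once in 5 years'
    print(f"ALE if the ARO guess is off: INR {lo / CRORE:.2f} to {hi / CRORE:.2f} crore")
    # Constructed safeguard: seismic bracing plus off-site DR cuts EF to 0.1 for 15 lakh/year.
    braced = QuantRisk(EARTHQUAKE.name, EARTHQUAKE.asset_value, 0.1, EARTHQUAKE.aro)
    print(f"Safeguard value = INR {safeguard_value(EARTHQUAKE, braced, 1_500_000) / 100_000:.0f} lakh/year")
```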
ISRA IN THE INDIAN CONTEXT
WHY DO A RISK ASSESSMENT?
GUESS WHICH OPTION GETS YOU MAXIMUM BUY-IN
“A formal information security risk assessment is needed to
a) Prepare for a compliance program (e.g. PCI, ISO 27001, HIPAA, etc.)
b) Formulate an information security strategy
c) Meet a compliance mandate
d) Perform a due diligence check on the current security posture”
TYPICAL RESPONSE #1 – AUDIT vs RA
“We have annual audits done by our clients. We don’t need risk assessment.”
AUDIT: WHAT HAS GONE WRONG
RISK ASSESSMENT: WHAT CAN GO WRONG
TYPICAL RESPONSE #2 – COMPLIANCE vs RA
“I am trying to check the boxes in my PCI DSS/SSAE 16 checklist. I don’t need a separate risk assessment.”
COMPLIANCE STANDARD: UNIVERSAL SET OF CONTROL REQUIREMENTS
RISK ASSESSMENT: MAPS CONTROL REQUIREMENTS TO UNIQUE NEEDS OF AN ENVIRONMENT
TYPICAL RESPONSE #3 - RoSI
“Everything eventually boils down to the numbers. How do I justify the cost invested in an RA?”
[Chart: RoSI plotted against security incidents, 0 to 100%]
CASE STUDY: CARD DATA RISK ASSESSMENT IN A BANK
Scope → Asset → Threat → Vulnerability → Risk Score → Risk Management

SCOPE
• SCOPE BY BUSINESS PROCESS
• SCOPE BY TECHNOLOGY
ASSET
• ASSET TYPE
• ASSET VALUE
• ASSET OWNER/CUSTODIAN
THREAT
• THREAT ACTOR
• THREAT MOTIVE
• THREAT ACCESS
• THREAT OUTCOME
• THREAT LIKELIHOOD
VULNERABILITY
VULNERABILITY LEVEL:
• CONTROLS ARE ABSENT
• CONTROLS ARE INEFFECTIVE/OBSOLETE
RISK SCORE
NIST SP 800-30
RISK = F (IMPACT, THREAT LIKELIHOOD) = F (ASSET VALUE, LEVEL OF VULNERABILITY, THREAT LIKELIHOOD)

Likelihood of Occurrence (rows) x Level of Impact (columns):

Likelihood \ Impact | Very Low | Low      | Moderate | High      | Very High
Very High           | Very Low | Moderate | High     | Very High | Very High
High                | Low      | Moderate | Moderate | High      | Very High
Moderate            | Low      | Low      | Moderate | Moderate  | High
Low                 | Very Low | Low      | Low      | Moderate  | Moderate
Very Low            | Very Low | Very Low | Low      | Low       | Low
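An added example, not from the slides, that scores a small card-data risk register for the bank case study against the likelihood x impact matrix above and ranks the results. The matrix values are copied from the slide as shown (NIST SP 800-30 is the cited source); the register entries and the risk-appetite rule in needs_treatment are constructed for illustration.

```python
# Five-level scale used by both axes of the matrix.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Rows: likelihood of occurrence (Very High down to Very Low, as on the slide).
# Columns: level of impact (Very Low .. Very High). Values exactly as on the slide.
RISK_MATRIX = {
    "Very High": ["Very Low", "Moderate", "High", "Very High", "Very High"],
    "High":      ["Low", "Moderate", "Moderate", "High", "Very High"],
    "Moderate":  ["Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Moderate", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Low", "Low", "Low"],
}


def risk_level(likelihood: str, impact: str) -> str:
    """Look up the qualitative risk level; rejects values outside the five-level scale."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"unknown level: {likelihood!r}/{impact!r}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


def rank_register(register):
    """Score every (name, likelihood, impact) entry and sort highest risk first
    (stable sort, so equal levels keep their register order)."""
    scored = [(name, risk_level(lik, imp)) for name, lik, imp in register]
    return sorted(scored, key=lambda e: LEVELS.index(e[1]), reverse=True)


def needs_treatment(level: str, appetite: str = "Moderate") -> bool:
    """Assumed policy (not from the slides): anything above the risk appetite must be
    mitigated, transferred or avoided; the rest may be accepted."""
    return LEVELS.index(level) > LEVELS.index(appetite)


# Constructed card-data risk register for the bank case study (illustrative values).
CARD_DATA_REGISTER = [
    ("Unencrypted database backups copied off-site", "Moderate", "Very High"),
    ("Call-centre staff can view full PAN", "High", "High"),
    ("POS terminal malware", "Low", "Very High"),
    ("Lost printed settlement report", "Very High", "Very Low"),
]

if __name__ == "__main__":
    for name, level in rank_register(CARD_DATA_REGISTER):
        action = "treat" if needs_treatment(level) else "accept"
        print(f"{level:9s} {action:6s} {name}")
```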
RISK MANAGEMENT
• ACCEPT
• TRANSFER
• MITIGATE
• AVOID
COMMON CHALLENGES, SUGGESTED SOLUTIONS
COMMON CHALLENGES
COMPREHENSIVE ASSET IDENTIFICATION
INTERNAL VS EXTERNAL RISK ASSESSORS
OUTSOURCING
TRUST
ACCURATE SCOPING
WHICH OF THE FOLLOWING IS THE BEST TIME TO DO A RISK ASSESSMENT?
• Before acquiring a company
• Just before an audit
• Just after deploying new laptops
• Before starting operations in a new facility
• Every month for all assets
• Never.
CONTINUOUS RISK ASSESSMENT
Scope → Identify → Assess → Manage → Document (repeating cycle)
NEED OF THE HOUR IN INDIAN ORGANIZATIONS
2015: STATS
[Pie chart: 74% / 26%; legend: 2015: RA Not Done, 2015: RA Done]
Ref: http://www.kpmg.com/IN/en/IssuesAndInsights/ArticlesPublications/Documents/Cyber-Crime-Survey-2015-30Nov15.pdf
72% of organizations breached
KEYS TO A SUCCESSFUL RISK MANAGEMENT PROGRAM
SUFFICIENT SECURITY SPEND
POST RISK IDENTIFICATION, WHAT’S NEXT?
TRAINING
PROACTIVE APPROACH