
Managing Information Security Risks

Protiviti, April 2013


© 2010 Protiviti Inc.

CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. 2

“It takes twenty years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently.” – Warren Buffett



New World Order of Information – Data Loss, Theft, Compromise, and… Consequences

• Data Security and Privacy is a Major Area of Concern

• More and More Volume Creates Greater Opportunities

• Companies Reluctant to Divulge Loss or Theft Unless Required by Law

• Scale of Vulnerabilities is Not Always Known – Only See Headlines

• Damage Assessment is Difficult – Don’t know What Was Actually Stolen

• Lack of Data Governance Increases Risks

• Advanced Persistent Threat is a Considerable Issue

• Social Engineering Continues to be a Clear Vector for Opportunists


What is Risk Management?

• Risk is the potential for loss resulting from inadequate or failed internal processes, people and systems, or from external events.

• Impact of Risk Exposure

– Legal Implications Resulting in Fines or Other Actions

– Loss of Credibility and Damage to Brand

– Lack of Consumer or Customer Confidence

– Business Disruption

• The goals of Risk Management

– Dimension risk exposure (quantitative and qualitative) to enable management to confirm an acceptable level of risk

– Ensure adequate controls, maintaining exposure and losses within acceptable levels

– Determine the appropriate level of capital to absorb extreme losses associated with risks that do not lend themselves to controls.


Data Security and Privacy – Real Issues and Challenges

• There are real and increased concerns over information leakage, data retention and data loss

• Custodianship is still a major issue – internal data owners, third parties, cross-business process use

• Data risk assessments struggle to identify in-scope assets – where is the data?

• Where is it stored, processed and transmitted? Is there an understanding of transitory data that may be both ‘at rest’ and ‘in motion’?

• Compliance is often a silo from other compliance initiatives – competing for the same dollars

• Awareness and education are as important as the actual controls

• Increased requirements for 3rd party reviews and due diligence

• Technology improvements are tearing at data silos (Warehouses, Shared Services, Virtualization, Technology out- and co-sourcing)

• Ongoing struggle to deliver successful Identity & Access Management


Who’s to Blame?

Headline News (Source: Information Week, October 2007, Final Edition): “Theft Of Gap Laptop Puts 800,000 Job Applicants At Risk”

What really happened – “The laptop was stolen from one of the retailer's third-party vendors that manages information on job applicants.”

Ponemon Annual Study: Cost of a Data Breach (2009 chart): Third Party 42%, Internal 58%


Overall Cost of a Breach

The cost of a data breach continues to grow: a 1.5% increase from 2008 ($201 per record) to 2009 ($204 per record), and a 12.7% increase since 2006 ($181 per record).

Ponemon 2009 Annual Study: Cost of a Data Breach


Growing Regulatory Compliance Requirements


Information Security Risk Assessment – Getting to a Destination


How do you get there?

Plan

• Formalize a plan for Information Risk Management

• Identify Stakeholders and Obtain Support

Execute

• Select a Risk Management Framework

• Ensure a Comprehensive Approach and Scope

Monitor

• Complete Assessment with Risk Outcomes

• Identify Ownership, Manage, Report, and Assess Mitigation


Goals of IT Risk Assessment and Management

• Accurate view on current and near-future IT-related events

• End-to-end guidance on how to manage IT-related risks

• Understanding of how to capitalize on the investment made in an IT internal control system already in place

• Integration with the overall risk and compliance structures within the enterprise

• Common language to help manage the relationships

• Promotion of risk ownership throughout the organization

• Complete risk profile to better understand risk


What is Data Security and Privacy?

Security

• Security is securing or protecting data assets. Typically viewed as the CIA triangle (Confidentiality, Availability and Integrity)

• Numerous models – ISO 27001/2, NIST 800-53, COBIT, etc.

Privacy

• Privacy is protecting the confidentiality of private data (personal information, proprietary data, etc.), of which Security is one element

• The main Privacy Model we see today is GAPP (Generally Accepted Privacy Principles)


Components of Security and Privacy

A. External Vulnerability Assessment

B. Internal Vulnerability Assessment

C. Wireless Security

D. Data Privacy

E. PCI

F. IT Security Governance

G. Social Engineering / Phishing

H. Physical Security

I. IT Regulatory Compliance Reviews

J. IT Security Process Reviews

K. Data Governance

L. Infrastructure Security

M. Other (Email Security, Workstation Security, Database Security, etc.)

Protiviti Technology Risk Model


Example of a Risk Management Framework: ISO 27001 (Information technology – Security techniques – Information security management systems – Requirements)

Security Policy

• Information Security Policy

Organization of Information Security (Organizational Security)

• Manage information security within the Company

• Information Security Infrastructure

• Security of Third Party Access

• Outsourcing

Asset Management (Asset Classification and Control)

• Accountability for Assets

• Information Classification

Human Resource Security (Personnel Security)

• Security in Job Definition and Resourcing

• User Training

• Responding to Security Incidents and Malfunctions

Physical and Environment Security

• Secure Areas

• Equipment Security

• General Controls

Communications and Operational Management

• Operational Procedures and Responsibilities

• System Planning and Acceptance

• Protection Against Malicious Software

• Housekeeping

• Network Management

• Media Handling and Security

• Exchanges of Information and Software

Access Control

• Business Requirement for Access Control

• User Access Mgmt

• User Responsibilities

• Network Access Control

• Operating system access control

• Application Access Control

• Monitoring system access and use

• Mobile Computing and Tele-working

Systems Development and Maintenance

• Security Requirements of Systems

• Security in Application Systems

• Cryptographic Controls

• Security of System Files

• Security in the development and support processes

Information Security and Incident Management

• Incident Detection

• Incident Response

• Incident Escalation

Business Continuity Management

• Aspects of Business Continuity Management

Compliance

• Compliance with legal requirements

• Review of Security Policy and Tech controls

• System Audit Considerations


Data Sensitivity and What It Means

Business Value Oriented Solutions (pyramid; from bottom to top: More Sensitive, More Resource Intensive)

HIGH VALUE (5-10%)

• Sensitive And Critical

• Major Impact if Compromised

• Highest Cost for Protection

MEDIUM VALUE (80-90%)

• Impact if Compromised

• Highest Volume of Data

LOW VALUE (5-10%)

• Little to No Impact

• Not Considered a Loss


Risk Analysis Phases

Risk Assessment Methodology

• Identification of Safeguards

• Threat Assessment

• Asset Identification

• Vulnerability Assessment

• Risk Determination

• Reporting

• Remediation Planning

Information Security Framework (ISF) Layers

• Reactive processes that enable management to measure how well policies are implemented and followed and when they need to be changed.

• Technologies needed to provide the appropriate protection and support critical processes.

• Management strategies for information technology and relevant policies, standards, guidelines or directives used to communicate these strategies to the organization.

• Proactive processes that turn policies into awareness programs, change management, security administration and other activities.


Approach: Risk Analysis Activities

PHASE I – Asset Identification

• Document security landscape, create context diagram

• Inventory and integrate current asset management/identification data

• Choose from the following options:

– Facilitated sessions with upper management and business unit management

– Self-service survey sent to business units

– Combination of 1 & 2

• Determine asset classification (information, people, business process, etc.)

• Determine asset valuation approach (quantitative vs. qualitative)

• Categorize assets by ISF layer

• Perform asset valuation/prioritization

PHASE II – Threat Assessment

• Apply previously identified threats to each layer in the ISF

• Customize threats to organization based on CIA (Confidentiality, Integrity, Availability)

• Identify additional threats

• Identify existing countermeasures

• Identify likelihood of occurrence for each threat

PHASE III – Vulnerability Assessment

• Obtain detailed documentation of infrastructure components

• Conduct assessments at each layer of the ISF:

– Identify vulnerability types and categories

– Identify impact and likelihood of vulnerabilities

PHASE IV – Risk Determination

• Determine risk strategy (mitigation, acceptance, transference)

• Quantify risks based on management defined scale

• Identification of risk acceptance authority

• Validate risk levels with management

• Prioritize risk

PHASE V – Identification of Countermeasures

• Develop options to move business risk to an acceptable level

• Work with management to choose effective countermeasures

• Identify safeguard gaps

• Develop an action plan for risk mitigation

• Create a continuous risk assessment process

• Integrate risk assessment into overall risk management strategy

Note: Each phase is a discrete activity which could be delivered in combination with other phases or performed standalone. In addition, we may be able to leverage previous work or documentation within the various phases.


Approach: Sample Deliverables

PHASE I – Asset Identification

• Detailed asset inventory for all relevant business systems and processes

• Asset inventory tied to each level of the ISF

• Asset valuation and prioritization

• Security Landscape and Context Diagram

PHASE II – Threat Assessment

• A listing of all identified threats to identified assets

• For each threat, a tieback to a specific ISF layer and specific asset

• For each threat – the likelihood of occurrence, taking into account existing countermeasures

PHASE III – Vulnerability Assessment

• A complete vulnerability assessment, organized by ISF layer

• For each weakness identified in the vulnerability assessment, the business risk will be categorized according to the scale selected by management

PHASE IV – Risk Determination

• A completed threat table, including:

– Likelihood of occurrence

– Business Risk

– Overall risk level

PHASE V – Identification of Countermeasures

• A prioritized list of threats, risks, and identified countermeasures – providing a roadmap to the future

• Additionally, a gap analysis comparing your organization to leading practices

Automation Communication Project Management Business Focus


Risk Assessment Metrics

Risk Calculation

Impact Severity * Occurrence Likelihood = Inherent Risk – Safeguards (Controls) = Residual Risk

Asset Valuation: Assets are defined as systems or applications used to store, process or transmit client data. Specific asset categories are to be discussed and agreed upon in the beginning stages of the review.

Impact Severity: Impact severity is the measure of the effect a vulnerability will have on an asset when exercised by a threat. For the Risk Assessment, impact severity was defined by the amount of cardholder data and sources likely to be exposed.

Occurrence Likelihood: This is the estimated probability that a threat will occur for a given asset.

Safeguards: The technical, procedural, or physical measures in place that protect an asset from risk.

Risk Calculation: Inherent risk was calculated as high, medium or low by cross-indexing the metric factors for impact severity and likelihood of occurrence on the table below. This table was calibrated to represent the total reputational and financial risks presented to the client by the threat-vulnerability-asset pairings in the SRA tool.

Residual Risk: Residual risk is calculated as high, medium or low based on the highest-risk individually assessed threat, vulnerability and safeguard (TVS) combination. The risk rating for the TVS combination is based on the revised likelihood and severity calculation, accounting for the effect of an applied safeguard. The metrics are adapted from NIST and other leading methodologies as well as input from client management regarding quantitative scale metrics. For each asset, threat, vulnerability and safeguard combinations are assessed for residual risk. The totality of TVS combinations is assessed with consideration for the data affected.
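A worked instance of the Risk Calculation defined on this slide, added here as an example (it is not code from the Protiviti deck or its SRA tool): severity and likelihood are ordinal LOW/MEDIUM/HIGH values, inherent risk is read off a cross-index table, each applied safeguard revises likelihood and/or severity, and the asset's residual risk is the highest residual rating among its threat-vulnerability-safeguard (TVS) combinations. The 3x3 calibration table, the "one safeguard lowers a factor by N scale steps" model, and the sample asset data are constructed assumptions, since the deck's own table is not reproduced in this transcript.

```python
# Added example (not from the Protiviti deck): a small risk calculator that
# follows the slide's metric definitions. The calibration table and the
# sample TVS data below are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List

LEVELS = ("LOW", "MEDIUM", "HIGH")  # ordinal scale; index is the rank

# Assumed calibration of the cross-index table (the deck's own table is not in
# the transcript). Outer key: impact severity; inner key: occurrence likelihood.
INHERENT_TABLE: Dict[str, Dict[str, str]] = {
    "LOW":    {"LOW": "LOW",    "MEDIUM": "LOW",    "HIGH": "MEDIUM"},
    "MEDIUM": {"LOW": "LOW",    "MEDIUM": "MEDIUM", "HIGH": "HIGH"},
    "HIGH":   {"LOW": "MEDIUM", "MEDIUM": "HIGH",   "HIGH": "HIGH"},
}


@dataclass
class Safeguard:
    """A control; reductions are in scale steps (1 step turns HIGH into MEDIUM)."""
    name: str
    likelihood_reduction: int = 0
    severity_reduction: int = 0


@dataclass
class TVS:
    """One threat / vulnerability / safeguard combination for an asset."""
    threat: str
    vulnerability: str
    severity: str
    likelihood: str
    safeguards: List[Safeguard] = field(default_factory=list)


def step_down(level: str, steps: int) -> str:
    """Lower an ordinal level by `steps`, never below LOW."""
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}")
    return LEVELS[max(0, LEVELS.index(level) - steps)]


def inherent_risk(severity: str, likelihood: str) -> str:
    """Impact Severity x Occurrence Likelihood, cross-indexed on the table."""
    return INHERENT_TABLE[severity][likelihood]


def residual_risk(tvs: TVS) -> str:
    """Inherent Risk minus Safeguards: re-rate with the revised severity and likelihood."""
    severity, likelihood = tvs.severity, tvs.likelihood
    for sg in tvs.safeguards:
        severity = step_down(severity, sg.severity_reduction)
        likelihood = step_down(likelihood, sg.likelihood_reduction)
    return inherent_risk(severity, likelihood)


def assess_asset(combinations: List[TVS]) -> Dict[str, object]:
    """Rate every TVS combination; the asset rating is the highest residual one."""
    rows = []
    for tvs in combinations:
        rows.append({
            "threat": tvs.threat,
            "vulnerability": tvs.vulnerability,
            "inherent": inherent_risk(tvs.severity, tvs.likelihood),
            "residual": residual_risk(tvs),
        })
    asset_level = max((r["residual"] for r in rows), key=LEVELS.index, default="LOW")
    return {"asset_residual_risk": asset_level, "combinations": rows}


# Constructed sample data for one asset (an application holding cardholder data).
SAMPLE_ASSET = [
    TVS("Phishing of remote users", "Remote access without a second factor",
        severity="HIGH", likelihood="HIGH",
        safeguards=[Safeguard("Security awareness training", likelihood_reduction=1)]),
    TVS("Laptop theft", "Cardholder data cached on an unencrypted disk",
        severity="HIGH", likelihood="MEDIUM",
        safeguards=[Safeguard("Full-disk encryption", severity_reduction=2)]),
    TVS("Web application attack", "Unvalidated input in the reporting module",
        severity="MEDIUM", likelihood="MEDIUM"),
]

if __name__ == "__main__":
    report = assess_asset(SAMPLE_ASSET)
    for row in report["combinations"]:
        print(f"{row['threat']:<26} inherent={row['inherent']:<7} residual={row['residual']}")
    print("asset residual risk:", report["asset_residual_risk"])
```

Note how the asset rating follows the deck's rule rather than an average: the encryption control drives the laptop-theft combination from HIGH to LOW, but the phishing combination is still HIGH after training alone, so the asset stays HIGH and the risk acceptance authority has to decide on that one.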


Example: Initiative Summary Heatmap

Axes: Impact (Low / Medium / High) against Ease of Implementation (Easy: 0 – 3 months; Moderate: 3 – 6 months; Difficult: 6 – 9+ months). The positions of the initiatives on the grid are not recoverable from the transcript.

Initiatives

1 IS Policy and Compliance

2 Information Security Governance

3 Information Classification and Labeling

4 Access Control - Logical & Physical

5 Incident Response

6 – 9 (numbering not recoverable from the transcript): Systems Development Life Cycle; Monitoring & Logging; IT Audit & Assessment; Vulnerability Assessment and Management Program

10 Business Continuity Management

11 Vendor Management Program


Summary

Risk Management must

• Take a complete look at technology across the enterprise

• Be grounded in business risk and business context

When you measure risk

• Use quantitative factors in addition to the qualitative measures

• Focus on the maturity of the risk assessment over time

• Involve and educate all stakeholders in the risk assessment process

Use risk assessment to

• Drive your security and privacy plans

• Enable the organization to assess, manage, and accept risk


Questions and Comments


Mario Balakgie

1701 Pinnacle Drive, Suite 1600

McLean, VA 22102

Direct: 571.382.7231

Mobile: 571.277.1188

Fax: 571.382.7327

[email protected]

Powerful Insights. Proven Delivery.™