msis 4253 exam 1-chapters 1-5 lecture notes


Upload: nightmonkey215

Post on 20-Jan-2016


Page 1: MSIS 4253 Exam 1-Chapters 1-5 Lecture Notes

MSIS 4253 Systems Certification and Accreditation

Exam #1: Lecture Notes- Chapters 1-5

Chapter #1 Information Security Risk Management Imperatives and Opportunities

IT Risk Management
• Information loss is always rated in the top 5 of concerns for CEOs/CIOs
   o Loss of information
   o Loss of productivity
   o Loss of revenue

Vulnerabilities, Threats, Exploits, and Controls
• Risk: The expected loss. The aggregation of the possibilities, their probabilities, and the loss associated with each possibility

Information Security
• Confidentiality – Can we keep communications private?
• Integrity – Keeping the information from being manipulated
• Availability – Ex. Amazon
• Authentication and Non-repudiation (IA)

**RM Process
• Risk identification
   o Asset identification. Ex. Expensive car, 2014 Mustang?
   o Risk identification
• Risk assessment
   o Driving ex. Weather, texting and driving
• Risk mitigation planning
   o Ex. Driving in Oklahoma: if you can, you should park under cover. What insurance should I get to cover my car?
• Risk mitigation implementation
   o Following through with the mitigation
• Evaluation of RM effectiveness
   o Did it work? (car being restored by insurance)

Risk Identification
• Process of identifying threats, threat sources, vulnerabilities, and events
   o Malicious: Someone coming to try to harm us. Take down our server, steal our data, mess up our data
   o Environmental: Weather. Building's power taken out by storm
   o Planned: Things we know are risks (driving out on the road)
   o Random: Hitting a deer


Risk Assessment
• Calculating quantitatively the potential damage and/or monetary cost. Entails:
   o Quantifying the potential damage
   o Quantifying the probability the damage will occur
   o Based on previous events, subject matter experts, and audits

Risk Mitigation Planning
• Controlling and mitigating IT risks
• Cost-Benefit Analysis
   o Cost/benefit of you mitigating the risk? Sargent ex. Sometimes you have to figure out something else
• Selection, Implementation, Test, and Evaluation of Security Safeguards
• Prioritizing
   o Look at all risks and threats and where you should spend your money to help your infrastructure
• Considers effectiveness and efficiency
• Mission impact
• Constraints due to policy, regulation and laws (certain controls you can't put into place because of laws)
• Impact on other systems (Biros added)

Risk Mitigation Implementation
• Deploying the risk mitigation techniques that were determined in risk mitigation planning
• Deployment decisions
   o Direct cutover: Turn off the old control and cut the other one on
   o Parallel operation: Keep both in place for a time and eventually cut over
   o Prioritizing: Where certain controls go

Evaluation of Mitigation Effectiveness
• Monitoring environment
• Pre/Post Measurement: Is your intrusion detection system good?
• Measuring effectiveness against the previous set of threats, vulnerabilities, and events
   o Test the effectiveness against the system
• Determining new threats, vulnerabilities or events due to the modifications

Risk Management Models
• Authors' model
• ISO 27002
• NIST SP 800-30
• Draft ISO/IEC 31000
• AS/NZS 4360:2004
• Microsoft approach
• Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) by CERT


Top Business Liabilities
1. Loss or theft of customer data
2. Business disruptions from IT failures and disruptions
3. Loss of integrity for critical IT assets and information: you don't know if the right info is being pushed out
   o Biros Dissertation: manipulated military data
4. E-Discovery issues
   o Hacking 101: finding all data about your target

Orgs That Need an RM Program? Characteristics
• Has IT assets
• Data
• Proprietary information
• Keeps financial data, health data or PII (personally identifying information)
• Requires formal documentation and policies
• Required to adhere to SOX, HIPAA, FERPA, FISMA and others
• Fiduciary responsibility to stockholders

Points to Ponder
• IS Security spending was $30 Bil in 2005; "reported" losses were at $15 Bil
• Systems don't configure themselves; tools don't run themselves
   - Remember there's a huge human factor in this
• Technological and Procedural IS RM capabilities
• Ready-to-go human resources
   - People who know what's expected from them
• 90% of all successful IS incidents could have been avoided had RM been accomplished
   - If we had known the risks. Example: Hospital back access door, keycard

RM Team member skills
• IT knowledge
   o What it does, what it's capable of
• IS/IA knowledge
   o What kind of threats are out there, vulnerabilities
• Basic quantitative skills
   o Cost benefit analysis, single loss expectancy
• Understanding of the operational needs of the organization
   o Security can either enhance or inhibit operational needs
• Good presentation skills
   o Oral
   o Written


Some Perspectives
• IS is 1/3 technical, 2/3 policy and procedures
• Security depends more on people than tech
• Employees are a greater threat than outsiders: not malicious, just ignorant
• Only as strong as the weakest link
• Degree of security depends on:
   o The risk one is willing to tolerate
   o Functionality of the system: some systems are so old people don't know how to hack them
   o Cost one is prepared to pay
• Security is not a snapshot, but an on-going process: this should never end

Other thoughts:
• Security techniques have been around since the 1970s
• According to the Open Security Foundation's DataLossDB, in 2008 there were 246 reported incidents that could most likely have been avoided with encryption
• The majority of companies spend relatively little time on information security…
• Yet… According to the Information Security Forum's biennial status survey, on average a business-critical information resource will:
   o Someone (a company) suffers an IS incident almost every working day (225 incidents a year)
   o Have a 58% chance of experiencing a major incident over the course of a year

So what's the problem?

RM Problems
• Low awareness of RM activities in both the public and private sector
   o Most people don't know what it is.
• Absence of a "common language"
   o A lot of people don't understand the risk management language.
• Lack of surveys on existing methods, tools, and good practices
   o We don't know what works, or what works well or not so well
• Limited or non-existent interoperability of methods and integration with corporate governance

Critical Components for Successful RM
• Top leadership support
• Well defined list of RM stakeholders
   o Understand who they are
• Org maturity in terms of RM
   o Guy is just trying to make sure companies don't get hacked
• Open communication
• Spirit of teamwork
• Holistic view of the organization
• Authority throughout the process


In the end… It's really about the protection of information in all forms:
• Printed or written on paper
   o Dumpster diving; shred it
• Stored electronically
   o Traditional storage - HD
   o Removable storage – multi-terabyte drives are more difficult to deal with
   o Remnant security –
• In transit
   o Target: from the point of sale to the database
• Shown on film
• Spoken
• EEFI
• Etc.

It's about the information, stupid

Chapter 2: Information Security Risk Management Defined

Basic Definitions
• Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy.

Basic Definitions
• Threat: The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.
• Threat-Source: Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability

Common Threat-Sources
• Natural Threats—Floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and other such events.
• Human Threats—Events that are either enabled by or caused by human beings, such as unintentional acts (inadvertent data entry) or deliberate actions (network based attacks, malicious software upload, unauthorized access to confidential information).
• Environmental Threats—Long-term power failure, pollution, chemicals, liquid leakage.

Basic Definitions
• Controls: Means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which could be administrative, management, technical, or legal in nature

Control Techniques
• Preventive controls inhibit attempts to violate security policy and include such controls as access control enforcement, encryption, and authentication.
• Detective controls warn of violations or attempted violations of security policy and include such controls as audit trails, intrusion detection methods, and checksums.

Basic Definitions
• Risk: The mathematical combination of the likelihood of an event and the impact (expected value of the loss)


• Risk Management: The on-going process whereby the threats, vulnerabilities, and potential impacts from the security incident are evaluated against the cost of safeguard implementation

Risk Management Sub-Processes
• Risk assessment
• Risk analysis
• Risk mitigation
• Uncertainty analysis
• Threat assessment
• Vulnerability assessment
• Probability estimation
• Internal control reviews
• Audits
• Rate of occurrence estimation
• Asset valuation
• Adequate and appropriate protection of assets
• Cost-Benefit Analysis
• Application security reviews/audits
• Verification reviews

Mathematical Definition of Risk
• Risk = (probability of an event occurring) X (impact of the event)
• Often difficult to exactly calculate risk
• Many orgs establish 3-5 levels of probability, low to high, and establish p via historical data, fiat, SMEs, or other means
• Timeframes and other data may also be added

Financial Metrics
• To adequately establish a risk value, financial metrics must be used:
   o Monetary value of assets
   o List of significant threats
   o P of each threat occurring
   o Recommended safeguards, controls (and costs) and remediation/implementation actions

Calculating Damage
• Overall value of the asset to the organization
• Immediate financial impact of losing the asset
• Indirect business impact of losing the asset

Calculating Damage cont'd
• Exposure factor: percentage of loss that a single threat could have on a certain asset
• Single Loss Expectancy (SLE): total amount of loss from a single occurrence of the risk
• Annual Rate of Occurrence (ARO): Normalized rate at which the risk exposure resulting in actual damage occurs during one year
• Annual Loss Expectancy (ALE): Total amount of money that an organization will lose in one year if nothing is done to mitigate the risk

ROSI
• Return On Security Investment (ROSI) = ALE before control – ALE after control – Annual cost of control
• Simply put, the task is to 1) identify and prioritize assets to be protected, 2) identify relevant threats and the probability of their occurrence and 3) compare the expected losses with the cost of appropriate countermeasures.
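To make the arithmetic above concrete, here is an added worked example (not code from the notes or their textbook) that computes SLE, ALE and ROSI exactly as the notes define them (SLE = asset value x exposure factor, ALE = SLE x ARO, ROSI = ALE before minus ALE after minus annual cost of the control) and then ranks candidate controls by ROSI as the cost-benefit step. The asset value, exposure factors, ARO values and control costs are constructed sample figures.

```python
"""Worked example of the Chapter 2 financial risk metrics: SLE, ARO, ALE and ROSI.

Added illustration, not code from the lecture notes or their textbook.
All asset values, exposure factors, rates and control costs below are
constructed sample numbers, not data from the notes.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Threat:
    """One threat against one asset, quantified with the notes' metrics."""
    name: str
    asset_value: float      # monetary value of the asset to the organization
    exposure_factor: float  # fraction (0..1) of the asset lost in one occurrence
    aro: float              # annual rate of occurrence of actual damage


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and the metric(s) it is expected to change."""
    name: str
    annual_cost: float
    exposure_factor_after: Optional[float] = None  # None = EF unchanged
    aro_after: Optional[float] = None              # None = ARO unchanged


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: total loss from a single occurrence = asset value x exposure factor."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return round(asset_value * exposure_factor, 2)


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE: expected loss per year if nothing is done = SLE x ARO."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return round(sle * aro, 2)


def rosi(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """ROSI as stated in the notes: ALE before - ALE after - annual cost of control."""
    return round(ale_before - ale_after - annual_cost, 2)


def evaluate_control(threat: Threat, control: Control) -> dict:
    """Apply a control to a threat and report the before/after metrics and ROSI."""
    sle_before = single_loss_expectancy(threat.asset_value, threat.exposure_factor)
    ale_before = annual_loss_expectancy(sle_before, threat.aro)

    ef_after = control.exposure_factor_after
    if ef_after is None:
        ef_after = threat.exposure_factor
    aro_after = control.aro_after
    if aro_after is None:
        aro_after = threat.aro
    sle_after = single_loss_expectancy(threat.asset_value, ef_after)
    ale_after = annual_loss_expectancy(sle_after, aro_after)

    return {
        "control": control.name,
        "sle_before": sle_before,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "annual_cost": control.annual_cost,
        "rosi": rosi(ale_before, ale_after, control.annual_cost),
    }


def rank_controls(threat: Threat, controls: list) -> list:
    """Cost-benefit step: rank candidate controls by ROSI, best first.

    A negative ROSI means the control costs more per year than it saves,
    which is the case where 'sometimes you have to figure out something else'.
    """
    results = [evaluate_control(threat, c) for c in controls]
    return sorted(results, key=lambda r: r["rosi"], reverse=True)


# Constructed sample scenario (hypothetical numbers, not from the notes).
CUSTOMER_DB_RANSOMWARE = Threat(
    name="ransomware encrypts the customer database",
    asset_value=500_000.0,
    exposure_factor=0.4,   # 40% of the asset's value lost per incident
    aro=0.5,               # expected once every two years
)

CANDIDATE_CONTROLS = [
    Control("offline backups", annual_cost=15_000.0, exposure_factor_after=0.1),
    Control("email filtering", annual_cost=8_000.0, aro_after=0.2),
    Control("full platform rebuild", annual_cost=120_000.0, exposure_factor_after=0.0),
]

if __name__ == "__main__":
    for row in rank_controls(CUSTOMER_DB_RANSOMWARE, CANDIDATE_CONTROLS):
        print(f"{row['control']:<24} ALE before {row['ale_before']:>10,.2f} "
              f"ALE after {row['ale_after']:>10,.2f} ROSI {row['rosi']:>10,.2f}")
```

With these figures the full rebuild drives ALE to zero yet has a negative ROSI, which is the situation the cost-benefit bullet above is warning about.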

Minimum IT RM
• ID software vulnerabilities and patching
• Data confidentiality controls
• Data integrity controls
• System integrity controls (availability)


Basic Threat Checklist
• See Table 2.4, pages 59-60 of text
• What are the likelihood and impacts of each?
• Note the broad range of threats
• See Table 2.5, page 61, for a partial list of tools to mitigate some of the threats

Enterprise Architecture (EA)
• Creates a map for the IT assets and business processes, along with a set of governance principles that drive an on-going discussion about business strategy and how it can be expressed through IT.
• The EA seeks to create a unified IT environment (standardize hardware and software) across a firm or all of the firm's business units, with tight symbiotic links to the business side of the organization and its strategy.

Productivity Paradox… RM Paradox

Chapter 2 Appendices
• Read and review the Chapter 2 Appendices 2A.1 thru 2A.5 for a more complete list of:
   o IS Threats
   o IS Vulnerabilities
   o IS Impacts
   o IS Risk Events
   o IS Controls
• You will be responsible for those appendices

Chapter 3: Information Security Risk Management Standards

What's a Standard?
• Something set up and established by an authority as a rule for the measure of quantity, weight, extent, value, or quality
• A commonly accepted way of performing a task or doing something

Why Have Standards?
• Provides for a common language
• Reduces costs
• Assures quality and integrity
• Demonstrates accomplishment of legal, regulatory, or policy obligations
• Demonstrates a level of performance

Common Standard Making Bodies (International and US)
• International Standards Organization (ISO)
• Internet Engineering Task Force (IETF)
• American National Standards Institute (ANSI)
• National Institute of Standards and Technology (NIST)

Legal Requirements
• Federal Information Security Management Act of 2002 (FISMA)
• Family Educational Rights and Privacy Act (FERPA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Sarbanes-Oxley (SOX)


Recall the Risk Management Processes
• Ongoing ID of threats, vulnerabilities, and events
• Risk assessment (probability of event happening x impact)
• Risk mitigation planning (i.e., ROSI)
• Risk mitigation implementation
• Evaluation of mitigation effectiveness

ISO/IEC Standards
• ISO/IEC 13335-1:2004: IT Security Techniques
• ISO/IEC 27000 Series: Family of standards; all things information security
• ISO/IEC 27001:2005: IS Management System requirements
• ISO/IEC 18028:2006: Network Security
• ISO/IEC 18044:2004: Incident Management
• ISO/IEC 31000: Risk Management Series

ISO/IEC 13335-3:1998
• Identification of assets
• Valuation of assets and establishment of dependencies between assets
• Threat and vulnerability assessment
• ID of existing or planned safeguards
• Assessment of risk exposure

ISO/IEC 27000 Series
• Provides generally accepted best practices and guidance on establishing, operating, monitoring, reviewing, maintaining and improving a documented ISMS
• The ISMS is a security governance/management process that is or can be used by an organization to handle information security and risk management
• Describes the fundamentals and vocabulary

ISO/IEC 27001:2005
• Defines the requirements for an ISMS
• An ISMS is a management system for dealing with information security risk exposures
   o Provides a framework for policies; procedures; and physical, legal, and technical security controls forming the organization's overall risk management process
   o Incorporates the Deming "Plan, Do, Check, Act" cycle

PDCA
• Plan: Define requirements, assess risks, decide controls
• Do: Implement and operate the ISMS
• Check: Monitor and review the ISMS
• Act: Maintain and continuously improve the ISMS


Why 27000?
• Certification against an accepted standard is increasingly being demanded by business partners
• Engenders rigor and formality in the process
• Certification bodies around the world recognize the standard
• Still growing as a recognized standard (50 million corporations/institutions in the world)

ISO/IEC 27001:2005 Specifications for an ISMS
• Formulate security requirements and objectives
• Ensure security risks are effectively managed
• Ensure compliance with laws and regulations
• Framework for implementing controls
• Incorporate new security processes
• Identify and clarify existing security processes
• Status of information security process
• Used by auditors to demonstrate IS policy
• Provides information security information to customers

ISO 27002:2005 Security Controls
• Identifies a set of 133 controls, under 33 security objectives, to address IS risk exposure
• Controls not mandatory; organizations can choose those that are applicable
• Code of practice, not a formal specification
• Provides a listing of best practices

Overarching 27002 Security Tenets: Security Policy
• A high-level policy statement defining key directives and mandates of the organization
• A comprehensive apparatus of specific organizational security policies and instructions
• Provides a clear statement of the organization's posture on issues such as:
   o Computer and Network Security
   o Acceptable Use
   o Training
   o Incident Response
   o Certification and Accreditation

27002 Tenet: Organization of Information Security
• Considers security controls for internal and external parties
   o Internal: Roles and responsibilities, confidentiality agreements, contracts and special interest groups
   o External: Deals with 3rd party risk exposures such as contractors, service providers, suppliers, and customers


27002 Tenet: Asset Management
• Inventory of information assets
• Inventory of IT assets
   o Hardware
   o Software
   o Data
   o Systems
   o Storage media
   o Supporting systems (HVAC, UPS)
• Should include security priority classification and acceptable use policies

27002 Tenet: Human Resource Security
• Controls for "joiners, movers, and leavers"
• Recruiting best practices
• IS education and training of employees
• Disciplinary process for breaches in security
• Return of corporate assets, removal of access rights
• Changes in rights and data access privileges for those who move within the organization

27002 Tenet: Physical and Environmental Security
• Physical protection from malicious or accidental damage
   o Overheating
   o Loss of power
   o Emanations
   o Cabling
• Fires, floods, storms, sabotage

27002 Tenet: Communications and Operations Management
• Operational and procedural responsibilities (separation of operational and development systems)
• Third-party service delivery management
• System planning and acceptance
• Protection against malicious code and mobile code
• Back up
• Network management
• Media handling
• Exchange of information
• Electronic commerce services
• Network monitoring


27002 Tenet: Access Control
• Codified in access control policy
• User access management
   o Authentication
   o Rights and privileges
   o Periodic review of rights
• User responsibilities
• Network access controls
• Operating system controls
• Application and information access controls
• Mobile computing and telework

27002 Tenet: Information Systems Acquisition, Development and Maintenance
• Security requirements for IT systems
• Correct processing in application systems
• Cryptographic controls
• Security of system files
• Security in development and support processes
• Technical vulnerability management

27002 Tenet: IS Incident Management
• Responsibilities
• Procedures
• CERT
• Handling of evidence
• Reporting to public
• Reconstitution of systems and information

27002 Tenets: Others
• Business Continuity Management
   o Disaster recovery
   o Continuity management
   o Contingency planning
• Compliance
   o Legal requirements
   o Security policy and standards
   o Information system audit considerations

ISO/IEC 27003
• Provides implementation guidance for ISMS
• Sections
   o Obtain management approval for the ISMS
   o Defining scope and policy
   o Conducting business analysis
   o Conducting risk assessments
   o Designing ISMS
   o Implementation


ISO/IEC 27004
• Security Techniques and Measurements
• In second final committee draft
   o Provides guidance toward selecting measurements for evaluating the effectiveness of the ISMS
   o Usually related to controls
   o Measurements can take years to adequately develop

ISO/IEC 31000
• Provides the first international standard for "risk management"
• The 27000 series focuses on the ISMS; part of the ISMS is risk management
• Note that it is for all RM in all domains, not just information systems

ISO/IEC 31000: Principles
• RM should create value
• RM should be an integral part of organizational processes
• RM should be a part of decision making
• RM should explicitly express uncertainty
• RM should be systematic and structured
• RM should be based on the best available information
• RM should be tailored (to the org's risk tolerance)
• RM should take into account human factors
• RM should be transparent and inclusive
• RM should be dynamic, iterative, and responsive to change
• RM should be capable of continuous improvement and enhancement

NIST Standards
• Provides a series of special publications (SPs) to support information security and risk management
• Covers vulnerabilities, threats, exploits, controls and measurement
• For this class, the focus is on specific information systems
• Will be covered in detail during the latter half of the class

AS/NZS 4360
• Will not be covered in this class
• Students are not responsible for its content


Chapter 4 Information Security Risk Management Methods and Tools

RM Method
• Well defined process (a series of activities) based on a published standard (Chapter 3)
• RM Phases
   o ID threats, vulnerabilities and events
   o Risk assessment
   o Risk mitigation planning
   o Risk mitigation implementation
   o Evaluation of mitigation effectiveness

RM Tools
• A plethora of tools (Table 4.1)
• Can be based on standards
   o National
   o International (ISO 27000)
   o De facto (OCTAVE)
   o Sector based [industry]
   o Individual organization
   o Adoption of a similar system standard

Which tool to use?
• Varies from organization to organization
• An industry based approach
   o Allows for certification against a methodology
   o Gives stakeholders and trading partners some assurance
   o Due diligence
• Each tool has trade-offs
• Many tools are now automated

Review of Selected RM Methods
• Large number of tools
• Often country based
• Many follow ISO standards and follow the same basic steps
• Use both quantitative and qualitative methods
• Our focus will be limited to US methods
• However, knowledge of the existence of other countries' methods could be helpful
   o Mergers
   o Trading partners
   o Global/International expectations

FAIR
• Factor Analysis of Information Risk
• Framework for understanding, analyzing, and measuring information risk
• Can work with other tools such as COBIT and OCTAVE (Chapter 5)
• Provides a
   o Taxonomy of the factors that make up risk
   o Method for measuring risk
   o Computational engine to understand relationships between measured factors
   o Simulation model for building risk scenarios

An Example: Terrorist Threat
• Motive: ideology
• Primary intent: damage/destroy
• Sponsorship: unofficial
• Preferred general target characteristics: entities or people who clearly represent a conflicting ideology
• Preferred specific target characteristics: high profile, high visibility
• Preferred targets: human, infrastructure
• Capability: varies by attack vector
• Personal risk tolerance: high
• Concern for collateral damage: low

Points to ponder
• If the previous example were a record in a database, what could be derived:
   o Other threats with like characteristics
   o Mitigation strategies targeted to those characteristics
   o Effectiveness of mitigation strategies and controls against multiple threats
   o Prioritization of mitigation strategies and controls
   o Comparison to other organizations

FIRM
• Fundamental Information Risk Management
• Developed by the Information Security Forum (ISF)
• Scalable to organizations of all sizes
• Has supporting products and modules for risk identification, analysis, and evaluation
   o Standard of good practice for information security
   o FIRM and the revised FIRM scorecard
   o Information Security Status Survey
   o Information Risk Analysis Methodologies (IRAM) project
   o Simple to apply risk analysis (SARA)
   o Simplified process of risk evaluation (SPRINT)

SPRINT
• Can help identify the vulnerabilities of existing systems and the safeguards needed to protect them
• Can define the security requirements for systems under development and define the controls needed to satisfy them
   o Secure SA&D
   o Baked-in vs. Bolted-on


FMEA
• Failure Modes and Effects Analysis
• Examines potential ways a system might fail and cause adverse effects
   o Lists assets under consideration and their intended use
   o Collects security related requirements for assets
   o Elaborates threats and applies them to systems to determine vulnerabilities
   o Scores the risks
   o Proposes and implements mitigation strategies
• Helps prioritize requirements by analyzing likelihood levels against severity levels (sound familiar?)
• Uses high, medium, low scores for both axes of the matrix
• Acceptable risk scores are decided by the organization
• Goal is to develop measures that will best reduce risk to acceptable levels
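As an added illustration of the FMEA scoring just described (not code from the notes), the block below scores each failure mode on a high/medium/low likelihood x severity matrix, compares the score with an organization-chosen acceptable value, prioritizes what exceeds it, and re-scores after a proposed mitigation. The assets, threats, level assignments and the threshold of 3 are constructed; the keycard row borrows the hospital back-door example from Chapter 1.

```python
"""FMEA-style risk matrix: likelihood x severity with low/medium/high axes.

Added illustration; not code from the lecture notes. Assets, threats,
level assignments and the acceptance threshold are constructed samples.
"""
from dataclasses import dataclass, replace
from typing import Optional

# Ordinal values for the three levels used on both axes of the matrix.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class FailureMode:
    """One row of the FMEA worksheet: an asset, its use, and one way it fails."""
    asset: str
    intended_use: str
    threat: str
    likelihood: str       # "low", "medium" or "high"
    severity: str         # "low", "medium" or "high"
    mitigation: str = ""  # filled in once a measure has been proposed


def risk_score(likelihood: str, severity: str) -> int:
    """Matrix cell value: likelihood level x severity level, from 1 to 9."""
    try:
        return LEVELS[likelihood] * LEVELS[severity]
    except KeyError as exc:
        raise ValueError(f"unknown level {exc}; use low, medium or high") from exc


def is_acceptable(mode: FailureMode, threshold: int) -> bool:
    """The organization decides the acceptable score; at or below it passes."""
    return risk_score(mode.likelihood, mode.severity) <= threshold


def prioritize(modes: list, threshold: int) -> list:
    """Failure modes that exceed the threshold, highest score first."""
    over = [m for m in modes if not is_acceptable(m, threshold)]
    return sorted(over, key=lambda m: risk_score(m.likelihood, m.severity),
                  reverse=True)


def mitigate(mode: FailureMode, mitigation: str,
             likelihood_after: Optional[str] = None,
             severity_after: Optional[str] = None) -> FailureMode:
    """Propose a measure and re-score: returns a new row with the lowered levels."""
    return replace(mode,
                   likelihood=likelihood_after or mode.likelihood,
                   severity=severity_after or mode.severity,
                   mitigation=mitigation)


# Constructed worksheet (hypothetical rows, not data from the notes).
ACCEPTABLE_SCORE = 3  # chosen by the organization; constructed value

WORKSHEET = [
    FailureMode("patient records database", "clinical lookups",
                "unpatched database server exploited", "high", "high"),
    FailureMode("hospital back access door", "staff entry",
                "lost keycard used by an outsider", "medium", "medium"),
    FailureMode("public brochure website", "marketing",
                "defacement", "medium", "low"),
]


def worked_example() -> dict:
    """Run the FMEA cycle once: score, prioritize, mitigate, re-score."""
    before = prioritize(WORKSHEET, ACCEPTABLE_SCORE)
    db, door = before[0], before[1]
    db_after = mitigate(db, "monthly patch cycle", likelihood_after="low")
    door_after = mitigate(door, "same-day keycard revocation", likelihood_after="low")
    return {
        "over_threshold_before": [m.asset for m in before],
        "db_score_before": risk_score(db.likelihood, db.severity),
        "db_score_after": risk_score(db_after.likelihood, db_after.severity),
        "door_score_after": risk_score(door_after.likelihood, door_after.severity),
        "all_acceptable_after": all(is_acceptable(m, ACCEPTABLE_SCORE)
                                    for m in [db_after, door_after, WORKSHEET[2]]),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```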

FRAP
• Facilitated Risk Analysis Process
• A qualitative approach to RA
   o Identifies threats
   o Establishes probability that the threat will occur
   o Determines the impact of the threat
   o Can adjust risk levels
   o Identifies mitigating controls and safeguards
   o Helps to develop an implementation action plan
• Facilitator led process
• Establishes the:
   o Assessment scope
   o Assessment definitions
   o Process for prioritizing threats
• Business driven process
• Helps an organization to select the appropriate methodology for assessing risk

ISAMM
• Information Security Assessment Monitoring Method
• Helps an organization define the ISMS for obtaining ISO 27001 certification
• Quantitative approach using the formula:
   o Annual loss expectancy = Probability X Average Impact
• Planner can show and simulate the effect on the risk ALE of each improvement measure and compare it to the cost of the investment
• Can show this in a number of visual formats
• Like most other tools, ISAMM helps with
   o ID of assets and threats
   o Vulnerability level and threat probability and impact
   o Representation of risks and probability and impact
   o DS for acceptability of risks
   o DS for selection of safeguards
   o Graphic representations and reports
• ISAMM RM has 4 parts
   o Scoping
   o Assessment of compliance and threats
   o Validation of compliance and threats
   o Result – calculation and reporting


ISO 31000 Methodology
• Step 1: Understanding the organization and the environment
• Step 2: Define the RM policy
• Step 3: Achieve integration in organizational policy
• Step 4: Define accountability
• Step 5: Identify resources
• Step 6: Establish internal communications and reporting measures
• Step 8: Develop a plan for implementation
• Step 9: Implementing the framework for managing risk
• Step 10: Implementing the process
   o 10.1: Communication and consultation
   o 10.2: Establishing the context
   o 10.3: Developing risk criteria
   o 10.4: Risk assessment
   o 10.5: Preparing and implementing treatment plans
   o 10.6: Recording the RM process
   o 10.7: Monitoring and review
• Step 11: Monitoring and review of the framework
• Step 12: Continual improvement of the framework
• Ultimate goal is to achieve ISO 31000 certification

Other tools include
• IT-Grundschutz (IT Baseline Protection Manual)
• MAGERIT (Methodology for IS Risk Analysis and Management)
• MEHARI (Harmonized Risk Analysis Method)
• Microsoft's Security Risk Management Guide
• MIGRA
• NIST
• NSA IAM/IEM/IA-CMM
• Open source approach

Commonality among approaches
• Follow a similar structure: Identify, Analyze Risk, Prioritize, Select and Implement Controls
• Provides documentation to prove an RM was accomplished
• Many tools now offer a database of risks and controls to conduct "what-if?" analysis
• Tool vendors will help… for a price

Selecting a tool
• Standards-based or not
• Quantitative or qualitative
• Cost and value of tool (ROI)
• Maintainability and support
• Usability
• Scalability

Chapter 5: COBIT and OCTAVE


COBIT
• Control Objectives for Information and Related Technology
   o Links IT to business requirements
   o Organizes IT into a generally accepted process model
   o Identifies the major IT resources to be leveraged
   o Defines management control objectives
• RM is a part of COBIT

Information Criteria
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability

IT Resources Considered
• Applications
• Information
• Infrastructure
• People

Process-Oriented Approach
• Plan and Organize
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate

IT and Application Control
• IT Controls
   o Systems development
   o Change management
   o Security
   o Computer operations
• Application Controls
   o Completeness
   o Accuracy
   o Validity
   o Authorization
   o Segregation of duties

Support Maturity Models
• What are our industry peers doing and how are we placed in relation to them?
• What is acceptable industry good practice and how are we placed with regard to these practices?
• Based on these comparisons, can we be said to be doing enough?
• How do we identify what is required to be done to reach an adequate level of management and control over our IT processes?

COBIT Points to Ponder
• RM and Security are subsets of COBIT
• However, if using COBIT for other purposes it can do a lot to help prepare a Risk Analysis or C&A
   o Can help avoid redundancies of effort
   o Can help when new systems are developed
   o Can help with configuration control

OCTAVE
• Operationally Critical Threat, Asset and Vulnerability Evaluation
• Series of workshops by teams of the organization's personnel
   o ID critical assets
   o ID vulnerabilities and threats
   o Develop protection strategy and risk mitigation plans

OCTAVE Method
• Keys to success
   o Senior management sponsorship
   o Select analysis team
   o Scope OCTAVE
   o Select participants
• Phases
   o Build Asset-Based Threat Profiles
   o Identify Infrastructure Vulnerabilities
   o Develop Security Strategy and Plans

Build Asset-Based Threat Profiles
• Process 1: Identify Senior Management Team
• Process 2: Identify Operational Area Management Knowledge
• Process 3: Identify Staff Knowledge
• Process 4: Create Threat Profiles

Identify Infrastructure Vulnerabilities
• Process 5: Identify Key Components
• Process 6: Evaluate Selected Components

Develop Security Strategy and Plans
• Process 7: Conduct Risk Analysis
• Process 8: Develop Protection Strategy

OCTAVE Points to Ponder
• Assumes much of this hasn't already been done
   o Not necessarily a blank slate
• Assumes the top management team is available for support
• Somewhat of a precursor for true Risk Management and C&A