neupart webinar 1: four shortcuts to better risk assessments

Webinar: 4 shortcuts to professional IT risk assessments. Presented by Lars Neupart, Founder, CEO of Neupart Information Security Management, [email protected], twitter @neupart

Uploaded by: lars-neupart

Posted on: 18-Nov-2014


DESCRIPTION

At this webinar, you will learn how to perform risk assessments and risk analysis based on the most commonly used standards for information security. You will learn about:
● Business Impact Assessments
● Vulnerability Assessments
● Threat Catalogues
● Risk Reporting
● Carrying out a risk assessment project
● Responsible shortcuts to better risk assessments
Language: English
For a full list of Neupart's webinars and other events visit www.neupart.com/events

TRANSCRIPT

Page 1: Neupart webinar 1: Four shortcuts to better risk assessments

Webinar: 4 shortcuts to professional IT risk assessments

Presented by Lars Neupart, Founder, CEO of Neupart Information Security Management, [email protected], twitter @neupart

Page 2: About Neupart

• ISO 27001 certified company.
• Provides SecureAware®, an all-in-one, efficient ISMS solution allowing organizations to automate IT governance, risk and compliance management.
• "The ERP of Security"
• HQ in Denmark, subsidiary in Germany and a 200+ customer portfolio covering a wide range of private enterprises and governmental agencies.

IT GRC = IT Governance, Risk & Compliance Management

Page 3: Program

• Introduction
• Business Impact Assessments
• Threat Catalogues
• Vulnerability Assessments
• Carrying out a risk assessment project
• Summary of shortcuts to better risk assessments

Page 4: Selected ISO 2700x standards

ISO 27000 • Overview and vocabulary
ISO 27001 • Information Security Management Systems - Requirements
ISO 27002 • Code of practice for information security management
ISO 27003 • ISMS Implementation Guidelines
ISO 27004 • Information Security Management - Measurement
ISO 27005 • Information Security Risk Management
ISO 27006 • Requirements for bodies providing audit and certification
+ + + + (further standards in the 2700x series)

Page 5: ISO 31000 Enterprise Risk Management

(Diagram: Plan / Do / Check / Act cycle)

Page 6: Comparing ISO 27005 and NIST SP 800-30

ISO 27005                            | NIST SP 800-30
-------------------------------------+-------------------------------
Context establishment                |
Identification of assets             | System Characterization
Identification of threats            | Threat Identification
Identification of existing controls  | Vulnerability Identification
Identification of vulnerabilities    | Control Analysis
Identification of consequences       |
Assessment of consequences           | Likelihood Determination
Assessment of incident likelihood    | Impact Analysis
Risk estimation                      | Risk Determination
Risk evaluation                      |
Risk treatment                       | Control Recommendations
Risk acceptance                      |
Risk communication                   | Results Documentation

Each column lists its standard's steps in that standard's own order, so rows sit side by side rather than being one-to-one equivalents (ISO 27005 identifies existing controls before vulnerabilities and assesses consequences before likelihood; SP 800-30 does the reverse in both cases). The NIST column is the nine steps of the 2002 edition of SP 800-30; Revision 1 (2012) restructured the process into preparing for, conducting, communicating and maintaining the assessment, so check which edition your auditor expects.

Page 7: ISO 27005

ISO 27005 is:
• Threat-based risk management guidance
• Considered best practice
• Well aligned with other risk frameworks
• A method to comply with ISO 27001 risk management requirements

Page 8: Business Impact Assessment

ISO 27005: Estimate the business impact from breaches of CIA (confidentiality, integrity, availability)
• Financial terms: revenue, cash flow, costs, liabilities
• Non-financial terms: image, non-compliance, competitiveness, service level

Page 9: Example: Business Impact Assessment

(Screenshot: example from SecureAware)

Page 10: Threats

Page 11: Example: Threat Catalogue

(Screenshot: example from SecureAware)

Page 12: Not all assets burn (hint: link your threats to asset types)

(Screenshot: example from SecureAware)

Page 13: IT Risk Management - Explained

(Diagram, reconstructed from the slide labels:)

Threats have a Threat Frequency and a Threat Effect.
Preventive Measures act on Threat Frequency and reduce Incident Likelihood.
Corrective Measures act on Threat Effect and reduce Incident Consequence.
Incident Likelihood and Incident Consequence together give the Risk, which drives Prioritization.

Reduce Likelihood - Proactive Security (preventive measures):
IT Security Policy, Compliance & Awareness, Change Management, Operating Procedures, Access Control, Monitoring, System Redundancy, Firewall, Antivirus

Reduce Consequence - Reactive Security (corrective measures):
IT Service Continuity Teams, IT Service Continuity Strategy, IT Service Continuity Plans, Disaster Recovery Procedures, Emergency Operations Flexibility, Standby Equipment, Virtualization, Backup

Page 14: Vulnerability & control environment assessment

(Diagram: controls placed on two axes, Administrative Measures vs Physical / Technical Measures, and Preventive Measures vs Corrective Measures.)

Controls shown on the slide: Firewalls, Antivirus, Server Clusters, RAID, Backup/Restore, Standby Equipment, Virtualization, Security Policy, System Documentation, Awareness, Compliance Checks, Alarm System, Fire Suppression, Logging, Change Management, IT Service Continuity Plan, Disaster Recovery Procedures, Business Continuity Strategy, Redundancy, Access Control System, Standby Site, Server snapshots, Monitoring

Recommendation: Base assessments on a maturity level scale.

Assess how well your controls address relevant threats.

Page 15: Example: Vulnerability Assessments

(Screenshot: example from SecureAware)

Page 16: Assets: Dependency Hierarchy

Business Impact values are inherited downwards.
Vulnerability values are inherited upwards.

Example asset layers from the slide, top to bottom (each layer depends on the ones below it):
Business Process: Finance
IT Service: ERP
Business system: Dynamics AOS
Database: Finance DB
Virtual Server: Server 01, Server 02
Hardware unit: HP DL380, HP DL380
Data Storage: SAN 01
Datacenter: Data Center Oslo

Page 17: Business Processes & IT Services

(Diagram: Business Process 1 and Business Process 2 depend on IT Services, some on premise and some delivered by a vendor, e.g. cloud.)

Business Impact Scores inherit downwards.
Vulnerability Scores inherit upwards.

Page 18: High level assessments

• You can postpone the more detailed assessments and analysis.
• Begin at the top:
  - A high level BIA can combine different impact types, e.g. revenue, cost, cash flow, image, in a single question.
  - A high level vulnerability assessment can combine different threats in a single question.

Page 19: An assessment project step-by-step

• What business processes, IT services, etc. to include (assets)?
• Who to involve in the assessments?
• Perform interviews / collect data
• Reporting and communication

Page 20: Risk Management

• Risk Owner
• (Assets)
• Threats
• Business Impact Assessment
• Vulnerability Assessment
• Reporting & evaluating
• Treating (Accept, Reduce, Share, Avoid)

Page 21: Keep it simple

Risk Management = Risk Assessments + Risk Treatment

Page 22: Neupart's 4 responsible short-cuts

PS! They also apply to the 2013 edition of ISO 27001 :-)

1: Not all threats
Do not use the complete threat catalogue on each of your assets (relevant threats depend on asset type).

2: Inheritance
• Business impact values inherit downwards
• Vulnerability scores inherit upwards
• Asset dependencies / hierarchy

3: Not all assets
Assess your most important assets first (you can add more later).

4: High level first
• Make an overall assessment first, refine later
• Example: assess threats combined first, individually later
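The following Python is an added example, not code from the webinar or from SecureAware. It shows how shortcuts 1 and 2 above, the asset dependency hierarchy of pages 16 and 17, and the likelihood-times-consequence model of page 13 fit together in one small model: a threat catalogue whose entries are linked to asset types, a dependency graph in which business impact inherits downwards and vulnerability inherits upwards, and a risk score per asset and threat for prioritisation. The asset names mirror the slide's example tree, but every score, threat entry, the 1-5 scales, the "unassessed counts as fully exposed" rule and the multiplicative risk formula are constructed assumptions for illustration; ISO 27005 leaves the scales and the estimation method to you.

```python
"""Added example (not Neupart's or SecureAware's code): inheritance of
business-impact and vulnerability scores over an asset dependency hierarchy,
with a threat catalogue linked to asset types.  Asset names mirror the
webinar's example tree; all threats and scores are constructed."""
from dataclasses import dataclass, field

UNASSESSED = 5  # assumption: a relevant but unassessed threat counts as fully exposed


@dataclass
class Asset:
    name: str
    kind: str                                          # asset type, e.g. "database"
    impact: dict = field(default_factory=dict)         # own BIA score 1-5 per C/I/A
    vulnerability: dict = field(default_factory=dict)  # own score 1-5 per threat (5 = weakest controls)
    depends_on: list = field(default_factory=list)     # names of assets this one runs on


# Shortcut 1: each catalogue entry names the asset types it can hit and the CIA
# attributes it harms, so a threat is only ever asked about where it applies.
THREATS = {
    "fire":                {"kinds": {"datacenter", "hardware"},   "affects": {"A"}},
    "storage failure":     {"kinds": {"storage", "hardware"},      "affects": {"A", "I"}},
    "unauthorised access": {"kinds": {"database", "system", "vm"}, "affects": {"C", "I"}},
    "vendor outage":       {"kinds": {"service"},                  "affects": {"A"}},
}


def relevant_threats(asset):
    """Only the catalogue entries linked to this asset's type."""
    return {t for t, spec in THREATS.items() if asset.kind in spec["kinds"]}


class Hierarchy:
    def __init__(self, assets):
        self.assets = {a.name: a for a in assets}
        self.parents = {n: [] for n in self.assets}  # reverse edges: who depends on me
        for a in assets:
            for dep in a.depends_on:
                if dep not in self.assets:
                    raise KeyError(f"{a.name} depends on unknown asset {dep!r}")
                self.parents[dep].append(a.name)
        self._check_acyclic()

    def _check_acyclic(self):
        # A dependency cycle would make both inheritance rules recurse forever.
        state = {}

        def visit(n):
            if state.get(n) == "visiting":
                raise ValueError(f"dependency cycle through {n!r}")
            if state.get(n) != "done":
                state[n] = "visiting"
                for d in self.assets[n].depends_on:
                    visit(d)
                state[n] = "done"

        for n in self.assets:
            visit(n)

    def impact(self, name):
        """Shortcut 2a: business impact inherits downwards. An asset is at least
        as critical, per C/I/A attribute, as anything that depends on it."""
        score = dict(self.assets[name].impact)
        for p in self.parents[name]:
            for attr, v in self.impact(p).items():
                score[attr] = max(score.get(attr, 0), v)
        return score

    def vulnerability(self, name):
        """Shortcut 2b: vulnerability inherits upwards. An asset is at least as
        exposed as anything it depends on, for every threat found below it."""
        asset = self.assets[name]
        score = {t: asset.vulnerability.get(t, UNASSESSED) for t in relevant_threats(asset)}
        for d in asset.depends_on:
            for t, v in self.vulnerability(d).items():
                score[t] = max(score.get(t, 0), v)
        return score

    def risks(self, name):
        """Risk per threat = inherited impact on the attributes the threat harms,
        multiplied by the inherited vulnerability to that threat (assumed formula)."""
        imp = self.impact(name)
        return {t: max(imp.get(a, 0) for a in THREATS[t]["affects"]) * v
                for t, v in self.vulnerability(name).items()}

    def prioritised(self):
        """(risk, asset, threat) rows sorted with the highest risk on top."""
        rows = [(r, n, t) for n in self.assets for t, r in self.risks(n).items()]
        return sorted(rows, reverse=True)


# Constructed inventory modelled on the slide's example tree: only the business
# process carries its own BIA, everything below inherits it.
INVENTORY = [
    Asset("Finance", "process", impact={"C": 3, "I": 5, "A": 4}, depends_on=["ERP"]),
    Asset("ERP", "service", vulnerability={"vendor outage": 1}, depends_on=["Dynamics AOS"]),
    Asset("Dynamics AOS", "system", vulnerability={"unauthorised access": 2}, depends_on=["Finance DB"]),
    Asset("Finance DB", "database", vulnerability={"unauthorised access": 4}, depends_on=["Server 01"]),
    Asset("Server 01", "vm", vulnerability={"unauthorised access": 2}, depends_on=["HP DL380", "SAN 01"]),
    Asset("HP DL380", "hardware", vulnerability={"fire": 2, "storage failure": 2}, depends_on=["Data Center Oslo"]),
    Asset("SAN 01", "storage", vulnerability={"storage failure": 3}, depends_on=["Data Center Oslo"]),
    Asset("Data Center Oslo", "datacenter", vulnerability={"fire": 2}),
]

if __name__ == "__main__":
    h = Hierarchy(INVENTORY)
    for risk, asset, threat in h.prioritised()[:5]:
        print(f"{risk:3}  {asset:18} {threat}")
```

Two design points are worth noting. Inheritance uses max rather than sum in both directions, which is the conservative reading of "inherits": a database is exactly as critical as the most critical process that needs it, and a process is exactly as exposed as the weakest link beneath it, so a single badly controlled database drives the risk of every process above it. And an asset whose relevant threats were never assessed scores as fully exposed rather than as zero, so gaps in the interviews surface at the top of the report instead of disappearing from it; shortcut 4 (assess combined first, refine later) then amounts to starting with a one-entry catalogue and splitting it as the detailed interviews come in.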

Page 23: Resources

• White papers and presentations at the Neupart blog: treatingrisk.blogspot.com
• Educational webinars and SecureAware live demos at our website: neupart.com/events
• SecureAware ISMS tool: www.neupart.com/products
  - ISO 27001 Policy & Compliance Management, IT Risk Management
  - Out of the box solution; free trial

Page 24: More webinars

• Treating Risks - today 4pm CET
• SecureAware Live Demo - tomorrow 2pm
neupart.com/events

INFORMATION SECURITY MANAGEMENT

Page 25: Asset Management

Page 26: Your best and worst assets

(Screenshot: example from SecureAware)

Page 27: Risk Management Projects

(Screenshot: example from SecureAware)

Page 28: Key features summary - Risk TNG

• Business impact assessment
• Vulnerability assessment
• Role based interviews
• Flexible asset inventory for any type of asset, e.g. business processes, IT services, and their relationships
• Customizable threat catalogue
• Risk dashboards & flexible reporting options
• Risk treatment processes
• API