Risk Management (Risk Identification)
Principles of Information Security, Chapter 4, Part 1

Uploaded by kelley-mosley, 11-Jan-2016

Page 1

Risk Management (Risk Identification)
Principles of Information Security, Chapter 4, Part 1

Class discussion: is this true? Provide examples and counterexamples.

Page 2

References

1. NIST Risk Management Guide for Information Technology Systems
◦ http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf#search=%22risk%20management%20phases%22

2. SANS Overview of Threat and Risk Assessment
◦ http://www.sans.org/rr/whitepapers/auditing/76.php

3. SANS Introduction to Information Risk Assessment
◦ http://www.sans.org/rr/whitepapers/auditing/1204.php

Page 3

Principles of Information Security, 3rd Edition

Chapter Objectives (Part 1)

Upon completion of this chapter, you should be able to:

Define risk management, risk identification, and risk control

Understand how risk is identified and assessed

Assess risk based on probability of occurrence and impact on an organization

Grasp the fundamental aspects of documenting risk through the creation of a risk assessment

Page 4

Introduction

Risk Management
◦ The process of identifying and controlling risks facing an organization

Risk Identification
◦ The process of examining an organization’s current information technology security situation

Risk Control (next week)
◦ Applying controls to reduce risks to an organization’s data and information systems

Page 5

An Overview of Risk Management
Sun Tzu - Chinese General, The Art of War

Know yourself
◦ Identify, examine, and understand the information and systems currently in place.

Know the enemy
◦ Identify, examine, and understand threats facing the organization.

Responsibility of each community of interest within an organization:
◦ To manage risks that are encountered

Page 6

Roles of the Communities of Interest

Information security, management and users, and information technology all must work together.

Management review:
◦ Verify completeness/accuracy of asset inventory
◦ Review and verify threats as well as controls and mitigation strategies
◦ Review cost effectiveness of each control
◦ Verify effectiveness of controls deployed

Page 7

Risk Identification

Assets are targets of various threats and threat agents.

Risk management involves identifying the organization’s assets and identifying the threats to, and vulnerabilities of, those assets.

Risk identification begins with identifying the organization’s assets and assessing their value.

Page 8

Page 9

Asset Identification, Valuation, and Prioritization

Iterative process
◦ begins with identification of assets, including all elements of an organization’s system (people, procedures, data and information, software, hardware, networking)

Assets are then classified and categorized.

Page 10

Table 4-1 - Categorizing Components

Page 11

People, Procedures, and Data Asset Identification

Human resources, documentation, and data information assets
◦ More difficult to identify than hardware assets

People with knowledge, experience, and good judgment should be assigned this task.

These assets should be recorded using a reliable data-handling process.

Page 12

People, Procedures, and Data Asset Identification (continued)

Asset attributes for People:
◦ Position name/number/ID; supervisor; security clearance level; special skills

Asset attributes for Procedures:
◦ Description; intended purpose; what elements it is tied to; storage location for reference; storage location for update

Asset attributes for Data:
◦ Classification; owner/creator/manager; data structure size; data structure used; online/offline; location; backup procedures employed

Page 13

Hardware, Software, and Network Asset Identification

What information attributes to track depends on:
◦ Needs of organization/risk management efforts
◦ Management needs of information security/information technology communities

Asset attributes to be considered are:
◦ name; IP address; MAC address; element type; serial number; manufacturer name; model/part number; software version; physical or logical location; controlling entity

Page 14

Information Asset Classification

Many organizations use data classification schemes (e.g., confidential, internal, public data).

Classification of components must be specific enough to allow determination of priority levels.

Categories must be comprehensive and mutually exclusive
◦ An asset cannot belong to two categories at the same time; it must belong to exactly one category.
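An inventory-validation script, added here as an example and not taken from the slides or the textbook. It parses a constructed, semicolon-separated asset inventory whose columns follow the hardware/software/network attribute list on the previous slide, checks that every record is complete, that the IP and MAC fields parse, and that each asset carries exactly one label from an assumed three-level scheme (public, internal, confidential); that last check is what "comprehensive and mutually exclusive" means once the inventory is a file rather than a worksheet. The column names, the scheme, and every sample row are assumptions.

```python
from __future__ import annotations

import csv
import ipaddress
import re
from io import StringIO

# Assumed classification scheme: comprehensive (every asset fits one label)
# and mutually exclusive (no asset may carry two labels).
CLASSIFICATIONS = ("public", "internal", "confidential")

# Column names follow the slide's hardware/software/network attribute list
# plus a classification column; the header spelling is an assumption.
FIELDS = [
    "name", "ip_address", "mac_address", "element_type", "serial_number",
    "manufacturer", "model", "software_version", "location",
    "controlling_entity", "classification",
]

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Constructed sample inventory; hosts, addresses and serial numbers are invented.
SAMPLE_INVENTORY = ";".join(FIELDS) + "\n" + """\
web01;192.0.2.10;00:11:22:33:44:55;server;SN-0001;ExampleCo;X1;2.4.1;DC1 rack 3;IT Ops;internal
db01;192.0.2.20;00:11:22:33:44:66;server;SN-0002;ExampleCo;X2;14.2;DC1 rack 4;IT Ops;confidential
printer7;192.0.2.300;00:11:22:33:44;printer;;;;;Floor 2;Facilities;
kiosk1;192.0.2.40;00:11:22:33:44:88;workstation;SN-0004;ExampleCo;K1;1.0;Lobby;Facilities;public,internal
"""


def validate_record(row: dict) -> list[str]:
    """Return the problems found in one inventory record (empty list = clean)."""
    problems = []
    for field in FIELDS:  # every tracked attribute must be populated
        if not (row.get(field) or "").strip():
            problems.append(f"missing {field}")
    try:  # the address must parse so the record can be matched to scan output
        ipaddress.ip_address(row.get("ip_address") or "")
    except ValueError:
        problems.append("invalid ip_address")
    if not MAC_RE.match(row.get("mac_address") or ""):
        problems.append("invalid mac_address")
    # Mutual exclusivity: exactly one label, and it must come from the scheme.
    labels = [l.strip() for l in (row.get("classification") or "").split(",") if l.strip()]
    if len(labels) != 1:
        problems.append("classification must be exactly one label")
    elif labels[0] not in CLASSIFICATIONS:
        problems.append(f"unknown classification {labels[0]!r}")
    return problems


def validate_inventory(text: str) -> dict[str, list[str]]:
    """Validate every record; returns {asset name: problems} for flawed records only."""
    reader = csv.DictReader(StringIO(text), delimiter=";")
    report = {}
    for row in reader:
        problems = validate_record(row)
        if problems:
            report[row["name"]] = problems
    return report


if __name__ == "__main__":
    for asset, problems in validate_inventory(SAMPLE_INVENTORY).items():
        print(f"{asset}: {', '.join(problems)}")
```

Running it reports printer7 (unparseable address, short MAC, several empty attributes, no classification) and kiosk1 (two classification labels), while the two complete server records pass; the report is the list of records that cannot yet be valued or prioritized.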

Page 15

Information Asset Valuation

Questions help develop criteria for asset valuation. Which information asset:
◦ Is most critical to the organization’s success?
◦ Generates the most revenue/profitability?
◦ Would be most expensive to replace or protect?
◦ Would be the most embarrassing or cause the greatest liability if revealed?

Page 16

Figure 4-3 – Example Worksheet

Page 17

Information Asset Prioritization

Create a weighting for each category based on the answers to the valuation questions.

Calculate the relative importance of each asset using weighted factor analysis.

List the assets in order of importance using a weighted factor analysis worksheet.
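The three steps above carried through in code, as an added example that is not the textbook's Table 4-2 and not code from the slides. The criteria come from the valuation questions on page 15; the weights (chosen to sum to 100), the asset names and the 0.1 to 1.0 scores are all constructed for illustration. The weight check is there because a worksheet whose weights do not total 100 produces scores that cannot be compared between assessment rounds.

```python
from __future__ import annotations

# Valuation criteria derived from the questions on the slides; the weights are
# an assumption for this example and are chosen to sum to 100.
CRITERIA_WEIGHTS = {
    "critical_to_success": 30,
    "revenue_profitability": 40,
    "liability_if_revealed": 30,
}

# Constructed scores on a 0.1 (low) to 1.0 (high) scale; the assets are invented.
SAMPLE_ASSETS = {
    "Customer order database": {"critical_to_success": 1.0, "revenue_profitability": 1.0, "liability_if_revealed": 0.9},
    "Public web site": {"critical_to_success": 0.7, "revenue_profitability": 0.6, "liability_if_revealed": 0.3},
    "HR records": {"critical_to_success": 0.5, "revenue_profitability": 0.2, "liability_if_revealed": 1.0},
    "Marketing brochures": {"critical_to_success": 0.2, "revenue_profitability": 0.3, "liability_if_revealed": 0.1},
}


def check_weights(weights: dict[str, float]) -> None:
    """Weights must total 100 so that weighted scores are comparable across runs."""
    if round(sum(weights.values()), 6) != 100:
        raise ValueError(f"criteria weights sum to {sum(weights.values())}, expected 100")


def weighted_score(scores: dict[str, float], weights: dict[str, float] = CRITERIA_WEIGHTS) -> float:
    """Sum of weight x score over all criteria; every criterion must be scored in 0.1..1.0."""
    check_weights(weights)
    total = 0.0
    for criterion, weight in weights.items():
        if criterion not in scores:
            raise ValueError(f"no score for criterion {criterion!r}")
        score = scores[criterion]
        if not 0.1 <= score <= 1.0:
            raise ValueError(f"score {score} for {criterion!r} outside 0.1..1.0")
        total += weight * score
    return round(total, 1)


def prioritize(assets: dict[str, dict[str, float]], weights: dict[str, float] = CRITERIA_WEIGHTS) -> list[tuple[str, float]]:
    """Return (asset, weighted score) pairs, most important first."""
    rated = [(name, weighted_score(scores, weights)) for name, scores in assets.items()]
    return sorted(rated, key=lambda pair: pair[1], reverse=True)


def worksheet(assets: dict[str, dict[str, float]], weights: dict[str, float] = CRITERIA_WEIGHTS) -> str:
    """Render a weighted factor analysis worksheet as plain text, ranked."""
    criteria = list(weights)
    header = ["Asset".ljust(24)] + [f"{c} ({weights[c]})".rjust(28) for c in criteria] + ["Weighted".rjust(10)]
    lines = ["".join(header)]
    for name, score in prioritize(assets, weights):
        cells = [name.ljust(24)] + [f"{assets[name][c]:.1f}".rjust(28) for c in criteria] + [f"{score:.1f}".rjust(10)]
        lines.append("".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print(worksheet(SAMPLE_ASSETS))
```

With these inputs the order database scores 97.0 and the brochures 21.0; note that the HR records (53.0) rank just below the public web site (54.0) only because the liability criterion carries 30 points, which is exactly the kind of weighting decision the class discussion should argue about.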

Page 18

Table 4-2 – Example Weighted Factor Analysis

Page 19

Data Classification and Management

A variety of classification schemes are used by corporate and military organizations.

Information owners are responsible for classifying their information assets.

Information classifications must be reviewed periodically
◦ At least annually

Most organizations do not need the detailed level of classification used by military or federal agencies; however, organizations may need to classify data to provide protection.

Page 20

Personnel Security Clearances

In addition to data classification, personnel security clearances are also used.

Security clearance structure
◦ Each data user is assigned a single level of authorization indicating the classification level they are authorized to view.

Before accessing a specific set of data, an employee must meet the need-to-know requirement.

This extra level of protection ensures information confidentiality is maintained.
◦ Information is only released to employees with a verified need-to-know.
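The two conditions on this slide as an access decision, added here as an example and not code from the slides or the textbook. A user holds exactly one clearance level; a request is allowed only if that level is at least the data set's classification and, for anything above public, the user has a verified need-to-know for that specific data set. Each decision also yields a log line, since denied requests are what a reviewer of the clearance scheme needs to see. The level names, users and data sets are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass

# Assumed classification scheme, ordered from least to most sensitive.
LEVELS = {"public": 0, "internal": 1, "confidential": 2}


@dataclass(frozen=True)
class DataSet:
    name: str
    classification: str


@dataclass(frozen=True)
class User:
    name: str
    clearance: str                              # the user's single authorization level
    need_to_know: frozenset[str] = frozenset()  # data sets with a verified need-to-know


def can_access(user: User, data: DataSet) -> tuple[bool, str]:
    """Apply both conditions from the slide and return (decision, reason) for the audit trail."""
    for level in (user.clearance, data.classification):
        if level not in LEVELS:
            raise ValueError(f"unknown classification level {level!r}")
    # Condition 1: clearance level must be at least the data's classification level.
    if LEVELS[user.clearance] < LEVELS[data.classification]:
        return False, "clearance below classification"
    # Condition 2: anything above public is released only with a verified need-to-know.
    if LEVELS[data.classification] > LEVELS["public"] and data.name not in user.need_to_know:
        return False, "no verified need-to-know"
    return True, "allowed"


def access_log_line(user: User, data: DataSet) -> str:
    """One line per decision, so denied requests are visible to reviewers."""
    allowed, reason = can_access(user, data)
    decision = "ALLOW" if allowed else "DENY"
    return f"user={user.name} data={data.name} classification={data.classification} decision={decision} reason={reason}"


# Constructed users and data sets.
PAYROLL = DataSet("payroll", "confidential")
NEWSLETTER = DataSet("newsletter", "public")
ALICE = User("alice", "confidential", frozenset({"payroll"}))
BOB = User("bob", "confidential")                           # cleared, but no need-to-know for payroll
CAROL = User("carol", "internal", frozenset({"payroll"}))   # need-to-know, but clearance too low

if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL):
        for d in (PAYROLL, NEWSLETTER):
            print(access_log_line(u, d))
```

Bob's case is the one the slide is about: a clearance alone is never sufficient, and the need-to-know set is kept per data set rather than per level so that it can be reviewed and revoked independently of the clearance.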

Page 21

Management of Classified Data

Includes storage, distribution, portability, and destruction of classified data.

Information that is not unclassified or public must be clearly marked as such.

Clean desk policy requires all information to be stored in an appropriate storage container daily
◦ Unneeded copies of classified information are destroyed.

Dumpster diving can compromise information security.

Page 22

Threat Identification

Realistic threats need investigation; unimportant threats are set aside.

Threat assessment:
◦ Which threats present danger to assets?
◦ Which threats represent the most danger to information?
◦ How much would it cost to recover from an attack?
◦ Which threat requires the greatest expenditure to prevent?

Page 23

Vulnerability Identification

Specific avenues threat agents can exploit to attack an information asset are called vulnerabilities.

Examine how each threat could be perpetrated and list the organization’s assets and vulnerabilities.

The process works best when people with diverse backgrounds within the organization work iteratively in a series of brainstorming sessions.

At the end of the risk identification process, a list of assets and their vulnerabilities is achieved. (Deliverable for the Risk Identification Process)

Page 24

Risk Assessment

Risk assessment evaluates the relative risk for each vulnerability.

It assigns a risk rating or score to each information asset.

Page 25

Likelihood

The probability that a specific vulnerability will be the object of a successful attack.

Assign a numeric value between 0.1 (low) and 1.0 (high), or a number between 1 and 100 (this is the rating model).

Zero is not used, since vulnerabilities with zero likelihood are removed from the asset/vulnerability list.

Use the selected rating model consistently.

Use external references for values that have been reviewed/adjusted for your circumstances.
◦ Insurance charts, other references assigning ratings.

Page 26

Risk Determination

For the purpose of relative risk assessment, risk equals:

[ Asset value × Likelihood of occurrence (%) ]
×
[ 100% - % risk already controlled + % uncertainty ]

Page 27

Example

Asset A
◦ value = 50
◦ Vulnerability 1: likelihood 1.0, no current controls
◦ Estimate 90% accurate

Asset B
◦ value = 100
◦ Vulnerability 2: likelihood = 0.5, current control = 50%
◦ Vulnerability 3: likelihood = 0.1, no current controls
◦ Estimate 80% accurate

Calculations:

Asset A - Vulnerability 1
Risk = (50 * 1.0) * (100% - 0% + 10%) = 50 * 110% = 55 Relative Risk Rating

Asset B - Vulnerability 2
Risk = (100 * 0.5) * (100% - 50% + 20%) = 50 * 70% = 35 Relative Risk Rating

Asset B - Vulnerability 3
Risk = (100 * 0.1) * (100% - 0% + 20%) = 10 * 120% = 12 Relative Risk Rating
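The formula from page 26 and the worked example above in code, added here as an example; the function, the input validation and the tabular rendering are mine, not the textbook's. Percentages are passed as fractions, uncertainty is derived from the stated estimate accuracy (90% accurate gives 10% uncertainty), and the likelihood check enforces the 0.1 to 1.0 rating model from page 25, so a zero-likelihood item is rejected rather than silently rated 0. The three rows reproduce the slide's figures of 55, 35 and 12 and come out ranked as the slide lists them.

```python
from __future__ import annotations


def relative_risk(asset_value: float, likelihood: float, controlled: float, uncertainty: float) -> float:
    """Slide formula with percentages as fractions (0.5 means 50%).

    risk = (asset value x likelihood) x (100% - % already controlled + % uncertainty)
    """
    if not 0.1 <= likelihood <= 1.0:  # 0.1..1.0 rating model; zero-likelihood items are dropped, not rated
        raise ValueError(f"likelihood {likelihood} outside 0.1..1.0")
    if not 0.0 <= controlled <= 1.0 or not 0.0 <= uncertainty <= 1.0:
        raise ValueError("controlled and uncertainty must be fractions in 0..1")
    return round(asset_value * likelihood * (1.0 - controlled + uncertainty), 2)


# The slide's example, tabulated: (asset, vulnerability, value, likelihood,
# fraction already controlled, accuracy of the estimate).
SLIDE_EXAMPLE = [
    ("Asset A", "Vulnerability 1", 50, 1.0, 0.0, 0.90),
    ("Asset B", "Vulnerability 2", 100, 0.5, 0.5, 0.80),
    ("Asset B", "Vulnerability 3", 100, 0.1, 0.0, 0.80),
]


def rank_vulnerabilities(rows) -> list[tuple[str, str, float]]:
    """Rate every asset/vulnerability pair and sort by relative risk, highest first."""
    rated = []
    for asset, vuln, value, likelihood, controlled, accuracy in rows:
        uncertainty = round(1.0 - accuracy, 2)  # 90% accurate -> 10% uncertainty
        rated.append((asset, vuln, relative_risk(value, likelihood, controlled, uncertainty)))
    return sorted(rated, key=lambda r: r[2], reverse=True)


def ranked_worksheet(rows) -> str:
    """Text rendering of a ranked vulnerability risk worksheet."""
    lines = [f"{'Asset':<10}{'Vulnerability':<18}{'Risk rating':>12}"]
    for asset, vuln, risk in rank_vulnerabilities(rows):
        lines.append(f"{asset:<10}{vuln:<18}{risk:>12.1f}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(ranked_worksheet(SLIDE_EXAMPLE))
```

Uncertainty is added, not subtracted: a less accurate estimate raises the rating, which keeps poorly understood vulnerabilities from dropping out of view just because nobody has measured them yet.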

Page 28

Identify Possible Controls

For each threat and associated vulnerabilities that have residual risk, create a preliminary list of control ideas.

Residual risk
◦ The risk that remains to an information asset even after an existing control has been applied.

3 general categories of controls
◦ policies - documents that specify the approach to security
◦ programs - activities performed to improve security
◦ technologies - technical implementations of policies

Page 29

Access Controls

Specifically address admission of a user into a trusted area of the organization.

Access controls can be:
◦ Mandatory access controls (MAC): give users and data owners limited control over access to information.
◦ Nondiscretionary controls: managed by a central authority in the organization; can be role-based or task-based.
◦ Discretionary access controls (DAC): implemented at the discretion or option of the data user.

Page 30

Documenting the Results of Risk Assessment

The final summary is given in a ranked vulnerability risk worksheet.

Worksheet details
◦ asset, asset impact, vulnerability, vulnerability likelihood, and risk-rating factor

The ranked vulnerability risk worksheet is the initial working document for the next step in the risk management process: assessing and controlling risk.

Page 31