Risk Management (Risk Identification)
Principles of Information Security, Chapter 4, Part 1
Class discussion: is this true? Provide examples and counterexamples.
References
1. NIST, Risk Management Guide for Information Technology Systems (SP 800-30)
◦ http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
2. SANS, Overview of Threat and Risk Assessment
◦ http://www.sans.org/rr/whitepapers/auditing/76.php
3. SANS, Introduction to Information Risk Assessment
◦ http://www.sans.org/rr/whitepapers/auditing/1204.php
Principles of Information Security, 3rd Edition 3
Chapter Objectives (Part 1)
Upon completion of this chapter, you should be able to:
◦ Define risk management, risk identification, and risk control
◦ Understand how risk is identified and assessed
◦ Assess risk based on probability of occurrence and impact on an organization
◦ Grasp the fundamental aspects of documenting risk through the creation of a risk assessment
Introduction
Risk Management
◦ The process of identifying and controlling risks facing an organization
Risk Identification
◦ The process of examining an organization's current information technology security situation
Risk Control (covered next week)
◦ Applying controls to reduce risks to an organization's data and information systems
An Overview of Risk Management
Sun Tzu, Chinese general, The Art of War:
Know yourself
◦ Identify, examine, and understand the information and systems currently in place.
Know the enemy
◦ Identify, examine, and understand the threats facing the organization.
Responsibility of each community of interest within an organization:
◦ To manage the risks that are encountered
Roles of the Communities of Interest
Information security, management and users, and information technology all must work together.
Management review:
◦ Verify completeness/accuracy of the asset inventory
◦ Review and verify threats as well as controls and mitigation strategies
◦ Review cost effectiveness of each control
◦ Verify effectiveness of controls deployed
Risk Identification
Assets are targets of various threats and threat agents.
Risk management involves identifying organization’s assets and identifying threats/vulnerabilities to/of those assets.
Risk identification begins with identifying organization’s assets and assessing their value.
Asset Identification, Valuation, and Prioritization
Iterative process
◦ Begins with identification of assets, including all elements of an organization's system (people, procedures, data and information, software, hardware, networking)
Assets are then classified and categorized
Table 4-1 - Categorizing Components
People, Procedures, and Data Asset Identification
Human resources, documentation, and data information assets
◦ More difficult to identify than hardware assets
People with knowledge, experience, and good judgment should be assigned this task
These assets should be recorded using a reliable data-handling process
People, Procedures, and Data Asset Identification (continued)
Asset attributes for People:
◦ Position name/number/ID; supervisor; security clearance level; special skills
Asset attributes for Procedures:
◦ Description; intended purpose; what elements it is tied to; storage location for reference; storage location for update
Asset attributes for Data:
◦ Classification; owner/creator/manager; data structure size; data structure used; online/offline; location; backup procedures employed
Hardware, Software, and Network Asset Identification
What information attributes to track depends on:
◦ Needs of the organization/risk management efforts
◦ Management needs of the information security/information technology communities
Asset attributes to be considered are:
◦ Name; IP address; MAC address; element type; serial number; manufacturer name; model/part number; software version; physical or logical location; controlling entity
Information Asset Classification
Many organizations use data classification schemes (e.g., confidential, internal, public data)
Classification of components must be specific enough to allow determination of priority levels
Categories must be comprehensive and mutually exclusive
◦ An asset cannot belong to two categories at the same time; it must belong to exactly one category
Information Asset Valuation
Questions help develop criteria for asset valuation. Which information asset:
◦ Is most critical to the organization's success?
◦ Generates the most revenue/profitability?
◦ Would be most expensive to replace or protect?
◦ Would be the most embarrassing or cause the greatest liability if revealed?
Figure 4-3 – Example Worksheet
Information Asset Prioritization
Create a weighting for each category based on the answers to the questions
Calculate the relative importance of each asset using weighted factor analysis
List the assets in order of importance using a weighted factor analysis worksheet
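The weighted factor analysis described above, as an added example (this is not code from the textbook or the slides). The criteria come from the valuation questions on the preceding slide; the weights, asset names and scores are constructed for illustration and do not reproduce Table 4-2. The checks that weights total 100 and that scores stay in the 0.1 to 1.0 range are the ones a reviewer would apply to a hand-filled worksheet.

```python
"""Weighted factor analysis for information asset valuation.

Added example for the prioritization slide; not code from the textbook.
Criteria names, weights and per-asset scores are constructed and do not
reproduce Table 4-2.
"""
from __future__ import annotations

# Criteria derived from the asset valuation questions.
# Weights express relative importance and must total 100.
CRITERIA_WEIGHTS: dict[str, float] = {
    "critical to success": 30,
    "revenue/profitability": 40,
    "replacement/protection cost": 10,
    "liability if revealed": 20,
}

# Each asset is scored 0.1 (low) .. 1.0 (high) against every criterion.
SCORE_MIN, SCORE_MAX = 0.1, 1.0


def validate_weights(weights: dict[str, float]) -> None:
    """Reject a weighting scheme that does not sum to 100."""
    total = sum(weights.values())
    if abs(total - 100) > 1e-9:
        raise ValueError(f"criteria weights must sum to 100, got {total}")


def weighted_score(scores: dict[str, float],
                   weights: dict[str, float] = CRITERIA_WEIGHTS) -> float:
    """Return sum(weight * score) over all criteria (maximum 100)."""
    validate_weights(weights)
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"asset not scored against: {sorted(missing)}")
    for crit, s in scores.items():
        if not SCORE_MIN <= s <= SCORE_MAX:
            raise ValueError(f"score for {crit!r} must be in "
                             f"[{SCORE_MIN}, {SCORE_MAX}], got {s}")
    return sum(weights[c] * scores[c] for c in weights)


def rank_assets(assets: dict[str, dict[str, float]],
                weights: dict[str, float] = CRITERIA_WEIGHTS) -> list[tuple[str, float]]:
    """Worksheet rows (asset, weighted score), most important first."""
    rows = [(name, weighted_score(scores, weights)) for name, scores in assets.items()]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample inventory (not from the textbook).
SAMPLE_ASSETS = {
    "Customer order database": {
        "critical to success": 1.0, "revenue/profitability": 1.0,
        "replacement/protection cost": 0.8, "liability if revealed": 0.9,
    },
    "Public web site content": {
        "critical to success": 0.6, "revenue/profitability": 0.5,
        "replacement/protection cost": 0.3, "liability if revealed": 0.1,
    },
    "Internal HR records": {
        "critical to success": 0.5, "revenue/profitability": 0.2,
        "replacement/protection cost": 0.4, "liability if revealed": 1.0,
    },
}

if __name__ == "__main__":
    for name, score in rank_assets(SAMPLE_ASSETS):
        print(f"{score:6.1f}  {name}")
```

With these constructed inputs the order database scores 96, HR records 47 and the public web content 43, so the HR records outrank the web site even though they generate less revenue, because the liability criterion carries weight.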
Table 4-2 – Example Weighted Factor Analysis
Data Classification and Management
Variety of classification schemes used by corporate and military organizations
Information owners are responsible for classifying their information assets
Information classifications must be reviewed periodically
◦ At least annually
Most organizations do not need the detailed level of classification used by military or federal agencies; however, organizations may need to classify data to provide protection
Personnel Security Clearances
In addition to data classification, personnel security clearances are also used.
Security clearance structure
◦ Each data user is assigned a single level of authorization indicating the classification level they are authorized to view.
Before accessing a specific set of data, an employee must also meet the need-to-know requirement.
This extra level of protection ensures information confidentiality is maintained.
◦ Information is released only to employees with a verified need-to-know.
Management of Classified Data
Includes storage, distribution, portability, and destruction of classified data.
Information that is not unclassified or public must be clearly marked as such.
A clean desk policy requires all information to be stored in an appropriate storage container daily.
◦ Unneeded copies of classified information are destroyed.
Dumpster diving can compromise information security.
Threat Identification
Realistic threats need investigation; unimportant threats are set aside.
Threat assessment:
◦ Which threats present a danger to assets?
◦ Which threats represent the most danger to information?
◦ How much would it cost to recover from an attack?
◦ Which threat requires the greatest expenditure to prevent?
Vulnerability Identification
Specific avenues threat agents can exploit to attack an information asset are called vulnerabilities.
Examine how each threat could be perpetrated and list organization’s assets and vulnerabilities.
Process works best when people with diverse backgrounds within organization work iteratively in a series of brainstorming sessions.
At the end of the risk identification process, a list of assets and their vulnerabilities is achieved. (Deliverable for Risk Identification Process)
Risk Assessment
Risk assessment evaluates the relative risk for each vulnerability.
Assigns a risk rating or score to each information asset.
Likelihood
The probability that a specific vulnerability will be the object of a successful attack.
Assign a numeric value between 0.1 (low) and 1.0 (high), or a number between 1 and 100; whichever scale is chosen is the rating model.
Zero is not used since vulnerabilities with zero likelihood removed from asset/vulnerability list.
Use the selected rating model consistently.
Use external references for values that have been reviewed/adjusted for your circumstances.
◦ Insurance charts, other references assigning ratings.
Risk Determination
For the purpose of relative risk assessment, risk equals:
[ Asset value TIMES Likelihood of occurrence (%) ]
TIMES
[ 100% MINUS % risk already controlled PLUS % uncertainty ]
◦ % uncertainty is 100% minus the estimated accuracy of the assessment (a 90% accurate estimate carries 10% uncertainty)
Example
Asset A
◦ value = 50
◦ Vulnerability 1: likelihood 1.0, no current controls
◦ Estimate 90% accurate
Asset B
◦ value = 100
◦ Vulnerability 2: likelihood = 0.5, current control = 50%
◦ Vulnerability 3: likelihood = 0.1, no current controls
◦ Estimate 80% accurate
Calculations:
Asset A - Vulnerability 1
Risk = (50 * 1.0) * (100% - 0% + 10%) = 50 * 110% = 55 Relative Risk Rating
Asset B - Vulnerability 2
Risk = (100 * 0.5) * (100% - 50% + 20%) = 50 * 70% = 35 Relative Risk Rating
Asset B - Vulnerability 3
Risk = (100 * 0.1) * (100% - 0% + 20%) = 10 * 120% = 12 Relative Risk Rating
Identify Possible Controls
For each threat and its associated vulnerabilities that have residual risk, create a preliminary list of control ideas.
Residual risk
◦ The risk that remains to an information asset even after the existing control has been applied.
3 general categories of controls
◦ Policies: documents that specify the approach to security
◦ Programs: activities performed to improve security
◦ Technologies: technical implementations of policies
Access Controls
Specifically address admission of a user into a trusted area of the organization.
Access controls can be:
◦ Mandatory access controls (MAC): give users and data owners limited control over access to information.
◦ Nondiscretionary controls: managed by a central authority in the organization; can be role-based or task-based.
◦ Discretionary access controls (DAC): implemented at the discretion or option of the data user.
Documenting the Results of Risk Assessment
Final summary is given in a ranked vulnerability risk worksheet.
Worksheet details
◦ Asset, asset impact, vulnerability, vulnerability likelihood, and risk-rating factor
The ranked vulnerability risk worksheet is the initial working document for the next step in the risk management process: assessing and controlling risk.
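The risk determination formula and the ranked vulnerability risk worksheet, carried through in code as an added example (not code from the textbook or the slides). It encodes the slide's Asset A / Asset B data, reproduces the 55, 35 and 12 relative risk ratings, and sorts the rows into the worksheet columns listed above (asset, asset impact, vulnerability, likelihood, risk rating). The `Asset` and `Vulnerability` class names, the `uncertainty_pct` helper and the printed layout are this example's own choices; the range checks enforce the slide's rule that zero-likelihood items never appear on the list.

```python
"""Relative risk rating and the ranked vulnerability risk worksheet.

Added example; not code from the textbook. Implements the slide's formula
    risk = (asset value x likelihood) x (100% - % controlled + % uncertainty)
and ranks the resulting rows. Class names and layout are this example's own.
"""
from __future__ import annotations

from dataclasses import dataclass


def uncertainty_pct(estimate_accuracy_pct: float) -> float:
    """The slide's '% uncertainty': a 90% accurate estimate -> 10% uncertainty."""
    if not 0 <= estimate_accuracy_pct <= 100:
        raise ValueError("estimate accuracy must be a percentage in [0, 100]")
    return 100 - estimate_accuracy_pct


@dataclass(frozen=True)
class Vulnerability:
    name: str
    likelihood: float             # 0.1 (low) .. 1.0 (high); zero is never used
    controlled_pct: float = 0.0   # % of risk already mitigated by current controls
    uncertainty_pct: float = 0.0  # 100% minus estimate accuracy

    def __post_init__(self) -> None:
        if not 0.1 <= self.likelihood <= 1.0:
            raise ValueError("likelihood must be in [0.1, 1.0]; "
                             "zero-likelihood items are removed from the list")
        for pct in (self.controlled_pct, self.uncertainty_pct):
            if not 0 <= pct <= 100:
                raise ValueError("percentages must be in [0, 100]")


@dataclass(frozen=True)
class Asset:
    name: str
    value: float                  # asset impact / value from the valuation step
    vulnerabilities: tuple[Vulnerability, ...]


def relative_risk(asset_value: float, vuln: Vulnerability) -> float:
    """(value x likelihood) x (100% - % controlled + % uncertainty)."""
    factor_pct = 100 - vuln.controlled_pct + vuln.uncertainty_pct
    return (asset_value * vuln.likelihood) * factor_pct / 100


def ranked_worksheet(assets: list[Asset]) -> list[dict]:
    """Worksheet rows: asset, asset impact, vulnerability, likelihood, risk rating.

    Highest relative risk first, which is the order the controls step works in.
    """
    rows = [
        {
            "asset": a.name,
            "asset_impact": a.value,
            "vulnerability": v.name,
            "likelihood": v.likelihood,
            "risk_rating": round(relative_risk(a.value, v), 2),
        }
        for a in assets
        for v in a.vulnerabilities
    ]
    return sorted(rows, key=lambda r: r["risk_rating"], reverse=True)


# The slide's example, encoded as data.
SLIDE_ASSETS = [
    Asset("Asset A", 50, (
        Vulnerability("Vulnerability 1", 1.0, controlled_pct=0,
                      uncertainty_pct=uncertainty_pct(90)),
    )),
    Asset("Asset B", 100, (
        Vulnerability("Vulnerability 2", 0.5, controlled_pct=50,
                      uncertainty_pct=uncertainty_pct(80)),
        Vulnerability("Vulnerability 3", 0.1, controlled_pct=0,
                      uncertainty_pct=uncertainty_pct(80)),
    )),
]


def format_worksheet(rows: list[dict]) -> str:
    """Plain-text rendering of the ranked worksheet."""
    header = f"{'Asset':<8} {'Impact':>6} {'Vulnerability':<16} {'Likelihood':>10} {'Risk':>6}"
    body = [
        f"{r['asset']:<8} {r['asset_impact']:>6} {r['vulnerability']:<16} "
        f"{r['likelihood']:>10} {r['risk_rating']:>6}"
        for r in rows
    ]
    return "\n".join([header, *body])


if __name__ == "__main__":
    print(format_worksheet(ranked_worksheet(SLIDE_ASSETS)))
```

Running it lists Vulnerability 1 (55), Vulnerability 2 (35) and Vulnerability 3 (12) in that order. Note that the 50% control on Vulnerability 2 is what pulls it below Vulnerability 1 despite Asset B being worth twice as much; a reviewer checking the worksheet should confirm that any claimed "% controlled" is backed by a verified control, since it directly lowers the rating.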