9781780172651 - information risk management.pdf

Post on 16-Nov-2015
<ul><li><p>INFORMATION RISK MANAGEMENT</p><p>A practitioner's guide</p><p>David Sutton</p><p>DRAFT</p></li><li><p>INFORMATION RISK MANAGEMENT</p><p>Information Risk Management.indd 1 30/09/14 6:38 PM</p></li><li><p>BCS, THE CHARTERED INSTITUTE FOR IT</p><p>BCS, The Chartered Institute for IT champions the global IT profession and the interests of individuals engaged in that profession for the benefit of all. We promote wider social and economic progress through the advancement of information technology science and practice. We bring together industry, academics, practitioners and government to share knowledge, promote new thinking, inform the design of new curricula, shape public policy and inform the public.</p><p>Our vision is to be a world-class organisation for IT. Our 70,000 strong membership includes practitioners, businesses, academics and students in the UK and internationally. We deliver a range of professional development tools for practitioners and employees. A leading IT qualification body, we offer a range of widely recognised qualifications.</p><p>Further Information</p><p>BCS, The Chartered Institute for IT, First Floor, Block D, North Star House, North Star Avenue, Swindon, SN2 1FA, United Kingdom. T +44 (0) 1793 417 424, F +44 (0) 1793 417 444, www.bcs.org/contact</p><p>http://shop.bcs.org/</p></li><li><p>INFORMATION RISK MANAGEMENT</p><p>A practitioner's guide</p><p>David Sutton</p></li><li><p>iv</p><p>© 2014 David Sutton</p><p>The right of David Sutton to be identified as author of this work has been asserted by him in accordance with sections 77 and 78 of the Copyright, Designs and Patents Act 1988.</p><p>All rights reserved. Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted by the Copyright Designs and Patents Act 1988, no part of this publication may be reproduced, stored or transmitted in any form or by any means, except with the prior permission in writing of the publisher, or in the case of reprographic reproduction, in accordance with the terms of the licences issued by the Copyright Licensing Agency. Enquiries for permission to reproduce material outside those terms should be directed to the publisher.</p><p>All trade marks, registered names etc. acknowledged in this publication are the property of their respective owners. BCS and the BCS logo are the registered trade marks of the British Computer Society, charity number 292786 (BCS).</p><p>Published by BCS Learning &amp; Development Ltd, a wholly owned subsidiary of BCS The Chartered Institute for IT, First Floor, Block D, North Star House, North Star Avenue, Swindon, SN2 1FA, UK. www.bcs.org</p><p>Paperback ISBN: 978-1-78017-265-1; PDF ISBN: 978-1-78017-266-8; ePUB ISBN: 978-1-78017-267-5; Kindle ISBN: 978-1-78017-268-2</p><p>British Cataloguing in Publication Data. A CIP catalogue record for this book is available at the British Library.</p><p>Disclaimer: The views expressed in this book are of the author(s) and do not necessarily reflect the views of the Institute or BCS Learning &amp; Development Ltd except where explicitly stated as such. Although every care has been taken by the authors and BCS Learning &amp; Development Ltd in the preparation of the publication, no warranty is given by the authors or BCS Learning &amp; Development Ltd as publisher as to the accuracy or completeness of the information contained within it, and neither the authors nor BCS Learning &amp; Development Ltd shall be responsible or liable for any loss or damage whatsoever arising by virtue of such information or any instructions or advice contained within this publication or by any of the aforementioned.</p><p>BCS books are available at special quantity discounts to use as premiums and sale promotions, or for use in corporate training programs. Please visit our Contact us page at www.bcs.org/contact</p><p>Typeset by Lapiz Digital Services, Chennai, India.</p></li><li><p>v</p><p>It is through the gradual development of trust and respect that acquaintances and colleagues become friends.</p><p>From 2001 to 2010 I had the great privilege of working with a group of highly dedicated people from the UK Cabinet Office, the Department for Business Innovation and Skills, Ofcom, and organisations representing the whole of the electronic communications industry. Many of us still meet socially at The Old Shades in Whitehall from time to time.</p><p>This book is for Fred Micklewright, whose insight, support and wisdom made the work a pleasure.</p></li><li><p>vi</p><p>CONTENTS</p><ul><li>List of figures and tables ix</li><li>Author xi</li><li>Acknowledgements xii</li><li>Abbreviations xiii</li><li>Definitions, standards and glossary of terms xvi</li><li>Preface xxx</li><li>1. THE NEED FOR INFORMATION RISK MANAGEMENT 1<ul><li>Introduction 1</li><li>What is information? 4</li><li>The information life cycle 6</li><li>Who should use information risk management? 7</li><li>The legal framework 8</li><li>The context of risk in the organisation 9</li><li>The benefits of taking account of information risk 11</li><li>Overview of the information risk management process 13</li></ul></li><li>2. REVIEW OF INFORMATION SECURITY FUNDAMENTALS 18<ul><li>Information classification 20</li><li>Plan, Do, Check, Act 24</li></ul></li><li>3. THE INFORMATION RISK MANAGEMENT PROGRAMME 26<ul><li>Goals, scope and objectives 26</li><li>Roles and responsibilities 27</li><li>Governance of the risk management programme 28</li><li>Information risk management criteria 29</li></ul></li><li>4. RISK IDENTIFICATION 35<ul><li>The approach to risk identification 37</li><li>Impact assessment 39</li><li>Types of impact 42</li><li>Qualitative and quantitative assessments 45</li></ul></li><li>5. THREAT AND VULNERABILITY ASSESSMENT 51<ul><li>Conducting threat assessments 51</li><li>Conducting vulnerability assessments 56</li><li>Identification of existing controls 61</li></ul></li></ul></li><li><p>vii</p><p>CONTENTS</p><ul><li>6. RISK ANALYSIS AND RISK EVALUATION 65<ul><li>Assessment of likelihood 65</li><li>Risk analysis 68</li><li>Risk evaluation 70</li></ul></li><li>7. RISK TREATMENT 74<ul><li>Strategic risk options 75</li><li>Tactical risk management controls 78</li><li>Operational risk management controls 79</li><li>Examples of critical controls and control categories 80</li></ul></li><li>8. RISK REPORTING AND PRESENTATION 83<ul><li>Business cases 83</li><li>Risk treatment decision-making 85</li><li>Risk treatment planning and implementation 86</li><li>Business continuity and disaster recovery 86</li></ul></li><li>9. COMMUNICATION, CONSULTATION, MONITORING AND REVIEW 96<ul><li>Communication 97</li><li>Consultation 99</li><li>Risk reviews and monitoring 100</li></ul></li><li>10. THE CESG IA CERTIFICATION SCHEME 103<ul><li>The CESG IA Certification Scheme 103</li><li>Skills Framework for the Information Age (SFIA) 106</li><li>The IISP skills framework 108</li></ul></li><li>11. HMG SECURITY-RELATED DOCUMENTS 118<ul><li>HMG Security Policy Framework 118</li><li>UK Government Security Classifications 123</li></ul></li><li>APPENDIX A TAXONOMIES AND DESCRIPTIONS 125<ul><li>Information risk 125</li><li>Typical impacts or consequences 127</li></ul></li><li>APPENDIX B TYPICAL THREATS AND HAZARDS 130<ul><li>Malicious intrusion (hacking) 130</li><li>Environmental threats 133</li><li>Errors and failures 134</li><li>Social engineering 136</li><li>Misuse and abuse 137</li><li>Physical threats 138</li><li>Malware 139</li></ul></li><li>APPENDIX C TYPICAL VULNERABILITIES 142<ul><li>Access control 142</li><li>Poor procedures 144</li><li>Physical and environmental security 145</li></ul></li></ul></li><li><p>viii</p><p>CONTENTS</p><ul><li>APPENDIX C (continued)<ul><li>Communications and operations management 147</li><li>People-related security failures 149</li></ul></li><li>APPENDIX D INFORMATION RISK CONTROLS 151<ul><li>Strategic controls 151</li><li>Tactical controls 152</li><li>Operational controls 152</li><li>Critical Security Controls Version 5.0 153</li><li>ISO/IEC 27001 controls 156</li><li>NIST Special Publication 800-53 Revision 4 162</li></ul></li><li>APPENDIX E METHODOLOGIES, GUIDELINES AND TOOLS 169<ul><li>Methodologies 169</li><li>Other guidelines and tools 176</li></ul></li><li>APPENDIX F TEMPLATES 181</li><li>APPENDIX G HMG CYBER SECURITY GUIDELINES 187<ul><li>HMG Cyber Essentials Scheme 187</li><li>10 Steps to Cyber Security 191</li></ul></li><li>APPENDIX H REFERENCES AND FURTHER READING 193<ul><li>Primary UK legislation 193</li><li>Good Practice Guidelines 194</li><li>Other reference material 194</li><li>CESG Certified Professional Scheme 195</li><li>Other UK Government publications 196</li><li>Risk management methodologies 197</li><li>News articles, etc. 198</li><li>UK and international standards 198</li></ul></li><li>Index 205</li></ul></li><li><p>ix</p><p>LIST OF FIGURES AND TABLES</p><ul><li>Figure 0.1 Concepts and relationships xvii</li><li>Figure 1.1 The information lifecycle 6</li><li>Figure 1.2 The overall risk management process 14</li><li>Figure 2.1 The Plan-Do-Check-Act cycle 24</li><li>Figure 4.1 A general view of the risk environment 35</li><li>Figure 4.2 Typical types of information asset 36</li><li>Figure 4.3 Generic sequence of situation management 39</li><li>Figure 4.4 A simple threat, vulnerability and impact 40</li><li>Figure 4.5 Multiple threats can exploit the same vulnerability 40</li><li>Figure 4.6 A single threat can exploit multiple vulnerabilities 40</li><li>Figure 4.7 A typical chain of consequence 41</li><li>Figure 4.8 Impact types 42</li><li>Figure 4.9 Potential losses over time following a disruptive event 49</li><li>Figure 4.10 Typical impact assessment form 50</li><li>Figure 5.1 Typical threats and hazards 52</li><li>Figure 5.2 Typical threat assessment form 57</li><li>Figure 5.3 Typical vulnerabilities 58</li><li>Figure 5.4 Typical vulnerability assessment form 62</li><li>Figure 5.5 The overall scheme of risk treatment options 64</li><li>Figure 5.6 Typical existing controls identification form 64</li><li>Figure 6.1 A typical risk matrix 68</li><li>Figure 6.2 An enhanced risk matrix 69</li><li>Figure 6.3 A typical risk register spreadsheet 71</li><li>Figure 7.1 The overall scheme of risk treatment options 75</li><li>Figure 7.2 The strategic risk management process 76</li><li>Figure 7.3 Council on CyberSecurity critical security controls 80</li><li>Figure 7.4 ISO/IEC 27001 control categories 81</li><li>Figure 7.5 NIST SP 800-53 control categories 82</li><li>Figure 8.1 The BCI lifecycle 88</li><li>Figure 8.2 The generic business continuity incident timeline 90</li><li>Figure 8.3 Overall structure for disaster recovery 91</li><li>Figure 8.4 Cost versus availability 92</li><li>Figure A.1 An overall taxonomy of information risk 125</li><li>Figure A.2 Typical impacts or consequences 127</li><li>Figure B.1 Typical threats and hazards 130</li><li>Figure C.1 Typical vulnerabilities 142</li><li>Figure D.1 Information risk controls 151</li><li>Figure F.1 Typical impact assessment template 182</li><li>Figure F.2 Typical threat assessment template 183</li></ul></li><li><p>x</p><p>LIST OF FIGURES AND TABLES</p><ul><li>Figure F.3 Typical vulnerability assessment template 184</li><li>Figure F.4 Typical existing controls assessment template 185</li><li>Figure F.5 Typical risk register template 186</li></ul><ul><li>Table 4.1 The general properties of detrimental situations 38</li><li>Table 4.2 Typical impact scales 46</li><li>Table 6.1 Typical likelihood scales 68</li></ul></li><li><p>xi</p><p>AUTHOR</p><p>David Sutton's career spans more than 45 years and includes radio transmission, international telephone switching, computing, voice and data networking, structured cabling systems, information security and critical information infrastructure protection.</p><p>He joined Cellnet (now Telefónica UK) in 1993, where he was responsible for ensuring the continuity and restoration of the core cellular and broadband networks, and represented the company in the electronic communications industry's national resilience forum, the EC-RRG. In December 2005 he gave evidence to the Greater London Authority enquiry into the mobile telecoms impact of the London bombings.</p><p>David has been a member of the BCS Professional Certification Information Security Panel since 2005 and delivers lectures on information risk management and business continuity at the Royal Holloway University of London, from which he holds an MSc in Information Security, and at which he is an external tutor on their open learning MSc course.</p><p>Since retiring from Telefónica UK in 2010, he has undertaken a number of critical information infrastructure projects for the European Network and Information Security Agency (ENISA), developed business continuity and information risk management training material for InfoSec Skills, and serves on the training accreditation panel for the Institute of Information Security Professionals (IISP).</p><p>David is a co-author of Information Security Management Principles, also published by BCS, ISBN 978-1-78017-175-3, now in its second edition.</p></li><li><p>xii</p><p>ACKNOWLEDGEMENTS</p><p>I would like to thank Jutta Mackwell and Matthew Flynn of BCS for kindly agreeing to publish this book, and my wife Sharon for putting up with my more grumpy moments and for her unceasing encouragement.</p></li><li><p>xiii</p><p>ABBREVIATIONS</p><ul><li>AIRMIC Association of Insurance and Risk Managers</li><li>AS/NZS Australian Standard/New Zealand Standard</li><li>BC business continuity</li><li>BCI Business Continuity Institute</li><li>BCM business continuity management</li><li>BCS BCS, The Chartered Institute for IT</li><li>BIA business impact analysis</li><li>BIS The Department for Business Innovation and Skills</li><li>BPSS baseline personnel security standard</li><li>BR business resumption</li><li>BS British Standard</li><li>BSI British Standards Institute</li><li>BYOD bring your own device</li><li>CCA Civil Contingencies Act, 2004</li><li>CCP CESG Certified Professional</li><li>CCTA</li><li>CCTV closed-circuit television</li><li>CD compact disc</li><li>CDPA Copyright, Designs and Patents Act, 1988</li><li>CESG Communications-Electronics Security Group</li><li>CIA confidentiality, integrity and availability</li><li>CIO Chief Information Officer</li><li>CISO Chief Information Security Officer</li><li>CLAS CESG Listed Advisor Scheme</li><li>CMA Computer Misuse Act, 1990</li><li>CMM Capability Maturity Model</li><li>CNSS Committee on National Security Systems</li><li>COMAH control of major accident hazards</li><li>COMSO Communications Security Officer</li><li>CPNI Centre for the Protection of National Infrastructure</li><li>CRAMM CCTA Risk Analysis and Management Method</li><li>CTC counter-terrorist check</li><li>DAS direct attached storage</li><li>DNA deoxyribonucleic acid</li></ul></li><li><p>xiv</p><p>ABBREVIATIONS</p><ul><li>DMZ demilitarised zone</li><li>DoS denial of service</li><li>DDoS distributed denial of service</li><li>DPA Data Protection Act, 1998</li><li>DR disaster recovery</li><li>DV developed vetting</li><li>DVD digital versatile disc</li><li>ENISA European Network and Information Security Agency</li><li>EU European Union</li><li>FAIR factor analysis of information risk</li><li>FERMA Federation of European Risk Management Associates</li><li>FoIA Freedom of Information Act, 2000</li><li>GCHQ Government Communications Headquarters (UK)</li><li>GPG good practice guide(lines)</li><li>GSI Government Secure Intranet</li><li>HMG Her Majesty's Government</li><li>IA information assurance</li><li>IASME information assurance for small and medium enterprises</li><li>ICT information communications and technology</li><li>IEC International Electro-technical Commission</li><li>IISP Institute of Information Security Professionals</li><li>IM incident management</li><li>IP intellectual property</li><li>IP Internet Protocol</li><li>IPR intellectual property rights</li><li>IRAM Information Risk Analysis Method</li><li>IRBC ICT readiness for business continuity</li><li>IRM Institute of Risk Management</li><li>ISF Information Security Forum</li><li>ISMS Information Security Management System</li><li>ISO International Organisation for Standardisation</li><li>ISP Internet service provider</li><li>IT information technology</li><li>ITSO IT Security Officer</li><li>ITU International Telecommunication Union</li><li>LAN local area network</li><li>MAO maximum acceptable outage</li><li>MBCO minimum business continuity objective</li><li>MoD Ministry of Defence</li><li>MR mandatory requirement</li><li>MTDL maximum tolerable data loss</li><li>MTPD maximum tolerable period of disruption</li></ul></li><li><p>xv</p><p>NAS network attached storage...</p></li></ul>