Post on 15-Mar-2018
BUILDING AN INFORMATION SECURITY RISK ASSESSMENT PROGRAM (WITH $0 BUDGET)
Kathy Doolittle, CISSP, CISM, CEH
kathy.doolittle@onsemi.com
10.23.08
Agenda
1. Background
2. Security risk assessments
3. Creating a repeatable, simple process - essentially at $0 cost (+ labor, existing technology)
4. Examples of tools
5. Selling the idea to management
6. Reassess & fix
Blueprints
Focused on IT security risk
Build it with little outlay of tools/$
More manual
Less complex
Good starting point
Assess your needs (compliance, security, reporting)
Background: Issues
No security plans or risk assessment program in place; ad hoc tracking of issues
No money, very limited staff
Rare to no security/risk assessments for technology purchases, integrations, M&A
Very limited security integration or involvement in IT requirements gathering
Ad hoc security assessments for projects; limited risk assessment focused on SOX
Background: Goals
Main goal: Identify security risks in IT projects and manage the risks
Needs & Requirements:
Create a process for assessment
Communicate the need for risk management to management and peers
Integrate the process into current processes for least impact and increased chance of usage
Grow it
What is Risk?
• hazard: a source of danger; a possibility of incurring loss or misfortune
• adventure undertaken without regard to possible loss or injury
• exposure to a chance of loss or damage
What is Security Risk?
Project Risk: factors that may cause a failure to meet a project's objectives
• Inexperienced personnel
• New technology
• Time constraints
• Budget
• Dependencies
• Team/management risk
Business Risk: factors that may cause a failure to meet a company's objectives
• Growth risk
• Technology risk
• Marketing risk
• Financial risk
Security Risk: factors that may cause a failure to meet a company's risk acceptance level or regulatory requirement
• Impacts to confidentiality, integrity, availability due to vulnerabilities & threats
Risk treatment options:
ACCEPT: Implement workarounds -- reactionary - unfunded
MITIGATE: Implement some preventive controls --- partially funded
TRANSFER/AVOID: Implement strong preventive controls &/or insurance – fully funded
Example: Assessment Outcomes
Proactively identify risks that are posed to systems and data
Quickly identify and prioritize high risk projects
Assure adequate planning, scoping, and prioritization for new security services or protection methods
Outcome:
Fully understand & communicate company risk posture & status
Identifies risks to core systems when integrating new systems
Ability to measure risk and show value of security projects
Holistically manages risk in a global infrastructure
Manages risk in a repeatable way for compliance requirements
Creating the Process: Gap Analysis
Drivers & Outcomes
• Drivers: Regulatory, best practices, certifications, business
• Outcomes: What do you want/need to meet drivers?
Components
• What do you have & what do you need (people, processes, technology)?
• What is your timeline and who will be involved?
• Do you have any funds? Do you have a sponsor?
Interaction
• Who are the stakeholders? Educate or must sell?
• Where are the points of interaction for the process?
Use What You Have
Technology
• Office type apps or open source (databases, spreadsheets, presentations)
• SharePoint
• Web servers
• Security VA programs
• Maturity modelers (Gartner)
Processes
• Methodologies (SDLC, MSF, other project lifecycles)
• Purchase approvals
• Change controls
• Project approval process
• Communication paths (mgt meetings, HR, legal, audit committees)
• Training (brown bag)
People
• Stakeholders
• Security, Audit
• Board of Directors
• Communications Director
• Application Developers
• Project Managers
• C-Level backing
Your wits, your intelligence, your charm, your experience, your personal 'hammer'
Example: RA in the Project Lifecycle
Initial Risk Questionnaire (IRQ) for all projects
RISC plan (Security Plan) for high risk projects
RAD (Risk Acceptance Document), if necessary
Initial Process
IRQ – Information Risk Questionnaire
  Owner: Project Managers or Sponsors
  Scope: All projects
RISC Plan – Risk & Information Security Controls Plan
  Owner: Information Security Analyst (+ project architects)
  Scope: ONLY Moderate & High Risk IRQ-scored projects
RAD – Risk Acceptance Document
  Owner: Project Managers & Sponsor
  Scope: ONLY projects with Critical and High risks to accept
Identify the Focus & Priority
Focus
Where will you focus out of the gate and why?
Regulatory systems
Security systems
New technology or processes
Foundational systems
Critical processes
System focus
Application development
Use drivers & desired outcomes to help you focus
Priority
Set achievable goals
Set achievable timelines and stick to them
Quarterly & yearly
Prioritize based on what you can do with limited budget and personnel
Think in Terms of Standardization
Documentation
Processes
Integration points
Standard assessment methods
Policies, standards (internal, best practices, etc)
Conducting the assessment
Project risk levels (IRQ score): Slight <28 points; Guarded 29-33 points; Moderate 34-39 points; High >40 points
Follow up
Tools
Communication methods
Terminology
Metrics
Make It Repeatable
Defined: integration points
Defined: processes for assessment
Defined: methods of communication
Defined: path for documentation
Standard for fix/assess/fix…
Create the Process
• Focus on your main priorities & goals
• Prioritize your SRA process over time
• Create standard templates & documents
• Use existing corporate processes & add to them
• Keep it easy to use
• Test it out prior to deployment
• Re-evaluate over time (quarterly, yearly)
Examples
• The IRQ (Information Risk Questionnaire)
• The RISC (Risk and Information Security Controls)
• The RAD (Risk Acceptance Document)
Information Risk Questionnaire
The IRQ Requirements
Asks key questions to score risk
Extremely easy to use by non-security (or audit) personnel
Quick (~ 10 minutes at most)
Implemented in early stage of project lifecycle
Low cost (.xls and stored on SharePoint)
Risk & Information Security Controls
The RISC Plan (aka Security Plan) Requirements
Repeatable process
Standardized method to limit risk and control types, with the ability to add types
Project, Foundational, Ad Hoc plans
Low cost (Access database) to create & maintain (but can be ported later)
Ability to embed design documents
Ability to report based on risks, controls, outstanding issues, foundation & project plans
Multiple associations between risks & plans allowed
Risk Acceptance Document
RAD Requirements
Management signoff on High and Moderate (year 2) risks
Documented
Provides means to communicate on security & risk
Provides means to "include security early on in a project"
Process Development: Lessons Learned
1. Really understand the processes to integrate with
2. Get input from users
3. Combine forces for IRQ development
4. Limit the amount of new documents or processes
5. Get a sponsor
6. If you have no money, you can achieve a repeatable process, but limit your focus & first year goals
7. Start focused and build from there
8. If you have limited personnel, make sure they are fully trained in the process and goals for each year
Training Users
Introduce security risk
Identify the process (e.g. Slide 18)
Explain impact to them
Require training for IRQ
Keep an open dialog
Have a Wiki (or FAQ site)
Have lots of online material
Touch base and get feedback
Selling the Idea to Management
What
• Introduce idea of security risk
• Be clear on impact to users and processes
• Show high level plan
• Focus on goals of assessments
• Advance simple ideas regarding process inclusion
• Define impact of process at high level
How
• Use compliance requirements, security audits/VAs
• Grab metrics
• Focus on immediate impact & deliverables
• Don't oversell (too many graphics, metrics, charts)
• Don't forget industry practices
Selling – Go In Knowing:
How: Process will integrate with existing business processes
Who: Key users
When: Timeline
What: Cost, effort
What: Deliverables
What: Projected outcomes
Review & Reassess
IRQ: scoring
# of projects using the process
RISC Plan: identification, scoring values & validity
Next Logical Steps
Shore up weak points in process or assessments
More project types (M&A, applications, partners)
Increase RISC Plans for more types
Increase RADs for Moderate (add to Critical/High)
Project risk levels (IRQ score): Slight <28 points; Guarded 29-33 points; Moderate 34-39 points; High >40 points
Globalize process
Require training 2x year for security assessors
Give Audit/Compliance & Management updates on progress
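The IRQ score bands, the Initial Process gating (IRQ for every project, RISC plan only for Moderate and High IRQ scores, RAD only for accepted Critical/High risks) and the year-2 extension of RADs to Moderate risks, modelled as an added Python example. This is not the presenter's own tooling; the IRQ question weights, the sample projects and the handling of scores 28 and 40 (which the slide bands leave unassigned) are assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field
# Assumed per-question points for a 'yes' answer; the real IRQ lived in an .xls on SharePoint.
IRQ_WEIGHTS = {"regulated_data": 12, "internet_facing": 10, "new_technology": 8,
               "third_party_hosted": 8, "foundational_system": 7}
IRQ_BANDS = ((28, "Slight"), (33, "Guarded"), (39, "Moderate"))  # (upper score, level)

def irq_score(answers: dict) -> int:
    return sum(IRQ_WEIGHTS.get(q, 0) for q, yes in answers.items() if yes)

def irq_level(score: int) -> str:
    # Slide bands: <28 Slight, 29-33 Guarded, 34-39 Moderate, >40 High.
    # Assumption: a score of exactly 28 counts as Slight and 40 as High.
    return next((level for top, level in IRQ_BANDS if score <= top), "High")

@dataclass
class Project:
    name: str
    irq_answers: dict
    risc_risks: list = field(default_factory=list)  # (description, severity, treatment)

def required_artifacts(project: Project, year: int = 1) -> dict:
    """IRQ for every project; RISC plan only for Moderate/High IRQ scores;
    RAD only when Critical/High risks are accepted (Moderate joins in year 2)."""
    score = irq_score(project.irq_answers)
    level = irq_level(score)
    needs_risc = level in ("Moderate", "High")
    rad_severities = {"Critical", "High"} | ({"Moderate"} if year >= 2 else set())
    accepted = [desc for desc, sev, treat in project.risc_risks
                if needs_risc and treat == "accept" and sev in rad_severities]
    return {"score": score, "level": level, "risc_plan": needs_risc,
            "rad": bool(accepted), "rad_risks": accepted}

def program_metrics(projects, year: int = 1) -> dict:
    """Review & Reassess counts: projects scored, IRQ level spread, RISC plans and RADs."""
    results = [required_artifacts(p, year) for p in projects]
    return {"projects": len(results),
            "levels": dict(Counter(r["level"] for r in results)),
            "risc_plans": sum(r["risc_plan"] for r in results),
            "rads": sum(r["rad"] for r in results)}

SAMPLE = [  # constructed sample projects, not from the slides
    Project("Vendor portal", {"regulated_data": True, "internet_facing": True,
            "third_party_hosted": True}, [("No MFA on vendor SSO", "High", "accept")]),
    Project("Payroll upgrade", {"regulated_data": True, "internet_facing": True,
            "new_technology": True, "foundational_system": True},
            [("Legacy auth module", "High", "accept"), ("No log forwarding", "Moderate", "accept")]),
    Project("ERP migration", dict.fromkeys(IRQ_WEIGHTS, True),
            [("Unpatched appliance", "Critical", "mitigate")]),
]
```

Running `program_metrics(SAMPLE, year=2)` against the same projects shows how the year-2 RAD rule pulls the Moderate "No log forwarding" risk into the Payroll upgrade's RAD without changing which projects need a RISC plan.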