Texas Department of Information Resources
Information Risk Management Overview
Information Risk Management Overview
Nena Young, CRP, CBCP
Texas Department of Information Resources
email: [email protected]
Principles for All Sub-Programs
Risk Assessment and Solutions
Centered Management
Implementation of Controls, including policies
Awareness
Monitoring and Evaluation of Effectiveness
Bonus
In-depth Assessment of risks
Comprehensive picture of business and technical processes
Identify opportunities for process enhancements and/or re-engineering
Rapid, precise, smooth recovery
“Insurance Policy” for staying in business.
Program Components:
1. Risk Analysis & Risk Assessment
2. Information Security Program
3. Business Continuity Program
Information Risk Management Program
Roles and Responsibilities Defined
Data Classification
Assets Inventory
1. Risk Analysis & Risk Assessment
Risk Analysis - The process of identifying and documenting vulnerabilities and applicable threats to assets.
Risk Assessment - Projecting losses, assigning levels of risk, and recommending appropriate measures to protect assets.
Snapshot in time.
Discover compliance with existing policies.
Basis for selecting the most appropriate, cost-efficient protection measures for assets.
Equilibrium: asset loss vs. countermeasures.
Provide information on the likelihood of threat occurrence and the impact on assets.
Mandated by the federal government and most states.
Ensure reasonable steps are taken to prevent loss of assets.
Foundation of all risk management programs.
Risk Analysis vs BIA
Risk Analysis & Assessment - (Proactive)
Initial process that identifies critical processes, evaluates current standards and countermeasures, determines cost-effective mitigation of identified risks, and includes ALE.
Business Impact Analysis - (Reactive)
Quantifies risks to include exposure results such as financial loss, client goodwill, public confidence, etc.
Jargon
Assets - Anything with value that is worth protecting or preserving.
Threats - Events or actions which always exist and can generate undesirable impacts or loss of assets. Can be either human or environmental.
Vulnerabilities - The “windows of opportunity” which allow threats to materialize. The exposures. Conditions of weakness.
Countermeasures - (Safeguards, Controls) - Devices, processes, actions, or procedures that can reduce vulnerabilities. Preventive, Detective, Corrective.
Risk - Potential for a threat to exploit a vulnerability. A threat + a vulnerability = a RISK.
The Basics
Assets identified.
Threats identified.
Vulnerabilities identified.
Asset Losses identified.
Protective measures identified and proposed.
Quantitative vs Qualitative
Theoretically . . .
Quantitative
Objective Numeric Values
Asset Value
Impact
Frequency of Threats
Countermeasure Cost-Effectiveness
Use of Complex Calculations (confidence factors, probabilities, SLE, ALE)
Qualitative
Descriptive, Immeasurable Values
Characteristics
No Quantifiable Data
No ALE
Yes/No; Low/Medium/High; Vital/Critical/Important; good/bad
Rankings based on judgement
In the Real World. . .
Risk Analysis Involves Both
Quantifiable measurements.
Judgements based on experience and knowledge.
Ten Steps
1. Organize and Define the Scope
2. Identify and Value the Assets
3. Identify Applicable Threats
4. Identify and Describe Vulnerabilities
5. Establish Pairings (relationships)
6. Determine the Impact of Threat Occurrence
7. Measure Existing Countermeasures
8. Determine Residual Risks
9. Recommend Additional Countermeasures
10. Prepare a Risk Analysis Report
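As an added illustration (not code from the presentation) of the quantitative calculations named on the Quantitative vs Qualitative slide (SLE, ALE, countermeasure cost-effectiveness) carried through the pairing, impact, countermeasure and residual-risk steps above, with a qualitative Low/Medium/High ranking for pairings that have no numeric data. It assumes the standard textbook definitions SLE = asset value × exposure factor and ALE = SLE × annualized rate of occurrence; the asset values, exposure factors and occurrence rates are constructed.

```python
from dataclasses import dataclass, replace


@dataclass
class Pairing:
    """One asset/threat/vulnerability pairing (step 5), with the data step 6 needs."""
    asset: str
    threat: str
    asset_value: float      # replacement/business value in dollars
    exposure_factor: float  # fraction of the asset lost per occurrence, 0.0..1.0
    aro: float              # annualized rate of occurrence (events per year)


def sle(p: Pairing) -> float:
    """Single Loss Expectancy: loss from one occurrence (standard definition, assumed)."""
    return p.asset_value * p.exposure_factor


def ale(p: Pairing) -> float:
    """Annualized Loss Expectancy: expected yearly loss for this pairing."""
    return sle(p) * p.aro


def evaluate_countermeasure(p: Pairing, new_aro: float, new_ef: float, annual_cost: float) -> dict:
    """Steps 7-9: residual ALE after a countermeasure and its net annual benefit.
    A countermeasure is only recommended when it saves more per year than it costs."""
    residual = replace(p, aro=new_aro, exposure_factor=new_ef)
    before, after = ale(p), ale(residual)
    net = before - after - annual_cost
    return {"ale_before": before, "residual_ale": after, "net_benefit": net, "recommend": net > 0}


_LEVEL = {"Low": 1, "Medium": 2, "High": 3}


def qualitative_rank(likelihood: str, impact: str) -> str:
    """Qualitative fallback when no quantifiable data exists: judgement on a 3x3 matrix."""
    score = _LEVEL[likelihood] * _LEVEL[impact]
    return "Low" if score <= 2 else "Medium" if score <= 4 else "High"


# Constructed sample pairings (not figures from the presentation).
DATABASE = Pairing("Customer database", "Malicious software invasion", 500_000, 0.40, 0.5)
WEB_SERVER = Pairing("Public web server", "Denial of service", 80_000, 0.25, 2.0)

if __name__ == "__main__":
    for p, cm in ((DATABASE, (0.1, 0.40, 25_000)), (WEB_SERVER, (0.5, 0.25, 30_000))):
        r = evaluate_countermeasure(p, *cm)
        print(f"{p.asset}: ALE ${r['ale_before']:,.0f} -> residual ${r['residual_ale']:,.0f}, "
              f"net benefit ${r['net_benefit']:,.0f}, recommend={r['recommend']}")
    print("Qualitative rank (High likelihood, Medium impact):", qualitative_rank("High", "Medium"))
```

The web server case breaks even (net benefit of zero), so the countermeasure is not recommended and the residual risk would instead be accepted or transferred.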
Types of Threats:
Human - Intentional
Malicious Software Invasion
Fraud or embezzlement
Human - Unintentional
Programmer Error
User Error
Environmental - Natural
Earthquakes
Flood
Environmental - Fabricated
Fire
Electromagnetic interference
Impact of Threat Occurrence
Impact (Loss) Categories:
Disclosure - Classification or sensitivity of information; who has access.
Modification - A realized threat causes unauthorized changes in an asset.
Destruction - Threat activity causes damage to an asset, making it unusable.
Denial of Service - A realized threat causes a loss of availability.
Types of Countermeasures
Preventive
Detective
Corrective
Residual Risks are accepted, mitigated, transferred.
(Diagram: Assets, Vulnerabilities, Threats, Countermeasures, Impacts)
Knowledge Base Needed
Analysts Need to:
Know current and historical internal environment.
Know current and historical external environment.
Understand dependencies and vulnerabilities.
Understand threat profiles.
Understand countermeasure choices and related costs.
Be able to apply cost-benefit analysis to risks and countermeasures.
(Diagram, modified from Len Watts, U.K., Computer/Security Risk Management Model Builders: the risk model. Start here: Threats exploit Vulnerabilities, exposing Assets to a loss of Confidentiality, Integrity & Availability, causing Business Impacts, which are limited by Countermeasures, which protect against the threats. Three arrows labelled Increase and one labelled Reduce, from Countermeasures, connect these elements to RISKS. Further labels: Boundaries, Uncertainty.)
Cycle Drivers: Changing Requirements, Changing Systems, Changing Environment
2. Information Security Program
Protection of an organization’s information assets.
Purpose - The preservation of the confidentiality, integrity, and availability (CIA) of information. Can add utility and authenticity.
Purpose: A Secure Enterprise
Protection of Assets
Protection of Goodwill
Integrity of Applications and Data
Due Diligence
Protection of Employees, Shareholders, Partners, Clients
Eight Steps
1. Management Sponsorship and Support
2. Organize and Define the Scope
3. Risk Analysis
4. Policies and Procedures
5. Controls
6. Security Breach Reporting and Investigation
7. Awareness Training
8. Monitor and Test
The Bad Guys
Competitors
Employees (58 - 80%)
Foreign Governments
Political Activists
Professional Spies
Reprinted from Cohen & Assc Presentation
Why Do They Attack?
Testing
Coercion
Military Advantage
Economic Advantage
Evidence
Money
Fun/Challenge
Vengeance
Mental Instability
Religious/Political Beliefs
Self-Defense
Types of Attacks
Antagonism
Denial of Service
Invasion of Privacy
System Modification
Some Hacker Tools
Logic Bombs
Trojan Horses
Worms
Viruses
Malicious Mobile Code
Over 1900 Web Sites (Free Hacking Tools)
Some Defense Tools
Virus Detection
Access Control
Firewalls
Dial-back Modems
Token-based Password
Public Cryptography
Biometrics
Internet
Older than… “Pong”
Digital Watches
IBM PC
Disco
MicroSoft
Current Concept of “Hackers”
+12M Hosts, 120M Users (70M-USA), 12% Growth a Month
1 Billion users by 2005, 66% abroad
New Web Site every 4 seconds
Electronic Commerce - Single Sites Over 100,000 Requests a Day
+80% Web Sites - Mobile Code Enabled
+90% EC Applications use Mobile Code
-50% Major Organizations w/Internet Use Firewall
Damage - Average cost of computer break-ins: +$136K
Of companies hit by viruses and espionage, most can't estimate the value of the damage.
Chart Reprinted from Information Week
Paradox
IT MANAGERS SURVEYED BY E&Y
Security of Internet Connections
62% Satisfied
38% Not Satisfied
Increase Important Transactions if Security were Enhanced
73% Yes
27% No
Increasing Need for Security
Most Fortune 500 Companies Penetrated by Cybercriminals
17% of Intrusion Victims Report to Authorities
FBI Estimate - $10B a year in Electronic Crimes
Increasing Scams
+100,000 Investors Victim to Phony Web Sites
High-tech revolutionary devices
Partnership with MicroSoft
Initial Public Offering with the SEC
Tens of Thousands Probing Attacks against Pentagon annually
Origin of Attacks Camouflaged through other Countries
DISA Vulnerability Testing
Some Road Blocks to Security
Lack of Sufficient Budget
Lack of Resources - Management Support, Staff
Lack of Awareness
Lack of Tools
Knowledge Base Needed (CISSP)
Access control
Telecommunications and network security
BCP
Security management practices – policies, standards, control of risk
control of risk
information classification
security awareness
organizational architecture
policy development
risk management
Security architecture and models
Law, investigation, and ethics
Knowledge Base Needed (CISSP) (con’t)
Application and system development security
Cryptography
Computer operations security
Physical security
threats and facility requirements
personnel physical access control
microcomputer physical security
“. . . information protection is not a simple matter, and it cannot be addressed from a single perspective. It is a pervasive problem that must be pursued in a holistic manner in order to provide its benefits.”
Define Environment & Assets
Risk Analysis
Policies, Stds, Procedures
Design & Implementation
Security Administration
Monitoring & Audits
The Process
Define Environment & Assets
Risk Analysis & Assessment
Policies, Stds, Procedures
Design & Implementation
Awareness & Administration
Monitoring, Testing & Audits
3. Business Continuity Program
BCP - Spells out what, who, how, and when for a quick and smooth restoration of critical operations after a catastrophic disruptive event; it minimizes losses and eventually returns the business to normal.
A Rose by Any Other Name . . .
Business Resumption Plan
Disaster Recovery Plan
Crisis Management Plan
Contingency Plan
Business Continuity Plan
Goals
Identify weaknesses and implement a disaster prevention program
Minimize the duration of a serious disruption to business operations
Facilitate effective coordination of recovery tasks and reduce the complexity of the recovery effort
Sources of Interruptions are Numerous
Natural
Tornadoes, Floods, Fires . . .
Human
Terrorist Attacks . . .
Most Frequent (Less Sensational)
Equipment Failure, Theft, Employee Sabotage . . .
Twelve Steps
1. Pre-planning
(Senior Mgmt Commitment/Support, Policies)
2. Risk Analysis
3. Business Impact Analysis
4. Identify Resources and Requirements Needed
5. Emergency Response
6. Coordination with Public Authorities
7. Public Relations and Crisis Communications
8. Strategic Alternatives
9. Plan Development/Implementation
10. Testing/Exercises
11. Awareness
12. Maintenance
Business Impact Analysis (BIA)
Foundation of BCP
Establishes the value of each major organizational function as it relates to the whole
Provides the basis for identifying the critical resources required to develop a business recovery strategy.
Establishes priority for restoring the functions of the organization in the event of a disaster.
Impacts
Revenue
Legal - fines, penalties
Goodwill, Client & Stockholder Confidence
Note: Losses May not be Dollars.
Six Steps to BIA
1. Identify the Critical Business Functions
2. Prioritize These Functions
3. Identify Dependencies and Resources Needed
4. Identify Points of Failure for Each Function
5. Estimate Probable Impact of Loss for Each Point of Failure
6. Determine if a Contingency Plan is Required
Failing to Test
Staying Current
Conduct a BIA on a planned periodic schedule or after a major change
Make sure a plan is included for each critical function that has a critical impact on mission accomplishment
Continue to test and evaluate plans at least once a year
Keep personnel responsibilities up to date and test for readiness
Involve key personnel in operational planning
Knowledge Base Needed (CRP, CBCP)
Project initiation and management
Risk evaluation and control
BIA
Developing business continuity strategies
Emergency response and operations
Developing and implementing business continuity plans
Awareness and training programs
Maintaining and exercising business continuity plans
Public relations and crisis communications
Coordination with public authorities
Scope/Maintenance
BIA
Strategic Alternatives, Teams
Plan Development, Implementation
Awareness
Testing
(Chart: Financial Losses Reported - categories Viruses, Employee Abuse, Unauthorized Access; values shown 70%, 16%, 31%)
(Chart: Importance of IRM Policy Elements - categories Awareness, BCP, IT Training, Encryption, Audits, Other; values shown 44%, 17%, 9%, 11%, 11%, 8%)
Process
Obtain Sr. Mgmt Buy-in, Support
Assign Roles and Responsibilities
Inventory Assets
Classify Information
Assess Risks
Business Continuity Plan
BIA
BCP Teams
Requirements
BCP Development/Implementation
Testing
Awareness
Maintenance
Information Security Plan
Policies/Procedures
Incident Reporting/Investigation
Countermeasures
Awareness
Monitor/Audit
Last Words
“Risk is a part of every activity and can never be eliminated, nor can all the risks ever be known. Risk in itself is not bad; risk is often essential to progress. But we must learn to balance the possible negative consequences of risk [to assets] against the potential benefits of its associated opportunity.”
“Risk Management in Practice,” SEI Technical Review
Go ahead and take risks… just be sure that everything will turn out...
Disasters are inevitable.... Survival isn't....