Information Risk Management Overview

Nena Young, CRP, CBCP, Texas Department of Information Resources. Email: [email protected]

Posted 19-Jan-2016

TRANSCRIPT

Page 1: Information Risk Management Overview

Texas Department of Information Resources

Information Risk Management Overview

Nena Young, CRP, CBCP
Texas Department of Information Resources
email: [email protected]

Page 2

Principles for All Sub-Programs

Risk Assessment and Solutions

Centered Management

Implementation of Controls, including policies

Awareness

Monitoring and Evaluation of Effectiveness

Page 3

Bonus

In-depth Assessment of risks

Comprehensive picture of business and technical processes

Identify opportunities for process enhancements and/or re-engineering

Rapid, precise, smooth recovery

“Insurance Policy” for staying in business.

Page 4

Program Components:

1. Risk Analysis & Risk Assessment

2. Information Security Program

3. Business Continuity Program

Page 5

Information Risk Management Program

Roles and Responsibilities Defined

Data Classification

Assets Inventory

(Diagram: the program rests on Risk Analysis, the Information Security Program and BCP)

Page 6

1. Risk Analysis & Risk Assessment

Risk Analysis - The process of identifying and documenting vulnerabilities and applicable threats to assets.

Risk Assessment - Projecting losses, assigning levels of risk, and recommending appropriate measures to protect assets.

Page 7

Snapshot in time.

Discover compliance with existing policies.

Basis for selecting cost-efficient, most appropriate protection measures for assets.

Equilibrium between asset loss and countermeasures.

Provide information on likelihood of threat occurrence and asset impact.

Mandated by the federal government and most states.

Ensure reasonable steps are taken to prevent loss of assets.

Foundation of all risk management programs

Page 8

Risk Analysis vs BIA

Risk Analysis & Assessment - (Proactive)

Initial process that identifies critical processes, evaluates current standards and countermeasures, determines cost-effective mitigation of identified risks, and includes ALE.

Business Impact Analysis - (Reactive)

Quantifies risks to include exposure results such as financial loss, client goodwill, public confidence, etc.

Page 9

Jargon

Assets - Anything with value that is worth protecting or preserving.

Threats - Events or actions which always exist and can generate undesirable impacts or loss of assets. Can be either human or environmental.

Vulnerabilities - The “windows of opportunity” which allow threats to materialize. The exposures. Conditions of weakness.

Countermeasures - (Safeguards, Controls) - Devices, processes, actions, procedures that can reduce vulnerabilities. Preventive, Detective, Corrective.

Risk - Potential for a threat to exploit a vulnerability. A threat + a vulnerability = a RISK.

Page 10

The Basics

Assets identified.

Threats identified.

Vulnerabilities identified.

Asset Losses identified.

Protective measures identified and proposed.

Page 11

Quantitative vs Qualitative

Theoretically . . .

Quantitative

Objective Numeric Values

Asset Value

Impact

Frequency of Threats

Countermeasure Cost-Effectiveness

Use of Complex Calculations (confidence factors, probabilities, SLE, ALE)

Qualitative

Descriptive, Immeasurable Values

Characteristics

No Quantifiable Data

No ALE

Yes/No; Low/Medium/High; Vital/Critical/Important; good/bad

Rankings based on judgement

Page 12

In the Real World . . .

Risk Analysis Involves Both

Quantifiable measurements.

Judgements based on experience and knowledge.

Page 13

Ten Steps

1. Organize and Define the Scope

2. Identify and Value the Assets

3. Identify Applicable Threats

4. Identify and Describe Vulnerabilities

5. Establish Pairings (relationships)

6. Determine the Impact of Threat Occurrence

7. Measure Existing Countermeasures

8. Determine Residual Risks

9. Recommend Additional Countermeasures

10. Prepare a Risk Analysis Report

Page 14

Types of Threats:

Human - Intentional
  Malicious Software Invasion
  Fraud or embezzlement

Human - Unintentional
  Programmer Error
  User Error

Environmental - Natural
  Earthquakes
  Flood

Environmental - Fabricated
  Fire
  Electromagnetic interference

Page 15

Impact of Threat Occurrence

Impact (Loss) Categories:

Disclosure - Classification or sensitivity of information. Who has access.

Modification - A realized threat causes unauthorized changes in an asset.

Destruction - Threat activity causes damage to an asset, making it unusable.

Denial of Service - A realized threat causes a loss of availability.

Page 16

Types of Countermeasures

Preventive

Detective

Corrective

Page 17

Residual Risks are accepted, mitigated, transferred.

(Diagram: Assets, Vulnerabilities, Threats, Countermeasures, Impacts)

Page 18

Knowledge Base Needed

Analysts Need to:

Know current and historical internal environment.

Know current and historical external environment.

Understand dependencies and vulnerabilities.

Understand threat profiles.

Understand countermeasure choices and related costs.

Be able to apply cost-benefit analysis to risks and countermeasures.

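As an added worked example (not code from the presentation), the quantitative side of the ten steps and the cost-benefit analysis the preceding slides call for, in Python: asset/threat/vulnerability pairings are scored with SLE and ALE, a proposed countermeasure is checked for cost-effectiveness, and the residual risk is accepted, mitigated or transferred. The exposure factor (EF) and annual rate of occurrence (ARO) inputs, the risk_appetite threshold and every dollar figure are assumptions constructed for illustration.

```python
# Added worked example (not code from the DIR presentation): quantitative
# risk analysis over asset/threat/vulnerability pairings using the SLE/ALE
# formulas the slides name; EF, ARO and all dollar figures are constructed.
from dataclasses import dataclass

@dataclass
class Pairing:
    asset: str
    asset_value: float   # AV, dollars
    threat: str
    vulnerability: str
    ef: float            # exposure factor: fraction of AV lost per occurrence
    aro: float           # annual rate of occurrence (expected events per year)

@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    new_ef: float        # exposure factor once the safeguard is in place
    new_aro: float       # occurrence rate once the safeguard is in place

def sle(av, ef):
    """Single Loss Expectancy = asset value x exposure factor."""
    return av * ef

def ale(av, ef, aro):
    """Annualized Loss Expectancy = SLE x annual rate of occurrence."""
    return sle(av, ef) * aro

def cost_benefit(p, cm):
    """Annual value of the safeguard: ALE before - ALE after - its cost."""
    before = ale(p.asset_value, p.ef, p.aro)
    after = ale(p.asset_value, cm.new_ef, cm.new_aro)
    return before - after - cm.annual_cost

def disposition(p, cm, risk_appetite):
    """Residual risks are accepted, mitigated or transferred."""
    if ale(p.asset_value, p.ef, p.aro) <= risk_appetite:
        return "accept"      # already within what management tolerates
    if cost_benefit(p, cm) > 0:
        return "mitigate"    # safeguard pays for itself: recommend it
    return "transfer"        # not cost-effective to fix: insure or outsource

def analyze(pairs, risk_appetite):
    """Return (asset, threat, ALE, residual ALE, decision) per pairing."""
    report = []
    for p, cm in pairs:
        before = round(ale(p.asset_value, p.ef, p.aro), 2)
        residual = round(ale(p.asset_value, cm.new_ef, cm.new_aro), 2)
        report.append((p.asset, p.threat, before, residual,
                       disposition(p, cm, risk_appetite)))
    return report

# Constructed sample pairings; threat names follow the slide 14 categories.
SAMPLE = [
    (Pairing("file server", 200_000, "malicious software", "unpatched OS", 0.4, 0.5),
     Countermeasure("patch management + anti-virus", 12_000, 0.1, 0.2)),
    (Pairing("data center", 5_000_000, "flood", "ground floor", 0.5, 0.02),
     Countermeasure("relocate to upper floor", 400_000, 0.5, 0.001)),
    (Pairing("workstation", 3_000, "user error", "no local backup", 0.5, 2.0),
     Countermeasure("nightly backup agent", 500, 0.1, 2.0)),
]
```

Calling analyze(SAMPLE, risk_appetite=5_000) yields "mitigate" for the file server (ALE $40,000 falls to $4,000 for a $12,000 safeguard), "transfer" for the data center (a $400,000 safeguard against a $50,000 ALE) and "accept" for the workstation (ALE $3,000 is under the threshold).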

Page 19

(Diagram, modified from Len Watts, U.K., Computer Security Risk Management Model Builders: Start here - Threats exploit Vulnerabilities, exposing Assets to a loss of Confidentiality, Integrity & Availability, causing Business Impacts, which are limited by Countermeasures, which protect against the Threats at the start of the loop. Threats, Vulnerabilities and Business Impacts increase RISKS; Countermeasures reduce them.)

Boundaries: Uncertainty

Cycle Drivers: Changing Requirements, Changing Systems, Changing Environment

Page 20

2. Information Security Program

Security - Protection of an organization’s information assets.

Purpose - The preservation of the “confidentiality, integrity, and availability” (CIA) of information. Can add utility and authenticity.

Page 21

Purpose: A Secure Enterprise

Protection of Assets

Protection of Goodwill

Integrity of Applications and Data

Due Diligence

Protection of Employees, Shareholders, Partners, Clients

Page 22

Eight Steps

1. Management Sponsorship and Support

2. Organize and Define the Scope

3. Risk Analysis

4. Policies and Procedures

5. Controls

6. Security Breach Reporting and Investigation

7. Awareness Training

8. Monitor and Test

Page 23

The Bad Guys

Competitors

Employees (58 - 80%)

Foreign Governments

Political Activists

Professional Spies

Reprinted from Cohen & Assc Presentation

Page 24

Why Do They Attack?

Testing

Coercion

Military Advantage

Economic Advantage

Evidence

Money

Fun/Challenge

Vengeance

Mental Instability

Religious/Political Beliefs

Self-Defense

Page 25

Types of Attacks

Antagonism

Denial of Service

Invasion of Privacy

System Modification

Some Hacker Tools

Logic Bombs

Trojan Horses

Worms

Viruses

Malicious Mobile Code

Over 1900 Web Sites (Free Hacking Tools)

Some Defense Tools

Virus Detection

Access Control

Firewalls

Dial-back Modems

Token-based Password

Public Cryptography

Biometrics

Page 26

Internet

Older than . . .

“Pong”

Digital Watches

IBM PC

Disco

MicroSoft

Current Concept of “Hackers”

+12M Hosts, 120M Users (70M-USA), 12% Growth a Month

1 Billion users by 2005, 66% abroad

New Web Site every 4 seconds

Electronic Commerce - Single Sites Over 100,000 Requests a Day

+80% Web Sites - Mobile Code Enabled

+90% EC Applications use Mobile Code

-50% Major Organizations w/Internet Use Firewall

Page 27

Damage - Average cost of computer break-ins: +$136K

Of companies hit by viruses and espionage, most can't estimate the value of the damage.

Chart Reprinted from Information Week

Page 28

Paradox

IT MANAGERS SURVEYED BY E&Y

Security of Internet Connections

62% Satisfied

38% Not Satisfied

Increase Important Transactions if Security were Enhanced

73% Yes

27% No

Page 29

Increasing Need for Security

Most Fortune 500 Companies Penetrated by Cybercriminals

17% of Intrusion Victims Report to Authorities

FBI Estimate - $10B a year in Electronic Crimes

Increasing Scams

+100,000 Investors Victim to Phony Web Sites

High-tech revolutionary devices

Partnership with MicroSoft

Initial Public Offering with the SEC

Tens of Thousands Probing Attacks against Pentagon annually

Origin of Attacks Camouflaged through other Countries

DISA Vulnerability Testing

Page 30

Some Road Blocks to Security

Lack of Sufficient Budget

Lack of Resources - Management Support, Staff

Lack of Awareness

Lack of Tools

Page 31

Knowledge Base Needed (CISSP)

Access control

Telecommunications and network security

BCP

Security management practices – policies, standards, control of risk
  control of risk
  information classification
  security awareness
  organizational architecture
  policy development
  risk management

Security architecture and models

Law, investigation, and ethics

Page 32

Knowledge Base Needed (CISSP) (con’t)

Application and system development security

Cryptography

Computer operations security

Physical security
  threats and facility requirements
  personnel physical access control
  microcomputer physical security

“. . . information protection is not a simple matter, and it cannot be addressed from a single perspective. It is a pervasive problem that must be pursued in a holistic manner in order to provide its benefits.”

Page 33

(Cycle diagram:)

Define Environment & Assets

Risk Analysis

Policies, Stds, Procedures

Design & Implementation

Security Administration

Monitoring & Audits

Page 34

The Process

Define Environment & Assets

Risk Analysis & Assessment

Policies, Stds, Procedures

Design & Implementation

Awareness & Administration

Monitoring, Testing & Audits

Page 35

3. Business Continuity Program

BCP - Spells out what, who, how, and when for a quick and smooth restoration of critical operations after a catastrophic disruptive event, minimizes losses, and eventually returns to business as normal.

Page 36

A Rose by Any Other Name . . .

Business Resumption Plan

Disaster Recovery Plan

Crisis Management Plan

Contingency Plan

Business Continuity Plan

Page 37

Goals

Identify weaknesses and implement a disaster prevention program

Minimize the duration of a serious disruption to business operations

Facilitate effective co-ordination of recovery tasks and reduce the complexity of the recovery effort

Page 38

Sources of Interruptions are Numerous

Natural

Tornadoes, Floods, Fires . . .

Human

Terrorist Attacks . . .

Most Frequent (Less Sensational)

Equipment Failure, Theft, Employee Sabotage . . .

Page 39

Twelve Steps

1. Pre-planning (Senior Mgmt Commitment/Support, Policies)

2. Risk Analysis

3. Business Impact Analysis

4. Identify Resources and Requirements Needed

5. Emergency Response

6. Coordination with Public Authorities

7. Public Relations and Crisis Communications

8. Strategic Alternatives

9. Plan Development/Implementation

10. Testing/Exercises

11. Awareness

12. Maintenance

Page 40

Business Impact Analysis (BIA)

Foundation of BCP

Establishes the value of each major organizational function as it relates to the whole

Provides the basis for identifying the critical resources required to develop a business recovery strategy.

Establishes priority for restoring the functions of the organization in the event of a disaster.

Page 41

Impacts

Revenue

Legal - fines, penalties

Goodwill, Client & Stockholder Confidence

Note: Losses May not be Dollars.

Page 42

Six Steps to BIA

1. Identify the Critical Business Functions

2. Prioritize These Functions

3. Identify Dependencies and Resources Needed

4. Identify Points of Failure for Each Function

5. Estimate Probable Impact of Loss for Each Point of Failure

6. Determine if a Contingency Plan is Required

Page 43

Failing to Test

Page 44

Staying Current

Conduct a BIA on a planned periodic schedule or after a major change

Make sure a plan is included for each critical function that has a critical impact on mission accomplishment

Continue to test and evaluate plans at least once a year

Keep personnel responsibilities up to date and test for readiness

Involve key personnel in operational planning

Page 45

Knowledge Base Needed (CRP, CBCP)

Project initiation and management

Risk evaluation and control

BIA

Developing business continuity strategies

Emergency response and operations

Developing and implementing business continuity plans

Awareness and training programs

Maintaining and exercising business continuity plans

Public relations and crisis communications

Coordination with public authorities

Page 46

Scope/Maintenance

BIA

Strategic Alternatives, Teams

Plan Development, Implementation

Awareness

Testing

Page 47

(Chart: Financial Losses Reported - Viruses, Employee Abuse, Unauthorized Access; values shown: 70%, 16%, 31%)

(Chart: Importance of IRM Policy Elements - Awareness, BCP, IT Training, Encryption, Audits, Other; values shown: 44%, 17%, 9%, 11%, 11%, 8%)

Page 48

Process

Obtain Sr. Mgmt Buy-in, Support

Assign Roles and Responsibilities

Inventory Assets

Classify Information

Assess Risks

Business Continuity Plan
  BIA
  BCP Teams
  Requirements
  BCP Development/Implementation
  Testing
  Awareness
  Maintenance

Information Security Plan
  Policies/Procedures
  Incident Reporting/Investigation
  Countermeasures
  Awareness
  Monitor/Audit

Page 49

Last Words

“Risk is a part of every activity and can never be eliminated, nor can all the risks ever be known. Risk in itself is not bad; risk is often essential to progress. But we must learn to balance the possible negative consequences of risk [to assets] against the potential benefits of its associated opportunity.”

“Risk Management in Practice,” SEI Technical Review

Go ahead and take risks . . . just be sure that everything will turn out . . .

Disasters are inevitable . . . Survival isn't . . .