
Overview of Risk Management

Table of Contents

Cyber Risk Management for Managers .......................................................................................... 2

Course Objectives ........................................................................................................................... 3

Course Agenda ................................................................................................................................ 4

Risk Management Overview ........................................................................................................... 5

Risk Management ........................................................................................................................... 6

Tiers of Risk Management -1 .......................................................................................................... 8

Tiers of Risk Management -2 ........................................................................................................ 11

Terms You Should Know ............................................................................................................... 12

Response vs. Recovery .................................................................................................................. 13

The Risk Equation .......................................................................................................................... 18

Notices .......................................................................................................................................... 21

Page 1 of 21

Cyber Risk Management for Managers

© 2012 Carnegie Mellon University

**001 Chris Evans: This is the cyber risk management for managers class.

Course Objectives


Understand Key Concepts and Issues in Risk Management

Knowledge of Risk Assessment and Analysis Methodologies

Understand Multiple Risk Management Frameworks

Understand the Cyber Threat Environment

Identify Information Security Controls and Countermeasures to Mitigate Risks to Acceptable Levels

Understand Appropriate Risk Mitigation Strategies

Determine Security Strategies for Risk Response and Recovery

**005 And what you're going to learn about over the course of this class is we'll teach you a little bit about risk management, what the key concepts and issues and considerations are for doing risk management. We'll talk about how to do a risk assessment and some of the risk assessment methodologies that are available to you that you can choose if you want to use those. We'll also talk about risk management frameworks, and again some of the various options that are out there for you to use should you decide to do that. We have some information on cyber threats and what is the realm of the possible in terms of threats. We'll talk about that. We'll spend a lot of time talking about security controls and ways of mitigating risk and how you actually-- once you do your risk management, you find out what the problems are, how do you address them? What do you do to fix those problems? So, we'll talk about controls, risk mitigation, and mitigation strategies. And then we'll also talk about response and recovery strategies, kind of the follow on to what do you do after something bad has happened.

Course Agenda


Risk Management Overview

Risk Management Frameworks

Critical Assets and Operations

Threat Primer

Threats and Vulnerabilities

Risk Analysis and Mitigation

Security Controls

Mitigation Strategy Maintenance

Response and Recovery

**006 So, this is the agenda for us. We'll start out with risk management. We'll talk about critical assets and operations, how to determine those in your organization. We'll have a primer on cyber threats. We'll talk about how to determine threats and vulnerabilities to your organization or to your business function. Then we'll talk about how to do risk analysis and mitigation along with controls, strategies. And then we'll finish up with response and recovery.

Risk Management Overview


**007 So, let's roll right into risk management and a quick overview of this.


Risk Management


NIST SP 800-30 defines risk as “a function of the likelihood of a given threat-source exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.”

• Threat-source – Natural, human, or environmental
• Threat – Potential for threat-source to exploit vulnerability
• Vulnerability – Flaw that can present a security breach
• Likelihood – Probability of Threat combining with Vulnerability
• Countermeasure – Control to reduce risk

At a high level, this is accomplished by balancing exposure to risks against cost of mitigation and implementing appropriate countermeasures/controls.

**008 When we say risk management, what do we actually mean? Well, think about what a risk is. You'll see that a lot of definitions come from the various NIST-- National Institute Standard Special Publications. In this case this is NIST Special Pub 800-30, and it defines a risk as a combination of several different factors. So, you have a threat source. You have some type of threat. You have vulnerability. You have likelihood and some type of countermeasure. So, what we mean by all of this is you put all of these five individual components together and that equates to some type of risk. So, by threat source, we're talking about an actor here, so a hacker, a fire, or a flood, or some type of natural disaster. And there's also threats. So, this is a-- a threat is a potential for something to exploit a vulnerability or make something bad as it were. There's a vulnerability here. This is a weakness or a flaw that can be exploited. Likelihood is the probability of something actually happening, something bad happening. And countermeasures, then, are how you would address that bad, or the likelihood, reduce the likelihood or reduce the impact from it. So, you put all those together again and you come up with this idea of I have a risk. It has to involve those five components. If any one of those is missing, you have no risk. So, at a very high level here, risk management is about understanding what your risks are, figuring out what you do about it, and then actually putting a plan in place to address those risks.


Tiers of Risk Management -1

Ref: NIST SP 800-39

Risk management can be viewed as a holistic activity that is fully integrated into every aspect of the organization.

• The organization level
• The mission and business process level
• The information system level

Tier 1 – Organization (Governance)
Tier 2 – Mission (Business Process)
Tier 3 – Information System (Environment of Operations)

Strategic Risk (Tier 1) through Tactical Risk (Tier 3)

• Multi-tier Organization-Wide Risk Management
• Implemented by the Risk Executive Function
• Tightly coupled to Enterprise Architecture and Information Security Architecture
• System Development Lifecycle Focus
• Disciplined and Structured Process
• Flexible and Agile Implementation

**009 You will see that there are several different tiers of risk management here because if you look at the risk management process overall, it affects and it influences various parts of the organization. And generally speaking, one person can't sit down and do risk management for the entire organization. It's a big job. So generally, what strategies are is people will break it up into the tiers. So, you have tier one risk management and that's focused at the strategic level within the organization. Strategy, the overall functioning of the business, how the business operates or how your organization operates, that's tier one. That functions at the governance level.


You have tier two risk management and this is usually focused on some business process or a specific function within the business, practice area, maybe some type of functional area or maybe a business unit if you're in a corporation that has multiple business units. So, tier two focuses on a particular silo or a particular function. And then if you look at tier three, these are actually information systems. So, you're actually concerned with risk management over a particular system. So, if I were to put this down into a little diagram, what you would see is something like this. So at the top of this diagram, if you look at this as an organization or maybe a business, what you have here is risk management. Tier one risk management is focused at the strategic level, right? So, it crosses the entire organization. Then you have tier two, which is business process or functional areas for risk management. And so, you might find that in a company you'll have multiple business areas or multiple functions. And that's tier two risk management. And then within each business and even sometimes across businesses-- we'll put a couple crosses in here. You will have information systems. So, each business area or each practice area might have specific systems. That's what these T3s are. This is tier three. Or you might have systems that cross between individual business units or practice areas. And so, you can have risk management on each of these different systems here.


So, at any given time with an organization, you might have at least three different risk management functions or processes going on, one concerned with the overall strategy and the overall health and welfare of the organization, one that is concerned about a specific business function or business unit, and then one that's concerned about individual systems. And again, the point being that risk management will follow generally these three tiers with different focus areas, all the way from strategic level, focusing on the entire organization down to I'm looking at a particular system. I'm looking at our Windows Exchange server, or our web application or something like that.


Tiers of Risk Management -2

Tier 1 – Organization (Governance)
• Addresses risk from an organizational perspective with the development of a comprehensive governance structure and organization-wide risk management strategy

Tier 2 – Mission (Business Process)
• Addresses risk from a mission and business process perspective and is guided by the risk decisions at Tier 1
• Associated with Enterprise Architecture

Tier 3 – Information System (Environment of Operations)
• Risk decisions at Tiers 1 and 2 impact the ultimate selection and deployment of needed safeguards and countermeasures at the information system level.

**010 So, here it is again just presented a little bit differently. Again, just remember that tier one risk management is focused on governance levels, strategic operation of the company or organization. Tier two is focused on a particular business process or business function within the organization. And tier three, you're focused on individual systems out there that you might have within your organization.


Terms You Should Know


Response vs. Recovery

Threat, Vulnerability, and Risk

Risk Assessment

Business Continuity Management
• Risk Assessment
• Business Impact Analysis (BIA)
• Business Continuity Planning (BCP)

**011 There are some terms that you should know when you start talking about risk management. It's very common that there are a lot of terms that are out there that look very similar, and sometimes they get confused. And, in fact, in some of the risk management documentation you'll see out there, the various standards, they aren't exactly clear on what the definitions of these are, or they'll use terms interchangeably. So, some of the ones that we found are difficult to keep track of, or there's common miscommunication or confusion on what they are, are the idea of response versus recovery. What is incident response? What is recovery? What's the difference between the two? Threats, vulnerability and risks and understanding why each component is necessary and why they're different from each other. Risk assessment and what that entails as opposed to impact analysis or risk management, why that's different. And then business continuity management, again you've got risk assessment, impact analysis, and continuity planning and there are differences between all of those. And so, we'll talk about that. We'll first start off with response versus recovery.

Response vs. Recovery

Timeline, read left to right along the Time axis:

Planning, Operations, Prevention, Monitoring
• Business as usual
• Physical and Cyber Security practices

Response
• Life & Limb
• Incident Response
• Blocking, limit exposure

Contingency Recovery
• Incident Response
• Initial Damage Assessment
• Implement mutual support arrangements

Business Continuity
• Alternate site
• Alternate processes
• Operate under mutual support agreements

Business Restoration
• Return to old site or new permanent site
• Restore normal operations

**012 So, if you look at this particular chart, this is a timeline running from left to right across the screen here.


So, if you start on the left here at this green triangle, at that point in time you can consider this normal. This is day-to-day operations. You're doing things like planning, or continuity planning, planning for future incidents or events or something like that. You're doing your normal operations to prevent things, maybe monitor for cyber attacks or trying to detect cyber attacks. And it's really business as usual. So, all of this is everything's fine, nothing's going on, we're happy. At some point, something happens. That's what this big red splotch in the timeline is for. This is your actual incident. This could be a fire. It could be a distributed denial of service attack. It's some type of incident that takes your business out of normal. So, it could be anything. Something happens right here. You immediately go into response mode. If there's a fire in the building, what do you do? You leave, right? If there's a cyber attack, what do you do? Well, it depends on your processes and what you've got defined for that. But in the response phase you immediately go into this what do I do right now. Something is happening. What am I most concerned about? If it's a physical event, you're usually concerned more about life and limb. Like if it's a fire, get out. If the building is collapsed or something like that, searching for people who are injured or trapped. You go into this incident response mode. From a cyber perspective, you might be doing things like blocking traffic, limiting the exposure to this particular attack or this particular vulnerability, preventing the spread of this type of attack or whatever is going on. This could last seconds. It could last minutes. It's usually a very short, defined period of time. It's the things you do right now.

From there you move into the red triangle there, contingency recovery. These are things that you do after you get out of the building. Okay, what do I do now? I need to start thinking about starting up my business somewhere else. I need to start pulling people out, moving them around, shifting assets or resources. But you're doing things. It might be a continuation of incident response that you started here as soon as the incident happened. So, you might be doing something like that. You might sit back and go what just happened. You're doing a damage assessment. What happened? How bad are we? What was affected? So, you might do something like that. And also, at this point, you might start making a few initial phone calls to go and say we just lost our primary facility. I need to start activating service agreements or standing up the alternate site or something like that. And so, you do all of that within this contingency recovery phase right here. And this, again, this could start seconds after the incident. It's usually about an hour or so after the incident. You start shifting into this to see what you need to do.

From there, at some point, you're going to shift into business continuity mode. And this is where you are really concerned with what do I do about my business, I had an incident. Some parts of my business were affected. How do I pick the pieces up and keep moving? So, here business continuity, you're going to maybe go out and stand up your alternate site. If you had a server that was knocked offline maybe you're restoring that piece of equipment or rebuilding it. You're maybe activating your alternate processes, or if you have mutual aid agreements or support agreements, you're shifting all your operations to those. And why do you do that? You're doing that because you want the business operations to continue. That's why this is called the business continuity phase. You're concerned with continuing the business.

And then the last one here, this could happen weeks-- well usually days, weeks or months after the incident. So, this is kind of the final phase of this incident timeline here. And in business restoration, you're concerned really with how do I get back to where I was all the way up here on the left side of the timeline. How do I get back to normal? And with that you might want to think about how do I move to-- I'm at my alternate site. How do I get back to where I was? How do I resume normal operations? And I can tell you from looking at the way companies and the way organizations do this, a lot of people focus here at the incident response phase. And they're really good at how do we take our initial steps after the incident. And they're really good at business continuity. So, they know that they need to stand up an alternate site. Where the risk management process usually breaks down is here with business restoration. So everybody thinks about how do I get to my alternate site, how do I stand up all this additional capability, but then what's forgotten about is I've got to resume normal operations. How do I do that? What's the plan for that?

And so, if you look at this as a physical example, if Cathy and I were standing right in front of each other, and she smacked me in the face, well that would be an incident, right? So, here we are. We're just having a normal conversation. She decides to push me. What happens? The push is the actual incident. What am I going to do as I'm falling backwards? Probably wonder why she did it, but second I'm going to worry about my own life and limb as I fall to the ground. So I'm probably going to try and turn and sort of cushion myself as I fall over. Then I'm going to go into contingency recovery. Well, what do I do? I'm probably laying there on the floor going what just happened. At that point, I might run into-- or I might go to business continuity. Okay, I'm going to get myself back up off the floor. I'm probably still wondering what happened. But I'm going to pick myself back up off the floor, and then I'm going to turn around and have a conversation with her again about why this happened. And we'll go back to our regular conversation, not saying that Cathy would push me over or anything like that, but you know.


So, if you look at this from the standpoint of here I got pushed. Here I fell to the ground and tried to cushion myself as I hit the ground, figure out what just happened and maybe why. Here I'm going to stand back up in the continuity phase. And then business restoration, turn around and dust myself off and let's continue on with our conversation.

The Risk Equation

Risk = Threat x (Likelihood x Vulnerability) x Impact

**013 So, the risk equation, as I said before, there were certain components of a risk. What defines a risk? Well, we said that you had to have some type of threat. You had to have some type of likelihood, vulnerability. And then there's also an impact component of this. So if this is the risk equation, if you take any one of these components what do you have? Or what do you not have?

Student: Risk.

Chris Evans: You don't have a risk. Right. So, if I have a likelihood and a vulnerability, so there's a vulnerability on my system, it's highly likely somebody could take advantage of it, and the impact is really bad, it's going to knock this server offline, but there's nobody taking advantage of it. Do I have a risk? Probably not. The same thing holds true if there's no vulnerability or no impact, or no likelihood. I still don't have an actual threat-- I'm sorry, an actual risk. So, look at this from the standpoint of patches. So, there's a missing patch on a Windows host, or on a Windows server let's say. That's a vulnerability. Is it likely that somebody's going to come along and take advantage of it? Well, it's a web server. It's hanging out there in the Internet. Yeah, it's likely that somebody might take advantage of that. What's the impact from that? Well, the server goes offline or they access information. Okay, generally that's a bad impact. But, if there's nobody with a proof of concept exploit, or there's nobody actually out there taking advantage of it, is it a risk I need to worry about? It's kind of a trick question. Generally, no I don't need to worry about it because I probably have twenty other things I need to worry about first. But at least I know about it. So, there's probably minuscule risk associated with it. But then you think about well at any time somebody could stand up and go I've got the exploit for it and start hitting things. Let's take a look at this one here. So, take the same example. I have a Windows server that's running-- it's a website. There's a vulnerability available for it. There's an exploit available for it. And there are people actively exploiting it. But, I have two copies of my website, one running on Microsoft Windows and one running on Linux. And they fail over to each other. So, if one gets affected or crashes, the other one picks up the load. So, it's like a cluster, a shared service. Do I have a risk? So, I have hackers out there who are actively exploiting this. I have a vulnerability because it's a missing patch. And it's very likely that somebody is going to do something with it because there is an active exploit out there for it. But, if one of my servers goes down, it doesn't matter because I've got a second one. Do I have a risk here? Well, to my business, no, at least to my website, no. My website's still up and running because I've got that alternate server.
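The risk equation and the lecturer's web server scenarios (no known exploit, exploit actively used, failover copy, patch applied), worked through as a small risk register. This is an added illustration, not code from the SEI course; the 0-3 scoring scale, the `Risk`, `apply_control` and `is_latent` names, and the fire scenario's scores are assumptions for the example.

```python
"""Risk = Threat x (Likelihood x Vulnerability) x Impact, as a tiny risk register.

Added illustration, not SEI course material. Factor scores are 0-3
(0 = component absent, 3 = high); the scale is an assumption for this example.
"""
from dataclasses import dataclass, replace

FACTORS = ("threat", "likelihood", "vulnerability", "impact")


@dataclass(frozen=True)
class Risk:
    name: str
    threat: int         # a threat-source able and willing to act (actor, exploit in the wild)
    likelihood: int     # probability the threat-source actually exercises the flaw
    vulnerability: int  # the flaw is present (e.g. missing patch); 0 once patched
    impact: int         # consequence to the business function if it happens

    def score(self) -> int:
        # Multiplicative, so any factor at 0 zeroes the product: "you have no risk".
        return self.threat * (self.likelihood * self.vulnerability) * self.impact

    def missing(self) -> tuple:
        """Which of the required components are absent."""
        return tuple(f for f in FACTORS if getattr(self, f) == 0)

    def is_latent(self) -> bool:
        # Scores 0 today but exactly one component is absent: a single change (an
        # exploit gets published, the failover node dies) makes it live, so it stays
        # on the register as a watch item instead of being dropped.
        return self.score() == 0 and len(self.missing()) == 1


def apply_control(risk: Risk, name: str = None, **factor_changes: int) -> Risk:
    """A countermeasure lowers a factor: patching -> vulnerability, failover -> impact."""
    unknown = set(factor_changes) - set(FACTORS)
    if unknown:
        raise ValueError(f"unknown factor(s): {sorted(unknown)}")
    for value in factor_changes.values():
        if not 0 <= value <= 3:
            raise ValueError("factor scores must be 0-3")
    return replace(risk, name=name or risk.name, **factor_changes)


def rank(register) -> list:
    """Highest score first: the 'twenty other things I need to worry about first' list."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def register_report(register) -> list:
    """(name, score, latent?) rows in ranked order."""
    return [(r.name, r.score(), r.is_latent()) for r in rank(register)]


# Constructed scenarios mirroring the lecture's unpatched Windows web server.
WEB_NO_EXPLOIT = Risk("unpatched web server, no known exploit or actor",
                      threat=0, likelihood=3, vulnerability=3, impact=3)
WEB_ACTIVE_EXPLOIT = Risk("unpatched web server, exploit actively used",
                          threat=3, likelihood=3, vulnerability=3, impact=3)
# Same server with a Linux copy that fails over: the impact to the website is gone.
WEB_WITH_FAILOVER = apply_control(WEB_ACTIVE_EXPLOIT, name="web server with failover", impact=0)
# Or apply the patch instead: the vulnerability is gone.
WEB_PATCHED = apply_control(WEB_ACTIVE_EXPLOIT, name="web server, patched", vulnerability=0)
# A natural threat-source from the lecture (fire); scores are constructed.
FACILITY_FIRE = Risk("fire at the primary facility",
                     threat=1, likelihood=1, vulnerability=2, impact=3)

REGISTER = [WEB_NO_EXPLOIT, WEB_ACTIVE_EXPLOIT, WEB_WITH_FAILOVER, WEB_PATCHED, FACILITY_FIRE]

if __name__ == "__main__":
    for name, score, latent in register_report(REGISTER):
        print(f"{score:3d}  {'latent' if latent else 'live  '}  {name}")
```

Running it ranks the actively exploited server (81) above the fire (6), and the three zero-score entries are flagged latent: each is one change away from becoming a live risk, which is the lecturer's "at any time somebody could stand up with the exploit" point.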


Notices

© 2014 Carnegie Mellon University

This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study.

Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].

This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding.

THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT® is a registered mark owned by Carnegie Mellon University.
