Paradigm Shift! - Customer Information Centric IT Risk Assessments
DESCRIPTION
Readers will be exposed to a methodology for the evaluation of information security risks based on the “Value” of customer/employee information rather than on the “Economic Value” of the information to the organization.
TRANSCRIPT
The CICRAM™ Paradigm Shift! Customer Information Centric IT Risk Assessments
CICRAM™ IT Risk Assessment Methodology © Copyright 2004-2009 Fernando Reiser, All Rights Reserved
The CICRAM™ IT Risk Assessment Methodology for GLBA & HIPAA Compliance
May 7th 2009
Why Perform IT Risk Assessments?
• Management Request
• Regulatory Requirement
• IT Best Practice
What is “Risk”?
• First and most obvious, “Risk” is a probability issue.
• “Risk” has both a frequency and a magnitude component.
• The fundamental nature of “Risk” is universal, regardless of its context.
An Introduction to Factor Analysis of Information Risk (FAIR) - A framework for understanding, analyzing, and measuring information risk. Jack A. Jones, CISSP, CISM, CISA
“Risk is the association of the probability/frequency of a negative event occurrence, with the projected magnitude of a future loss.” Fernando A. Reiser CISSP, CISM, CISA, CIPP – April 2009
It’s All About IT Risk
The Basic “IT Risk” Formula
Information Security Professionals generally can agree that:
IT Controls mitigate Risk by lowering the Probability of a Threat acting on a Vulnerability to harm an organization’s Asset.
Assessing “IT Risk”
High Level Goals & Objectives
• Assess current threats & vulnerabilities
• Identify and assess “Risk Factors” to the Organization
• Present information in a way that management can use to make informed business decisions based on risk.
Processes
• Identify assets – information stores & IT systems.
• Quantify the probability of a negative event occurrence.
• Determine the value of information & IT assets.
• Assess the business impact of negative events.
Assessing “IT Risk”
It’s a simple concept, but a difficult and complex analytical problem to solve.
Most IT Risk Assessment Methodologies Attempt to Determine the Threats, Vulnerabilities, Negative Event Likelihood and Information Security Impacts to Specific IT Assets.
What IT Risk Assessment Methodology Should I Use?
Quantitative Risk Analysis - Two basic elements are assessed: the probability of a negative event – the “ARO” (annual rate of occurrence) – and the likely financial loss from one occurrence – the “SLE” (single loss expectancy). The Annual Loss Expectancy is then calculated: “ALE” = ARO × SLE.
Qualitative Risk Analysis - This is by far the most widely used approach to risk analysis. Probability data is not required; likelihood and impact are rated on ordinal scales (for example Low / Medium / High) rather than expressed as currency figures.
“Published” IT Risk Assessment Methodologies
Quantitative Methodologies: CRAMM, BITS (Kalculator), FAIR, FMEA
Qualitative Methodologies: FRAP, COBRA, OCTAVE
Assessing IT Risk:
“The Problem in the security world is we often lack the data to do risk management well. Technological risks are complicated and subtle.”
“We don’t know how well our network security will keep the bad guys out, and we don’t know the cost to the company if we don’t keep them out.”
Does risk management make sense? Bruce Schneier – Oct 2008
In Addition, Traditional IT Risk Assessment Methodologies Do Not Assess IT Risks To Customer Information:
• Storage
• Transmission
• Access & Processing
I Stipulate That The IT Security Profession Has A Dirty Little Secret ...
Randy Pausch Said In His Now Famous “Last Lecture” …
“When There Is An Elephant In The Room, Introduce Him” – Randy Pausch
Graphic – www.thelastlecture.com
“Most IT Security Professionals Can Not Accurately Assess IT Risks.” Fernando A. Reiser CISSP, CISM, CISA, CIPP – April 2009
“Ask a dozen information security professionals to define risk and you’re certain to get several different answers.” An Introduction to Factor Analysis of Information Risk (FAIR), Jack A. Jones, CISSP, CISM, CISA
In fact, many Information Security professionals cannot even agree on a definition of IT Risk!
“Technically speaking, risk is the probability of a threat agent exploiting a vulnerability and the resulting business impact.” Understanding Risk, Shon Harris CISSP - 2006
If security professionals cannot agree on what the risks are, how can we accurately assess “IT Risks”?
What Are Leading Information Security Professionals Saying About Current IT Risk Assessment Processes & Models?
• Why Johnny Can’t Evaluate Security Risk – George Cybenko, Editor in Chief
• Number-driven risk metrics ‘fundamentally broken’ – Amit Yoran, former National Cyber Security Division director
• Taking the risk out of IT risk management – Jim Hietala – October 16, 2008
• It’s time to think differently about protecting data – Bill Ledingham – September 10, 2008
• Why you shouldn’t wager the house on risk management models – Bruce Schneier and Marcus Ranum – Oct 2008
There Is A Problem With Many IT Risk Assessment Processes.
Traditional IT Risk Assessment Methodologies are Primarily Focused on the Risks and Impacts to the Organization that is Being Assessed.
The Impact to the Confidentiality or Integrity of Customer and Employee Information is not Assessed!
Graphic - Microsoft
Why Are Risks to Customer Information Important?
• Regulatory Requirements: Financial Industry – GLBA; Health Care – HIPAA; Higher Education – FERPA; State Data Breach Laws
• Industry Standards: Retail – PCI
• Organizational Reputation
Graphic - Microsoft
The CICRAM™ IT Risk Assessment Methodology for GLBA & HIPAA Compliance
A Paradigm Shift In IT Risk Assessment Methodologies!
Assess Risks To Customer & Employee Information, Rather Than Operational IT Risks To The Organization.
CICRAM™ IT Risk Assessment Methodology
Core Concepts: A Simplified View of IT Risks
Risk = (Threat × Vulnerability × Asset Value) / Countermeasures
An IT Risk is defined within CICRAM™ as the likelihood of a Threat acting on a Vulnerability to harm an asset, which causes a negative impact.
CICRAM™ IT Risk Assessment Methodology
Core Concepts:
• There is a practically unlimited number of “Latent” vulnerabilities in software systems that allow attackers to breach computer systems.
• There is a sufficiently high number of “Threats” that, given enough time, the likelihood of a given vulnerability being exploited approaches 100%.
• “Customer Information” has an inherently high value.
• Assess “Risks” by following the movement of Customer Information.
• Assess the effects of an IT control failure. The “Worst Case Scenario” (the control area has failed outright) becomes the “Baseline” for the IT Risk Assessment.
• Effective IT controls reduce risks.
• IT Risks are almost never reduced to zero by the implementation of IT controls; there is usually some “Residual Risk”.
CICRAM™ IT Risk Assessment Methodology
Core Concepts:
There are only a few actions that can be performed with an Organization’s Customer Information:
ACTION                | INFORMATION SECURITY RISK FACTOR
View / Access / Use   | Confidentiality
Copy                  | Confidentiality
Modify                | Integrity
Loss                  | Confidentiality
Delete / Destroy      | Integrity and Availability
CICRAM™ IT Risk Assessment Methodology
“A Hybrid IT Risk Assessment Process”
• Use Qualitative Analysis methods to determine current IT “Threats”.
• Utilize “Data Flow” concepts to analyze risks to Customer Information as it moves across various environments.
• Use Interrogative & RIIOT (Review, Interview, Inspect, Observe, Test) methods to document the IT environment used to transmit, manipulate and store customer data.
• Use Qualitative Analysis methods to develop a “Baseline” of IT Risks for an IT environment that does not have any IT controls.
• Use Control Maturity Modeling and Quantitative Analysis methods to assess the effectiveness of current IT controls.
• Use Quantitative Analysis methods to determine the risk reduction impact of current IT controls.
CICRAM™ IT Risk Assessment Step #1 – Assess The Current IT Threat Environment
Attack Motivational Factors
External Threats
  i. Criminal Cyber Gangs
  ii. Former Employees
  iii. Consultants & Contractors
  iv. Casual Hackers & Script Kiddies
Insider Threats
  i. Malicious Insiders: Corporate Spies & Disgruntled Employees
  ii. Careless Staff: Policy Breakers and the Uninformed
Technical Attacks
  Malware Applications
    i. Viruses, Worms, Trojans
    ii. Spyware
    iii. Adware
  Botnets
  DNS
  Denial of Service
Human Attacks
  Social Engineering
  Identity Theft
  Email Spam
CICRAM™ IT Risk Assessment Step #2 – Determine Where Customer Information Is Located
Data Flow Regions: Application Systems, Infrastructure, Business Partners
IT Risks
CICRAM™ IT Risk Assessment Step #3 – Document The IT Operational Environment: IT Systems & Applications
Use IT auditing tools and methods like questionnaires, interviews and diagrams to document the IT systems and applications.
CICRAM™ IT Risk Assessment Step #4 – Select an Information Security Controls Framework
FFIEC & FTC Standards for Safeguarding Customer Information + ISO 17799 Security Program + NIST SP 800 / SANS / PCI Controls + COBIT & ITGI Controls + current information from the SANS Institute, Analysts and Industry Best Practices = Your Organization’s IT Security Control Framework
• Each “Standard” may contain similar information security controls.
• Resolve circular references and overlapping IT controls across the multiple frameworks.
• Use hierarchical clustering to group IT Controls into categories.
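The consolidation step above (several frameworks, overlapping controls, grouped into categories so each control is assessed once) is shown below as an added example; it is not code from the slide deck or from the CICRAM™ methodology. The control statements are constructed paraphrases, the reference numbers (“ISO-11.4”, “PCI-1.1” and so on) are placeholders rather than real clause numbers, and the similarity threshold is an assumed tuning parameter. Grouping uses single-linkage agglomerative clustering over keyword-set Jaccard similarity, a simple instance of the hierarchical clustering the slide calls for.

```python
"""Consolidate overlapping controls from several frameworks into one
organizational control framework (the Step #4 idea).

Added example, not part of the original slide deck.  SAMPLE_CONTROLS are
constructed paraphrases with placeholder reference numbers.  The 0.25
threshold is an assumption; see build_framework() for how it behaves.
"""
import re
from itertools import combinations

STOPWORDS = {"the", "and", "or", "of", "to", "a", "an", "is", "are", "be",
             "for", "with", "in", "on", "that", "all", "shall", "must",
             "should", "used", "where", "including", "from"}

# Constructed sample: (framework, reference, control statement)
SAMPLE_CONTROLS = [
    ("FFIEC", "FFIEC-A1", "Firewalls and intrusion detection protect the network perimeter from unauthorized access"),
    ("ISO17799", "ISO-11.4", "Network perimeter controls such as firewalls prevent unauthorized access to internal services"),
    ("PCI", "PCI-1.1", "Install and maintain a firewall configuration to protect cardholder data at the network perimeter"),
    ("NIST", "NIST-AU-2", "Audit logging records security relevant events and logs are reviewed"),
    ("ISO17799", "ISO-10.10", "Audit logs recording security events are produced and reviewed regularly"),
    ("PCI", "PCI-9.1", "Physical access to systems storing customer data is restricted and monitored"),
    ("COBIT", "COBIT-DS5", "Perimeter firewall and intrusion detection systems prevent unauthorized network access"),
]


def keywords(text):
    """Lower-case keyword set: stopwords and 1-2 letter tokens dropped,
    a trailing plural 's' stripped so 'firewalls' and 'firewall' match."""
    out = set()
    for w in re.findall(r"[a-z]+", text.lower()):
        if w in STOPWORDS or len(w) <= 2:
            continue
        if w.endswith("s") and not w.endswith("ss") and len(w) > 3:
            w = w[:-1]
        out.add(w)
    return out


def jaccard(a, b):
    """Set overlap in [0, 1]; 0 for two empty sets."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


def cluster_controls(controls, threshold=0.25):
    """Single-linkage agglomerative clustering via union-find: two controls
    share a category if a chain of pairs with similarity >= threshold
    connects them, so a PCI control that only resembles the FFIEC wording
    still lands next to the ISO and COBIT controls the FFIEC one matches."""
    parent = list(range(len(controls)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    kw = [keywords(c[2]) for c in controls]
    for i, j in combinations(range(len(controls)), 2):
        if jaccard(kw[i], kw[j]) >= threshold:
            parent[find(i)] = find(j)

    groups = {}
    for i, c in enumerate(controls):
        groups.setdefault(find(i), []).append(c)
    return list(groups.values())


def build_framework(controls, threshold=0.25):
    """One consolidated entry per cluster: a category name built from the
    keywords every member shares, plus every source reference, so the
    overlapping control is assessed once and still traces back to each
    framework that requires it.  Largest clusters first."""
    framework = []
    for group in cluster_controls(controls, threshold):
        if len(group) == 1:
            name = group[0][2]
        else:
            shared = set.intersection(*(keywords(c[2]) for c in group))
            name = " ".join(sorted(shared))
        framework.append({
            "category": name,
            "sources": sorted(ref for _, ref, _ in group),
            "frameworks": sorted({fw for fw, _, _ in group}),
        })
    return sorted(framework, key=lambda f: -len(f["sources"]))


if __name__ == "__main__":
    for entry in build_framework(SAMPLE_CONTROLS):
        print(f"{entry['category']!r:45} <- {', '.join(entry['sources'])}")
```

With the constructed sample, the four perimeter statements collapse into one “firewall network perimeter” category carrying the COBIT, FFIEC, ISO and PCI references, the two logging statements into a second, and the physical-access control stays on its own. Raising the threshold to 0.5 splits the perimeter group apart again, which is the trade-off to watch when tuning: too low merges unrelated controls, too high leaves the duplicates the step is meant to remove.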
CICRAM™ IT Risk Assessment Step #5: Select Key IT Risk Assessment Factors
IT Risk Assessment “Factors”:
• Customer Information Security (Confidentiality)
• Improper/Incorrect Transaction Data (Integrity)
• Infrastructure Stability/Change Control (Availability)
• Customer Confidence / Stewardship (Reputation)
• Regulatory Compliance (Legal)
• Fraud / Data Breach (Financial Loss)
CICRAM™ IT Risk Assessment Step #6: Determine an IT Risk Numerical Rating Scale
NUMERICAL IT RISK RATING DEFINITIONS
Level 0 - Functional control area is not relevant
Level 1 - Functional control area poses an insignificant risk: the significance of a control failure is low or not relevant
Level 2 - Functional control area poses a minimal risk potential: the significance of a control failure is minor
Level 3 - Functional control area poses a moderate risk potential: the significance of a control failure is considerable
Level 4 - Functional control area poses an elevated risk potential: the significance of a control failure is extensive
Level 5 - Functional control area poses a significant risk potential: the implications of a control failure are severe
Color  | Range | Risk
White  | 0     | N/A
Green  | 1-2   | Low
Yellow | 3-4   | Medium
Red    | 5     | High
CICRAM™ IT Risk Assessment Step #7: Assess “Baseline” High Level Risks
Use Control Matrix and Apply Threat Analysis to Develop a Heat Map of Baseline IT Risks
Heat Map of Baseline IT Risks (one column per Step #5 risk factor: Confidentiality, Integrity, Availability, Reputation, Legal, Financial Loss)
Information Security Technical Controls                             | C | I | A | R | L | F
External Network Security - Perimeter Defense Systems               | 5 | 4 | 4 | 3 | 5 | 3
Internal Network Security - Back Office User Authentication Systems | 4 | 4 | 3 | 3 | 5 | 4
Virus and Malware Protection                                        | 4 | 4 | 4 | 4 | 3 | 4
Backup / Recovery                                                   | 2 | 0 | 5 | 2 | 5 | 3
Monitoring and Logging                                              | 3 | 3 | 2 | 2 | 2 | 1
CICRAM™ IT Risk Assessment Step #8: Determine an IT Control Numerical Rating Scale
Information Security Control Maturity Model - IT CONTROL MATURITY RATING
Stage 0 – Nonexistent
Stage 1 - Initial/Ad Hoc
Stage 2 - Repeatable but Intuitive
Stage 3 - Defined Process
Stage 4 - Managed and Measurable
Stage 5 - Optimized
Control Maturity Model (CMM) Ratings are Based on Carnegie Mellon’s Process Improvement Model Ratings Scale – CMMI (the 0-5 stage names above are the wording COBIT uses for its maturity model, which is itself derived from CMM).
www.sei.cmu.edu/cmmi/general/index.html
CICRAM™ IT Risk Assessment Step #9: Assess IT Control Effectiveness
Control worksheet, one row per control. The Control Maturity, Gap Exists, Impl. and Comments columns are filled in during the assessment and are blank on the slide.
PROCESS FUNCTION | HIGH LEVEL OBJECTIVE | Control Objectives | Ref # | Control Maturity | Gap Exists | Impl. | Comments
External Network Security - Perimeter Defense Systems | Deployment of DMZ | Where network connectivity is used, appropriate controls, including firewalls, intrusion detection and vulnerability assessments, exist and are used to prevent unauthorized access. | IT.B.3.1 | | | |
External Network Security - Perimeter Defense Systems | Deployment of Network FIREWALL | (same control objective as above) | IT.B.3.1 | | | |
External Network Security - Perimeter Defense Systems | Deployment of Network IDS/IPS | (same control objective as above) | IT.B.3.1 | | | |
External Network Security - Perimeter Defense Systems | Deployment of Wireless Encryption - Authentication | (same control objective as above) | IT.B.3.1 | | | |
CICRAM™ IT Risk Assessment Step #10: Adjust Baseline Risks for Control Effectiveness
Use Control Effectiveness Ratings to Adjust Baseline IT Risks
Heat Map of IT Risks Adjusted for Control Effectiveness (one column per Step #5 risk factor: Confidentiality, Integrity, Availability, Reputation, Legal, Financial Loss)
Information Security Technical Controls                             | C | I | A | R | L | F
External Network Security - Perimeter Defense Systems               | 3 | 3 | 3 | 2 | 2 | 2
Internal Network Security - Back Office User Authentication Systems | 4 | 4 | 3 | 3 | 2 | 3
Virus and Malware Protection                                        | 4 | 3 | 3 | 3 | 2 | 3
Backup / Recovery                                                   | 1 | 0 | 3 | 3 | 2 | 2
Physical Security / Environmental                                   | 3 | 2 | 3 | 2 | 2 | 1
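Steps #6 through #10 form one procedure: rate the worst case per control area and risk factor, band the ratings into colours, rate control maturity, then credit that maturity against the baseline to get residual risk. The block below is an added example of that procedure and is not code from the slide deck or from the CICRAM™ methodology. The baseline numbers are the values on the Step #7 slide, with the columns taken to be the six Step #5 factors in slide order; the CMM stage per control area is a constructed sample input. The slides do not state the arithmetic that turns a maturity stage into a reduced rating, so the rule in adjust() (scale the worst-case rating by the unmet share of the 0-5 CMM scale, round up, never below 1 while the baseline is non-zero) is an assumption made here to illustrate the “residual risk is never zero” core concept.

```python
"""Baseline and control-adjusted IT risk heat map (CICRAM Steps #6 to #10).

Added example, not part of the original slide deck.  BASELINE holds the
Step #7 slide values; MATURITY is a constructed sample.  The adjustment
rule in adjust() is an assumption: the slides do not specify one.
"""

# The six risk factors selected in Step #5, in slide order (assumed to be
# the column order of the heat maps)
FACTORS = ["Confidentiality", "Integrity", "Availability",
           "Reputation", "Legal", "Financial Loss"]


def risk_band(rating):
    """Step #6 colour bands for a 0-5 IT risk rating."""
    if not 0 <= rating <= 5:
        raise ValueError("risk rating must be 0-5")
    if rating == 0:
        return "White", "N/A"
    if rating <= 2:
        return "Green", "Low"
    if rating <= 4:
        return "Yellow", "Medium"
    return "Red", "High"


# Step #7 baseline: worst case, i.e. the control area has failed outright
BASELINE = {
    "External Network Security - Perimeter Defense Systems": [5, 4, 4, 3, 5, 3],
    "Internal Network Security - Back Office User Authentication Systems": [4, 4, 3, 3, 5, 4],
    "Virus and Malware Protection": [4, 4, 4, 4, 3, 4],
    "Backup / Recovery": [2, 0, 5, 2, 5, 3],
    "Monitoring and Logging": [3, 3, 2, 2, 2, 1],
}

# Steps #8/#9: CMM stage (0 Nonexistent .. 5 Optimized) per control area.
# Constructed sample values, not taken from the slides.
MATURITY = {
    "External Network Security - Perimeter Defense Systems": 3,
    "Internal Network Security - Back Office User Authentication Systems": 1,
    "Virus and Malware Protection": 2,
    "Backup / Recovery": 4,
    "Monitoring and Logging": 0,
}


def adjust(baseline, maturity):
    """Step #10 (assumed rule): residual rating after crediting maturity.

    Stage 0 leaves the worst case untouched; stage 5 drops it to a floor
    of 1.  A non-zero baseline never becomes 0, so residual risk remains.
    Integer ceiling of baseline * (5 - maturity) / 5 avoids float rounding
    on the band boundaries.
    """
    if not 0 <= maturity <= 5:
        raise ValueError("CMM stage must be 0-5")
    if baseline == 0:
        return 0
    scaled = baseline * (5 - maturity)
    return max(1, (scaled + 4) // 5)


def heat_map(baseline, maturity):
    """Return {control area: [(adjusted rating, colour, label) per factor]}.

    A control area missing from the maturity worksheet gets no credit
    (stage 0), so a gap in Step #9 surfaces as unreduced risk, not as 0.
    """
    result = {}
    for area, ratings in baseline.items():
        stage = maturity.get(area, 0)
        row = []
        for r in ratings:
            adjusted = adjust(r, stage)
            row.append((adjusted,) + risk_band(adjusted))
        result[area] = row
    return result


def top_residual_risks(heat, minimum=3):
    """Cells still Medium or High after adjustment, highest rating first:
    the findings the narrative report (Step #11) should lead with."""
    cells = [(area, FACTORS[i], rating)
             for area, row in heat.items()
             for i, (rating, _colour, _label) in enumerate(row)
             if rating >= minimum]
    return sorted(cells, key=lambda cell: -cell[2])


if __name__ == "__main__":
    adjusted = heat_map(BASELINE, MATURITY)
    print(f"{'Control area':<68}" + "".join(f"{f[:6]:>8}" for f in FACTORS))
    for area, row in adjusted.items():
        print(f"{area:<68}" + "".join(f"{r:>5}/{c[0]:<2}" for r, c, _ in row))
    for area, factor, rating in top_residual_risks(adjusted):
        print(f"{rating}  {factor:<15} {area}")
```

With the sample maturities, the perimeter area (stage 3) falls from a Red 5 to Green 2 across the board, while the authentication area (stage 1) keeps most of its Yellow 4s, and Monitoring and Logging, with no maturity recorded, stays exactly at its baseline. That last behaviour is deliberate: an unassessed control earns no credit, which is the conservative reading a regulator expects.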
CICRAM™ IT Risk Assessment Step #11: Generate Narrative IT Risk Report Document
Develop a Written Report
CICRAM™ IT Risk Assessment Step #12: Present Risk Report and Findings to Management
Congratulations, You Get To Do This Again Next Year!
CICRAM™ IT Risk Assessment Methodology
Paradigm Shift! Customer Information Centric IT Risk Assessments
Questions? Fernando A. Reiser