ISACA Charlotte Chapter September Event Information Security, IT Governance & Risk Management
Risk Assessment, Acceptance and
Exception with a Process View
Shawn Swartout
Leviathan Security Group
2 Shawn Swartout
Agenda
Assessment
• Risk assessment drivers
• Developing an assessment framework that fits your size & complexity
• Integrating your risk assessment
Response
• Acceptance
• Ownership and accountability
Monitoring
• Exception handling
Risk Assessment External Drivers
HIPAA Security Rule: A covered entity must, in accordance with §164.306:
(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. (ii) Implementation specifications: (A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
Federal Financial Institutions Examination Council (FFIEC) Risk Management of Remote Deposit Capture (RDC)
Risk Management, Risk Assessment: Prior to implementing RDC, senior management should identify and assess the legal, compliance, reputation, and operational risks associated with the new system.
EXAMPLES
Risk Assessment Internal Drivers
How Risk Management Can Turn into Competitive Advantage http://scholarworks.umb.edu/cgi/viewcontent.cgi?article=1006&context=management_wp
EXAMPLES
Assessment
Source: http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf
NIST SP 800-30 Rev. 1 includes a taxonomy of threat sources, threat events, and vulnerabilities, plus inputs to the likelihood and impact calculations in your assessment.
Food for Thought
Alex Hutton RVAsec 2013: KEYNOTE: Towards A Modern Approach To Risk Management http://www.youtube.com/watch?v=icN40I3JJLY
Jet engine x peanut butter = shiny!
How awesome is your bridge?
– Wind has no motivation
– Rain does not evade defenses
– If the system is faulty by design… reinforcement addresses only symptoms
“What our standards bodies do is typically enable us to justify our perspective by manipulating the inputs into a completely false model” –Alex Hutton http://newschoolsecurity.com/2011/04/what-is-risk-again/
Assessment
Inherent risk – controls = residual risk
Let's at least agree on this for the moment.
Factor Analysis of Information Risk (FAIR)
Complexity Level: Moderate
FAIR provides:
• A taxonomy of the factors that make up information risk and a set of standard definitions for our terms.
• A method for measuring the factors that drive information risk, including threat event frequency, vulnerability, and loss.
• A computational engine that derives risk by mathematically simulating the relationships between the measured factors.
• A simulation model that allows us to apply the taxonomy, measurement
http://riskmanagementinsight.com/media/documents/FAIR_Introduction.pdf
Factor Analysis of Information Risk (FAIR)
Assumptions about key aspects of the risk environment can seriously weaken the overall analysis.
Example: Bald Tire Scenario
As you proceed through each of the steps within the scenario below, ask yourself how much risk is associated with what’s being described.
• Picture in your mind a bald car tire. How much risk is there?
• Next, imagine that the bald tire is tied to a rope hanging from a tree branch. How much risk is there?
• Next, imagine that the rope is frayed about halfway through. How much risk is there?
• Finally, imagine that the tire swing is suspended over an 80-foot cliff. How much risk is there?
Factor Analysis of Information Risk (FAIR)
Example: Bald Tire Scenario
Risk Level – Low
Most people believe the risk is ‘High’ at the last stage of the Bald Tire scenario. The answer, however, is that there is very little probability of significant loss given the scenario exactly as described.
Who cares if an empty, old bald tire falls to the rocks below?
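The FAIR bullets above describe a computational engine that simulates the relationships between the measured factors, and the Bald Tire scenario shows why a single factor (the cliff) does not equal risk. The following Python script is an added example, written for this page and not taken from the slides, from the FAIR standard or from Leviathan Security Group; it builds a small FAIR-style Monte Carlo engine in which each factor is given as an assumed (minimum, most likely, maximum) range and sampled with a triangular distribution (FAIR tooling normally uses BetaPERT). The three scenarios, the bald tire and the unencrypted backup tapes from the sample Risk Treatment Plan later in this deck (before and after encryption), are constructed for illustration and every estimate in them is an assumption, not a measurement.

```python
"""FAIR-style Monte Carlo risk estimate.

Added example; not code from the slides, from the FAIR standard, or from
Leviathan Security Group. Factor names follow FAIR; all ranges below are
assumed illustrative estimates (minimum, most likely, maximum).

  TEF   threat event frequency   events / year a threat agent acts on the asset
  Vuln  vulnerability            probability a threat event becomes a loss event
  LM    loss magnitude           loss per loss event
  LEF   loss event frequency     = TEF * Vuln
  Risk  = probable frequency and probable magnitude of future loss,
          reported here as an annualised loss distribution
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A calibrated (min, most likely, max) range for one factor."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular stands in for the BetaPERT distribution FAIR tools use.
        if self.low == self.high:
            return self.low
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Estimate    # threat events per year
    vuln: Estimate   # probability 0..1
    loss: Estimate   # loss per loss event (currency units)


def poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one year given LEF `lam` (Knuth's method;
    the standard library has no Poisson sampler)."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scn: Scenario, trials: int = 10_000, seed: int = 1) -> dict:
    """Simulate `trials` years and summarise the annual loss distribution."""
    rng = random.Random(seed)
    annual = []
    for _ in range(trials):
        lef = scn.tef.sample(rng) * scn.vuln.sample(rng)
        events = poisson(rng, lef)
        annual.append(sum(scn.loss.sample(rng) for _ in range(events)))
    annual.sort()

    def percentile(q: float) -> float:
        return annual[min(trials - 1, int(q * trials))]

    return {
        "scenario": scn.name,
        "mean_annual_loss": statistics.fmean(annual),
        "median_annual_loss": percentile(0.5),
        "p90_annual_loss": percentile(0.9),
        "p_any_loss": sum(1 for x in annual if x > 0) / trials,
    }


# Constructed scenarios (assumed estimates).
# Bald tire over an 80 ft cliff: the rope fails often and nothing stops the
# fall, but the loss is an old tire, so risk (probable loss) stays low.
BALD_TIRE = Scenario(
    "bald tire on frayed rope over cliff",
    tef=Estimate(0.5, 2.0, 5.0),
    vuln=Estimate(0.8, 0.95, 1.0),
    loss=Estimate(1.0, 5.0, 20.0),
)

# Unencrypted backup tapes holding customer non-public personal data
# (the asset from the sample Risk Treatment Plan): inherent risk.
TAPES_INHERENT = Scenario(
    "lost/stolen unencrypted backup tapes",
    tef=Estimate(0.05, 0.2, 0.5),
    vuln=Estimate(0.6, 0.9, 1.0),        # anyone holding a tape can read it
    loss=Estimate(50_000, 250_000, 2_000_000),
)

# Same scenario after the treatment "encrypt file server files and backup
# tapes": tapes still go missing at the same rate, but a missing tape rarely
# becomes a loss event. Inherent risk - controls = residual risk.
TAPES_RESIDUAL = Scenario(
    "lost/stolen encrypted backup tapes",
    tef=TAPES_INHERENT.tef,
    vuln=Estimate(0.0, 0.01, 0.05),      # only if key management also fails
    loss=TAPES_INHERENT.loss,
)


if __name__ == "__main__":
    for scn in (BALD_TIRE, TAPES_INHERENT, TAPES_RESIDUAL):
        r = simulate(scn)
        print(f"{r['scenario']:<40} mean={r['mean_annual_loss']:>12,.0f}"
              f" p90={r['p90_annual_loss']:>12,.0f} P(loss)={r['p_any_loss']:.2f}")
```

Run it and the bald tire comes out with a near-certain annual loss of a few currency units, which is the slide's point: high threat frequency and high vulnerability do not make high risk when loss magnitude is trivial. The tape scenarios show the other half of the talk, inherent versus residual risk: encryption leaves TEF untouched and drives vulnerability towards zero, so the simulated annual loss collapses even though tapes are lost just as often. Replace the assumed ranges with calibrated estimates from your own asset and threat data before using the numbers for a decision.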
Binary Risk Analysis
Complexity Level: Easy
Binary Risk Analysis provides:
• A tool that performs risk analysis based exclusively on yes or no (binary) responses to ten questions. By forcing the user to choose one of two mutually exclusive answers, the tool keeps the approach fast and simple.
Binary Risk Analysis
The central tenet of this tool: risk analysis is based exclusively on yes or no responses to ten questions, a binary response. https://binary.protect.io/BRA_draft1.1.pdf
Integrating your Assessment
• Organizational changes
• Product selection
• New service offering
• System development life cycle (SDLC)
– Requirements definition stage
– Development/Acquisition stage
Others?
Risk Response
In risk response, as described in NIST Special Publication 800-39, organizations:
– analyze different courses of action
– conduct cost-benefit analyses
– examine the interactions/dependencies among risk mitigation approaches
– address schedule and performance issues
Risk Response
• The options available for responding to risk
– application of appropriate controls
– acceptance of that risk
– transference of that risk (e.g. insurance)
– avoidance (e.g. product selection)
Risk Treatment Plan
A Risk Treatment Plan (RTP) is used to identify each information asset flagged in the Risk Assessment report that has an unacceptable level of risk, and shall state the method of treatment intended to mitigate that risk.
Asset(s) | Container(s) | Vulnerability | Risk | Risk Treatment | Status
Customer non-public personal data | Backup tapes for file server data; file server | Data unencrypted at rest | Medium | Encrypt file server files and backup tapes. Completion: MM/DD/YY. Owner: CISO | Pending / On-hold / Complete
SAMPLE
Risk Response
• Ownership and accountability
– Application owners/custodians
– Business owners
– Compliance
– Legal
– Audit
– Audit Committee
– Board of Directors
Show me the Risk!
Monitoring Risk
Risk exception handling
• Exception often involves non-compliance with policies and standards (BUT THEY’RE OK!)
– Easily identified if policy requirements are clearly articulated
• Ownership and accountability
– Owner of the policy? Does materiality impact ownership?
• Review cycle
– Consider aligning with policy reviews
Take away
• Risk is not a thing. We can’t see it, touch it, or measure it directly.
• It’s derived from the combination of threat event frequency, vulnerability, and asset value and liability characteristics.
Your organization's ability to “manage risk” may be exploited as a market differentiator.
Risk – The probable frequency and probable magnitude of future loss
Questions & Comments
Contact information: Shawn Swartout, CISSP, CISM, CAMS
Sr. Security Risk Management Consultant
Leviathan Security Group
Mobile: (509) 995-1083
http://www.leviathansecurity.com
Changing the face of information security and risk management.
Leviathan Security Group provides integrated Risk Management and Information Security solutions for our clients rather than patches, point fixes, or checking off little boxes with red ink pens. Our Fortune 100 clients and governments rely on us to understand and mitigate their risks. We help them take the next steps in their evolution and help them maintain their stellar reputations.