Managing Risk in Information Systems
Lesson 6
Performing a Risk Assessment
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Steps Used in Risk Assessments
It takes time to complete a risk assessment and to understand its scope. How do you know whether you will take a quantitative or a qualitative approach? How do you know what is important and what is not?
The first step is to identify the assets that are part of the assessment.
Then look for the associated threat/vulnerability pairs and evaluate them.
Next, look at the controls or countermeasures that can be used.
This allows you to assess the threats, vulnerabilities, and exploits and to evaluate the risk.
Finally, put together and present your recommendations to management.
Identify assets and activities to address.
Identify and evaluate relevant threats.
Identify and evaluate relevant vulnerabilities.
Identify and evaluate relevant countermeasures.
Assess threats, vulnerabilities, and exploits.
Evaluate risks.
Develop and present recommendations.
Prior to Conducting RA
The first thing you need to do is thoroughly define the system or process. Let’s consider the reporting server that provided the National ID numbers that were downloaded and lost. It is not enough to just say there is a problem. You must understand the reporting system and the processes that allow users to obtain the information. Who needs the data? How do they obtain it? How are they authenticated? What are they supposed to do with it?
Remember that the risk assessment looks at the system or process at a given point in time. Once the problems with the report server are resolved, the old risk assessment is no longer valid – controls will have been put into place, and new threats and weaknesses may exist.
Start by defining the operational characteristics of the system or process. Are there any flow diagrams or documentation that identify the inputs, outputs and processes? Are there other documents that explain how this system or process is related to other systems or processes? In our example, where does the data used in the reporting system come from – was it entered by users, or was it exported from another system? Are there other ways to provide the information, using existing fields or processes, that yield the same result? Where do the reports go once they are processed? Can changes be made there that protect the assets? What is the mission of the system? Are there other ways to satisfy that mission that do not create the threat/vulnerability pair?
Next, review any previous findings that dealt with the issue. Were there recommendations that already discussed the threats, vulnerabilities and needed controls? Did previous controls mitigate the issues? Were there controls that could have been implemented earlier and that are now acceptable to implement?
Define the assessment.
Operational characteristics
Review previous findings.
Recommendations
Mission of the system
Current status of accepted recommendations
Unapproved recommendations
Identifying the Management Structure
Refers to how responsibilities are assigned
Helpful to keep the scope within the ownership of a single entity
Large organization may have multiple divisions:
Network infrastructure
User and computer management
E-mail servers / Web servers / Database servers
Configuration and change management
In our previous example, the servers that were unprotected existed within Enrollment Management and each of the colleges. We discussed the possibility of limiting our assessment to only Enrollment Management to minimize the impact of dealing with multiple management structures. It was helpful to keep the scope of the assessment within the ownership of the single Enrollment Management Vice President. When you expand it into multiple management levels, you must either deal individually with each, try to reach a consensus among all of them, or look for a management level above these managers where decisions can be made.
Smaller organizations are easier to work with because network and infrastructure assets are normally placed under a single IT manager. Larger organizations may have multiple divisions with their own assets. Consider a large international organization with separate divisions responsible for distinct missions and deliverables. Each would have its own IT structure. When I worked for a major Army command, our CIO managed all mainframe computers, networks, telecommunications, databases and software systems in support of the command’s general officer, but our CIO was also responsible to a commanding general in the Army Information Systems Command who had responsibility for policy and procedures for every automated system within the Army. Our CIO was responsible for complying with all Army policies while supporting the command’s missions and priorities. The systems that supported the major command were inputs/feeds into other Army automated systems, either managed at other command levels or at the senior Army command level, so configuration and change management was critical to ensure that changes made locally didn’t adversely affect systems that relied on the accuracy of the data provided.
Identifying Assets and Activities
Perform asset valuation
Base on replacement or recovery value of the asset
Ensure RA performed on current systems
Evaluate only assets that are within the boundary of the RA
Prioritize importance
When calculating the cost-benefit analysis, an asset’s value can be calculated as the actual replacement value (a laptop costs $1500), as the recovery value, which includes the cost to make that asset operational again, or as a combination of both. The textbook example of a hard-drive replacement includes not only the cost of the new hard drive but also the cost to restore data to that hard drive.
Remember to stay within the scope of the assessment – the current systems and assets that are within this boundary – and prioritize them accordingly.
Elements to Consider when Determining Asset Value
System access and system availability
System functions
Hardware and software assets
Personnel assets
Data and information assets
Facilities and supplies
Beyond the asset’s value, you must consider a number of other elements. Does the system need to be available at all times, or only during specific hours of the day and week? Our old enterprise system at the university was only accessed from 8am until 7pm to allow time for backups and scheduled maintenance to be performed. Our new enterprise system, with its Oracle database, was available almost 24 hours a day, 7 days a week. However, the critical time was still only 8am – 7pm. If the system went down outside these hours, it was not critical that emergency maintenance be performed to bring it back up. However, during registration periods, when students might register at any time of the day or night, it was functionally critical that these systems be monitored and available for extended hours. The question that had to be asked was whether it was worth spending money on redundant systems to provide 24/7 access and paying for the technicians’ overtime should they be forced to come to work and fix a problem.
I spoke earlier about the problem we had with retaining personnel. When we hired our Oracle DBA, we were unable to pay a competitive wage, so a concession was to allow this person to work from home. The DBA was aware that should a problem occur at any time of the day or night, weekday or weekend, she was required to resolve the problem quickly, regardless of how long it took. Working from home provided the incentive to accept these conditions.
A company’s data and information can be Public (such as data located on web pages), Private (protected from theft or disclosure, such as personnel records) or Proprietary (of such worth that its compromise might harm the company’s profitability).
Finally, consider the company’s facilities. When I worked for the VA’s data center, the systems required 24/7, 99.9% availability. There were 3 redundant hot sites where everything was mirrored (hardware, software and data). Other organizations might maintain a warm site, where equipment is in place awaiting transfer of data from the main site. A computer center on the Gulf Coast might rent a building away from the area as a cold site and, if a hurricane strikes, move hardware, software and data to it for processing.
Identifying and Evaluating Threats
Reviewing historical data
Threat modeling
Important to understand how threats interact with risks
This diagram is familiar. A threat exploits (attacks) a vulnerability (weakness) in an asset, which results in a loss. We can use historical data on previous attacks, natural events, accidents or failures (in equipment, software or data) to determine threats.
From there you can create threat models that show how an attacker might view your system and its weaknesses. The model should contain as much detail as possible: all information on the system, a list of threats (its profile) and what the attacker might want to accomplish (the goal), leading to a full analysis of the threats, weaknesses and controls.
Identifying and Evaluating Vulnerabilities
A vulnerability is a weakness
Can be a weakness in physical security, technical security, or operational security
Can be procedural, technical, or administrative
All systems have vulnerabilities
Not all vulnerabilities result in a loss
We understand that a vulnerability is a weakness in the physical, technical or operational security of the system. It can be procedural, technical or physical. Again, consider our example of the front-counter operators at the university. If they don’t follow procedures, they may forget to log off when away from their computer, or the software may not log the user off after a period of inactivity.
Regardless, all systems have some weaknesses, but not all weaknesses result in loss.
You can assess the weaknesses in the system and prioritize those that can lead to the most exposure. These weaknesses can be within the structure of the organization or can come from outside it. Consider a company’s intranet. Since it is protected from outside access in most cases, you are more worried about threats from individuals or processes within the organization (data entry errors, theft, etc.). The company’s Internet-facing systems, however, are more vulnerable to threats from outside the organization.
You can also assess the exploits against the system by looking for ways to trigger the vulnerabilities. Whereas the vulnerability assessment looks for weaknesses, the exploit assessment attempts to penetrate the system. The textbook cautions that these exploits may damage the system if not performed correctly.
Identifying and Analyzing Countermeasures
In-Place Controls
In place in the operational system
Supported by associated documentation
Planned Controls
Identified in planning documents
Specified implementation date
Control Categories
National Institute of Standards and Technology (NIST)
Three classes, 18 families of controls
Grouped as procedural, technical, and physical
As discussed earlier, a countermeasure is a control or safeguard used to reduce a weakness or reduce the impact of a threat.
In-place controls are already being used on the system and can be measured for effectiveness. If they are not effective, they can be eliminated or replaced.
Planned controls are those that will be implemented at a later date. If they are not implemented in a timely manner, they should be re-evaluated to ensure they still provide the countermeasures expected.
The textbook provides a table that discusses the NIST control families. Controls can be procedural, technical or physical.
Control Classes
| Control Class | Control Family Examples |
| --- | --- |
| Procedural | Policies and procedures; security plans; insurance; awareness and training |
| Technical | Login identifier; system logs; firewalls |
| Physical | Locked doors; video cameras; fire detection and suppression |
Procedural controls include policies and procedures, security plans, insurance, personnel background and financial checks, and training and awareness initiatives.
Technical controls use software or equipment to protect the system. These include login authentication, session timeouts, logs, audit trails, data range and reasonability checks, firewalls and encryption.
Physical controls include locks, guards or access controls, cameras, fire detection and suppression, water detection, temperature and humidity detection, electrical grounding and circuit breakers.
Developing Mitigating Recommendations
After performing analysis, provide specific recommendations that mitigate risks
Supporting data may include:
Threat/vulnerability pairs
Estimate of cost and time to implement
Estimate of operational impact
Cost-benefit analysis
Once the assessment is complete, recommendations are presented to management. These recommendations should include all the elements: every threat/vulnerability pair, the cost and time to implement (the cost/benefit analysis, the direct cost to purchase the control, and indirect costs such as labor), and the operational impact while the work is carried out (downtime, backup and restore, installation).
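As an added worked example (not from the textbook or the lecture), the following Python script strings the lesson's steps together: asset valuation from replacement plus recovery cost, threat/vulnerability pairs each with a planned countermeasure, and a cost-benefit ranking for the recommendations to management. It assumes the standard annualized-loss formulas (SLE = asset value x exposure factor, ALE = SLE x annual rate of occurrence), which the lesson does not spell out; all asset values, rates and control costs are constructed sample figures.

```python
"""Worked risk-register example (added illustration, not from the lecture or textbook).
Values each asset (replacement + recovery cost), scores threat/vulnerability pairs and
ranks planned countermeasures by cost-benefit. Assumption: the standard annualized-loss
formulas (SLE = value x exposure factor, ALE = SLE x ARO). All figures are constructed."""
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    replacement_cost: float  # cost to buy the asset again
    recovery_cost: float     # cost to make it operational again (rebuild, restore data)
    @property
    def value(self) -> float:
        return self.replacement_cost + self.recovery_cost

@dataclass
class RiskItem:
    asset: Asset
    threat: str
    vulnerability: str
    exposure_factor: float  # fraction of asset value lost per incident (0..1)
    aro_before: float       # incidents per year with only the in-place controls
    control: str            # planned countermeasure
    control_cost: float     # annual cost of that countermeasure
    aro_after: float        # incidents per year once the control is in place
    def ale(self, aro: float) -> float:
        return self.asset.value * self.exposure_factor * aro  # SLE x ARO
    def net_benefit(self) -> float:
        # Positive means the control saves more per year than it costs.
        return self.ale(self.aro_before) - self.ale(self.aro_after) - self.control_cost

def recommendations(items):
    """Rank pairs by net benefit; the final flag says whether the control pays for itself."""
    ranked = sorted(items, key=lambda r: r.net_benefit(), reverse=True)
    return [(r.threat, r.control, round(r.net_benefit(), 2), r.net_benefit() > 0)
            for r in ranked]

# Constructed sample: the lesson's reporting server and a front-counter workstation.
REPORT_SERVER = Asset("reporting server", 8000, 12000)
COUNTER_PC = Asset("front-counter workstation", 1500, 500)
SAMPLE_ITEMS = [
    RiskItem(REPORT_SERVER, "download of national ID data", "reports open to any user",
             0.5, 0.5, "role-based report access plus audit logs", 3000, 0.05),
    RiskItem(COUNTER_PC, "walk-up misuse", "no log-off after inactivity",
             0.2, 2.0, "automatic screen lock", 100, 0.2),
    RiskItem(COUNTER_PC, "hardware failure", "single disk, no spare",
             1.0, 0.1, "hot-spare workstation", 1600, 0.02),
]
```

Running `recommendations(SAMPLE_ITEMS)` ranks the report-access control first and flags the hot-spare workstation as not worth its annual cost, which is the kind of supporting data the slide asks for.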
Best Practices for Performing Risk Assessments
Ensure systems are fully described.
Review past audits.
Review past risk assessments.
Match the RA to the management structure.
Identify assets within the RA boundaries.
Best Practices for Performing Risk Assessments (Cont.)
Identify and evaluate relevant threats.
Identify and evaluate relevant vulnerabilities.
Identify and evaluate countermeasures.
Track the results.