Risk Determination & Decision Tree Analysis
Harrisburg University ISEM 580 Summer 2017
IT Security Risk Management Overview
Objectives
What is Security Risk Management
The goals, value, and benefits of Security Risk Analysis
Security Program (Principles & Elements)
IT Security Risk Analysis Approaches (Quantitative & Qualitative)
IT Security Risk Analysis Report
Definitions & References
2
What is Security Risk Management?
Security Risk Management relies on properly identifying and valuing the company’s assets and implementing security policies, procedures, standards, and guidelines to protect and ensure the integrity, confidentiality, and availability of these assets.
3
IT Security Risk Analysis- Goals
Goals of Security Risk Analysis
Identify assets and their criticality and value to the organization
Identify vulnerabilities and threats
Quantify the probability and business impact of these potential threats
Provide an economic balance between the impact of the threat and the cost of the countermeasure
Determine the effectiveness of security program
4
IT Security Program- Principles
Security Program Main Principles:
Availability
Integrity
Confidentiality
5
IT Security Management Program
Security Program Elements
Security Governance & Management
Information Security Policies
Business Continuity & Disaster Recovery
Identity Access Management
Administrative, Technical, and Physical Controls
Software Development Lifecycle
Physical & Environmental Security
Security Architecture Model & Profile
Incident Response
Risk and Vulnerability Management
Asset Identification and Management
Logging and Monitoring
Compliance
Security Awareness and Training
6
IT Security Risk Analysis- Questions
Questions regarding IT Security Risk Analysis
Why should a risk analysis be conducted?
When should a risk analysis be conducted?
What can a risk analysis analyze?
What can the results of risk analysis tell an organization?
Who should review the results of a risk analysis?
How is the success of risk analysis measured?
7
IT Security Risk Analysis- Benefits
Customer, investor, stockbroker, investor, taxpayer confidence in the organization
Protect confidentiality of sensitive information
Protect sensitive operational data from inappropriate disclosure
Avoid third-party liability for legal or malicious acts committed with the organization systems
Ensure that the organization’s computer, network, and data are not misused or wasted
Avoid fraud
Avoid expense and disruptive incidents
Complied with pertinent laws and regulations
Avoid a unruly behaviors and incidents in the workplace
8
IT Security Risk Analysis
Components, Approaches, & Best Practices
9
IT Security Risk Analysis- Methodology
10
Security risk analysis, otherwise known as risk assessment, is fundamental to the security of any organization. It is essential in ensuring that controls and expenditure are fully commensurate with the risks to which the organization is exposed.
IT Security Risk Analysis- Asset Identification
11
Asset: Anything that has value to an organization
Most enterprises divide assets into two major categories: Physical (or Fixed) Assets and Logical Assets
Asset identification is the use of attributes and methods to uniquely identify an asset
IT Security Risk Analysis- Methodology
12
Vulnerability: is a software, hardware, procedural , or human weakness that may provide an attacker the open door they are looking for to enter a computer network an obtain unauthorized access to resources within the environment.
Threat: is any potential danger to information systems. Hence, the threat is when someone or something can identify and take advantage of/exploit a vulnerability.
Risk: is a likelihood of a threat agent taking advantage of a vulnerability and corresponding business impact.
IT Security Risk Analysis- Threat Identification
13
Threats are normally classified into three main categories:
Natural Threats
Accidental Threats
Intentional Threats
IT Security Risk Analysis- Threat Identification
Some common natural threats are:
Flood
Ice storm
Severe thunderstorms
Blizzard
Earthquake
Flash flood
Tornado
14
IT Security Risk Analysis- Threat Identification
Some common accidental threats are:
Disclosure
Electrical disturbance
Environmental failure
Software error
Hardware failure
Operator/User error
Fire
Software error
15
IT Security Risk Analysis- Threat Identification
Some common intentional threats are:
Alteration of data
Alteration of software
Disclosure
Fraud
Theft
Employee sabotage
Strike
Unauthorized Use
16
IT Security Risk Analysis
Quantitative IT Security Risk Analysis Approach
17
Quantitative IT Security Risk Analysis
18
Quantitative IT Security Risk Analysis- ALE, SLE, ARO
19
Risk Analysis Calculations (Potential Loss per Threat)
Single Loss Expectancy (SLE)
SLE = (Asset Value) x (Exposure Factor) ; where Exposure factor (EF) represents the percentage loss a realized threat could have on a certain asset.
Annualized Loss Expectancy (ALE)
ALE = SLE x ARO ; where ARO is annualized rate of occurrence; frequency a specific threat takes place within one year timeframe.
IT Security Risk Analysis
Qualitative IT Security Risk Analysis Approach & Best Practices
20
Qualitative IT Security Risk Analysis
The steps involved in conducting a qualitative security risk analysis are as follows:
Define Scope (define what is to be examined and accomplished)
Assemble a competent team
Identify Threats (determine which threads can cause harm to the asset under review)
Determine threat probability and prioritization (determine how often each of the identified threats is likely to occur)
Determine Impact (determine the impact to the asset under review)
Calculate total threat impact (calculation of probability and impact rankings resulting in the overall Risk Factor)
Identify safeguards and cost to implement (controls and countermeasures, usually ranked in order)
Risk Analysis Report (the results of the risk analysis process must be presented to management in a formal report)
21
Qualitative IT Security Risk Analysis - Threat Probability and Prioritization
22
Once the threats have been identified, the risk analysis team will need to determine how often each of the identified threats is likely to occur. In a qualitative analysis the frequencies are expressed as low medium and high or some variation of and can be given a numeric value by applying an assigned number as outlined in the threat priority table illustrated above.
Qualitative IT Security Risk Analysis Threat Impact Level Values
23
The security risk analysis team defines threat levels and their associated values. They then determine the impact to the asset under review if the specific threat were to occur. In a qualitative analysis the threat levels are defined and apply an assigned number value, as illustrated in the table above
Qualitative IT Security Risk Analysis – Total Threat Impact
24
The security analysis team adds the threat priority figure to the impact value to achieve the overall risk factor for each verified threat.
After all the risk factors have been calculated, the team must sort the entire table by the values of the risk factor column in order of priority from the highest value to the lowest value. Those with a risk factor of 8 or greater are then moved to the safe guard identification worksheet.
Is important to note, no enterprise has sufficient resources to examine all the risk and pay to implement all of the safeguards, regardless of their impact and probability
Qualitative IT Security Risk Analysis – Risk Controls & Safegaurds
25
Risk Control Categories:
Avoidance Controls: our proactive safeguards that attempt to minimize the risk of accidental or intentional intrusions
Assurance Controls: our controls and strategies employed to ensure the ongoing effectiveness of the existing controls and safeguards
Detection Controls: our techniques and programs use to ensure early detection, interception, in response of security breaches
Recovery Controls: our planning and response services to rapidly restore and secure environments as well as investigating the source of the breaches
Qualitative IT Security Risk Analysis – Identify Safeguards
26
It is important to estimate the cost to implement each of the controls to be incorporated into the risk assessment report for senior management considered in the final determinations.
The cost analysis should ensure that the safeguard recommended meet the business objectives and provide adequate level of asset protection for the investment.
Qualitative IT Security Risk Analysis – Risk Analysis Report
27
The results of the risk analysis process must be presented to management in a form of formal report.
Report serves two purposes:
To report findings
To serve as a historical document
Qualitative IT Security Risk Analysis – Risk Analysis Report
28
Risk Analysis Report Outline
Executive Summary
Introduction
Threat Identification
Risk Factor Determination
Safeguard Determination
Cost Benefit Analysis
Recommendations
Appendix
IT Security Risk Management
Definitions & References
29
Security Management - Definitions
Vulnerability: is a software, hardware, procedural , or human weakness that may provide an attacker the open door they are looking for to enter a computer network an obtain unauthorized access to resources within the environment.
Threat: is any potential danger to information systems. Hence, the threat is when someone or something can identify and take advantage of/exploit a vulnerability.
Threat Agent: an entity that takes advantage of a vulnerability.
Risk: is a likelihood of a threat agent taking advantage of a vulnerability and corresponding business impact.
Exposure: is an instance of being exposed to losses from a threat agent.
Countermeasure: is a safeguard put in place to mitigate the potential risk (e.g., hardware device, software, procedure, controls, training, etc.)
Due Care: steps taken to show that the company has taken responsibility for the activities that occur within the organization and taken the necessary steps to protect the company, recourses, and employees
30
Security Management - Definitions
Privacy : a security principle that protects an individual’s information and employs controls to ensure that this information is not disseminated or accessed in an unauthorized manor.
Authentication: to verify the identity of a person requesting the use of a system and/or access to network resources.
Authorization (Access control): determine what access rights that person has and granting access after the person has been properly identified and authenticated.
Accountability (Auditing):
Assure that you can tell who did what when and convince yourself that the system keeps its security promises.
Includes non-repudiation (NR) -- the ability to provide proof of the origin or delivery of data.
NR protects the sender against a false denial by the recipient that the data has been received. Also protects the recipient against false denial by the sender that the data has been sent..
a receiver cannot say that he/she never received the data or the sender cannot say that he/she never sent any data
Permissions: the type of authorized interactions that a person can have with an object (e.g., read, write, execute, add, modify, delete).
Encryption: The transformation of plaintext into unreadable cipher text.
Due Diligence: The process of systematically evaluating information to identify vulnerabilities, threats, and issues relating to an organization’s overall risk.
31
Security Management - Definitions
Administrative Controls: Policies, standards, procedures, guidelines, screening, security awareness training
Technical Controls: Logical access controls, encryption, security devices, identification, and authentication
Physical Controls: Facilities protection, security guards, locks, monitoring, environmental controls, and intrusion detection
Identifying Information: The set of an asset’s attributes that may be useful for identifying that asset, including discoverable information about the asset and identifiers assigned to the asset
32
Security Management - Definitions
Disclosure: the unauthorized or premature exit door release of proprietary, classified, company confidential, personal, or otherwise sensitive information
Electrical disturbance: a momentary fluctuation in political power source
Environmental failure: an interruption in the supply of controlled environment support such as air quality, air conditioning, humidity, heating, and water
Hardware failure: a unit or component failure of sufficient magnitude to cause delays in processing or monetary loss to the enterprise
Operator/User error: an accidental, improper, or otherwise ill-chosen act by an employee that results in processing delays, equipment damage, data loss, or modify data
Fire: an instance of combustion that produces damage through heat, smoke, or suppression agent
Software error: an extraneous or erroneous data in an operating system or application program that results in processing errors, data output errors, or processing delays
33
Security Management - Definitions
Alteration of data: an unintentional modification, insertion, or deletion of data, rather by an authorized user or not
Alteration of software: an unintentional modification, insertion, or deletion of an operating system or application system program, whether by an authorized user or not
Disclosure: the unauthorized or premature intentional release a proprietary, classified, company confidential, personal, or otherwise sensitive information
Fraud: a deliberate unauthorized manipulation of hardware, software, or information
Theft: the unauthorized appropriation of hardware, software, you, computer supplies, or data of the classified nature
Employee sabotage: a deliberate action taken by an employee, group of employees, or not employees working together to disrupt enterprise operations
Strike: an organized employee action designed to halt or disrupt normal business operations
Unauthorized use: an unauthorized use of the computer equipment or programs
34
Security Management - Standards
ISO/IEC 27001 & 27002: guidelines for establishment, implementation, control, and improvement of information security management systems
ISO/IEC 27004: standard for information security management
ISO/IEC 27005: guideline for establishing a risk management approach to information security
ISO/IEC 27006: guideline for certification/registration Process
ISO/IEC 27799: guide for protecting personal health information
NIST Special Publication (SP) 800-53: outlines security requirements and security controls federal information systems and pass IT security audits performed under the Federal Information Security Management Act
NIST Cybersecurity Framework Version 1.0: risk-based Cybersecurity Framework—a set of existing standards, guidelines and practices to help organizations manage cyber risks.
NIST Special Publication 800-39: guidance for an integrated, organization-wide program for managing information security risk to organizational operations, assets, individuals, and other organizations
35
Assignments
Chapter 8 (IT Managers Handbook)
Homework 5: Risk Management
Project 2
Part A: Create an IT Governance Matrix
Part B: Create a Governance Charter for Enterprise Security Committee
Part C: Write a Information Security Policy for Data Classifications
36