Risk Determination & Decision Tree Analysis

profilepraveen1993
ISEM580_Security-RiskManagent_Overview-Lecture-11.pptx

Harrisburg University ISEM 580 Summer 2017

IT Security Risk Management Overview

Objectives

What is Security Risk Management

The goals, value, and benefits of Security Risk Analysis

Security Program (Principles & Elements)

IT Security Risk Analysis Approaches (Quantitative & Qualitative)

IT Security Risk Analysis Report

Definitions & References

2

What is Security Risk Management?

Security Risk Management relies on properly identifying and valuing the company’s assets and implementing security policies, procedures, standards, and guidelines to protect and ensure the integrity, confidentiality, and availability of these assets.

3

IT Security Risk Analysis- Goals

Goals of Security Risk Analysis

Identify assets and their criticality and value to the organization

Identify vulnerabilities and threats

Quantify the probability and business impact of these potential threats

Provide an economic balance between the impact of the threat and the cost of the countermeasure

Determine the effectiveness of security program

4

IT Security Program- Principles

Security Program Main Principles:

Availability

Integrity

Confidentiality

5

IT Security Management Program

Security Program Elements

Security Governance & Management

Information Security Policies

Business Continuity & Disaster Recovery

Identity Access Management

Administrative, Technical, and Physical Controls

Software Development Lifecycle

Physical & Environmental Security

Security Architecture Model & Profile

Incident Response

Risk and Vulnerability Management

Asset Identification and Management

Logging and Monitoring

Compliance

Security Awareness and Training

6

IT Security Risk Analysis- Questions

Questions regarding IT Security Risk Analysis

Why should a risk analysis be conducted?

When should a risk analysis be conducted?

What can a risk analysis analyze?

What can the results of risk analysis tell an organization?

Who should review the results of a risk analysis?

How is the success of risk analysis measured?

7

IT Security Risk Analysis- Benefits

Customer, investor, stockbroker, investor, taxpayer confidence in the organization

Protect confidentiality of sensitive information

Protect sensitive operational data from inappropriate disclosure

Avoid third-party liability for legal or malicious acts committed with the organization systems

Ensure that the organization’s computer, network, and data are not misused or wasted

Avoid fraud

Avoid expense and disruptive incidents

Complied with pertinent laws and regulations

Avoid a unruly behaviors and incidents in the workplace

8

IT Security Risk Analysis

Components, Approaches, & Best Practices

9

IT Security Risk Analysis- Methodology

10

Security risk analysis, otherwise known as risk assessment, is fundamental to the security of any organization. It is essential in ensuring that controls and expenditure are fully commensurate with the risks to which the organization is exposed.

IT Security Risk Analysis- Asset Identification

11

Asset: Anything that has value to an organization

Most enterprises divide assets into two major categories: Physical (or Fixed) Assets and Logical Assets

Asset identification is the use of attributes and methods to uniquely identify an asset

IT Security Risk Analysis- Methodology

12

Vulnerability: is a software, hardware, procedural , or human weakness that may provide an attacker the open door they are looking for to enter a computer network an obtain unauthorized access to resources within the environment.

Threat: is any potential danger to information systems. Hence, the threat is when someone or something can identify and take advantage of/exploit a vulnerability.

Risk: is a likelihood of a threat agent taking advantage of a vulnerability and corresponding business impact.

IT Security Risk Analysis- Threat Identification

13

Threats are normally classified into three main categories:

Natural Threats

Accidental Threats

Intentional Threats

IT Security Risk Analysis- Threat Identification

Some common natural threats are:

Flood

Ice storm

Severe thunderstorms

Blizzard

Earthquake

Flash flood

Tornado

14

IT Security Risk Analysis- Threat Identification

Some common accidental threats are:

Disclosure

Electrical disturbance

Environmental failure

Software error

Hardware failure

Operator/User error

Fire

Software error

15

IT Security Risk Analysis- Threat Identification

Some common intentional threats are:

Alteration of data

Alteration of software

Disclosure

Fraud

Theft

Employee sabotage

Strike

Unauthorized Use

16

IT Security Risk Analysis

Quantitative IT Security Risk Analysis Approach

17

Quantitative IT Security Risk Analysis

18

Quantitative IT Security Risk Analysis- ALE, SLE, ARO

19

Risk Analysis Calculations (Potential Loss per Threat)

Single Loss Expectancy (SLE)

SLE = (Asset Value) x (Exposure Factor) ; where Exposure factor (EF) represents the percentage loss a realized threat could have on a certain asset.

Annualized Loss Expectancy (ALE)

ALE = SLE x ARO ; where ARO is annualized rate of occurrence; frequency a specific threat takes place within one year timeframe.

IT Security Risk Analysis

Qualitative IT Security Risk Analysis Approach & Best Practices

20

Qualitative IT Security Risk Analysis

The steps involved in conducting a qualitative security risk analysis are as follows:

Define Scope (define what is to be examined and accomplished)

Assemble a competent team

Identify Threats (determine which threads can cause harm to the asset under review)

Determine threat probability and prioritization (determine how often each of the identified threats is likely to occur)

Determine Impact (determine the impact to the asset under review)

Calculate total threat impact (calculation of probability and impact rankings resulting in the overall Risk Factor)

Identify safeguards and cost to implement (controls and countermeasures, usually ranked in order)

Risk Analysis Report (the results of the risk analysis process must be presented to management in a formal report)

21

Qualitative IT Security Risk Analysis - Threat Probability and Prioritization

22

Once the threats have been identified, the risk analysis team will need to determine how often each of the identified threats is likely to occur. In a qualitative analysis the frequencies are expressed as low medium and high or some variation of and can be given a numeric value by applying an assigned number as outlined in the threat priority table illustrated above.

Qualitative IT Security Risk Analysis Threat Impact Level Values

23

The security risk analysis team defines threat levels and their associated values. They then determine the impact to the asset under review if the specific threat were to occur. In a qualitative analysis the threat levels are defined and apply an assigned number value, as illustrated in the table above

Qualitative IT Security Risk Analysis – Total Threat Impact

24

The security analysis team adds the threat priority figure to the impact value to achieve the overall risk factor for each verified threat.

After all the risk factors have been calculated, the team must sort the entire table by the values of the risk factor column in order of priority from the highest value to the lowest value. Those with a risk factor of 8 or greater are then moved to the safe guard identification worksheet.

Is important to note, no enterprise has sufficient resources to examine all the risk and pay to implement all of the safeguards, regardless of their impact and probability

Qualitative IT Security Risk Analysis – Risk Controls & Safegaurds

25

Risk Control Categories:

Avoidance Controls: our proactive safeguards that attempt to minimize the risk of accidental or intentional intrusions

Assurance Controls: our controls and strategies employed to ensure the ongoing effectiveness of the existing controls and safeguards

Detection Controls: our techniques and programs use to ensure early detection, interception, in response of security breaches

Recovery Controls: our planning and response services to rapidly restore and secure environments as well as investigating the source of the breaches

Qualitative IT Security Risk Analysis – Identify Safeguards

26

It is important to estimate the cost to implement each of the controls to be incorporated into the risk assessment report for senior management considered in the final determinations.

The cost analysis should ensure that the safeguard recommended meet the business objectives and provide adequate level of asset protection for the investment.

Qualitative IT Security Risk Analysis – Risk Analysis Report

27

The results of the risk analysis process must be presented to management in a form of formal report.

Report serves two purposes:

To report findings

To serve as a historical document

Qualitative IT Security Risk Analysis – Risk Analysis Report

28

Risk Analysis Report Outline

Executive Summary

Introduction

Threat Identification

Risk Factor Determination

Safeguard Determination

Cost Benefit Analysis

Recommendations

Appendix

IT Security Risk Management

Definitions & References

29

Security Management - Definitions

Vulnerability: is a software, hardware, procedural , or human weakness that may provide an attacker the open door they are looking for to enter a computer network an obtain unauthorized access to resources within the environment.

Threat: is any potential danger to information systems. Hence, the threat is when someone or something can identify and take advantage of/exploit a vulnerability.

Threat Agent: an entity that takes advantage of a vulnerability.

Risk: is a likelihood of a threat agent taking advantage of a vulnerability and corresponding business impact.

Exposure: is an instance of being exposed to losses from a threat agent.

Countermeasure: is a safeguard put in place to mitigate the potential risk (e.g., hardware device, software, procedure, controls, training, etc.)

Due Care: steps taken to show that the company has taken responsibility for the activities that occur within the organization and taken the necessary steps to protect the company, recourses, and employees

30

Security Management - Definitions

Privacy : a security principle that protects an individual’s information and employs controls to ensure that this information is not disseminated or accessed in an unauthorized manor.

Authentication: to verify the identity of a person requesting the use of a system and/or access to network resources.

Authorization (Access control): determine what access rights that person has and granting access after the person has been properly identified and authenticated.

Accountability (Auditing):

Assure that you can tell who did what when and convince yourself that the system keeps its security promises.

Includes non-repudiation (NR) -- the ability to provide proof of the origin or delivery of data.

NR protects the sender against a false denial by the recipient that the data has been received. Also protects the recipient against false denial by the sender that the data has been sent..

a receiver cannot say that he/she never received the data or the sender cannot say that he/she never sent any data

Permissions: the type of authorized interactions that a person can have with an object (e.g., read, write, execute, add, modify, delete).

Encryption: The transformation of plaintext into unreadable cipher text.

Due Diligence: The process of systematically evaluating information to identify vulnerabilities, threats, and issues relating to an organization’s overall risk.

31

Security Management - Definitions

Administrative Controls: Policies, standards, procedures, guidelines, screening, security awareness training

Technical Controls: Logical access controls, encryption, security devices, identification, and authentication

Physical Controls: Facilities protection, security guards, locks, monitoring, environmental controls, and intrusion detection

Identifying Information: The set of an asset’s attributes that may be useful for identifying that asset, including discoverable information about the asset and identifiers assigned to the asset

32

Security Management - Definitions

Disclosure: the unauthorized or premature exit door release of proprietary, classified, company confidential, personal, or otherwise sensitive information

Electrical disturbance: a momentary fluctuation in political power source

Environmental failure: an interruption in the supply of controlled environment support such as air quality, air conditioning, humidity, heating, and water

Hardware failure: a unit or component failure of sufficient magnitude to cause delays in processing or monetary loss to the enterprise

Operator/User error: an accidental, improper, or otherwise ill-chosen act by an employee that results in processing delays, equipment damage, data loss, or modify data

Fire: an instance of combustion that produces damage through heat, smoke, or suppression agent

Software error: an extraneous or erroneous data in an operating system or application program that results in processing errors, data output errors, or processing delays

33

Security Management - Definitions

Alteration of data: an unintentional modification, insertion, or deletion of data, rather by an authorized user or not

Alteration of software: an unintentional modification, insertion, or deletion of an operating system or application system program, whether by an authorized user or not

Disclosure: the unauthorized or premature intentional release a proprietary, classified, company confidential, personal, or otherwise sensitive information

Fraud: a deliberate unauthorized manipulation of hardware, software, or information

Theft: the unauthorized appropriation of hardware, software, you, computer supplies, or data of the classified nature

Employee sabotage: a deliberate action taken by an employee, group of employees, or not employees working together to disrupt enterprise operations

Strike: an organized employee action designed to halt or disrupt normal business operations

Unauthorized use: an unauthorized use of the computer equipment or programs

34

Security Management - Standards

ISO/IEC 27001 & 27002: guidelines for establishment, implementation, control, and improvement of information security management systems

ISO/IEC 27004: standard for information security management

ISO/IEC 27005: guideline for establishing a risk management approach to information security

ISO/IEC 27006: guideline for certification/registration Process

ISO/IEC 27799: guide for protecting personal health information

NIST Special Publication (SP) 800-53: outlines security requirements and security controls federal information systems and pass IT security audits performed under the Federal Information Security Management Act

NIST Cybersecurity Framework Version 1.0: risk-based Cybersecurity Framework—a set of existing standards, guidelines and practices to help organizations manage cyber risks.

NIST Special Publication 800-39: guidance for an integrated, organization-wide program for managing information security risk to organizational operations, assets, individuals, and other organizations

35

Assignments

Chapter 8 (IT Managers Handbook)

Homework 5: Risk Management

Project 2

Part A: Create an IT Governance Matrix

Part B: Create a Governance Charter for Enterprise Security Committee

Part C: Write a Information Security Policy for Data Classifications

36