
Unless the organization increases the level of security on its Web site, it can expect to lose $50,000 every year. Armed with this figure, the organization’s information security design team can justify expenditures for controls and safeguards and deliver a budgeted value for planning purposes. Note that noneconomic factors are sometimes considered in this process, so even in cases when ALE amounts are not huge, control budgets can be justified.

The Cost-Benefit Analysis (CBA) Formula

In its simplest definition, CBA (or economic feasibility) determines whether a particular control is worth its cost. CBAs may be calculated before a control or safeguard is implemented to determine if the control is worth implementing. CBAs can also be calculated after controls have been functioning for a while. Observation over time adds precision to evaluating the benefits of the safeguard and determining whether it is functioning as intended. While many techniques exist, the CBA is most easily calculated using the ALE from earlier assessments before implementation of the proposed control, which is known as ALE(prior). Subtract the revised ALE, which is estimated based on the control being in place; this revised value is known as ALE(post). Complete the calculation by subtracting the annualized cost of a safeguard (ACS).

CBA = ALE(prior) - ALE(post) - ACS

For another perspective on cost-benefit analyses, read the SEI Report entitled “SQUARE Project: Cost-Benefit Analysis Framework for Information Security Improvement Projects in Small Companies.” The report is available from www.sei.cmu.edu/reports/04tn045.pdf.

Implementation, Monitoring, and Assessment of Risk Controls

The selection of a control strategy is not the end of a process. The strategy and its accompanying controls must be implemented and then monitored on an ongoing basis to determine their effectiveness and to accurately calculate the estimated residual risk. Figure 5-14 shows how this cyclical process is used to ensure that risks are controlled. Note that there is no exit from this cycle; it continues as long as the organization continues to function.

The implementation process follows the standard SDLC approach outlined in Chapter 1. The monitoring process involves the selection and adoption of effective performance measures (metrics), as discussed in greater detail in Chapter 12. As the organization conducts ongoing operations, information security staff must continuously observe the performance of all implemented controls, including those outsourced to external companies. Staff must also observe the adopted mitigation strategies to ensure that they keep the organization’s residual risk at the determined level, below its risk appetite.

Once controls are implemented, it is crucial to continually examine their benefits to determine when they must be upgraded, supplemented, or replaced. As Frederick Avolio stated in his article “Best Practices in Network Security”:

Security is an investment, not an expense. Investing in computer and network security measures that meet changing business requirements and risks makes it possible to satisfy changing business requirements without hurting the business’ viability.23


Risk Control 305

Copyright 2018 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-300


Exercises

1. If an organization must evaluate the following three information assets for risk management, which vulnerability should be evaluated first for additional controls? Which should be evaluated last?

• Switch L47 connects a network to the Internet. It has two vulnerabilities: it is susceptible to hardware failure at a likelihood of 0.2, and it is subject to an SNMP buffer overflow attack at a likelihood of 0.1. This switch has an impact rating of 90 and has no current controls in place. You are 75 percent certain of the assumptions and data.

• Server WebSrv6 hosts a company Web site and performs e-commerce transactions. It has a Web server version that can be attacked by sending it invalid Unicode values. The likelihood of that attack is estimated at 0.1. The server has been assigned an impact value of 100, and a control has been implemented that reduces the impact of the vulnerability by 75 percent. You are 80 percent certain of the assumptions and data.

• Operators use an MGMT45 control console to monitor operations in the server room. It has no passwords and is susceptible to unlogged misuse by the operators. Estimates show the likelihood of misuse is 0.1. There are no controls in place on this asset; it has an impact rating of 5. You are 90 percent certain of the assumptions and data.

2. Using the data classification scheme in this chapter, identify and classify the information in your personal computer or personal digital assistant. Based on the potential for misuse or embarrassment, what information would be confidential, sensitive but unclassified, or for public release?

3. Suppose XYZ Software Company has a new application development project with projected revenues of $1.2 million. Using the following table, calculate the ARO and ALE for each threat category the company faces for this project.

Threat Category                   Cost per Incident (SLE)   Frequency of Occurrence
Programmer mistakes               $5,000                    1 per week
Loss of intellectual property     $75,000                   1 per year
Software piracy                   $500                      1 per week
Theft of information (hacker)     $2,500                    1 per quarter
Theft of information (employee)   $5,000                    1 per 6 months
Web defacement                    $500                      1 per month
Theft of equipment                $5,000                    1 per year
Viruses, worms, Trojan horses     $1,500                    1 per week
Denial-of-service attacks         $2,500                    1 per quarter
Earthquake                        $250,000                  1 per 20 years
Flood                             $250,000                  1 per 10 years
Fire                              $500,000                  1 per 10 years


4. How might XYZ Software Company arrive at the values in the table shown in Exercise 3? For each entry, describe the process of determining the cost per incident and frequency of occurrence.

5. Assume that a year has passed and XYZ has improved security by applying several controls. Using the information from Exercise 3 and the following table, calculate the post-control ARO and ALE for each threat category listed.

Threat Category                   Cost per Incident   Frequency of Occurrence   Cost of Control   Type of Control
Programmer mistakes               $5,000              1 per month               $20,000           Training
Loss of intellectual property     $75,000             1 per 2 years             $15,000           Firewall/IDS
Software piracy                   $500                1 per month               $30,000           Firewall/IDS
Theft of information (hacker)     $2,500              1 per 6 months            $15,000           Firewall/IDS
Theft of information (employee)   $5,000              1 per year                $15,000           Physical security
Web defacement                    $500                1 per quarter             $10,000           Firewall
Theft of equipment                $5,000              1 per 2 years             $15,000           Physical security
Viruses, worms, Trojan horses     $1,500              1 per month               $15,000           Antivirus
Denial-of-service attacks         $2,500              1 per 6 months            $10,000           Firewall
Earthquake                        $250,000            1 per 20 years            $5,000            Insurance/backups
Flood                             $50,000             1 per 10 years            $10,000           Insurance/backups
Fire                              $100,000            1 per 10 years            $10,000           Insurance/backups

Why have some values changed in the Cost per Incident and Frequency of Occurrence columns? How could a control affect one but not the other? Assume that the values in the Cost of Control column are unique costs directly associated with protecting against the threat. In other words, don’t consider overlapping costs between controls. Calculate the CBA for the planned risk control approach in each threat category. For each threat category, determine whether the proposed control is worth the costs.

Case Exercises

As Charlie wrapped up the meeting, he ticked off a few key reminders for everyone involved in the asset identification project.

“Okay, everyone, before we finish, please remember that you should try to make your asset lists complete, but be sure to focus your attention on the more valuable assets first. Also, remember that we evaluate our assets based on business impact to profitability first, and then economic cost of replacement. Make sure you check with me about any questions that come up. We will schedule our next meeting in two weeks, so please have your draft inventories ready.”
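Returning to the CBA formula (CBA = ALE(prior) - ALE(post) - ACS) and to Exercises 3 and 5 above, the following is an added worked example, not code from the textbook. It converts each "1 per ..." frequency in the two tables into an ARO, computes ALE = SLE x ARO before and after the controls, and applies the CBA formula to every threat category. The table values are the ones printed in the exercises; the frequency parser, the function names and the break-even check are this example's own. Fractions are used so that a rate such as "1 per 20 years" stays exactly 1/20 rather than a rounded float.

```python
"""ARO, ALE and CBA arithmetic for the Exercise 3 and Exercise 5 tables.

Added worked example; the helper names are assumptions, the figures are
the textbook's exercise values.
"""
from fractions import Fraction

# Units used in the exercise tables, expressed as occurrences per year.
_UNITS_PER_YEAR = {"week": 52, "month": 12, "quarter": 4, "year": 1}


def parse_aro(freq):
    """Convert '1 per week', '1 per 6 months' or '1 per 20 years' into an
    annualized rate of occurrence (ARO), as an exact Fraction."""
    tokens = freq.lower().split()
    if len(tokens) < 3 or tokens[1] != "per":
        raise ValueError(f"unrecognized frequency: {freq!r}")
    count = int(tokens[0])
    if len(tokens) == 3:                 # '1 per week'
        span, unit = 1, tokens[2]
    else:                                # '1 per 6 months'
        span, unit = int(tokens[2]), tokens[3]
    unit = unit.rstrip("s")              # months -> month
    if unit not in _UNITS_PER_YEAR:
        raise ValueError(f"unknown unit in frequency: {freq!r}")
    return Fraction(count * _UNITS_PER_YEAR[unit], span)


def ale(sle, freq):
    """Annualized loss expectancy: SLE x ARO."""
    return sle * parse_aro(freq)


def cba(ale_prior, ale_post, acs):
    """The chapter's formula: CBA = ALE(prior) - ALE(post) - ACS."""
    return ale_prior - ale_post - acs


# Exercise 3 table: threat -> (cost per incident / SLE, frequency of occurrence).
PRIOR = {
    "Programmer mistakes": (5_000, "1 per week"),
    "Loss of intellectual property": (75_000, "1 per year"),
    "Software piracy": (500, "1 per week"),
    "Theft of information (hacker)": (2_500, "1 per quarter"),
    "Theft of information (employee)": (5_000, "1 per 6 months"),
    "Web defacement": (500, "1 per month"),
    "Theft of equipment": (5_000, "1 per year"),
    "Viruses, worms, Trojan horses": (1_500, "1 per week"),
    "Denial-of-service attacks": (2_500, "1 per quarter"),
    "Earthquake": (250_000, "1 per 20 years"),
    "Flood": (250_000, "1 per 10 years"),
    "Fire": (500_000, "1 per 10 years"),
}

# Exercise 5 table: threat -> (SLE, frequency, annual cost of control / ACS, control type).
POST = {
    "Programmer mistakes": (5_000, "1 per month", 20_000, "Training"),
    "Loss of intellectual property": (75_000, "1 per 2 years", 15_000, "Firewall/IDS"),
    "Software piracy": (500, "1 per month", 30_000, "Firewall/IDS"),
    "Theft of information (hacker)": (2_500, "1 per 6 months", 15_000, "Firewall/IDS"),
    "Theft of information (employee)": (5_000, "1 per year", 15_000, "Physical security"),
    "Web defacement": (500, "1 per quarter", 10_000, "Firewall"),
    "Theft of equipment": (5_000, "1 per 2 years", 15_000, "Physical security"),
    "Viruses, worms, Trojan horses": (1_500, "1 per month", 15_000, "Antivirus"),
    "Denial-of-service attacks": (2_500, "1 per 6 months", 10_000, "Firewall"),
    "Earthquake": (250_000, "1 per 20 years", 5_000, "Insurance/backups"),
    "Flood": (50_000, "1 per 10 years", 10_000, "Insurance/backups"),
    "Fire": (100_000, "1 per 10 years", 10_000, "Insurance/backups"),
}


def evaluate(prior=PRIOR, post=POST):
    """Run the ARO/ALE/CBA arithmetic for every threat category."""
    results = {}
    for threat, (sle_before, freq_before) in prior.items():
        sle_after, freq_after, acs, control = post[threat]
        ale_before = ale(sle_before, freq_before)
        ale_after = ale(sle_after, freq_after)
        results[threat] = {
            "control": control,
            "aro_prior": parse_aro(freq_before),
            "ale_prior": ale_before,
            "aro_post": parse_aro(freq_after),
            "ale_post": ale_after,
            "acs": acs,
            "cba": cba(ale_before, ale_after, acs),
            # Largest ACS at which this control would still break even.
            "max_justified_acs": ale_before - ale_after,
            "worth_it": cba(ale_before, ale_after, acs) > 0,
        }
    return results


if __name__ == "__main__":
    for threat, r in evaluate().items():
        print(f"{threat:32} ALE {float(r['ale_prior']):>9,.0f} -> {float(r['ale_post']):>9,.0f}  "
              f"ACS {r['acs']:>6,}  CBA {float(r['cba']):>9,.0f}  "
              f"{'worth it' if r['worth_it'] else 'not justified'}")
```

Two things the run makes visible that the formula alone does not: a control that changes neither the cost per incident nor the frequency (the Earthquake row is identical in both tables) can never score better than -ACS, and the max_justified_acs figure tells the design team how much budget a given risk reduction can support before the CBA turns negative. As the chapter notes, a negative CBA is not automatically a veto, since noneconomic factors can still justify the control.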
