
Chapter 3 Why Risk Assessment

WITH INDUSTRY COMPLIANCY AND INFORMATION SECURITY laws and mandates being introduced in the past four years, the need for conducting a vulnerability and risk assessment is now paramount. These recent laws and mandates include the following:

- The Healthcare Information Privacy and Portability Act (HIPPA) is driving the need for vulnerability and risk assessments to be conducted within any health-care or health-care-related institution.
- The recent Gramm-Leach-Bliley Act (GLBA) is driving the need for vulnerability and risk assessments to be conducted within any banking or financial institution in the United States.
- The recent Federal Information Security Management Act (FISMA) is driving the need for vulnerability and risk assessments to be conducted for all United States federal government agencies.
- The recent Sarbanes-Oxley Act affects all publicly traded companies within the United States that have a market cap greater than $75 million; they are now subject to compliance with the Sarbanes-Oxley Act, Section 404, which also is driving the need for vulnerability and risk assessments to be conducted for publicly traded companies.
- The recent Canadian Management of Information Security Standard (MITS) requires regular security assessments for all Canadian federal government agencies.

The need to conduct vulnerability and risk assessments is being driven by these new laws and mandates. Organizations must now be information security conscious and must develop and implement proper security controls based on the results of their internal risk assessment and vulnerability assessment. By conducting a risk assessment and vulnerability assessment, an organization can uncover known weaknesses and vulnerabilities in its existing IT infrastructure, prioritize the impact of these vulnerabilities based on the value and importance of affected IT and data assets, and then implement the proper security controls and security countermeasures to mitigate those identified weaknesses. This risk mitigation results in increased security and less probability of a threat or vulnerability impacting an organization's production environment.

Risk Terminology

With any new technology topic, terminology, semantics, and the use of terms within the context of the technology topic can be confusing, misused, and misrepresented. Risk itself encompasses the following three major areas: risks, threats, and vulnerabilities. Risk is the probability or likelihood of the occurrence or realization of a threat. There are three basic elements of risk from an IT infrastructure perspective:

- Asset: An IT infrastructure component or an item of value to an organization, such as data assets.
- Threat: Any circumstance that could potentially cause loss or damage to an IT infrastructure asset.
- Vulnerability: A weakness in the IT infrastructure or IT components that may be exploited in order for a threat to destroy, damage, or compromise an IT asset.

An IT asset or data asset is an item or collection of items that has a quantitative or qualitative value to an organization. Examples of IT assets that organizations may put a dollar value or criticality value on include the following:

- Workstations: Hardware, software, and data assets stored at the end user's workstation location (PCs, PDAs, phones, and so on).
- Operating systems software: Operating system software, software updates, software patches, and their configuration and deployment on production services and workstations.
- Application systems software: Application software such as databases, client/server applications, software updates, software patches, and their configuration on production servers.
- Local area network hardware and software: Local area network infrastructure, TCP/IP, LAN switches, routers, hubs, operating system and application software within the LAN CPE equipment.
- Wide area network hardware and software: Wide area network infrastructure, TCP/IP, routers, operating system and application software within the WAN CPE equipment.
- Network management hardware and software: SNMP network management infrastructure, operating system and NMS application software, production NMS servers, data collection SNMP polling servers, network-monitoring CPE devices, SNMP MIB I and MIB II data collection and archiving.
- Telecommunication systems: Voice communication systems (PBX or IP Telephony), telephone CPE devices on desktops, operating system and application software (IP Telephony), voicemail systems, automated attendants, and so on.

- IT security hardware and software: Operating system and security application software, production servers, DMZs, firewalls, intrusion detection monitoring systems, security monitoring, and alarm notification systems.
- Systems and application servers, hardware, and software: Operating systems, application software, client/server application software, production servers, and software code/intellectual property.
- Intellectual property: Customer data, customer databases, application data, application databases, information, and data assets. Intellectual property may have an intrinsic value to an organization depending on what the intellectual property is and whether the organization generates revenue from this intellectual property.
- IT infrastructure documentation, configurations, and backup files and backup data: Complete and accurate physical, logical, configuration, and setup documentation of the entire IT infrastructure, including backup files, backup data, disk storage units, and data archiving systems.

A threat is any agent, condition, or circumstance that could potentially cause harm, loss, damage, or compromise to an IT asset or data asset. From an IT infrastructure perspective, threats may be categorized as circumstances that can affect the confidentiality, integrity, or availability of the IT asset or data asset in terms of destruction, disclosure, modification, corruption of data, or denial of service. Examples of threats in an IT infrastructure environment include the following:

- Unauthorized access: The owner of the access rights, user ids, and passwords to the organization's IT systems and confidential information is compromised, and unauthorized access is granted to the unauthorized user who obtained the user ids and passwords.
- Stolen/lost/damaged/modified data: Loss or damage of an organization's data can be a critical threat if there are no backups or external archiving of the data as part of the organization's data recovery and business continuity plan. Also, if the data was of a confidential nature and is compromised, this can also be a critical threat to the organization, depending on the potential damage that can arise from this compromise.
- Disclosure of confidential information: Disclosure of confidential information can be a critical threat to an organization if that disclosure causes loss of revenue, potential liabilities, or provides a competitive advantage to an adversary.
- Hacker attacks: Unauthorized perpetrator who purposely and knowingly attacks an IT infrastructure and/or the components, systems, and data.
- Cyber terrorism: Because of the vulnerabilities that are commonplace in operating systems, software, and IT infrastructures, terrorists are now using computers, Internet communications, and tools to perpetrate critical national infrastructures such as water, electric, and gas plants, oil and gasoline refineries, nuclear power plants, waste management plants, and so on.

- Viruses and malware: Malware is short for malicious software, which is a general term used to categorize software such as a virus, worm, or Trojan horse that is developed to damage or destroy a system or data. Viruses are executable programs that replicate and attach to and infect other executable objects. Some viruses also perform destructive or discrete activities (payload) after replication and infection is accomplished.
- Denial of service or distributed denial of service attacks: An attack on a TCP/IP-based network that is designed to bring the network and/or access to a particular TCP/IP host/server to its knees by flooding it with useless traffic. Many DoS attacks, such as the Ping of Death and Teardrop attacks, exploit limitations in the TCP/IP protocols. For all known DoS attacks, system administrators can install software fixes to limit the damage caused by the attacks. But, like viruses, new DoS attacks are constantly being dreamed up by hackers.
- Acts of God, weather, or catastrophic damage: Hurricanes, storms, weather outages, fires, floods, earthquakes, and total loss of IT infrastructures, data centers, systems, and data.

A vulnerability is a weakness in the system design, a weakness in the implementation of an operational procedure, or a weakness in how the software or code was developed (for example, bugs, back doors, vulnerabilities in code, and so on). Vulnerabilities may be eliminated or reduced by the correct implementation of safeguards and security countermeasures. Vulnerabilities and weaknesses are common with software mainly because there isn't any software or code in existence that doesn't have bugs, weaknesses, or vulnerabilities. Many vulnerabilities are derived from the various kinds of software that is commonplace within the IT infrastructure. This type of software includes the following:

- Firmware: Software that is usually stored in ROM and loaded during system power up.
- Operating system: The operating system software that is loaded in workstations and servers.
- Configuration files: The configuration file and configuration setup for the device.
- Application software: The application or executable file *.exe that is run on a workstation or server.
- Software Patch: A small piece of software or code snippet that the vendor or developer of the software typically releases as software updates, software maintenance, and known software vulnerabilities or weaknesses.

Note: Why do software vendors and application software companies have Software Licensing Agreements (SLAs) that protect them from their own software vulnerabilities? Why do software companies have stringent Limited Warranty, Disclaimer of Warranties, Exclusion of Incidental, Consequential, and Certain Other Damages, and Limitations of Liability clauses in all their software products' SLAs? The answer to these questions can be summarized quite simply: software vendors know they can't create and sell perfect code because of the human element. Software bugs and vulnerabilities are commonplace. Simply put, software vendors cannot guarantee that their software is bug-proof and free of vulnerabilities, so they must protect themselves from potential liability and damages that may be the result of a software vulnerability that is exploited by a hacker or unauthorized user.

Herein lies the fundamental problem: software has vulnerabilities, hackers and perpetrators know there are vulnerabilities, and organizations attempt to put the proper software patches and updates in place to combat this fundamental problem before being attacked. The key word here is before being attacked. Many organizations lack sufficient funds for securing their IT infrastructure by mandating a vulnerability window of 0 days or 0 hours, thus eliminating any software vulnerability potential threats. Achieving a vulnerability window of 0 days or 0 hours is virtually impossible given that software vendors cannot provide software patches fast enough to the general public after a vulnerability is exposed. In addition, the time required to deploy and install the software patch on production servers and workstations exposes an organization's IT infrastructure to potential threats from that vulnerability. This gap in time is reality in IT infrastructures, especially because a majority of IT assets and devices have some kind of software loaded in them. Remember, vulnerabilities in software extend to firmware, operating systems, configuration files, and applications, and must be combated with a software maintenance, update, and patch maintenance plan. This encompasses the entire software, operating, and application software environment exposing potential vulnerabilities in any device that houses and runs this vulnerable software. In large organizations, combating the software vulnerability issue requires an enterprise, automated software patch-management solution.

The Computer Emergency Response Team (CERT) is an organization sponsored by Carnegie-Mellon University's Software Engineering Institute. Until 2003, CERT was the organizational body that was responsible for collecting, tracking, and monitoring vulnerability and incident reporting statistics. CERT can be found at CERT publishes statistics for the following:

- Vulnerabilities Reported: This compilation is for vulnerabilities reported, not those that go unreported.
- Vulnerability Notes Published: These notes are published by CERT from data that is compiled from users and the vendor community describing known and documented vulnerabilities.

- National Cyber Alert System Documents Published: Information previously published in CERT advisories, incident notes, and summaries are now incorporated into National Cyber Alert System documents.
- Security Alerts Published: The total number of validated security alerts published by CERT.
- Mail Messages Handled: The total number of messages handled by CERT.
- Hotline Calls Received: The total number of phone calls handled by CERT.
- Incidents Reported: Given the widespread use and availability of automated attack tools, attacks against Internet-connected organizations are common given the number of incidents reported.

As of 2004, CERT no longer publishes the number of incidents reported. Instead, CERT is working with others in the community to develop and report on more meaningful metrics for incident reporting, such as the 2004 E-Crime Watch Survey. Figure 3.1 shows the dramatic increase in known and documented vulnerabilities and the number of incidents that have occurred and have been recorded by during the past few years. Note that as the number of vulnerabilities increases, the number of incidents has also increased, but this value is misleading because the number of incidents that go unreported is unknown.

Figure 3.1 Rise in vulnerabilities and incidents. (Chart titled "Vulnerability / Incident Growth"; series: Reported Incidents, New Vulnerabilities.)

Many of the security incidents indicated in 2003 on the website were the direct result of software vulnerabilities that were exploited by an attacker. These security incidents can be attributed to the vulnerability window, which is the amount of time that lapses between when a known vulnerability is identified and documented to when an organization implements the vulnerability fix or deploys the appropriate software patch. Because of this vulnerability window issue, SQL Slammer, which was a known vulnerability posted by Microsoft in July 2002, affected nearly 90% of the world's SQL databases on Super Bowl Sunday, January 2003, six months after the vulnerability was exposed.

The stages of vulnerability in software are as follows:

1. Vendors release software and code with unknown vulnerabilities to the general public.
2. Vulnerability is discovered, communicated, documented, and published by the vendor. When the vulnerability is identified and communicated to the general public, this defines when the vulnerability window is open. This is referred to as VTopen.
3. A configuration-based software countermeasure (software patch) is created by the vendor and made available to the public.
4. The software patch is released and made available to the public.
5. The software patch is received, deployed, and installed on the affected devices. When the software patch is deployed and installed on the affected device, this defines when the vulnerability window is closed. This is referred to as VTclosed.

In Figure 3.2, the stages in vulnerabilities in software are defined. This gap in time between when a known vulnerability is identified and communicated to when that known vulnerability is mitigated through a software patch is referred to as the vulnerability window.

Figure 3.2 The vulnerability window. (Diagram of the five stages of vulnerability in software listed above, with the interval VT running from VTopen at stage 2 to VTclosed at stage 5.)

From a vulnerability perspective, an IT asset or IT infrastructure is most vulnerable during the vulnerability window exposure time. This exposure time is referred to as vulnerability time:

Vulnerable Time (Vt) = Vt(open) - Vt(closed)

Most organizations, when they first conduct a vulnerability assessment on their IT infrastructure, servers, workstations, and systems, are shocked to realize that they are vulnerable because of software vulnerabilities inherent in the code. Upon realizing this, the ultimate goal for an organization is to prioritize those IT assets and IT infrastructure components to assess which IT assets should have their vulnerability time reduced. Reducing the vulnerability time will assist organizations in minimizing the potential risk and threats caused by software vulnerabilities. Many organizations create internal policies that state the maximum vulnerability time exposure for their mission critical IT assets and systems.

Organizations are now realizing that having an IT security architecture and framework consisting of policies, standards, procedures, and guidelines for their production IT systems, software, and applications is critical. Many organizations are apt to create a policy that defines the maximum acceptable vulnerability window for its mission-critical and production IT systems. This policy then drives the priorities for how funds are to be invested for risk mitigation via an enterprise patch-management solution.

Tip: When defining a policy for software vulnerability management, identifying and prioritizing mission-critical IT assets to prioritize the confidentiality, availability, and integrity of information assets is paramount.

Software vulnerabilities are documented and tracked by the U.S. Computer Emergency Readiness Team (US-CERT) in a public-accessible list called the Common Vulnerabilities and Exposures (CVEs) list. In 1999, the MITRE organization was contracted by the U.S. Computer Emergency Readiness Team to track, monitor, and update the CVE list. Today, the CVE list has grown to more than 7,000 unique documented vulnerability items, and approximately 100 new candidate names are added to the CVE list each month, based on newly discovered vulnerabilities. The CVE list can be found at The CVE is merely a list or dictionary of publicly known information security vulnerabilities and exposures and is international in scope and free for public use. Each vulnerability or exposure included on the CVE list has one common, standardized CVE name. The CVE list is a community effort that encourages the support of hardware and software vendors. The CVE list is free and can be downloaded or accessed online at the previously mentioned website.

Tip: Use of the CVE list along with identifying IT and data assets are necessary first steps in conducting an internal risk assessment of an organization. The risk and vulnerability assessor should first identify all known IT assets and build an IT asset inventory using a spreadsheet or similar tool. Then, for each IT asset, the assessor should list the firmware, the operating system software, the application software, and the software patches and their version numbers currently loaded in that IT asset. Using the CVE list, a quick global search on known software vulnerabilities to the organization's IT asset list can be conducted, especially if the software version and software patch numbers from the software vendor can be obtained. This quick examination of known software vulnerabilities will help an organization uncover known software vulnerabilities. This information can be used to assess whether the value of the IT asset or the data asset requires remediation.
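The inventory-and-CVE lookup described in the Tip above, combined with the vulnerability time and the maximum-window policy from earlier in the chapter, can be sketched as follows. This is an added example, not code from the book; the product names, patch ids, advisory ids, dates and policy tiers are constructed, and vulnerability time is taken as the elapsed days from VTopen to VTclosed (or to today while the window is still open).

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, FrozenSet, List, Optional

# Assumed policy: maximum acceptable vulnerability window, in days, per
# asset criticality tier. Tier names and limits are illustrative only.
MAX_WINDOW_DAYS = {"mission-critical": 7, "production": 30, "standard": 90}


@dataclass
class InventoryRow:
    """One software item loaded on one IT asset (one spreadsheet row)."""
    asset: str
    criticality: str             # key into MAX_WINDOW_DAYS
    layer: str                   # firmware / operating system / application
    product: str
    version: str
    patches: Dict[str, date] = field(default_factory=dict)  # patch id -> install date


@dataclass
class Advisory:
    """One published vulnerability entry, reduced to the fields used here."""
    vuln_id: str                 # placeholder id, not a real CVE name
    product: str
    affected_versions: FrozenSet[str]
    fixed_by_patch: str
    vt_open: date                # publication date: the window opens (VTopen)


@dataclass
class Finding:
    asset: str
    layer: str
    vuln_id: str
    still_open: bool             # True when the fixing patch is not installed
    days: int                    # vulnerability time in days
    limit: int                   # policy limit for this asset's tier

    @property
    def over_policy(self) -> bool:
        return self.days > self.limit


def vulnerability_time(vt_open: date, vt_closed: Optional[date], today: date) -> int:
    """Days from VTopen to VTclosed; an unpatched item is measured to today."""
    end = vt_closed if vt_closed is not None else today
    # A patch installed before publication leaves no exposure window.
    return max((end - vt_open).days, 0)


def assess(inventory: List[InventoryRow], advisories: List[Advisory],
           today: date) -> List[Finding]:
    """Match inventory rows to advisories and rank the resulting findings."""
    findings = []
    for row in inventory:
        limit = MAX_WINDOW_DAYS[row.criticality]
        for adv in advisories:
            if adv.product != row.product or row.version not in adv.affected_versions:
                continue
            vt_closed = row.patches.get(adv.fixed_by_patch)  # None: window still open
            days = vulnerability_time(adv.vt_open, vt_closed, today)
            findings.append(Finding(row.asset, row.layer, adv.vuln_id,
                                    vt_closed is None, days, limit))
    # Open windows first, then by how far the window runs past the policy limit.
    findings.sort(key=lambda f: (not f.still_open, f.limit - f.days))
    return findings


# Constructed sample data: every product, patch id and date below is invented.
TODAY = date(2004, 6, 1)
INVENTORY = [
    InventoryRow("db-server-01", "mission-critical", "application", "ExampleDB", "8.0"),
    InventoryRow("db-server-01", "mission-critical", "operating system",
                 "ExampleOS Server", "5.2", {"OS-PATCH-12": date(2004, 3, 10)}),
    InventoryRow("hr-workstation-07", "standard", "application", "ExampleDB", "8.0",
                 {"DB-PATCH-3": date(2004, 2, 1)}),
    InventoryRow("edge-router-02", "production", "firmware", "ExampleRouterFW", "12.1"),
]
ADVISORIES = [
    Advisory("VULN-EXAMPLE-0001", "ExampleDB", frozenset({"7.5", "8.0"}),
             "DB-PATCH-3", date(2004, 1, 15)),
    Advisory("VULN-EXAMPLE-0002", "ExampleOS Server", frozenset({"5.2"}),
             "OS-PATCH-12", date(2004, 3, 1)),
    Advisory("VULN-EXAMPLE-0003", "ExampleRouterFW", frozenset({"12.0"}),
             "FW-PATCH-9", date(2004, 4, 1)),
]


def run_example() -> List[Finding]:
    return assess(INVENTORY, ADVISORIES, TODAY)


if __name__ == "__main__":
    for f in run_example():
        state = "OPEN" if f.still_open else "closed"
        flag = "OVER POLICY" if f.over_policy else "within policy"
        print(f"{f.asset:18} {f.layer:17} {f.vuln_id} {state:6} "
              f"{f.days:4}d (limit {f.limit}d) {flag}")
```

The closed findings are kept in the output on purpose: a window that has since been patched but ran past the policy limit is evidence that the patch process for that asset tier needs attention.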

Prior to conducting an internal risk assessment, it is important to understand the new laws, mandates, and regulations that are driving organizations to create and implement information systems security plans and conduct vulnerability assessments. These new laws, mandates, and regulations are impacting IT infrastructures and their assets and are driving the need for conducting a thorough risk and vulnerability assessment on an IT infrastructure and its assets.

Laws, Mandates, and Regulations

The U.S. federal government has taken an active role in dealing with computer, Internet, privacy, and corporate threats, vulnerabilities, and exploits during the past five years. This is exemplified by the increase in new laws and mandates that were passed recently. These new laws and mandates encompass the following areas:

- Cyber Laws and Crimes: U.S. Code 1029 defines what a criminal activity is in regard to unauthorized access to devices and what the penalties for such crimes will be. U.S. Code 1030 defines what computer fraud is and other related activities in connection with computers.
- Privacy: New laws were enacted that protect an individual's confidentiality of personal information, such as social security number, passport number, driver's license number, ID numbers, and so on.
- Financial Records Confidentiality: New laws were enacted that protect an individual's confidential financial information, credit report, and any information pertaining to financial records such as user ids, passwords, bank account numbers, and financial data.
- Corporate Integrity: New laws were enacted to hold officers of publicly traded companies responsible and accountable for the accuracy and release of financial and annual reports as well as for documenting and ensuring that a proper information security architecture and framework with processes and controls are in place.

When dealing with risk assessment in an organization, there are now many new laws and mandates that impact the requirements and scope of the risk assessment. Depending on the organization's vertical industry category, different laws and mandates will impact how that organization approaches its internal risk assessment and vulnerability assessment. Many of these new laws and mandates will assist in defining the scope of the risk assessment and vulnerability assessment, given the IT and data assets that must now have the proper security controls, procedures, and guidelines. The following new laws and mandates currently impact information security requirements and are briefly described in this chapter:

- HIPAA: Health Insurance Portability and Accountability Act,
- GLBA: Gramm-Leach-Bliley Act,

- FISMA: Federal Information Security Management Act,
- SOX, Section 404: Sarbanes-Oxley Act, Section 404,

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996 to address the lack of portability that individuals and their families had to deal with when changing jobs. HIPAA provides a way that individuals and their family members can have a continuity of health insurance even through job changes and perhaps even unemployment.

Note: It used to be people stayed in one or two jobs throughout a whole career. In those days people had no need for HIPAA. But today, in a time when jobs and even careers are constantly changing, HIPAA can make a big difference in your personal welfare or the welfare of your family.

Title I of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects health insurance coverage for workers and their families when they change or lose their jobs. Title II requires the Department of Health and Human Services to establish national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. Under HIPAA law, the U.S. Department of Health and Human Services (DHHS) was required to publish a set of rules regarding privacy. The Privacy Rule was published on August 14, 2002, and the Security Rule was published in the Federal Register on February 20,

The privacy rule states three major purposes:

- To protect and enhance the rights of consumers by providing them access to their health information and controlling the inappropriate use of that information.
- To improve the quality of health care in the United States by restoring trust in the health care system among consumers, health care professionals, and the multitude of organizations and individuals committed to the delivery of care.
- To improve the efficiency and effectiveness of health care delivery by creating a national framework for health privacy protection that builds on efforts by states, health systems, and individual organizations and individuals.

The security rule states the following: In addition to the need to ensure electronic health care information is secure and confidential, there is a potential need to associate signature capability with information being electronically stored or transmitted.

Today, there are numerous forms of electronic signatures, ranging from biometric devices to digital signature. To satisfy the legal and time-tested characteristics of a written signature, however, an electronic signature must do the following:

- Identify the signatory individual;
- Assure the integrity of a document's content; and
- Provide for nonrepudiation; that is, strong and substantial evidence that will make it difficult for the signer to claim that the electronic representation is not valid.

Currently, the only technically mature electronic signature meeting the above criteria is the digital signature.

Gramm-Leach-Bliley-Act (GLBA)

The Gramm-Leach-Bliley Act (GLBA) was signed into law in 1999 and resulted in the most sweeping overhaul of financial services regulation in the United States by eliminating the long-standing barriers between banking, investment banking, and insurance. Title V addresses financial institution privacy with two subtitles. Subtitle A addresses this by requiring financial institutions to make certain disclosures about their privacy policies and to give individuals an opt-out capability. Subtitle B criminalizes the practice known as pretexting, where someone will misrepresent themselves to collect information regarding a third party from a financial institution. Various sections of the GLBA provide support to Title V in a variety of ways. For example:

- Section 502: Requires that a financial institution not disclose, directly or indirectly or through any affiliate, any personal information to a third party.
- Section 503: Requires the financial institution to disclose its policies annually during the institution's relationship with a given customer.
- Section 504: Requires that the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the Office of Thrift Supervision (OTS), the Secretary of the Treasury, the National Credit Union Administration (NCUA), the Securities and Exchange Commission (SEC), and the Federal Trade Commission (FTC), after consultation with representatives of state insurance authorities designated by the National Association of Insurance Commissioners, are to prescribe regulations to carry out subtitle A.

Under GLBA law, financial institutions are required to protect the confidentiality of individual privacy information. Under the GLBA definition, financial institutions may include banks, insurance companies, and other third-party organizations that have access to an individual's private and confidential financial, banking, or personal information. As specified in GLBA law, financial institutions are required to develop, implement, and maintain a comprehensive information security program with appropriate administrative, technical, and physical safeguards. This information security program must include the following:

- Assigning a designated program manager for the organization's information security program
- Conducting periodic risk and vulnerability assessments
- Performing regular testing and monitoring
- Defining procedures for making changes in lieu of test results or changes in circumstance

Federal Information Security Management Act (FISMA)

The Federal Information Security Management Act (FISMA) was signed into law in 2002 as part of the E-Government Act of 2002, replacing the Government Information Security Reform Act (GISRA). FISMA was enacted to address the information security requirements for non-national-security government agencies. FISMA provides a statutory framework for securing government-owned and operated IT infrastructures and assets. FISMA requires the CIO to carry out the following responsibilities:

- Develop and maintain an agencywide information assurance (IA) program with an entire IT security architecture and framework.
- Ensure that information security training is conducted annually to keep staff properly trained and certified.
- Implement accountability for personnel with significant responsibilities for information security.
- Provide proper training and awareness to senior management such that proper security awareness programs can be deployed.

The FISMA law also requires the agency head, in this case the secretary of the Navy, to

- Develop and maintain an agencywide information assurance (IA) program with an entire IT security architecture and framework.
- Ensure each agency has a sufficient number of trained information security personnel to ensure agencywide IA.
- Require annual reports from the CIO regarding the effectiveness of the agency's IA programs and progress on any required remedial actions.

The FISMA law also requires each federal agency to develop, document, and implement an agencywide information security program that includes the following elements:

- Periodic risk assessments (at least annually).
- Risk-assessment policies and procedures that cost-effectively reduce the risk to an acceptable level, ensure that information security is addressed throughout the life cycle of each agency information system, and ensure compliance with FISMA.

- Subordinate plans for networks, facilities, and groups of systems as appropriate.
- Security awareness training for agency personnel, including contractors and system users.
- Periodic (at least annually) testing and evaluation of the effectiveness of information security policies, procedures, and practices.
- Processes for planning, implementing, evaluating, and documenting remedial action to address deficiencies in agency information security policies, procedures, and practices.
- Procedures for detecting, reporting, and responding to security incidents.
- Plans and procedures to ensure continuity of operations for information systems that support agency operations and assets.

Finally, FISMA law requires each federal agency to report to Congress annually by March 1. The agency FISMA report must address the adequacy and effectiveness of information security policies, procedures, and practices. In addition to the annual report, FISMA requires that each agency conduct an annual, independent evaluation of the IA program and practices to determine their effectiveness. FISMA requirements brought about for the first time in U.S. federal government history a definition for agency information security and human accountability for the protection of federal government IT infrastructure and data assets.

Sarbanes-Oxley Act (SOX)

The Sarbanes-Oxley Act (SOX) was signed into law in 2002 and named after its authors: Senator Paul Sarbanes (D-MD) and Representative Paul Oxley (R-Ohio). This act mandated a number of reforms to enhance corporate responsibility, enhance financial disclosures, and combat corporate and accounting fraud. Corporate and accounting fraud became commonplace thanks to the Enron and MCI Worldcom fiascos, which were the driving force in the creation and adoption of the SOX law. This was the first law of this kind that requires U.S.-based corporations to abide by new anticrime laws, address a broad range of wrongdoings, and requires a set of comprehensive controls be put in place while holding the CEO and CFO accountable for the accuracy of the information. SOX law applies to U.S.-based publicly traded companies with market capitalizations of $75 million or more. SOX compliancy commenced in fiscal year 2004, with fiscal year 2005 being the first full year of SOX compliancy. Many organizations are now assessing and eliminating identified gaps in defined control objectives and in particular, information-security-related control objectives. The SOX structure and charter consists of the following organizational elements:

- Public Company Accounting Oversight Board (PCAOB): The SOX law created and enacted the PCAOB to oversee and guide auditors in maintaining SOX compliancy.

- PCAOB Was Charted with Creating Proposed Auditing Standards for SOX Compliancy: PCAOB was tasked with creating consistent auditing standards for SOX compliancy.
- PCAOB Selected Controls Frameworks from Committee of Sponsoring Organizations (COSO): The goal of the COSO was to develop a standardized control framework that provided structured guidelines for implementing internal controls. To supplement the control framework structure created by the COSO, the PCAOB selected Information Systems Audit and Control Association's (ISACA) control objectives for information and related technology framework (COBIT).

Assistance from the IT Governance Institute used COSO and COBIT frameworks to create specific IT control objectives for SOX. The IT Governance Institute Framework includes the following major areas:

- Security Policies: Policies are the most important control objectives to define because they encompass the entire organization and act as an element of that organization's overall IT security architecture and framework.
- Security Standards: Standards allow the entire organization to follow a consistent definition for how securing the IT infrastructure and assets will be implemented using hardware and software security tools and systems.
- Access and Authentication: Requires that the organization have a consistent definition for end user access control and how those users will be authenticated prior to access being granted to the systems and information.
- User Account Management: Requires that access control and management of access control be defined consistently across the organization with stringent controls put in place to track, monitor, and ensure system access is not compromised.
- Network Security: Requires that the network infrastructure (LAN, WAN, Internetworking, Egress Points, Internet Access, DMZ, and so on) be designed and configured according to the IT security architecture and framework that is defined for the organization.
- Monitoring: Requires that the organization have a plan to adequately monitor the security of the IT infrastructure and the various IT systems and assets. This plan undoubtedly requires IT security tools and systems to monitor, audit, and report on network activity and system access.
- Segregation of Duties: Requires that the IT organization and, in particular, the roles, responsibilities, and accountabilities for information security be defined and documented in a segregated manner given the layers of responsibilities that are typical in an IT infrastructure.
- Physical Security: Requires that physical access and physical security be defined that house and protect the IT infrastructure and assets (for example, data centers, computer rooms, server rooms).

Two sections indirectly and directly impact IT infrastructures and information security: Section 302 and Section 404. Section 302 impacts information security indirectly in that the CEO and CFO must personally certify that their organization has the proper internal controls. Section 302 mandates that the CEO and CFO must personally certify that financial reports are accurate and complete and that the data they use for financial reporting is accurate and secure. In addition, the CEO and CFO must also report on effectiveness of internal controls around financial reporting. Section 404 mandates that certain management structures, control objectives, and procedures be put into place. Compliance with Section 404 requires companies to establish an infrastructure that is actually designed to protect and preserve records and data from destruction, loss, unauthorized alteration, or other misuse. When developing management structures, control objectives, and procedures for SOX Section 404 to protect and preserve records and data from destruction, loss, unauthorized alteration or other misuse, five major areas must be addressed:

Control Environment: The Control Environment defines the scope of the SOX Section 404 responsibility, which includes an organization's IT infrastructure and assets.

Risk Assessment: As per SOX Section 404, a risk assessment for the Control Environment that includes an organization's IT infrastructure and assets is to be conducted.

Control Activities: Specific control activities (for example, asset management, change control board/procedures, configuration management) must be defined and documented for the Control Environment, which usually includes the IT infrastructure and IT and data assets.

Information and Communications: Documentation and communication of the findings and assessment for the Control Environment must be done such that management can take the appropriate steps to mitigate identified risks, threats, and vulnerabilities.

Monitoring: Continuous monitoring, configuration change update tracking, and other internal and external influences to the Control Environment must be done to maintain compliancy with SOX Section 404 on an annual basis.

Organizations today are being forced to create IT security architectures and frameworks to properly address the requirements of these new laws, mandates, and regulations. After an IT security architecture and framework is in place, risk and vulnerability assessments are needed to identify weaknesses and gaps in the deployment of information security architectures and frameworks. By conducting a risk and vulnerability assessment, an organization will be able to identify and get a baseline for their current level of information security. This baseline will form the foundation for how that organization needs to increase or enhance its current level of security based on the criticality or exposure to risk that is identified during the risk and vulnerability assessment conducted on the IT infrastructure and assets. From here, it is important to understand risk assessment best practices and what the goal of a risk assessment should be for an organization.

Risk Assessment Best Practices

When you're conducting a risk assessment, it is important to define what the goals and objectives are for the risk assessment and what that organization would like to accomplish by conducting one. Risk and vulnerability assessments provide the necessary information about an organization's IT infrastructure and its assets' current level of security. This level of security allows the assessor to provide recommendations for increasing or enhancing that IT asset's level of security based on the identified and known vulnerabilities that are inherent in the IT infrastructure and its assets.

There are many best practices or approaches to consider when conducting a risk and vulnerability assessment on an IT infrastructure and its assets. These best practices or approaches will vary depending on the scope of the IT infrastructure and its assets. To properly secure and protect an organization's IT infrastructure and assets, a significant amount of design, planning, and implementation expertise is required to ensure that the proper level of security is designed and implemented properly. While preparing and conducting a risk assessment, the following best practices or approaches should be considered:

Create a Risk Assessment Policy: A risk assessment policy will define what the organization must do periodically (annually in many cases), how risk is to be addressed and mitigated (for example, a minimum acceptable vulnerability window), and how that organization must carry out a risk assessment for its IT infrastructure components and its assets. Creation of a risk assessment policy is usually done after the first risk assessment is conducted as a post-assessment activity. In some cases, organizations create a risk assessment policy and then implement the recommendations that the policy defines.
Inventory and Maintain a Database of IT Infrastructure Components and IT Assets: One of the most tedious but important first steps in conducting a risk or vulnerability assessment is to identify and inventory all known IT infrastructure components and assets. Without a complete and accurate inventory of IT infrastructure components and IT assets, an asset valuation, criticality, or importance evaluation cannot be performed.

Define Risk Assessment Goals and Objectives in Line with Organizational Business Drivers: Defining the risk assessment's goals and objectives is the second step in conducting a risk assessment for your IT infrastructure components and IT assets. Aligning these goals and objectives with the organization's business drivers will allow the organization to prioritize and focus on critical systems and assets first given the budget limitations that most organizations face.

Identify a Consistent Risk Assessment Methodology and Approach for Your Organization: Defining and selecting the risk assessment methodology and approach for your organization will be dependent on the organization's ability to identify accurate IT infrastructure components and assets, the ability to identify asset value and/or asset importance/criticality to the organization, and how the organization makes business decisions. This will be further examined in Chapter 4, "Risk Assessment Methodologies."

Conduct an Asset Valuation or Asset Criticality Valuation as per a Defined Standard Definition for the Organization: Depending on the accuracy and availability of inventory documentation and asset valuation data (for example, capital dollars spent on hardware, software, integration, maintenance, staff salaries, G&A overhead), the organization should conduct an asset valuation or asset criticality (importance) assessment to prioritize and determine which IT infrastructure components and assets are most important to the organization (either in monetary value or importance value). This will be further examined in Chapter 4.

Define and/or Limit the Scope of the Risk Assessment Accordingly by Identifying and Categorizing IT Infrastructure Components and Assets as Critical, Major, and Minor: Depending on the scope of the risk assessment, an organization may or may not be faced with a limited budget to conduct a thorough risk and vulnerability assessment. In many cases, organizations have limited budgets to conduct a risk and vulnerability assessment and must limit the scope on the mission-critical IT infrastructure components and assets only. Although this solution exposes the organization to potential risks, threats, and vulnerabilities, a defense-in-depth approach to assessing and mitigating risks, threats, and vulnerabilities can still be pursued.

Understand and Evaluate the Risks, Threats, and Vulnerabilities to Those Categorized IT Infrastructure Components and Assets: After the IT infrastructure components and assets are identified and an asset valuation or asset criticality assessment is conducted, the next step in the risk assessment and vulnerability assessment is to assess the impact that potential risks, threats, and vulnerabilities have on the identified IT infrastructure components and assets. By aligning the potential risks, threats, and vulnerabilities to the prioritized IT infrastructure components and assets, management can make sound business decisions based on the value or criticality of that IT asset and the potential risk, threats, and vulnerabilities that are known.

Define a Consistent Standard or Yardstick of Measurement for Securing the Organization's Critical, Major, and Minor IT Infrastructure Components and Assets: To properly categorize IT infrastructure components and assets, a consistent standard definition or yardstick of measurement needs to be defined. This standard definition refers to how the organization will define and categorize IT infrastructure components and assets to be Critical, Major, or Minor. This definition can be based on monetary value, requirement by law or mandate, or criticality or importance to the organization. The selection criteria or requirements for defining this standard definition should be defined by management and incorporated into the risk assessment policy when it is drafted and implemented.

Perform the Risk and Vulnerability Assessment as per the Defined Standard or Yardstick of Measurement for the Organization's IT Infrastructure Assets: After the standard definition or yardstick of measurement is defined for IT asset categorization, the risk and vulnerability assessment can be aligned to the priorities as defined by the results of the standard definition for categorization of the organization's IT infrastructure components and assets. This is important given that most organizations have a limited budget for implementing information security countermeasures and must prioritize how they spend funds on information security, especially if they are under compliance requirements with new laws, mandates, and regulations that require them to do so or be subject to penalties.

Prepare a Risk and Vulnerability Assessment Final Report That Captures the Goals and Objectives Aligned with the Organization's Business Drivers, Provides a Detailed Summary of Findings, Provides an Objective Assessment and Gap Analysis of Those Assessment Findings to the Defined Standard, and Provides Tactical and Strategic Recommendations for Mitigating Identified Weaknesses: The risk and vulnerability assessment final report is the primary document that presents all the findings, information, assessments, and recommendations for the organization. The final assessment report becomes the instrument for management to make sound business decisions pertaining to the organization's overall risk and vulnerability assessment and how that organization will mitigate the identified risks, threats, and vulnerabilities.
Prioritize, Budget, and Implement the Tactical and Strategic Recommendations Identified During the Risk and Vulnerability Assessment Analysis: After the findings, assessment, and recommendations are presented to management, it is important to prioritize them, create a budget, and have a tactical and strategic plan for implementing the recommendations presented in the final report. These recommendations may impact the entire organization and may take months, if not years, to fully implement. This prioritization of tactical and strategic recommendations will enable the organization to make sound business decisions with the defined goals and objectives of the risk and vulnerability assessment.

Implement Organizational Change Through an Ongoing Security Awareness and Security Training Campaign to Maintain a Consistent Message and Standard Definition for Securing the Organization's IT Infrastructure and Assets: Implementing organizational change requires an education and security awareness training plan for all employees or authorized users of the organization's IT systems, resources, and data. Mitigating risk requires all employees and users within the organization to abide by security awareness training.

Defining and implementing these risk assessment best practices does not come easily and requires careful analysis and decision making unique to the organization's business drivers and priorities as an organization. For example, a bank or financial institution requires more stringent use of encryption technology to ensure confidentiality of privacy data, whereas an organization that is not subject to stringent confidentiality requirements may put less investment in encryption technology and more investment in other areas.

These risk assessment best practices allow an organization to consider the big picture of why that organization should conduct a risk and vulnerability assessment and how they should methodically approach the assessment. More importantly, these best practices align that organization's business drivers and defined standards to the risk and vulnerability assessment to assist management in making sound business decisions based on available budgets, minimum acceptable vulnerability windows, and importance and criticality of IT infrastructure components and assets.

Understanding the IT Security Process

As defined earlier in Chapter 2, "Foundations and Principles of Security," designing and implementing a sound IT security architecture and framework requires a thorough analysis and examination of how availability, integrity, and confidentiality (A-I-C Triad) is designed and implemented on the IT infrastructure components and assets in the overall information security plan. Attacks on an IT infrastructure and assets can disrupt availability of service resulting in the following:

Loss of Productivity: Downtime equals lost productivity to organizations. Lost productivity can result in loss in dollars and time.

Violation of Service Level Agreements: Service providers or outsourcing service organizations can be in violation of contractual service level agreements (SLAs) that may result in penalties and financial compensation.

Financial Loss: Lost productivity and violation of SLAs all result in financial loss. Depending on the criticality of the financial loss, this may change the prioritization of how that organization funds and secures its IT infrastructure components and assets.

Loss of Life: System downtime or even loss of data can impact IT infrastructures and systems that are used to maintain, support, and respond to human life issues.

Attacks on an IT infrastructure and assets can disrupt the integrity of information that organizations disseminate:

Attack Against the Integrity of a System: A system's integrity requires sound access control processes and authentication that the user is authorized to access the system. Attacks against the integrity of the system start with access control and include the manipulation of information or data, including destruction of data.

Information or Data Can Be Modified, Altered, or Destroyed: A system's integrity can be compromised if access is granted to a perpetrator and the organization's information or data is modified, altered, or destroyed.

Caution: Attacks on an IT infrastructure and assets can disrupt the confidentiality of information and data assets. Attacks can expose confidential information such as corporate or intellectual property secrets, financial information, and health records, which can result in identity theft. Maintaining the confidentiality of privacy records and financial data pertaining to individuals is now subject to laws, mandates, and regulations dictated by HIPAA and GLBA.

Unfortunately, implementing a robust IT security architecture and framework and conducting a risk and vulnerability assessment is not something that can be taken lightly by an organization. This is true given that many IT systems and applications were not designed with security in mind; many organizations are struggling to deal with the lack of security in their IT infrastructure components and applications that are currently in production. Security was always an afterthought and now for the first time, information security is in the forefront of system requirements definitions and system designs. Security as a process would define an entire development life cycle that incorporates security requirements into the system or application design from the very beginning. By designing a system (hardware, software, or multiplatforms) or application (software code) from the ground up that includes security requirements for availability, integrity, and confidentiality, minimization of the risks, threats, and vulnerabilities can be designed into the system or application up front. Security as a process would have security requirements incorporated throughout all the steps of the system or application development and design life cycle. These steps include the following:

Risk/Threat/Vulnerability Analysis: Ideally, this is done prior to any system requirements or application requirements being defined and documented. This initial risk, threat, and vulnerability analysis will attempt to identify and mitigate the exposure by incorporating appropriate security countermeasure requirements into the overall system or application design.


More information

PKI Forum Endorsements

PKI Forum Endorsements July 2001 CA Trust Public Key Ifrastructure provides a meas for relyig parties (i.e., recipiets of certificates who act i reliace o digital sigatures verified usig those certificates) to kow that aother

More information

Health and dental coverage that begins when your group health benefits end

Health and dental coverage that begins when your group health benefits end Health ad detal coverage that begis whe your group health beefits ed Uderwritte by The Maufacturers Life Isurace Compay Page 1 of 5 FollowMeTM Health ca be your solutio. Life is full of chages. Some are

More information

A Guide to Better Postal Services Procurement. A GUIDE TO better POSTAL SERVICES PROCUREMENT

A Guide to Better Postal Services Procurement. A GUIDE TO better POSTAL SERVICES PROCUREMENT A Guide to Better Postal Services Procuremet A GUIDE TO better POSTAL SERVICES PROCUREMENT itroductio The NAO has published a report aimed at improvig the procuremet of postal services i the public sector

More information

ContactPro Desktop for Multi-Media Contact Center

ContactPro Desktop for Multi-Media Contact Center CotactPro Desktop for Multi-Media Cotact Ceter CCT CotactPro (CP) is the perfect solutio for the aget desktop i a Avaya multimedia call ceter eviromet. CotactPro empowers agets to efficietly serve customers

More information

Introducing International Investment Advisory Services. Your global needs, our international expertise

Introducing International Investment Advisory Services. Your global needs, our international expertise Itroducig Iteratioal Ivestmet Advisory Services Your global eeds, our iteratioal expertise Stregth ad Stability from RBC For over 140 years, ivestors have tured to Royal Bak of Caada (which operates globally

More information

Introducing Your New Wells Fargo Trust and Investment Statement. Your Account Information Simply Stated.

Introducing Your New Wells Fargo Trust and Investment Statement. Your Account Information Simply Stated. Itroducig Your New Wells Fargo Trust ad Ivestmet Statemet. Your Accout Iformatio Simply Stated. We are pleased to itroduce your ew easy-to-read statemet. It provides a overview of your accout ad a complete

More information

The Canadian Council of Professional Engineers

The Canadian Council of Professional Engineers The Caadia Coucil of Professioal Egieers Providig leadership which advaces the quality of life through the creative, resposible ad progressive applicatio of egieerig priciples i a global cotext Egieerig

More information

PRICE BAILEY CHARITIES & NOT FOR PROFIT THE RIGHT ADVICE FOR LIFE

PRICE BAILEY CHARITIES & NOT FOR PROFIT THE RIGHT ADVICE FOR LIFE PRICE BAILEY CHARITIES & NOT FOR PROFIT THE RIGHT ADVICE FOR LIFE OUR EXPERTISE To arrage a meetig with a member of for more iformatio about Price Bailey, At Price Bailey, we recogise that charity ad ot-for-profit

More information

Appendix B: Third-Party Tools

Appendix B: Third-Party Tools Appedix B: Third-Party Tools I This Chapter Cosideratios The Tools Cosideratios Obviously, beig able to desig, prepare, ad implemet effective disaster recovery strategies for your SharePoit eviromet is

More information

MainStay Funds IRA/SEP/Roth IRA Distribution Form

MainStay Funds IRA/SEP/Roth IRA Distribution Form MaiStay Fuds IRA/SEP/Roth IRA Distributio Form Do ot use for IRA Trasfers or SIMPLE IRA INSTRUCTIONS Before completig this form, please refer to the applicable Custodial Agreemet ad Disclosure Statemet

More information

Prescribing costs in primary care

Prescribing costs in primary care Prescribig costs i primary care LONDON: The Statioery Office 13.50 Ordered by the House of Commos to be prited o 14 May 2007 REPORT BY THE COMPTROLLER AND AUDITOR GENERAL HC 454 Sessio 2006-2007 18 May

More information

How To Write A Privacy Policy For A Busiess

How To Write A Privacy Policy For A Busiess Office of the Privacy Commissioer of Caada PIPEDA Privacy Guide for Small Busiesses: The Basics Privacy is the best policy Hadlig privacy cocers correctly ca help improve your orgaizatio s reputatio. Whe

More information

INVESTMENT PERFORMANCE COUNCIL (IPC)

INVESTMENT PERFORMANCE COUNCIL (IPC) INVESTMENT PEFOMANCE COUNCIL (IPC) INVITATION TO COMMENT: Global Ivestmet Performace Stadards (GIPS ) Guidace Statemet o Calculatio Methodology The Associatio for Ivestmet Maagemet ad esearch (AIM) seeks

More information

AGC s SUPERVISORY TRAINING PROGRAM

AGC s SUPERVISORY TRAINING PROGRAM AGC s SUPERVISORY TRAINING PROGRAM Learig Today...Leadig Tomorrow The Kowledge ad Skills Every Costructio Supervisor Must Have to be Effective The Associated Geeral Cotractors of America s Supervisory

More information

CCH Accountants Starter Pack

CCH Accountants Starter Pack CCH Accoutats Starter Pack We may be a bit smaller, but fudametally we re o differet to ay other accoutig practice. Util ow, smaller firms have faced a stark choice: Buy cheaply, kowig that the practice

More information

Engineering Data Management

Engineering Data Management BaaERP 5.0c Maufacturig Egieerig Data Maagemet Module Procedure UP128A US Documetiformatio Documet Documet code : UP128A US Documet group : User Documetatio Documet title : Egieerig Data Maagemet Applicatio/Package

More information

IT Support. 020 8269 6878 n www.premierchoiceinternet.com n support@premierchoiceinternet.com. 30 Day FREE Trial. IT Support from 8p/user

IT Support. 020 8269 6878 n www.premierchoiceinternet.com n support@premierchoiceinternet.com. 30 Day FREE Trial. IT Support from 8p/user IT Support IT Support Premier Choice Iteret has bee providig reliable, proactive & affordable IT Support solutios to compaies based i Lodo ad the South East of Eglad sice 2002. Our goal is to provide our

More information

Public Safety Canada. Internal Audit of Talent Management. Final Audit Report

Public Safety Canada. Internal Audit of Talent Management. Final Audit Report Public Safety Caada Iteral Audit of Talet Maagemet Fial Audit Report November 2011 Audit of Talet Maagemet Table of Cotets 1.0 Executive Summary 3 2.0 Backgroud 10 2.1 Audit Objective 11 2.2 Audit Scope

More information

A GUIDE TO BUILDING SMART BUSINESS CREDIT

A GUIDE TO BUILDING SMART BUSINESS CREDIT A GUIDE TO BUILDING SMART BUSINESS CREDIT Establishig busiess credit ca be the key to growig your compay DID YOU KNOW? Busiess Credit ca help grow your busiess Soud paymet practices are key to a solid

More information

Total Program Management for High-Tech

Total Program Management for High-Tech Total Program Maagemet for High-Tech ORGANIZE Makig Order Out of Chaos Sortig the requiremets, fidig the right resources, aligig the capabilities, ad creatig a cohesive Team Maagemet Effort are dautig

More information

Domain 1 Components of the Cisco Unified Communications Architecture

Domain 1 Components of the Cisco Unified Communications Architecture Maual CCNA Domai 1 Compoets of the Cisco Uified Commuicatios Architecture Uified Commuicatios (UC) Eviromet Cisco has itroduced what they call the Uified Commuicatios Eviromet which is used to separate

More information

Safety Requirements engineering and Proof of implementation

Safety Requirements engineering and Proof of implementation Presetatio to DVClub commuity October 20 th 2015 Safety Requiremets egieerig ad Proof of implemetatio Test ad Verificatio Solutios Deliverig Tailored Solutios for Hardware Verificatio ad Software Testig

More information

I apply to subscribe for a Stocks & Shares ISA for the tax year 20 /20 and each subsequent year until further notice.

I apply to subscribe for a Stocks & Shares ISA for the tax year 20 /20 and each subsequent year until further notice. IFSL Brooks Macdoald Fud Stocks & Shares ISA Trasfer Applicatio Form IFSL Brooks Macdoald Fud Stocks & Shares ISA Trasfer Applicatio Form Please complete usig BLOCK CAPITALS ad retur the completed form

More information

For customers Key features of the Guaranteed Pension Annuity

For customers Key features of the Guaranteed Pension Annuity For customers Key features of the Guarateed Pesio Auity The Fiacial Coduct Authority is a fiacial services regulator. It requires us, Aego, to give you this importat iformatio to help you to decide whether

More information

Diploma in Secretarial Administration

Diploma in Secretarial Administration Istitute of Fiace Diploma i Secretarial Admiistratio Awarded by the Lodo Chamber of Commerce ad Idustry (LCCI) Startig October 2007 ope for erollmet from July 2007 Be smart start right eroll ow! Eglish

More information

Trustwave Leverages OEM Partnerships to Deepen SIEM Market Penetration

Trustwave Leverages OEM Partnerships to Deepen SIEM Market Penetration Trustwave Leverages OEM Parterships to Deepe SIEM Market Peetratio Accelerated lauch of ew security appliaces delivers reveue growth with assist from UNICOM Egieerig ad Dell OEM Solutios Itroductio Trustwave

More information

FortiGuard Fortinet s Global Security Research and Protection

FortiGuard Fortinet s Global Security Research and Protection SOLUTION BRIEF FortiGuard Fortiet s Global Research ad Protectio itelligece represets kowledge of the idetity, capabilities, ad itetios of idividuals ad orgaizatios egaged i espioage, sabotage, or theft

More information

IT Management Options. Security Redefined. Flexible Offerings. Peace of Mind

IT Management Options. Security Redefined. Flexible Offerings. Peace of Mind IT Maagemet Optios Security Redefied Flexible Offerigs Peace of Mid Secure Data Ceters SymQuest has two compliat SSAE-16 Secure Data Ceters (SDC) located i South Burligto, VT ad Westbrook, ME. Our ifrastructure

More information

PENSION ANNUITY. Policy Conditions Document reference: PPAS1(7) This is an important document. Please keep it in a safe place.

PENSION ANNUITY. Policy Conditions Document reference: PPAS1(7) This is an important document. Please keep it in a safe place. PENSION ANNUITY Policy Coditios Documet referece: PPAS1(7) This is a importat documet. Please keep it i a safe place. Pesio Auity Policy Coditios Welcome to LV=, ad thak you for choosig our Pesio Auity.

More information

leasing Solutions We make your Business our Business

leasing Solutions We make your Business our Business if you d like to discover how Bp paribas leasig Solutios Ca help you to achieve your goals please get i touch leasig Solutios We make your Busiess our Busiess We look forward to hearig from you you ca

More information

Grow your business with savings and debt management solutions

Grow your business with savings and debt management solutions Grow your busiess with savigs ad debt maagemet solutios A few great reasos to provide bak ad trust products to your cliets You have the expertise to help your cliets get the best rates ad most competitive

More information

Five Effective Testing Practices to Assure Meaningful Use of Electronic Health Records

Five Effective Testing Practices to Assure Meaningful Use of Electronic Health Records Poit of View Five Effective Testig Practices to Assure Meaigful of Electroic Health Records Abstract Meaigful ' has bee the buzzword i the US healthcare commuity as every care provider is gearig up for

More information

Best of security and convenience

Best of security and convenience Get More with Additioal Cardholders. Importat iformatio. Add a co-applicat or authorized user to your accout ad you ca take advatage of the followig beefits: RBC Royal Bak Visa Customer Service Cosolidate

More information

My first gold holdings. My first bank. Simple. Transparent. Individual. Our investment solutions for clients abroad.

My first gold holdings. My first bank. Simple. Transparent. Individual. Our investment solutions for clients abroad. My first gold holdigs. My first bak. Simple. Trasparet. Idividual. Our ivestmet solutios for cliets abroad. The perfect basis for workig together successfully The wheel of time is turig faster tha ever

More information

RISK TRANSFER FOR DESIGN-BUILD TEAMS

RISK TRANSFER FOR DESIGN-BUILD TEAMS WILLIS CONSTRUCTION PRACTICE I-BEAM Jauary 2010 www.willis.com RISK TRANSFER FOR DESIGN-BUILD TEAMS Desig-builD work is icreasig each quarter. cosequetly, we are fieldig more iquiries from cliets regardig

More information

E-Plex Enterprise Access Control System

E-Plex Enterprise Access Control System Eterprise Access Cotrol System Egieered for Flexibility Modular Solutio The Eterprise Access Cotrol System is a modular solutio for maagig access poits. Employig a variety of hardware optios, system maagemet

More information

PUBLIC RELATIONS PROJECT 2015

PUBLIC RELATIONS PROJECT 2015 PUBLIC RELATIONS PROJECT 2015 Supported by MARKETING The purpose of the Public Relatios Project is to provide a opportuity for the chapter members to demostrate the kowledge ad skills eeded i plaig, orgaizig,

More information

Enterprise Security & Risk Management. White Paper. Securing the Future with Next-Generation Data Center Security

Enterprise Security & Risk Management. White Paper. Securing the Future with Next-Generation Data Center Security Eterprise Security & Risk Maagemet White Paper Securig the Future with Next-Geeratio Data Ceter Security About the Author Prikshit Goel Prikshit Goel heads the Ceter of Excellece (CoE) for Maaged Security

More information

Banking & Financial Services. White Paper. Basel III Capital Disclosure Requirements The Way Forward For Banks

Banking & Financial Services. White Paper. Basel III Capital Disclosure Requirements The Way Forward For Banks Bakig & Fiacial Services White Paper Basel III Capital Disclosure Requiremets The Way Forward For Baks About the Author Rekha George Rekha George is part of TCS BFS Fiace & Reportig Practice. She is a

More information

Digital Enterprise Unit. White Paper. Web Analytics Measurement for Responsive Websites

Digital Enterprise Unit. White Paper. Web Analytics Measurement for Responsive Websites Digital Eterprise Uit White Paper Web Aalytics Measuremet for Resposive Websites About the Authors Vishal Machewad Vishal Machewad has over 13 years of experiece i sales ad marketig, havig worked as a

More information

How to Build More Successful Strategic Supplier Relationships

How to Build More Successful Strategic Supplier Relationships a Decideware white paper How to Build More Successful Strategic Supplier Relatioships Icorporatig Performace & Value metrics i supplier scorecards supplier performace experts scorecards.deploymet.service

More information

Florida Governor Rick Scott Signs Senate Bill 408 Into Law

Florida Governor Rick Scott Signs Senate Bill 408 Into Law JUNE 2011 Florida Goveror Rick Scott Sigs Seate Bill 408 Ito Law Florida Goveror Rick Scott siged Seate Bill 408 (SB408) ito law o May 17, 2011. The legislative itet of SB408 is to reform the ustable property

More information

INDEPENDENT BUSINESS PLAN EVENT 2016

INDEPENDENT BUSINESS PLAN EVENT 2016 INDEPENDENT BUSINESS PLAN EVENT 2016 The Idepedet Busiess Pla Evet ivolves the developmet of a comprehesive proposal to start a ew busiess. Ay type of busiess may be used. The Idepedet Busiess Pla Evet

More information

Road Management Process

Road Management Process Roads i the Wet Tropics C Road Maagemet Process PART C Versio 1, February 1998 Roads i the Wet Tropics TABLE OF CONTENTS C ROAD MANAGEMENT PROCESS FEB 98 C1 Road Maagemet Processes C-1 Road Maagemet Phases

More information

I apply to subscribe for a Stocks & Shares NISA for the tax year 2015/2016 and each subsequent year until further notice.

I apply to subscribe for a Stocks & Shares NISA for the tax year 2015/2016 and each subsequent year until further notice. IFSL Brooks Macdoald Fud Stocks & Shares NISA trasfer applicatio form IFSL Brooks Macdoald Fud Stocks & Shares NISA trasfer applicatio form Please complete usig BLOCK CAPITALS ad retur the completed form

More information

Introducing Rational Suite

Introducing Rational Suite Itroducig Ratioal Suite Product Versio Ratioal Suite 2000.02.10 Release Date April 2000 Part Number 800-023314-000 support@ratioal.com http://www.ratioal.com IMPORTANT NOTICE Copyright Notice Copyright

More information

Extending Your Management Reach to Remote Users

Extending Your Management Reach to Remote Users Extedig Your Maagemet Reach to Remote Users White Paper LANDESK WHITE PAPER : Extedig Your Maagemet Reach to Remote Users Table of Cotets Executive Summary... 3 Obstacles to Cost-Effective Remote Maagemet...

More information

The ERP Card-Solution. The power, control and efficiency of ERP combined with the ease-of-use and financial benefits of a P-Card.

The ERP Card-Solution. The power, control and efficiency of ERP combined with the ease-of-use and financial benefits of a P-Card. The ERP Card-Solutio Xpoetial - It's about Itegratio The power, cotrol ad efficiecy of ERP combied with the ease-of-use ad fiacial beefits of a P-Card. TM poetial The ERP-Card Solutio P-Cards ad ERP For

More information

Compulsory PI insurance for financial advisers: the new compensation arrangements

Compulsory PI insurance for financial advisers: the new compensation arrangements Compulsory PI isurace for fiacial advisers: the ew compesatio arragemets Followig chages to the Corporatios Law o 1 July 2007, fiacial advisers are ow required to hold adequate professioal idemity isurace

More information