RISK MANAGEMENT THE DRIVE BY SHOTING VERSION. CIO Symposium Sioux Falls SD November 7, 2013

Transcription

1 RISK MANAGEMENT THE DRIVE BY SHOTING VERSION CIO Symposium Sioux Falls SD November 7, 2013

2 What is Risk? Threat Threat Assessment Impact on CIA Vulnerability Vulnerability Assessment Logs, scans, audits, Process analysis, testing Exploit Assessment Loss Identify, mitigate, implement, remediation Tangible Intangible

3 Security Domains User domain Workstation Domain LAN Domain LAN to Wan Domain Remote Access Domain System/Application Domain Network Systems Applications Data Users

4 CIA Confidentiality Integrity Availability Impact

5 Compliance Federal Information Security management Act (FISMA) Health Insurance Portability and Accountability Act (HIPAA) Graham Leach Bliley Act (GLBA) Sarbanes Oxley Act (SOX) Federal Education Reform Privacy Act (FERPA) Children s Internet Protection Act (CIPA)

6 Regulations/Regulators Securities and Exchange commission (SEC) Federal Trade Commissions (FTC) State Regulations Organizational Policies

7 Guidance Payment Card Industry (PCI-DSS) National Institute of Standards and Technology (NIST) Control Framework for Information and Technology (COBIT) International Standards Organization (ISO) Information Technology Infrastructure Library (ITIL) Capability Maturity Model Integration (CMMI) Defense Information Assurance Certification and Accreditation Process (DIACAP) And many more

8 Governance Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives. (COBIT 5, 2012)

9 Management Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (COBIT )

10 Governance Process Promote alignment of business and IT Organizes service lifecycle and governance processes Defines management requirements Provides metrics and maturity models (Hojaji, 2010) (COBIT )

11 Management Process 1. Align, Plan and Organize (APO) 2. Build, Acquire and Implement (BAI) 3. Deliver, Service and Support (DSS) 4. Monitor Evaluate and Assess (MEA)

12 (Shivashankarappa, et al. 2012). Governance and Information Security Information security is a top down management issue Governance needs to address security architecture Security needs to be a part of planning from the beginning Protection of sensitive data Application services security Legacy integration Incident management Decision rights and accountability are critical parts of governance. Increased scrutiny on IT requires a well defined governance framework

13 Governance, Risk, and Compliance GRC Methodology for building IT Policy, priorities and practices Need to improve security Means of measuring risk Security needs business visibility What assets are at risk What needs to be patched How much budget is needed Elevate inefficiency by integrated governance and security risk Management

14 Threat, Vulnerability, and Risk Threat is an agent that might result in harm to the organization Vulnerability is the flaw that will allow the threat to be exercised Exploit is the tool the attackers use to exercise the vulnerability to gain Information or access. Risk = Potential for Loss times the Magnitude of Loss

15 Value of IT Assets Data and Information What was cost to create Cost to reproduce Data classification public, private, PII, and property Government -Top Secret, Secret, Confidential, SBU Hardware Software Personnel Any asset can be replaced in the face of a disaster except your data

16 Mitigation Threats Internal and External Risk Cost Benefit analysis Mitigation Avoidance Transfer Acceptance Residual risk

17 Threat and vulnerabilities Threat source Fire, tornado, hacker, negligence Vulnerability Sprinkler systems can damage computer hardware No off site backups Application and systems not patched Poorly written processes Threat action Sprinklers turned on Category 5 hits data center Hacker exploits vulnerability in Java User not following process

18 Threat Characterization Man-Made Specific Threat Man-Made Administrative Error Bomb Threat Computer Virus Disgruntled employee or Citizen Incident Human Error/Omission Industrial Espionage Intentional Modification of Data Probability of Occurance Potential Impact Confidentiality Integrety Availability Management Error/Omission Sabotage/Terrorist Attack Theft of Assets Unuathoized Access to Client facilities Unauthorized Access to Client System

19 Threat Characterization Natural Natural Drought Earthquake Specific Threat Electrical Interference/disruption Extreme Tempretures Flood Flash Flood Hurricane Lightning Tornado Wildfire Winter Storm Probability of Occurance Potential Impact Confidentiality Integrety Availability

20 Threat Characterization Environmental Specific Threat Environmental Aircraft Accident Fire Hazardous Material Incident HVAC Failure HW/SW Failure Illness/Epidemic Power Outage/Failure Radiological Incident Rodent/Insect Infestation Structural Fire Substance Abuse Transportation Accident Probability of Occurance Potential Impact Confidentiality Integrety Availability

21 Risk Management Identifies threats and vulnerabilities Reduces adverse impact Improves organization survivability Enhances cost-benefit awareness Shows need for risk reduction

22 Risk Management What not to do. Apply same security to all IT Assets Putting all data and information into same security bucket Not looking to the value of the asset in deciding security posture Looking to the number of vulnerabilities and not looking enterprise wide Company is small to worry about security We must be secure because we have not been compromised responsibility ability to make decisions

23 Managing risk Identify and reduce threat impact Vulnerabilities Exploits Initiatives NIST Special Pubs DHS CERT MITRE (CVE)

24 Components Risk management Budget Asset Valuation Risk Assessment Identification Analysis Prioritization Risk Control Planning Resolution Monitoring

25 Risk Management Plan Scope Responsibilities RA Team makes recommendations Senior Management Makes decisions Procedures and schedule Gantt chart Reporting Requirements

26 Business Planning Business Impact Analysis (BIA) - What is needed to bring the business back from disaster Data Assets System assets What gets restored first Maximum acceptable Outage Create Service level agreements Develop Disaster Recovery Plan Continuation of Operations Plan (COOP)

27 Risk Assessment Scope Complete system, Network, DMZ, Critical Areas Team Separation of duties

28 RA Types Quantitative Risk Assessments Calculates absolute financial values, losses, and costs Objective, Monetary values, historical data Single Loss Expectancy (SLE) Annual Rate of Occurrence (ARO) Annual Loss Expectancy (ALE) Qualitative Risk Assessments Calculates relative values, losses, and costs Subjective, Word values, Expert Opinions, probability and impact

29 Steps of Risk Assessment Identify assets Identify relevant threats Identify relevant vulnerabilities Assess threats, vulnerabilities and exploits Evaluate Risk Develop and present recommendations

30 Mitigating risk Countermeasures Cannot reduce threat evaluate and model Reduce vulnerability Vulnerability and exploit assessment Reduce impact of loss Assessing risk Probability Likelihood of threat exploiting a vulnerability Impact negative result Risk cannot be eliminated Protect Assets and Avoid Downtime

31 NIST Control Categories Select, Document, and Implement controls Evaluate effectiveness, cost, and operational impact Management Risk Assessment System and Services Acquisition Program Management Technical Access Control Audit and Accountability Identification and Authentication Operational Awareness and Training Configuration Management Incident Response

32 System Testing Both for controls and patching Functional testing Access controls Pen Testing Testing transactions