PROCEDURE FOR SECURITY RISK MANAGEMENT IN PPC S.A. INFORMATION TECHNOLOGY SYSTEMS DA-1

Transcription

1 PUBLIC POWER CORPORATION S.A. INFORMATION TECHNOLOGY DIVISION CENTRAL SYSTEMS SUPPORT SECTION IT SYSTEMS SECURITY SUBSECTION PROCEDURE FOR SECURITY RISK MANAGEMENT IN PPC S.A. INFORMATION TECHNOLOGY SYSTEMS DA-1 Version: 1.0 Date of Version: 20/09/2006

2 Security Risk Management IT Systems History of Changes Date In charge of Changes Changes / Additions (reference of specific unit) Approval Version Number Date of Application 20/9/2006 B. Kolias Initial Version IT Manager 1.0 1/1/2007 Version 1.0 Page 2 of 46 20/9/2006

3 Security Risk Management IT Systems TABLE OF CONTENTS HISTORY OF CHANGES INTRODUCTION GENERAL OVERVIEW OF SECURITY RISK MANAGEMENT PROCEDURE FOR IT SYSTEMS 7 3. IT SYSTEMS SECURITY RISK MANAGEMENT PROCEDURE - SUMMARY TABLE IT SYSTEMS SECURITY RISK MANAGEMENT PROCEDURE - DETAILED DESCRIPTION PREPARATION PHASE Determination of Scope of Operational risk management areas Selection of Measurement Methods RISK ASSESSMENT Identifying and Assessing Complex IT assets Identifying Composite IT Assets IT assets assessment Impact identification and assessment Identifying and Assessing Risks Classification of threats Identifying and assessing physical threats Identification and assessment of threats from human intervention Making Detailed Threat Table Identifying and Assessing Vulnerabilities Preparation of detailed vulnerability table Assessment of Risk Exposure Level Correlation of threats and vulnerabilities for each composite IT asset Preparation of detailed risk table Version 1.0 Page 3 of 46 20/9/2006

4 Security Risk Management IT Systems 4.3 RISK REDUCTION Risk Tolerance Level Assessment Comparison of Risk Exposure Levels with Risk Tolerance Levels Selection of Additional Protection Measures Assessment and Acceptance of Residual Risk MONITORING THE SYSTEM AND ITS ENVIRONMENT FOR CHANGES Identifying Endogenous Changes Monitoring IT assets Monitoring IT asset vulnerabilities Monitoring operational / organizational changes Identifying Exogenous Changes Monitoring the threat environment Monitoring the legal environment Management of Changes ANNEX A: INDICATIVE THREAT LIST ANNEX B: INDICATIVE VULNERABILITY LIST ANNEX C: INDICATIVE CONTROLS LIST ANNEX D: INDICATIVE ELECTRONIC SOURCES OF INFORMATION RELATING TO SECURITY THREATS AND VULNERABILITY ISSUES Version 1.0 Page 4 of 46 20/9/2006

5 Security Risk Management IT Systems 1. INTRODUCTION In the contemporary business environment, information is one of the most valuable assets of an enterprise, and the protection of the integrity, confidentiality and accessibility of IT assets is a necessary condition for the smooth and unhindered achievement of business goals. The Public Power Corporation S.A. (hereinafter referred to as PPC or the Corporation ), as an organization that relies on IT systems for the processing and management of operational information to support its business activity, has implemented a security framework for IT systems for the effective protection of its IT assets. IT Systems Security Risk Management (ITSSRM) is one of the components of this framework and includes the methodological approach required for the identification and effective management of the risks associated with the security of PPC IT assets. The ITSSRM procedure, which is based on the internationally recognized BS ISO/IEC standards, is an integrated approach, which is supported by the PPC IT systems security policy and includes the following stages: Recording and evaluating PPC IT assets. Identifying and assessing security threats and vulnerabilities of IT assets and existing protection measures. Assessment of security risks arising from the exploitation of the vulnerability of IT assets by recognized threats. Reduction of risks, through the implementation of suitable controls. Assessment and acceptance of residual risk, after implementation of protective measures. Continuous monitoring of systems and environment for changes and repetition of procedure if significant changes are detected. Version 1.0 Page 5 of 46 20/9/2006

6 Security Risk Management IT Systems The most important advantage of this approach is that it handles the security risks of information systems as issues concerning the entire Corporation, by examining the cost of the implementation of protective measures in correlation with the benefits resulting from the reduction of risks. The benefits of the implementation of this procedure are summarized as follows: The implementation of the procedure allows the PPC to focus on the achievement of its operational goals, through ensuring an acceptable level of risk. It provides the Corporation with the opportunity to evaluate its IT assets, by identifying threats and vulnerabilities, assessing the respective risks and by selecting the protection methods for limiting them through a cost-benefit analysis. Leads to the creation of an organized and controlled environment through which the Corporation can collect, process, transfer and store information in a secure way. In the following sections, the ITSSRM procedure is presented in detail, as well as the detailed individual guidelines for its implementation. Version 1.0 Page 6 of 46 20/9/2006

7 Security Risk Management IT Systems 2. GENERAL OVERVIEW OF THE SECURITY RISK MANAGEMENT PROCEDURE FOR IT SYSTEMS The following flow chart presents the steps to be followed in execution of the ITSSRM procedure. The chart graphically presents the successive stages of the approach, as well as the conditions that govern their relationship. Determination of the Scope of Operational risk management area Selection of Measurement Methods Identification and Assessment of IT assets Identification and Assessment of Risks Identification and Assessment of Vulnerabilities Identification and Assessment of Risk Exposure Selection and implementation of additional protection measures Determination of Risk Tolerance Level Does exposure to risk lie inside the Risk Tolerance Levels? YES Risk Acceptance Monitoring the system and its environment for changes Important changes to the IT system and/or its environment detected? NO Management of protective measures (controls) Repetition of Risk Assessment Procedure Version 1.0 Page 7 of 46 20/9/2006

8 Security Risk Management IT Systems 3. IT SYSTEMS SECURITY RISK MANAGEMENT PROCEDURE SUMMARY TABLE The following table summarizes the basic stages that must be followed for the implementation and the completion of the PPC ITSSRM procedure. ITSSRM procedure Preparation Phase Risk Assessment Risk Reduction Monitoring the Environment for Changes Determination of Scope of Operational risk management area Identifying and Assessing Composite IT assets Determination of Risk Tolerance Levels Identifying Endogenous Changes Selection of Measurement Methods Identifying and Assessing Risks Comparison of Risk Exposure Levels with Risk Tolerance Levels Identifying Endogenous Changes Identifying and Assessing Vulnerabilities Selection of Additional Protection Measures Management of Changes Assessment of Risk Exposure Assessment and Acceptance of Level Residual Risk Version 1.0 Page 8 of 46 20/9/2006

9 Security Risk Management IT Systems 4. IT SYSTEMS SECURITY RISK MANAGEMENT PROCEDURE DETAILED DESCRIPTION 4.1 Preparation Phase This phase is necessary to complete the appropriate preparation required before starting the ITSSRM procedure. The tasks to be undertaken at this phase are analyzed in the following paragraphs Determination of Scope of Operational risk management area Before the commencement of the risk management procedure, the scope and extent of the operational risk management area must be accurately determined, in order facilitate the prompt recognition of the critical IT assets which must be examined during the procedure. Within the scope of the PPC ITSSRM procedure, we determine four levels of study: the Computer System Level, the IT System Level, the Operating Unit Level and the Overall Corporation Level. Computer System Level: At this level, an integrated and complete risk management study is implemented for the selected computer system. A computer system is the IT system where the following elements have been subtracted : human resources and procedures. The software, hardware (e.g. servers, workstations, data transfer networks, etc.) and the data of the Payroll application or the e- mail system or the internet access infrastructure, are examples of computer systems, where we can implement the ITSSRM procedures. Therefore, at this level we focus mainly on the security risks related to the PPC technical IT infrastructure. IT System Level: At this level, the risk management study must be implemented for all the elements of the computer system, as described above (see Computer System Level). Furthermore, the risks must be analyzed for security issues related both to the personnel who operate and manage the computer system in question, and the procedures they carries out. This analysis may be carried out through interviews (e.g. with the use of questionnaires and checklists that arise from international standards, such as the ISO/IEC 17799) or with the use of adapted control programs or other special analysis tools. At this level we focus on the security risks related both to the PPC technical infrastructure and the procedures and people who operate and provide support for this infrastructure. Operating Unit Level: At this level, the IT systems security risk management procedure must be implemented for all IT systems supporting the operating unit under examination (e.g. General Division, Division, Subdivision, Section, Department, etc.). Version 1.0 Page 9 of 46 20/9/2006

10 Security Risk Management IT Systems Overall Corporation level: At this level the ITSSRM procedure is implemented for the entire Corporation, and all IT systems used by PPC must be recognized as fully as possible Selection of Measurement Methods The selection of the measurement methods of the individual components of the risk (i.e. the asset value, threat and vulnerability), and especially the determination of their correlation, is a prerequisite for the execution of the risk assessment procedure. For the combination of a series of different variables to be feasible during the calculation of the individual and final figures, a measurable rating for each variable under examination must be established. The variables used in assessmeny of risk exposure establish the value rating of IT assets, the threat assessment rating, the vulnerability assessment rating and the risk assessment rating. For the purposes of the security risk management procedure, the use of a scale is established for the measurement of the relevant importance of each variable, which is presented in the following tables: Version 1.0 Page 10 of 46 20/9/2006

11 Security Risk Management IT Systems IT Assets Assessment Rating Scale Value Description 1 Negligible / Very Low 2 Low 3 Medium 4 High 5 Very High Threat Assessment Rating Scale Value Description 1 Low 2 Medium 3 High Vulnerability Assessment Rating Scale Value Description 1 Low 2 Medium 3 High Version 1.0 Page 11 of 46 20/9/2006

12 Security Risk Management IT Systems IT Systems Security Risk Assessment Rating Scale Minimum Risk Maximum Risk Low Medium High It is noted that the risk is the outcome derived from the three variables (value of IT asset, threat, vulnerability) and for the purposes of this ITSSRM procedure, it is assessed using a measurement scale with values ranging between 0 (negligible/minimum risk) and 8 (maximum risk). 4.2 Risk Assessment The effective management of PPC IT systems security risks requires the identification and assessment of the risks which threaten its IT assets. In this context, an analytical and detailed risk assessment approach is established, which is described in the following paragraphs and consists of the following steps: Identifying and evaluating IT assets Identifying and assessing threats Identifying and assessing vulnerabilities Assessment of risk exposure level In order to better understand the procedure in more depth, the definitions of the basic terms of the risk assessment procedure are presented below: Vulnerability: Refers to the weak spot or susceptibility of an IT asset or a group of IT assets which may be utilized / exploited by a threat. It is the condition that allows a threat to have impact at greater frequency, with greater consequences or both. Version 1.0 Page 12 of 46 20/9/2006

13 Security Risk Management IT Systems Threat: An activity or event which may have an undesirable result. An incident or action, which may have undesirable results if it occurs. Information Systems Security Risk: The potential of a specific threat to exploit one or more vulnerabilities of an IT asset (or a group of IT assets) leading to loss or damage to this asset. Impact: The damage or downgrading of the operational value (money, reputation, trust, etc) or any other loss which could be the consequence of a potential violation of the PPC systems security Identifying and Assessing Composite IT assets It should be stressed that this phase is very important and is critical to the successful completion of the entire ITSSRM procedure, because all subsequent phases are based on the initial identification and evaluation of PPC IT assets. Additionally, for the better and more efficient execution of this phase, and by extension of the ITSSRM procedures, PPC IT assets are grouped based on their physical nature and in this context they are called composite IT assets. More specifically, in the context of an IT system, one or more composite IT assets, which are composed of a number of individual IT assests, are identified and examined. It is noted that in the context of this ITSSRM program, the analysis and assessment of risks is carried out based solely on identification of IT systems and the composite IT assets they contain, without carrying out further analysis at the level of individual IT assets Identifying Composite IT Assets At this stage, all composite IT assets falling within the defined scope of an operational risk management area must be identified and recorded (Computer System Level, IT System Level, Operating Unit Level, PPC Level). For their more effective identification, the following types of composite IT assets are determined, and their definitions presented in the following table: Version 1.0 Page 13 of 46 20/9/2006

14 Security Risk Management IT Systems Composite IT Assets Table Composite IT Asset Description Servers Risk assessment must cover any physically separate server or mainframe as a composite IT asset. The server includes the hardware, software and the information stored in the servers. Network Risk assessment must cover any physically separate component of the network as a different system component. The group of network components includes routers, hubs, switches, cabling, etc. Risk assessment here must ignore risks created by network servers. For each component, the hardware, software and transmitted information must be taken into account. Clients / Workstations Workstations include the hardware, software and the information stored in the equipment. Miscellaneous etc. Storage devices, ATMs, Printers, FAX machines, PBX call center, IT assets assessment Impact identification and assessment The valuation of IT assets will be carried out based on the assessment of the impact for each IT asset identified. Therefore, the impact from the violation of the security of an IT asset indicates its value to the Corporation. The following two parameters are considered fundamental to the effective identification of the impact: Version 1.0 Page 14 of 46 20/9/2006

15 Security Risk Management IT Systems Impact factors / Basic security principles - Confidentiality, Integrity and Accessibility Main impact areas Namely, critical areas where the violation of one of the basic security principles has serious consequences All IT assets identified are assigned values ranging between 1 and 5 for each of the critical impact areas in case of violation of each of the basic security principles (confidentiality/ integrity / accessibility). A detailed description of the scale of the degree of impact is presented in the following table. IT Assets Assessment Rating Scale Value Description Interpretation 1 Negligible / Very Low The violation of one of the security principles (confidentiality / integrity / accessibility) has a negligible or very low impact on the operation of the system and the Corporation. 2 Low The violation of one of the security principles (confidentiality / integrity / accessibility) may cause loss or damage of minimum importance. 3 Medium The violation of one of the security principles (confidentiality / integrity / accessibility) may cause significant loss or damage, which could have adverse effects on the operational procedure. 4 High The violation of one of the security principles (confidentiality / integrity / accessibility) may cause extensive damage or loss with significant adverse effects on the operation of the system and the PPC. 5 Very High The violation of one of the security principles (confidentiality / integrity / accessibility) has extremely significant impact on the operation of the system and the Corporation. Version 1.0 Page 15 of 46 20/9/2006

16 Security Risk Management IT Systems The assessment rating of IT assets is then calculated, based on the above scale, with the help of the following table. Version 1.0 Page 16 of 46 20/9/2006

17 Security Risk Management IT Systems Impact Identification and Assessment for each IT Resource Impact factors / Basic security principles Confidentiality Integrity Accessibility Main impact areas Personal safety Personal information Legal and regulatory obligations Commercial and economic interests Financial loss Disruption of activities Public order Compliance with business policies and standards Public image and PPC brand reputation Business performance Environmental safety Note: The values in the table are indicative Version 1.0 Page 17 of 46 20/9/2006

18 Security Risk Management IT Systems In this context, an impact rating of 3 in the personal safety area, in the event of violation of the accessibility of the IT asset under examination, implies that loss of the accessibility to this asset may contribute to the loss of human life. The total impact rating for each basic security principle is the maximum of the individual values assessed for each main impact area. The total impact rating for the IT asset under examination is the maximum of the three values estimated for each basic security principle Identifying and Assessing Risks The identification and assessment of the IT assets is achieved through identification of security threats and their properties and features, in order facilitae effective and detailed risk assessment for each PPC composite IT asset Classification of threats The first step in specifying threats is distinguishing between threats caused by human intervention and physical threats. The further analysis and classification of threats arising from human intervention uses the following features: Threat Intent: deliberate (D) or random (A) Threat Origin: internal (Int), external associates (X) and external (ex) intervention: By combining the above features, we can form the following threat categories arising from human Internal and Deliberate (IntD) Internal and Random (IntR) External Associates and Deliberate (XD) Version 1.0 Page 18 of 46 20/9/2006

19 Security Risk Management IT Systems External Associates and Random (XR) External and Deliberate (ExD) External and Random (ExR) Physical threats (e.g. fires, floods, earthquakes, etc) belong to the ExR category (external random threats). The above threat classification contributes to the risk assessment procedure in the following ways: It assists PPC personnel in the identification of threats. It will contribute to risk assessment evaluation: For example, an internal deliberate threat has a greater probability of occurring, given that the threat agent has the required knowledge and resources available, though there is reduced motivation, since he is aware of the higher risk of being caught. It will contribute to selection of suitable protection measures to reduce risk Identifying and assessing physical threats Physical threats are assessed separately, because their features differ from the features of human intervention threats. Physical threats are easier to determine and have a general impact, and therefore their assessment must be carried out according to the different locations of the PPC composite IT assets. The ITSSRM group must prepare tables for composite IT assets of the Corporation classified by location, according to the example shown in the following table. Computer System 1 Building A Building B Building C Building D Building E Composite IT Asset 1 Office 3C Version 1.0 Page 19 of 46 20/9/2006

20 Security Risk Management IT Systems Computer System 1 Building A Building B Building C Building D Building E Composite IT Asset 2 Network equipment storage area Secure area A1 Composite IT Asset 3 Offices, 3 rd floor Composite IT Asset 4 Kitchen Composite IT Asset 5 Corridor 3 rd floor Subsequently, based on historical data and with the assistance of specialized personnel, an assessment of the probability or frequency of threats arising for each location must be carried out. With the use of the Threat Assessment Rating Scale (High Medium Low), as presented in the following table, an assessment rating for threats may be specified. It is noted that if a physical threat is not related to a specific location, no assessment grade will be specified, since it does not need to be included in the risk assessment. Composite IT Asset Physical Threat Assessment Table Computer System 1 Physical Threat Physical Threat Assessment Rating Composite IT Asset 1 Physical Threat 1 Physical Threat 2 Physical Threat 3 Physical Threat 4 H L M M Version 1.0 Page 20 of 46 20/9/2006

21 Security Risk Management IT Systems Composite IT Assets Physical Threat Assessment Table Computer System 1 Physical Threat Physical Threat 5 Physical Threat Assessment Rating L Composite IT Asset 2 Physical Threat 1 Physical Threat 2 Physical Threat 3 Physical Threat 4 Physical Threat 5 H L M M L Composite IT Asset x Physical Threat 1 H It should be stressed that the above table must be completed for each composite IT asset and for all physical threats identified Identification and assessment of threats from human intervention Threats from human intervention are characterized by a different group of features. These threats must be identified and assessed for each composite PPC IT asset and cannot be grouped according to location. The first step in the assessment of the threats from human intervention is the identification variables and the use of a single scale for measuring these threats. As already specified (start of paragraph 4.2), a threat is an activity or event which may give rise to undesirable results. Based on this definition, we can distinguish two factors which may be used in order to measure the relative importance of threats: the agent of the threat, i.e. the agent whose actions may create this threat and the probability of the threat, i.e. how probable it is that the threat will arise. For the assessment of the two factors (agent and probability of occurrence of the threat) we can use the following variables: Version 1.0 Page 21 of 46 20/9/2006

22 Security Risk Management IT Systems Capability: The volume of information available to the threat agent (knowledge, education, technological specialization, etc) and the availability of the required resources. Motivation: The perception of the threat agent with regard to the interest value of PPC IT assets, in relation to the risk of being identified and caught, and motivation to violate policy, standards and PPC security procedures in general. The following table may be used as an example for calculation of the risk assessment rating. Each threat must be assessed with the use of the recognized features of the threats described above (capability, motivation and probability) and specify the risk assessment rating, using the Threat Assessment Rating Scale (paragraph 4.1.2). Threat Assessment Table from Human Intervention Computer System 1 Threat from Human Intervention Type of Threat Capability Motivation Threat Assessment Rating from Human Intervention Composite IT Asset 1 Threat 1 ExR L L L Threat 2 ExD L M L or M Threat 3 ExD M M M Threat 4 IntD H H H Threat 5 IntD H L L or M Composite IT Asset 2 Threat 1 ExR H H H Threat 2 ExD H L L or M Threat 3 ExD M H L or M Version 1.0 Page 22 of 46 20/9/2006

23 Security Risk Management IT Systems Threat Assessment Table from Human Intervention Computer System 1 Threat from Human Intervention Type of Threat Capability Motivation Threat Assessment Rating from Human Intervention Threat 4 IntD M L M or L Threat 5 IntD L L L Composite IT Asset x Threat 1 ExR H H H Preparation of Detailed Threat Table At this point, a detailed threat table should be prepared for each IT system, which will present the recognized threats (from human and physical interventions), their classification and the assessment rating of each threat. Detailed Threat Table Computer System 1 Threat Type of Threat Composite IT Asset 1 Threat Assessment Rating from Human Intervention Threat 1 ExR H Threat 2 IntD L Threat 3 ExD M Threat 4 ExR M Threat 5 ExR L Composite IT Asset 2 Threat 1 IntD H Threat 2 IntD L Version 1.0 Page 23 of 46 20/9/2006

24 Security Risk Management IT Systems Threat 3 ExD M Detailed Threat Table Computer System 1 Threat Type of Threat Threat Assessment Rating from Human Intervention Threat 4 ExR M Threat 5 ExR L Composite IT Asset x Threat 1 IntD H Identifying and Assessing Vulnerabilities The purpose of vulnerability identification and assessment is to identify and distinguish between security vulnerabilities and subsequently proceed with the assessment of vulnerabilities as a whole. At this point it should be noted that the terms related to security risk and vulnerability assessment frequently acquire a different significance depending on the context they are used in. For the purpose of the ITSSRM procedures, the term security vulnerability refers to a feature of the system whose security may be violated in order to gain access to it and allow use of its resources for purposes other than the original ones. Furthermore, vulnerabilities are the weak spots or susceptibilities, as well as inadequate security or disadvantages associated with the implementation of a system which is likely to be affected by a threat. Additionally, it should be emphasized that the existence of vulnerabilities does not depend on the actual realization of any cases of threat or attack. During the performance of the vulnerability assessment tasks, various methods and techniques may be used to identify and assess the risks related to PPC IT assets. These include the following: Version 1.0 Page 24 of 46 20/9/2006

25 Security Risk Management IT Systems Vulnerability scanning With the use of automated software tools, the ITSSRM group periodically scans IT assets for vulnerabilities. Attack and penetration testing in the PPC network: The ITSSRM team periodically coordinates the performance of such activities, in order to identify unknown vulnerabilities, not only from an external but also from internal points of access to PPC IT assets. Vulnerability updates: The ITSSRM team is responsible for maintaining contact with the suitable suppliers or organizations, in order to remain up to date regarding the appearance of new vulnerabilities related to PPC IT assets at all times. Technical security architecture assessment: The ITSSRM team periodically coordinates the execution of such assessments, in order to identify any vulnerability in the PPC technical security architecture. Security configuration assessment: The ITSSRM team periodically carries out security configuration assessments in specific systems, in accordance with internationally recognized security practices and configuration standards. The calculation of the assessment rating for each vulnerability identified will subsequently be based on the following features: Severity: The severity of the impact in case of exploitation of a specific vulnerability. This includes the range of impact and the probability of escalation (e.g. where the utilization / exploitation of a specific vulnerability might lead). Exposure: The ease of exploitation of a specific vulnerability via physical or electronic means (required expertise, required resources). Version 1.0 Page 25 of 46 20/9/2006

26 Security Risk Management IT Systems Preparation of the detailed vulnerability table At this point a detailed vulnerability table should be prepared for each IT system, which shall include the respective vulnerabilities and their assessment ratings, by using the example of the following table: Vulnerability Table Computer System 1 Vulnerability Severity Exposure Vulnerability Assessment Rating Composite IT Asset 1 Vulnerability 1: H H H Vulnerability 2: M L M or L Vulnerability 3: L L L Vulnerability 4: H M M Composite IT Asset 2 Vulnerability 1: H H H Vulnerability 2: M L M or L Vulnerability 3: L L L Vulnerability 4: H M M Vulnerability 5: H L M Composite IT Asset x Vulnerability 1: H H H Specifically with regard to security vulnerabilities which are related to computer system configuration issues (e.g. lack of service pack, security fixes, upgrades, etc), carrying out the respective adjustments and installation of improved versions is recommended, directly after discovery of the vulnerability in question. Version 1.0 Page 26 of 46 20/9/2006