Risk Management. Upasna Saluja, PhD Candidate. Dato Dr Norbik Bashah Idris

Transcription

1 Risk Management Upasna Saluja, PhD Candidate Dato Dr Norbik Bashah Idris 1. Abstract Information is a key asset for organizations across industries as they seek to use IT as a differentiator and key business enabler. Just as individuals practice risk assessment on a daily basis in routine activities and in protecting their physical assets, organizations are beginning to realize that they need to create a culture of risk assessment under an overall risk management program. In the absence of a uniform code of practice across industries and countries organizations across different industry sectors and geographies are adopting standards and practices that most closely address their risk perceptions. Some international standards like the ISO and the Australia New Zealand Standard AS NZS 4360:2004: Risk management provide managers with guidance on how to tackle security management of which risk assessment is one part. On the one hand the AS NZS standard provides a generic guide for managing risk from an operational stand point while ISO provides a standard that emphasizes on a security management framework and implementation of necessary controls to mitigate risks to information assets of the organization. A key challenge in the organizations quest to manage risk is to measure it and rank it relative to each other. This is turning out to be essential before managers can decide how much attention (and resources) to allocate towards mitigation of what risks. This paper brings out the efforts being made as part of the research towards designing a framework that addresses security management in line with ISO while providing more quantitativeness in the risk measurement and management process. Such a framework would help organizations in prioritization and there by optimum allocation of resources. Keywords: Information Security, SME, Security, Enterprise Risk, Risk Analysis, Risk Management, IT Risk. 2. Introduction Information is a key asset in most businesses today. Information flow is mandatory for successful running of operations in any organization. Organizations across industry sectors are embracing IT to improve operational efficiencies and automate routine tasks. As a result, most of the information gets handled by computers. One can see this information stored in Personal Computers & servers; could be travelling on the Local Area Network LAN / WAN; could be travelling on the internet within some account; could be getting printed at Printer; could be residing in telecommunication over mobiles by two managers. It could be lying in a hard copy folder on employee s desk. Information can be easily destroyed, copied, stolen, modified, misused or even lost if not managed effectively. Most of this information is available in digital format. Digital information has more risks than hard copy information. A lot of critical business processes and functions depend on the security of information, making it important to manage and protect information. By itself information is often considered intangible therefore businesses and organizations take a stock of their information in terms of information assets. Information assets are all forms of equipment, storage devices, computers, IT systems, paper document, files and even people who carry the organizational information. Upasna Saluja Page 1 of 6

2 The rapid evolution of information technology (IT) during the last few years is challenging information security professionals to rethink the very nature of risk & the ways to manage / mitigate them. The elements of risk is dependent on numerous factors and tends to be dynamic with reference to time, organizational growth / structure, location, type of business / role, complexity of network, information systems etc. At all the times, it is crucial for organization to know, what are the current risks & how can they be managed. 3. Increasing focus on Risk Measurement Look at the trend of the past ten years, brings out very clearly the increasing importance of Information Security. Number of magazines, articles, websites, forums relating to Information Security tells us lot about the awareness / concerns common people have. Today, people are looking for Return on Investment (ROI) analysis as mentioned in Quantifying IT Risks. In olden days, when people wanted to secure their information, they used to secure their network perimeter; but today people have realized that securing network is not adequate. What is required is much more than Network Security. That s how Network Security has been lead to / evolved into Information Security. The paper on Information technology risk management talks about the concept of information technology (IT) risk and it is argued that the generally held conception is too narrow. Information security is an organization s approach to maintain confidentiality, availability, integrity, and reliability of its IT systems. Information Security Management System helps an organization to manage information security in an effective manner. There are many frameworks which help towards this. The most established standard is ISO which has evolved from the British standard BS 7799: 2005 after adoption by ISO. It is today emerging as the de facto standard for organizations to demonstrate measurable efforts in security implementation towards the eventual goal of addressing business risks that their information architecture is exposed to. 4. Associated Frameworks There are a number of Security Management Frameworks & Guidelines to support organizations to address risks faced by them. The fact is that, the most of them need substantial infrastructure in place to implement them. As a result, it is possible for large scale organizations to implement them, whereas Small & Medium Enterprises find it difficult to implement such framework. A few existing guidelines (to be applied manually) or interactive software packages are listed below: 4.1. OCTAVE - The Software Engineering Institute (SEI), a federally funded research and development center sponsored by the U.S. Department of Defense and operated by Carnegie Mellon University has introduced the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), a framework for identifying and managing information security risks CRAMM is based on the UK Government's preferred risk assessment methodology. CRAMM by Siemens provides an approach to both technical (e.g. IT hardware and software) and non-technical (e.g. physical and human) aspects of security. CRAMM includes a comprehensive range of risk assessment tools that are fully compliant with BS NIST has provided a free software program called ASSET to document and manage the risk assessment process Risk Management Guide for Information Technology Systems (SP ) issued by US National Institute of Standards and Technology in July 2002 provides a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems In July 2003 NIST published the NIST Special Publication Security Metrics Guide for Information Technology Systems that highlights that the requirement to measure IT security performance is driven by regulatory, financial, and organizational reasons Australia and New Zealand have come up with a joint standard AS/NZS 4360:2004: Risk management. The standard provides a generic guide for managing risk. It may be applied to a wide range of activities or operations of any public, private or community enterprise, or group Information Security Management Standards - ISO which was recently adopted by ISO based on the British standard BS The Common Sense Guide to Cyber Security for Small Businesses, Recommended Actions for Information Security, 1st Edition March 2004 from Internet Security Alliance lays down their recommended Best Practices A Twelve Step Program to Cyber Security Homeland Security: Tools for Small Business workbook that was compiled by Risk Management Small Business Development Center, USA argues that there are still far too many small businesses that have unprotected computer systems. It stresses that security for business should be built in layers, it should be appropriate for the location and type of Upasna Saluja Page 2 of 6

3 business and it should be in the form of a written plan. Small businesses will have many variables that are unique to SMEs that the security assessment needs to cover. 5. Risk Assessment Standards Risk Assessment is the first logical step in the pursuit of Risk Management. It is strongly recommended that organizations should not only develop and practice Risk Management but also to go just another mile to accredit it to the standards as well. In Asia Pacific region, the two standards most commonly referred are Australian / New Zealand Standard - AS/NZS 4360 & ISO/IEC IS Risk Assessment Standard. It has been observed that in Malaysia, most of the established big organizations are using Australian / New Zealand Standard - AS/NZS 4360 whereas In India, the most commonly used standard is ISO/IEC IS Risk Assessment Standard. Since AS/NZS 4360 is popular in Malaysia, the research zooms into this area. The standard is good but there is no detailed framework which guides security managers to implement this. The standard outlines what is required but does not provide How Tos of doing it. The detailed methodology based on this is not available. Practitioners (including the researcher) working in the field of information security management systems, are beginning to realize that AS/NZ 4360 caters for operational risk and is qualitative in nature. 6. Requirement for ISMS The best way to strengthen information security is to treat it as a corporate governance matter that involves the attention of senior management, ideally up to the board-level. By developing ISMS an organization expresses its commitment to establishing an appropriate information security framework that: ensures that a high level information security policy is written creates an organizational structure to ensure that roles and responsibilities are established assures the organization that personnel security issues are highlighted confirms that an information assets register is created validates the adequacy of physical & environmental security arrangements substantiates the adequacy of IT technical security measures including communications and operational procedures; logical access controls; systems development / maintenance arrangements; and vulnerability management establishes an effective incident management process validates the existence or adequacy of business continuity arrangements ensures that there is an ongoing compliance and monitoring mechanism is in place. ISO is the de-facto international standard on establishing, maintaining and improving an Information Security Management System (ISMS) for both public and private sector organizations. ISO has been evolved from the British standard BS 7799: 2005 after adoption by ISO. Normally organizations not only develop ISMS but also get certified against the standard. Compliance is important for organizations / business because By having formal documented ISMS which has been independently assessed, an organization can demonstrate to its customers and clients that they are committed to security, and have the ability to handle information in a secure manner. This in turn may improve customer confidence, thereby increasing trust in the brand or image. In respect to regulatory requirement, the organization would be more readily compliant to its security statutory stipulations. The ability to respond quickly to any information security breaches or incidents is one of the key clauses in ISO The ability to minimize the opportunity to incidents to occur is a major advantage for business/service resilience. It also links closely with IT Disaster and Business Continuity work Therefore, gaining compliance to ISO ensures that an organization has addressed confidentiality, integrity and availability of information adequately, thus being seen as a trusted organization which is proving crucial in this fast moving world. 7. Practical requirement As mentioned earlier, ISO is the most established standard for Information Security today across the globe. Organizations everywhere are getting certified against it. The standard is based on Risk Assessment. It is Risk based approach. The standard doesn t quantify which methodology should be executed. There are certain specific requirements which should be met by Risk Assessment methodology. The standard requires organization to conducts Risk Assessment but there are no detailed framework to guide security mangers. How to conduct Risk Assessment which is in line with ISO completely? Upasna Saluja Page 3 of 6

4 8. Quest for an Innovative Framework It would be very good for the industry to have a detailed methodology & framework for this purpose. Research looks at Risk Assessment from the perspective of security managers in small and medium enterprises primarily. It highlights the limitations and challenges faced by SMEs in measuring and consequently managing information security risks. After analyzing the current scenario, it was concluded that the research should formulate a risk assessment framework. It should cater for primarily small and medium enterprises. It is recommended that Risk Assessment should be simple. The adoption of a highly quantitative tool for IT risk management is not advocated. Rather, a more modest approach has been suggested. The knowledge base and the risk assessment methodology would not focus only on network risks but rather cover the other risks areas affecting information security posture like physical risks, operational risks as well as telecommunications related risks. It goes on to propose a methodology for relative risk benchmarking through application of statistics. Effort is to establish a security measurement framework / metrics that would improve security management by giving small and medium enterprises a basis for security assessment. Endeavour would be to make SMEs enable to use this framework to make business decisions about managing security risks. Besides risk assessment this would help in resource prioritization and budgeting. Overview of proposed solution There would be three essential steps in the research Step 1 Consider appropriate Risk Assessment standard Step 2 Develop Risk Assessment Framework based on the above mentioned standard. Work out a framework which is in compliance with ISO Step 3 - Apply Statistics to the results of Risk Assessment & derive RRB - Relative Risk Benchmark Step 1 Consider Appropriate Risk Assessment Methodology It has been observed that in Malaysia, most of the established big organizations are using Australian / New Zealand Standard - AS/NZS 4360 for Risk Assessment. A detailed Risk Assessment Framework could be generated based on this standard. This framework needs to be based on the fundamentals of Information Security. To justify the effectiveness of this framework, this could be judged against the benchmark of ISO Step 2 Develop Risk Assessment Framework Research is pointing towards establishing a framework that would be more quantitative better understood, if the proposed methodology could be implemented in an organization. Step 3 - Apply Statistics to derive RRB - Relative Risk Benchmark Relative Risk Benchmark (RRB) could help in determining these interrelations between different risk elements, understanding relative importance of impacts that each risk element could have on the overall security posture (e.g. determine how the Network Security impacts the overall security posture) and thus provide guidance on which risks need what kind of attention and resources. Upasna Saluja Page 4 of 6

5 This plays an important role not only in resource managers can better manage budgets based on the Assessment Mechanism Results of Assessment Relative Risk Benchmarking Model Relative Risk Measurement Guidance for Resource Allocation and Risk Mitigation prioritization Figure 2: RRB model allocation but also for budget allocation. Step 4 - Model for Relative Risk Benchmarking It is imperative that the assessment mechanism (which maybe in the form of a questionnaire, checklist or such other evaluation method) for risk assessment be based on a comprehensive and complete knowledgebase, which caters for SMEs specific security requirements. The security elements could include but not be limited to Network Security, Physical Security, Administrative Security and Telecommunication Security. The outputs of the assessment mechanism for each separate risk element are used as the input for further derivation of the Relative Risk Benchmark. The information security status (s1, s2, s3) of the organization in terms of each element of information security using statistical measures and methods is linked relative to each other and to the overall security posture of the organization. For example, we can consider s1 as physical security, s2 as network security and s3 as operational security. S represents the overall information security status of the organization. Refer to fig 2. Measures of associations between overall information security status of the enterprise and the different elements are calculated and linked statistically. Drawing from the much established field of financial risk management the methodology based on a mathematical function, models the relationship between the elements of security vis-à-vis the overall security posture of the enterprise, thus making the RA process more quantitative than previously possible. Such a security measurement framework that caters for the specific requirements of the SMEs and is based on relative risk benchmarking would give enterprises a basis for quantifiable security measurement and assessment that would in turn enable them to make business decisions about resource allocation and prioritization (for managing security risks). Security relative importance of different elements of Information Security to the business which can lead to a sort of cost / benefit analysis regarding various controls & measures. In other words relative risk benchmark could help lay down the basis of a sound framework for an Information Security Management System (ISMS) for organizations. 9. References: a. Data-Centric Quantitative Computer Security Risk Assessment - racticals/gsec/3177.php b. A GENERAL, BUT READILY ADAPTABLE MODEL OF INFORMATION SYSTEM RISK - Communications of the Association for Information Systems (Volume14, 2004) 1-28 c. This Risk Management Standard from UK - The Institute of Risk Management (IRM). d. Why ICT Is Important To SMEs ; By By Musalmah Johan In Thestar Online Of May 30, e. Resources for organisations: Small Enterprises ; Middlesex University. f. Information Security is Information Risk Management by Cloudcroft, New Mexico; New Security Paradigms Workshop Proceedings workshop on New security paradigms g. Homeland Security Tools for Small Businesses, Risk Management Small Business Development Center ( 2004 Risk Management Small Business Development Center, 1402 Corinth Street, Suite #1537, Dallas, TX 75215, (214) ). Upasna Saluja Page 5 of 6

6 h. An Evaluation of SME Development in Malaysia by Ali Salman Saleh and NelsonOly Ndubisi; International Review of Business Research Papers; August i. (TEISMEs) (Advances in Information Security) [Year of Publication: 2005; Author: Charles A. Shoniregun, Publisher Springer- Verlag New York, Inc. Secaucus, NJ, USA] j. Information Technology Security Risk Management ; A thesis of Taxas at Dallas; May 2006 k. How much is enough: Approach to information security - A thesis by Kevin John Soo Hoo, University of Stanford. May 2000 l. Developing a Risk Management System for Information Systems Security Incidents - A thesis by Fariborz Farahmand College of Computing; Georgia Institute of Technology; 2004 m. Small and Medium Enterprise (SME) risk metrics - r. A Practical Approach to Security Assessment - ACM: Darrell M. Kienzle, kienzle@mitre.org; William A. Wulf; Department of Computer Science; University of Virginia; wulf@cs.virginia.edu s. Publications/Industry-Sectors/ICT/ICTstandards/BS-ISOIEC-TR / t. AS/NZS 4360:2004: Risk management dard.pdf u. COBIT v. CRAMM w. ASSET ml x. Security Metrics Guide for Information Technology Systems, NIST Special Publication , July 2003, authored by Marianne Swanson, Nadya Bartol, John Sabato, Joan Ha n. Risk Metrics Needed for IT Security, Vol. 6, April 1, 2003, By Will Ozier, President, OPA Inc quoted on IT Audit journal of The Institute of Internal Auditors. o. Metrics Based Security Assessment (MBSA): Combining the ISO Standard with the Systems Security by Jim Goldman & V.R. Christie p. COTS International Conference on Software Engineering; Proceeding of the 28th international conference on Software engineering; Shanghai, China; SESSION: papers: risk analysis table of contents; Pages: ; Year of Publication: 2006 q. Paper Outsourcing to Ensure Successful ICT Systems Implementation and Maintenance by Dr Lim Tong Ming, School Of Information Technology, Monash University Malaysia; ml End of the paper. Upasna Saluja Page 6 of 6