Effectively Completing and Documenting a Risk Analysis
Tom Walsh, CISSP
Tom Walsh Consulting, LLC
Overland Park, KS

Session Objectives
- Identify the difference between risk analysis and risk assessment
- Define the basic steps used in completing a risk analysis: how to identify threats, evaluate current security controls, determine vulnerabilities, and prioritize risks
- Demonstrate how to perform and document a risk analysis through hands-on exercises
- Describe how to present a risk analysis report and manage risks through a remediation plan

Introduction: Tom Walsh
- Certified Information Systems Security Professional (CISSP), 11 years
- Tom Walsh Consulting (tw-security)
- Co-authored four books on security
- Former information security manager for a large healthcare system in Kansas City, MO
- A little nerdy, but overall, a nice guy
Risk Analysis

Risk Analysis vs. Risk Assessment
- Assessment: a judgment about something based on an understanding of the situation; a method of evaluating performance
- Analysis: the close examination of something in detail in order to understand it better or draw conclusions from it; the separation of something into its constituents in order to find out what it contains, to examine individual parts, or to study the structure of the whole
Source: Encarta Dictionary

Risk Analysis
A systematic and ongoing process of identifying threats, controls, vulnerabilities, likelihood, impact, and an overall rating of risk

NIST Risk Assessment Process
[Diagram: NIST risk assessment process, shown on the slide]
Note: NIST SP 800-30 Guide for Conducting Risk Assessments, Revision 1, is the source for this diagram. NIST often uses the term "assessment" to mean the risk analysis process.
PCI DSS Requirement 12.2
[Requirement text shown on the slide]

PCI DSS Requirement 12.2: A closer look at the requirement
- Key words: "performed at least annually and upon significant changes"
- Threats, controls, vulnerabilities, likelihood, and impact

PCI DSS Risk Assessment Guidelines
[Document cover shown on the slide]
HIPAA Risk Analysis
164.308(a)(1)(ii)(A) Risk analysis (Required): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity [or business associate].

Risk Assessment / Analysis
Each organization has to:
- Assess its own security risks
- Determine its risk tolerance or risk aversion
- Devise, implement, and maintain appropriate security to address its business requirements
- Document its security decisions

Two Types of Risk Analysis
- Qualitative (easiest and most common): rating risks on a scale such as: [scale shown on the slide]
- Quantitative (most difficult to determine): placing a dollar value on the risk based upon some formulas or calculations
Risk Analysis
The nine steps in the risk analysis process:
1. System characterization
2. Threat identification
3. Control assessment
4. Vulnerability identification
5. Likelihood determination
6. Impact analysis
7. Risk determination
8. Control recommendations
9. Results documentation
Based upon the original National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30, Risk Management Guide for Information Technology Systems

1. System Characterization
Create an inventory of applications and systems:
- Major applications
- General support systems
  - Computer workstations
  - Laptops and tablets
  - Smartphones
  - Network (LAN, wireless, extranet, etc.)
  - Data Center
Threats are based upon information assets.
2. Threat Identification
Identify reasonably anticipated threats:
- Acts of nature: natural disasters that are beyond our control; threats affecting the organization as a whole
- Acts of man: unintentional or accidental; intentional
- Environmental threats: generally, threats affecting Data Center operations

Risk Analysis Exercise #2
Identify reasonably anticipated threats for each threat category (as they pertain to applications and information systems):
- Acts of nature (for the Midwest)
- Human actions
- Environmental threats affecting Data Center operations
Common mistake: listing an impact as a threat.

Unreasonable Threats
- Chemical spills
- Biological contamination
- Nuclear mishaps
- Aircraft accident
- Civil unrest / rioting
- Bomb threats
- Sinking ground
- Tsunami
- Volcano eruption
- Blackmail
- Substance abuse
- Inflation
Thorough does not mean unreasonable.
3. Control Assessment
Assess current controls:
- Technical (tools)
  - Existing security features not in use
  - Purchase software and/or hardware
- Non-technical
  - Policies, procedures, plans, etc.
  - Training (practices and behavior)
Checklists are usually used to assess existing controls.

Purpose of Controls and Examples
- Prevention (proactive): access controls
- Detection (reactive): audit logs
- Assurance (proactive): evaluation or assessment
- Recovery (reactive): disaster recovery plan

4. Vulnerability Identification
- Hardware: improperly configured equipment
- Software: operating systems needing patching; poorly written applications
- Environmental: lack of physical or environmental controls
- Operational practices: lack of policies and procedures; untrained personnel
Checklist SAMPLE
[Sample checklist shown on the slide] Yes = Control; No = Vulnerability

Control Assessment Checklists
How many questions do you really need to ask?
- Critical few versus the trivial many
- Diminishing returns [chart on the slide: value of answers vs. number of questions]

Risk Analysis Exercise: Developing Checklist Questions
State one or two checklist questions for assessing controls to address each threat below:
- Authorized user misusing their access privileges (snooping)
- Unauthorized user or inappropriate access (internal)
- Hacking or tampering (external)
- Program error, application bug, and/or system failure
Bonus: How do you rank the importance of one question over another?
5. Likelihood Determination
What is the likelihood or probability of each threat circumventing the existing controls?
- Likelihood can be rated as High, Medium, or Low
- To maintain consistency, your organization should include definitions of those ratings

6. Impact Determination
Evaluate what it would do to your organization if a threat were realized.
- Impact can be rated as High, Medium, or Low
- To maintain consistency, your organization should include definitions of those ratings
- It can be difficult to precisely quantify the impact if a threat were realized

6. Impact: Possible Consequences
- Confidentiality
- Integrity
- Availability
- Opportunity (financial)
- Reputation
- Litigation
7. Risk Determination
Risk is a measure of the extent to which an entity is threatened by a potential circumstance or event, and is typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.
Source: National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30 Guide for Conducting Risk Assessments

7. Risk Determination
The OCTAVE approach to calculate a risk score: [formula shown on the slide]

Risk Score SAMPLE #1
Likelihood  Impact  Risk Score
H           H       9
H           M       6
M           H       6
M           M       4
H           L       3
L           H       3
M           L       2
L           M       2
L           L       1
Color rating (from the highest scores to the lowest): Red, Yellow, Green
Risk Score SAMPLE #2
[Sample shown on the slide]
Source: PCI DSS Risk Assessment Guidelines (November 2012) created by the Risk Assessment Special Interest Group (SIG)

Risk Score SAMPLE #3
[Sample shown on the slide]

Risk Analysis Exercise
[Exercise shown on the slide]
8. Recommended Controls
Provide recommendations to address each vulnerability (if possible) to reduce or manage risks appropriately.

9. Results Documentation
- Create a summary of key findings, recommendations, and estimates to implement
- Document management's decisions:
  - Avoid the risk (many times not an option)
  - Mitigate/reduce the risk (applying controls)
  - Transfer/share the risk (insuring against a loss)
  - Accept the risk (doing nothing, but recognizing the risk)
Risk should be handled in a cost-effective manner relative to the value of the asset.

Management Decisions
[Diagram shown on the slide]
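Steps 3 through 9 above fit together as one small pipeline: checklist answers become vulnerabilities, each gets a likelihood and impact rating, the ratings multiply into a risk score, and the ranked findings feed a remediation plan that records management's decision for each one. The following script is an added example written for this page, not code from the presentation or from NIST, PCI SSC or OCTAVE. The H/M/L scale and the likelihood x impact score (H=3, M=2, L=1) match Risk Score SAMPLE #1; the colour thresholds (Red 6-9, Yellow 3-4, Green 1-2), the default treatment rule and every asset, threat and checklist question in it are constructed assumptions.

```python
"""Qualitative risk analysis, steps 3 through 9, worked through in code.

Added example, not code from the presentation. The H/M/L scale and the
likelihood x impact score (H=3, M=2, L=1) match Risk Score SAMPLE #1; the
colour thresholds, the default treatment rule and every asset, threat and
checklist question below are constructed sample data.
"""
from dataclasses import dataclass

RATING = {"H": 3, "M": 2, "L": 1}


def risk_score(likelihood: str, impact: str) -> int:
    """OCTAVE-style score: numeric likelihood times numeric impact (1..9)."""
    return RATING[likelihood.upper()] * RATING[impact.upper()]


def color_rating(score: int) -> str:
    """Assumed thresholds: 6-9 Red, 3-4 Yellow, 1-2 Green."""
    return "Red" if score >= 6 else "Yellow" if score >= 3 else "Green"


@dataclass
class Finding:
    """A vulnerability: a threat paired with a checklist question answered 'No'."""
    asset: str
    threat: str
    question: str
    likelihood: str
    impact: str
    recommendation: str

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def color(self) -> str:
        return color_rating(self.score)


# Constructed checklist (step 3): asset, threat, question, answer, likelihood,
# impact, recommendation. Yes = control in place; No = vulnerability. The
# ratings are the analyst's estimates for the case where the control is absent.
CHECKLIST = [
    ("Patient billing application", "Authorized user snooping",
     "Are audit logs reviewed for inappropriate record views?", "No", "H", "M",
     "Schedule monthly audit log reviews by the privacy officer"),
    ("Patient billing application", "Hacking or tampering (external)",
     "Is the web front end patched within the vendor's timeframe?", "Yes", "M", "H",
     "n/a"),
    ("Data Center", "Power failure",
     "Are the UPS and generator tested at least quarterly?", "No", "L", "H",
     "Add UPS/generator tests to the facilities schedule"),
    ("Laptops", "Theft or loss of a device holding ePHI",
     "Are laptop drives encrypted?", "No", "M", "H",
     "Deploy full-disk encryption before issuing laptops"),
    ("Workstations", "Program error or system failure",
     "Is a standard workstation image kept for rebuilds?", "no", "L", "L",
     "Maintain a golden image"),
]


def analyze(checklist) -> list:
    """Steps 4 and 7: 'No' answers become findings, ranked highest risk first."""
    findings = [Finding(a, t, q, lk, im, rec)
                for a, t, q, ans, lk, im, rec in checklist
                if ans.strip().lower() == "no"]
    return sorted(findings, key=lambda f: (-f.score, f.asset))


def remediation_plan(findings, decisions) -> list:
    """Step 9: one row per finding with management's documented decision.

    `decisions` maps (asset, threat) to Avoid / Mitigate / Transfer / Accept.
    Assumed default when no decision is recorded: Red and Yellow findings are
    mitigated, Green findings are accepted.
    """
    return [{"asset": f.asset, "threat": f.threat, "score": f.score,
             "color": f.color, "recommendation": f.recommendation,
             "decision": decisions.get((f.asset, f.threat),
                                       "Accept" if f.color == "Green" else "Mitigate")}
            for f in findings]


def summary(plan) -> dict:
    """Counts per colour rating for the executive summary."""
    counts = {"Red": 0, "Yellow": 0, "Green": 0}
    for row in plan:
        counts[row["color"]] += 1
    return counts


if __name__ == "__main__":
    plan = remediation_plan(analyze(CHECKLIST),
                            {("Laptops", "Theft or loss of a device holding ePHI"): "Transfer"})
    for row in plan:
        print(f'{row["score"]} {row["color"]:6} {row["asset"]:28} {row["decision"]:9} {row["recommendation"]}')
    print(summary(plan))
```

Two details matter for a defensible analysis: a "Yes" answer never becomes a finding (the control exists), and a finding without a recorded management decision still gets a documented default, so nothing falls out of the plan silently. Real rating definitions and colour thresholds should come from the organization's own documented scale, as the slides on likelihood and impact recommend.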
Risk Analysis Reports

Risk Profile SAMPLE #1
[Sample shown on the slide]

Risk Profile SAMPLE #2
[Sample shown on the slide]
Source: PCI DSS Risk Assessment Guidelines (November 2012) created by the Risk Assessment Special Interest Group (SIG)
Risk Profile SAMPLE #3-1
[Sample shown on the slide]
Source: National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30 Guide for Conducting Risk Assessments

Risk Profile SAMPLE #3-2
[Sample shown on the slide]
Source: National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30 Guide for Conducting Risk Assessments

Risk Profile Approach: Assessing Controls
[Diagram: for each major application (Major App 1, Major App 2), controls are assessed across the layers Data, Application, Network, Hardware & Operating System, Physical/Environment, and Operational Practices]
Risk Profile Approach: Assessing Operational Practices
[Diagram: the same layers (Data, Application, Network, Hardware & Operating System, Physical/Environment, Operational Practices) for Major App 1 and Major App 2]
A hierarchical approach to assessing controls and risks

Risk Analysis Picture
[Diagram: one risk profile for each of Application, Data Center, Workstation, and Network]

Risk Analysis Report SAMPLE #1
Topics to address in a report:
- Overview (report date, information/data owner, author of report)
- Scope (application(s) and general support system(s): business functions, data sensitivity, criticality of system)
- Description of risk analysis approach
- Risk analysis team members
- Findings (vulnerabilities / unacceptable risks)
- Recommendations
- Information/system owner comments
- Statement of understanding
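The hierarchical approach on the two Risk Profile Approach slides rates each major application layer by layer and then rolls those layer ratings up into the application's profile and, one level higher, into the Risk Analysis Picture. The script below is an added example for this page, not code from the presentation. The six layers and the four profiles in the picture are taken from the slides; the roll-up rule (a profile inherits its worst layer's rating), the refusal to rate an application while any layer is unassessed, and all of the H/M/L ratings are assumptions made for the example.

```python
"""Hierarchical risk profile roll-up (added example, not from the presentation).

The six layers per major application and the four profiles in the Risk
Analysis Picture come from the slides. The roll-up rule (a profile is rated
by its worst layer), the check for unassessed layers and all ratings below
are assumptions made for this example.
"""
LAYERS = ("Data", "Application", "Network", "Hardware & Operating System",
          "Physical/Environment", "Operational Practices")
ORDER = {"L": 1, "M": 2, "H": 3}


def rollup(layer_ratings: dict) -> str:
    """Rate a major application by its highest-rated (worst) layer.

    Refuses to produce a rating while any layer is still unassessed, so a
    gap in the assessment cannot silently read as 'Low'.
    """
    missing = [layer for layer in LAYERS if layer not in layer_ratings]
    if missing:
        raise ValueError(f"unassessed layers: {missing}")
    return max((layer_ratings[layer] for layer in LAYERS), key=ORDER.__getitem__)


def weakest_layers(layer_ratings: dict) -> list:
    """Layers that drive the application's rating (where remediation starts)."""
    worst = rollup(layer_ratings)
    return [layer for layer in LAYERS if layer_ratings[layer] == worst]


def risk_picture(apps: dict, support_systems: dict) -> dict:
    """Top of the hierarchy: one rating per profile in the Risk Analysis Picture.

    Major applications roll up into the 'Application' profile; Data Center,
    Workstation and Network are general support systems rated directly.
    """
    picture = {"Application": max((rollup(r) for r in apps.values()),
                                  key=ORDER.__getitem__)}
    picture.update(support_systems)
    return picture


# Constructed layer ratings for two major applications and three support systems
APPS = {
    "Major App 1": {"Data": "L", "Application": "M", "Network": "L",
                    "Hardware & Operating System": "H",
                    "Physical/Environment": "L", "Operational Practices": "M"},
    "Major App 2": {"Data": "L", "Application": "L", "Network": "L",
                    "Hardware & Operating System": "L",
                    "Physical/Environment": "L", "Operational Practices": "M"},
}
SUPPORT = {"Data Center": "M", "Workstation": "H", "Network": "L"}

if __name__ == "__main__":
    for name, ratings in APPS.items():
        print(name, rollup(ratings), weakest_layers(ratings))
    print(risk_picture(APPS, SUPPORT))
```

The worst-layer rule is deliberately conservative: an application whose data, network and physical layers are all well controlled is still rated High when its operating system layer is, because that is where the threat would get in. `weakest_layers` points the report's recommendations at exactly those layers.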
Risk Analysis Report SAMPLE #2
Topics to address in a report:
- Scope of Risk Assessment
- Asset Inventory
- Threats
- Vulnerabilities
- Risk Evaluation
- Risk Treatment
- Version History
- Executive Summary
Source: PCI DSS Risk Assessment Guidelines (November 2012) created by the Risk Assessment Special Interest Group (SIG)

Risk Management Process
[Diagram shown on the slide, with these elements:]
- Risk analysis output: risk profiles; risk analysis reports (communicate risks to owners)
- Validation: internal audit or evaluation; "trust but verify": are safeguards and controls functioning as stated? Prove it! Output: vulnerability scans, penetration testing
- Risk management output: risk remediation plan; audit trails; change control; configuration management / patch management; incident reports; security plans; contingency plans; disaster recovery plans
- Goal: to meet business objectives while managing risks to an acceptable level

Remediation Plan SAMPLE
[Sample shown on the slide]
Conclusion
[Diagram: Risk, Likelihood, Impact; "Connect the Dots"]

References
- NIST Computer Security Resource Center, SP 800-30 Guide for Conducting Risk Assessments: http://csrc.nist.gov/publications/pubssps.html
- PCI DSS Risk Assessment Guidelines: https://www.pcisecuritystandards.org/documents/pci_dss_Risk_Assmt_Guidelines_v2.pdf
- Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE): http://www.cert.org/octave/
- Risk Analysis Myths: http://www.healthit.gov/providers-professionals/top-10-myths-security-risk-analysis
Just Released: Risk Tool for Physician Practices
- SRA Tool Content: Administrative Safeguards (192 pages)
- SRA Tool Content: Physical Safeguards (104 pages)
- SRA Tool Content: Technical Safeguards (140 pages)

SRA Tool Content: Technical Safeguards (What is missing in the 140 pages?)
- Hacker: scan, intrusion, penetration
- Firewall (only one question, and it pertains to audit logs, not to whether you have one or how it is configured)
- Network interruptions
- Wireless (appears once, but not as an assessment question)
- Bandwidth
- System administrator
- Mobile, mobile devices, mobile device management, BYOD
- Data loss prevention / data loss protection
- Change control, change management
- Configuration management
- Leakage, data leakage
- Text, texting, text messaging
- Protocol, VPN, HTTPS
- Portal
- Telecommute, telemedicine, teleradiology
- Remote access (no questions; appears once in a comment under "Things to consider")
- Biomed, biomedical
Questions?
Thanks for Attending!
Tom Walsh, CISSP
Tom Walsh Consulting, LLC
Overland Park, KS
www.tw-security.com
tom.walsh@tw-security.com
913-696-1573