Improving Residual Risk Management Through the Use of Security Metrics



Similar documents
Improving residual risk management through the use of security metrics

A blueprint for an Enterprise Information Security Assurance System. Acuity Risk Management LLP

Information security controls. Briefing for clients on Experian information security controls

Enterprise Computing Solutions

Third Party Security Requirements Policy

Field Research: Security Metrics Programs

Certified Information Security Manager (CISM)

How small and medium-sized enterprises can formulate an information security management system

Nine Steps to Smart Security for Small Businesses

Domain 5 Information Security Governance and Risk Management

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

Digital Pathways. Harlow Enterprise Hub, Edinburgh Way, Harlow CM20 2NQ

Cyber Essentials Scheme

Aberdeen City Council IT Security (Network and perimeter)

Maintaining PCI-DSS compliance. Daniele Bertolotti Antonio Ricci

Data Access Request Service

A complete Information Risk Management solution for ISF Members using IRAM and STREAM

HIPAA Compliance Evaluation Report

HSCIC Audit of Data Sharing Activities:

I D C A N A L Y S T C O N N E C T I O N

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

ITIL. Lifecycle. ITIL Intermediate: Continual Service Improvement. Service Strategy. Service Design. Service Transition

COBIT 5 For Cyber Security Governance and Management. Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE)

CYBERSECURITY & EXPECTATIONS FOR INDEPENDENT GROCERS

Achieving SOX Compliance with Masergy Security Professional Services

Information Security Policy

Lot 1 Service Specification MANAGED SECURITY SERVICES

AN OVERVIEW OF INFORMATION SECURITY STANDARDS

How to ensure control and security when moving to SaaS/cloud applications

IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach.

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget

Cybersecurity: What CFO s Need to Know

Risk Management Policy

IT Security Testing Services

Unified Security Anywhere SOX COMPLIANCE ACHIEVING SOX COMPLIANCE WITH MASERGY SECURITY PROFESSIONAL SERVICES

Committees Date: Subject: Public Report of: For Information Summary

Cyber Security & Managing KYC Data

Security Controls What Works. Southside Virginia Community College: Security Awareness

Assessing the Effectiveness of a Cybersecurity Program

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY

Appendix. Key Areas of Concern. i. Inadequate coverage of cybersecurity risk assessment exercises

Achieving Business Imperatives through IT Governance and Risk

Bridgend County Borough Council. Corporate Risk Management Policy

The Protection Mission a constant endeavor

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

THE TOP 4 CONTROLS.

Central Agency for Information Technology

Defending Against Data Beaches: Internal Controls for Cybersecurity

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM

INTERMEDIATE QUALIFICATION

DATA AUDIT: Scope and Content

Enterprise Security Tactical Plan

Security. Security consulting and Integration: Definition and Deliverables. Introduction

INFORMATION SECURITY GUIDELINES

Safeguards Frameworks and Controls. Security Functions Parker, D. B. (1984). The Many Faces of Data Vulnerability. IEEE Spectrum, 21(5),

Extreme Networks Security Analytics G2 Vulnerability Manager

---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model---

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

How To Secure Your Store Data With Fortinet

Taxonomy of Intrusion Detection System

The Education Fellowship Finance Centralisation IT Security Strategy

The Convergence of IT Security and Compliance with a Software as a Service (SaaS) approach

A practical guide to IT security

Government Security Classifications FAQ Sheet 2: Managing Information Risk at OFFICIAL. v2.0 March 2014

IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector

Cyber Security. John Leek Chief Strategist

External Supplier Control Requirements

University System of Maryland University of Maryland, College Park Division of Information Technology

Guideline on Auditing and Log Management

Attachment A. Identification of Risks/Cybersecurity Governance

Small Firm Focus: A Practical Approach to Cybersecurity Friday, May 29 9:00 a.m. 10:15 a.m.

Health & Life sciences breach security program. David Houlding MSc CISSP CIPP Healthcare Privacy & Security Lead Intel Health and Life Sciences

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

Information Technology Governance. Steve Crutchley CEO - Consult2Comply

(Instructor-led; 3 Days)

CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT

Information Management Advice 35: Implementing Information Security Part 1: A Step by Step Approach to your Agency Project

Sempra Energy Utilities response Department of Commerce Inquiry on Cyber Security Incentives APR

Lifecycle Solutions & Services. Managed Industrial Cyber Security Services

Defending against modern cyber threats

IG ISCM MATURITY MODEL FOR FY 2015 FISMA FOR OFFICIAL USE ONLY

STREAM Cyber Security

London Business Interruption Association Technology new risks and opportunities for the Insurance industry

MEMORANDUM. Date: October 28, Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

CYBERSECURITY: ISSUES AND ISACA S RESPONSE

DBC 999 Incident Reporting Procedure

PATCH MANAGEMENT POLICY IT-P-016

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India

FINRMFS9 Facilitate Business Continuity Planning and disaster recovery for a financial services organisation

Policy : Enterprise Risk Management Policy

Looking at the SANS 20 Critical Security Controls

SCOTTISH CENSUS INDEPENDENT SECURITY REVIEW REPORT

Internal Audit Progress Report Performance and Overview Committee (19 th August 2015) Cheshire Fire Authority

UF IT Risk Assessment Standard

Patching & Malicious Software Prevention CIP-007 R3 & R4

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

PROTEUS Enterprise - IT Governance, Risk and Compliance Management Solution

A Guide to the Cyber Essentials Scheme

A HELPING HAND TO PROTECT YOUR REPUTATION

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

Transcription:

Improving Residual Risk Management Through the Use of Security Metrics Every investment in security should be effective in reducing risk, but how do you measure it? Jonathan Pagett and Siaw-Lynn Ng introduce the Information Security Effectiveness Framework, which aims to facilitate the definition, visualisation and comparison of security metrics. 1

abstract After purchasing and configuring the latest security appliance or introducing a new security procedure, how can you be sure that the security control is operating at its full effectiveness? By introducing measurements of real world effectiveness into an organisation s risk management activities, organisations can improve their understanding of their current risk exposure. They can also ensure they are achieving the most risk reduction for their investments and identify where resources are best focused in order to improve security. In this article, and the associated thesis, we introduce the Information Security Effectiveness Framework (ISEF) to facilitate the definition, visualisation and comparison of security metrics in order to improve residual risk management. R eported security breaches over the last few years suggest that a large number of security procedures are not currently operating at full effectiveness 1. It is highly likely that the organisations involved in these security breaches performed risk assessments for their information assets and implemented a range of security controls to manage these risks, leading to the resulting residual risks being within acceptable risk limits. But as investigations into security breaches have shown, these controls are often ignored, bypassed or incorrectly implemented 2. Organisations may not currently understand how ineffectively their security controls are being managed, resulting in higher levels of risk exposure. Only a very few organisations are fully effective at managing their IT operations. Critically, an IT department s portfolio includes a range of technical security controls which, by extension, are also not being run at full effectiveness. While security practitioners can define the theoretical risk exposure for an organisation based on risk assessment and risk reduction activities, without understanding how these risk 2

FIGURE 1 THEORETICAL VS. ACTUAL RISK EXPOSURE Theoretical Risk Exposure Actual Risk Exposure Initial risk level Initial risk level Risk Risk reduction when control is operating at 100% effectiveness Risk Real residual risk level (risk exposure) Risk x Residual risk level (risk exposure) Risk x Risk reduction when control is actually operating at 50% effectiveness reduction activities are actually implemented an organisation cannot know its actual risk exposure. To solve this problem, organisations have started looking at security metrics in order to measure the management of security activities. Security metrics are used in the process of risk management as part of the continual assessment of risks and effectiveness of controls as the threat and technological landscape changes new vulnerabilities are found, controls bypassed and policies ignored. The Information Security Effectiveness Framework (ISEF) has been designed to help organisations with a number of issues in identifying ineffective security controls: Definition: Metrics that measure effectiveness can be difficult to define. Reporting: Resulting measurements can be difficult to interpret by non-security professionals. Comparison: Effectiveness metrics cannot be 3

easily compared to allow benchmarking of an organisation s performance. FIGURE 2 FRAMEWORK V1.0 COMPONENTS BENEFITS Understanding the effectiveness of security controls has been found to be beneficial in a number of situations where: Organisations require an understanding of their current level of operational risk based on where security controls are ineffective; Security management programmes require a method of ensuring that security controls in place are operating correctly; Formal security management structures such as defined in ISO/IEC 27001, require an organisation to define how the effectiveness of implemented security controls are to be measured; Organisations require a method of comparing the effectiveness of their security management programme with others within an industry or between organisational groups. INTRODUCING ISEF has been designed to complement other standards and guidance in the area of security metrics such COBIT, NIST and ISO 27004. These Metric Definition Process FIGURE 3 Risk Register Control Catalogue Inputs Information Security Effectiveness Framework v1.0 Data Visualisation Scheme FRAMEWORK INPUT AND OUTPUTS Information Effectiveness Framework v1.0 Metric Definition Process Data Visualisation Scheme Effective Comparison Index Effectiveness Comparison Index Effective Index CIO Dashboard Security Dashboard Outputs standards and IT governance models are more focused on the what needs to be measured rather than the how. A full analysis can be found in Chapter four of the full report. ISEF has been designed to provide the how by using three components that aim to help with 4

the definition, reporting and comparison of security metrics. The framework is designed to be used in conjunction with risk management activities and requires a number of outputs from this process as shown in Figure 3. DESIGN APPROACH A commonly suggested method for measuring the effectiveness of a control is through measuring the absence of what the control is trying to prevent. For example, the effectiveness of antimalware controls could be measured through the absence of any malware infections. This however requires the use of a trusted and proven malware detection method. Without a proven detection or measurement mechanism any attempts to determine the effectiveness of the preventative controls are flawed. Another approach to measuring effectiveness is through the relationship between the effectiveness of a control and the correctness of its implementation. Since a control's implementation can be measured directly, this allows for actual repeatable measurements to be made. The framework uses this approach as the basis for its design. This approach is not without its problems. As the ISEF measures the controls functionality and not its appropriateness, it is reliant on the correct control being implemented for a specific risk. In order to gain a full assessment the ISEF should be used with other methods that measure the effects of the control as suggested in ISO 27004 although these can be more difficult to define. PROCESS In order to define a metric the specific security characteristics that will be measured must also be defined. The framework suggests a three step process for defining a metric. STEP 1 - Control Grouping Due to the vast number of security controls currently deployed within organisations and with new controls being constantly developed, it would be impractical to try and define a set of metrics for each possible security control that could exist. Instead the framework recommends a set of characteristics inherent in different types of controls that can be measured. In order to determine these characteristics the framework groups controls based on the following categories: Procedural 5

Technical Physical In order for a more granular classification, the security control can be aligned with its objective from the following categories based on a temporal variable. Preventative A control that attempts to stop security incidents from occurring Detective A control that identifies a security incident has occurred Corrective A control that attempts to reverse the effects and/or causes of a security incident This allows a control matrix with the previous categories as axis. Table 1 shows the matrix illustrated with example security controls. For example, using this method a firewall is a preventative technical control whereas a building TABLE 1 SECURITY CONTROL PLACEMENT WITH EXAMPLES Preventative Detective Corrective Procedural Personnel Vetting Audit Technical Firewall Anti-malware Backup Physical Guard force Burglar Alarm security alarm is a detective physical control. STEP 2 - Metric Characteristics Once the control is categorised, Table 2 is used as a lookup to determine the characteristics to be measured. ISEF suggests the following as common characteristics for a control that contribute to its effectiveness. Configuration - is the control configured in line with policy? Currency - is the controls reference data or components updated in line with policy? Timeliness - has the control responded in time as defined in policy? - does the control cover all the elements it should? For example, a network firewall is a preventative TABLE 2 Preventative Detective Corrective CONTROL CHARACTERISTICS Procedural Timeliness Technical Configuration Currency Configuration Timeliness Physical Timeliness 6

technical control. Using Table 2 the coverage and configuration characteristics of the firewall should be used in defining the metrics. STEP 3 Specify Metric In order to measure the effectiveness of a control its fully effective state must be known. A control's fully effective state (in terms of desired risk reduction) is its state that is defined in formal security policy or design for the control, and is the basis for the original risk assessment. The original risk treatment assumes the control will be deployed in line with a set policy or design for an appropriate risk reduction to be claimed. For example, the original risk reduction assessment for signature based anti-malware will assume its signatures are kept up-to-date. It is against this specific policy or design that the characteristic must be measured. To illustrate using an anti-malware control, the grouping places it as a technical detective control and specifies, Currency and Configuration as the characteristics of the implementation to be measured. In order to phrase the metric in a way that can be measured, details from the security policy are required. The security policy may state that all computer workstations must have a specific anti-malware control installed, configured to update every hour and must perform a full system scan at midnight. Using the specific requirements from the security policy a metric can be defined for each characteristic. Anti-malware: metric - what percentage of computer workstations have the anti-malware control installed? Currency what percentage of anti-malware controls have been updated within the last two hours? Configuration what percentage of anti-malware controls are configured to perform a full system scan at midnight? If these characteristics are not defined in the security policy or do not exist, then they should be defined as they will be required to gain full use of the control as well as providing a baseline for measurement. The outcome of the metric must be a percentage of the overall fully effective state to allow the metric to be used to modify residual risk levels. VISUALISATION SCHEME Understanding metric data can be difficult for non-security professionals, therefore it is impor- 7

tant to visualise data in an easy-to-understand format to inform and enhance expert security advice in decisions such as the direction of security investment. For this reason, the framework has been designed to provide a number of viewpoints that are strongly connected and aligned with the risk management process. These viewpoints can otherwise be known as information dashboards. The three viewpoints representing the different identified stakeholders for metric data are: Organisation level (management board) Risk-based view Security operations Security control view IT operations Security metric view Figure 4 shows the three viewpoints and how they are related. More information regarding the creation of each view point can be found in the full report. VIEW The metric viewpoint will have an entry for every metric defined in the metric definition process. This could be a number of metrics per control. The metric viewpoint is designed for the entry and management of metric information rather than visualisation. For this reason a simple spreadsheet format is used to facilitate this. CONTROL VIEW In order to provide a control viewpoint, the many characteristic metrics for one control has to be aggregated to reflect the controls overall effectiveness. The control view takes the average for all of the controls metrics and displays the effectiveness on a circular visual using green and red colour coding to allow the viewer to see at a glance the overall effectiveness of the entire control catalogue. To understand the impact of this effectiveness metric, it needs to be viewed within the context of the risk it is mitigating, as shown in the following risk view. RISK VIEW The framework is designed to view two sets of data on one visualisation. The total risk carried by an organisation is shown as a wheel graphic. The wheel is divided up into smaller segments representing the different security risks present within the organisation. The size of the risk segment is proportionate to the risk share of the total risk value.the colour of each risk segment 8

FIGURE 4 Reporting and visualisation framework REPORTING AND VISUALISATION CONCEPTS Risk View (CIO) Control View (Security Dept.) Anti-virus 87% 18% ABC 18% Unauthorised modification of financial data by external parties Laptop Encryption 25% 39% Unauthorised access to sensitive data on lost assets 25% Unauthorised access to sensitive data on corporate systems by external parties Network Firewalls 95% Data Enrichment Enrich with risk information, risk share aggregate with other control values Title Property Description Current Measurement Measurement Date Metric View (IT Live Services) Network Firewall Network Firewall Anti-malware Software Anti-malware Software Configuration Currency Percentage of external network connections mediated by a firewall Percentage of firewall configuration in line with firewall policy Percentage of antivirus deployments with up to date definition set Percentage of workstations with antivirus software installed 97% 93% 74% 100% Data Enrichment Enrich with control information and aggregate with other metric values 9

displays the current effectiveness of the controls implemented to counter the specific risk. For example the use of the colour green for greater than 90% effectiveness. By overlaying colour on the risk wheel, risk share and effectiveness can be displayed on one graphic. This alignment of two security variables allows organisations to make more informed decisions on where to focus remedial efforts. For example, if the controls mitigating two risks are both operating at a low effectiveness the organisation may wish to focus efforts on improving the controls which counter the largest risk. This allows a greater overall risk reduction per unit of effort expended. COMPARISON INDEX In order to benchmark organisations against each other, the measurement of effectiveness needs to be made against a common scale. For example, if one organisation is better at configuration management than another, does this equate to a more effective security management regime? Not necessarily, as with all areas of security it depends on how important configuration management is to that organisation. Therefore all security metrics need to be compared in context to its importance to the organisation. One common security variable that exists across all organisations is risk, therefore the effectiveness of security procedures can be redefined as the organisations effectiveness at reducing risk to information assets. Using risk as a common scale allows the differing importance of security controls between organisations to be factored into the overall measurement. This does not imply that organisations have the same absolute risks but rather the organisations effectiveness at mitigating risks relatively can be compared. The ISEF uses a comparison index based on the financial markets index. These indices include weightings so controls that reduce high impact risks affect the index value more than controls that reduce small risks at an organisational level. The resulting index is a sum of the weighted values shown in Equation 1. (In the equation, n refers to the total number of risks in the index, e i refers to effectiveness of controls implemented to mitigate a risk i, and r i refers to the share value of risk i.) The effectiveness of controls can be calculated using a metric defined in the process discussed earlier. The share value of a risk is calculated as a percentage of the total risk value. In an example where risk is measured 10

on a financial scale, if a particular risk is valued at 25,000 and the total value of all risks is 50,000 then the share value of risk is 50%. The property of calculating risk share values allows organisations with different risks measurement scales to be compared. More details on the construction of the comparison index can be found in the full report. The index provides a single overall effectiveness value for the organisation s security management activities. Effectiveness index =Σ ((e i r i )) Equation 1 Effectiveness index equation Representing the overall effectiveness index as a single numerical value allows the data to be plotted against time and allows trends in risk exposure to be identified. As the index is based on relative risk share percentages that always total 100%, changes in individual risk levels still allows the index to be compared over time. The use of a single numerical value also allows organisations to share index values without having to reveal specific security control information. n i = 1 INTEGRATING MEASUREMENTS WITH RISK ASSESSMENTS In order to gain a better understanding of an organisation's residual risk, the effectiveness measurements need to be incorporated into the risk assessment activities. The framework is designed to represent effectiveness measurements as a percentage which allows them to be incorporated into any risk assessment methodology. Where a risk reduction is being claimed for a particular control, this risk reduction needs to be modified appropriately depending on its current effectiveness measurement. For a quantitative risk assessment scale the incorporation of a percentage effectiveness can be completed in one step, however for a qualitative scale, the levels must be converted into a numerical scale for the effectiveness to be applied. Figure 5 shows a worked example for a firewall control operating at 57% effectiveness. The risk assessment scale used is a basic 0-10 with a risk reduction of 7 points on this scale for a firewall. TESTING The ISEF was tested in two different sized organisations with security management programs of high and low maturity. Initial preparation work 11

was required to use the ISEF in organisations that did not use a risk management approach. However, where an organisation already employed a risk management approach to information security the ISEF integrated with existing activities. More information and the results of testing can be found in Chapter nine of the full thesis. ABOUT THE AUTHORS Jonathan Pagett is a security architect working within Central Government. Siaw-Lynn Ng is a lecturer at Royal Holloway University of London. Her research interests include combinatorics and finite geometry and their applications in information security. FIGURE 5 10 INCORPORATION OF MEASUREMENTS INTO RISK ASSESSMENT ACTIVITIES Before Effectiveness Measurements Initial risk level assessed as 9 After effectiveness measurements 10 Initial risk level Risk Firewall gives a reduction of 7 points on risk reduction scale Risk Firewall gives a risk reduction of 7* 57% = 4 Actual residual risk level of 5 Residual risk level of 2 0 Risk x 0 Risk x 12

[1] Department of Business Enterprise & Regulatory Reform, 2008 Information Security Breaches Survey, Technical Report, April 2008 [2] Confidential details lost by Revenue and Customs, Richard Thomas, Information Commissioners Office, 20th November 2007 13

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information