INFORMATION RISK MANAGEMENT

Presentation transcript:

INFORMATION RISK MANAGEMENT
Today's Reference: Whitman & Mattord, Management of Information Security, 2nd edition, Chapters 7 & 8

What's the problem? Management still ask:
- "How secure are we?"
- "Are our controls adequate?"
- "Do we comply with Standards?"
- "Do we have the best blend of controls in place?"
- "How do we measure our IS security?"
- "What controls do I need?"
- "How much will controls cost?"

Overview
- What is Risk Management?
- Why is it important?
- Risk Analysis
- Risk Control Strategies
- Other Risk Management Techniques
- Summary

Australian Standard AS/NZS 4360:2004 Risk Management
Extracted from Australian Standard AS/NZS 4360:2004, Risk Management Process

Communicate & Consult
- Communication & consultation at EACH STEP of the RM process; not to be a one-way flow of information
- Involve stakeholders, so they will own the issues & solutions
- All stakeholder perceptions of risk recorded

Establish the Context
- Defines the parameters or scope of the RM process, e.g. goals, objectives, strategies, costs, benefits, resources required
- Consider internal & external environments
- Develop risk criteria (a benchmark to be evaluated against)

Identify Risks
- What can happen? When & where? How & why?

Analyse Risks
- Identify existing controls
- Determine consequences
- Determine likelihood
- Determine level of risk

Evaluate Risks
- Compare risks against criteria
- Set treatment priorities
- Consider the organisation's risk profile

Treat Risks
- Identify options
- Assess options
- Prepare & implement treatment plans
- Analyse & evaluate residual risk

Monitor & Review
- Is the management plan still relevant?
- Changes may necessitate different treatment
- Record the process at each stage

Why is it important?
- Subsidiaries of large organisations have an obligation (e.g. agencies of the SA Govt.)
- Corporate management may wish to compare these subsidiaries
- Shareholders may demand a certain level of compliance with Standards
- Directors have a 'duty of care' responsibility
- Trading partners may need you to prove your level of security (or they won't trade with you)

Managing Risk
The goal of information security is not to bring residual risk to zero, but to bring it in line with an organization's risk appetite.

Residual Risk
When vulnerabilities have been controlled as much as possible, there is often remaining risk that has not been completely removed, shifted, or planned for.

Risk Tolerance
Risk tolerance (also known as risk appetite) defines the quantity and nature of risk that organizations are willing to accept, as they evaluate the trade-offs between perfect security and unlimited accessibility.

Risk Analysis (RA)
Various methods:
- Qualitative
- Quantitative
- Software packages (e.g. RiskPac, RiskCalc, CRAMM, SPAN, Courtney's Method, Rank-it)

The quantitative approach:
1. Identify IS assets
2. Identify threats to those assets
3. Estimate probability of occurrence
4. Estimate cost of impact of threat
5. Calculate Annual Loss Exposure (ALE)
6. Build a control profile to match the risk profile

Identify Assets
- Iterative process; begins with identification of assets, including all elements of an organization's system (people, procedures, data and information, software, hardware, networking)
- Assets are then classified and categorized. For example:
  - Unclassified
  - Sensitive but unclassified
  - Confidential
  - Secret
  - Top secret

Identify Threats
- Realistic threats need investigation; unimportant threats are set aside
- Threat assessment:
  - Which threats present danger to assets?
  - Which threats represent the most danger to information?
  - How much would it cost to recover from an attack?
  - Which threat requires the greatest expenditure to prevent?

Threat Analysis
Columns on the slide: Threat, Risk Exposure (H, M, L), Impact (H, M, L), Probability

Threats listed:
- Errors & omissions
- Data network breakdowns
- Software errors & omissions
- Computer-based fraud
- Accidental & natural disasters
- Equipment failure
- Unauthorised access
- Deliberate destruction of equipment
- Misuse of computing equipment
- Theft of computers
- Loss of key personnel
- Theft of information
- Logical sabotage
- Software piracy
- Loss of vital services

Ratings given on the slide, in the order of the threats above (only one column of ratings survives in the transcript): Low, Low, Low, High, Medium, Medium, Medium, Medium, Medium, High, High, High, Low, Medium, Medium

The Metrics
- Annual Loss Expectancy (ALE) = Threat probability (ARO) x Single Loss Expectancy (SLE)
- ROI is the reduction in ALE due to the implementation of the control
- Uses Courtney's Scales
- Temptation to 'manufacture' the desired outcome

Courtney's Scales for calculating Annual Loss Exposure (ALE)

Probability of occurrence of threat:
- Once in 100 years
- Once in 10 years
- Once per year
- 10 times per year
- 100 times per year
- 1000 times per year

Impact of threat:
- $100 million
- $10 million
- $1 million
- $100,000
- $10,000
- $1,000

Risk Exposure Matrix (ASSETS down, THREATS across; each cell gives probability of occurrence, single loss, and risk exposure per annum)

Threats: Virus Attack | Hardware Malfunction | Physical Sabotage | Input Errors | Risk Exposure per asset per annum

Application Software: 1:1 year, $1000, $1000 pa | - | - | - | $1000
Network Server & OS: 1:1 year, $1000, $1000 pa | 1:1 year, $10000, $10000 pa | 1:1 year, $10000, $10000 pa | - | $21000
Database: 1:1 year, $10000, $10000 pa | 1:1 year, $10000, $10000 pa | 1:10 yrs, $100000, $10000 pa | 10:1 year, $100, $1000 pa | $31000
IS People: - | - | - | - | -

Risk Exposure per threat per annum: $12000 | $20000 | $20000 | $1000 | Total $53000
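The quantitative approach, the ALE metric, Courtney's Scales and the risk exposure matrix above can be worked through in a few lines. The following is an added example written for this page, not code from the presentation or from Whitman & Mattord: it encodes the Courtney probability and impact steps, computes ALE = ARO x SLE for each populated cell of the matrix, reproduces the per-asset and per-threat totals, and expresses the ROI of a control as the reduction in ALE. The asset and threat names and the cell values are taken from the slide; the "physical-access control" with a $5,000 annual cost and its effect on the ARO are constructed for illustration, and the nearest_courtney helper (snapping a raw estimate to the coarse scale) is an added convenience, not part of Courtney's method as presented.

```python
"""Quantitative risk analysis with Courtney's scales (added worked example).

Each asset/threat cell holds an annual rate of occurrence (ARO) and a single
loss expectancy (SLE); the annual loss expectancy is ALE = ARO x SLE. Totals
per asset and per threat reproduce the slide's risk exposure matrix, and the
ROI of a control is its reduction in ALE. Asset and threat names come from the
slide; the sample control and its cost are constructed for illustration.
"""
import math
from dataclasses import dataclass

# Courtney's probability scale, "once in 100 years" ... "1000 times per year",
# expressed as an ARO (expected occurrences per year).
COURTNEY_ARO = {
    "once in 100 years": 0.01,
    "once in 10 years": 0.1,
    "once per year": 1.0,
    "10 times per year": 10.0,
    "100 times per year": 100.0,
    "1000 times per year": 1000.0,
}
# Courtney's impact scale in dollars: $1,000 ... $100 million.
COURTNEY_SLE = [1_000, 10_000, 100_000, 1_000_000, 10_000_000, 100_000_000]


def nearest_courtney(value, scale):
    """Snap a raw estimate to the closest Courtney step (closest on a log10
    axis, since the steps are powers of ten), so analysts rate with the coarse
    scale rather than a spuriously precise number (added helper)."""
    if value <= 0:
        raise ValueError("estimate must be positive")
    return min(scale, key=lambda step: abs(math.log10(step) - math.log10(value)))


@dataclass(frozen=True)
class Exposure:
    asset: str
    threat: str
    aro: float  # annual rate of occurrence (threat probability)
    sle: float  # single loss expectancy in dollars

    @property
    def ale(self) -> float:
        """Annual loss expectancy for this asset/threat pair."""
        return self.aro * self.sle


# The populated cells of the slide's risk exposure matrix.
MATRIX = [
    Exposure("Application Software", "Virus Attack", 1.0, 1_000),
    Exposure("Network Server & OS", "Virus Attack", 1.0, 1_000),
    Exposure("Network Server & OS", "Hardware Malfunction", 1.0, 10_000),
    Exposure("Network Server & OS", "Physical Sabotage", 1.0, 10_000),
    Exposure("Database", "Virus Attack", 1.0, 10_000),
    Exposure("Database", "Hardware Malfunction", 1.0, 10_000),
    Exposure("Database", "Physical Sabotage", 0.1, 100_000),  # 1:10 yrs
    Exposure("Database", "Input Errors", 10.0, 100),          # 10:1 year
]


def ale_by(exposures, field):
    """Sum ALE grouped by 'asset' or 'threat' (the slide's row/column totals)."""
    totals = {}
    for e in exposures:
        key = getattr(e, field)
        totals[key] = totals.get(key, 0.0) + e.ale
    return {k: round(v, 2) for k, v in totals.items()}


def total_ale(exposures):
    """Grand total of annual risk exposure."""
    return round(sum(e.ale for e in exposures), 2)


def control_roi(exposures, threat, aro_after, annual_cost):
    """ROI of a control that lowers the ARO of every exposure to `threat`
    (the slide defines ROI as the reduction in ALE). Returns
    (ale_reduction, net_benefit), where net_benefit = reduction - annual cost."""
    hit = [e for e in exposures if e.threat == threat]
    before = sum(e.ale for e in hit)
    after = sum(aro_after * e.sle for e in hit)
    reduction = round(before - after, 2)
    return reduction, round(reduction - annual_cost, 2)


if __name__ == "__main__":
    print("per asset:", ale_by(MATRIX, "asset"))
    print("per threat:", ale_by(MATRIX, "threat"))
    print("total:", total_ale(MATRIX))
    # Constructed example: a $5,000/year physical-access control that cuts the
    # ARO of Physical Sabotage to once in 100 years for every affected asset.
    print("sabotage control:", control_roi(MATRIX, "Physical Sabotage", 0.01, 5_000))
```

Running the script prints $1,000, $21,000 and $31,000 per asset, $12,000, $20,000, $20,000 and $1,000 per threat, and a $53,000 total, matching the slide. The constructed sabotage control takes the two Physical Sabotage cells from $20,000 to $1,100 a year, an ALE reduction of $18,900 against a $5,000 cost; the slide's warning about 'manufacturing' the outcome applies here, since a small change to the assumed post-control ARO moves that figure considerably.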

Benefits of RA
- Improves awareness by involving people
- Relates the security mission to management objectives
- Identifies assets, vulnerabilities and controls
- Improves the basis for decisions
- Helps justify expenditure for security

Arguments against RA
- Not precise
- Hard to perform
- False sense of precision & confidence
- Never up to date
- No scientific foundation
- Not designed for small business
- Not a self-assessment method

Risk Control Strategies
An organization must choose one of four basic strategies to control risks:
- Avoidance: applying safeguards that eliminate or reduce the remaining uncontrolled risks for the vulnerability
- Transference: shifting the risk to other areas or to outside entities
- Mitigation: reducing the impact should the vulnerability be exploited
- Acceptance: understanding the consequences and accepting the risk without control or mitigation

Avoidance
- Attempts to prevent exploitation of the vulnerability
- Preferred approach; accomplished through countering threats, removing asset vulnerabilities, limiting asset access, and adding protective safeguards
- Three common methods of risk avoidance:
  - Application of policy
  - Training and education
  - Applying technology

Transference
- Control approach that attempts to shift risk to other assets, processes, or organizations
- If lacking the expertise, the organization should hire individuals/firms that provide security management and administration expertise
- The organization may then transfer the risk associated with management of complex systems to another organization experienced in dealing with those risks

Mitigation
- Attempts to reduce the impact of vulnerability exploitation through planning and preparation
- Approach includes three types of plans:
  - Incident response plan (IRP)
  - Disaster recovery plan (DRP)
  - Business continuity plan (BCP)

Acceptance
- Doing nothing to protect a vulnerability and accepting the outcome of its exploitation
- Valid only when the particular function, service, information, or asset does not justify the cost of protection
- Risk appetite describes the degree to which an organization is willing to accept risk as a trade-off to the expense of applying controls

Other RM Techniques
- Baselining
- Benchmarking
- Best Practices
- Due Care
- Due Diligence

Baselining
- Baselining is the analysis of measures against established standards
- In information security, baselining is the comparison of security activities and events against the organization's future performance

Benchmarking
- Benchmarking is seeking out and studying the practices from other organizations that produce the results desired, and then measuring the differences between the way the organizations conduct business
- In the field of information security, two categories of benchmarks are used:
  - Standards of due care and due diligence
  - Best practices

Best Business Practices
- Security efforts that seek to provide a superior level of performance are referred to as best business practices
- Best security practices are those that are among the best in the industry, balancing access to information with adequate protection, while maintaining a solid degree of fiscal responsibility

Due Care and Due Diligence
- For legal reasons, an organization may be forced to adopt a certain minimum level of security
- When organizations adopt levels of security for a legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances; this is referred to as a standard of due care
- Due diligence is the demonstration that the organization is persistent in ensuring that the implemented standards continue to provide the required level of protection

What you need to know
- The risk analysis process
- The risk analysis metrics
- Risk control strategies
- The terminology used in this presentation