Risk-Assessment Acceptance Exception

Risk Assessment, Acceptance and Exception with a Process View
ISACA Charlotte Chapter September Event
Information Security, IT Governance & Risk Management
Shawn Swartout
Leviathan Security Group
Agenda
Assessment
• Risk assessment drivers
• Developing an assessment framework that fits your size & complexity
• Integrating your risk assessment
Response
• Acceptance
• Ownership and accountability
Monitoring
• Exception handling
Shawn Swartout
2
Risk Assessment External Drivers
HIPAA
EXAMPLES
A covered entity must, in accordance with §164.306:
(1)(i) Standard: Security management process. Implement policies and
procedures to prevent, detect, contain, and correct security violations.
(ii) Implementation specifications:
(A) Risk analysis (Required). Conduct an accurate and thorough assessment of
the potential risks and vulnerabilities to the confidentiality, integrity, and
availability of electronic protected health information held by the covered
entity.
Federal Financial Institutions Examination Council (FFIEC)
Risk Management of Remote Deposit Capture (RDC)
Risk Management: Risk Assessment
Prior to implementing RDC, senior management should identify and assess the
legal, compliance, reputation, and operational risks associated with the new
system.
Risk Assessment Internal Drivers
EXAMPLES
How Risk Management Can Turn into Competitive Advantage
http://scholarworks.umb.edu/cgi/viewcontent.cgi?article=1006&context=management_wp
Assessment
NIST SP 800-30 Rev. 1 includes a taxonomy of threat sources, threat events and vulnerabilities, together with the inputs you need for your likelihood and impact calculations.
Source: http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf
Food for Thought
Alex Hutton
RVAsec 2013: KEYNOTE: Towards A Modern Approach To Risk Management
http://www.youtube.com/watch?v=icN40I3JJLY
Jet engine x peanut butter = shiny!
How awesome is your bridge?
– Wind has no motivation
– Rain does not evade defenses
– If the system is faulty by design… reinforcement addresses only symptoms
“What our standards bodies typically do is enable us to justify our perspective by manipulating the inputs into a completely false model”
– Alex Hutton, http://newschoolsecurity.com/2011/04/what-is-risk-again/
Assessment
Inherent risk – controls = residual risk
Let’s at least agree on this for the moment.
Assessment
Develop an assessment framework that fits your size & complexity
Factor Analysis of Information Risk (FAIR)
Complexity Level: Moderate
FAIR provides:
• A taxonomy of the factors that make up information risk and a set of standard definitions for our terms.
• A method for measuring the factors that drive information risk, including threat event frequency, vulnerability, and loss.
• A computational engine that derives risk by mathematically simulating the relationships between the measured factors.
• A simulation model that allows us to apply the taxonomy, measurement
http://riskmanagementinsight.com/media/documents/FAIR_Introduction.pdf
Factor Analysis of Information Risk (FAIR)
Assumptions about key aspects of the risk environment can seriously weaken the overall analysis.
Example: Bald Tire Scenario
As you proceed through each of the steps within the scenario below, ask yourself how much risk is associated with what’s being described.
• Picture in your mind a bald car tire. How much risk is there?
• Next, imagine that the bald tire is tied to a rope hanging from a tree branch. How much risk is there?
• Next, imagine that the rope is frayed about halfway through. How much risk is there?
• Finally, imagine that the tire swing is suspended over an 80-foot cliff. How much risk is there?
Factor Analysis of Information Risk (FAIR)
Example: Bald Tire Scenario
Risk Level – Low
Most people believe the risk is ‘High’ at the last stage of the Bald Tire scenario.
The answer, however, is that there is very little probability of significant loss given the scenario exactly as described.
Who cares if an empty, old bald tire falls to the rocks below?
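To make the FAIR “computational engine” and the Bald Tire lesson concrete, here is an added Monte Carlo example (not code from the presentation or from FAIR’s own tooling). It samples threat event frequency, vulnerability and loss magnitude from min / most-likely / max ranges, multiplies them the way the FAIR taxonomy relates them, and compares the tire swing with the unencrypted backup tapes from the Risk Treatment Plan sample, before and after encryption. The triangular distribution, the scenario names and every numeric range are assumptions constructed for illustration, not calibrated data.

```python
import random
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Factor:
    """Calibrated min / most-likely / max estimate for one FAIR factor.
    Sampled from a triangular distribution (an assumption made here;
    commercial FAIR tooling commonly uses a PERT distribution instead)."""
    low: float
    mode: float
    high: float

    def sample(self, rng):
        return rng.triangular(self.low, self.high, self.mode)

@dataclass(frozen=True)
class Scenario:
    tef: Factor   # threat event frequency: threat events per year
    vuln: Factor  # vulnerability: probability a threat event becomes a loss event
    loss: Factor  # loss magnitude: dollars lost per loss event

def simulate(scenario, trials=10_000, seed=1):
    """Monte Carlo over the FAIR relationships:
    loss event frequency = TEF * vulnerability; annual loss = LEF * loss magnitude.
    Returns the sorted list of simulated annual losses."""
    rng = random.Random(seed)
    annual = []
    for _ in range(trials):
        lef = scenario.tef.sample(rng) * scenario.vuln.sample(rng)
        annual.append(lef * scenario.loss.sample(rng))
    return sorted(annual)

def summarize(annual):
    """Mean annualized loss exposure and the 90th-percentile year."""
    n = len(annual)
    return {"mean": sum(annual) / n, "p90": annual[int(0.9 * (n - 1))]}

# Constructed inputs, not calibrated data. Bald tire over the cliff: the rope
# fails often (high TEF and vulnerability) but an empty old tire is worth ~nothing.
BALD_TIRE = Scenario(tef=Factor(5, 20, 50), vuln=Factor(0.5, 0.8, 1.0),
                     loss=Factor(0, 0, 5))
# Unencrypted backup tapes holding customer non-public personal data.
TAPES = Scenario(tef=Factor(0.1, 0.5, 2.0), vuln=Factor(0.2, 0.5, 0.9),
                 loss=Factor(50_000, 250_000, 2_000_000))
# Treatment: encrypt the tapes. Inherent risk - control = residual risk, modelled
# here as a cut in loss magnitude (a lost encrypted tape is mostly a media cost).
TAPES_ENCRYPTED = replace(TAPES, loss=Factor(500, 2_000, 20_000))

if __name__ == "__main__":
    for name, s in [("bald tire", BALD_TIRE), ("tapes", TAPES), ("tapes+encryption", TAPES_ENCRYPTED)]:
        print(name, summarize(simulate(s)))
```

The tire swing has the highest loss event frequency of the three yet the lowest annualized loss, which is exactly why a gut-feel “High” at the cliff stage is wrong.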
Binary Risk Analysis
Complexity Level: Easy
Binary Risk Assessment provides:
• A tool that performs risk analysis based exclusively on yes or no responses to ten questions. By forcing the tool user to choose one of two mutually exclusive answers, the tool ensures speed and simplicity in its approach.
http://riskmanagementinsight.com/media/documents/FAIR_Introduction.pdf
Binary Risk Analysis
The central tenet of this tool:
Risk analysis is based exclusively on yes or no responses to ten questions, a binary response.
https://binary.protect.io/BRA_draft1.1.pdf
Integrating your Assessment
• Organizational changes
• Product selection
• New service offering
• System development life cycle (SDLC)
– Requirements definition stage
– Development/Acquisition stage
Others?
Risk Response
Risk Response
In risk response, as described in NIST Special Publication 800-39, organizations:
– analyze different courses of action
– conduct cost-benefit analyses
– examine the interactions/dependencies among risk mitigation approaches
– address schedule and performance issues
Risk Response
• The methods available to mitigate risk
– application of appropriate controls
– acceptance of that risk
– transference of that risk (e.g. insurance)
– avoidance (e.g. product selection)
Risk Treatment Plan
SAMPLE
Asset(s): Customer non-public personal data
Container(s): Backup tapes for file server data; file server
Vulnerability: Data unencrypted at rest
Risk: Medium
Risk Treatment: Encrypt file server files and back-up tapes. Completion: MM/DD/YY. Owner: CISO
Status: Pending / On-hold / Complete
A Risk Treatment Plan (RTP) is used to identify each information asset flagged in the Risk Assessment report that has an unacceptable level of risk, and shall state the method of treatment intended to mitigate that risk.
Risk Response
• Ownership and accountability
– Application owners/custodians
– Business owners
– Compliance
– Legal
– Audit
– Audit Committee
– Board of Directors
Show me the Risk!
Monitoring Risk
Monitoring Risk
Risk exception handling
• Exception often involves non-compliance with policies and standards (BUT THEY’RE OK!)
– Easily identified if policy requirements are clearly articulated
• Ownership and accountability
– Owner of the policy? Does materiality impact ownership?
• Review cycle
– Consider aligning with policy reviews
Take away
Risk – The probable frequency and probable magnitude of future loss
• Risk is not a thing. We can’t see it, touch it, or measure it directly.
• It’s derived from the combination of threat event frequency, vulnerability, and asset value and liability characteristics.
Your organization’s ability to “manage risk” may be exploited as a market differentiator.
Questions & Comments
Contact information:
Shawn Swartout, CISSP, CISM, CAMS
Sr. Security Risk Management Consultant
Leviathan Security Group
shawn.swartout@leviathansecurity.com
Mobile: (509) 995-1083
http://www.leviathansecurity.com
Changing the face of information security and risk management.
Leviathan Security Group provides integrated Risk Management and Information Security solutions for our clients rather than patches, point fixes, or checking off little boxes with red ink pens. Our Fortune 100 clients and governments rely on us to understand and mitigate their risks. We help them take the next steps in their evolution and help them maintain their stellar reputations.