Chapter 2 - McGraw Hill Higher Education

Information Assurance for the Enterprise: A Roadmap to Information Security, by Schou and Shoemaker
Chapter 2
Assessing Risk
McGraw-Hill/Irwin
Copyright © 2007 by The McGraw-Hill Companies, Inc. All rights reserved.
Objectives
• Elements of risk assessment
• Role and purpose of risk assessment in information assurance
• Fundamentals of performing a risk assessment
• Audit process to identify and track risks

Information
• Information assurance process is founded on the ability to anticipate and manage risk
  • Risk – possibility that a threat is capable of exploiting a known weakness or vulnerability
  • Risk assessment – operational process by which risks are identified and characterized
    • Explicit, repeatable process, which is well understood and followed continuously by all responsible parties

Risk – An Overview
• Risk assessments help decision makers understand:
  • The things that could go wrong
  • How likely they are to occur
  • The consequences if it were to happen

Knowing Where You Stand
• Understanding threats
  • Once all the information has been identified, the next logical step is to itemize the risks
• Identifying risks versus managing them
  • Risk assessments
    • Preventative measures
    • Reactive measures
  • Risk management
    • Maintains the effectiveness of measures once they have been put in place
    • Operational security

Knowing Where You Stand
• Providing useful answers
  • What is the certainty of the risk?
  • What is the anticipated impact?
• Shaping the response
  • Probability of occurrence
  • Estimate of the consequences
• Priorities: matching resources against potential harm
  • Maximize operational deployment and resource use
  • Identifying risks with the greatest probability of occurrence, causing the greatest degree of harm

Knowing Where You Stand
• Methodology: ensuring confidence in assessment
  • Built around tangible evidence:
    • Conducting interviews
    • Documenting observations
    • Auditing system logs
    • Examining other relevant records
• Scope: making overall assessment process efficient
  • Defined precisely and limited to a particular problem
  • Threat picture – basis for deciding how each threat will be addressed

Knowing Where You Stand
• Ensuring continuity: tracking evolving threats
  • Maintaining continuous knowledge of three critical factors:
    • Existence and interrelationships among all of the organization’s information assets
    • Specific threat to each asset
    • Precise business, financial, and technological issues associated with each threat

Making Threats Visible
• Risk Classification
  • Risk identification
  • Risk estimation
  • Both entail assessment of risks to an entity
  • Both tend to be more qualitative than quantitative
  • Both result in plausible evidence to support decision making about the response

Making Threats Visible
(Figure: Relationship between identification and estimation)

Gap Analysis
• A standard approach to identifying risk
  • Identification of gaps between ideal practice and the current operation

Gap Analysis
• Four major universal standards
  • ISO 27000 series
  • NIST 800-18 (NIST SP 800-37)
  • GASSP
  • COBIT

Risk Identification
• A range-finding activity
  • Simplest form of risk classification
  • Identify potentially harmful risks
    • Gap analysis
• Document characteristics of every vulnerability
  • Itemize a list of threats that would be able to exploit it
  • Track latent threats that could exploit a known vulnerability

Risk Estimation
• A data-driven process
  • Measure and quantitatively describe each potential risk
    • Assets affected
    • Potential duration of the threat
    • Severity of adverse impact
• Provides substantive data that will serve as the basis for the risk analysis
  • Determines the probability and impact of identified threats
  • Provides data for the analysis and decision making

Strategy Formulation
• Deciding about the response
  • ROI
    • Identify the adverse impact of threat in terms of cost
    • Ensure that the countermeasure does not cost more than the harm that the threat could cause
  • Trade-offs
    • Likelihood of occurrence
    • Frequency of occurrence
    • Unit cost for each occurrence

Strategy Formulation
• Making a practical decision
  • Annualized Loss Exposure (ALE) = Annual Cost of Deployment − (Annual Rate of Occurrence × Cost per Occurrence)
• Certainty factors – assuring credibility
  • Express degree of certainty of the estimate as a level of confidence from 0 to 100 percent
• Documenting outcomes
  • Risk mitigation report specifies:
    • Steps selected for each risk
    • Countermeasures that will be implemented
    • Parties responsible for accomplishing each task

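As an added worked example (not part of the Schou and Shoemaker slides), the Python below applies the strategy-formulation rules from this slide and the previous one to a small risk register: the expected annual harm (Annual Rate of Occurrence × Cost per Occurrence), the slide's ALE expression taken exactly as written, the ROI rule that a countermeasure must not cost more than the harm it averts, the priority order of greatest-probability and greatest-harm risks first, and the certainty factor expressed as a 0 to 100 percent confidence. Every risk name and figure is constructed for illustration, and the 50 percent confidence threshold below which an estimate is sent back for re-estimation is an assumption of this example, not a rule from the slides. One caveat on the arithmetic: the expression the slide labels ALE is a net figure (deployment cost minus expected loss, negative when the control is cheaper than the harm); the more widely used definition of ALE is the expected-loss term alone (ARO × single loss expectancy), which the code reports separately as expected annual loss so both readings are visible.

```python
"""Added worked example (not from the Schou & Shoemaker slides): the
strategy-formulation rules applied to a small, constructed risk register."""

from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    annual_rate_of_occurrence: float   # ARO: expected occurrences per year
    cost_per_occurrence: float         # harm caused by one occurrence
    countermeasure_annual_cost: float  # annual cost of deploying the control
    confidence_pct: int                # certainty factor, 0 to 100 percent


def expected_annual_loss(risk: Risk) -> float:
    """Annual Rate of Occurrence x Cost per Occurrence: the harm the threat is
    expected to cause in a year (the term inside the slide's parentheses)."""
    return risk.annual_rate_of_occurrence * risk.cost_per_occurrence


def ale_as_stated(risk: Risk) -> float:
    """The slide's expression taken literally:
    Annual Cost of Deployment - (ARO x Cost per Occurrence).
    Negative means the countermeasure costs less than the harm it averts."""
    return risk.countermeasure_annual_cost - expected_annual_loss(risk)


def countermeasure_justified(risk: Risk) -> bool:
    """ROI rule from the slides: the countermeasure must not cost more than
    the harm the threat could cause."""
    return risk.countermeasure_annual_cost <= expected_annual_loss(risk)


def prioritise(risks: list[Risk]) -> list[Risk]:
    """Greatest probability of occurrence causing the greatest harm first."""
    return sorted(risks, key=expected_annual_loss, reverse=True)


def mitigation_report(risks: list[Risk], min_confidence_pct: int = 50) -> list[dict]:
    """One row per risk, in priority order, with the step selected for it.
    The confidence threshold is an assumption of this example: estimates
    below it go back for re-estimation instead of being acted on."""
    rows = []
    for risk in prioritise(risks):
        if risk.confidence_pct < min_confidence_pct:
            step = "re-estimate"
        elif countermeasure_justified(risk):
            step = "deploy countermeasure"
        else:
            step = "accept or transfer"
        rows.append({
            "risk": risk.name,
            "expected_annual_loss": round(expected_annual_loss(risk), 2),
            "ale_as_stated": round(ale_as_stated(risk), 2),
            "confidence_pct": risk.confidence_pct,
            "step": step,
        })
    return rows


# Constructed sample register; every name and figure is invented for illustration.
SAMPLE_RISKS = [
    Risk("ransomware on file server", 0.5, 200_000, 40_000, 80),
    Risk("lost unencrypted laptop", 3.0, 5_000, 8_000, 90),
    Risk("public website defacement", 0.2, 10_000, 9_000, 70),
    Risk("insider exfiltration of customer data", 0.1, 500_000, 30_000, 30),
]


if __name__ == "__main__":
    for row in mitigation_report(SAMPLE_RISKS):
        print(f"{row['risk']:<40} loss/yr={row['expected_annual_loss']:>10,.0f} "
              f"ALE(as stated)={row['ale_as_stated']:>10,.0f} "
              f"confidence={row['confidence_pct']:>3}%  -> {row['step']}")
```

The report rows map directly onto what the slide says the risk mitigation report must specify: the step selected for each risk and the countermeasure to implement; the responsible party would be a further column filled in by the organization.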
Security Solution
• Deploying countermeasures
  • Implementation stage puts the response in place
  • Operational security analysis: in-depth analysis

Security Solution
• Risk analysis
  • Task – understand precisely the implications of the threat picture
  • Goal – refine further to a point that can be acted on by decision makers
  • Specify a minimum degree of protection to assess the risk-tolerance
• Assigning priorities
  • Understanding the cost/benefit situation
  • Making a risk-mitigation decision
    • To reduce the severity or effect of a known risk
    • To ensure recovery through a risk transfer

Security Solution
• Asset valuation methods include:
  • Applied information economics – assigns a standard unit of measure (usually financial) to variables
  • The balanced scorecard – associates organizational performance with information value using global factors
  • Economic value added – assigns value by subtracting costs from any value returned
  • Economic values sourced – assigns value four ways: increased revenue, improved productivity, decreased cycle time, or decreased risk
  • Portfolio management – considerations like size, age, performance, and risk determine the value of each item
  • Real option valuation – constantly considers the value of each information item over time in order to determine what the asset contributes

Security Solution: Sample Approach
(Figure: The balanced scorecard)

Security Solution
• Ensuring confidence
  • The value of a standard method
    • Organization will have data to support decisions about which item to secure and in what order
    • Organization will be able to increase its predictive accuracy and thus sharpen its security control

Operational Risk Assessment
• Continuing periodic assessments of risks because the security situation is changing
  • Assures the validity of the strategy and countermeasures on a periodic basis
  • The report is passed on to the people responsible for maintaining the operational security and assurance system
  • Provides explicit implementation advice about changes that must be made to countermeasures

Establishment
• Planning for operational risk assessment
  • Establishing a standard schedule for the performance of each assessment
  • Defined process for problem reporting and corrective action

Establishment
• Judging performance – importance of standard criteria
  • Allows the organization to judge with certainty, at any time, for any countermeasure, whether:
    • That control is performing as desired
    • It continues to achieve its purpose
• Implementing the operational risk assessment process
  • The data is used to monitor and ensure the effectiveness of its information assurance scheme
  • Ensures that adequate resources are available to support the assessment activities
  • Plan should specify the means or criteria that will be used to determine whether the goals of the process are met

Establishment
• Standard measurement
  • Plans for risk assessment should ensure that each assessment produces consistent data
    • Interprets the degree of risk exposure, as well as the types of countermeasures that have to be deployed
    • Provides an understanding of the precise nature of the threats and the required response

Audit
• Assures the integrity of the security solution from the pervasive influence of process entropy

Audit
• Follow-up audit – if a previous audit indicates the requirement of a follow-up
• Internal audit – conducted within the organization
• Security audits – to verify compliance with a specified requirement
• Contractual audit – to determine whether a specific situation, or deliverable, meets a customer’s contractual requirements

Audit
• Information assurance audits
  • Completeness and correctness of the policies that guide the process
  • Execution of the procedures to carry out the process
  • Capability of the management
• Aims of an audit
  • Identify noncompliances (nonconformances) with particular, specified audit criteria
  • Certification, where the basis for the audit is a general standard, or model, that is typically specified by a third party

Audit
• Ensuring continuity
  • The audit framework specific to information assurance:
    • Software integrity and controls
    • Hardware integrity and controls
    • Database integrity and controls
    • Compliance with contracts and procedures
    • Event and incident logs

Audit
• Audit and accountability
  • Control objectives – focused behaviors with observable outcomes
• Committing: establishing the audit process
  • Normally established by contracts or regulation
  • Parties have to agree on specific audit criteria, scope, procedures, and entry and exit criteria
  • Results must be documented and provided
  • Responsibility of the party who requests the audit to define its overall purpose

Managing the Audit Process
• An audit manager is appointed to:
  • Ensure the audit process is managed separately and is independent
  • Supervise, monitor, and evaluate the activities of the audit team
  • Plan and schedule audit activities
  • Assume responsibility for the audit reporting process
  • Control the follow-up procedures

Managing the Audit Process
(Figure: Auditing report process)

Managing the Audit Process
• Audit planning
  • Requires the organization to confirm that the necessary resources are in place
  • Types of participants in an audit process:
    • Auditee – The organization being audited
    • Lead auditor – The chief auditor
    • Auditor – The audit team
    • Client – The organization that engaged the auditors

Details of Execution
• Performing the audit – activity at each stage revolves around either preparing or reviewing audit documentation
  • Preparation of working documents from each audit
  • Preparation, validation, and distribution of the audit forms and checklists
    • A good checklist is a key success factor in IA audits
  • Records generated are kept in event logs
    • Automatically maintained by the system and essentially invisible to users

Details of Execution
• Structure of the overall process requires that:
  • Records have to be audited using consistent methodology and a set level of rigor
  • Outcomes and conclusions have to be integrated and appropriately supported in the body of audit findings
  • Audit evidence is typically collected by:
    • Interviewing personnel
    • Reading documents
    • Reviewing operational manuals
    • Studying operational records
    • Analyzing operating data
    • Observing routine activities
    • Examining routine environmental conditions

Authenticating Audit Evidence
• Evidence obtained must be authenticated

Authenticating Audit Evidence
• Critical success factors that must be considered:
  • Confidentiality – specifically with respect to audit findings
  • Impartiality – all findings are supported by unambiguous evidence
  • High degree of competence
  • Discussion with senior managers on findings, observations, conclusions, and nonconformities for finalization

Preparing the Audit Report
• The final report will contain statements outlining:
  • The purpose and scope of the audit
  • The audited organization
  • Audit targets
  • Applicable control structures and standards
  • Evaluation criteria
  • Observation list classified by major and minor findings
  • The timing of follow-up activities

Importance of Validation
• Actual reporting is a multi-stage activity built around an iterative communication process between the auditor and the auditee’s management and staff
• Since much of an audit is a matter of expert opinion, it is important to ensure that the perspective is correct
  • Test inferences with the people who do the work
  • Validate perspectives by discussing them with participants

Certification and Accreditation
• The Federal Government’s use of audit
  • Documents that can be used to identify and accept the residual risk – a product-oriented approach
  • Comprehensive evaluation of the technical and non-technical security features
  • Outcome of a C&A process is in the form of a recommendation that the system should be accredited as secure, provisionally accredited, or not accredited

Certification and Accreditation
• Certification covers the following areas:
  • Physical
  • Personnel
  • Administrative
  • Information
  • Information systems
  • Communications
• Advantage of using this type of process:
  • Relies on defined steps that bring responsible participants together to implement uniform C&A practice
  • Practice is applicable throughout the life cycle of the system

Example of C&A Process
• The Federal Government’s DITSCAP
  • There are four phases to a DITSCAP evaluation:
    • Phase 1: Definition – agreement on mission, requirements, scope, audit schedule, level of effort, and resource commitment
    • Phase 2: Verification – certifiers determine the system’s compliance with SSAA requirements
    • Phase 3: Validation – compliance with the SSAA requirements
    • Phase 4: Post Accreditation – review configuration and security management

Example of C&A Process
• At minimum, the SSAA should contain the following information: