EPAM Systems
Creating trend analysis and calculating risks by security incidents for ISMS on ISO/IEC 27001:2005 compliance using @RISK and StatTools
2011 © EPAM Systems

Introduction to ISMS of EPAM Systems

EPAM Systems, the leading provider of IT outsourcing and software services and solutions in Central and Eastern Europe, provides software development, e-commerce and content management services to forward-thinking companies and government organizations in over 30 countries worldwide.

The EPAM Systems Integrated Quality Management System is based on the EPAM Quality Policy and Information Security Policy, reflecting most of the requirements of:
• ISO 9001:2008, Quality Management Systems – Requirements
• ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements
• CMMI® for Development, Version 1.2
• ISAE 3000 (SAS 70) Type II
• COBIT v4.1

The ISMS is part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security.

My Introduction. Prerequisites for this work

• Huge project management scientist experience: creation and implementation of industrial project management systems for nuclear and thermal power plants and power systems. Ph.D. thesis was defended. For that purpose a system development strategy, vision, requirements, design, mathematical models, algorithms, database and software were developed. Optimization models were elaborated using LP, NLP, IP, heuristic models, network and flow algorithms.
• Large CMMI experience (SPICE, CMM, CMMI x.x) from 1999.
• BSI Management Systems certificates: Information Security Management System BS ISO/IEC 27001 Implementation, BS ISO/IEC 27001 Internal Auditor (November 2007), www.bsi-global.com.
• Basic statistical tools and approaches we are using for CMMI ML4: regression analysis, control charts, ANOVA, Pareto analysis, hypothesis test, confidence interval, time series analysis, Monte Carlo simulation, earned value management.

ISO/IEC 27001:2005

ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof. The ISMS is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.

Features of ISO/IEC 27001:2005:
• Plan, Do, Check, Act (PDCA) process model
• Process based approach
• Stress on continual process improvements
• Covers people, process and technology
• 11 domains, 39 control objectives, 133 controls

ISMS main processes are presented in the layer view

Information Security Risk Management Process by ISO 27005

Risk Management is composed of the following parts:
• Defining the risk assessment approach of the organization, context
• Identifying risks
• Estimating and evaluating risks
• Identifying and evaluating options for the treatment of risks
• Selecting control objectives and controls for the treatment of risks
• Obtaining management approval of the proposed residual risks
• Obtaining management authorization to implement and operate the ISMS
• Preparing the Statement of Applicability
• Preparing the Risk Treatment Plan
• Implementing the Risk Treatment Plan

Risk Assessment for 2011 (fragment)

Asset Name | Threat | Vulnerability | Likelihood | Likelihood level | Impact | Impact level | Risk | Risk Level | Residual Risk 2010 | Residual Risk Level | Residual Risk 2011 | Residual Risk Level
Backup equipment | Environmental issues | Fire | 0.1 | Unlikely | 0.6 | Damaging | 0.06 | Low | 0.0005 | Low | 0.0005 | Low
Backup equipment | Environmental issues | Loss of power | 0.1 | Unlikely | 0.1 | Minor | 0.01 | Low | 0.0050 | Low | 0.0050 | Low
Backup equipment | Environmental issues | Snow/Ice/Hail/Rain Storm/Flood | 0.2 | Unlikely | 0.6 | Damaging | 0.12 | Medium | 0.0100 | Low | 0.0100 | Low
Backup equipment | Human error | Lack of awareness training and training | 0.1 | Unlikely | 0.4 | Significant | 0.04 | Low | 0.0200 | Low | 0.0150 | Low
Backup equipment | Ineffective Security Safeguards | Lack of adequate physical controls to protect assets | 0.2 | Unlikely | 0.1 | Minor | 0.02 | Low | 0.0100 | Low | 0.0050 | Low
Backup equipment | System failure | Technical failures | 0.3 | Fairly likely | 0.2 | Minor | 0.05 | Low | 0.0100 | Low | 0.0100 | Low
Backup equipment | Unauthorized entry into premises | Unauthorized access to sensitive areas | 0.2 | Unlikely | 0.2 | Serious | 0.16 | Medium | 0.0300 | Low | 0.0150 | Low
Backup tape | Environmental issues | Fire | 0.1 | Unlikely | 0.3 | Significant | 0.03 | Low | 0.0005 | Low | 0.0005 | Low
Backup tape | Environmental issues | Snow/Ice/Hail/Rain Storm/Flood | 0.2 | Unlikely | 0.3 | Significant | 0.06 | Low | 0.0100 | Low | 0.0100 | Low
Backup tape | Ineffective Security Safeguards | Lack of adequate physical controls to protect assets | 0.2 | Unlikely | 0.2 | Minor | 0.04 | Low | 0.0100 | Low | 0.0100 | Low
Backup tape | System failure | Technical failures | 0.3 | Fairly likely | 0.4 | Significant | 0.05 | Low | 0.0100 | Low | 0.0100 | Low
Backup tape | Unauthorized entry into premises | Unauthorized access to sensitive areas | 0.2 | Unlikely | 0.2 | Serious | 0.16 | Medium | 0.0300 | Low | 0.0150 | Low
Building space H29 | Environmental issues | Explosion, Terrorist Action, Sabotage | 0.01 | Very unlikely | 0.8 | Serious | 0.008 | Low | 0.0001 | Low | 0.0001 | Low
Building space H29 | Environmental issues | Fire | 0.25 | Unlikely | 0.4 | Significant | 0.1 | Medium | 0.0009 | Low | 0.0009 | Low
Building space H29 | Environmental issues | High humidity | 0.2 | Unlikely | 0.3 | Significant | 0.06 | Low | 0.0200 | Low | 0.0200 | Low
Building space H29 | Environmental issues | Loss of power | 0.2 | Unlikely | 0.2 | Minor | 0.04 | Low | 0.0100 | Low | 0.0100 | Low
Building space H29 | Environmental issues | Snow/Ice/Hail/Rain Storm/Flood/Earthquake | 0.1 | Unlikely | 0.2 | Minor | 0.02 | Low | 0.0100 | Low | 0.0100 | Low
Building space H29 | Environmental issues | Water | 0.4 | Fairly likely | 0.3 | Significant | 0.12 | Medium | 0.0400 | Low | 0.0400 | Low

Ranges

Likelihood
Value | Uncertainty Statement | Explanation
0 | Impossible | Impossible
0.01 | Very unlikely | Unlikely to occur
0.1 | Unlikely | 2-3 times every 5 years
0.3 | Fairly likely | Up to twice a year
0.5 | Likely | Up to once per month
0.7 | Very likely | More than once a month
0.9 | Certain | Several times a week or a day

Impact
Value | Impact Statement | Explanation
0 | Insignificant | No impact
0.01 | Minor | Minor impact to business objectives
0.3 | Significant | Tangible harm, extra effort required to repair
0.5 | Damaging | Significant expenditure of resources required
0.7 | Serious | Extended outage and/or loss of connectivity
0.9 | Grave | Permanent shutdown

Risk
Value | Statement | Explanation
0 | Low | Minor impact and unlikely to occur at a maximum. Acceptable risk, treatment plan is not mandatory.
0.07 | Medium | Medium risk. Action is required within 1 year.
0.45 | High | At least very likely with serious impact. Immediate action (within 1-3 months) is required.
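The scales and thresholds of the Ranges slide, applied as a scoring function to register rows, as an added example (not code from the deck or from @RISK). The register rows are copied from the 2011 fragment above; the function names and the 4-decimal rounding are assumptions of this example.

```python
# Added example (not from the EPAM deck): scores a risk register row with the
# deck's scales, risk = likelihood * impact, banded Low/Medium/High at the
# 0.07 and 0.45 thresholds of the Ranges slide.
LIKELIHOOD = {0: "Impossible", 0.01: "Very unlikely", 0.1: "Unlikely",
              0.3: "Fairly likely", 0.5: "Likely", 0.7: "Very likely",
              0.9: "Certain"}
IMPACT = {0: "Insignificant", 0.01: "Minor", 0.3: "Significant",
          0.5: "Damaging", 0.7: "Serious", 0.9: "Grave"}
# Risk bands: a value at or above the threshold takes that band.
RISK_BANDS = [(0.45, "High"), (0.07, "Medium"), (0.0, "Low")]


def risk_level(value):
    for threshold, label in RISK_BANDS:
        if value >= threshold:
            return label
    raise ValueError("risk value must be >= 0")


def score(likelihood, impact):
    """Return (risk value, level) for one asset/threat/vulnerability row."""
    if not (0 <= likelihood <= 1 and 0 <= impact <= 1):
        raise ValueError("likelihood and impact are fractions in [0, 1]")
    value = round(likelihood * impact, 4)   # 4 decimals, as in the register
    return value, risk_level(value)


def risk_matrix():
    """Rebuild the likelihood x impact table of the Ranges slide."""
    return {(lk, im): score(lk, im)[0] for lk in LIKELIHOOD for im in IMPACT}


def treatment_needed(register):
    """Rows scored Medium or High: the deck treats Low as acceptable with no
    mandatory treatment plan, so these are the rows that need one."""
    return [row for row in register
            if score(row["likelihood"], row["impact"])[1] != "Low"]


# Constructed register rows, values copied from the deck's 2011 fragment.
REGISTER = [
    {"asset": "Backup equipment", "threat": "Environmental issues",
     "vulnerability": "Fire", "likelihood": 0.1, "impact": 0.6},
    {"asset": "Building space H29", "threat": "Environmental issues",
     "vulnerability": "Explosion, Terrorist Action, Sabotage",
     "likelihood": 0.01, "impact": 0.8},
    {"asset": "Building space H29", "threat": "Environmental issues",
     "vulnerability": "Water", "likelihood": 0.4, "impact": 0.3},
]
```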
Likelihood × Impact matrix (likelihood down the rows, impact across the columns)
Likelihood \ Impact | 0 | 0.01 | 0.3 | 0.5 | 0.7 | 0.9
0 | 0 | 0 | 0 | 0 | 0 | 0
0.01 | 0 | 0.0001 | 0.003 | 0.005 | 0.007 | 0.009
0.1 | 0 | 0.001 | 0.03 | 0.05 | 0.07 | 0.09
0.3 | 0 | 0.003 | 0.09 | 0.15 | 0.21 | 0.27
0.5 | 0 | 0.005 | 0.15 | 0.25 | 0.35 | 0.45
0.7 | 0 | 0.007 | 0.21 | 0.35 | 0.49 | 0.63
0.9 | 0 | 0.009 | 0.27 | 0.45 | 0.63 | 0.81

Pareto Chart of Residual Risk by Asset Group and Assets

Overlay results graphs of Residual Risks

Statistical Inferences | Risk 2011 | Residual Risk 2011 | Risk 2012 | Residual Risk 2012
Size (Number of Risks) | 166 | 166 | 166 | 166
Mean (Average of Risks) | 0.05261 | 0.02088 | 0.05261 | 0.01931
Standard Deviation | 0.04366 | 0.01661 | 0.04366 | 0.01514

Security Incidents Summary

Security Incidents - 2011 (monthly counts by office)
Country | Office | Jan | Feb | Mar | Apr | May | Jun | Jul | Aug | Sep | Oct | Nov | Dec | Total
BY | Brest | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 1 | 2 | 5
BY | Grodno | 0 | 1 | 0 | 1 | 0 | 0 | 1 | 1 | 0 | 3 | 0 | 0 | 7
BY | Gomel | 0 | 0 | 0 | 0 | 0 | 2 | 0 | 0 | 1 | 2 | 0 | 0 | 5
BY | Minsk | 13 | 11 | 14 | 10 | 17 | 13 | 19 | 16 | 11 | 13 | 8 | 6 | 151
BY | Mogilev | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 1
HU | Budapest | 2 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 3
KZ | Astana | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 0 | 1
KZ | Karaganda | 1 | 1 | 0 | 2 | 1 | 0 | 0 | 3 | 4 | 3 | 6 | 3 | 24
RU | Izhevsk | 0 | 0 | 0 | 0 | 0 | 2 | 2 | 2 | 2 | 3 | 1 | 0 | 12
RU | Moscow | 1 | 1 | 4 | 0 | 0 | 6 | 0 | 2 | 5 | 2 | 2 | 2 | 25
RU | St. Petersburg | 0 | 1 | 0 | 0 | 0 | 3 | 0 | 1 | 2 | 2 | 2 | 4 | 15
RU | Ryazan | 0 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 3 | 0 | 0 | 4
RU | Samara | 0 | 1 | 1 | 2 | 0 | 0 | 0 | 3 | 0 | 2 | 6 | 4 | 19
RU | Saratov | 1 | 0 | 0 | 0 | 0 | 3 | 0 | 0 | 2 | 2 | 2 | 3 | 13
RU | Tver | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1
UA | Dnipropetrovsk | 0 | 1 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 0 | 3 | 1 | 6
UA | Kharkov | 0 | 0 | 0 | 1 | 0 | 1 | 2 | 1 | 1 | 2 | 1 | 2 | 11
UA | Kyiv | 5 | 2 | 3 | 0 | 3 | 9 | 14 | 8 | 10 | 17 | 15 | 9 | 95
UA | Lviv | 2 | 1 | 0 | 2 | 2 | 4 | 2 | 4 | 0 | 3 | 4 | 3 | 27
UA | Vinnitsa | 0 | 0 | 1 | 1 | 0 | 1 | 0 | 0 | 1 | 1 | 1 | 0 | 6
US | Newtown | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
Total by EPAM | | 26 | 20 | 24 | 20 | 23 | 44 | 42 | 41 | 41 | 58 | 53 | 39 | 431

Security Incidents - 2011 (incidents against equipment by office)
Country | Office | Security Incidents by Offices | Risks by Offices 2011 | Servers | Workstations | Total Equipment | Security Incident/Workstation, % | Security Incident/Total Equipment, %
BY | Brest | 5 | 0.41666667 | 5 | 75 | 80 | 6.67 | 6.25
BY | Grodno | 7 | 0.58333333 | 20 | 103 | 123 | 6.80 | 5.69
BY | Gomel | 5 | 0.41666667 | 34 | 175 | 209 | 2.86 | 2.39
BY | Minsk | 151 | 12.5833333 | 1198 | 2783 | 3981 | 5.43 | 3.79
BY | Mogilev | 1 | 0.08333333 | 26 | 70 | 96 | 1.43 | 1.04
HU | Budapest | 3 | 0.25 | 236 | 428 | 664 | 0.70 | 0.45
KZ | Astana | 1 | 0.08333333 | 7 | 42 | 49 | 2.38 | 2.04
KZ | Karaganda | 24 | 2 | 207 | 167 | 374 | 14.37 | 6.42
RU | Izhevsk | 12 | 1 | 30 | 90 | 120 | 13.33 | 10.00
RU | Moscow | 25 | 2.08333333 | 133 | 172 | 305 | 14.53 | 8.20
RU | St. Petersburg | 15 | 1.25 | 93 | 160 | 253 | 9.38 | 5.93
RU | Ryazan | 4 | 0.33333333 | 61 | 182 | 243 | 2.20 | 1.65
RU | Samara | 19 | 1.58333333 | 107 | 126 | 233 | 15.08 | 8.15
RU | Saratov | 13 | 1.08333333 | 161 | 285 | 446 | 4.56 | 2.91
RU | Tver | 1 | 0.08333333 | 16 | 36 | 52 | 2.78 | 1.92
UA | Dnipropetrovsk | 6 | 0.5 | 4 | 75 | 79 | 8.00 | 7.59
UA | Kharkov | 11 | 0.91666667 | 70 | 188 | 258 | 5.85 | 4.26
UA | Kyiv | 95 | 7.91666667 | 247 | 740 | 987 | 12.84 | 9.63
UA | Lviv | 27 | 2.25 | 156 | 285 | 441 | 9.47 | 6.12
UA | Vinnitsa | 6 | 0.5 | 8 | 46 | 54 | 13.04 | 11.11
US | Newtown | 0 | 0 | 1 | 110 | 111 | 0.00 | 0.00
Total by EPAM | | 431 | 35.9166667 | 2820 | 6338 | 9158 | 6.80 | 4.71

Security Incidents by Offices using Control Charts

One of the techniques used to establish operational limits for acceptable variation is the control chart. It is used to quantify process behavior.

Security Incidents Jan-Dec 2011 (control chart statistics)
Security Incidents, mean | 1.63
Center Line, Mean | 1.632575758
Lower Sig1 Limit | 1.298060606
Upper Sig1 Limit | 1.967090909
Lower Ctrl Limit (LCL) | 0.629030303
Upper Ctrl Limit (UCL) | 2.636121212

Regression Analysis

• Simple
• Multiple
Regression analysis is used for predictions. It builds an equation using the selected explanatory variables.

Regression equation:
SECURITY INCIDENTS TOTAL BY OFFICES = 3.392 + 0.0393 * TOTAL EQUIPMENT

Regression Analysis reports

Reports from each analysis include summary measures of each regression equation run, an ANOVA table for each regression, and a table of estimated regression coefficients, their standard errors, their t-values, their p-values, and 95% confidence intervals for them.
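The regression equation above can be reproduced from the office totals in the Security Incidents Summary table. The following Python is an added example, not StatTools output or code from the deck; the function names and the residual report are this example's own.

```python
# Added example (not StatTools output): least-squares fit of 2011 incidents on
# total equipment for the 21 offices in the deck's summary table, with the
# explained/unexplained sum of squares and R^2 the deck's ANOVA table reports.
from math import sqrt

# Office totals copied from the Security Incidents Summary table.
OFFICES = ["Brest", "Grodno", "Gomel", "Minsk", "Mogilev", "Budapest", "Astana",
           "Karaganda", "Izhevsk", "Moscow", "St. Petersburg", "Ryazan",
           "Samara", "Saratov", "Tver", "Dnipropetrovsk", "Kharkov", "Kyiv",
           "Lviv", "Vinnitsa", "Newtown"]
EQUIPMENT = [80, 123, 209, 3981, 96, 664, 49, 374, 120, 305, 253, 243, 233,
             446, 52, 79, 258, 987, 441, 54, 111]
INCIDENTS = [5, 7, 5, 151, 1, 3, 1, 24, 12, 25, 15, 4, 19, 13, 1, 6, 11, 95,
             27, 6, 0]


def ols(x, y):
    """Fit y = a + b*x by least squares; return coefficients and ANOVA terms."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxx = sum((xi - mx) ** 2 for xi in x)
    sxy = sum((xi - mx) * (yi - my) for xi, yi in zip(x, y))
    b = sxy / sxx
    a = my - b * mx
    sst = sum((yi - my) ** 2 for yi in y)
    ssr = b * sxy            # explained sum of squares (1 degree of freedom)
    sse = sst - ssr          # unexplained sum of squares (n - 2 degrees)
    return {"intercept": a, "slope": b, "ss_explained": ssr,
            "ss_unexplained": sse, "r_squared": ssr / sst,
            "std_err_estimate": sqrt(sse / (n - 2))}


def predict(fit, equipment):
    """Expected incidents for an office with the given total equipment."""
    return fit["intercept"] + fit["slope"] * equipment


def residual_report(fit, offices, x, y):
    """(office, actual - predicted) sorted largest first: positive residuals
    are offices with more incidents than their equipment base explains."""
    rows = [(o, yi - predict(fit, xi)) for o, xi, yi in zip(offices, x, y)]
    return sorted(rows, key=lambda r: r[1], reverse=True)
```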
Multiple Regression Summary
Multiple R | R-Square | Adjusted R-Square | StErr of Estimate
0.9176 | 0.8420 | 0.8336 | 14.74269784

ANOVA Table
Source | Degrees of Freedom | Sum of Squares | Mean of Squares | F-Ratio | p-Value
Explained | 1 | 21999.64245 | 21999.64245 | 101.2189 | < 0.0001
Unexplained | 19 | 4129.59565 | 217.3471395 | |

Regression Table
Term | Coefficient | Standard Error | t-Value | p-Value | Confidence Interval 95% Lower | Confidence Interval 95% Upper
Constant | 3.392079508 | 3.639983727 | 0.9319 | 0.3631 | -4.22649399 | 11.01065301
Total Equipment | 0.039284378 | 0.003904712 | 10.0608 | < 0.0001 | 0.031111721 | 0.047457034

Time Series and Forecasting of Security Incidents

• Forecasting provides a number of methods for forecasting a time series variable. We are using Holt's exponential smoothing method for capturing trend.
• The forecast reports include a set of columns to show the various calculations (for example, the smoothed levels and trends for Holt's method), the forecasts, and the forecast errors.

Pareto Chart of Security Incidents by Offices and by Countries

Monte Carlo Simulation

• @RISK uses Monte Carlo simulation to analyze thousands of different possible outcomes, showing us the likelihood of each occurring. Monte Carlo simulation is a computer-intensive technique for assessing how a statistic will perform under repeated sampling. In Monte Carlo methods, the computer uses random number simulation techniques to mimic a statistical population.
• The outcomes of the Monte Carlo simulation, using confidence intervals, are the predicted numbers of incidents expected in each office.
• The predictions are represented by the upper control limit, the central value and the lower control limit, and the confidence of achieving them.
• The model also summarizes the total number of incidents expected at organizational level, again represented by the upper control limit, the central value and the lower control limit, the confidence of achieving them, and the associated confidence interval.
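One added example serving both the control chart slide and the Holt's forecasting slide (not the deck's StatTools charts): the 2011 monthly totals from the summary table are checked against control limits and then extended with a Holt forecast. The individuals/moving-range method, the d2 constant and the smoothing constants alpha = 0.5, beta = 0.3 are assumptions of this example, not the deck's settings, so the limits differ from the deck's per-office chart.

```python
# Added example (not the deck's StatTools charts): the 2011 monthly totals from
# the summary table watched two ways, an individuals/moving-range control chart
# (center line, 1-sigma and 3-sigma limits, months outside them) and Holt's
# linear exponential smoothing to forecast the coming months.
MONTHLY_2011 = [26, 20, 24, 20, 23, 44, 42, 41, 41, 58, 53, 39]  # Jan..Dec

D2 = 1.128  # control-chart constant for moving ranges of two observations


def control_limits(series):
    """Individuals chart: sigma estimated from the average moving range."""
    center = sum(series) / len(series)
    moving_ranges = [abs(b - a) for a, b in zip(series, series[1:])]
    sigma = sum(moving_ranges) / len(moving_ranges) / D2
    return {"center": center, "sigma": sigma,
            "lower_sig1": center - sigma, "upper_sig1": center + sigma,
            "lcl": max(0.0, center - 3 * sigma), "ucl": center + 3 * sigma}


def out_of_control(series):
    """Indexes (0 = Jan) of months outside the 3-sigma limits."""
    lim = control_limits(series)
    return [i for i, v in enumerate(series) if v > lim["ucl"] or v < lim["lcl"]]


def holt_forecast(series, alpha=0.5, beta=0.3, horizon=3):
    """Holt's method: level and trend smoothed separately; the h-step forecast
    is level + h * trend. Initialised from the first two observations."""
    level, trend = series[0], series[1] - series[0]
    for y in series[1:]:
        prev_level = level
        level = alpha * y + (1 - alpha) * (level + trend)
        trend = beta * (level - prev_level) + (1 - beta) * trend
    return [level + h * trend for h in range(1, horizon + 1)]
```

On the 2011 totals the October value (58) lies above the 3-sigma upper limit, which is the kind of month a control chart flags for investigation.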
Define Distribution of Risks by Offices and Risks by Offices 2011

Output results summary by Offices (fragment)
Name | Worksheet | Cell | Min | Mean | Max | 5% | 95% | Errors
Brest / Risks by Offices 2011 | Summary_2011 | P3 | -2.175979 | 0.4166674 | 3.026024 | -0.683154 | 1.516106 | 0
Grodno / Risks by Offices 2011 | Summary_2011 | P4 | -3.347512 | 0.5833397 | 4.634865 | -0.8977569 | 2.063855 | 0
Gomel / Risks by Offices 2011 | Summary_2011 | P5 | -2.547892 | 0.4167063 | 3.856878 | -0.8877159 | 1.720214 | 0
Minsk / Risks by Offices 2011 | Summary_2011 | P6 | -2.499412 | 12.58321 | 26.73282 | 6.48934 | 18.67316 | 0
Mogilev / Risks by Offices 2011 | Summary_2011 | P7 | -1.001166 | 0.08333025 | 1.179311 | -0.3915962 | 0.5579265 | 0
Budapest / Risks by Offices 2011 | Summary_2011 | P8 | -2.080682 | 0.2500368 | 2.960976 | -0.7725362 | 1.272372 | 0
Astana / Risks by Offices 2011 | Summary_2011 | P9 | -1.020973 | 0.08333907 | 1.237291 | -0.391588 | 0.5580279 | 0
Karaganda / Risks by Offices 2011 | Summary_2011 | P10 | -5.932271 | 1.999917 | 8.974371 | -1.057276 | 5.05664 | 0
Izhevsk / Risks by Offices 2011 | Summary_2011 | P11 | -3.62505 | 1.000029 | 6.004847 | -0.8563967 | 2.854966 | 0
Moscow / Risks by Offices 2011 | Summary_2011 | P12 | -5.311656 | 2.083381 | 9.774927 | -1.16638 | 5.332192 | 0
St. Petersburg / Risks by Offices 2011 | Summary_2011 | P13 | -4.094762 | 1.249985 | 6.313061 | -0.9817926 | 3.480608 | 0

Output results by Offices (fragment) – Cumulative function

Security Incident / Workstation / Total Equipment, %

Overlay Graphs Security Incident/Workstation/Total Equipment, %

Summary

Thanks to the @RISK and StatTools applications of Palisade software, EPAM Systems has effectively implemented statistical process control to manage and improve trend analysis of security incidents for ISMS on ISO/IEC 27001:2005 compliance.
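A Monte Carlo run over the per-office rates of the summary table, as an added example (not the deck's @RISK model). It assumes monthly counts per office follow a Poisson distribution with rate "Risks by Offices 2011" (incidents / 12); a count distribution cannot produce the negative minimums seen in the output table above, which is the point of the comparison. The function names, the seed and the iteration count are this example's own.

```python
# Added example (not the deck's @RISK model): Monte Carlo over the deck's
# per-office rates ("Risks by Offices 2011" = 2011 incidents / 12).
# Assumption: monthly counts per office are Poisson with that rate, so no
# draw is negative; draws are summed per iteration for the organisation level.
import math
import random

RATES_2011 = {  # office: 2011 incidents / 12, from the summary table
    "Brest": 5 / 12, "Grodno": 7 / 12, "Gomel": 5 / 12, "Minsk": 151 / 12,
    "Mogilev": 1 / 12, "Budapest": 3 / 12, "Astana": 1 / 12,
    "Karaganda": 24 / 12, "Izhevsk": 12 / 12, "Moscow": 25 / 12,
    "St. Petersburg": 15 / 12, "Ryazan": 4 / 12, "Samara": 19 / 12,
    "Saratov": 13 / 12, "Tver": 1 / 12, "Dnipropetrovsk": 6 / 12,
    "Kharkov": 11 / 12, "Kyiv": 95 / 12, "Lviv": 27 / 12,
    "Vinnitsa": 6 / 12, "Newtown": 0.0}


def poisson(rate, rng):
    """Knuth's method: count uniforms until their product falls below e^-rate."""
    if rate <= 0:
        return 0
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def percentile(sorted_values, q):
    return sorted_values[min(len(sorted_values) - 1, int(q * len(sorted_values)))]


def simulate(rates, iterations=10000, seed=2011):
    """Per-office and organisation-level min/mean/max/5%/95% of simulated
    monthly incident counts, the same summary columns the deck reports."""
    rng = random.Random(seed)
    draws = {name: [] for name in rates}
    totals = []
    for _ in range(iterations):
        month = {name: poisson(rate, rng) for name, rate in rates.items()}
        for name, k in month.items():
            draws[name].append(k)
        totals.append(sum(month.values()))
    draws["Total by EPAM"] = totals
    summary = {}
    for name, values in draws.items():
        values.sort()
        summary[name] = {"min": values[0], "mean": sum(values) / len(values),
                         "max": values[-1], "5%": percentile(values, 0.05),
                         "95%": percentile(values, 0.95)}
    return summary
```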
EPAM Systems has used the following basic statistical techniques: regression analysis, control charts, ANOVA, hypothesis test, confidence interval, time series analysis, Monte Carlo simulation.

To support CMMI High Maturity process performance baselines and models, EPAM Systems is going to implement additional tools and approaches of the DecisionTools Suite: Six Sigma, decision tree analysis, sensitivity analysis and others.

Questions

Thanks for your attention

Creating trend analysis and calculating risks by security incidents for ISMS on ISO/IEC 27001:2005 compliance using @RISK and StatTools
By Vladimir Savin, Ph.D.
Vladimir_Savin@epam.com
EPAM Systems
41 University Drive, Suite 202 | Newtown, PA 18940
p: +1 267 759 9000 | f: +1 267 759 8989 | e: info@epam.com | w: www.epam.com