Managing Risk
Security Planning
Susan Lincke
Security Planning: An Applied Approach | 6/21/2016 | 2
Objectives
Students should be able to:
Define risk management process: risk management, risk assessment, risk analysis, risk
appetite, risk treatment, accept residual risk
Define treat risk terms: risk acceptance/risk retention, risk avoidance, risk
mitigation/risk reduction, risk transference
Describe threat types: natural, unintentional, intentional, intentional (non-physical)
Define threat agent types: hacker/crackers, criminals, terrorists, industry spies, insiders
Describe risk analysis strategies: qualitative, quantitative
Define vulnerability, SLE, ARO, ALE, due diligence, due care
How Much to Invest in Security?
How much is too much? (security costs)
• Firewall
• Intrusion Detection/Prevention
• Guard
• Biometrics
• Virtual Private Network
• Encrypted Data & Transmission
• Card Readers
• Policies & Procedures
• Audit & Control Testing
• Antivirus / Spyware
• Wireless Security
How much is too little? (losses)
• Hacker attack
• Internal Fraud
• Loss of Confidentiality
• Stolen data
• Loss of Reputation
• Loss of Business
• Penalties
• Legal liability
• Theft & Misappropriation
Security is a Balancing Act between Security Costs & Losses
Risk Management
Risk Mgmt Structure: shaped by Internal Factors and External Factors
Risk Mgmt Strategies are determined by both internal & external factors
Risk Tolerance or Appetite: The level of risk that management is comfortable with
Risk Appetite
Do you operate your computer with or without antivirus
software?
Do you have antispyware?
Do you open emails with forwarded attachments from friends or
follow questionable web links?
Have you ever given your bank account information to a foreign
emailer to make $$$?
What is your risk appetite?
If liberal, is it due to risk acceptance or ignorance?
Companies too have risk appetites, decided after evaluating risk
Risk Management Process
Continuous Risk Mgmt Process
Cycle (with Risk Appetite at the centre): Identify & Assess Risks -> Develop Risk Mgmt Plan -> Implement Risk Mgmt Plan -> Proactive Monitoring -> back to Identify & Assess Risks
Why the process never ends:
• Risks change with time as business & environment changes
• Controls degrade over time and are subject to failure
• Countermeasures may open new risks
Risk Assessment Overview
Five Steps include:
1. Assign Values to Assets: Where are the Crown Jewels?
2. Determine Loss due to Threats & Vulnerabilities: Confidentiality, Integrity, Availability
3. Estimate Likelihood of Exploitation: Weekly, monthly, 1 year, 10 years?
4. Compute Expected Loss
   Loss = Downtime + Recovery + Liability + Replacement
   Risk Exposure = ProbabilityOfVulnerability * $Loss
5. Treat Risk: Reduce, Transfer, Avoid or Accept Risk
   Risk Leverage = ((Risk exposure before reduction) - (Risk exposure after reduction)) / (cost of risk reduction)
Step 1: Determine Value of Assets
Identify & Determine Value of Assets (Crown Jewels):
Assets include:
• IT-Related: Information/data, hardware, software, services, documents,
personnel
• Other: Buildings, inventory, cash, reputation, sales opportunities
What is the value of this asset to the company?
How much of our income can we attribute to this asset?
How much would it cost to recover this?
How much liability would we be subject to if the asset were
compromised?
Helpful websites: www.attrition.org
Determine Cost of Assets
Costs are Tangible ($, e.g. Sales) or Intangible (High/Med/Low)
Risk: Product A
  Replacement Cost =
  Cost of loss of integrity =
  Cost of loss of availability =
  Cost of loss of confidentiality =
Risk: Product B
  Replacement Cost =
  Cost of loss of integrity =
  Cost of loss of availability =
  Cost of loss of confidentiality =
Risk: Product C
  Replacement Cost =
  Cost of loss of integrity =
  Cost of loss of availability =
  Cost of loss of confidentiality =
Matrix of Loss Scenario
(taken from CISM Exhibit 2.16)
Scenario | Size of Loss | Reputation Loss | Lawsuit Loss | Fines/Reg. Loss | Market Loss | Exp. Yearly Loss
Hacker steals customer data; publicly blackmails company | 1-10K records | $1M-$20M | $1M-$10M | $1M-$35M | $1M-$5M | $10M
Employee steals strategic plan; sells data to competitor | 3-year | Min. | Min. | Min. | $20M | $2M
Backup tapes and cust. data found in garbage; makes front-page news | 10M records | $20M | $20M | $10M | $5M | $200K
Contractor steals employee data; sells data to hackers | 10K records | $5M | $10M | Min. | Min. | $200K
Step 1: Determine Value of Assets (Workbook)
Asset Name | $ Value, Direct Loss: Replacement | $ Value, Consequential Financial Loss | Confidentiality, Integrity, and Availability Notes
Registration Server | $10,000 | Breach Not. Law = $804,000; Registration loss per day = $16,000; Forensic help = $100,000 | Affects: Confidentiality, Availability. Conf => Breach Notification Law => Possible FERPA Violation => Forensic Help. Availability => Loss of Registrations
Grades Server | $10,000 | Lawsuit = $1 million; FERPA = $1 million; Forensic help = $100,000 | Affects: Confidentiality, Integrity. Integrity => Student Lawsuit. Confidentiality => FERPA violation. Both => Forensic help
Consequential Financial Loss Calculations
Consequential Financial Loss | Total Loss | Calculations or Notes
Lost business for one day (1D) | 1D = $16,000 | Registration = $0-500,000 per day in income (avg. $16,000)
Breach not. law | $804,000 | Breach Not. Law Mailings = $201 x 4000 Students = $804,000
Lawsuit | $1 Million | Student lawsuit may result as a liability.
Forensic Help | $100,000 | Professional forensic/security help will be necessary to investigate extent of attack and rid system of hacker
FERPA | $1 Million | Violation of FERPA regulation can lead to loss of government aid, assumes negligence.
Statistics from Ponemon Data Breach Study 2014 (sponsored by IBM)
Category | Breach Type / Cost Component | Avg. cost per compromised record
Data breach cost – total | Malicious or criminal attack (44% of breaches) | $246
Data breach cost – total | Employee error (31% of breaches) | $160
Data breach cost – total | System glitch (25% of breaches) | $171
Data breach cost – total | Average | $201
Data breach cost – components | Indirect costs: Internal employee time and abnormal churn of customers | $134
Data breach cost – components | External expenses: forensic expertise, legal advice, victim identity protection services | $67
More 2014 Ponemon Statistics
Industry | Prob. of Breach | Cost per record ($) | Churn rate (%)
Communications | 15.6% | 219 | 1.2
Consumer | 19.9% | 196 | 2.6
Education | 21.1% | 259 | 2.0
Energy | 7.5% | 237 | 4.0
Financial | 17.1% | 236 | 7.1
Health care | 19.2% | 316 | 5.3
Hospitality | 19.5% | 93 | 2.9
Industry | 9.0% | 204 | 3.6
Media | 19.7% | 183 | 1.9
Pharmaceutical | 16.9% | 209 | 3.8
Public sector | 23.8% | 172 | 0.1
Research | 11.5% | 73 | 0.7
Retail | 22.7% | 125 | 1.4
Services | 19.8% | 223 | 4.2
Technology | 18.9% | 181 | 6.3
Transportation | 13.5% | 286 | 5.5
Step 2: Determine Loss Due to Threats
Physical Threats:
• Natural: Flood, fire, cyclones, hail/snow, plagues and earthquakes
• Unintentional: Fire, water, building damage/collapse, loss of utility services and equipment failure
• Intentional: Fire, water, theft and vandalism
Human Threats:
• Ethical/Criminal: Fraud, espionage, hacking, social engineering, identity theft, malware, vandalism, denial of service
• External Environmental: industry competition, contract failure, or changes in market, politics, regulation or tech.
• Internal: management error, IT complexity, organization immaturity, accidental data loss, mistakes, software defects, incompetence and poor risk evaluation
Threat Agent Types
Threat Agent | Motivation | Threat Actions
Hackers/Crackers | Challenge, rebellion | Unauthorized access
Criminals | Financial gain, disclosure, destruction of info. | Fraud, computer crimes
Terrorists/Hostile Intel. Service | Spying, destruction, revenge, extortion | DOS, info warfare
Industry Spies | Competitive advantage | Info theft, econ. exploitation
Insiders | Opportunity, personal issues | Fraud/theft, malware, abuse
Step 2: Determine Threats Due to Vulnerabilities
System Vulnerabilities:
• Behavioral: Disgruntled employee, uncontrolled processes, poor network design, improperly configured equipment
• Misinterpretation: Poorly-defined procedures, employee error, insufficient staff, inadequate mgmt, inadequate compliance enforcement
• Coding Problems: Security ignorance, poorly-defined requirements, defective software, unprotected communication
• Physical Vulnerabilities: Fire, flood, negligence, theft, kicked terminals, no redundancy
Step 3: Estimate Likelihood of Exploitation
Best sources:
Past experience
National & international standards & guidelines: NIPC,
OIG, FedCIRC, mass media
Specialists and expert advice
Economic, engineering, or other models
Market research & analysis
Experiments & prototypes
If no good numbers emerge, estimates can be used, if
management is notified of guesswork
Specific Threats by Organization Size (VERIS Study)
Category | Specific Threats | Small-Medium Org. | Large Businesses
Who: Internal Incidents (14%) | Cashier, waiter, bank teller (financial) | 60% | 14%
Who: Internal Incidents (14%) | End user (mix: finance and espionage) | 13% | 24%
Who: Internal Incidents (14%) | System admin (mainly espionage) | 4% | 31%
Who: External Incidents (92%) | Organized crime (financial) | 57% | 49%
Who: External Incidents (92%) | State-affiliated (espionage) | 20% | 24%
Who: External Incidents (92%) | Activist, Former Employee | <3% | <2%
Malware (40%) | Spyware (keystroke loggers, form grabbers) | 86% | 55%
Malware (40%) | Backdoor (secret computer access) | 51% | 82%
Malware (40%) | Stealing data (mainly for spying) | 54% | 88%
Malware (40%) | Remote control (botnet, backdoor) | 36% | 62%
Hacking (52%) | Password copying or guessing | 73% | 74%
Social (29%) | Phishing (email 79%, in person 13%) | 71% | 82%
Misuse (13%) | Privilege Abuse | 43% | 87%
Misuse (13%) | Unapproved hardware | 52% | 22%
Misuse (13%) | Embezzlement | 54% | 4%
Physical (35%) | Tampering (ATM, PoS device) | 74% | 95%
Error (2%) | Misconfigurations (violations of policy) | Not avail. | Not avail.
Error (67%) | Media confidentiality (loss of media) (29%), user confidentiality (20%), user availability (18%) | Not avail. | Not avail.
Threats by Industry
Adapted: Verizon 2014 Data Breach Investigations Report
Incident patterns are binned by their share of each industry's incidents: 40% or Higher; 20-39%; 10-19%; 5-10%.
Industries, first table: Accommodation, Administrative, Construction, Education, Entertainment, Finance, Healthcare, Information, Management
Patterns as listed on the first table (the industry-to-pattern alignment is not preserved in this extraction): PoS Intrusion 75%; Misc. error 43%; Insider Misuse 27%; Crimeware 33%; Misc. error 20%; DoS 10%; Theft/Loss 12%; Insider Misuse 13%; Theft/Loss 13%; Cyber Espionage 13%; Web App Attack 19%; Theft/Loss 15%; Insider Misuse 8%; Web App Attack 8%; PoS Intrusion 7%; Misc. Error 7%; DoS 32%; Misc. Error 12%; Web App Attack 22%; Insider Misuse 10%; Web App Attack 27%; Payment Card Skimmer 22%; DoS 26%; Insider Misuse 15%; Theft/Loss 46%; Misc. Error 12%; Web App Attack 41%; Crimeware 31%; Web App Attack 11%; DoS 44%; Payment Card Skimmer 11%; Cyber Espionage 11%; Insider Misuse 8%; Crimeware 6%; DoS 6%; PoS Intrusion 7%; Theft/Loss 7%; Insider Misuse 7%; Misc. Error 5%; PoS Intrusion 9%; DoS 9%; Insider Misuse 6%; Theft/Loss 6%; Misc. Error 6%
Industries, second table: Manufacturing, Mining, Trade, Transportation, Utilities, Professional, Public, Real Estate, Retail
Patterns as listed on the second table: Cyber Espionage 30%; DoS 24%; Cyber-Espionage 40%; Insider Misuse 25%; DoS 37%; Cyber Espionage 29%; Misc. Error 34%; Insider Misuse 24%; Crimeware 21%; Insider Misuse 37%; Misc. Error 20%; DoS 33%; PoS Intrusion 31%; Web App Attack 30%; Cyber-Espionage 24%; Web App Attack 38%; Crimeware 31%; Web App Attack 14%; Crimeware 9%; Insider Misuse 8%; Misc. Error 5%; Theft/Loss 10%; Crimeware 5%; Payment Card Skimmer 5%; DoS 5%; Web App Attack 9%; Insider Misuse 6%; Theft/Loss 19%; Theft/Loss 13%; Crimeware 7%; Web App Attack 10%; Web App Attack 10%; Payment Card Skimmer 6%; Crimeware 9%; Misc. Error 9%; PoS Intrusion 6%; Insider Misuse 6%; Theft/Loss 6%; Insider Misuse 16%; Theft/Loss 7%; Web App Attack 15%; Misc. Error 6%; Crimeware 15%; Payment Card Skimmer 5%; DoS 14%; Cyber Espionage 7%
Step 4: Compute Expected Loss: Risk Analysis Strategies
Qualitative: Prioritizes risks so that highest risks can be
addressed first
• Based on judgment, intuition, and experience
• May factor in reputation, goodwill, nontangibles
Quantitative: Measures approximate cost of impact in financial
terms
Semiquantitative: Combination of Qualitative & Quantitative
techniques
Step 4: Compute Loss Using Qualitative Analysis
Qualitative Analysis is used:
• As a preliminary look at risk
• With non-tangibles, such as reputation, image -> market share,
share value
• When there is insufficient information to perform a more
quantified analysis
Vulnerability Assessment Quadrant Map (Workbook)
(Figure: threats plotted by Threat (Probability) on one axis against Vulnerability (Severity) on the other.)
Threats plotted: Snow emergency, Intruder, Hacker/Criminal, Malware, Disgruntled Employee, Flood, Spy, Fire, Terrorist
Step 4: Compute Loss Using Semi-Quantitative Analysis
Impact
1. Insignificant: No meaningful impact
2. Minor: Impacts a small part of the business, < $1M
3. Major: Impacts company brand, > $1M
4. Material: Requires external reporting, > $200M
5. Catastrophic: Failure or downsizing of company
Likelihood
1. Rare
2. Unlikely: Not seen within the last 5 years
3. Moderate: Occurred in last 5 years, but not in last year
4. Likely: Occurred in last year
5. Frequent: Occurs on a regular basis
Risk = Impact * Likelihood
SemiQuantitative Impact Matrix
Rows (Impact, top to bottom): Catastrophic (5), Material (4), Major (3), Minor (2), Insignificant (1)
Columns (Likelihood, left to right): Rare (1), Unlikely (2), Moderate (3), Likely (4), Frequent (5)
Each cell holds Risk = Impact * Likelihood
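Scoring the matrix in code. This is an added example, not code from the slides: it encodes the slide's 1-5 Impact and Likelihood scales and its Risk = Impact * Likelihood formula, builds the 5x5 matrix, and ranks a small risk register so the highest risks come out first. The dollar thresholds are the slide's; the ">= 2 events per year" cut-off for Frequent, treating a never-observed threat as Rare, the High/Medium/Low bands, and every value in the register are assumptions made for the example.

```python
"""Semi-quantitative risk scoring on the slide's 1-5 Impact and Likelihood scales.

Added example, not code from the slides. Risk = Impact * Likelihood and the
dollar thresholds are the slide's. Assumptions: ">= 2 events per year" counts as
Frequent, a never-observed threat is Rare, the High/Medium/Low bands, and the
values in the constructed register.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

IMPACT_LABELS = {1: "Insignificant", 2: "Minor", 3: "Major", 4: "Material", 5: "Catastrophic"}
LIKELIHOOD_LABELS = {1: "Rare", 2: "Unlikely", 3: "Moderate", 4: "Likely", 5: "Frequent"}


def impact_score(loss_usd: float, company_fails: bool = False) -> int:
    """Map an estimated loss to the slide's impact scale.

    Catastrophic (5): failure or downsizing of the company.
    Material (4): > $200M, requires external reporting.
    Major (3): > $1M, impacts company brand.
    Minor (2): a small part of the business, < $1M.
    Insignificant (1): no meaningful impact (assumption: a zero estimate).
    """
    if company_fails:
        return 5
    if loss_usd > 200_000_000:
        return 4
    if loss_usd > 1_000_000:
        return 3
    if loss_usd > 0:
        return 2
    return 1


def likelihood_score(years_since_last: Optional[float], per_year: float = 0.0) -> int:
    """Map occurrence history to the slide's likelihood scale.

    Frequent (5): occurs on a regular basis (assumption: >= 2 per year).
    Likely (4): occurred in the last year.
    Moderate (3): occurred in the last 5 years but not the last year.
    Unlikely (2): not seen within the last 5 years.
    Rare (1): never observed here (years_since_last is None; assumption).
    """
    if per_year >= 2:
        return 5
    if years_since_last is None:
        return 1
    if years_since_last <= 1:
        return 4
    if years_since_last <= 5:
        return 3
    return 2


@dataclass
class Risk:
    name: str
    impact: int
    likelihood: int

    @property
    def score(self) -> int:
        """The slide's Risk = Impact * Likelihood."""
        return self.impact * self.likelihood


def band(score: int) -> str:
    """Heat-map band for a score (thresholds are an assumption)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def impact_matrix() -> List[List[int]]:
    """The 5x5 matrix: rows impact 5..1 top to bottom, columns likelihood 1..5."""
    return [[impact * likelihood for likelihood in range(1, 6)] for impact in range(5, 0, -1)]


def rank(risks: List[Risk]) -> List[Tuple[str, int, str]]:
    """Highest risk first, so it can be addressed first."""
    ordered = sorted(risks, key=lambda r: r.score, reverse=True)
    return [(r.name, r.score, band(r.score)) for r in ordered]


# Constructed register using threats named on the quadrant-map slide; the loss
# estimates and occurrence histories are invented for illustration.
REGISTER = [
    Risk("Malware", impact_score(200_000), likelihood_score(0.5, per_year=3)),
    Risk("Hacker/Criminal", impact_score(2_100_000), likelihood_score(3)),
    Risk("Flood", impact_score(5_000_000), likelihood_score(20)),
    Risk("Snow emergency", impact_score(16_000), likelihood_score(0.3)),
    Risk("Terrorist", impact_score(0, company_fails=True), likelihood_score(None)),
]

if __name__ == "__main__":
    print("Impact \\ Likelihood:", [LIKELIHOOD_LABELS[l] for l in range(1, 6)])
    for impact, row in zip(range(5, 0, -1), impact_matrix()):
        print(f"{IMPACT_LABELS[impact]:14s}", " ".join(f"{v:3d}" for v in row))
    for name, score, b in rank(REGISTER):
        print(f"{name:16s} {score:3d} {b}")
```

With these inputs Malware (2 x 5 = 10) ranks above the Hacker/Criminal scenario (3 x 3 = 9) even though its single-event loss is far smaller, which is exactly the prioritisation the matrix is meant to surface: a cheap, frequent loss can outrank an expensive, occasional one.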
Step 4: Compute Loss Using Quantitative Analysis
Single Loss Expectancy (SLE): The cost to the organization if one threat occurs once
E.g. Stolen laptop = Replacement cost + Cost of installation of special software and data
Assumes no liability
SLE = Asset Value (AV) x Exposure Factor (EF)
With a stolen laptop, EF > 1.0 (the loss exceeds the asset's own value)
Annualized Rate of Occurrence (ARO): Probability or frequency of the threat occurring in one year
If a fire occurs once every 25 years, ARO = 1/25
Annual Loss Expectancy (ALE): The annual expected financial loss to an asset, resulting from a specific threat
ALE = SLE x ARO
Risk Assessment Using Quantitative Analysis
Quantitative:
Cost of HIPAA accident with insufficient protections
SLE = $50K + (1 year in jail:) $100K = $150K
Plus loss of reputation…
Estimate of Time = 10 years or less = 0.1
Annualized Loss Expectancy (ALE)= $150K x .1 =$15K
Annualized Loss Expectancy
Asset Value -> | $1K | $10K | $100K | $1M
Loss once in 1 Yr | 1K | 10K | 100K | 1000K
Loss once in 5 Yrs | 200 | 2K | 20K | 200K
Loss once in 10 Yrs | 100 | 1K | 10K | 100K
Loss once in 20 Yrs | 50 | 1K | 5K | 50K
Asset Costs $10K
Risk of Loss 20% per Year
Over 5 years, average loss = $10K
Spend up to $2K each year to prevent loss
Quantitative Risk (Workbook)
Asset | Threat | Single Loss Expectancy (SLE) | Annualized Rate of Occurrence (ARO) | Annual Loss Expectancy (ALE)
Registration Server | System or Disk Failure | System failure: $10,000; Registration x 2 days: $32,000 | 0.2 (5 years) | $8,400
Registration Server | Hacker penetration | Breach Not. Law: $804,000; Forensic help: $100,000; Registration x 2 days: $32,000 | 0.20 (5 years) | $936,000 x .2 = $187,200
Grades Server | Hacker penetration | Lawsuit: $1 million; FERPA: $1 million; Forensic help: $100,000; Loss of Reputation = | 0.05 (20 years) | $2,110,000 x 0.05 = $105,500
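The SLE, ARO and ALE definitions above, the HIPAA example, the ALE-by-asset-value grid and the three workbook rows can all be driven from a few lines of code. The following is an added example, not code from the slides or the author: the `Scenario` class and the function names are my own, and the dollar amounts are the slides' workbook values re-entered as constructed input. Note that the Grades Server row reaches the slide's $2,110,000 only when the $10,000 server replacement from the Step 1 slide is included alongside the lawsuit, FERPA and forensic figures.

```python
"""SLE, ARO and ALE as defined on the slides, applied to the slides' own figures.

Added example, not code from the slides or the author. The Scenario class and
function names are my own; the dollar amounts are the workbook values from the
slides, re-entered here as constructed input.
"""
from dataclasses import dataclass
from typing import Dict, Iterable


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value (AV) x Exposure Factor (EF).

    EF can exceed 1.0: a stolen laptop costs its replacement plus the
    installation of special software and data.
    """
    return asset_value * exposure_factor


def annualized_rate(years_between_events: float) -> float:
    """ARO: a threat expected once every N years has ARO = 1 / N
    (a fire once in 25 years -> 1/25)."""
    if years_between_events <= 0:
        raise ValueError("years_between_events must be positive")
    return 1.0 / years_between_events


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO."""
    return sle * aro


def spend_ceiling(asset_value: float, years_between_events: float) -> float:
    """The most it is worth spending per year to prevent the loss: the ALE
    (a $10K asset lost once in 5 years -> spend up to $2K a year)."""
    return annual_loss_expectancy(asset_value, annualized_rate(years_between_events))


@dataclass
class Scenario:
    asset: str
    threat: str
    loss_components: Dict[str, float]   # itemised losses summed into the SLE
    years_between_events: float

    @property
    def sle(self) -> float:
        return float(sum(self.loss_components.values()))

    @property
    def aro(self) -> float:
        return annualized_rate(self.years_between_events)

    @property
    def ale(self) -> float:
        return annual_loss_expectancy(self.sle, self.aro)


# The three workbook rows. The Grades Server SLE includes the $10,000 server
# replacement from the Step 1 slide, which is what brings it to $2,110,000.
WORKBOOK = [
    Scenario("Registration Server", "System or disk failure",
             {"System failure": 10_000, "Registration x 2 days": 32_000}, 5),
    Scenario("Registration Server", "Hacker penetration",
             {"Breach notification law": 804_000, "Forensic help": 100_000,
              "Registration x 2 days": 32_000}, 5),
    Scenario("Grades Server", "Hacker penetration",
             {"Replacement": 10_000, "Lawsuit": 1_000_000, "FERPA": 1_000_000,
              "Forensic help": 100_000}, 20),
]


def hipaa_example() -> float:
    """Slide: SLE = $50K fine + $100K (one year in jail) = $150K, once in 10 years."""
    return annual_loss_expectancy(50_000 + 100_000, annualized_rate(10))


def ale_table(asset_values: Iterable[float], horizons_years: Iterable[float]) -> Dict[float, Dict[float, float]]:
    """The slide's ALE grid: expected annual loss of an asset lost once every N years."""
    horizons = list(horizons_years)
    return {av: {n: annual_loss_expectancy(av, annualized_rate(n)) for n in horizons}
            for av in asset_values}


if __name__ == "__main__":
    for s in WORKBOOK:
        print(f"{s.asset:20s} {s.threat:24s} SLE ${s.sle:>12,.0f} ARO {s.aro:.2f} ALE ${s.ale:>10,.0f}")
    print(f"HIPAA example ALE: ${hipaa_example():,.0f}")
    for av, row in ale_table([1_000, 10_000, 100_000, 1_000_000], [1, 5, 10, 20]).items():
        print(f"${av:>10,}: " + "  ".join(f"{n:>2}y ${ale:>10,.0f}" for n, ale in row.items()))
```

Running it reproduces the workbook's $8,400, $187,200 and $105,500, the HIPAA slide's $15K, and the ALE grid; the grid row for a $10K asset lost once in 20 years comes out at $500, which is the arithmetic the slide's table implies.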
Step 5: Treat Risk
Risk Acceptance: Handle attack when necessary
E.g.: Comet hits
Ignore risk if risk exposure is negligible
Risk Avoidance: Stop doing risky behavior
E.g.: Do not use Social Security Numbers
Risk Mitigation: Implement control to minimize vulnerability
E.g. Purchase & configure a firewall
Risk Transference: Pay someone to assume risk for you
E.g., Buy malpractice insurance (doctor)
While financial impact can be transferred, legal responsibility
cannot
Risk Planning: Implement a set of controls
Controls & Countermeasures
Cost of control should never exceed the expected loss assuming
no control
Countermeasure = Targeted Control
• Aimed at a specific threat or vulnerability
• Problem: Firewall cannot process packets fast enough due to IP
packet attacks
• Solution: Add border router to eliminate invalid accesses
Analysis of Risk vs. Controls (Workbook)
Risk | ALE Score | Control | Cost of Control
Stolen Faculty Laptop | $2K; $10,000 (FERPA) | Encryption | $60
Registration System or Disk Failure | $8,400 | RAID (Redundant disks) | $750
Registration Hacker Penetration | $176,800 | Unified Threat Mgmt Firewall | $1K
Cost of Some Controls is shown in Case Study Appendix
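The Risk Leverage formula from the Risk Assessment Overview (exposure removed per dollar of control) and the rule on the Controls & Countermeasures slide (never spend more on a control than the loss it prevents) together decide which rows of the table above are worth funding. The following is an added example, not code from the slides: ALE figures and control costs are the workbook's, while the residual ALE assumed after each control, the extra constructed rows and the $1,000 "negligible exposure" threshold are assumptions of mine.

```python
"""Choosing controls by Risk Leverage and the cost-vs-expected-loss rule.

Added example, not code from the slides. ALE figures and control costs are the
workbook values from the slides; the residual ALE after each control, the
constructed extra rows and the $1,000 "negligible exposure" threshold are
assumptions.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class ControlOption:
    risk: str
    ale_before: float    # annual loss expectancy with no control (exposure before)
    control: str
    annual_cost: float   # cost of the control, compared per year against the ALE
    ale_after: float     # residual ALE with the control in place (assumption)

    @property
    def reduction(self) -> float:
        return self.ale_before - self.ale_after

    @property
    def risk_leverage(self) -> float:
        """Slide formula: (exposure before - exposure after) / cost of reduction."""
        return self.reduction / self.annual_cost

    @property
    def net_benefit(self) -> float:
        return self.reduction - self.annual_cost


def treatment(option: ControlOption, negligible_exposure: float = 1_000.0) -> str:
    """Map the numbers to the slide's treatment choices.

    accept:             exposure is negligible (threshold is an assumption)
    reject control:     the control costs more than the loss it addresses
    mitigate:           each control dollar removes at least a dollar of exposure
    transfer or accept: the control does not pay for itself; insure or retain
    """
    if option.ale_before <= negligible_exposure:
        return "accept"
    if option.annual_cost > option.ale_before:
        return "reject control"
    if option.risk_leverage >= 1.0:
        return "mitigate"
    return "transfer or accept"


def rank_by_leverage(options: List[ControlOption]) -> List[ControlOption]:
    """Worthwhile controls only, best return per dollar first."""
    viable = [o for o in options if treatment(o) == "mitigate"]
    return sorted(viable, key=lambda o: o.risk_leverage, reverse=True)


# Workbook rows from the slides; the laptop ALE is the $2K loss plus the $10,000 FERPA exposure.
WORKBOOK_CONTROLS = [
    ControlOption("Stolen Faculty Laptop", 2_000 + 10_000, "Encryption", 60, ale_after=500),
    ControlOption("Registration System or Disk Failure", 8_400, "RAID (redundant disks)", 750, ale_after=1_000),
    ControlOption("Registration Hacker Penetration", 176_800, "Unified Threat Mgmt Firewall", 1_000, ale_after=50_000),
]

# Constructed rows showing the other outcomes of the decision rule.
COMET = ControlOption("Comet strike", 10, "Underground bunker", 5_000_000, ale_after=0)
GENERATOR = ControlOption("Snow emergency", 3_200, "Backup generator", 5_000, ale_after=400)
BARRIER = ControlOption("Flood", 4_000, "Flood barrier", 3_000, ale_after=2_000)

if __name__ == "__main__":
    for o in WORKBOOK_CONTROLS + [COMET, GENERATOR, BARRIER]:
        print(f"{o.risk:36s} {o.control:28s} leverage {o.risk_leverage:8.2f} -> {treatment(o)}")
```

All three workbook controls clear the bar easily (leverage of roughly 192, 10 and 127), which is the point of the slide: cheap controls against large ALEs are not close calls. The constructed rows show the other branches: a negligible exposure is simply accepted, a generator costing more than the snow-emergency ALE is rejected outright, and a flood barrier whose leverage is below 1 leaves transfer (insurance) or acceptance as the better treatment.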
Extra Step: Step 6: Risk Monitoring
Issue | Status | Cost / Exposure
Stolen Laptop | In investigation | $2k, legal issues
HIPAA Incident Response | Procedure being defined – incident response | $200K
Cost overruns | Internal audit investigation | $400K
HIPAA: Physical security | Training occurred | $200K
Security Dashboard, Heat chart or Stoplight Chart
Report to Mgmt status of security:
• Metrics showing current performance
• Outstanding issues
• Newly arising issues
• How handled – when resolution is expected
Training
Training shall cover:
Importance of following policies & procedures
Clean desk policy
Incident or emergency response
Authentication & access control
Privacy and confidentiality
Recognizing and reporting security incidents
Recognizing and dealing with social engineering
Security Control Baselines & Metrics
Baseline: A measurement of performance
Metrics are regularly and consistently measured, quantifiable, inexpensively collected
Leads to subsequent performance evaluation
E.g. How many viruses is help desk reporting?
(Chart: three metrics, Stolen Laptop, Virus/Worm and % Misuse, plotted on a 0-90 scale for Year 1 through Year 4. Company data - Not real)
Risk Management
Risk Management is aligned with business strategy & direction
Risk mgmt must be a joint effort between all key business units & IS
Business-Driven (not Technology-Driven)
Steering Committee:
• Sets risk management priorities
• Define Risk management objectives to
achieve business strategy
Risk Management Roles
Governance & Sr Mgmt: Allocate resources, assess & use risk assessment results
Info. Security Mgr: Develops, collaborates, and manages IS risk mgmt process
Business Managers (Process Owners): Make difficult decisions relating to priority to achieve business goals
System / Info Owners: Responsible to ensure controls in place to address CIA. Sign off on changes
Chief Info Officer: IT planning, budget, performance incl. risk
IT Security Practitioners: Implement security requirements into IT systems: network, system, DB, app, admin.
Security Trainers: Develop appropriate training materials, including risk assessment, to educate end users.
Due Diligence
Due Diligence = Did careful risk assessment (RA)
Due Care = Implemented recommended controls from RA
Liability minimized if reasonable precautions taken
Senior Mgmt Support
Three Ethical Risk Cases
1. On eve of doomed Challenger space shuttle launch, an executive told another: “Take off your engineering hat and put on your management hat.”
2. In Bhopal, India, a chemical leak killed approx. 3000 people; settlement was < 1/2 Exxon Valdez oil spill’s settlement.
   • Human life = projected income (low in developing nations)
3. The Three Mile Island nuclear disaster was a ‘success’ because no lives were lost
   • Public acceptance of nuclear technologies eroded due to the environmental problems and the proven threat
It is easy to underestimate the cost of others’ lives, when your life is not impacted.
Question
Risk Assessment includes:
1. The steps: risk analysis, risk treatment, risk acceptance, and
risk monitoring
2. Answers the question: What risks are we prone to, and what are the financial costs of these risks?
3. Assesses controls after implementation
4. The identification, financial analysis, and prioritization of
risks, and evaluation of controls
Question
Risk Management includes:
1. The steps: risk analysis, risk treatment, risk acceptance, and
risk monitoring
2. Answers the question: What risks are we prone to, and what are the financial costs of these risks?
3. Assesses controls after implementation
4. The identification, financial analysis, and prioritization of
risks, and evaluation of controls
Question
The FIRST step in Security Risk Assessment is:
1. Determine threats and vulnerabilities
2. Determine values of key assets
3. Estimate likelihood of exploitation
4. Analyze existing controls
Question
Single Loss Expectancy refers to:
1. The probability that an attack will occur in one year
2. The duration of time where a loss is expected to occur (e.g.,
one month, one year, one decade)
3. The cost when the risk occurs to the asset once
4. The average cost of loss of this asset per year
Question
The role(s) responsible for deciding whether risks should be accepted, transferred, or mitigated is:
1. The Chief Information Officer
2. The Chief Risk Officer
3. The Chief Information Security Officer
4. Enterprise governance and senior business management
Question
Which of these risks is best measured using a qualitative process?
1. Temporary power outage in an office building
2. Loss of consumer confidence due to a malfunctioning website
3. Theft of an employee’s laptop while traveling
4. Disruption of supply deliveries due to flooding
Question
The risk that is assumed after implementing controls is known as:
1. Accepted Risk
2. Annualized Loss Expectancy
3. Quantitative risk
4. Residual risk
Question
The primary purpose of risk management is to:
1. Eliminate all risk
2. Find the most cost-effective controls
3. Reduce risk to an acceptable level
4. Determine budget for residual risk
Question
Due Diligence ensures that
1. An organization has exercised the best possible security practices according to best practices
2. An organization has exercised acceptably reasonable security practices addressing all major security areas
3. An organization has implemented risk management and established the necessary controls
4. An organization has allocated a Chief Information Security Officer who is responsible for securing the organization’s information assets
Question
ALE is:
1. The average cost of loss of this asset, for a single incident
2. An estimate using quantitative risk management of the frequency of asset loss due to a threat
3. An estimate using qualitative risk management of the priority of the vulnerability
4. ALE = SLE x ARO
Financial Aspects – Larger Organizations (ADVANCED)
NIST Risk Assessment Methodology
Input | Activity | Output
Hardware, software | System Characterization | System boundary; System functions; System/data criticality; System/data sensitivity
Company history; Intelligence agency data: NIPC, OIG; Audit & test results | Identify Threats; Identify Vulnerabilities | List of threats & vulnerabilities
Current and Planned Controls | Analyze Controls | List of current & planned controls
Threat motivation/capacity | Determine Likelihood | Likelihood Rating
Business Impact Analysis; Data Criticality & Sensitivity analysis | Analyze Impact | Impact Rating
Likelihood of threat exploitation; Magnitude of impact | Determine Risk | Documented Risks
Plan for risk | Recommend Controls | Recommended Controls
 | Document Results | Risk Assessment Report
Metrics & Baselines
Previous history helps to generate an accurate likelihood
A well-selected set of metrics or statistics is:
• Quantifiable
• Collected periodically
• Preferably automated
Example metric: The number of viruses the help desk reports per month
Baseline: a measurement of performance at a particular point in time.
Consistently measured metrics enable you to:
• observe changes in the metrics over time,
• discover trends for future risk analysis,
• measure the effectiveness of controls.
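The three uses listed above (spotting changes against a baseline, finding a trend, and measuring a control's effect) are easy to make concrete on the slide's own example metric. The following is an added example, not code from the slides: the metric is the help-desk virus count per month, the monthly numbers are constructed sample data, and the "2 standard deviations above baseline" alert rule is an assumption.

```python
"""Baseline, anomaly and trend checks on a security metric.

Added example, not code from the slides. The metric is the slide's example
(help-desk virus reports per month); the monthly counts are constructed sample
data and the "2 standard deviations above baseline" rule is an assumption.
"""
from statistics import mean, pstdev
from typing import List, Tuple


def baseline(values: List[float], window: int) -> Tuple[float, float]:
    """Baseline = mean and population std dev of the first `window` measurements."""
    first = values[:window]
    if len(first) < 2:
        raise ValueError("need at least two measurements for a baseline")
    return mean(first), pstdev(first)


def anomalies(values: List[float], window: int, k: float = 2.0) -> List[int]:
    """Indexes (after the baseline window) where the metric exceeds baseline + k*sd."""
    base, sd = baseline(values, window)
    return [i for i, v in enumerate(values) if i >= window and v > base + k * sd]


def trend_slope(values: List[float]) -> float:
    """Least-squares slope per period; positive means the metric is rising."""
    n = len(values)
    if n < 2:
        raise ValueError("need at least two measurements for a trend")
    xs = list(range(n))
    x_bar, y_bar = mean(xs), mean(values)
    num = sum((x - x_bar) * (y - y_bar) for x, y in zip(xs, values))
    den = sum((x - x_bar) ** 2 for x in xs)
    return num / den


def control_effect(before: List[float], after: List[float]) -> float:
    """Percent change in the mean after a control is deployed (negative = improvement)."""
    b, a = mean(before), mean(after)
    return (a - b) / b * 100


# Constructed: twelve months of help-desk virus reports. Months 7, 11 and 12 spike.
MONTHLY_VIRUS_REPORTS = [12, 14, 11, 13, 15, 12, 30, 14, 12, 13, 35, 40]

if __name__ == "__main__":
    base, sd = baseline(MONTHLY_VIRUS_REPORTS, 6)
    print(f"baseline {base:.1f} +/- {sd:.1f} per month")
    print("months above baseline:", [i + 1 for i in anomalies(MONTHLY_VIRUS_REPORTS, 6)])
    print(f"trend: {trend_slope(MONTHLY_VIRUS_REPORTS):+.2f} reports/month")
    print(f"after new AV control: {control_effect([30, 35, 40], [14, 12, 13]):+.1f}%")
```

The first six months set the baseline; months 7, 11 and 12 are flagged because they sit more than two standard deviations above it, the slope over the year is positive, and the before/after comparison is the shape of evidence a steering committee would want when asked whether a control actually worked.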
Layered Risk Management
Process of Assessment: Perform Risk Analysis at all Levels (Strategic, Tactical, Operational), i.e. at the Organizational Level, Business Process, Business Project, IS Project and Operational levels.
At each level, risk assessment should:
• Be consistent with higher levels and related risk assessments
• Be scoped to cohesively focus on selected area
• Consider details associated with the scope or project (e.g., specific software development project)
• Generate a Risk Assessment Report as final output; the report ensures that security controls were tested and pass inspection
• Certify product or area for use
Cost-Benefit Analysis
Internal Rate of Return
Example: Purchase Encryption Software
Net Present Value Calculation
Year | $ Value | Present Value
0 | -3500 | -3500
1 | 1000 | 909.09
2 | 1000 | 826.45
3 | 1000 | 751.31
4 | 1000 | 683.01
5 | 1000 | 620.92
Total | 1500 | 290.78
Explanation
Encryption software costs:
• $35 per license
• 100 laptops with confidential data
• Cost = 3500
Estimated savings for 5 years:
• $1000 per year
• SCBA = -3500 + 5*1000 = 1500
• Discounted interest = 10%.
• NPV = $290.78
• IRR = 13.2%.
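The same cost-benefit figures, computed rather than tabulated. This is an added example, not code from the slides: the cash flows are the slide's encryption-software case (100 laptops at $35 up front, $1,000 saved per year for 5 years, 10% discount rate); finding the IRR by bisection is my choice of method, since the slide states only the result.

```python
"""Cost-benefit analysis of a control: simple CBA, NPV and IRR.

Added example, not code from the slides. The cash flows are the slide's
encryption-software case (100 laptops x $35 up front, $1,000 saved per year
for 5 years, 10% discount rate). Finding the IRR by bisection is my choice of
method; the slide states only the result.
"""
from typing import List, Tuple


def cash_flows(licenses: int, price_per_license: float, annual_saving: float, years: int) -> List[float]:
    """Year-0 outlay (negative) followed by one saving per year."""
    return [-licenses * price_per_license] + [annual_saving] * years


def simple_cba(flows: List[float]) -> float:
    """Undiscounted: SCBA = -cost + sum of savings (-3500 + 5*1000 = 1500)."""
    return sum(flows)


def present_value(amount: float, rate: float, year: int) -> float:
    """Discount a year-N amount back to today."""
    return amount / (1 + rate) ** year


def npv(flows: List[float], rate: float) -> float:
    """Net Present Value: the sum of each year's discounted cash flow."""
    return sum(present_value(f, rate, t) for t, f in enumerate(flows))


def pv_schedule(flows: List[float], rate: float) -> List[Tuple[int, float, float]]:
    """(year, cash flow, present value rounded to cents), like the slide's table."""
    return [(t, f, round(present_value(f, rate, t), 2)) for t, f in enumerate(flows)]


def irr(flows: List[float], lo: float = 0.0, hi: float = 1.0, tol: float = 1e-7) -> float:
    """Internal Rate of Return: the discount rate at which NPV = 0, by bisection.

    Requires NPV(lo) > 0 > NPV(hi), which holds for a normal outlay-then-savings
    stream whose undiscounted savings exceed the outlay.
    """
    if npv(flows, lo) <= 0 or npv(flows, hi) >= 0:
        raise ValueError("IRR is not bracketed by [lo, hi]")
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if npv(flows, mid) > 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


ENCRYPTION = cash_flows(licenses=100, price_per_license=35, annual_saving=1_000, years=5)

if __name__ == "__main__":
    for year, flow, pv in pv_schedule(ENCRYPTION, 0.10):
        print(f"year {year}: {flow:>8.0f}  PV {pv:>9.2f}")
    print(f"SCBA {simple_cba(ENCRYPTION):.0f}  NPV@10% {npv(ENCRYPTION, 0.10):.2f}  IRR {irr(ENCRYPTION):.1%}")
```

Summing the unrounded present values gives $290.79 rather than the slide's $290.78 (the table rounds each year's value to cents before adding). Either way the NPV is positive and the IRR (13.2%) exceeds the 10% discount rate, so the purchase is justified on the slide's own numbers.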
Summary
Risk Assessment Process:
1. Assign Values to Assets
2. Determine Loss due to Threats & Vulnerabilities
3. Estimate Likelihood of Exploitation
4. Compute Expected Loss
5. Treat Risk
Consider:
• Financial Analysis
• Real World Data: Professional versus Own Metrics
• Ethical Impact
• Continual Process
• Coverage – Prioritized versus Complete
HEALTH FIRST CASE STUDY: Analyzing Risk
Cast: Jamie Ramon MD (Doctor); Chris Ramon RD (Dietician); Terry and Pat (a Licensed Software Consultant and a Practicing Nurse)
Step 1: Define Assets
Step 1: Define Assets
Consider Consequential Financial Loss
Asset Name | $ Value, Direct Loss: Replacement | $ Value, Consequential Financial Loss | Confidentiality, Integrity, and Availability Notes
Medical DB | | Daily Operation (DO); Medical Malpractice (M); HIPAA Liability (H); Notification Law Liability (NL) | C? I? A?
Step 1: Define Assets
Consider Consequential Financial Loss
Asset Name | $ Value, Direct Loss: Replacement | $ Value, Consequential Financial Loss | Confidentiality, Integrity, and Availability Notes
Medical DB | | DO+M+H+NL: Daily Operation (DO) $; Medical Malpractice (M) $; HIPAA Liability (H) $; Notification Law Liability (NL) $ | C, I, A
HIPAA Criminal Penalties
Offense | $ Penalty | Imprisonment
Wrongful disclosure of individually identifiable health information | Up to $50K | Up to one year
…committed under false pretenses | Up to $100K | Up to 5 years
… with intent to sell, achieve personal gain, or cause malicious harm | Up to $500K | Up to 10 years
Then consider bad press, state audit, state law penalties, civil lawsuits, lost claims, …
HITECH Act (2009)
Violation category | Each Violation | Max $ Per Year
CE/BA exercised reasonable diligence but did not learn about violation | $100-$50k | $1.5 Million
Violation is due to reasonable cause | $1k-$50k | $1.5 Million
CE/BA demonstrated willful neglect but corrected violation | $10k-$50k | $1.5 Million
CE/BA demonstrated willful neglect and took no corrective action | $50k | $1.5 Million
Penalties are prohibited if problem is corrected within 30 days and no willful neglect
Penalties pay for enforcement and redress for harm caused
Step 2: Estimate Potential Loss for Threats
Step 3: Estimate Likelihood of Exploitation
Normal threats: Threats common to all organizations
Inherent threats: Threats particular to your specific industry
Known vulnerabilities: Previous audit reports indicate
deficiencies.
Step 2: Estimate Potential Loss for Threats
Step 3: Estimate Likelihood of Exploitation
(Quadrant map: threats plotted by Threat (Probability), given as the expected interval and its ARO: 1 week; 1 year; 5 years (.2); 10 years (.1); 20 years (.05); 50 years (.02), against Vulnerability (Severity): Slow Down Business; Temp. Shut Down Business; Threaten Business. Quadrants are numbered 1-4.)
Threats plotted: Hacker/Criminal, Loss of Electricity, Snow Emergency, Malware, Pandemic, Failed Disk, Tornado/Wind Storm, Stolen Laptop, Stolen Backup Tape(s), Flood, Earthquake, Social Engineering, Intruder, Fire
Step 4: Compute Expected Loss
Step 5: Treat Risk
Step 4: Compute E(Loss)
ALE = SLE * ARO
Asset | Threat | Single Loss Expectancy (SLE) | Annualized Rate of Occurrence (ARO) | Annual Loss Expectancy (ALE)
Step 5: Treat Risk
Risk Acceptance: Handle attack
when necessary
Risk Avoidance: Stop doing risky
behavior
Risk Mitigation: Implement
control to minimize vulnerability
Risk Transference: Pay
someone to assume risk for you
Risk Planning: Implement a set
of controls