Understanding Facilitated Risk
Analysis Process (FRAP)
and
Security Policies for Organizations
Infocomm Security
and
Computer Security Institute
23 January 2003
© All rights Reserved, 2002
ABSTRACT

Facilitated Risk Analysis Process (FRAP)

The dictionary defines RISK as "someone or something that creates or suggests a hazard". In today's environment, it is one of the many costs of doing business or providing a service. Information security professionals know and understand that nothing ever runs smoothly for very long. Any manner of internal or external hazard or risk can cause a well-running organization to lose competitive advantage, miss deadlines and/or suffer embarrassment. As security professionals, management looks to us to provide a process that allows for the systematic review of risks, threats, hazards and concerns and provides cost-effective measures to lower risk to an acceptable level. This session will review the current practical application of cost-effective risk analysis.
AGENDA

- Risk Analysis Basics
- Difficulties and Pitfalls
- Making the FRAP a Business Process
- Key FRAP Issues
Effective Risk Analysis

Frequently Asked Questions

- Why should a risk analysis be conducted?
- When should a risk analysis be conducted?
- Who should conduct the risk analysis?
- How long should a risk analysis take?
- What can a risk analysis analyze?
- What can the results of a risk analysis tell an organization?
- Who should review the results of a risk analysis?
- How is the success of the risk analysis measured?
ISO 17799 Information Security Standard

1. Scope

- This standard gives recommendations for information security management for use by those who are responsible for initiating, implementing or maintaining security in their organization.
- It is intended to provide a common basis for developing organizational security standards and effective security management practice and to provide confidence in inter-organizational dealings.
- Recommendations from this standard should be selected and used in accordance with applicable laws and regulations.
2. Terms and definitions

2.1 Information Security
- Confidentiality
- Integrity
- Availability

2.2 Risk Assessment
- Assessment of threats to, impacts on and vulnerabilities of information and information processing facilities and the likelihood of their occurrences

2.3 Risk Management
- Process of identifying, controlling and minimizing or eliminating risks that may affect information systems, for an acceptable cost.
3. Security Policy
- provide management direction and support

4. Asset Classification and Control
- maintain appropriate protection of corporate assets

5. Computer and Network Management
- ensure the correct and secure operation of information processing facilities
- minimize risk of system failures
- protect integrity of software and information
5. Communications and Network Management (continued)
- maintain integrity and availability of information processing and communications
- ensure the safeguarding of information networks and protection of the supporting infrastructure
- prevent damage to assets and interruptions to business activities
- prevent loss, modification or misuse of information exchanged between organizations
6. Security Organization
- manage information security within the enterprise
- maintain security of enterprise information processing facilities and information assets by third parties
- maintain the security of information when the responsibility for information processing has been outsourced to another organization
7. Personnel Security
- reduce risks of human error, theft, fraud or misuse of facilities
- ensure users are aware of information security threats and concerns and are equipped to support the enterprise security policy
- minimize the damage from security incidents and malfunctions
8. Compliance
- avoid breaches of any criminal or civil law, statutory, regulatory or contractual obligations and of any security requirements
- ensure compliance of systems with enterprise security policy and standards
- maximize the effectiveness of and minimize interference to/from the system audit process
9. Physical and Environmental Security
- prevent unauthorized access, damage and interference to business premises and information
- prevent loss, damage or compromise of assets and interruption to business activities
- prevent compromise or theft of information and information processing facilities.
10. System Development and Maintenance
- ensure security is built into operational systems
- prevent loss, modification or misuse of user data in application systems
- protect the confidentiality, authenticity and integrity of information
- ensure IT projects and support activities are conducted in a secure manner
- maintain the security of application system software and data.
11. System Access Control
- control access to information
- prevent unauthorized access to information systems
- ensure the protection of networked services
- prevent unauthorized system access
- detect unauthorized activities
- ensure information security when using mobile computing and networking facilities
12. Business Continuity Planning
- counteract interruptions to business activities and to critical business processes from the effects of major failures or disasters.
The United States National Institute of Standards and Technology (NIST) has published valuable information security documents that can be obtained by accessing their web site at csrc.nist.gov/publications/nistpubs/.

- SP 800-12 An Introduction to Computer Security: The NIST Handbook
- SP 800-18 Guide for Developing Security Plans for Information Technology Systems
- SP 800-26 Security Self-Assessment Guide for Information Technology Systems
- SP 800-30 Risk Management Guide for Information Technology Systems
- SP 800-47 Security Guide for Interconnecting Information Technology Systems
Information protection in quality assurance works with three key elements:

- Integrity - the information is as intended, without inappropriate modification or corruption
- Confidentiality - the information is protected from unauthorized or accidental disclosure
- Availability - authorized users can access applications and systems when required to do their job
No matter what risk analysis process is used, the method is always the same:

- Identify the asset
- Ascertain the risk
- Determine the probability
- Identify the corrective action

Remember - sometimes accepting the risk is the appropriate corrective action.

Definitions

- Threat - an undesirable event
- Impact - effect on the business objectives or mission of the enterprise
- Probability - likelihood that the risk may occur
- Losses - these include direct and indirect loss from:
  - disclosure
  - integrity
  - denial of service
- Accreditation - formal acceptance of a system's overall security by management
- Certification - process of assessing security mechanisms and controls and evaluating their effectiveness.
- Vulnerability - a condition of a missing or ineffectively administered safeguard or control that allows a threat to occur with a greater impact or frequency or both.
Definitions (continued)

- Safeguard/Control - a countermeasure that acts to prevent, detect, or minimize the consequences of threat occurrence.
- Exposure Factor - how much impact or loss of asset value is incurred, from 0% to 100%
- Single-time Loss Algorithm (SLA) - when a threat occurs, how much the loss of asset value is expected to be in monetary terms
- Annualized Rate of Occurrence (ARO) - how often a threat might be expected to happen in a one year period.
Risk Analysis Objectives

- Identify potential undesirable or unauthorized events, "RISKS", that could have a negative impact on the business objectives or mission of the enterprise.
- Identify potential "CONTROLS" to reduce or eliminate the impact of RISK events determined to be of MAJOR concern.
[Diagram: Threats acting on Systems/Applications Supporting Enterprise Operations, and the resulting Potential Damage]

Threats: attempts to access private information, fraud, malicious attacks, sabotage, natural disasters, pranks, user error

Potential Damage: assets lost, customer loss of confidence, sensitive information disclosed, services and benefits interrupted, critical operations halted, integrity of data and reports compromised, failure to meet contractual obligations




- Maintain customer, constituent, stockholder, or taxpayer confidence in the organization
- Protect confidentiality of sensitive information (personal, financial, trade secret, etc.)
- Protect sensitive operational data from inappropriate disclosure
- Avoid third-party liability for illegal or malicious acts committed with the organization's systems
- Ensure that organization computer, network, and data are not misused or wasted
- Avoid fraud
- Avoid expensive and disruptive incidents
- Comply with pertinent laws and regulations
- Avoid a hostile workplace atmosphere

Source: GAO/AIMD-98-68
Risk Management Principles

- Assess risk and determine needs
- Establish a central management focal point
- Implement appropriate policies and related controls
- Promote awareness
- Monitor and evaluate policy and control effectiveness

Source: GAO/AIMD-98-68
Risk Management Cycle

[Diagram: a cycle with a Central Focal Point at its center: Assess Risk & Determine Needs -> Implement Policies & Controls -> Promote Awareness -> Monitor & Evaluate -> back to Assess Risk & Determine Needs]

Source: GAO/AIMD-98-68
Sixteen Practices Employed by Leading Organizations to Implement the Risk Management Cycle

Principle 1. Assess Risk and Determine Needs
  Practices:
  1. Recognize information resources as essential organizational assets
  2. Develop practical risk assessment procedures that link security to business needs
  3. Hold program and business managers accountable
  4. Manage risk on a continuing basis

Principle 2. Establish a Central Management Focal Point
  Practices:
  5. Designate a central group to carry out key activities
  6. Provide the central group ready and independent access to senior executives
  7. Designate dedicated funding and staff
  8. Enhance staff professionalism and technical skills

Principle 3. Implement Appropriate Policies and Related Controls
  Practices:
  9. Link policies to business risks
  10. Distinguish between policies and guidelines
  11. Support policies through central security group

Principle 4. Promote Awareness
  Practices:
  12. Continually educate users and others on the risks and related policies
  13. Use attention-getting and user-friendly techniques

Principle 5. Monitor and Evaluate Policy and Control Effectiveness
  Practices:
  14. Monitor factors that affect risk and indicate security effectiveness
  15. Use results to direct future efforts and hold managers accountable
  16. Be alert to new monitoring tools and techniques
Assess Risk and Determine Needs

- Risk considerations and related cost-benefit trade-offs are the primary focus of a security program.
- Security is not an end in itself.
- Controls and safeguards are identified and implemented to address specific business risks.
- Understanding the business risks associated with information security is the starting point of an effective risk analysis and management program.
Organizations that are most satisfied with their risk analysis procedures are those that have defined a relatively simple process that can be adapted to various organizational units and involved a mix of individuals with knowledge of business operations and technical aspects of the enterprise's systems and security controls.*

*Source: GAO/AIMD-98-68
Facilitated Risk Analysis Process (FRAP)

- FRAP analyzes one system, application or segment of business process at a time
- A team of individuals that includes business managers and support groups is convened
- The team brainstorms potential threats, vulnerabilities and resultant negative impacts to data integrity, confidentiality and availability
- Impacts on business operations are analyzed
- Threats and risks are prioritized
FRAP users believe that the additional effort to develop precisely quantified risks is not cost-effective because:

- such estimates are time consuming
- risk documentation becomes too voluminous for practical use
- specific loss estimates are generally not needed to determine whether controls are needed
After identifying and categorizing risks, the team identifies controls that could mitigate the risk:

- A common group of controls is used as a starting point
- The decision on what controls are needed lies with the business manager
- The team's conclusions as to what risks exist and what controls are needed are documented along with a related action plan for control implementation
- Each risk analysis session takes approximately 4 hours
- Includes 7 to 15 people
- Additional time is required to develop the action plan
- Results remain on file for the same time as audit papers
- The team does not attempt to obtain or develop specific numbers for threat likelihood or annual loss estimates
- It is the team's experience that sets priorities
- After identifying and categorizing risks, the group identifies controls that can be implemented to reduce the risk
  - focusing on cost-effective
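An added example, not part of the original presentation, of the experience-based prioritization a FRAP team performs (impact and probability judged on a qualitative scale, accepting low-priority risks, leaving the control decision with the business manager) and, for contrast, the exposure factor times ARO loss figure from the Definitions slides that the FRAP team deliberately skips. The payroll application, its risks, the 1-3 scale and the threshold of 3 are constructed assumptions.

```python
from dataclasses import dataclass, field
# Qualitative scale the FRAP team applies from experience (assumed 1-3 scale);
# no measured likelihoods or loss figures are collected.
LEVELS = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Risk:
    asset: str          # one system, application or business-process segment
    threat: str         # undesirable event the team brainstormed
    loss_type: str      # disclosure, integrity or denial of service
    impact: str         # effect on business objectives: low / medium / high
    probability: str    # likelihood the risk occurs: low / medium / high
    controls: list = field(default_factory=list)  # candidate safeguards

    def priority(self) -> int:
        """Impact times probability on the 1-3 scale, giving 1 (lowest) to 9."""
        return LEVELS[self.impact] * LEVELS[self.probability]

def prioritize(risks):
    """Rank the brainstormed risks; the top of the list is the team's MAJOR concerns."""
    return sorted(risks, key=lambda r: r.priority(), reverse=True)

def corrective_action(risk, major_threshold=3):
    """Below the threshold the business manager accepts the risk; at or above it a
    control is needed, and choosing it remains the business manager's decision."""
    if risk.priority() < major_threshold:
        return "accept"
    if risk.controls:
        return "mitigate: " + ", ".join(risk.controls)
    return "escalate: business manager must select a control"

def annualized_loss_expectancy(asset_value, exposure_factor, aro):
    """The quantitative figure FRAP skips: single loss = value x EF, annualized = x ARO."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must lie between 0% and 100%")
    return asset_value * exposure_factor * aro

# Constructed sample session for a hypothetical payroll application.
SAMPLE_RISKS = [
    Risk("payroll app", "user error corrupts a pay run", "integrity", "high", "medium",
         ["input validation", "four-eyes approval of pay runs"]),
    Risk("payroll app", "salary data disclosed to staff", "disclosure", "high", "low",
         ["quarterly access review", "encryption of exports"]),
    Risk("payroll app", "prank changes the intranet banner", "integrity", "low", "low"),
    Risk("payroll app", "power outage halts processing", "denial of service", "medium", "medium"),
]
if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(r.priority(), r.loss_type, r.threat, "->", corrective_action(r))
```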
- Business managers bear the primary responsibility for determining the level of protection needed for information resources that support business operations.
- Security professionals must play a strong role in educating and advising management on exposures and possible controls.