Understanding Facilitated Risk Analysis Process (FRAP) and Security Policies for Organizations Infocomm Security and Computer Security Institute 23 January 2003 © All rights Reserved, 2002 ABSTRACT Facilitated Risk Analysis Process (FRAP) The dictionary defines RISK as "someone or something that creates or suggests a hazard". In today's environment, it is one of the many costs of doing business or providing a service. Information security professionals know and understand that nothing ever runs smoothly for very long. Any manner of internal or external hazard or risk can cause a well running organization to lose competitive advantage, miss deadline and/or suffer embarrassment. As security professionals, management is looking to us to provide a process that allows for the systematic review of risk, threats, hazards and concerns and provide costeffective measures to lower risk to an acceptable level. This session will review the current practical application of cost-effective risk analysis. 23 January 2003 © All Rights Reserved AGENDA 23 January 2003 Risk Analysis Basics Difficulties and Pitfalls Making the FRAP a Business Process Key FRAP Issues © All Rights Reserved Effective Risk Analysis Frequently Asked Questions 23 January 2003 Why should a risk analysis be conducted? When should a risk analysis be conducted? Who should conduct the risk analysis? How long should a risk analysis take? What can a risk analysis analyze? What can the results of a risk analysis tell an organization? Who should review the results of a risk analysis? How is the success of the risk analysis measured? © All Rights Reserved Effective Risk Analysis ISO 17799 Information Security Standard 1. Scope 23 January 2003 This standard gives recommendations for information security management for use by those who are responsible for initiating, implementing or maintaining security in their organization. It is intended to provide a common basis for developing organizational security standards and effective security management practice and to provide confidence in inter-organizational dealings. Recommendations from this standard should be selected and used in accordance with applicable laws and regulations. © All Rights Reserved Effective Risk Analysis ISO 17799 Information Security Standard 2. Terms and definitions 23 January 2003 2.1 Information Security Confidentiality Integrity Availability 2.2 Risk Assessment Assessment of threats to, impacts on and vulnerabilities of information and information processing facilities and the likelihood of their occurrences 2.3 Risk Management Process of identifying, controlling and minimizing or eliminating risks that may affect information systems, for an acceptable cost. © All Rights Reserved Effective Risk Analysis ISO 17799 Information Security Standard 3. Security Policy 4. Asset Classification and Control maintain appropriate protection of corporate assets 5. Computer and Network Management 23 January 2003 provide management direction and support ensure the correct and secure operation of information processing facilities minimize risk of system failures protect integrity of software and information © All Rights Reserved Effective Risk Analysis ISO 17799 Information Security Standard 5. Communications and Network Management 23 January 2003 maintain integrity and availability of information processing and communications ensure the safeguarding of information networks and protection of the supporting infrastructure prevent damage to assets and interruptions to business activities prevent loss, modification or misuse exchanged between organizations © All Rights Reserved Effective Risk Analysis ISO 17799 Information Security Standard 6. Security Organization 23 January 2003 to manage information security within the enterprise maintain security of enterprise information processing facilities and information assets by third parties maintain the security of information when the responsibility for information processing has been outsourced to another organization © All Rights Reserved Effective Risk Analysis ISO 17799 Information Security Standard 7. Personnel Security 23 January 2003 to reduce risks of human error, theft, fraud or misuse of facilities ensure user are aware of information security threats and concerns and are equipped to support the enterprise security policy minimize the damage from security incidents and malfunctions © All Rights Reserved Effective Risk Analysis ISO 17799 Information Security Standard 8. Compliance 23 January 2003 to avoid breaches of any criminal or civil law, statutory, regulatory or contractual obligations and of any security requirements ensure compliance of systems with enterprise security policy and standards maximize the effectiveness of and to minimize interference to/from system audit process © All Rights Reserved Effective Risk Analysis ISO 17799 Information Security Standard 9. Physical and Environmental Security 23 January 2003 to prevent unauthorized access, damage and interference to business premises and information prevent loss, damage or compromise of assets and interruption to business activities prevent compromise or theft of information and information processing facilities. © All Rights Reserved Effective Risk Analysis ISO 17799 Information Security Standard 10. System Development and Maintenance 23 January 2003 ensure security is built into operational systems prevent loss, modification or misuse of user data in application systems protect the confidentiality, authenticity and integrity of information ensure IT projects and support activities are conducted in a secure manner maintain the security of application system software and data. © All Rights Reserved Effective Risk Analysis ISO 17799 Information Security Standard 11. System Access Control 23 January 2003 control access to information prevent unauthorized access to information systems ensure the protection of networked services prevent unauthorized system access detect unauthorized activities ensure information security when using mobile computing and networking facilities © All Rights Reserved Effective Risk Analysis ISO 17799 Information Security Standard 12. Business Continuity Planning 23 January 2003 counteract interruptions to business activities and to critical business processes from the effects of major failures or disasters. © All Rights Reserved Effective Risk Analysis The United States National Institute of Standards and Technology (NIST) has published valuable information security documents that can be obtained by accessing their web site at csrc.nist.gov/publications/nistpubs/. SP 800-12An Introduction to Computer Security: The NIST Handbook SP 800-18Guide for Developing Security Plans for Information Technology Systems SP 800-26Security Self-Assessment Guide for Information Technology Systems SP 800-30Risk Management Guide for Information Technology Systems SP 800-47Security Guide for Interconnecting Information Technology Systems 23 January 2003 © All Rights Reserved Effective Risk Analysis Information protection in quality assurance works with three key elements: 23 January 2003 Integrity - the information is as intended without inappropriate modification or corruption Confidentiality - the information is protected from unauthorized or accidental disclosure Availability - authorized users can access applications and systems when required to do their job © All Rights Reserved Effective Risk Analysis No matter what risk analysis process is used, the method is always the same: Identify the asset Ascertain the risk Determine the probability Identify the corrective action Remember - sometimes accepting the risk is the appropriate corrective action. 23 January 2003 © All Rights Reserved Effective Risk Analysis 23 January 2003 © All Rights Reserved Effective Risk Analysis Definitions Threat - an undesirable event Impact - Effect on the business objectives or mission of the enterprise Probability - Likelihood that the risk may occur Losses - these include direct and indirect loss 23 January 2003 disclosure integrity denial of service © All Rights Reserved Effective Risk Analysis Accreditation - formal acceptance of system’s overall security by management Certification - process of assessing security mechanisms and controls and evaluating their effectiveness. Vulnerability - a condition of a missing or ineffectively administered safeguard or control that allows a threat to occur with a greater impact or frequency or both. 23 January 2003 © All Rights Reserved Effective Risk Analysis Definitions Safeguard/Control - a countermeasure that acts to prevent, detect, or minimize the consequences of threat occurrence. Exposure Factor - how much impact or loss of asset value is incurred 23 January 2003 from 0% to 100% Single-time Loss Algorithm (SLA) - when a threat occurs, how much the loss of asset value is expected to be in monetary terms Annualized Rate of Occurrence (ARO) - how often a threat might be expected to happen in a one year period. © All Rights Reserved Effective Risk Analysis Risk Analysis Objectives Identify potential undesirable or unauthorized events, “RISKS”, that could have a negative impact on the business objectives or mission of the enterprise. Identify potential “CONTROLS” to reduce or eliminate the impact of RISK events determined to be of MAJOR concern. 23 January 2003 © All Rights Reserved Effective Risk Analysis Attempts to access private information Fraud Malicious attacks Threats Sabotage Natural disasters Pranks User error Systems/Applications Supporting Enterprise Operations Assets lost Customer loss of confidence 23 January 2003 Sensitive information disclosed Services and benefits interrupted Potential Damage Critical operations halted © All Rights Reserved Integrity of data and reports compromised Failure to meet contractual obligations Effective Risk Analysis Maintain customer, constituent, stockholder, or taxpayer confidence in the organization Protect confidentiality of sensitive information (personal, financial, trade secret, etc.) Protect sensitive operational data for inappropriate disclosure Avoid third-party liability for illegal or malicious acts committed with the organization’s systems 23 January 2003 Source GAO/AIMD 98-68 Ensure that organization computer, network, and data are not misused or wasted Avoid fraud Avoid expensive and disruptive incidents Comply with pertinent laws and regulations Avoid a hostile workplace atmosphere © All Rights Reserved Effective Risk Analysis Risk Management Principles Assess risk and determine needs Establish a central management focal point Implement appropriate policies and related controls Promote awareness Monitor and evaluate policy and control effectiveness 23 January 2003 Source GAO/AIMD 98-68 © All Rights Reserved Effective Risk Analysis Risk Management Cycle Assess Risk & Determine Needs Implement Policies & Controls Central Focal Point Promote Awareness 23 January 2003 Source GAO/AIMD 98-68 © All Rights Reserved Monitor & Evaluate Effective Risk Analysis Sixteen Practices Employed by Leading Organizations to Implement the Risk Management Cycle Principle 1. Assess Risk and Determine Needs 23 January 2003 Practices 1. Recognize information resources as essential organizational assets 2. Develop practical risk assessment procedures that link security to business needs 3. Hold program and business managers accountable 4. Manage risk on a continuing basis © All Rights Reserved Effective Risk Analysis Sixteen Practices Employed by Leading Organizations to Implement the Risk Management Cycle Principle Practices 2. Establish a Central Management Focal Point 23 January 2003 5. Designate a central group to carry out key activities 6. Provide the central group ready and independent access to senior executives 7. Designate dedicated funding and staff 8. Enhance staff professionalism and technical skills © All Rights Reserved Effective Risk Analysis Sixteen Practices Employed by Leading Organizations to Implement the Risk Management Cycle Principle Practices 3. Implement Appropriate Policies and Related Controls 23 January 2003 9. Link policies to business risks 10. Distinguish between policies and guidelines 11. Support policies through central security group © All Rights Reserved Effective Risk Analysis Sixteen Practices Employed by Leading Organizations to Implement the Risk Management Cycle Principle 4. Promote Awareness 23 January 2003 Practices 12. Continually educate users and others on the risks and related policies 13. Use attention-getting and userfriendly techniques © All Rights Reserved Effective Risk Analysis Sixteen Practices Employed by Leading Organizations to Implement the Risk Management Cycle Principle 5. Monitor and Evaluate Policy and Control Effectiveness 23 January 2003 Practices 14. Monitor factors that affect risk and indicate security effectiveness 15. Use results to direct future efforts and hold managers accountable 16. Be alert to new monitoring tools and techniques © All Rights Reserved Effective Risk Analysis Assess Risk and Determine Needs Risk considerations and related cost-benefit trade-off are the primary focus of a security program. Security is not an end in itself Controls and safeguards are identifies and implemented to address specific business risks Understanding the business risks associated with information security is the starting point of an effective risk analysis and management program 23 January 2003 © All Rights Reserved Effective Risk Analysis Organizations that are most satisfied with their risk analysis procedures are those that have defined a relatively simple process that can be adapted to various organizational units and involved a mix of individuals with knowledge of business operations and technical aspects of the enterprise’s systems and security controls.* *Source 98-68 23 January GAO/AIMD 2003 © All Rights Reserved Effective Risk Analysis Facilitated Risk Analysis Process (FRAP) 23 January 2003 FRAP analyzes one system, application or segment of business process at a time Team of individuals that include business managers and support groups is convened Team brainstorms potential threats, vulnerabilities and resultant negative impacts to data integrity, confidentiality and availability Impacts are analyzed to business operations Threats and risks are prioritized © All Rights Reserved Effective Risk Analysis Facilitated Risk Analysis Process (FRAP) The FRAP users believe that additional effort to develop precisely quantified risks are not cost effective because: 23 January 2003 such estimates are time consuming risk documentation becomes too voluminous for practical use specific loss estimates are generally not needed to determine if controls are needed © All Rights Reserved Effective Risk Analysis Facilitated Risk Analysis Process (FRAP) After identifying and categorizing risks, the Team identifies controls that could mitigate the risk 23 January 2003 A common group of controls are used as a starting point The decision for what controls are needed lies with the business manager The Team’s conclusions as to what risks exist and what controls are needed are documented along with a related action plan for control implementation © All Rights Reserved Effective Risk Analysis Facilitated Risk Analysis Process (FRAP) 23 January 2003 Each risk analysis session takes approximately 4 hours Includes 7 to 15 people Additional time is required to develop the action plan Results remain on file for same time as Audit papers © All Rights Reserved Effective Risk Analysis Facilitated Risk Analysis Process (FRAP) Team does not attempt to obtain or develop specific numbers for threat likelihood or annual loss estimates It is the team’s experience that sets priorities After identifying and categorizing risks, the groups identifies controls that can be implemented to reduce the risk 23 January 2003 focusing on cost-effective © All Rights Reserved Effective Risk Analysis Business managers bear the primary responsibility for determining the level of protection needed for information resources that support business operations. Security professionals must play a strong role in educating and advising management on exposures and possible controls. 23 January 2003 © All Rights Reserved Understanding Facilitated Risk Analysis Process (FRAP) and Security Policies for Organizations Infocomm Security and Computer Security Institute 23 January 2003 © All rights Reserved, 2002