Security Risk Management
Paula Kiernan, Ward Solutions

Session Prerequisites
• Basic understanding of network security fundamentals
• Basic understanding of security risk management concepts
Level 300

Target Audience
This session is primarily intended for:
• Systems architects and planners
• Members of the information security team
• Security and IT auditors
• Senior executives, business analysts, and business decision makers
• Consultants and partners

Session Overview
• Security Risk Management Concepts
• Identifying Security Risk Management Prerequisites
• Assessing Risk
• Conducting Decision Support
• Implementing Controls and Measuring Program Effectiveness

Security Risk Management Concepts

Why Develop a Security Risk Management Process?
Security risk management: a process for identifying, prioritizing, and managing risk to an acceptable level within the organization.
Developing a formal security risk management process can address the following:
• Threat response time
• Regulatory compliance
• Infrastructure management costs
• Risk prioritization and management

Identifying Success Factors That Are Critical to Security Risk Management
Key factors in implementing a successful security risk management program include:
• Executive sponsorship
• Well-defined list of risk management stakeholders
• Organizational maturity in terms of risk management
• An atmosphere of open communication and teamwork
• A holistic view of the organization
• Security risk management team authority

Comparing Approaches to Risk Management
Many organizations have approached security risk management by adopting one of the following:
• Reactive approach: a process that responds to security events as they occur
• Proactive approach: the adoption of a process that reduces the risk of new vulnerabilities in your organization

Comparing Approaches to Risk Prioritization
Quantitative
  Benefits:
  • Risks prioritized by financial impact; assets prioritized by their financial values
  • Results facilitate management of risk by return on security investment
  • Results can be expressed in management-specific terminology
  Drawbacks:
  • Impact values assigned to risks are based upon subjective opinions of the participants
  • Very time-consuming
  • Can be extremely costly
Qualitative
  Benefits:
  • Enables visibility and understanding of risk ranking
  • Easier to reach consensus
  • Not necessary to quantify threat frequency
  • Not necessary to determine financial values of assets
  Drawbacks:
  • Insufficient granularity between important risks
  • Difficult to justify investing in controls, as there is no basis for a cost-benefit analysis
  • Results dependent upon the quality of the risk management team that is created

Introducing the Microsoft Security Risk Management Process
The process is a cycle of four phases:
1. Assessing Risk
2. Conducting Decision Support
3. Implementing Controls
4. Measuring Program Effectiveness

Identifying Security Risk Management Prerequisites

Risk Management vs. Risk Assessment
             Risk Management                                    Risk Assessment
Goal         Manage risks across business to acceptable level  Identify and prioritize risks
Cycle        Overall program across all four phases            Single phase of risk management program
Schedule     Scheduled activity                                 Continuous activity
Alignment    Aligned with budgeting cycles                      Not applicable

Communicating Risk
The elements of a risk statement, and the question each one answers:
• Asset: What are you trying to protect?
• Threat: What are you afraid of happening?
• Vulnerability: How could the threat occur?
• Mitigation: What is currently reducing the risk?
• Impact: What is the impact to the business?
• Probability: How likely is the threat given the controls?
Together, these elements form a well-formed risk statement.

Determining Your Organization's Risk Management Maturity Level
Publications to help you determine your organization's risk management maturity level include:
• National Institute of Standards and Technology, Security Self-Assessment Guide for Information Technology Systems (SP 800-26)
• IT Governance Institute, Control Objectives for Information and Related Technology (CobiT)
• International Organization for Standardization, Code of Practice for Information Security Management (ISO 17799)

Performing a Risk Management Maturity Self-Assessment
Level  State
0      Non-existent
1      Ad hoc
2      Repeatable
3      Defined process
4      Managed
5      Optimized

Defining Roles and Responsibilities
• Executive Sponsor ("What's important?"): determine acceptable risk
• Information Security Group ("Prioritize risks"): assess risks, define security requirements, measure security solutions
• IT Group ("Best control solution"): design and build security solutions, operate and support security solutions

Assessing Risk

Overview of the Assessing Risk Phase
Phase 1 of the four-phase process. Its steps are:
• Plan risk data gathering
• Gather risk data
• Prioritize risks

Understanding the Planning Step
The primary tasks in the planning step include the following:
• Alignment
• Scoping
• Stakeholder acceptance
• Setting expectations

Understanding Facilitated Data Gathering
Elements collected during facilitated data gathering include:
• Organizational assets
• Asset description
• Security threats
• Vulnerabilities
• Current control environment
• Proposed controls
Keys to successful data gathering include:
• Meet collaboratively with stakeholders
• Build support
• Understand the difference between discussing and interrogating
• Build goodwill
• Be prepared

Identifying and Classifying Assets
An asset is anything of value to the organization and can be classified as one of the following:
• High business impact
• Moderate business impact
• Low business impact

Organizing Risk Information
Use the following questions as an agenda during facilitated discussions:
• What asset are you protecting?
• How valuable is the asset to the organization?
• What are you trying to avoid happening to the asset?
• How might loss or exposure occur?
• What is the extent of potential exposure to the asset?
• What are you doing today to reduce the probability or the extent of damage to the asset?
• What are some actions that you can take to reduce the probability in the future?

Estimating Asset Exposure
Exposure: the extent of potential damage to an asset. Use the following guidelines to estimate asset exposure:
• High exposure: severe or complete loss of the asset
• Medium exposure: limited or moderate loss
• Low exposure: minor or no loss

Estimating Probability of Threats
Use the following guidelines to estimate the probability for each threat and vulnerability identified:
• High probability: likely; one or more impacts expected within one year
• Medium probability: probable; impact expected within two to three years
• Low probability: not probable; impact not expected to occur within three years

Facilitating Risk Discussions
The facilitated risk discussion meeting is divided into the following sections:
1. Determining Organizational Assets and Scenarios
2. Identifying Threats
3. Identifying Vulnerabilities
4. Estimating Asset Exposure
5. Estimating Probability of Exploit and Identifying Existing Controls
6. Meeting Summary and Next Steps

Defining Impact Statements
Impact data includes the following information:

Understanding Risk Prioritization
The prioritization flow runs: start risk prioritization → conduct summary-level risk prioritization → summary-level risk list → review with stakeholders → conduct detailed-level risk prioritization → detailed-level risk list → end of risk prioritization.

Conducting Summary-Level Risk Prioritization
The summary-level prioritization process includes the following:
1. Determine impact level
2. Estimate summary-level probability, using the same scale as above (High: likely, one or more impacts expected within one year; Medium: probable, impact expected within two to three years; Low: not probable, impact not expected to occur within three years)
3. Complete the summary-level risk list
4. Review with stakeholders

Conducting Detailed-Level Risk Prioritization
The following four tasks outline the process to build a detailed-level list of risks:
1. Determine impact and exposure
2. Identify current controls
3. Determine probability of impact
4. Determine detailed risk level
Use the Detailed-Level Risk Prioritization template (SRJA3-Detailed Level Risk Prioritization.xls).

Quantifying Risk
The following tasks outline the process to determine the quantitative value:
1. Assign a monetary value to each asset class
2. Input the asset value for each risk
3. Produce the single-loss expectancy (SLE) value: the asset value multiplied by the exposure factor, the fraction of the asset's value lost in one incident
4. Determine the annual rate of occurrence (ARO): how many times per year the loss is expected
5. Determine the annual loss expectancy (ALE): ALE = SLE × ARO

Assessing Risk: Best Practices
• Analyze risks during the data gathering process
• Conduct research to build credibility for estimating probability
• Communicate risk in business terms
• Reconcile new risks with previous risks
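The following Python is an added example written for this page; it is not code from the deck or from the Microsoft Security Risk Management Guide. It models the elements of a well-formed risk statement from the Communicating Risk slide, ranks risks with the summary-level impact and probability scales described above, computes SLE, ARO and ALE for the quantitative approach, and rolls the result up per defense-in-depth layer in the form the scorecard later in the session uses. The 3x3 risk-level matrix, the ARO assigned to each probability class, the exposure factors and the four sample risks are assumptions made for illustration; the guide's own templates should be used for a real assessment.

```python
"""Added example: summary-level and quantitative risk prioritization.

The H/M/L matrix, the ARO per probability class, the exposure factors and
the sample risks are assumptions for illustration, not the guide's templates.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

LEVEL_SCORE = {"L": 1, "M": 2, "H": 3}

# Assumed annual rate of occurrence per probability class, read off the
# definitions on the slide: High = one or more impacts a year, Medium = one
# impact in two to three years (1/2.5), Low = not within three years (1/10).
ARO_BY_PROBABILITY = {"H": 1.0, "M": 0.4, "L": 0.1}


@dataclass(frozen=True)
class RiskStatement:
    """Elements of a well-formed risk statement plus the quantitative inputs."""
    asset: str
    threat: str
    vulnerability: str
    current_controls: str       # mitigation already in place
    impact: str                 # business impact class of the asset: H, M or L
    probability: str            # likelihood given current controls: H, M or L
    asset_value: float          # monetary value assigned to the asset class
    exposure_factor: float      # fraction of asset value lost in one incident (0..1)
    layer: str                  # defense-in-depth layer that owns the control


def summary_risk_level(impact: str, probability: str) -> str:
    """Assumed 3x3 matrix combining impact and probability into H, M or L."""
    if impact not in LEVEL_SCORE or probability not in LEVEL_SCORE:
        raise ValueError("impact and probability must be H, M or L")
    score = LEVEL_SCORE[impact] + LEVEL_SCORE[probability]
    if score >= 5:      # H/H, H/M, M/H
        return "H"
    if score == 4:      # H/L, M/M, L/H
        return "M"
    return "L"          # M/L, L/M, L/L


def single_loss_expectancy(risk: RiskStatement) -> float:
    """SLE: loss from one occurrence = asset value x exposure factor."""
    if not 0.0 <= risk.exposure_factor <= 1.0:
        raise ValueError("exposure_factor must be between 0 and 1")
    return risk.asset_value * risk.exposure_factor


def annual_loss_expectancy(risk: RiskStatement) -> float:
    """ALE: expected yearly loss = SLE x ARO."""
    return single_loss_expectancy(risk) * ARO_BY_PROBABILITY[risk.probability]


def prioritize(risks: Sequence[RiskStatement]) -> List[Tuple[str, float, RiskStatement]]:
    """Summary-level risk list: highest H/M/L first, ties broken by ALE."""
    def key(risk: RiskStatement):
        level = summary_risk_level(risk.impact, risk.probability)
        return (LEVEL_SCORE[level], annual_loss_expectancy(risk))
    ranked = sorted(risks, key=key, reverse=True)
    return [(summary_risk_level(r.impact, r.probability),
             round(annual_loss_expectancy(r), 2), r) for r in ranked]


def scorecard(risks: Sequence[RiskStatement]) -> Dict[str, str]:
    """Roll the highest risk level up to each defense-in-depth layer."""
    card: Dict[str, str] = {}
    for risk in risks:
        level = summary_risk_level(risk.impact, risk.probability)
        if risk.layer not in card or LEVEL_SCORE[level] > LEVEL_SCORE[card[risk.layer]]:
            card[risk.layer] = level
    return card


# Constructed sample risks; the assets, values and ratings are invented.
SAMPLE_RISKS = (
    RiskStatement("Customer database", "Theft of customer records",
                  "Unpatched database server reachable from the whole intranet",
                  "Perimeter firewall only", impact="H", probability="M",
                  asset_value=2_000_000.0, exposure_factor=0.5, layer="Data"),
    RiskStatement("Public web server", "Defacement",
                  "Weak administrator password", "None", impact="M", probability="H",
                  asset_value=200_000.0, exposure_factor=0.25, layer="Application"),
    RiskStatement("E-mail server", "Outage caused by a worm",
                  "Missing patches", "Antivirus on the host", impact="M", probability="M",
                  asset_value=180_000.0, exposure_factor=0.5, layer="Host"),
    RiskStatement("Lobby kiosk", "Theft of the hardware",
                  "Unsecured in a public area", "Badge access to the lobby",
                  impact="L", probability="L",
                  asset_value=5_000.0, exposure_factor=1.0, layer="Physical"),
)

if __name__ == "__main__":
    for level, ale, risk in prioritize(SAMPLE_RISKS):
        print(f"{level}  ALE={ale:>10,.0f}  {risk.asset}: {risk.threat}")
    print(scorecard(SAMPLE_RISKS))
```

The ordinal level decides the order and the ALE only breaks ties, which mirrors the session's sequence: a qualitative summary-level list first, then quantitative detail for the risks that rank highest.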
Conducting Decision Support

Overview of the Decision Support Phase
Phase 2 of the four-phase process. Its six steps are:
1. Define functional requirements
2. Identify control solutions
3. Review solutions against requirements
4. Estimate degree of risk reduction
5. Estimate cost of each solution
6. Select the risk mitigation strategy

Identifying Output for the Decision Support Phase
Key elements to gather include:
• Decision on how to handle each risk
• Functional requirements
• Potential control solutions
• Risk reduction of each control solution
• Estimated cost of each control solution
• List of control solutions to be implemented

Considering the Decision Support Options
Options for handling risk:
• Accepting the current risk
• Implementing controls to reduce risk

Overview of the Identifying and Comparing Controls Process
• Mitigation owner: identifies potential control solutions; determines types of costs
• Security risk management team: estimates level of risk reduction
• Security steering committee: produces the final list of control solutions

Step 1: Define Functional Requirements
Step 2: Identify Control Solutions (mitigation owner)
Step 3: Review Solutions Against Requirements
Step 4: Estimate Degree of Risk Reduction (security risk management team)
Step 5: Estimate Cost of Each Solution (mitigation owner)
Step 6: Select the Risk Mitigation Strategy (security steering committee)
Each step has its own slide, which highlights that step on the swim-lane diagram shared by all six; the lanes are the security risk management team, the mitigation owner and the security steering committee.
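As an added example, not taken from the deck or the guide, the following Python carries the six decision-support steps through for a single risk: the functional requirements are the input of step 1, the candidate list is the output of step 2, candidates that miss a requirement are dropped (step 3), risk reduction is expressed as the drop in annual loss expectancy (step 4), cost is annualised (step 5), and the control with the largest positive net benefit is selected, or the current risk is accepted when no eligible control pays for itself (step 6, covering both decision-support options). The requirement identifiers, costs, lifetimes and residual ALE figures, and the straight-line amortisation of one-time cost over a control's lifetime, are constructed assumptions.

```python
"""Added example: accept the current risk or implement a control.

Requirement ids, costs, lifetimes and residual ALE values are constructed for
illustration; they are not figures from the deck or the guide.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence


@dataclass(frozen=True)
class Control:
    name: str
    meets: FrozenSet[str]          # functional requirements the control satisfies
    acquisition_cost: float        # one-time cost, spread over lifetime_years
    annual_operating_cost: float   # recurring cost per year
    residual_ale: float            # expected annual loss with the control in place
    lifetime_years: int = 3        # assumed straight-line amortisation period


@dataclass(frozen=True)
class Decision:
    action: str                    # "mitigate" or "accept"
    control: Optional[str]         # best eligible candidate, None if none qualified
    risk_reduction: float          # current ALE minus residual ALE, per year
    annual_cost: float
    net_benefit: float             # risk_reduction minus annual_cost


def annual_cost(control: Control) -> float:
    """Step 5: annualise the one-time cost and add the recurring cost."""
    if control.lifetime_years <= 0:
        raise ValueError("lifetime_years must be positive")
    return control.acquisition_cost / control.lifetime_years + control.annual_operating_cost


def risk_reduction(current_ale: float, control: Control) -> float:
    """Step 4: degree of risk reduction as the drop in annual loss expectancy."""
    return current_ale - control.residual_ale


def net_benefit(current_ale: float, control: Control) -> float:
    """Loss avoided per year minus what the control costs per year."""
    return risk_reduction(current_ale, control) - annual_cost(control)


def meets_requirements(requirements: FrozenSet[str], control: Control) -> bool:
    """Step 3: only controls that satisfy every functional requirement go forward."""
    return requirements <= control.meets


def select_mitigation(current_ale: float, requirements: FrozenSet[str],
                      candidates: Sequence[Control]) -> Decision:
    """Step 6: implement the eligible control with the largest positive net
    benefit; otherwise the decision is to accept the current risk."""
    eligible = [c for c in candidates if meets_requirements(requirements, c)]
    if not eligible:
        return Decision("accept", None, 0.0, 0.0, 0.0)
    best = max(eligible, key=lambda c: net_benefit(current_ale, c))
    benefit = net_benefit(current_ale, best)
    # A control that does not pay for itself is not adopted, however effective.
    action = "mitigate" if benefit > 0 else "accept"
    return Decision(action, best.name, risk_reduction(current_ale, best),
                    annual_cost(best), benefit)


# Constructed scenario 1: a customer database with a current ALE of 400,000.
DATABASE_ALE = 400_000.0
DATABASE_REQUIREMENTS = frozenset({"patch-within-30-days", "app-tier-only-access"})
DATABASE_CANDIDATES = (
    Control("Network segmentation plus patch management",
            frozenset({"patch-within-30-days", "app-tier-only-access"}),
            acquisition_cost=90_000.0, annual_operating_cost=30_000.0, residual_ale=80_000.0),
    Control("Host intrusion prevention only",          # cheap, but misses a requirement
            frozenset({"app-tier-only-access"}),
            acquisition_cost=40_000.0, annual_operating_cost=10_000.0, residual_ale=150_000.0),
    Control("Migrate to a managed database service",   # effective, but costs more than it saves
            frozenset({"patch-within-30-days", "app-tier-only-access"}),
            acquisition_cost=1_200_000.0, annual_operating_cost=200_000.0, residual_ale=20_000.0),
)

# Constructed scenario 2: a lobby kiosk whose only candidate control breaks even.
KIOSK_ALE = 500.0
KIOSK_CANDIDATES = (
    Control("Locking enclosure", frozenset(), acquisition_cost=2_000.0,
            annual_operating_cost=0.0, residual_ale=100.0, lifetime_years=5),
)

if __name__ == "__main__":
    print(select_mitigation(DATABASE_ALE, DATABASE_REQUIREMENTS, DATABASE_CANDIDATES))
    print(select_mitigation(KIOSK_ALE, frozenset(), KIOSK_CANDIDATES))
```

Two edge cases are handled deliberately: a candidate that fails a functional requirement never reaches the cost comparison, however cheap it is, and a control whose annual cost equals or exceeds the loss it avoids leaves the decision at "accept", the first of the two decision-support options. The Decision record keeps the closest candidate's figures either way, so the stakeholder review sees why a risk was accepted.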
Conducting Decision Support: Best Practices
• Consider assigning a security technologist to each identified risk
• Set reasonable expectations
• Build team consensus
• Focus on the amount of risk after the mitigation solution

Implementing Controls and Measuring Program Effectiveness

Implementing Controls
Phase 3 of the four-phase process:
• Seek a holistic approach
• Organize by defense-in-depth

Organizing the Control Solutions
Critical success determinants to organizing control solutions include:
• Communication
• Team scheduling
• Resource requirements

Organizing by Defense-in-Depth
Layers: Physical, Network, Host, Application, Data

Measuring Program Effectiveness
Phase 4 of the four-phase process:
• Develop scorecard
• Measure control effectiveness

Developing Your Organization's Security Risk Scorecard
A simple security risk scorecard organized by the defense-in-depth layers might look like this (risk levels H, M, L):

Layer        FY05 Q1  FY05 Q2  FY05 Q3  FY05 Q4
Physical     H        M
Network      M        M
Host         M        M
Application  M        H
Data         L        L

Measuring Control Effectiveness
Methods to measure the effectiveness of implemented controls include:
• Direct testing
• Submitting periodic compliance reports
• Evaluating widespread security incidents

Session Summary
• One common thread between most risk management methodologies is that each is typically based on quantitative risk management, qualitative risk management, or a combination of the two
• Determining your organization's maturity level will help focus on the appropriate implementation and timeframe for your risk management strategy
• Risk assessment consists of conducting a summary-level risk prioritization, and then conducting a detailed-level risk prioritization on high-impact risks
• The Microsoft Security Risk Management Guide provides a number of tools and templates to assist with the entire risk management process
• The Microsoft defense-in-depth approach organizes controls into the several broad layers that make up the defense-in-depth model

Next Steps
• Find additional security training events: http://www.microsoft.com/seminar/events/security.mspx
• Sign up for security communications: http://www.microsoft.com/technet/security/signup/default.mspx
• Order the Security Guidance Kit: http://www.microsoft.com/security/guidance/order/default.mspx
• Get additional security tools and content: http://www.microsoft.com/security/guidance

Questions and Answers