Security Risk Management - Microsoft Center

Session 3:
Security Risk Management
Eduardo Rivadeneira
IT Pro
Microsoft Mexico
Agenda
Day 1
• TechNet Mexico Communities
• Mexico Communities Training
• Essentials of Security Part 1
Day 2
• Essentials of Security Part 2
• Security Risk Management Part 1
Day 3
• Security Risk Management Part 2
• Questions and Answers
Points of interest
IT Pro Mexico User Group
• http://groups.msn.com/itpromexico
Gaia Security Risk Management
Walk-through Scenario 1:
Facilitating Risk Discussions
Facilitating a risk discussion meeting for
Woodgrove Bank
Defining Impact Statements
Impact data includes the following information:
Walk-through Scenario 2:
Defining Impact Statements
Defining an impact statement for
Woodgrove Bank
Scenario 2: Defining An Impact Statement For Woodgrove Bank

Asset Name                         | Asset Class | DID Level | Threat Description                                                                  | Vulnerability Description                                                          | ER (H,M,L) | IR (H,M,L)
Consumer financial investment data | HBI         | Host      | Unauthorized access to consumer data through theft of Financial Advisor credentials | Theft of credentials of managed LAN client via outdated security configurations    | H          | H
Consumer financial investment data | HBI         | Host      | Unauthorized access to consumer data through theft of Financial Advisor credentials | Theft of credentials of managed remote client via outdated security configurations | H          | H
Consumer financial investment data | HBI         | Data      | Unauthorized access to consumer data through theft of Financial Advisor credentials | Theft of credentials by trusted employee abuse, via nontechnical attacks            | L          | M
Understanding Risk Prioritization
Start risk prioritization -> Conduct summary-level risk prioritization (output: summary-level risk prioritization) -> Review with stakeholders -> Conduct detailed-level risk prioritization (output: detailed-level risk prioritization) -> End of risk prioritization
Conducting Summary-Level Risk Prioritization
Summary-level probability ratings:
• High. Likely—one or more impacts expected within one year
• Medium. Probable—impact expected within two to three years
• Low. Not probable—impact not expected to occur within three years
The summary-level prioritization process includes the following:
1 Determine impact level
2 Estimate summary-level probability
3 Complete the summary-level risk list
4 Review with stakeholders
Walk-through Scenario 3: Conducting Summary-Level Risk Prioritization
Conducting a summary-level risk
prioritization for Woodgrove Bank
Conducting Detailed Level Risk Prioritization
The following four tasks outline the process to build a
detailed-level list of risks:
1 Determine impact and exposure
2 Identify current controls
3 Determine probability of impact
4 Determine detailed risk level
Use the Detailed-Level Risk Prioritization template
(SRJA3-Detailed Level Risk Prioritization.xls)
Walk-through Scenario 4: Conducting Detailed-Level Risk Prioritization
Conducting a detailed-level risk
prioritization for Woodgrove Bank
Quantifying Risk
The following tasks outline the process to determine
the quantitative value:
1 Assign a monetary value to each asset class
2 Input the asset value for each risk
3 Produce the single-loss expectancy value (SLE)
4 Determine the annual rate of occurrence (ARO)
5 Determine the annual loss expectancy (ALE)
Walk-through Scenario 5: Quantifying Risk
Quantifying risk for Woodgrove Bank
Scenario 5: Quantifying Risk For Woodgrove Bank

Task 1: Assign Monetary Values to Asset Classes
  Asset Net Income: $200 Million annually
  HBI Asset Class: $10 Million (200 * 5%), using the 5% Materiality Guideline for valuing assets
  MBI Asset Class: $5 Million (based on past spending)
  LBI Asset Class: $1 Million (based on past spending)

Task 2: Identify the Asset Value
  Consumer financial data = HBI Asset Class = $10 Million

Task 3: Produce the Single Loss Expectancy Value (SLE)
  Estimated Risk Value = Asset Class Value * Exposure Factor % = SLE

  Risk Description | Asset Class | Asset Value ($ in millions) | Exposure Rating | Exposure Factor % | SLE ($ in millions)
  LAN Host         | HBI         | $10                         | 4               | 80%               | $8
  Remote Host      | HBI         | $10                         | 4               | 80%               | $8

Task 4: Determine the Annual Rate of Occurrence (ARO)
  LAN Host ARO: Leveraging the qualitative assessment of Medium probability, the Security Risk Management Team estimates the risk to occur at least once in two years; thus, the estimated ARO is .5
  Remote Host ARO: Leveraging the qualitative assessment of High probability, the Security Risk Management Team estimates the risk to occur at least once per year; thus, the estimated ARO is 1.

Task 5: Identify the Annual Loss Expectancy (ALE) (SLE * ARO)
  Risk Description | Asset Class | Asset Value ($ in millions) | Exposure Rating | Exposure Factor % | SLE ($ in millions) | ARO | ALE ($ in millions)
  LAN Host         | HBI         | $10                         | 4               | 80%               | $8                  | 0.5 | $4
  Remote Host      | HBI         | $10                         | 4               | 80%               | $8                  | 1   | $8

Reference tables used in the scenario:

Asset Class                 | Value
HBI (High Business Impact)  | $M
MBI                         | $M/2
LBI                         | $M/4

Exposure Rating | Exposure Factor %
5               | 100
4               | 80
3               | 60
2               | 40
1               | 20

ARO Qualitative Rating | Description  | ARO range  | Examples
High                   | Likely       | >= 1       | once or more per year
Medium                 | Probable     | .33 to .99 | at least once every 1-3 years
Low                    | Not probable | < .33      | once greater than 3 years
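The five quantification tasks above reduce to two multiplications (SLE = asset class value * exposure factor, ALE = SLE * ARO), but the part that goes wrong in practice is the hand-off between the qualitative ratings and the numbers. The following is an added example, not code from the deck or from the Microsoft Security Risk Management Guide; the `Risk` dataclass, the function names and the `aro_matches_rating` consistency check are my own, and the Woodgrove figures and the rating tables are taken from the scenario. It reproduces the scenario's SLE and ALE for the LAN host and remote host risks and rejects an ARO estimate that contradicts the qualitative probability it was derived from.

```python
# Added worked example (not code from the deck or the Microsoft Security Risk
# Management Guide): carries Scenario 5's arithmetic through in code.
#   SLE = asset class value * exposure factor      (Task 3)
#   ALE = SLE * ARO                                (Task 5)
from dataclasses import dataclass

# Exposure rating -> exposure factor, from the deck's rating table.
EXPOSURE_FACTOR = {5: 1.00, 4: 0.80, 3: 0.60, 2: 0.40, 1: 0.20}

# Qualitative probability -> ARO range, from the deck's ARO table.
# None as the upper bound means "no upper bound"; the 0.0 floor for Low is assumed.
ARO_RANGE = {"High": (1.0, None), "Medium": (0.33, 0.99), "Low": (0.0, 0.33)}


def asset_class_values(net_income_millions, materiality=0.05):
    """Generic asset-class values from the deck: HBI = $M, MBI = $M/2, LBI = $M/4,
    where $M is net income times the 5% materiality guideline."""
    hbi = net_income_millions * materiality
    return {"HBI": hbi, "MBI": hbi / 2, "LBI": hbi / 4}


@dataclass
class Risk:                 # hypothetical container, not a guide artifact
    description: str
    asset_class: str        # HBI / MBI / LBI
    exposure_rating: int    # 1..5
    probability: str        # qualitative: High / Medium / Low
    aro: float              # the team's numeric estimate, occurrences per year


def single_loss_expectancy(asset_value, exposure_rating):
    return asset_value * EXPOSURE_FACTOR[exposure_rating]


def annual_loss_expectancy(sle, aro):
    return sle * aro


def aro_matches_rating(probability, aro):
    """Check that the numeric ARO falls inside the range its qualitative rating implies,
    so a risk rated 'Medium' is not quietly given an ARO of 3 (or 0.1)."""
    low, high = ARO_RANGE[probability]
    return aro >= low and (high is None or aro <= high)


def quantify(risks, class_values):
    """Return one row per risk with its SLE and ALE, ordered by ALE descending."""
    rows = []
    for r in risks:
        if not aro_matches_rating(r.probability, r.aro):
            raise ValueError(f"{r.description}: ARO {r.aro} contradicts rating {r.probability}")
        value = class_values[r.asset_class]
        sle = single_loss_expectancy(value, r.exposure_rating)
        rows.append({
            "risk": r.description,
            "asset_value": value,
            "exposure_factor": EXPOSURE_FACTOR[r.exposure_rating],
            "sle": sle,
            "aro": r.aro,
            "ale": annual_loss_expectancy(sle, r.aro),
        })
    return sorted(rows, key=lambda row: row["ale"], reverse=True)


# Woodgrove Bank figures from the deck ($ in millions). MBI and LBI are the scenario's
# "based on past spending" values rather than the generic $M/2 and $M/4.
WOODGROVE_CLASS_VALUES = {"HBI": 10.0, "MBI": 5.0, "LBI": 1.0}

WOODGROVE_RISKS = [
    Risk("LAN Host: theft of Financial Advisor credentials", "HBI", 4, "Medium", 0.5),
    Risk("Remote Host: theft of Financial Advisor credentials", "HBI", 4, "High", 1.0),
]

if __name__ == "__main__":
    for row in quantify(WOODGROVE_RISKS, WOODGROVE_CLASS_VALUES):
        print(f"{row['risk']:<55} SLE ${row['sle']:.1f}M  ARO {row['aro']}  ALE ${row['ale']:.1f}M")
```

Running it lists the remote host risk first (ALE $8M) and the LAN host risk second (ALE $4M), which is the ordering the decision support phase needs. The range check is the caveat worth keeping: the qualitative rating and the numeric ARO are produced in different steps, often by different people, and a mismatch between them silently distorts the ALE ranking.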
Assessing Risk: Best Practices
• Analyze risks during the data gathering process
• Conduct research to build credibility for estimating probability
• Communicate risk in business terms
• Reconcile new risks with previous risks
Conducting Decision Support
Security Risk Management Concepts
Identifying Security Risk Management Prerequisites
Assessing Risk
Conducting Decision Support
Implementing Controls and Measuring Program
Effectiveness
Overview of the Decision Support Phase
Phase 2 of the four-phase cycle (1 Assessing Risk, 2 Conducting Decision Support, 3 Implementing Controls, 4 Measuring Program Effectiveness). The decision support steps are:
1. Define functional requirements
2. Identify control solutions
3. Review solution against requirements
4. Estimate degree of risk reduction
5. Estimate cost of each solution
6. Select the risk mitigation strategy
Identifying Output for the Decision Support Phase
Key elements to gather include:
Decision on how to handle each risk
Functional requirements
Potential control solutions
Risk reduction of each control solution
Estimated cost of each control solution
List of control solutions to be implemented
Considering the Decision Support Options
Options for handling risk:
• Accepting the current risk
• Implementing controls to reduce risk
Overview of the Identifying and Comparing Controls Process
Mitigation owner: identifies potential control solutions; determines types of costs
Security risk management team: estimates level of risk reduction
Security steering committee: final list of control solutions
Step 1: Define Functional Requirements
Participants (swim lanes): Security risk management team, Mitigation owner, Security steering committee
1 Define functional requirements
2 Identify control solutions
3 Review solutions against requirements
4 Estimate degree of risk reduction
5 Estimate cost of each solution
6 Select the risk mitigation strategy
Step 2: Identify Control Solutions
Step 3: Review Solutions Against Requirements
Step 4: Estimate Degree of Risk Reduction
Step 5: Estimate Cost of Each Solution
Step 6: Select the Risk Mitigation Strategy
Conducting Decision Support: Best Practices
• Consider assigning a security technologist to each identified risk
• Set reasonable expectations
• Build team consensus
• Focus on the amount of risk after the mitigation solution
Implementing Controls and Measuring Program Effectiveness
Security Risk Management Concepts
Identifying Security Risk Management Prerequisites
Assessing Risk
Conducting Decision Support
Implementing Controls and Measuring Program Effectiveness
Implementing Controls
Phase 3 of the four-phase cycle (1 Assessing Risk, 2 Conducting Decision Support, 3 Implementing Controls, 4 Measuring Program Effectiveness):
• Seek a holistic approach
• Organize by defense-in-depth
Organizing the Control Solutions
Critical success determinants to organizing control solutions include:
• Communication
• Team scheduling
• Resource requirements
Organizing by Defense-in-Depth
Physical
Network
Host
Application
Data
Measuring Program Effectiveness
Phase 4 of the four-phase cycle (1 Assessing Risk, 2 Conducting Decision Support, 3 Implementing Controls, 4 Measuring Program Effectiveness):
• Develop scorecard
• Measure control effectiveness
Developing Your Organization’s Security Risk Scorecard
A simple security risk scorecard organized by the defense-in-depth layers might look like this:

Layer       | FY05 Q1 | FY05 Q2 | FY05 Q3 | FY05 Q4
Physical    | H       | M       |         |
Network     | M       | M       |         |
Host        | M       | M       |         |
Application | M       | H       |         |
Data        | L       | L       |         |
Risk Levels (H, M, L)
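The scorecard slide shows only the finished card. The following is an added example, not code from the deck or the guide, of how such a card can be produced from the detailed risk list and tracked quarter over quarter; the roll-up rule (a cell shows the highest open risk level in that layer that quarter), the function names and the sample risk list are my own assumptions, with the sample values chosen so the result matches the FY05 Q1 and Q2 columns on the slide.

```python
# Added example (not from the deck): roll a list of assessed risks up into the
# per-layer, per-quarter scorecard the slide shows, and flag layers whose level moved.
LEVEL_RANK = {"L": 1, "M": 2, "H": 3}
LAYERS = ["Physical", "Network", "Host", "Application", "Data"]   # defense-in-depth layers
QUARTERS = ["FY05 Q1", "FY05 Q2", "FY05 Q3", "FY05 Q4"]

# Constructed sample input: (quarter, defense-in-depth layer, detailed risk level) for each
# open risk. Values are chosen so the roll-up reproduces the deck's FY05 Q1 and Q2 columns.
SAMPLE_RISKS = [
    ("FY05 Q1", "Physical", "H"), ("FY05 Q1", "Physical", "M"),
    ("FY05 Q1", "Network", "M"),
    ("FY05 Q1", "Host", "M"), ("FY05 Q1", "Host", "L"),
    ("FY05 Q1", "Application", "M"),
    ("FY05 Q1", "Data", "L"),
    ("FY05 Q2", "Physical", "M"),
    ("FY05 Q2", "Network", "M"),
    ("FY05 Q2", "Host", "M"),
    ("FY05 Q2", "Application", "H"), ("FY05 Q2", "Application", "M"),
    ("FY05 Q2", "Data", "L"),
]


def build_scorecard(risks, layers=LAYERS, quarters=QUARTERS):
    """Scorecard cell = highest open risk level in that layer that quarter (assumed roll-up
    rule; the deck only shows the finished card). Quarters with no data stay empty (None)."""
    card = {q: {layer: None for layer in layers} for q in quarters}
    for quarter, layer, level in risks:
        current = card[quarter][layer]
        if current is None or LEVEL_RANK[level] > LEVEL_RANK[current]:
            card[quarter][layer] = level
    return card


def level_changes(card, earlier, later, layers=LAYERS):
    """Layers whose rolled-up level changed between two quarters.
    Positive delta = risk got worse, negative = improved."""
    changes = {}
    for layer in layers:
        a, b = card[earlier][layer], card[later][layer]
        if a is not None and b is not None and a != b:
            changes[layer] = LEVEL_RANK[b] - LEVEL_RANK[a]
    return changes


def render(card, layers=LAYERS, quarters=QUARTERS):
    """Plain-text table in the same layout as the slide."""
    header = f"{'':<12}" + "".join(f"{q:>9}" for q in quarters)
    lines = [header]
    for layer in layers:
        cells = "".join(f"{card[q][layer] or '-':>9}" for q in quarters)
        lines.append(f"{layer:<12}{cells}")
    return "\n".join(lines)


if __name__ == "__main__":
    card = build_scorecard(SAMPLE_RISKS)
    print(render(card))
    print("Risk Levels (H, M, L); changes Q1 -> Q2:", level_changes(card, "FY05 Q1", "FY05 Q2"))
```

The change report is the useful output for the measuring phase: here it reports Physical improving (H to M) and Application worsening (M to H), which is exactly the pair of cells a steering committee would ask about when reviewing the card.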
Measuring Control Effectiveness
Methods to measure the effectiveness of implemented controls include:
• Direct testing
• Submitting periodic compliance reports
• Evaluating widespread security incidents
Session Summary
• One common thread between most risk management methodologies is that each is typically based on quantitative risk management, qualitative risk management, or a combination of the two
• Determining your organization’s maturity level will help focus on the appropriate implementation and timeframe for your risk management strategy
• Risk assessment consists of conducting a summary-level risk prioritization, and then conducting a detailed-level risk prioritization on high-impact risks
• The Microsoft Security Risk Management Guide provides a number of tools and templates to assist with the entire risk management process
• The Microsoft defense-in-depth approach organizes controls into several broad layers that make up the defense-in-depth model
Next Steps
Find additional security training events:
http://www.microsoft.com/seminar/events/security.mspx
Sign up for security communications:
http://www.microsoft.com/technet/security/signup/default.mspx
Order the Security Guidance Kit:
http://www.microsoft.com/security/guidance/order/default.mspx
Get additional security tools and content:
http://www.microsoft.com/security/guidance
Questions and Answers