Session 3: Security Risk Management
Eduardo Rivadeneira, IT Pro, Microsoft Mexico

Agenda
Day 1
• Technet Mexico communities
• Mexico communities training
• Essentials of Security, Part 1
Day 2
• Essentials of Security, Part 2
• Security Risk Management, Part 1
Day 3
• Security Risk Management, Part 2
• Questions and Answers
Points of interest
• IT Pro Mexico user group: http://groups.msn.com/itpromexico
• Gaia

Security Risk Management

Walk-through Scenario 1: Facilitating Risk Discussions
Facilitating a risk discussion meeting for Woodgrove Bank

Defining Impact Statements
Impact data includes the following information:

Walk-through Scenario 2: Defining Impact Statements
Defining an impact statement for Woodgrove Bank

Scenario 2: Defining an Impact Statement for Woodgrove Bank
Asset name (all rows): Consumer financial investment data; asset class (all rows): HBI.

DID Level | Threat Description | Vulnerability Description | ER (H, M, L) | IR (H, M, L)
Host | Unauthorized access to consumer data through theft of Financial Advisor credentials | Theft of credentials of managed LAN client via outdated security configurations | H | H
Host | Unauthorized access to consumer data through theft of Financial Advisor credentials | Theft of credentials of managed remote client via outdated security configurations | H | H
Data | Unauthorized access to consumer data through theft of Financial Advisor credentials | Theft of credentials by trusted employee abuse, via nontechnical attacks | L | M

(DID = defense-in-depth layer; ER = exposure rating; IR = impact rating.)

Understanding Risk Prioritization
Start risk prioritization -> Conduct summary-level risk prioritization (produces the summary-level risk prioritization) -> Review with stakeholders -> Conduct detailed-level risk prioritization (produces the detailed-level risk prioritization) -> End of risk prioritization

Conducting Summary-Level Risk Prioritization
Probability levels:
• High: Likely. One or more impacts expected within one year.
• Medium: Probable. Impact expected within two to three years.
• Low: Not probable. Impact not expected to occur within three years.
The summary-level prioritization process includes the following:
1. Determine impact level
2. Estimate summary-level probability
3. Complete the summary-level risk list
4. Review with stakeholders

Walk-through Scenario 3: Conducting Summary-Level Risk Prioritization
Conducting a summary-level risk prioritization for Woodgrove Bank

Conducting Detailed-Level Risk Prioritization
The following four tasks outline the process to build a detailed-level list of risks:
1. Determine impact and exposure
2. Identify current controls
3. Determine probability of impact
4. Determine detailed risk level
Use the Detailed-Level Risk Prioritization template (SRJA3-Detailed Level Risk Prioritization.xls).

Walk-through Scenario 4: Conducting Detailed-Level Risk Prioritization
Conducting a detailed-level risk prioritization for Woodgrove Bank

Quantifying Risk
The following tasks outline the process to determine the quantitative value:
1. Assign a monetary value to each asset class
2. Input the asset value for each risk
3. Produce the single-loss expectancy value (SLE)
4. Determine the annual rate of occurrence (ARO)
5. Determine the annual loss expectancy (ALE)

Walk-through Scenario 5: Quantifying Risk
Quantifying risk for Woodgrove Bank

Scenario 5: Quantifying Risk for Woodgrove Bank

Task 1: Assign Monetary Values to Asset Classes
Using the 5% materiality guideline for valuing assets; net income: $200 million annually.
• HBI asset class: $10 million ($200 million × 5%)
• MBI asset class: $5 million (based on past spending)
• LBI asset class: $1 million (based on past spending)
Asset class value examples: HBI value = $M; MBI value = $M/2; LBI value = $M/4.

Task 2: Identify the Asset Value
Consumer financial data = HBI, so the asset class value is $10 million.
Risk Description | Asset Class | Asset Value ($ in millions)
LAN Host | HBI | $10
Remote Host | HBI | $10

Task 3: Produce the Single Loss Expectancy Value (SLE)
Estimated Risk Value = Asset Class Value × Exposure Factor % = SLE
Exposure Rating | Exposure Factor %
5 | 100
4 | 80
3 | 60
2 | 40
1 | 20
Risk | Asset Value | Exposure Rating | Exposure Factor | SLE ($ in millions)
LAN Host | $10 | 4 | 80% | $8
Remote Host | $10 | 4 | 80% | $8

Task 4: Determine the Annual Rate of Occurrence (ARO)
Qualitative Rating | Description | ARO Range
High | Likely: impact once or more per year | >= 1
Medium | Probable: at least once every 1-3 years | .33 to .99
Low | Not probable: at least once, but at intervals greater than 3 years | < .33
• LAN Host: leveraging the qualitative assessment of Medium probability, the Security Risk Management Team estimates the risk to occur at least once in two years; thus, the estimated ARO is .5.
• Remote Host: leveraging the qualitative assessment of High probability, the Security Risk Management Team estimates the risk to occur at least once per year; thus, the estimated ARO is 1.

Task 5: Determine the Annual Loss Expectancy (ALE)
ALE = SLE × ARO
Risk | SLE | ARO | ALE ($ in millions)
LAN Host | $8 | 0.5 | $4
Remote Host | $8 | 1 | $8

Assessing Risk: Best Practices
• Analyze risks during the data gathering process
• Conduct research to build credibility for estimating probability
• Communicate risk in business terms
• Reconcile new risks with previous risks

Conducting Decision Support
Module outline:
• Security Risk Management Concepts
• Identifying Security Risk Management Prerequisites
• Assessing Risk
• Conducting Decision Support
• Implementing Controls and Measuring Program Effectiveness

Overview of the Decision Support Phase
Risk management cycle: 1. Assessing Risk -> 2. Conducting Decision Support -> 3. Implementing Controls -> 4. Measuring Program Effectiveness.
The decision support phase has six steps:
1. Define functional requirements
2. Identify control solutions
3. Review solutions against requirements
4. Estimate degree of risk reduction
5. Estimate cost of each solution
6. Select the risk mitigation strategy

Identifying Output for the Decision Support Phase
Key elements to gather include:
• Decision on how to handle each risk
• Functional requirements
• Potential control solutions
• Risk reduction of each control solution
• Estimated cost of each control solution
• List of control solutions to be implemented

Considering the Decision Support Options
Options for handling risk:
• Accepting the current risk
• Implementing controls to reduce risk

Overview of the Identifying and Comparing Controls Process
• Mitigation owner: identifies potential control solutions; determines types of costs
• Security risk management team: estimates level of risk reduction
• Security steering committee: approves the final list of control solutions

Steps 1 to 6 (each shown on its own slide against the same process diagram, with the security risk management team, the mitigation owner and the security steering committee as the roles involved):
Step 1: Define Functional Requirements
Step 2: Identify Control Solutions
Step 3: Review Solutions Against Requirements
Step 4: Estimate Degree of Risk Reduction
Step 5: Estimate Cost of Each Solution
Step 6: Select the Risk Mitigation Strategy

Conducting Decision Support: Best Practices
• Consider assigning a security technologist to each identified risk
• Set reasonable expectations
• Build team consensus
• Focus on the amount of risk after the mitigation solution

Implementing Controls and Measuring Program Effectiveness
Module outline:
• Security Risk Management Concepts
• Identifying Security Risk Management Prerequisites
• Assessing Risk
• Conducting Decision Support
• Implementing Controls and Measuring Program Effectiveness

Implementing Controls (phase 3 of the cycle)
• Seek a holistic approach
• Organize by defense-in-depth

Organizing the Control Solutions
Critical success determinants to organizing control solutions include:
• Communication
• Team scheduling
• Resource requirements

Organizing by Defense-in-Depth
Physical -> Network -> Host -> Application -> Data

Measuring Program Effectiveness (phase 4 of the cycle)
• Develop scorecard
• Measure control effectiveness

Developing Your Organization's Security Risk Scorecard
A simple security risk scorecard organized by the defense-in-depth layers might look like this (risk levels: H, M, L):
Layer | FY05 Q1 | FY05 Q2 | FY05 Q3 | FY05 Q4
Physical | H | M | | 
Network | M | M | | 
Host | M | M | | 
Application | M | H | | 
Data | L | L | | 

Measuring Control Effectiveness
Methods to measure the effectiveness of implemented controls include:
• Direct testing
• Submitting periodic compliance reports
• Evaluating widespread security incidents

Session Summary
• One common thread between most risk management methodologies is that each is typically based on quantitative risk management, qualitative risk management, or a combination of the two.
• Determining your organization's maturity level will help focus on the appropriate implementation and timeframe for your risk management strategy.
• Risk assessment consists of conducting a summary-level risk prioritization, and then conducting a detailed-level risk prioritization on high-impact risks.
• The Microsoft Security Risk Management Guide provides a number of tools and templates to assist with the entire risk management process.
• The Microsoft defense-in-depth approach organizes controls into several broad layers that make up the defense-in-depth model.

Next Steps
• Find additional security training events: http://www.microsoft.com/seminar/events/security.mspx
• Sign up for security communications: http://www.microsoft.com/technet/security/signup/default.mspx
• Order the Security Guidance Kit: http://www.microsoft.com/security/guidance/order/default.mspx
• Get additional security tools and content: http://www.microsoft.com/security/guidance

Questions and Answers
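Worked calculation for the Scenario 5 (Quantifying Risk) slides above, written as an added example rather than a template from the session or from the Microsoft Security Risk Management Guide. The exposure-factor and ARO-range tables and the Woodgrove figures come from the slides; the Risk class, the quantify function and the check that a point ARO estimate agrees with its qualitative rating are assumptions of this example.

```python
"""Quantify risk the way Scenario 5 does: SLE = asset class value * exposure factor, ALE = SLE * ARO."""
from dataclasses import dataclass

# Exposure rating (1-5) -> exposure factor, from the slide's table.
EXPOSURE_FACTOR = {5: 1.00, 4: 0.80, 3: 0.60, 2: 0.40, 1: 0.20}

# Qualitative probability -> allowed ARO range (events per year), from the slide's table.
ARO_RANGE = {
    "High": (1.0, float("inf")),  # likely: once or more per year
    "Medium": (0.33, 0.99),       # probable: at least once every 1-3 years
    "Low": (0.0, 0.33),           # not probable: less often than once in 3 years
}

def asset_class_values(net_income_musd, mbi_musd, lbi_musd):
    """Task 1: HBI from the 5% materiality guideline; MBI/LBI from past spending (USD millions)."""
    return {"HBI": net_income_musd * 0.05, "MBI": mbi_musd, "LBI": lbi_musd}

@dataclass
class Risk:
    name: str
    asset_class: str
    exposure_rating: int
    probability: str  # summary-level qualitative rating: High / Medium / Low
    aro: float        # the team's point estimate of annual occurrences

    def sle(self, class_values):
        """Task 3: single loss expectancy = asset class value * exposure factor."""
        return class_values[self.asset_class] * EXPOSURE_FACTOR[self.exposure_rating]

    def ale(self, class_values):
        """Task 5: ALE = SLE * ARO, after rejecting an ARO that contradicts the qualitative rating."""
        lo, hi = ARO_RANGE[self.probability]
        if not lo <= self.aro <= hi:
            raise ValueError(f"{self.name}: ARO {self.aro} is outside the {self.probability} range {lo}-{hi}")
        return self.sle(class_values) * self.aro

def quantify(risks, class_values):
    """Return {risk name: ALE in USD millions} for a list of risks."""
    return {r.name: round(r.ale(class_values), 2) for r in risks}

# Woodgrove figures from the slides: net income 200, MBI 5, LBI 1 (USD millions).
WOODGROVE_VALUES = asset_class_values(200, 5, 1)
WOODGROVE_RISKS = [
    Risk("LAN Host", "HBI", 4, "Medium", 0.5),
    Risk("Remote Host", "HBI", 4, "High", 1.0),
]

if __name__ == "__main__":
    for name, ale in quantify(WOODGROVE_RISKS, WOODGROVE_VALUES).items():
        print(f"{name}: ALE = ${ale}M per year")
```

The ALE figures are the basis for the decision support phase: a control is worth considering when its annual cost is below the ALE it removes, and the range check catches an ARO estimate that was not reconciled with the summary-level probability.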