Chapter 5. Risk Management

Introduction
- To keep up with the competition, organizations must design and create a safe environment in which business processes and procedures can function. These environments must maintain confidentiality and privacy and assure the integrity of the organization's data, objectives that are met through the application of the principles of risk management.

An Overview of Risk Management
- "Risk management" is the process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level.
- Business decisions are based on trade-offs between the cost of applying information systems controls and the benefits realized from the operation of secured, available systems.
- Components of risk management (Fig. 5-1, p256)

Risk Identification
- A risk management strategy calls on the information security professionals to know their organization's information assets (i.e., identify, classify, and prioritize them).
- Then, a threat assessment process is undertaken to identify and quantify the risks facing each asset.
- Components of risk identification (Fig. 5-4, p261)

Components of Risk Management (Figure 5-1, p256):
- Risk identification: the examination and documentation of the security posture of an organization's IT and the risk it faces.
- Risk assessment: the determination of the extent to which the organization's information assets are exposed or at risk.
- Risk control: the application of controls to reduce the risk to an organization's data and information systems.
- Steps shown in the figure: plan & organize the process; classify, value, & prioritize assets; identify & prioritize threats; evaluate loss magnitude (impact); calculate risk; select control strategies; implement, monitor, & assess controls.
Components of Risk Identification (Figure 5-4, p261)

Identifying, Inventorying, and Categorizing Assets
- Begins with the identification and inventory of assets, including all elements of an organization's system, such as people, procedures, data and information, software, hardware, and network elements. Then, categorize the assets and add details. See Table 5-1, Categorizing the Components of an Information System (p262).
- The objective of this process is to establish the relative priority of the assets to the success of the organization.
- People, Procedures, and Data Asset Identification
  - More difficult to identify than hardware and software assets
  - As identified, they should be recorded
  - Consider the following asset attributes (people, procedures, data):
  - People: position name/number/ID (try to avoid names), supervisor, security clearance level, special skills
  - Procedures: description, purpose, relationship to S/W, H/W, and networking elements, storage location for reference, storage location for update
  - Data: classification, owner/creator/manager, size of data structure, data structure used, online/offline, location, backup procedures
- Hardware, Software, and Network Asset Identification
  - You may want to consider including the following asset attributes:
    - Name: nickname/formal name for the device or program
    - IP address: usually limited to those network devices that use static IP addresses
    - Media access control (MAC) address: electronic serial numbers or hardware addresses. As a part of the TCP/IP standard, all network interface hardware devices have a unique number.
    - Element type: the function of each element, e.g. H/W: servers, desktops, networking devices, test equipment; S/W: O.S., custom applications by type (accounting, HR, payroll, etc.), packaged applications, and specialty applications
    - Serial number: H/W and S/W
    - Manufacturer name
    - Manufacturer's model number or part number
    - S/W version, update revision, or FCO number
    - Physical location: this may not apply to S/W elements
    - Logical location: where this element can be found on the organization's network
    - Controlling entity: identify which organizational unit controls the element
  - Automated tools can sometimes identify the system elements that make up H/W, S/W, and network components (e.g., automated asset inventory systems)

Information Asset Classification
- Some organizations further subdivide the categories listed in Table 5-1.
- It is advisable to add another dimension to represent the sensitivity and security priority of the data and the devices that handle it, i.e.
  "data classification" schemes such as {Confidential, Internal, External}, {Unclassified, Sensitive But Unclassified, Confidential, Secret, Top Secret}, etc., for transmission, processing, and storage.
- However an organization chooses to identify the various components of systems, it is most important that the classification of components be specific enough to allow determination of priority levels (i.e., it should be "comprehensive" and "mutually exclusive").

Information Asset Valuation (Impact Evaluation): one of the toughest tasks
- Posing a number of questions assists in developing the weighting criteria for information asset evaluation, e.g.:
  - Which information asset is the most critical to the success of the organization?
  - Which information asset generates the most revenue?
  - Which information asset generates the most profitability?
- See pp. 271 ff. for more example questions.
- As each question is asked and answered, you should prepare a worksheet like the one shown in Fig. 5-7 (Fig. 5-7 Sample Inventory Worksheet, p271).

Information Asset Prioritization
- Once the process of "inventorying" and "assessing value" is complete, you can prioritize each asset using a process known as "weighted factor analysis". See Table 5-2.
[Figure 5-7 Sample Inventory Worksheet (p271). System Name: SLS E-Commerce; Date Evaluated: February 2012; Evaluated By: D. Jones. Columns: information asset, data classification, impact to profitability. Rows: EDI Document Set 1 - Logistics BOL to outsourcer (outbound) (Confidential); EDI Document Set 2 - Supplier orders (outbound) (Confidential); EDI Document Set 2 - Supplier fulfillment advice (inbound); Customer order via SSL (inbound); Customer service request via e-mail (inbound); DMZ assets: Edge router (Critical), Web server #1 - home page and core site (Critical), Web server #2 - Application server (Private, Critical). Notes: BOL: Bill of Lading; DMZ: Demilitarized Zone; EDI: Electronic Data Interchange; SSL: Secure Sockets Layer]

Table 5-2 Example of a Weighted Factor Analysis Worksheet (p275)

Information asset                                           | Criterion 1: impact to revenue | Criterion 2: impact to profitability | Criterion 3: impact to public image | Weighted score
Criterion weight (1-100; must total 100)                    | 30  | 40  | 30  |
EDI Document Set 1 - Logistics BOL to outsourcer (outbound) | 0.8 | 0.9 | 0.5 | 75
EDI Document Set 2 - Supplier orders (outbound)             | 0.8 | 0.9 | 0.6 | 78
EDI Document Set 2 - Supplier fulfillment advice (inbound)  | 0.4 | 0.5 | 0.3 | 41
Customer order via SSL (inbound)                            | 1.0 | 1.0 | 1.0 | 100
Customer service request via e-mail (inbound)               | 0.4 | 0.4 | 0.9 | 55
Notes: EDI: Electronic Data Interchange; SSL: Secure Sockets Layer
(Annotations: criterion weights express assigned importance and must total 100; asset scores range from 0.1 to 1.0, the range recommended by NIST (National Institute of Standards and Technology). Weighted score = sum of score x weight, e.g. 0.4 x 30 + 0.5 x 40 + 0.3 x 30 = 41 for the least critical asset.)

Threat Identification
- After identifying and performing the preliminary classification of an organization's information assets, the analysis phase moves on to an examination of the threats to the organization.
- The realistic threats must be investigated further, while the unimportant threats are set aside.
(1) Identifying and Prioritizing Threats
- Each of the threats from Table 5-3 (p276) must be examined to assess its potential to endanger the organization.
  This examination is known as "threat assessment."
- A few basic questions establish a framework for the discussion of threat assessment:
  (1) Which threats present a danger to an organization's assets in the given environment?
  (2) Which threats represent the most danger to the organization's information?
  (3) How much would it cost to recover from a successful attack?
  (4) Which of the threats would require the greatest expenditure to prevent?
(2) Specifying Asset Vulnerabilities
- Review each information asset for each relevant threat and create a list of vulnerabilities.
- A vulnerability is a flaw or weakness in an information asset, security procedure, design, or control that could be exploited accidentally or on purpose to breach security (see Table 5-7).
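Worked version of the weighted factor analysis (Table 5-2 above) and of the risk-rating arithmetic used for assets A and B below, as an added Python example that is not part of the original notes or of the textbook. The criterion weights and asset scores are copied from Table 5-2; the validation rules (weights total 100, scores in 0.1..1.0) follow the table's annotations, and the uncertainty allowance is 1 minus the stated data accuracy.

```python
"""Risk identification worksheets, as an added example (not the notes' own code).
Weighted factor analysis (Table 5-2): weighted score = sum(score_i x weight_i).
Risk rating (assets A and B): risk = (P(attack) x P(success)) x (value x fraction lost),
plus an uncertainty allowance taken as a percentage of that product.
"""

# Criterion weights from Table 5-2 (revenue 30, profitability 40, public image 30; total 100).
WEIGHTS = {"revenue": 30, "profitability": 40, "public_image": 30}

# Per-asset criterion scores copied from Table 5-2, in the same criterion order.
TABLE_5_2 = {
    "EDI Document Set 1 - Logistics BOL to outsourcer (outbound)": (0.8, 0.9, 0.5),
    "EDI Document Set 2 - Supplier orders (outbound)": (0.8, 0.9, 0.6),
    "EDI Document Set 2 - Supplier fulfillment advice (inbound)": (0.4, 0.5, 0.3),
    "Customer order via SSL (inbound)": (1.0, 1.0, 1.0),
    "Customer service request via e-mail (inbound)": (0.4, 0.4, 0.9),
}


def weighted_score(scores, weights=WEIGHTS):
    """Weighted factor score (0-100) for one asset; rejects malformed worksheets."""
    if sum(weights.values()) != 100:
        raise ValueError("criterion weights must total 100")
    if len(scores) != len(weights):
        raise ValueError("one score per criterion is required")
    if not all(0.1 <= s <= 1.0 for s in scores):   # NIST-recommended 0.1..1.0 range
        raise ValueError("asset scores must lie in 0.1..1.0")
    return round(sum(s * w for s, w in zip(scores, weights.values())), 1)


def rank_assets(table):
    """(asset, weighted score) pairs, most critical first."""
    ranked = [(name, weighted_score(scores)) for name, scores in table.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def risk_rating(p_attack, p_success, asset_value, fraction_lost, uncertainty):
    """Risk = likelihood x impact, plus 'uncertainty' (1 - data accuracy) of that product."""
    likelihood = p_attack * p_success      # e.g. 10% chance of attack x 50% chance of success
    impact = asset_value * fraction_lost   # e.g. value 50 on a 0-100 scale x 100% lost
    base = likelihood * impact
    return round(base + base * uncertainty, 5)


if __name__ == "__main__":
    for name, score in rank_assets(TABLE_5_2):
        print(f"{score:5.1f}  {name}")
    print("Asset A risk:", risk_rating(0.10, 0.50, 50, 1.00, 0.10))  # 2.75
    print("Asset B risk:", risk_rating(0.01, 0.10, 25, 0.50, 0.10))  # 0.01375
```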

Asset A's risk is (10% x 50%) x (50 x 100%) + 10% = (5% x 50) + 10% = 2.5 + 10% (of 2.5) = 2.5 + 0.25 = 2.75.

Information asset B is an internal personnel database behind a firewall. Industry reports indicate a 1 percent chance of an attack. The information security and IT departments report that if the organization is attacked, the attack has a 10 percent chance of success. The asset is valued at a score of 25 on a scale of 0 to 100, and information security and IT staff expect that 50 percent of the asset would be lost; assumptions and data are 90 percent accurate.
Asset B's risk is (1% x 10%) x (25 x 50%) + 10% = (0.1% x 12.5) + 10% = 0.0125 + 10% (of 0.0125) = 0.0125 + 0.00125 = 0.01375.

(4) Documenting the Results of Risk Assessment
- The final summarized document is the "ranked vulnerability risk worksheet".
- Risk identification and assessment deliverables (Table 5-10):
  (1) Information asset classification worksheet (Figure 5-7, p271)
  (2) Weighted criteria analysis worksheet (Table 5-2, p275)
  (3) Ranked vulnerability risk worksheet (Table 5-9)

Risk Control Strategies
- Once the ranked vulnerability worksheet has been created, one of five basic strategies to control risk must be chosen: defend, transfer, mitigate, accept, and terminate.
(1) Defend: to prevent the exploitation of the vulnerability
  - Preferred approach; accomplished by means of countering threats, removing vulnerabilities in assets, limiting access to assets, and adding protective safeguards.
  - 3 common methods used to defend:
    (1) Application of policy: to mandate that certain procedures are always followed, e.g. a strict policy on requiring passwords
    (2) Training and education: awareness, training, and education are essential if employees are to exhibit safe and controlled behavior.
    (3) Application of technology: technical solutions are often required to assure that risk is reduced
(2) Transfer: to attempt to shift risk to other assets, other processes, or other organizations
  - Accomplished by rethinking how services are offered, revising deployment models, outsourcing to other organizations, purchasing insurance, or implementing service contracts with providers
  - Focus energy and resources on what they do best while relying on consultants or contractors or other types of expertise
  - Ensure that the disaster recovery requirements of the outsourcing contract are sufficient and have been met before they are needed for recovery efforts
(3) Mitigate: to attempt to reduce the impact caused by the exploitation of vulnerability through planning and preparation
    (1) Incident response plan
    (2) Disaster recovery plan
    (3) Business continuity plan
    (see the summary of mitigation plans in the text)
  - Mitigation begins with the early detection of an attack and the ability to respond quickly, efficiently, and effectively.
(4) Accept: to do nothing to protect a vulnerability and to accept the outcome of its exploitation.
  - This strategy is based on the conclusion that the cost of protecting an asset does not justify the security expenditure.
(5) Terminate: to avoid those business activities that introduce uncontrollable risks

Selecting a Risk Control Strategy
- Risk control involves selecting one of the five risk control strategies for each vulnerability -> risk handling decision points (see Fig. 5-12)
- Feasibility studies: all the economic and noneconomic consequences of the vulnerability must be explored.
- Cost benefit analysis (CBA) (or economic feasibility study)
  - Consider the economic feasibility of implementing information security controls and safeguards.
  - Cost of: (1) development or acquisition, (2) training fees, (3) implementation, (4) service, (5) maintenance
  - Benefit is the value that an organization realizes by using controls to prevent losses associated with a specific vulnerability.
  - SLE = asset value x EF
    SLE: single loss expectancy; EF: exposure factor, the expected percentage of loss that would occur from a particular attack
    e.g. a Web site has an estimated value of $1,000,000 and a deliberate act of sabotage or vandalism scenario indicated that 10% of the Web site would be damaged or destroyed => SLE = asset value x EF = $1,000,000 x 0.1 = $100,000
  - To ascertain how much loss is expected from a single expected attack, and how often these attacks occur -> ALE = SLE x ARO
    ALE: annualized loss expectancy; ARO: annualized rate of occurrence
    e.g. if such an attack is expected to occur about once every two years -> ARO = 0.5 (= 50%)
    e.g. ALE = SLE x ARO = $100,000 x 0.5 = $50,000 indicates that unless the organization increases the level of security on its Web site, it can expect to lose $50,000 per year
  - CBA = ALE(prior) - ALE(post) - ACS, where ACS is the annualized cost of the safeguard
- Evaluation, assessment, and maintenance of risk controls: the strategy and its accompanying controls must be monitored and reevaluated on an ongoing basis to determine their effectiveness, and to calculate more accurately the estimated residual risk.
  (See Fig. 5-14 Risk Control Cycle, p306)

Quantitative versus Qualitative Risk Control Practices
- Quantitative assessment: uses actual values or estimates, e.g. the previous work
- Qualitative assessment: uses characteristics that do not use numerical measures, e.g. sample scales: {none, no chance, low, medium, high, very high, almost certain}, A-Z, 0-10, 1-5, 0-20
  (1) Metric-based measures: comparison based on numeric standards, such as # of successful attacks (note: metrics such as staff-hours spent on system protection, $ spent on protection, # of security personnel, etc.)
  (2) Process-based measures: less number-focused and more strategic; they examine the activities an individual organization performs in pursuit of its goal, i.e. what is done to accomplish a particular process
- Using scales relieves the organization from the difficulty of determining exact values.

Benchmarking and Best Practices
- "Benchmarking" is the process of seeking out and studying the practices used in other organizations that produce results you would like to duplicate in your organization.
- When benchmarking, an organization typically uses one of two types of measures to compare practices: metric-based measures or process-based measures.
- The difference between an organization's measures and those of others is often referred to as a "performance gap". Performance gaps provide insight into the areas that an organization should work on to improve its security postures and defenses.
- "Best business practices" (or "best practices") are security efforts that seek to provide a superior level of performance in the protection of information. Best security practices are those security efforts that are among the best in the industry, balancing the need for access to information with adequate protection.
- Benchmarking best practices is accomplished by means of the metric-based or process-based measures described earlier. (Sources: www.cert.org, www.microsoft.com/en-us/security/default.aspx)

Applying Best Practices
- When considering best practices for adoption, consider the following:
  (1) Does your organization resemble the identified target organization with the best practice under consideration?
  (2) Can your organization expend resources similar to those identified with the best practice?
  (3) Is your organization in a similar threat environment as that proposed in the best practice?
- Problems with the application of benchmarking and best practices:
  (1) Organizations don't talk to each other. -> Because valuable lessons are not recorded, disseminated, and evaluated, the entire industry suffers.
  (2) No two organizations are identical -> specific information may not apply in other contexts. Thus, seek lessons and examples rather than specific technologies.
  (3) Best practices are a moving target.
  (4) Simply researching information security benchmarking doesn't necessarily prepare a practitioner for what to do next to safeguard against new challenges.

Baselining
- A "baseline" is a value or profile of a performance metric against which changes in the performance metric can be usefully compared.
- "Baselining" is the analysis of measures against established standards. In information security, baselining is the comparison of security activities and events against the organization's future performance.
- In a sense, baselining can provide the foundation for internal benchmarking. The information gathered for an organization's first risk assessment becomes the baseline for future comparisons. Therefore, it is important that the initial baseline be accurate.

Documenting Results
- When the organization is pursuing an overall risk management program, it requires a systematic report that enumerates the opportunities for controlling risk.
- This report documents a series of "proposed controls", each of which has been justified by one or more feasibility or rationalization approaches.
- At a minimum, each information asset-threat pair should have a documented control strategy that identifies the residual risk remaining after the proposed strategy has been executed.
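The SLE/ALE/CBA arithmetic from the cost-benefit analysis section of these notes, as an added Python example (not the notes' or the textbook's code). The $1,000,000 Web site, 10% exposure factor and ARO of 0.5 come from the notes; the post-safeguard scenario (ARO cut to 0.1) and the two annualized safeguard costs are constructed to show a justified safeguard beside one whose cost exceeds the loss it avoids.

```python
"""Cost-benefit analysis (CBA) arithmetic: SLE, ALE, and the CBA test.
Added example; the safeguard figures below are constructed, not from the notes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    asset_value: float       # asset value in dollars
    exposure_factor: float   # EF: fraction of the asset lost in one incident (0..1)
    aro: float               # ARO: expected incidents per year (once every 2 years = 0.5)

    def sle(self):
        """Single loss expectancy = asset value x EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self):
        """Annualized loss expectancy = SLE x ARO."""
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.aro


def cba(prior, post, acs):
    """CBA = ALE(prior) - ALE(post) - ACS, with ACS the annualized cost of the safeguard."""
    return prior.ale() - post.ale() - acs


def safeguard_justified(prior, post, acs):
    """True when the safeguard removes more annual loss than it costs (CBA > 0);
    a non-positive CBA is the situation the notes' 'accept' strategy describes."""
    return cba(prior, post, acs) > 0


if __name__ == "__main__":
    # Notes' example: $1,000,000 Web site, 10% damaged per sabotage, about once every two years.
    prior = LossScenario(asset_value=1_000_000, exposure_factor=0.10, aro=0.5)
    print("SLE =", prior.sle())  # 100000.0
    print("ALE =", prior.ale())  # 50000.0
    # Constructed safeguard: cuts the ARO to once every ten years.
    post = LossScenario(asset_value=1_000_000, exposure_factor=0.10, aro=0.1)
    for acs in (20_000, 45_000):  # two constructed annualized safeguard costs
        print(f"ACS ${acs:,}: CBA = {cba(prior, post, acs):,.0f}, "
              f"justified = {safeguard_justified(prior, post, acs)}")
```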
