This report presents the results of the risk analysis carried out in the 01 Proyecto project. Unauthorized reproduction of the information in this report shall result in civil and criminal punishments. More detailed information and technical recommendations can be found in the risk analysis report and in the Operational risks Report.
01 Proyecto
PRJR13011
Issued: 06/11/2013 7:58:08
riskmanagersupport@modulo.com

ATTENTION
The information in this document and any attachments is intended for users of Modulo Risk Manager, a product developed by Modulo Security LLC. If you do not have permission to access this information, know that it is prohibited to read, release, or copy this information. Improper use will be subject to the legislation in effect based on the confidentiality agreements. The controls in the knowledge bases created by Modulo Security LLC are protected by copyright and ownership laws. The full or partial unauthorized reproduction of the information in this report shall result in civil and criminal punishments.

www.modulo.com
Modulo Security LLC
Copyright 2013 Modulo Solutions for GRC 2 of 17 PRJR13011 Executive Analysis Report

1. INTRODUCTION

This report presents the results of the risk analysis carried out in the 01 Proyecto project. The investigations included the organization's assets and may have used various methods for collecting evidence, such as automated collectors, documental analyses, interviews, facility inspections, and others.

Some of the main issues addressed in this report include:
1) What are the major threats to the business?
2) What are the risk levels of the non-implemented controls?
3) What are the recommendations to reduce these risks?
4) How can the security actions to be taken be prioritized?

More detailed information and technical recommendations can be found in the Risk Analysis Report and in the Operational Risks Report, which are generated by Modulo Risk Manager, the system designed by Modulo Security LLC based on the GRC Metaframework methodology. This methodology is in compliance with the guidelines provided in the ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27005, ISO 31000, and ISO Guide 73 standards. Thus, Modulo Risk Manager provides increased productivity, control, and standardization in activities and helps the organization achieve the desired results.

The following table displays the project data:

Name: 01 Proyecto
Code: PRJR13011
Status: Abierto (Open)
Author / Leader / Substitute Leader: Administrator, usuario1, usuario1
Project Created: 06/04/2013
Analysis Start Date: 06/04/2013
Analysis End Date: (not set)
Project Closed: (not set)

If the project is open when the report is issued, only partial results will be presented.

1.1 Calculating the PSR

ISO Guide 73 states that risk is expressed as the value of the combination of the score of an event and its consequences. Modulo Risk Manager considers the PSR to calculate the risk, which represents the estimate of these combined factors. These factors are scored on a scale from 1 to 5. The PSR then represents the degree of risk associated with the absence of a control, and is calculated through the following formula:

Risk = Probability x Severity x Relevance

PROBABILITY: This is the probability that vulnerabilities or weaknesses are exploited by one or more threats due to the absence of controls.
SEVERITY: This scores the level of impact on the organization if the risk materializes. This means that if the incident occurs, the severity will score the degree to which the performance, reliability, or quality of the asset will be compromised.
RELEVANCE: This is the degree of importance the asset holds for the organization, which may take into consideration the business components it supports.

The probability and severity factors are scored during technical analyses, whereas the relevance factor is scored according to the importance of the asset to the organization.

1.2 Risk Indices

Awareness of the risks and their assessment is no longer a technical need. It has become a strategy for organizations to meet the requirements set by the market, the government, regulatory agencies, and others. To provide a risk estimate, Modulo Risk Manager uses the following indices:

PSR: Calculated by summing the PSR scores of the controls. The product of the P, S, and R factors of each control is calculated and the results are then summed. The PSR can be consolidated by asset, asset type, perimeter, control grouping, knowledge base, questionnaire, business component, etc., and may vary between 0 and 100%.
Risk Index: Calculated by dividing the PSR of the non-implemented controls (identified risks) by the PSR of the applicable controls. It is expressed as a percentage and may vary from 0 to 100%.
Security Index: Calculated by dividing the PSR of the implemented controls (avoided risk) by the PSR of the applicable controls, thus complementing the Risk Index. It is also expressed as a percentage and may vary from 0 to 100%.
Control Index: Calculated by dividing the number of implemented controls by the number of applicable controls. It is expressed as a percentage and may vary from 0 to 100%.
Gap Index: Calculated by dividing the number of non-implemented controls by the number of applicable controls, thus complementing the Control Index. It is also expressed as a percentage and may vary from 0 to 100%.

2. SUMMARY

2.1 Gap Analysis (by Number of Controls)

From a list of 329 controls investigated, 99 were considered applicable. Of this total, 62 controls were identified as implemented (Control Index (1) of 62,63%) and 37 controls were identified as non-implemented (Gap Index (2) of 37,37%). Note that the higher the Control Index, the greater the number of controls in accordance with the recommendations in the knowledge bases used in the analysis.

Figure 1 - Number of Controls by Status

2.2 Risk Analysis (by PSR)

Considering the risk with a total PSR (3) of 14209, 4322 were considered applicable. Of this total, 3024 can be considered controlled risks (implemented controls), representing a Security Index (4) of 69,97%. In addition, the risk of 1298 related to the non-implemented controls (identified risk) represents a Risk Index (5) of 30,03%. Note that the higher the Security Index, the lower the risk level in the assets in question.

Figure 2 - PSR Index by Risk Analysis Status

(1) The Control Index is calculated by dividing the number of implemented controls by the number of applicable controls.
(2) The Gap Index is calculated by dividing the number of non-implemented controls by the number of applicable controls.
(3) The PSR represents the degree of risk associated with the absence of a control, and is calculated by multiplying Probability x Severity x Relevance.
(4) The Security Index is calculated by dividing the controlled risks (PSR) by the applicable risks.
(5) The Risk Index is calculated by dividing the identified risks (PSR) by the applicable risks.
IMPORTANT: When the Security Index is greater than the Control Index, it can be inferred that there is greater effectiveness in the risk management process, since the implemented controls correspond to those with higher risks (higher PSRs). Otherwise, it can be inferred that there is less effectiveness in the risk management process, since most of the implemented controls correspond to the lower risks (lower PSRs). If the values are similar, it can be concluded that there is a homogeneous distribution between the level of risk and the priority given to the implemented controls.

2.3 Distribution of Risks (PSR) by Risk Level

The risks considered applicable in the analysis can be divided into:
RISK INDEX: 30,03% of identified risks
SECURITY INDEX: 69,97% of controlled risks

Figure 3 - Distribution of Risks (PSR) by Risk Level

2.4 Risks by Threat

Table 3 below presents the consolidated results by threat. It shows the absolute values and percentages of the controlled and identified risks for the 10 threats with the highest risk indices, presented in descending order of this index. The identified risk (PSR) associated with each threat (potential incident) is calculated by summing the PSR scores of all the non-implemented controls associated with this threat. The Risk Index is calculated by dividing the value of the identified risks by the value of the applicable risks for each control associated with the threats.

Table 3 - Risks by Threat

Threat | Applicable Risk (PSR) | Controlled Risk (PSR) | Security Index | Identified Risk (PSR) | Risk Index
Repudiation | 40 | 0 | 0,0% | 40 | 100,0%
Drop in Performance | 288 | 72 | 25,0% | 216 | 75,0%
Non-Compliance with Regulations | 70 | 30 | 42,9% | 40 | 57,1%
Loss of Traceability | 1169 | 549 | 47,0% | 620 | 53,0%
Unavailability of Services or Information | 2052 | 1484 | 72,3% | 568 | 27,7%
Unauthorized Logical Access | 2887 | 2506 | 86,8% | 381 | 13,2%
Errors, Omissions, or Improper Use | 413 | 359 | 86,9% | 54 | 13,1%
Fraud or Sabotage | 1634 | 1624 | 99,4% | 10 | 0,6%
Administrative Sanctions | 0 | 0 | 0,0% | 0 | 0,0%
Copyright Infringement | 60 | 60 | 100,0% | 0 | 0,0%

These results should be used to prioritize the actions for the most critical business components and assets, in terms of the risks resulting from the main threats to the organization (see Figure 4).

Figure 4 - Risks by Threat

2.5 Risks by Business Component

The risks identified in the assets, which support the organization's business components, were consolidated in the two levels that categorize these components: strategic and tactical.

2.5.1 Strategic-Level Risks

Table 4 below presents the consolidated indices by strategic business component. It shows the absolute values and percentages of the risks for the 0 components with the highest risk indices.

Table 4 - Risks per Strategic Level

Component | Relevance | Implemented Controls | Non-Implemented Controls | Control Index | Gap Index | Controlled Risk (PSR) | Identified Risk (PSR) | Security Index | Risk Index
(no strategic-level components were recorded in this project)

The value of the identified risk for each strategic business component is composed of the sum of the identified risk (PSR of the non-implemented controls) for all the assets that support it. The Risk Index is calculated by dividing the value of the identified risk by the value of the applicable risk, for each business component as well as for all the components. These results should be used to prioritize actions in the assets supporting the strategic business components with the highest risk indices (see Figure 5).

Figure 5 - Risk Index for Strategic Business Components

2.5.2 Tactical-Level Risks

Table 5 below presents the consolidated risks by tactical business component. It shows the absolute values and percentages for the 1 component(s) with the highest risk indices.

Table 5 - Tactical-Level Risks

Organizational System | Relevance | Implemented Controls | Non-Implemented Controls | Control Index | Gap Index | Controlled Risk | Identified Risk | Security Index | Risk Index
01_PC_Banking_empresas | Medium | 62 | 37 | 62,63% | 37,37% | 3024 | 1298 | 69,97% | 30,03%

The value of the identified risk for each tactical business component is comprised of the sum of the identified risks (PSR) of all the assets that support it. The Risk Index for each business component is calculated by dividing the value of the identified risks by the value of the applicable risk, in each business component as well as in all the components. These results should be used to prioritize actions in the assets that support the tactical business components with the highest risk indices (see Figure 6).

Figure 6 - Risk Index in Tactical Business Components

2.6 Risks by Asset (PSR)

The 2 assets listed in the following table correspond to 30,03% of the total applicable risks. These assets should be prioritized for treatment in order to reduce the identified risks.
Table 6 - Risks Identified in the Assets (by PSR)

Asset | Asset Type | Relevance | Applicable PSR | Controlled PSR | Security Index | Identified PSR | Risk Index | Contribution to Risk Index
01 Servidor Back End | Tecnología | Very High | 3530 | 2560 | 72,5% | 970 | 27,5% | 22,4%
01 Firewall | Tecnología | High | 792 | 464 | 58,6% | 328 | 41,4% | 7,6%
Consolidated (2) | | | 4322 | 3024 | 65,6% | 1298 | 34,4% | 30,03%

2.7 Risk Levels of Non-Implemented Controls

Table 7 below presents the number and percentage of each risk level for the non-implemented controls in both the quantitative and qualitative overviews.

Table 7 - Risk Levels of Non-Implemented Controls

Overview | Measure | Very High | High | Medium | Low | Very Low | Total
Quantitative | Controls | 6 | 5 | 24 | 2 | 0 | 37
Quantitative | % | 16,22% | 13,51% | 64,86% | 5,41% | 0,00% | 100,00%
Qualitative | PSR | 387 | 197 | 688 | 26 | 0 | 1298
Qualitative | % | 29,82% | 15,18% | 53,00% | 2,00% | 0,00% | 100%

According to the table above, it can be noted that 16,22% of the non-implemented controls represent 29,82% of the risks considered Very High in the organization.

3. NEXT STEPS

This analysis identified the main asset risks, and its results will assist the decision-making process to address the situations that affect the organization's objectives. The risk levels and the interpretations for each value are presented in the table below:

Table 8 - Possible PSR Values

Risk Level | PSR Values | Definition
Very Low | 1, 2, 3, 4, 5, 6 | These are acceptable risks, and asset managers should be informed of them.
Low | 8, 9, 10, 12, 15, 16 | These are risks which may be acceptable once reviewed and confirmed by the asset managers.
Medium | 18, 20, 24, 25, 27, 30 | These are risks which may be acceptable once reviewed and confirmed by the asset managers; however, their acceptance should be done formally.
High | 32, 36, 40, 45, 48, 50 | These are unacceptable risks, and asset managers should at least be oriented on how to control them.
Very High | 60, 64, 75, 80, 100, 125 | These are unacceptable risks, and asset managers should be oriented on how to minimize them immediately.

The results of the analysis provide important information for the next steps: risk evaluation and treatment. Using Modulo Risk Manager to evaluate risks and monitor their treatment allows for increased productivity and the use of additional tools, such as the What-If treatment simulator, which allows results to be evaluated in different possible scenarios. In addition, the evaluation and treatment phases are also integrated with the analysis phase in Modulo Risk Manager, allowing for the proper use of the results. Thus, when it is decided that a certain risk will be sent for treatment, the system will allow treatment events to be created, which can be monitored and which allow for the evolution of the results found in the analysis.

Risk Management Process

For the next steps, the evaluation phase of the system should be used and the following approach should be adopted:
1) Identify the controls with "Very High" and "High" risk levels;
2) Evaluate the possible impacts of implementing these controls in the assets, systems, and business operations;
3) Send the controls with "Very High" and "High" risk levels for immediate treatment;
4) Identify the controls with "Medium" risk levels;
5) Evaluate the need to implement, in the short term, controls with "Medium" risk levels;
6) Identify the benefits of reducing the risks in the organization, using the Risk Index;
7) Verify if the residual risks of the evaluation are satisfactory;
8) Evaluate the impacts of accepting the controls with lower risk levels;
9) Accept the risks for controls with lower risk levels;
10) If the residual risks are not satisfactory, continue the process for controls with "Low" and "Very Low" risk levels;
11) Close the project and constantly monitor the residual risk during the treatments.
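The arithmetic behind sections 1.1 and 1.2, Table 8 and the Security-vs-Control Index note, as an added worked example (illustration only, not Modulo Risk Manager code): the controls are constructed sample data, and the 5-point tolerance used to decide that two indices are "similar" is an assumption the report does not specify.

```python
from dataclasses import dataclass

# Upper bound of each Table 8 band; a PSR is a product of three 1..5 factors.
LEVEL_BANDS = [("Very Low", 6), ("Low", 16), ("Medium", 30),
               ("High", 50), ("Very High", 125)]

@dataclass(frozen=True)
class Control:
    name: str
    probability: int  # P, scored 1..5 in the technical analysis
    severity: int     # S, scored 1..5 in the technical analysis
    relevance: int    # R, scored 1..5 from the asset's importance
    implemented: bool

    @property
    def psr(self) -> int:
        """Risk = Probability x Severity x Relevance (section 1.1)."""
        if not all(1 <= f <= 5 for f in (self.probability, self.severity, self.relevance)):
            raise ValueError(f"{self.name}: P, S and R must each be scored 1..5")
        return self.probability * self.severity * self.relevance

def risk_level(psr: int) -> str:
    """Map a PSR value to its Table 8 risk level."""
    for level, upper in LEVEL_BANDS:
        if psr <= upper:
            return level
    raise ValueError(f"PSR {psr} is outside the 1..125 range")

def indices(controls: list) -> dict:
    """PSR totals and the section 1.2 indices, in percent."""
    pct = lambda num, den: round(100.0 * num / den, 2) if den else 0.0
    applicable = sum(c.psr for c in controls)
    controlled = sum(c.psr for c in controls if c.implemented)  # avoided risk
    n_impl = sum(1 for c in controls if c.implemented)
    return {"applicable_psr": applicable, "controlled_psr": controlled,
            "identified_psr": applicable - controlled,
            "risk_index": pct(applicable - controlled, applicable),
            "security_index": pct(controlled, applicable),
            "control_index": pct(n_impl, len(controls)),
            "gap_index": pct(len(controls) - n_impl, len(controls))}

def effectiveness(ind: dict, similar: float = 5.0) -> str:
    """The report's IMPORTANT note; 'similar' = within 5 points (assumed)."""
    diff = ind["security_index"] - ind["control_index"]
    if abs(diff) <= similar:
        return "homogeneous"
    return "higher-risk controls first" if diff > 0 else "lower-risk controls first"

# Constructed sample controls, not data from the report's project.
SAMPLE = [Control("A: log retention", 5, 5, 5, False),        # PSR 125, Very High
          Control("B: firewall rule review", 4, 4, 3, True),   # PSR 48, High
          Control("C: screen lock policy", 2, 3, 2, True),     # PSR 12, Low
          Control("D: visitor badges", 1, 2, 1, True),         # PSR 2, Very Low
          Control("E: backup restore test", 3, 3, 3, False)]   # PSR 27, Medium
```

For the sample set the Security Index (28,97%) falls well below the Control Index (60%), so three of five controls are implemented yet most of the risk remains open; fed the report's own 69,97% and 62,63%, `effectiveness` returns the "higher-risk controls first" inference.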