Risk Management
A guide towards designing an optimal security architecture (based on NIST SP 800-30)
1. Risk assessment
- Identification and evaluation of risks and risk impacts
- Recommendation of risk-reducing measures
2. Risk mitigation
- Prioritizing, implementing, and maintaining the appropriate risk-reducing measures
- Security architecture and policy as outputs
Participants
- Senior Management
- Chief Information Officer (CIO)
- Information system security officer
- System and Information Owners
- Business and Functional Managers
- IT Security Practitioners
- Security Awareness Trainers
Definitions
Availability Service
Protection against intentional or accidental attempts to perform unauthorized deletion of data, to otherwise cause a denial of service or data, or to make unauthorized use of system resources.
Confidentiality Service
Covers intentional or accidental attempts to perform unauthorized data reads.
Integrity Service
Protection against either intentional or accidental attempts to violate data integrity (the property that data has when it has not been altered in an unauthorized manner) or system integrity (the quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation).
More Definitions
Threat
The potential to exercise (accidentally trigger or intentionally exploit) a specific vulnerability
Attack
The actual occurrence of a threat: a specific vulnerability is exercised (accidentally or intentionally)
Vulnerability
A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach.
No vulnerability, then no successful attack.
Impact
The effect of a threat occurrence on an asset, e.g. loss of value, a function stops working
(IT-Related) Risk
The net mission impact considering (1) the probability that a particular threat will exercise a particular information system vulnerability and (2) the resulting impact if this should occur
Risk Management
The total process of identifying, controlling, and mitigating risks
Threat Analysis
The examination of threat-sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment
Risk Assessment
Goal: determine the extent of potential threats and the risk associated with an IT system
System characterization: the boundaries of the IT system are identified, along with the resources and the information that constitute the system (e.g., hardware, software, system connectivity, and responsible division or support personnel). This establishes the scope of the risk assessment effort, delineates the operational authorization (or accreditation) boundaries, and provides the information essential to defining the risk.
System-Related Information I
- Hardware
- Software
- System interfaces (e.g., internal and external connectivity)
- Data and information
- Persons who support and use the IT system
- System mission (e.g., the processes performed by the IT system)
- System and data criticality (e.g., the system's value or importance to an organization)
- System and data sensitivity
- The functional requirements of the IT system
System-Related Information II
- Users of the system (e.g., system users who provide technical support to the IT system; application users who use the IT system to perform business functions)
- System security policies governing the IT system (organizational policies, federal requirements, laws, industry practices)
- System security architecture
- Current network topology (e.g., network diagram)
- Flow of information pertaining to the IT system (e.g., system interfaces, system input and output flowchart)
Information Assets
Processes and services:
including business processes, application specific activities, computing and communications services and other technical services supporting the processing of information (heating, lighting, power, air-conditioning services);
Software:
including application software, system software, development tools and utilities;
Physical items:
including computer and communications equipment, media (paper, tapes, CDs and disks), and other technical equipment (power supplies, air-conditioning units), furniture and accommodation that are used to support the processing of information;
People:
including personnel, customers, subscribers, and any other person within the ISMS that is involved with storing or processing of information.
Information-Gathering Techniques
Questionnaire for applicable technical and nontechnical management concerning the management and operational controls planned or used for the IT system
Document Review
Policy documents, system documentation, system design and requirement document, and security-related documentation
Threat identification: consider all potential threats (natural, human and environmental) that could cause harm to the IT system and its processing environment. Use an existing list of threats and match those that apply to the IT system in your scope; a comprehensive list of threats is found in BS7799-3:2006.
Vulnerability identification: develop a list of system vulnerabilities (flaws or weaknesses) that could be exploited by the potential threats. Search for them in:
- The organization's security policies, planned security procedures, and system requirement definitions, and the vendor's or developer's security product analyses (e.g., white papers)
- An analysis of the IT system security features and the security controls, technical and procedural, used to protect the system
- Vendor advisories
- Commercial computer incident/emergency response teams and post lists (e.g., SecurityFocus.com forum mailings)
- Information Assurance Vulnerability Alerts and bulletins for military systems
- System software security analyses
- Security Requirements Checklist (identify the security controls on the checklist with which the IT system does not comply)
Control Categories
- Preventive: inhibit attempts to violate security policy
- Detective: warn of violations or attempted violations of security policy
Control Recommendations
Recommend controls that could mitigate to an acceptable level or eliminate the identified risks. Requirements for the controls:
- Effectiveness of recommended options (e.g., system compatibility)
- Legislation and regulation compliance
- Organizational policy compliance
- Operational impact (do not disturb business operations)
- Safety and reliability
Risk Mitigation
Goals: to prioritize, evaluate, and implement the appropriate risk-reducing controls recommended from the risk assessment process.
Risk Reduction
To implement controls to lower the risk to an acceptable level
Risk Acceptance
To accept the potential risk and continue operating the IT system
Risk Avoidance
To avoid the risk by eliminating the risk cause and/or consequence (e.g., shut down the system when risks are identified)
Risk Transference
To transfer the risk by using other options to compensate for the loss, such as purchasing insurance
Control Implementation I
Control Implementation II
Control Categories
Recovery
- Develop, test, and maintain the business continuity plan
- Establish an incident response capability
Detective
- Provide physical security
- Ensure environmental security
Cost-benefit Analysis
- Determine the impact of implementing the new or enhanced controls
- Determine the impact of NOT implementing the new or enhanced controls
- Estimate the costs of the implementation:
  - Hardware and software purchases
  - Reduced operational effectiveness if system performance or functionality is reduced for increased security
  - Cost of implementing additional policies and procedures
  - Cost of hiring additional personnel to implement proposed policies, procedures, or services
  - Training costs
  - Maintenance costs
- Determine the importance to the organization of implementing the new controls, given their costs and relative impact
Residual Risk
Risk is a function of:
- Vulnerability severity
- Asset valuation (impact to the organization)
- Threat likelihood
The risk remaining after the implementation of controls is the residual risk. Check that the residual risk is below the risk acceptance threshold.
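A worked example of the risk calculation these slides describe (risk as a function of threat likelihood and impact, the cost-benefit analysis of a control, and the residual-risk check against the acceptance threshold). This is added illustration code, not from the slides or from NIST; the likelihood and impact weights follow the NIST SP 800-30 risk-level matrix, while the sample risk, control and cost figures are constructed.

```python
# Added example (not from the slides or NIST): risk-level matrix, cost-benefit
# analysis and residual-risk check for a constructed risk/control pair.
from dataclasses import dataclass

# Likelihood and impact weights as in the NIST SP 800-30 (2002) risk-level matrix.
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}
LEVEL_ORDER = {"Low": 0, "Medium": 1, "High": 2}

def risk_score(likelihood: str, impact: str) -> float:
    """Risk = threat likelihood x impact magnitude; vulnerability severity and
    asset valuation are what the assessor folds into the impact rating."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]

def risk_level(score: float) -> str:
    """NIST risk scale: Low (1 to 10), Medium (>10 to 50), High (>50 to 100)."""
    return "High" if score > 50 else "Medium" if score > 10 else "Low"

@dataclass
class Risk:
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    loss_per_event: float  # asset valuation: estimated loss from one occurrence (constructed)

@dataclass
class Control:
    name: str
    annual_cost: float     # purchases, staffing, training, maintenance (constructed)
    likelihood_after: str  # threat likelihood once the control is in place

def evaluate(risk: Risk, control: Control, acceptance_threshold: str = "Low") -> dict:
    """Cost-benefit analysis plus the check that residual risk is within the threshold."""
    initial = risk_score(risk.likelihood, risk.impact)
    residual = risk_score(control.likelihood_after, risk.impact)
    # Benefit = reduction in expected annual loss (likelihood-weighted loss per event).
    benefit = (LIKELIHOOD[risk.likelihood] - LIKELIHOOD[control.likelihood_after]) * risk.loss_per_event
    return {
        "initial_level": risk_level(initial),
        "residual_level": risk_level(residual),
        "benefit": benefit,
        "cost": control.annual_cost,
        "worthwhile": benefit > control.annual_cost,
        "accepted": LEVEL_ORDER[risk_level(residual)] <= LEVEL_ORDER[acceptance_threshold],
    }
# Constructed sample: an unpatched internet-facing server and a patching control.
SAMPLE_RISK = Risk("external attacker", "unpatched web server", "High", "High", 200_000)
SAMPLE_CONTROL = Control("monthly patch cycle", 40_000, "Low")
```

Calling evaluate(SAMPLE_RISK, SAMPLE_CONTROL) rates the initial risk High, the residual risk Low, and reports the control as worthwhile because the reduction in expected annual loss exceeds its cost.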