Title: Information
Information Risk Management Overview
Nena Young, CRP, CBCP
Texas Department of Information Resources
email: nena.young_at_dir.state.tx.us
Principles for All Sub-Programs
- Risk Assessment and Solutions
- Centered Management
- Implementation of Controls, including policies
- Awareness
- Monitor and Evaluation of Effectiveness
Overview
Bonus
- In-depth assessment of risks
- Comprehensive picture of business and technical processes
- Identify opportunities for process enhancements and/or re-engineering
- Rapid, precise, smooth recovery
- Insurance policy for staying in business.
Program Components
Information Risk Management Program
1. Risk Analysis / Risk Assessment
Risk Analysis - The process of identifying and documenting vulnerabilities and applicable threats to assets.
Risk Assessment - Projecting losses, assigning levels of risk, and recommending appropriate measures to protect assets.
Risk Analysis
Foundation of All Risk Management Programs
- Snapshot in time.
- Discover compliance with existing policies.
- Basis for selecting cost-efficient, most appropriate protection measures for assets.
- Equilibrium: asset loss versus countermeasures.
- Provide information on likelihood of threat occurrence and asset impact.
- Federal government and most states mandate it.
- Ensure reasonable steps are taken to prevent loss of assets.
Risk Analysis vs. BIA
Risk Analysis / Assessment - (Proactive) Initial process that identifies critical processes, evaluates current standards and countermeasures, determines cost-effective mitigation of identified risks, includes ALE.
Business Impact Analysis - (Reactive) Quantifies risks to include exposure results such as financial loss, client goodwill, public confidence, etc.
Jargon
- Assets - Anything that has value and is worth protecting or preserving.
- Threats - Events or actions which always exist and can generate undesirable impacts or loss of assets. Can be either human or environmental.
- Vulnerabilities - The windows of opportunity which allow threats to materialize. The exposures. Conditions of weakness.
- Countermeasures - (Safeguards, Controls) - Devices, processes, actions, procedures that can reduce vulnerabilities. Preventive, Detective, Corrective.
- Risk - Potential for a threat to exploit a vulnerability. A threat + a vulnerability = a RISK.
The Basics
- Assets identified.
- Threats identified.
- Vulnerabilities identified.
- Asset Losses identified.
- Protective measures identified and proposed.
Quantitative vs. Qualitative
Theoretically . . .
- Quantitative
  - Objective Numeric Values
  - Asset Value
  - Impact
  - Frequency of Threats
  - Countermeasure Cost-Effectiveness
  - Use of Complex Calculations (confidence factors, probabilities, SLE, ALE, ...)
- Qualitative
  - Descriptive, Immeasurable Values
  - Characteristics
  - No Quantifiable Data
  - No ALE
  - Yes/No, Low/Medium/High, Vital/Critical/Important, good/bad
  - Rankings based on judgement
In the Real World . . .
Risk Analysis Involves Both
- Quantifiable measurements.
- Judgements based on experience and knowledge.
Ten Steps
- Organize and Define the Scope
- Identify and Value the Assets
- Identify Applicable Threats
- Identify and Describe Vulnerabilities
- Establish Pairings (relationships)
- Determine the Impact of Threat Occurrence
- Measure Existing Countermeasures
- Determine Residual Risks
- Recommend Additional Countermeasures
- Prepare a Risk Analysis Report
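A worked example of the quantitative side of these steps (asset/threat/vulnerability pairings, SLE and ALE, residual risk, and choosing a cost-effective countermeasure), added here and not part of the presentation. The SLE and ALE formulas are the standard ones, assumed rather than stated on the slides, and the asset, exposure and cost figures are constructed.

```python
"""Quantitative risk analysis in the deck's terms.

Assumed standard formulas (the slides name SLE and ALE but do not define them):
  SLE = asset value x exposure factor      (loss from one occurrence)
  ALE = SLE x ARO                          (expected loss per year)
  countermeasure value = ALE before - ALE after - annual cost of the control
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Pairing:
    """One asset / threat / vulnerability relationship (step 5 of the ten)."""
    asset: str
    threat: str
    vulnerability: str
    asset_value: float        # replacement or business value, in dollars
    exposure_factor: float    # fraction of asset value lost per occurrence (0-1)
    aro: float                # annualized rate of occurrence (events per year)


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    new_exposure_factor: float  # exposure factor once the control is in place
    new_aro: float              # occurrence rate once the control is in place


def sle(p: Pairing) -> float:
    return p.asset_value * p.exposure_factor


def ale(p: Pairing) -> float:
    return sle(p) * p.aro


def residual_ale(p: Pairing, c: Countermeasure) -> float:
    """ALE that remains after the control (step 8: residual risk)."""
    return p.asset_value * c.new_exposure_factor * c.new_aro


def countermeasure_value(p: Pairing, c: Countermeasure) -> float:
    """Net annual value of a control; negative means it costs more than it saves."""
    return ale(p) - residual_ale(p, c) - c.annual_cost


def recommend(p: Pairing, options: List[Countermeasure]) -> Optional[Countermeasure]:
    """Step 9: the option with the highest positive net value, or None (accept the risk)."""
    best = max(options, key=lambda c: countermeasure_value(p, c), default=None)
    return best if best is not None and countermeasure_value(p, best) > 0 else None


# Constructed sample pairing and options; not figures from the presentation.
FILE_SERVER = Pairing("file server", "fire (environmental, fabricated)",
                      "no fire suppression in server room", 200_000, 0.8, 0.05)
OPTIONS = [Countermeasure("gas fire suppression system", 4_000, 0.2, 0.05),
           Countermeasure("hot-site contract", 20_000, 0.3, 0.05)]
```

With these figures the ALE is $8,000 a year, so the $20,000 hot-site contract costs more than it saves while the suppression system nets $2,000 a year and is recommended.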
Types of Threats
- Human - Intentional: Malicious Software, Invasion, Fraud or embezzlement
- Human - Unintentional: Programmer Error, User Error
- Environmental - Natural: Earthquakes, Flood
- Environmental - Fabricated: Fire, Electromagnetic interference
Impact of Threat Occurrence
- Impact (Loss) Categories:
- Disclosure - Classification or sensitivity of information. Who has access.
- Modification - A realized threat causes unauthorized changes in an asset.
- Destruction - Threat activity causes damage to an asset, making it unusable.
- Denial of Service - A realized threat causes a loss of availability.
Types of Countermeasures
- Preventive
- Detective
- Corrective
Residual Risks are accepted, mitigated, or transferred.
Knowledge Base Needed
Analysts Need to
- Know current and historical internal environment.
- Know current and historical external environment.
- Understand dependencies and vulnerabilities.
- Understand threat profiles.
- Understand countermeasure choices and related costs.
- Be able to apply cost-benefit analysis to risks and countermeasures.
2. Information Security Program
Protection of an organization's information assets. Purpose - The preservation of the confidentiality, integrity, and availability (CIA) of information. Can add utility and authenticity.
Purpose: A Secure Enterprise
- Protection of Assets
- Protection of Goodwill
- Integrity of Applications and Data
- Due Diligence
- Protection of Employees, Shareholders, Partners, Clients
Security
Eight Steps
1. Management Sponsorship and Support
2. Organize and Define the Scope
3. Risk Analysis
4. Policies and Procedures
5. Controls
6. Security Breach Reporting and Investigation
7. Awareness Training
8. Monitor and Test
The Bad Guys
- Competitors
- Employees (58% - 80%)
- Foreign Governments
- Political Activists
- Professional Spies
Reprinted from Cohen Assc Presentation
Why Do They Attack?
- Testing
- Coercion
- Military Advantage
- Economic Advantage
- Evidence
- Money
- Fun/Challenge
- Vengeance
- Mental Instability
- Religious/Political Beliefs
- Self-Defense
Some Hacker Tools
Types of Attacks
- Antagonism
- Denial of Service
- Invasion of Privacy
- System Modification
- Logic Bombs
- Trojan Horses
- Worms
- Viruses
- Malicious Mobile Code
- Over 1900 Web Sites (Free Hacking Tools)
Some Defense Tools
- Virus Detection
- Access Control
- Firewalls
- Dial-back Modems
- Token-based Password
- Public Cryptography
- Biometrics
Internet
- Older than:
  - Pong
  - Digital Watches
  - IBM PC
  - Disco
  - MicroSoft
  - Current Concept of Hackers
- 12M Hosts, 120M Users (70M USA), 12% Growth a Month
- 1 Billion users by 2005, 66% abroad
- New Web Site every 4 seconds
- Electronic Commerce - Single Sites Over 100,000 Requests a Day
- 80% of Web Sites - Mobile Code Enabled
- 90% of EC Applications use Mobile Code
- -50 Major Organizations w/Internet Use Firewall
Damage
- Average cost of computer break-ins - $136K
- Of companies hit by viruses and espionage, most can't estimate the value of the damage.
Chart Reprinted from Information Week
Paradox
IT Managers Surveyed by EY
- Security of Internet Connections
  - 62% Satisfied
  - 38% Not Satisfied
- Increase Important Transactions if Security were Enhanced
  - 73% Yes
  - 27% No
Increasing Need for Security
- Most Fortune 500 Companies Penetrated by Cybercriminals
- 17% of Intrusion Victims Report to Authorities
- FBI Estimate - $10B a year in Electronic Crimes
- Increasing Scams
  - 100,000 Investors Victim to Phony Web Sites
  - High-tech revolutionary devices
  - Partnership with MicroSoft
  - Initial Public Offering with the SEC
- Tens of Thousands of Probing Attacks against Pentagon annually
  - Origin of Attacks Camouflaged through other Countries
  - DISA Vulnerability Testing
Some Road Blocks to Security
- Lack of Sufficient Budget
- Lack of Resources - Management Support, Staff
- Lack of Awareness
- Lack of Tools
Knowledge Base Needed (CISSP)
- Access control
- Telecommunications and network security
- BCP
- Security management practices: policies, standards, control of risk
  - control of risk
  - information classification
  - security awareness
  - organizational architecture
  - policy development
  - risk management
- Security architecture and models
- Law, investigation, and ethics
Knowledge Base Needed (CISSP) (cont.)
- Application and system development security
- Cryptography
- Computer operations security
- Physical security
  - threats and facility requirements
  - personnel physical access control
  - microcomputer physical security
. . . information protection is not a simple matter, and it cannot be addressed from a single perspective. It is a pervasive problem that must be pursued in a holistic manner in order to provide its benefits.
Security
The Process (cycle diagram; labels recovered from the slide):
- Define Environment / Assets
- Risk Analysis / Assessment
- Policies, Stds, Procedures
- Design / Implementation
- Awareness / Administration
- Monitoring, Testing / Audits
3. Business Continuity Program
BCP - Spells out what, who, how, and when for a quick and smooth restoration of critical operations after a catastrophic disruptive event, minimizes losses, and eventually returns to business as normal.
A Rose by Any Other Name . . .
- Business Resumption Plan
- Disaster Recovery Plan
- Crisis Management Plan
- Contingency Plan
- Business Continuity Plan
BCP
Goals
- Identify weaknesses and implement a disaster prevention program
- Minimize the duration of a serious disruption to business operations
- Facilitate effective co-ordination of recovery tasks and reduce the complexity of the recovery effort
Sources of Interruptions Are Numerous
- Natural
  - Tornadoes, Floods, Fires . . .
- Human
  - Terrorist Attacks . . .
- Most Frequent (Less Sensational)
  - Equipment Failure, Theft, Employee Sabotage . . .
Twelve Steps
1. Pre-planning (Senior Mgmt Commitment/Support, Policies)
2. Risk Analysis
3. Business Impact Analysis
4. Identify Resources and Requirements Needed
5. Emergency Response
6. Coordination with Public Authorities
7. Public Relations and Crisis Communications
8. Strategic Alternatives
9. Plan Development/Implementation
10. Testing/Exercises
11. Awareness
12. Maintenance
Business Impact Analysis (BIA)
- Foundation of BCP
- Establishes the value of each major organizational function as it relates to the whole
- Provides the basis for identifying the critical resources required to develop a business recovery strategy.
- Establishes priority for restoring the functions of the organization in the event of a disaster.
Impacts
- Revenue
- Legal - fines, penalties
- Goodwill, Client / Stockholder Confidence
Note: Losses may not be dollars.
Six Steps to BIA
1. Identify the Critical Business Functions
2. Prioritize These Functions
3. Identify Dependencies and Resources Needed
4. Identify Points of Failure for Each Function
5. Estimate Probable Impact of Loss for Each Point of Failure
6. Determine if a Contingency Plan is Required
Failing to Test
Staying Current
- Conduct BIA on a planned periodic schedule or after major change
- Make sure a plan is included for each critical function that has a critical impact on mission accomplishment
- Continue to test and evaluate plans at least once a year
- Keep personnel responsibilities up to date and test for readiness
- Involve key personnel in operational planning
Knowledge Base Needed (CRP, CBCP)
- Project initiation and management
- Risk evaluation and control
- BIA
- Developing business continuity strategies
- Emergency response and operations
- Developing and implementing business continuity plans
- Awareness and training programs
- Maintaining and exercising business continuity plans
- Public relations and crisis communications
- Coordination with public authorities
BCP Process (cycle diagram; labels recovered from the slide):
- Scope/Maintenance
- BIA
- Strategic Alternatives, Teams
- Plan Development, Implementation
- Testing
- Awareness
Financial Losses Reported (chart)
Importance of IRM Policy Elements (chart)
Process
- Obtain Sr. Mgmt Buy-in, Support
- Assign Roles and Responsibilities
- Inventory Assets
- Classify Information
- Assess Risks
- Business Continuity Plan
  - BIA
  - BCP Teams
  - Requirements
  - BCP Development/Implementation
  - Testing
  - Awareness
  - Maintenance
- Information Security Plan
  - Policies/Procedures
  - Incident Reporting/Investigation
  - Countermeasures
  - Awareness
  - Monitor/Audit
Last Words
"Risk is a part of every activity and can never be eliminated, nor can all the risks ever be known. Risk in itself is not bad; risk is often essential to progress. But we must learn to balance the possible negative consequences of risk to assets against the potential benefits of its associated opportunity."
Risk Management in Practice, SEI Technical Review
Go ahead and take risks, just be sure that everything will turn out . . .
Disasters are inevitable . . . Survival isn't . . .