Information - PowerPoint PPT Presentation

About This Presentation
Title:

Information

Description:

Over 1900 Web Sites (Free Hacking Tools) Security. Some Defense Tools. Virus Detection ... Identify weaknesses and implement a disaster prevention program ... – PowerPoint PPT presentation

Slides: 50
Provided by: nenay
Transcript and Presenter's Notes

1
Information Risk Management Overview
Nena Young, CRP, CBCP, Texas Department of Information Resources, email nena.young_at_dir.state.tx.us
2
Principles for All Sub-Programs
  • Risk Assessment and Solutions
  • Centered Management
  • Implementation of Controls, including policies
  • Awareness
  • Monitoring and Evaluation of Effectiveness

Overview
3
Bonus
  • In-depth Assessment of risks
  • Comprehensive picture of business and technical
    processes
  • Identify opportunities for process enhancements
    and/or re-engineering
  • Rapid, precise, smooth recovery
  • Insurance Policy for staying in business.

Overview
4
Program Components
5
Information Risk Management Program
Overview
6
1. Risk Analysis & Risk Assessment
Risk Analysis - The process of identifying and documenting vulnerabilities and applicable threats to assets.
Risk Assessment - Projecting losses, assigning levels of risk, and recommending appropriate measures to protect assets.
Risk Analysis
7
Foundation of all risk management programs
  • Snapshot in time.
  • Discover compliance with existing policies.
  • Basis for selecting cost-efficient, most
    appropriate protection measures for assets.
  • Equilibrium between asset loss and the cost of
    countermeasures.
  • Provide information on likelihood of threat
    occurrence and asset impact.
  • Mandated by the federal government and most states.
  • Ensure reasonable steps are taken to prevent loss
    of assets.

Risk Analysis
8
Risk Analysis vs BIA
Risk Analysis / Assessment - (Proactive) Initial process that identifies critical processes, evaluates current standards and countermeasures, determines cost-effective mitigation of identified risks, and includes ALE.
Business Impact Analysis - (Reactive) Quantifies risks to include exposure results such as financial loss, client goodwill, public confidence, etc.
Risk Analysis
9
Jargon
  • Assets - Anything that has value and is worth
    protecting or preserving.
  • Threats - Events or actions which always exist
    and can generate undesirable impacts or loss of
    assets. Can be either human or environmental.
  • Vulnerabilities - The windows of opportunity
    which allow threats to materialize. The
    exposures. Conditions of weakness.
  • Countermeasures - (Safeguards, Controls) -
    Devices, processes, actions, procedures that can
    reduce vulnerabilities. Preventive, Detective,
    Corrective.
  • Risk - Potential for a threat to exploit a
    vulnerability. A threat + a vulnerability = a RISK.

Risk Analysis
10
The Basics
  • Assets identified.
  • Threats identified.
  • Vulnerabilities identified.
  • Asset Losses identified.
  • Protective measures identified and proposed.

Risk Analysis
11
Quantitative & Qualitative
Theoretically . . .
  • Quantitative
    • Objective Numeric Values
    • Asset Value
    • Impact
    • Frequency of Threats
    • Countermeasure Cost-Effectiveness
    • Use of Complex Calculations (confidence factors,
      probabilities, SLE, ALE, ...)
  • Qualitative
    • Descriptive, Immeasurable Values
    • Characteristics
    • No Quantifiable Data
    • No ALE
    • Yes/No, Low/Medium/High, Vital/Critical/Important,
      good/bad
    • Rankings based on judgement

Risk Analysis
12
In the Real World. . .
Risk Analysis Involves Both
  • Quantifiable measurements.
  • Judgements based on experience and knowledge.

Risk Analysis
13
Ten Steps
  • Organize and Define the Scope
  • Identify and Value the Assets
  • Identify Applicable Threats
  • Identify and Describe Vulnerabilities
  • Establish Pairings (relationships)
  • Determine the Impact of Threat Occurrence
  • Measure Existing Countermeasures
  • Determine Residual Risks
  • Recommend Additional Countermeasures
  • Prepare a Risk Analysis Report

Risk Analysis
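As an added illustration of the quantitative side of these steps (value the assets, establish pairings, measure existing countermeasures, determine residual risk, recommend additional countermeasures), here is a small Python model; it is example code, not part of the presentation. It uses the standard formulas SLE = AV x EF and ALE = SLE x ARO behind the slides' "SLE, ALE" calculations, and every asset value, exposure factor and occurrence rate in it is constructed.

```python
# Added example, not from the presentation. SLE = AV x EF and ALE = SLE x ARO
# are the standard formulas behind the slide's "SLE, ALE" calculations; every
# dollar figure, exposure factor and occurrence rate below is constructed.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Pairing:               # one row from "Establish Pairings"
    asset: str
    threat: str
    vulnerability: str
    asset_value: float       # AV, in dollars
    exposure_factor: float   # EF: fraction of AV lost per occurrence
    annual_rate: float       # ARO: expected occurrences per year

@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    exposure_factor: float   # EF once the control is in place
    annual_rate: float       # ARO once the control is in place

def sle(av: float, ef: float) -> float:
    return av * ef           # single loss expectancy

def ale(av: float, ef: float, aro: float) -> float:
    return sle(av, ef) * aro # annualized loss expectancy

def evaluate(p: Pairing, cm: Countermeasure) -> dict:
    """Measure a control: ALE before, residual ALE after, and net benefit."""
    before = ale(p.asset_value, p.exposure_factor, p.annual_rate)
    residual = ale(p.asset_value, cm.exposure_factor, cm.annual_rate)
    net = before - residual - cm.annual_cost
    return {"ale_before": before, "residual_ale": residual,
            "net_benefit": net, "recommend": net > 0}

def best_option(p: Pairing, options: List[Countermeasure]) -> Optional[Countermeasure]:
    """Recommend the control with the largest positive net benefit, if any."""
    scored = [(evaluate(p, c)["net_benefit"], c) for c in options]
    net, cm = max(scored, key=lambda s: s[0])
    return cm if net > 0 else None

# Constructed pairing: file-server data / flood / no off-site backup
PAIRING = Pairing("file server data", "flood", "no off-site backup",
                  asset_value=500_000, exposure_factor=0.8, annual_rate=0.05)
OFFSITE = Countermeasure("off-site backup", 6_000, exposure_factor=0.1, annual_rate=0.05)
HOT_SITE = Countermeasure("hot site", 40_000, exposure_factor=0.02, annual_rate=0.05)

if __name__ == "__main__":
    print(best_option(PAIRING, [OFFSITE, HOT_SITE]).name, evaluate(PAIRING, OFFSITE))
```

The costlier hot site drives residual ALE lower but its annual cost exceeds the loss it avoids, so the model recommends the off-site backup: the "cost-efficient, most appropriate" choice rather than the strongest one.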
14
Types of Threats
  • Human - Intentional: Malicious Software,
    Invasion, Fraud or embezzlement
  • Human - Unintentional: Programmer Error, User
    Error
  • Environmental - Natural: Earthquakes, Flood
  • Environmental - Fabricated: Fire, Electromagnetic
    interference
Risk Analysis
15
Impact of Threat Occurrence
  • Impact (Loss) Categories.
  • Disclosure - Classification or sensitivity of
    information. Who has access.
  • Modification - A realized threat causes
    unauthorized changes in an asset.
  • Destruction - Threat activity causes damage to an
    asset, making it unusable.
  • Denial of Service - A realized threat causes a
    loss of availability.

Risk Analysis
16
Types of Countermeasures
  • Preventive
  • Detective
  • Corrective

Risk Analysis
17
Residual Risks are accepted, mitigated, or transferred.
Risk Analysis
18
Knowledge Base Needed
Analysts Need to
  • Know current and historical internal environment.
  • Know current and historical external environment.
  • Understand dependencies and vulnerabilities.
  • Understand threat profiles.
  • Understand countermeasure choices and related
    costs.
  • Be able to apply cost-benefit analysis to risks
    and countermeasures

Risk Analysis
20
2. Information Security Program
Protection of an organization's information assets. Purpose - The preservation of the confidentiality, integrity, and availability (CIA) of information. Can add utility and authenticity.
21
Purpose: A Secure Enterprise
  • Protection of Assets
  • Protection of Goodwill
  • Integrity of Applications and Data
  • Due Diligence
  • Protection of Employees, Shareholders, Partners,
    Clients

Security
22
Eight Steps
  1. Management Sponsorship and Support
  2. Organize and Define the Scope
  3. Risk Analysis
  4. Policies and Procedures
  5. Controls
  6. Security Breach Reporting and Investigation
  7. Awareness Training
  8. Monitor and Test
Security
23
The Bad Guys
  • Competitors
  • Employees (58 - 80%)
  • Foreign Governments
  • Political Activists
  • Professional Spies

Security
Reprinted from Cohen Assc Presentation
24
Why Do They Attack?
  • Testing
  • Coercion
  • Military Advantage
  • Economic Advantage
  • Evidence
  • Money
  • Fun/Challenge
  • Vengeance
  • Mental Instability
  • Religious/Political Beliefs
  • Self-Defense

Security
25
Some Hacker Tools
Types of Attacks
  • Antagonism
  • Denial of Service
  • Invasion of Privacy
  • System Modification
  • Logic Bombs
  • Trojan Horses
  • Worms
  • Viruses
  • Malicious Mobile Code
  • Over 1900 Web Sites (Free Hacking Tools)

Security
Some Defense Tools
  • Virus Detection
  • Access Control
  • Firewalls
  • Dial-back Modems
  • Token-based Password
  • Public Cryptography
  • Biometrics

26
Internet
  • Older than:
    • Pong
    • Digital Watches
    • IBM PC
    • Disco
    • MicroSoft
    • Current Concept of Hackers
  • 12M Hosts, 120M Users (70M-USA), 12% Growth a
    Month
  • 1 Billion users by 2005, 66% abroad
  • New Web Site every 4 seconds
  • Electronic Commerce - Single Sites Over 100,000
    Requests a Day
  • 80% of Web Sites - Mobile Code Enabled
  • 90% of EC Applications use Mobile Code
  • -50 Major Organizations w/Internet Use Firewall

Security
27
Damage - Average cost of computer break-ins - $136K. Of companies hit by viruses and espionage, most can't estimate the value of the damage.
Security
Chart Reprinted from Information Week
28
Paradox
IT Managers Surveyed by EY
  • Security of Internet Connections
    • 62% Satisfied
    • 38% Not Satisfied
  • Increase Important Transactions if Security were
    Enhanced
    • 73% Yes
    • 27% No

Security
29
Increasing Need for Security
  • Most Fortune 500 Companies Penetrated by
    Cybercriminals
  • 17% of Intrusion Victims Report to Authorities
  • FBI Estimate - $10B a year in Electronic Crimes
  • Increasing Scams
    • 100,000 Investors Victim to Phony Web Sites
    • High-tech revolutionary devices
    • Partnership with MicroSoft
    • Initial Public Offering with the SEC
  • Tens of Thousands of Probing Attacks against
    Pentagon annually
  • Origin of Attacks Camouflaged through other
    Countries
  • DISA Vulnerability Testing

Security
30
Some Road Blocks to Security
  • Lack of Sufficient Budget
  • Lack of Resources - Management Support, Staff
  • Lack of Awareness
  • Lack of Tools

Security
31
Knowledge Base Needed (CISSP)
  • Access control
  • Telecommunications and network security
  • BCP
  • Security management practices
    • policies, standards
    • control of risk
    • information classification
    • security awareness
    • organizational architecture
    • policy development
    • risk management
  • Security architecture and models
  • Law, investigation, and ethics

Security
32
Knowledge Base Needed (CISSP) (cont)
  • Application and system development security
  • Cryptography
  • Computer operations security
  • Physical security
    • threats and facility requirements
    • personnel physical access control
    • microcomputer physical security

Security
". . . information protection is not a simple matter, and it cannot be addressed from a single perspective. It is a pervasive problem that must be pursued in a holistic manner in order to provide its benefits."
33
Security
34
The Process (diagram): Define Environment & Assets; Risk Analysis & Assessment; Policies, Stds, Procedures; Design & Implementation; Awareness & Administration; Monitoring, Testing & Audits
35
3. Business Continuity Program
BCP - Spells out what, who, how, and when for a quick and smooth restoration of critical operations after a catastrophic disruptive event, minimizes losses, and eventually returns to business as normal.
36
A Rose by Any Other Name . . .
  • Business Resumption Plan
  • Disaster Recovery Plan
  • Crisis Management Plan
  • Contingency Plan
  • Business Continuity Plan
BCP
37
Goals
  • Identify weaknesses and implement a disaster
    prevention program
  • Minimize the duration of a serious disruption to
    business operations
  • Facilitate effective co-ordination of recovery
    tasks and reduce the complexity of the recovery
    effort

BCP
38
Sources of Interruptions are Numerous
  • Natural
    • Tornadoes, Floods, Fires . . .
  • Human
    • Terrorist Attacks . . .
  • Most Frequent (Less Sensational)
    • Equipment Failure, Theft, Employee Sabotage . . .

BCP
39
Twelve Steps
  1. Pre-planning
     (Senior Mgmt Commitment/Support, Policies)
  2. Risk Analysis
  3. Business Impact Analysis
  4. Identify Resources and Requirements Needed
  5. Emergency Response
  6. Coordination with Public Authorities
  7. Public Relations and Crisis Communications
  8. Strategic Alternatives
  9. Plan Development/Implementation
  10. Testing/Exercises
  11. Awareness
  12. Maintenance

BCP
40
Business Impact Analysis (BIA)
  • Foundation of BCP
  • Establishes the value of each major
    organizational function as it relates to the
    whole
  • Provides the basis for identifying the critical
    resources required to develop a business recovery
    strategy.
  • Establishes priority for restoring the functions
    of the organization in the event of a disaster.

BCP
41
Impacts
  • Revenue
  • Legal - fines, penalties
  • Goodwill, Client & Stockholder Confidence
Note: Losses May not be Dollars.
BCP
42
Six Steps to BIA
  1. Identify the Critical Business Functions
  2. Prioritize These Functions
  3. Identify Dependencies and Resources Needed
  4. Identify Points of Failure for Each Function
  5. Estimate Probable Impact of Loss for Each Point of
     Failure
  6. Determine if a Contingency Plan is Required
BCP
43
Failing to Test
BCP
44
Staying Current
  • Conduct BIA on planned periodic time or after
    major change
  • Make sure a plan is included for each critical
    function that has a critical impact on mission
    accomplishment
  • Continue to test and evaluate plans at least once
    a year
  • Keep personnel responsibilities up to date and
    test for readiness
  • Involve key personnel in operational planning

BCP
45
Knowledge Base Needed (CRP, CBCP)
  • Project initiation and management
  • Risk evaluation and control
  • BIA
  • Developing business continuity strategies
  • Emergency response and operations
  • Developing and implementing business continuity
    plans
  • Awareness and training programs
  • Maintaining and exercising business continuity
    plans
  • Public relations and crisis communications
  • Coordination with public authorities

BCP
46
BCP (diagram): Scope/Maintenance; BIA; Strategic Alternatives, Teams; Plan Development, Implementation; Testing; Awareness
47
Financial Losses Reported (chart)
Overview
Importance of IRM Policy Elements (chart; values only, labels not recoverable)
48
Process
Obtain Sr. Mgmt Buy-in & Support; Assign Roles and Responsibilities; Inventory Assets; Classify Information; Assess Risks
Overview
  • Business Continuity Plan
    • BIA
    • BCP Teams
    • Requirements
    • BCP Development/Implementation
    • Testing
    • Awareness
    • Maintenance
  • Information Security Plan
    • Policies/Procedures
    • Incident Reporting/Investigation
    • Countermeasures
    • Awareness
    • Monitor/Audit

49
Last Words
"Risk is a part of every activity and can never be eliminated, nor can all the risks ever be known. Risk in itself is not bad; risk is often essential to progress. But we must learn to balance the possible negative consequences of risk to assets against the potential benefits of its associated opportunity."
Risk Management in Practice, SEI Technical Review
"Go ahead and take risks, just be sure that everything will turn out . . ."
"Disasters are inevitable . . . Survival isn't . . ."