Active Network Presentation 091908 - PowerPoint PPT Presentation

About This Presentation
Title: Active Network Presentation 091908
Slides: 26
Provided by: oisp

Transcript and Presenter's Notes

Title: Active Network Presentation 091908


1
Information Risk Management
Fighting for control of critical systems
Rick Dakin, Rick.dakin_at_coalfiresystems.com
February 19, 2009
2
Agenda
  • Vulnerability versus Risks
  • Why Maintain a Risk Management Program?
  • Risk Management Process
  • Risk Analysis
  • Control Selection
  • Control Operations
  • Risk Measurement
  • Reporting Risk

3
Why Manage RISK?
  • Increasing Cyber Threats
  • Reduced Tolerance for Service Disruption
  • More Demanding Compliance Requirements
  • Need for more Efficient Data Sharing Across
    Agencies
  • Justification to establish Risk Mitigation
    Priorities and Allocation of Resources

4
Elements of RISK
[Diagram] Threat, Motive, Method, Vulnerability, RISK
5
Risk Management Perspective
Risk Management on the Battlefield
See It
Shoot It
Kill It
6
Risk Management Process
7
Step 1 Categorize Assets
  • Inventory Critical Services and Information
    • Processes: Medicaid Disbursements, Patient Enrollment
    • Information: Patient Records, Patient Contact Info, Prescription Records
  • Inventory supporting information systems
    • Applications: MedCore, PharmTrack
    • Systems: WEB01, SYS01, PHSYS12, WEB01_DR, SYS01_DR
    • Networks: 172.29.50.1/24, 10.1.52.1/16
  • Define Security Categorization Value System
    • Confidentiality (High, Medium, Low)
    • Integrity (High, Medium, Low)
    • Availability (High, Medium, Low)
  • Assign Values to Information, Services, and Information Systems
    • Medicaid Disbursements (C: High, I: High, A: High)
    • Patient Enrollment (C: High, I: Medium, A: Medium)

Goal: Identify critical assets and inventory supporting systems
8
Sample Data Flow
[Diagram] Customer; Production Environment: POS Terminals (card present in stores and parking facilities), Web Server (card not present), Authorization, Transaction Servers or Payment Gateway, Transaction Record Archive, Phone / Fax / Email; Admin Environment: Batch Settlement (Marketing, Customer Service, Ecommerce, Phone / Fax, Gift Cards, Fraud, Accounting / Administration), Application Servers (Back Office, Customer Svc), Data Warehouse, Payment Gateway and Transaction Database; Acquiring Bank (Wells Fargo, BoA, Chase); Document Vaults (Paper records); Portal Access to Reconciliation Data (Charge Back / Sales Audit)
9
Step 2 Assess Risk
  • Identify relevant threats
    • Human Threats: Theft, Vandalism, Error, Interception, Tampering
    • Environmental Threats: Earthquake, Power Disruptions, Water Damage
  • Link threats to specific assets / asset groups
    • Service Threats: Power Outages, Earthquakes
    • Information Threats: Theft, Tampering, Interception
    • System Threats: Theft, Power Outages, Tampering, Water Damage
    • Network Threats: Power Outages, Water Damage, Tampering
  • Test assets for vulnerabilities that could amplify risk
    • Vulnerability Scans, Pen Tests, Social Engineering
  • Create risk statements (Threat, Asset)
  • Evaluate each risk statement against impact and likelihood of occurrence

Goal: Determine the reasonable level of risk that exists to organizational assets.
10
Risk Analysis
Each risk should be reviewed based upon a combination of severity and likelihood.
[Matrix] Severity (LOW to HIGH) against likelihood (LOW to HIGH); cells rated HIGH RISK, MEDIUM RISK, LOW RISK
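The following is an added worked example, not code from the deck or from Coalfire, that runs Steps 1 and 2 and the severity/likelihood matrix above as a small risk register: assets carry the C/I/A categorization from Step 1, threats are linked to asset groups as in Step 2, each (Threat, Asset) risk statement takes its impact from the categorization value of the property that threat affects, and the matrix cell is derived by adding the two levels. The asset inventory, the likelihood values, the threat-to-property mapping and the matrix cell assignment are all constructed assumptions for illustration; the slide only names the three cell ratings.

```python
from collections import Counter
from dataclasses import dataclass
from itertools import product

# Three-level value system from Step 1, expressed as an ordinal score.
LEVELS = {"Low": 0, "Medium": 1, "High": 2}


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str  # asset group: "service", "information", "system" or "network"
    c: str     # Confidentiality categorization
    i: str     # Integrity categorization
    a: str     # Availability categorization


# Constructed sample inventory (assumption), mirroring the Step 1 examples.
ASSETS = [
    Asset("Medicaid Disbursements", "service", "High", "High", "High"),
    Asset("Patient Enrollment", "service", "High", "Medium", "Medium"),
    Asset("Patient Records", "information", "High", "High", "Medium"),
    Asset("WEB01", "system", "Medium", "High", "High"),
    Asset("10.1.52.1/16", "network", "Low", "Medium", "High"),
]

# Threat catalogue linked to asset groups (Step 2). The security property each
# threat primarily affects is an assumption: theft/interception hit C,
# tampering hits I, outages and environmental threats hit A.
THREATS = {
    "Theft": ("c", {"information", "system"}),
    "Interception": ("c", {"information"}),
    "Tampering": ("i", {"information", "system", "network"}),
    "Power Outage": ("a", {"service", "system", "network"}),
    "Earthquake": ("a", {"service"}),
    "Water Damage": ("a", {"system", "network"}),
}

# Likelihood of occurrence per threat: constructed analyst input (assumption).
LIKELIHOOD = {
    "Theft": "Medium",
    "Interception": "Low",
    "Tampering": "Medium",
    "Power Outage": "High",
    "Earthquake": "Low",
    "Water Damage": "Low",
}


def rate(impact: str, likelihood: str) -> str:
    """Matrix cell lookup (assumed layout): sum the two ordinal levels.
    High/High and High/Medium -> HIGH; Medium/Medium and High/Low -> MEDIUM;
    Medium/Low and Low/Low -> LOW."""
    score = LEVELS[impact] + LEVELS[likelihood]
    if score >= 3:
        return "HIGH"
    if score == 2:
        return "MEDIUM"
    return "LOW"


@dataclass(frozen=True)
class RiskStatement:
    threat: str
    asset: str
    impact: str
    likelihood: str
    rating: str


def build_register(assets=ASSETS, threats=THREATS, likelihood=LIKELIHOOD):
    """Create one risk statement per (Threat, Asset) pair whose asset group the
    threat is linked to, rate it, and order HIGH first for prioritization."""
    register = []
    for asset, (threat, (prop, groups)) in product(assets, threats.items()):
        if asset.kind not in groups:
            continue  # threat not linked to this asset group
        impact = getattr(asset, prop)  # categorization of the affected property
        register.append(
            RiskStatement(threat, asset.name, impact, likelihood[threat],
                          rate(impact, likelihood[threat])))
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    register.sort(key=lambda r: (order[r.rating], r.asset, r.threat))
    return register


def summarize(register) -> dict:
    """Counts per rating, the figure a reporting step would roll up."""
    return dict(Counter(r.rating for r in register))


if __name__ == "__main__":
    reg = build_register()
    for r in reg:
        print(f"{r.rating:6} {r.threat:13} -> {r.asset:24} "
              f"(impact {r.impact}, likelihood {r.likelihood})")
    print(summarize(reg))
```

Because impact is taken from the asset's own categorization, re-rating an asset in Step 1 automatically changes every risk statement that touches it, which is the link between the two steps the deck describes.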
11
Step 3 Select Controls
  • Identify compliance requirements
    • Determine by service/process inventories, line-of-business, and information
    • Consult with Legal Counsel
    • Obtain source legal/contractual requirements
  • Identify best-practices requirements
    • Commercial sector best-practices (ISO)
    • Government best-practices (NIST)
  • Group requirements into control activities
    • Construct a control framework
    • Eliminate and/or reduce redundancies in requirements
    • Review risks and implement to assets as necessary

Goal: Select controls to protect data and systems, justified by risk levels
12
Step 4 Operate Controls
  • Establish Policies and Procedures from selected Control Activities
    • Ensure clear direction for control standards
    • Establish organizational risk position and risk expectations
    • Set firm tone for risk management
  • Communicate control responsibilities
    • Communicate responsibilities to all staff, contractors, and 3rd parties
    • Ensure that all service providers adhere to control standards
    • Keep employees up-to-date with controls and responsibilities through awareness programs
  • Establish Process to Verify Ongoing Control Effectiveness
    • Generate an audit trail of control activities
    • Keep activity and event logs
    • Prepare for audit

Goal: Observe strict adherence to organizational control activities in order to ensure that risks are managed to appropriate levels.
13
Step 5 Measure Controls
  • Report and Measure Against Existing Controls
    • Statewide or entity-level control frameworks should be homogeneous
    • Control frameworks produce easily understood reports and reporting frameworks
    • Measuring against control frameworks allows the state to measure real residual risk (the amount of risk left over after controls).
  • Highlight Residual Risks from Control Deficiencies and Immaturity
    • Immaturity and poor operation of controls reveal residual risks. These risks can be mitigated through remediation.
    • Other residual risks may occur due to a lack of, or unawareness of the need for, control.
  • Stay Consistent
    • Keep risk reporting processes aligned to the control framework
    • The framework should be highly organized, yet flexible for year-over-year changes
    • Consistency allows for better analysis of risk patterns and year-over-year trends
  • Provide Report Data to Executive Decision-Makers
    • Develop consistent reports for both state entities and state executives
    • Report against key framework objectives (e.g., Logical Access Controls, Personnel Security, Physical Access Controls, Malicious Code Prevention, etc.)

Goal: Ensure that bottom-up information emerges from control operation to keep decision-makers informed of the changing risk landscape.
14
Measure Progress
The COBIT model will help guide IT staff to design, deploy and operate a sustainable security program that is not dependent on any single individual.
[Maturity scale graphic, with Current State marked]
  • 0 Unaware
  • 1 Ad Hoc: Processes are performed on an individual basis and risks are dependent on the dedication and insight of specific staff
  • 2 Repeatable: Processes are routinely performed in a similar fashion by multiple staff members.
  • 3 Documented: The repeatable processes are defined, documented and staff trained.
  • 4 Managed: Documented processes and policies have accountability to specific metrics that are routinely measured and reported
  • 5 Optimized: Management reviews reports and makes consistent program adjustments
15
Challenges for Statewide Risk Management
  • 1. Oversight for Processes and Standards
    • Where is the locus of control? Within a Centralized Authority or Decentralized Authority?
    • Have standards for information security across all state entities been established or codified into state law?
    • Do agencies/state entities have sufficient internal security leadership to implement programs?
    • Are resources allocated to remediate the most vulnerable systems with the highest impact?
    • Does the state have sufficient processes in place to enforce security controls and standards?

16
Challenges for Statewide Risk Management
  • 2. Coordinating Risk Assessment Plans
    • Are regular risk assessments executed across all state entities?
    • Are standards for risk assessment methodology established, so risk information can be compared across state entities?
    • Are there sufficient tools and staff available to adequately assess risk?
    • Can agencies share data with the expectation of uniform protection?

17
Challenges for Statewide Risk Management
  • 3. Measuring Risk
    • How does the state measure risk?
    • At the executive level, controls and risks are not black and white. Findings must not be based on prescribed control frameworks, since some level of control will always be not in place. Issue: provide a credible report to justify action.
    • Need to assess the maturity of risk management and reporting processes in such a way as to test comfort with risk, rather than prescribed controls.

18
Challenges for Statewide Risk Management
  • 4. Reporting
    • How are risk assessment and audit results communicated to executives?
    • Are state executives and legislators sufficiently informed of risk?
    • Have reporting expectations been established for state entities?
    • Is there a repeatable reporting process in place across the state entities, so results are centrally coordinated, organized, and managed?

19
Overcoming the Challenges
  • MS-ISAC and State of Oklahoma
  • State Challenges
    • Need to coordinate risk assessment planning and implement a consistent risk methodology
    • Need to ensure risk is accurately captured (and not prescribed) from smaller entities to large agencies
    • Need to efficiently collect risk data from across hundreds of state entities
  • MS-ISAC Challenges
    • Need to generate consistent standards for cyber security risk reporting and measurement from the 50 participating states
    • Need to implement a risk-based measurement system that could reflect disparity in control from state to state
    • Need to overcome disparity in security leadership and security standards that exist from state to state (need a common yardstick)

20
Overcoming the Challenges
  • Coalfire Navis Risk Management Platform
    • Common Control Framework
    • Extensive Control Library
    • Hierarchical Risk Reporting
    • Coordinated Control Risk Data
    • Centralized Reporting Processes
    • Coordinated Risk Measurement
  • Relational control requirements link different security programs together
  • Common measurement system (Control Maturity Ranking Index, CMRI) allows for flexible risk measurement, even at state executive level
  • Flexible organizational structures permit hierarchical risk reporting
  • System automatically implements centralized intrastate and interstate risk reporting structures

21
Common Risk Measurement: CMRI
[Scale graphic] Immature, Mature, Very Mature
22
Risk Determination
  • Remediation Plan
    • Priority
    • Resources
    • Funding
    • Joint Responsibility

23
Residual Risk
24
Comparative Analysis
25
Questions
Knowledge, Action, Risk Acceptance
Rick Dakin, Rick.dakin_at_coalfiresystems.com, 303.554.6333 ext. 7001