Title: ESM Risk Management for IT Systems
Slide 1: ESM Risk Management for IT Systems
Eileen Dewey, Rose State College, Midwest City, OK 73110
Slide 2: Risk Management
- Comprised of 3 basic processes
  - Risk assessment
    - Identifying and evaluating risk, its impact and recommended risk-reducing activities
  - Risk mitigation
    - Prioritizing, implementing and maintaining risk-reducing activities
  - Evaluation
    - Continual process
Slide 3: Risk Management
- Goals
  - Enhance mission capabilities of an enterprise by protecting the IT systems that support operations
  - Minimize impact of an event
  - Avoid an event altogether
  - Balance operational and economic costs of protecting IT systems
  - Residual risk
Slides 4-5: Integration into SDLC
Slide 6: Key Personnel Roles
- Senior management: decision makers, allocate resources to ensure mission success
- Chief Information Officer: IT planning, budgeting and performance
- System and Information Owners: ensure that security controls are in place for assets
- Business and Functional Managers: unit-level decision makers
- ISSO: build enterprise security programs; leadership role in risk analysis
- IT Security Practitioners: implement the security plan
- Security Awareness Trainers: educate users to mitigate risk
Slide 7: Risk Assessment
- 1. System Characterization
- 2. Threat Identification
- 3. Vulnerability Identification
- 4. Control Analysis
- 5. Likelihood Determination
- 6. Impact Analysis
- 7. Risk Determination
- 8. Control Recommendations
- 9. Results Documentation
- Steps 2, 3, 4 and 6 can be conducted in parallel after Step 1
Slides 8-10: Risk Assessment
Slide 11: System Characterization
- Define scope of the exercise
  - System/enterprise boundaries
  - Information and resources that constitute the system
  - Personnel
- Data gathering
  - Hardware and software
  - System interfaces
  - User base
  - System mission
  - System and data criticality and sensitivity
Slide 12: System Characterization
- Additional data gathered
  - IT system requirements
  - System security policies
  - System security architecture
  - Network topology
  - Information flow
  - Technical, management and operational controls
  - Physical and environmental security
Slide 13: System Characterization
- Information gathering techniques
  - Questionnaire
  - On-site interviews
  - Document review
  - Automated scanning/discovery tools
- Output from Step 1: Document characterizing the IT system, its boundaries and environment
Slide 14: Threat Identification
- Threat: potential for a threat source to exercise a specific vulnerability
- Threat source identification: natural, human, environmental
- Threat statement: a list of all possible threat sources, considering possible motive and historical evidence
Slide 15: Threat Identification
- Resources
  - Intelligence agencies (for example, the Federal Bureau of Investigation's National Infrastructure Protection Center)
  - Federal Computer Incident Response Center (FedCIRC)
  - Mass media, Web-based resources such as SecurityFocus.com, SecurityWatch.com, SecurityPortal.com, and SANS.org
- Output from Step 2: A threat statement containing a list of threat sources
Slide 16: Vulnerability Identification
- Vulnerability: a weakness or flaw that can be exercised to violate a security policy
- Vulnerability/Threat pairs
Slide 17: Vulnerability Identification
- Vulnerability discovery depends on the state of the system
  - Design: policies, planned security procedures
  - Implementation: results of testing and certification
  - Operation: security controls
Slide 18: Vulnerability Identification
- Previous risk assessment documentation of the IT system assessed
- The IT system's audit reports, system anomaly reports, security review reports, and system test and evaluation reports
- Vulnerability lists, such as the NIST I-CAT vulnerability database (http://icat.nist.gov)
- Security advisories, such as FedCIRC and the Department of Energy's Computer Incident Advisory Capability bulletins
- Vendor advisories
- Commercial computer incident/emergency response teams and post lists (e.g., SecurityFocus.com forum mailings)
- Information Assurance Vulnerability Alerts and bulletins for military systems
- System software security analyses
Slide 19: Vulnerability Identification
- System security testing
  - Automated vulnerability scanning tool (false positives?)
  - Security Testing and Evaluation: test security controls as applied
  - Penetration Testing: probe from the viewpoint of a threat source
Slides 20-22: Vulnerability Identification
- Security Requirements Checklist
Slide 23: Vulnerability Identification
- Output from Step 3: List of system vulnerabilities that could be exercised by the listed threat sources
Slide 24: Control Analysis
- Objective: Analyze all current and planned controls
- Needed to derive a likelihood rating regarding the exercise of specific vulnerabilities
- Technical controls: in HW and SW
- Management controls: policies
- Operational controls: operational procedures
- Preventive vs. detective controls
- Key: Use the Security Requirements Checklist to guide analysis
Slide 25: Control Analysis
- 3 factors in threat likelihood determination
  - Threat source motivation and capability
  - Nature of the vulnerability
  - Current controls (existence and effectiveness)
- Subjective characterization
- Output from Step 5: Likelihood rating (High, Medium, Low)
Slide 26: Impact Analysis
- Goal: Determine the impact resulting from the exercise of a vulnerability
- Need information about
  - System mission
  - System and data criticality
  - System and data sensitivity
- Gathered from
  - Organizational documents
  - Mission/Business Impact Analysis Statement
  - Current levels/dimensions of protection for specific assets
Slide 27: Impact Analysis
- Dimensions of loss
  - Loss of integrity: yields inaccuracy, fraud, bad decisions
  - Loss of availability: diminishes productivity
  - Loss of confidentiality: loss of public confidence
- Characterizing impact
Slide 28: Impact Analysis
- Quantitative vs. qualitative assessment
  - Qualitative assessment prioritizes risks and identifies areas for immediate improvement; it does not precisely measure magnitude
  - Quantitative assessment measures can be used directly in a cost-benefit analysis of recommended controls, but the meaning of the numbers may be unclear
- Additional factors in determining impact
  - Relative frequency of exercise of the vulnerability
  - Approximate cost for each exercise
  - Weighted factor based on subjective analysis
- Output from Step 6: Magnitude of impact (High, Medium, Low)
Slide 29: Risk Determination
- Goal: Assess the level of risk to the IT system (for each threat/vulnerability pair)
- A function of
  - Likelihood of a threat source attempting to exercise a given vulnerability
  - Magnitude of the impact of a successful exercise
  - Adequacy of planned or existing security controls for reducing or eliminating risk
- Conceptual tools: risk scale and risk-level matrix
Slide 30: Risk Determination
- Risk-Level Matrix: multiply likelihood and impact
- Assign numeric values to the subjective ratings
  - Likelihoods: High 1.0, Medium 0.5 and Low 0.1
  - Impacts: High 100, Medium 50 and Low 10
Slide 31: Risk Determination
- Risk scale represents degree or level of risk
- Output from Step 7: Risk Level (High, Medium, Low)
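The risk-level matrix and risk scale described above, worked through as an added example that is not part of the original deck: the numeric likelihood and impact values are the slide's, while the thresholds that turn a matrix score into a High/Medium/Low risk level and the sample threat/vulnerability pairs are assumptions. The ranked output is the list the later "Prioritize actions" step starts from.

```python
"""Added example (not from the slides): Step 7 risk determination with the
risk-level matrix, producing the ranked list that control implementation uses."""
from dataclasses import dataclass

# Numeric values the slide assigns to the subjective ratings.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}
RANK = {"High": 0, "Medium": 1, "Low": 2}


@dataclass
class ThreatVulnPair:
    threat_source: str
    vulnerability: str
    likelihood: str   # Step 5 rating; already reflects the adequacy of current controls
    impact: str       # Step 6 rating: magnitude of impact


def risk_score(likelihood: str, impact: str) -> float:
    """Risk-level matrix: multiply the likelihood value by the impact value."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 2)


def risk_level(score: float) -> str:
    """Map a matrix score onto the risk scale. The slides name the levels but
    not the cut-offs between them; these thresholds are an assumption."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def determine_risk(pairs):
    """Risk level for every threat/vulnerability pair, ranked High to Low."""
    rows = []
    for p in pairs:
        score = risk_score(p.likelihood, p.impact)
        rows.append({"pair": f"{p.threat_source} / {p.vulnerability}",
                     "score": score, "risk_level": risk_level(score)})
    return sorted(rows, key=lambda r: (RANK[r["risk_level"]], -r["score"]))


# Constructed sample pairs, not taken from any real assessment.
SAMPLE_PAIRS = [
    ThreatVulnPair("External attacker", "unpatched web server", "High", "High"),
    ThreatVulnPair("Disgruntled insider", "no separation of duties", "Medium", "High"),
    ThreatVulnPair("Flood", "server room at ground level", "Low", "High"),
    ThreatVulnPair("Tape theft", "unencrypted off-site backups", "Low", "Medium"),
]

if __name__ == "__main__":
    for row in determine_risk(SAMPLE_PAIRS):
        print(f'{row["risk_level"]:6} {row["score"]:6} {row["pair"]}')
```

Note that a High likelihood with a Low impact scores 10, the same as a Low likelihood with a High impact, so the matrix alone does not distinguish them and the Step 9 report should still record both ratings.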
Slide 32: Control Recommendations
- Goal: Identify controls that could mitigate or eliminate named risks
- Factors
  - Effectiveness of recommended options
  - Legislation and regulation
  - Organizational policy
  - Operational impact
  - Safety and reliability
- Not all possible recommended controls can or will be implemented (prioritize, using cost-benefit analysis!)
- Output from Step 8: Recommendation of control(s) and alternatives
Slide 33: Results Documentation
- Goal: Capture results of the risk assessment in an official report
- Focus on helping senior management and stakeholders make decisions on policy, procedure, operations and management
- Tone: systematic and analytical
- Combined with oral presentation
- Output from Step 9: Risk assessment report describing threats, vulnerabilities, measured risk and recommendations
Slide 34: Risk Mitigation
- Prioritize, evaluate and implement controls
- Philosophy
  - Least-cost approach
  - Implement most appropriate controls
  - Accept minimal adverse impact
- Risk mitigation options
  - Risk assumption: zen-like state
  - Risk avoidance: e.g., shut down services to avoid attacks
  - Risk limitation: implement controls to mitigate threats
  - Risk planning: managing risk systematically
  - Research and acknowledgement: identify flaws and correct them
  - Risk transference: e.g., insurance
Slide 35: Risk Mitigation
Slide 36: Risk Mitigation
- Action point rules of thumb
  - Vulnerability exists? Implement assurance techniques to reduce likelihood of exercise
  - Vulnerability can be exercised? Apply layered protection to minimize impact
  - Attacker's cost < potential gain? Apply protection to decrease attacker incentive
  - Loss is too great? Apply design principles and protective measures to reduce the potential for loss
Slide 37: Control Implementation
- Philosophy: Address the greatest risks and strive for sufficient risk mitigation at the lowest cost, with minimal adverse impact on the mission
- Prioritize actions → Actions ranked from High to Low
- Evaluate recommended control options → List of feasible controls
- Conduct cost-benefit analysis → CBA on control selection
- Select control → List of selected controls
- Assign responsibility → Personnel list
- Develop a safeguard implementation plan → Implementation plan
- Implement selected controls → Residual risk
Slide 38: Control Categories
- Security controls: prevent, limit, deter threat-source damage to IT assets
- Engage a combination of technical, management and operational controls
- Trade-offs in the decision-making process reflect organizational balance
Slide 39: Technical Controls
- Supporting
  - Underlie most security capabilities
- Preventive
  - E.g. firewalls, access control, secure communication
- Detect and recover
  - Auditing, redundancy, archival, IDSs
Slide 40: Technical Controls
Slide 41: Management Controls
- Information protection policies, guidelines, standards for operations
- Preventive
  - Assign security responsibility
  - Develop and maintain security plans
  - Implement personnel security controls such as least privilege or separation of duties
  - Conduct security awareness and training
- Detection
  - Implement personnel security controls such as background checks
  - Periodic review of security controls
  - Periodic system audits
  - Ongoing risk management processes
- Recovery
  - Provide for continuity of operations during emergencies and disasters
  - Establish an incident response capability
Slide 42: Operational Controls
- Procedures governing the use and operation of IT systems
- Preventive
  - Control data media access and disposal
  - Limit external data distribution
  - Control software viruses
  - Protect computing facility (badges, biometrics, guards)
  - Provide backup capability (power, communications and facility)
  - Control environment (temperature, humidity)
- Detection
  - Provide physical security (cameras)
  - Monitor environmental conditions (smoke/fire detectors)
Slide 43: Cost Benefit Analysis
- Goal: Intelligent allocation of resources (controls) to mitigate risk
- Encompasses
  - Determining the impact of implementing and not implementing proposed controls
  - Estimating the cost of implementation
    - HW/SW
    - Reduced operational effectiveness
    - Cost of additional policies/procedures
    - Cost of additional personnel
    - Training costs
    - Maintenance
  - Weighing implementation costs against system criticality to determine relevance to mission
Slide 44: Residual Risk
- Reducing risk
  - Eliminate vulnerabilities
  - Reduce capacity and motivation of a threat source
  - Reduce the magnitude of an adverse event
Slide 45: Evaluation and Assessment
- Risk management is an ongoing process; E&A brings the wheel around!
- Good security practices
  - RM should be repeated periodically (every 3 years for federal agencies)
  - Integrated into the System Development Lifecycle (SDLC)
  - Keep a schedule, but make it flexible
- Keys for success
  - Commitment from senior management
  - Full support and participation of the IT team
  - Competence of the risk assessment team
  - Awareness and cooperation of the user community
  - Ongoing evaluation process