ESM Risk Management for IT Systems Eileen Dewey Rose State College Midwest City, OK 73110 - PowerPoint PPT Presentation

1 / 45

About This Presentation

Title:

ESM Risk Management for IT Systems Eileen Dewey Rose State College Midwest City, OK 73110

Description:

System and Information Owners ensure that security controls are in place for assets ... Tone: systematic and analytical. Combined with oral presentation ... – PowerPoint PPT presentation

Number of Views:46

Avg rating:3.0/5.0

Slides: 46

Provided by: sujeet3

Category:

more less

Transcript and Presenter's Notes

Title: ESM Risk Management for IT Systems Eileen Dewey Rose State College Midwest City, OK 73110

1
ESMRisk Management for IT SystemsEileen
DeweyRose State CollegeMidwest City, OK 73110
2
Risk Management

Comprised of 3 basic processes
Risk assessment
Identifying and evaluating risk, its impact and
recommended risk reducing activities
Risk mitigation
Prioritizing, implementing and maintaining risk
reducing activities
Evaluation
Continual process

3
Risk Management

Goals
Enhance mission capabilities of an enterprise by
protection IT systems that support operations
Minimize impact of an event
Avoid an event altogether
Balance operational and economic costs of
protecting IT systems
Residual risk

4
Integration into SDLC
5
Integration into SDLC (contd)
6
Key Personnel Roles

Senior management decision makers, allocate
resources to ensure mission success
Chief Information Officer IT planning,
budgeting and performance
System and Information Owners ensure that
security controls are in place for assets
Business and Functional Managers unit level
decision makers
ISSO build enterprise security programs
leadership role in risk analysis
IT Security Practitioners implement security
plan
Security Awareness Trainers educate users to
mitigate risk

7
Risk Assessment

1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation
2,3,4,6 can be conducted in parallel after 1

8
Risk Assessment
9
Risk Assessment
10
Risk Assessment
11
System Characterization

Define scope of the exercise
System/enterprise boundaries
Information and resources that constitute the
system
Personnel
Data gathering
Hardware and software
System interfaces
User base
System mission
System and data criticality and sensitivity

12
System Characterization

Additional data gathered
IT system requirements
System security policies
System security architecture
Network topology
Information flow
Technical, management and operational controls
Physical and environmental security

13
System Characterization

Information gathering techniques
Questionnaire
On-site interviews
Document review
Automated scanning/discovery tools
Output from Step 1 Document characterizing the
IT system, its boundaries and environment

14
Threat Identification

Threat potential for a threat source to
exercise a specific vulnerability
Threat source identification - natural, human,
environmental
Threat statement - a list of all possible threat
sources considering possible motive and
historical evidence

15
Threat Identification

Resources
Intelligence agencies (for example, the Federal
Bureau of Investigation.s National Infrastructure
Protection Center)
Federal Computer Incident Response Center
(FedCIRC)
Mass media, Web-based resources such as
SecurityFocus.com, SecurityWatch.com,
SecurityPortal.com, and SANS.org.
Output from Step 2 A threat statement containing
a list of threat sources

16
Vulnerability Identification

Vulnerability a weakness or flaw that can be
exercised to violate a security policy
Vulnerability/Threat pairs

17
Vulnerability Identification

Vulnerability discovery depends on the state of
the system
Design policies, planned security procedures
Implementation results of testing and
certification
Operation security controls

18
Vulnerability Identification

Previous risk assessment documentation of the IT
system assessed
The IT systems audit reports, system anomaly
reports, security review reports, and system test
and evaluation reports
Vulnerability lists, such as the NIST I-CAT
vulnerability database (http//icat.nist.gov)
Security advisories, such as FedCIRC and the
Department of Energys Computer Incident Advisory
Capability bulletins
Vendor advisories
Commercial computer incident/emergency response
teams and post lists (e.g., SecurityFocus.com
forum mailings)
Information Assurance Vulnerability Alerts and
bulletins for military systems
System software security analyses.

19
Vulnerability Identification

System security testing
Automated vulnerability scanning tool - false
positives?
Security Testing and Evaluation test security
controls as applied
Penetration Testing probe from the viewpoint of
a threat source

20
Vulnerability Identification

Security Requirements Checklist

21
Vulnerability Identification

Security Requirements Checklist

22
Vulnerability Identification

Security Requirements Checklist

23
Vulnerability Identification

Output from Step 3 List of system
vulnerabilities that could be exercised by the
listed threat sources

24
Control Analysis

Objective Analyze all current and planned
controls
Needed to derive a likelihood rating regarding
the exercise of specific vulnerabilities
Technical controls in HW and SW
Management controls policies
Operational controls operational procedures
Preventive vs. detective controls
Key Use the Security Requirements Checklist to
guide analysis

25
Control Analysis

3 factors in threat likelihood determination
Threat source motivation and capability
Nature of the vulnerability
Current controls (existence and effectiveness)
Subjective characterization

Output from Step 5 Likelihood rating (High,
Medium, Low)

26
Impact Analysis

Goal Determine the impact resulting from the
exercise of a vulnerability
Need information about
System mission
System and data criticality
System and data sensitivity
gathered from
Organizational documents
Mission/Business Impact Analysis Statement
Current levels/dimensions of protection for
specific assets

27
Impact Analysis

Dimensions of loss
Loss of integrity yields inaccuracy, fraud, bad
decisions
Loss of availability diminishes productivity
Loss of confidentiality loss in public
confidence
Characterizing impact

28
Impact Analysis

Quantitative vs. qualitative assessment
Qualitative assessment prioritizes risks and
identifies areas for immediate improvement does
not precisely measure magnitude
Quantitative assessment measures can be used
directly in a cost-benefits analysis of
recommended controls but meaning of numbers may
be unclear
Additional factors in determining impact
Relative frequency of exercise of vulnerability
Approximate cost for each exercise
Weighted factor based on subjective analysis
Output from Step 6 Magnitude of impact (High,
Medium, Low)

29
Risk Determination

Goal Assess the level of risk to the IT system
(for each threat/vulnerability pair)
A function of
Likelihood of a threat source attempting to
exercise a given vulnerability
Magnitude of the impact in a successful exercise
Adequacy of planned or existing security controls
for reducing or eliminating risk
Conceptual tools risk scale and risk-level
matrix

30
Risk Determination

Risk-Level Matrix multiple likelihood and impact
Assign numeric values to subjective ones,
Likelihoods - High 1.0, Medium 0.5 and Low
0.1
Impacts High 100, Medium 50 and Low 10

31
Risk Determination

Risk scale represents degree or level of risk

Output from Step 7 Risk Level (High, Medium, Low)

32
Control Recommendations

Goal Identify controls that could mitigate or
eliminate named risks
Factors
Effectiveness of recommended options
Legislation and regulation
Organizational policy
Operational impact
Safety and reliability
Not all possible recommended controls can or will
be implemented (prioritize, using cost-benefit
analysis!)
Output from Step 8 Recommendation of control(s)
and alternatives

33
Results Documentation

Goal Capture results of the risk assessment in
an official report
Focus on helping senior management and
stakeholders make decisions on policy, procedure,
operations and management
Tone systematic and analytical
Combined with oral presentation
Output from Step 9 Risk assessment report
describing threats, vulnerabilities, measured
risk and recommendations

34
Risk Mitigation

Prioritize, evaluate and implement controls
Philosophy
Least cost approach
Implement most appropriate controls
Accept minimal adverse impact
Risk mitigation options
Risk assumption zen-like state
Risk avoidance e.g., shut down services to
avoid attacks
Risk limitation implement controls to mitigate
threats -
Risk planning managing risk systematically
Research and acknowledgement identify flaws and
correct them
Risk transference e.g., insurance

35
Risk Mitigation

Action Points

36
Risk Mitigation

Action point rules of thumb
Vulnerability exists? Implement assurance
techniques to reduce likelihood of exercise
Vulnerability can be exercised? Apply layered
protection to minimize impact
Attackers cost lt potential gain? Apply
protection to decrease attacker incentive
Loss is too great? Apply design principles and
protective measures to reduce the potential for
loss

37
Control Implementation

Philosophy Address the greatest risks and strive
for sufficient risk mitigation at the lowest
cost, with minimal adverse impact on the mission
Prioritize actions ? Actions ranked from High to
Low
Evaluate recommended control options ? List of
feasible controls
Conduct cost benefit analysis ? CBA on control
selection
Select control ? List of selected controls
Assign responsibility ? Personnel list
Develop a safeguard implementation plan ?
Implementation plan
Implement selected controls ? Residual risk

38
Control Categories

Security controls Prevent, limit, deter
threat-source damage to IT assets
Engage a combination of technical, management and
operational controls
Trade-offs in the decision making process reflect
organizational balance

39
Technical Controls

Supporting
Underly most security capabilities
Preventive
E.g. firewalls, access control, secure
communication
Detect and recover
Auditing, redundancy, archival, IDSs

40
Technical Controls
41
Management Controls

Information protection policies, guidelines
standards for operations
Preventive
Assign security responsibility
Develop and maintain security plans
Implement personnel security controls such as
least privilege or separation of duties
Conduct security awareness and training
Detection
Implement personnel security controls such as
background checks
Periodic review of security controls
Periodic system audits
Ongoing risk management processes
Recovery
Provide for continuity of operations during
emergencies and disasters
Establish an incident response capability

42
Operational Controls

Procedures governing the use and operation of IT
systems
Preventive
Control data media access and disposal
Limit external data distribution
Control software viruses
Protect computing facility (badges, biometrics,
guards)
Provide backup capability (power, communications
and facility)
Control environment (temperature, humidity)
Detection
Provide physical security (cameras)
Monitor environmental conditions (smoke/fire
detectors)

43
Cost Benefit Analysis

Goal Intelligent allocation of resources
(controls) to mitigate risk
Encompasses
Determining the impact of implementing and not
implementing proposed controls
Estimating the cost of implementation
HW/SW
Reduced operational effectiveness
Cost of additional policies/procedures
Cost of additional personnel
Training costs
Maintenance
Weighing implementation costs against system
criticality to determine relevance to mission

44
Residual Risk