Risk Management a Case Study - PowerPoint PPT Presentation

Original file title: Information Technology, Security and the Law
Author: J
Created: 6/6/2005 1:03:08 PM
Format: PowerPoint PPT presentation

Transcript and Presenter's Notes



1
Risk Management a Case Study
DATALAWS Information Technology Law Consultants
Presented by F. F. Akinsuyi (MSc, LLM) MBCS
2
Anatomy of a Risk Assessment: UK Government Case
Study
  • UK government services have gone online
  • To deliver these services, government departments
    collect, store and share personal and sensitive
    data
  • The online services are targeted by hackers,
    fraudsters and espionage
  • Both old and new risks, threats and vulnerabilities
    threaten the services
  • Departments need to identify and mitigate these
    risks

3
Anatomy of Risk Management: UK Case Study
  • UK government policy is that any government
    information system used to store, process or
    forward official information must be accredited
    before use
  • The objective of accreditation is to show that all
    relevant risks to the system have been identified
    and will be managed through appropriate
    configuration, use, maintenance, evolution and
    disposal
  • The RMADS (Risk Management and Accreditation
    Document Set) methodology is applied to government
    systems

4
RMADS Documents and Process

5
RMADS Stages
  • Determine the Business Impact Level of the
    information held on the information system to be
    accredited (the most important step)
  • Impacts are assessed separately against
    confidentiality, integrity and availability
  • Depending on the impact level found, it may be
    sufficient simply to comply with ISO 27001
  • For higher impact levels, an RMADS is mandatory

6
Impact Samples
  • Impacts measured against the government
    department and the data subject
  • Financial Loss due to Fraud
  • Reputational Loss due to service not being
    available.
  • Criminal Charges due to breach of Data
    Protection.

7
Business Impact Assessment
  • Business Impact Levels range from 0 to 8
  • Level 1 (Trivial): no further action taken
  • Levels 2 and 3 (Minor): no further action taken
  • Level 4 (Significant): some negative effects; the
    risk is acceptable, but action may need to be
    taken
  • Level 5 (Significant): significant negative
    effects; action taken on a case-by-case basis
  • Levels 6 and 7 (Major): risks must be reduced or
    treated
  • Level 8 (Catastrophic): disastrous; must be dealt
    with and reduced under all circumstances

8
Business Impact Assessment
  • Confidentiality Impact Level markings
  • For confidentiality, the Impact Levels map
    directly to protective markings:
  • Impact Levels 1 and 2 - PROTECT
  • Impact Level 3 - RESTRICTED
  • Impact Level 4 - CONFIDENTIAL
  • Impact Level 5 - SECRET
  • Impact Level 6 - TOP SECRET

9
RMADS
  • First phase in developing an RMADS
  • Conduct an HMG Infosec Standard No. 1 (IS1)
    technical risk assessment
  • Catalogue the information system and generate a
    scope diagram
  • Verify the minimum assumptions so that the risk
    assessment is accurate
  • Perform a Privacy Impact Assessment
  • Perform a threat assessment to produce a
    Prioritised Risk Catalogue, which must be
    documented within the RMADS

10
Identify Threats
  • Asset List: what the system is made of
  • Threat Sources: where the threat is coming from
  • Focus of Interest: the system being accredited
  • Threat Actors: the principal parties involved in
    constituting the threat

11
Asset List
  • DataBase
  • Application
  • Development and Test Environments
  • Desktop
  • Government Offices
  • Inter connecting systems
  • Data Centre
  • Third Party Location

12
Threat Source Samples
  • Organised Crime
  • Pressure Groups
  • Investigative Journalists
  • Terrorist Organisations

13
Threat Actor Samples
  • Hacker: altering the website, denial of service
  • Third Party: inappropriate access, privacy breach
  • Normal User: accidental data loss
  • Privileged User: data confidentiality compromise
  • Data Handler: data loss

14
RMADS
  • Second part: create the RMADS
  • Perform an ISO 27001 benchmarking review to
    determine whether suitable commercial
    countermeasures already exist
  • Develop the Security Case and Risk Treatment Plan
    to ensure that the proposed solutions meet the
    requirements of the organisation and its risk
    appetite

15
ISO 27001 Benchmarking
  • ISO 27001 Information Security Standard
  • Covers Security Policy, Security Organisation,
    Asset Classification, Personnel Security,
    Physical Security, Communications and Operations
    Management, Access Control, Systems Development
    and Maintenance, Business Continuity Management,
    Compliance
  • Benchmarking involves face-to-face reviews with
    system architects, administrators and security
    teams to verify compliance with the areas above

16
Risk Treatment Plan
  • The Risk Treatment Plan identifies what steps will
    be taken to resolve each identified risk
  • It records who is responsible for each risk
  • The date by which the risk is to be resolved
  • The current status of the risk
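The Prioritised Risk Catalogue (slide 9) and the Risk Treatment Plan (slide 16) can be built from the same data: one entry per asset and threat actor, with an impact level for each of confidentiality, integrity and availability, mapped onto the treatment bands of slide 7. The following is an added example, not code from the presentation; the asset/threat-actor entries, the 1-5 likelihood scale, the treatment of level 0 and the impact-level threshold at which a full RMADS is assumed to be required are all constructed assumptions.

```python
"""Prioritised risk catalogue and treatment plan (added example).

Impact-level bands follow slide 7 (levels 0-8). The sample risks, the
likelihood scale and RMADS_THRESHOLD are constructed assumptions.
"""
from dataclasses import dataclass


def treatment_for_level(level: int) -> str:
    """Treatment required for a Business Impact Level, per slide 7.
    Level 0 is inside the stated 0-8 range but not described on the slide;
    it is treated like level 1 here (assumption)."""
    if not 0 <= level <= 8:
        raise ValueError(f"impact level out of range: {level}")
    if level <= 3:
        return "no further action"
    if level == 4:
        return "acceptable; action may be needed"
    if level == 5:
        return "action decided case by case"
    if level in (6, 7):
        return "must be reduced or treated"
    return "must be reduced under all circumstances"


@dataclass
class Risk:
    asset: str
    threat_actor: str
    scenario: str
    confidentiality: int
    integrity: int
    availability: int
    likelihood: int  # assumed 1 (rare) to 5 (almost certain); not from the slides

    @property
    def impact(self) -> int:
        # Overall impact level is the worst of the three CIA impacts.
        return max(self.confidentiality, self.integrity, self.availability)

    @property
    def score(self) -> int:
        # Simple impact x likelihood priority score (assumption).
        return self.impact * self.likelihood


def prioritised_catalogue(risks):
    """Highest score first; ties broken by raw impact level."""
    return sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)


RMADS_THRESHOLD = 4  # assumption: any CIA impact at level 4 or above needs a full RMADS


def rmads_required(risks) -> bool:
    return any(r.impact >= RMADS_THRESHOLD for r in risks)


def treatment_plan(risks, owners):
    """Risk Treatment Plan rows: treatment, owner and status per risk (slide 16)."""
    plan = []
    for r in prioritised_catalogue(risks):
        plan.append({
            "asset": r.asset,
            "threat_actor": r.threat_actor,
            "scenario": r.scenario,
            "impact_level": r.impact,
            "score": r.score,
            "treatment": treatment_for_level(r.impact),
            "owner": owners.get(r.asset, "unassigned"),
            "status": "open",
        })
    return plan


# Constructed sample data, built from the asset and threat-actor lists on
# slides 11 and 13; the impact and likelihood values are illustrative only.
SAMPLE_RISKS = [
    Risk("Database", "Privileged User", "confidentiality compromise", 5, 3, 2, 2),
    Risk("Application", "Hacker", "website altered", 2, 4, 4, 4),
    Risk("Desktop", "Normal User", "accidental data loss", 3, 3, 2, 5),
    Risk("Data Centre", "Terrorist Organisation", "denial of service", 1, 1, 6, 1),
]
SAMPLE_OWNERS = {"Database": "DBA team", "Application": "Dev lead", "Desktop": "Desktop support"}

if __name__ == "__main__":
    print("RMADS required:", rmads_required(SAMPLE_RISKS))
    for row in treatment_plan(SAMPLE_RISKS, SAMPLE_OWNERS):
        print(row)
```

The catalogue orders by score rather than by impact level alone, so a frequent low-impact event (the Desktop entry) can rank above a rarer, higher-impact one; the treatment column, however, is driven purely by the impact level, as the slide 7 bands prescribe.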

17
Penetration Test
  • Network and application tests
  • Final check: identify any exposure to known
    vulnerabilities by conducting a network penetration
    test and an application test
  • Review the outcome
  • Accredit the system

18
Application Vulnerability Tests
  • Cross Site Scripting
  • Failure to Restrict URL Access
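The two test categories above map to two concrete defects in a web application: user input copied into an HTML response without escaping (cross-site scripting), and a privileged URL that is merely unlinked rather than access-controlled (failure to restrict URL access). The following added example, not code from the presentation, shows a vulnerable handler beside a hardened one; the `Request` type, the `/search` and `/admin` routes and the `ROLES` user store are constructed stand-ins for a real web framework, and the check functions are the kind of probe an application test would run.

```python
"""Reflected XSS and unrestricted URL access: vulnerable vs hardened handler.
Added example with a constructed Request type and user store; no real
framework or network involved."""
import html
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Request:
    path: str
    params: dict = field(default_factory=dict)
    user: Optional[str] = None  # authenticated username, None if anonymous


ROLES = {"alice": "admin", "bob": "user"}  # constructed user store

Response = Tuple[int, str]


def vulnerable_app(req: Request) -> Response:
    if req.path == "/admin":
        # Failure to restrict URL access: the console is "protected" only by
        # not being linked from the public pages.
        return 200, "<h1>Admin console</h1>"
    if req.path == "/search":
        q = req.params.get("q", "")
        # Reflected XSS: untrusted input is interpolated verbatim into HTML.
        return 200, f"<p>Results for {q}</p>"
    return 404, "not found"


def require_role(req: Request, role: str) -> Optional[int]:
    """Return an HTTP error status if the user may not act in `role`, else None."""
    if req.user is None:
        return 401
    if ROLES.get(req.user) != role:
        return 403
    return None


def hardened_app(req: Request) -> Response:
    if req.path == "/admin":
        # Server-side authorisation on every request to the privileged URL.
        denied = require_role(req, "admin")
        if denied is not None:
            return denied, "access denied"
        return 200, "<h1>Admin console</h1>"
    if req.path == "/search":
        # Output encoding: <, >, &, and quotes become HTML entities, so the
        # browser renders the payload as text instead of executing it.
        q = html.escape(req.params.get("q", ""), quote=True)
        return 200, f"<p>Results for {q}</p>"
    return 404, "not found"


# Constructed test inputs an application test would send.
XSS_PAYLOAD = "<script>alert(1)</script>"


def reflects_unescaped(app) -> bool:
    """True if the XSS payload comes back in the response body unmodified."""
    _, body = app(Request("/search", {"q": XSS_PAYLOAD}))
    return XSS_PAYLOAD in body


def anonymous_reaches_admin(app) -> bool:
    """True if an unauthenticated request to /admin is served."""
    status, _ = app(Request("/admin"))
    return status == 200


if __name__ == "__main__":
    for name, app in (("vulnerable", vulnerable_app), ("hardened", hardened_app)):
        print(name, "XSS:", reflects_unescaped(app),
              "open admin:", anonymous_reaches_admin(app))
```

Escaping is applied at the point of output into HTML, not at input, because the same value may later be embedded in a different context (a JavaScript string, a URL) that needs a different encoding; and the `/admin` check runs on the server for every request, since hiding a link is not access control.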

19
End Of Session