Risk Assessment Frameworks

1
Risk Assessment Frameworks

• Rodney Petersen
• Government Relations Officer
• Security Task Force Coordinator
• EDUCAUSE

2
Overview

• Definition(s) of Risk Management Risk
• Impact(s) of Risk
• Enterprise Risk Management
• ERM Frameworks
• DHS Risk Management Framework
• NIST Risk Assessment Framework
• STF Risk Assessment Framework

3
Definition of Risk Management

• Risk management is a scientific approach to
  dealing with pure risks by anticipating possible
  accidental losses and designing and implementing
  procedures that minimize the occurrence of loss
  or the financial impact of the losses that do
  occur. (Fundamentals of Risk and Insurance,
  Vaughan and Vaughan)
• Meaning Risk as uncertainty concerning the
  occurrence of a loss.

4
Risk Equation

• Risk Vulnerability x Threat x Impact
  Probability
• Vulnerability An error or a weakness in the
  design, implementation, or operation of a system.
• Threat An adversary that is motivated to
  exploit a system vulnerability and is capable of
  doing so
• Impact the likelihood that a vulnerability will
  be exploited or that a threat may become harmful.
• Probability likelihood already factored into
  impact.

5
Types of Risk

• Strategic Goals of the Organization
• Operational Processes that Achieve Goals
• Financial Safeguarding Assets
• Compliance Laws and Regulations
• Reputational Public Image

6
Responses to Risk

• Severity
• Frequency

High Transfer Avoid
Low Accept Accept/Transfer
Low High
7
Enterprise Risk Management (ERM)

• A process, effected by an entitys board of
  directors, management and other personnel,
  applied in strategy setting and across the
  enterprise, designed to identify potential events
  that may affect the entity, and manage risks to
  be within its risk appetite, to provide
  reasonable assurance regarding the achievement of
  entity objectives. (COSO)
• A rigorous approach to assessing and addressing
  the risks from all sources that threatent he
  achievement of an organizations strategic
  objectives. In addition, ERM identifies those
  risks that represent corresponding opportunities
  to exploit for competitive advantage.
  (Tillinghast-Towers Perrin consultancy group)
• Any issue that impact an organizations ability
  to meet its objectives. (Developing A Strategy to
  Manage Enterprisewide Risk in Higher Education,
  NACUBO)

8
ERM Frameworks

• COSOs ERM Integrated Framework
• Australia/New Zealand Standard Risk Management
• ISO Risk Management - Draft Standard
• The Combined Code and Turnbull Guidance
• A Risk Management Standard by the Federation of
  European Risk Management Associations (FERMA)

9
COSO Integrated Control Framework

• Committee of Sponsoring Organizations of the
  Treadway Commission (COSO)

10
COSOs ERM Integrated Framework

• Entity objectives can be viewed in the
• context of four categories
• Strategic
• Operations
• Reporting
• Compliance
• ERM considers activities at all levels of the
  organization
• Enterprise-level
• Division or subsidiary
• Business unit processes

Committee of Sponsoring Organizations of the
Treadway Commission (COSO)
11
Australia/New Zealand Standard (ASS/NZS
43602004) Risk Management
12
ISO Risk Management - Draft Standard
13
The Combined Code and Turnbull Guidance

• Risk assessment
• Does the company have clear objectives and have
  they been communicated so as to provide effective
  direction to employees on risk assessment and
  control issues? For example, do objectives and
  related plans include measurable performance
  targets and indicators?
• Are the significant internal and external
  operational, financial, compliance and other
  risks identified and assessed on an ongoing
  basis? These are likely to include the principal
  risks identified in the Operating and Financial
  Review.
• Is there a clear understanding by management and
  others within the company of what risks are
  acceptable to the board?

14
A Risk Management Standard by the Federation of
European Risk Management Associations (FERMA)
15
Risk Management Framework for Critical
Infrastructure Protection

• National Infrastructure Protection Plan, 2006

16
NIST Risk Management Framework
SP 800-37 / SP 800-53A
MONITOR Security Controls
Continuously track changes to the information
system that may affect security controls and
reassess control effectiveness
17
Risk Assessment Framework Security Task Force

• Purpose of Framework to provide a high-level
  overview on the subject of conducting a risk
  assessment of information systems within higher
  education.
• Points to Consider
• Risk Assessment (RA) is an ongoing process
• RA requires strong commitment from senior
  administration and collaboration between
  cross-functional units
• RA is part of strategic and continuity planning
• RA requires planning and strategy that
  systematically increases the scope
• RA needs to become a part of the culture of the
  university community
• Effective Risk Management (RM) practices require
  a "risk aware" culture
• Effective RM can provide the basis for
  prioritizing and resolving possible funding
  conflicts
• policy supporting ongoing risk assessment should
  be developed

18
Phases ofRisk Assessment

• Phase 0 Establish Risk Assessment Criteria for
  the Identification and Prioritization of Critical
  Assets (a one-time process)
• Phase 1 Develop Initial Security Strategies
• Phase 2 Technological View - Identify
  Infrastructure Vulnerabilities
• Phase 3 Risk Analysis - Develop Security
  Strategy and Plans

19
Phase 0 Establish Risk Assessment Criteria

• Goal to quickly establish the overall criteria
  for the identification of critical data assets
  and their appropriate priority level and to
  obtain senior management's perspective on issues
  of strategic importance.
• Process 1 Establish Risk Assessment Criteria
• Process 2 Apply the Critical Asset Criteria to
  Classify Data Collections and Related Resources

20
Phase 1 Develop Initial Security Strategies

• Goal Once the information assets have been
  classified, strategic planning for the rest of
  the risk management process can begin.
  Vulnerabilities can be identified, and the
  process of mitigating the threats that can
  exploit those vulnerabilities can begin. An
  institution can decide to specifically focus on
  the very highest risks, or it may decide to focus
  first on mitigating risks broadly (or both). The
  mere process of bringing management together to
  discuss the organization's strategy about risk
  mitigation can be extremely fruitful.
• Process 1 Strategic Perspective - Senior
  Management
• Process 2 Operational Perspective - Departmental
  Management
• Process 3 Practice Perspective Staff
• Process 4 Consolidated View of Security
  Requirements

21
Phase 2 Identify Infrastructure Vulnerabilities

• Goal To identify areas of potential exposure
  associated with the systems architecture.
• Process 1 Evaluation of Key Technology
  Components
• Process 2 Evaluation of Selected Technology
  Components

22
Phase 3 Develop Security Strategy and Plans

• Goal After identifying key information systems
  resources and evaluating the degree of
  vulnerability with the systems, quantitatively
  determine the level of risk associated with each
  system and system component. This information may
  then be used to prioritize the allocation of
  resources to ensure appropriate mitigation of the
  highest risks and to make appropriate management
  decisions about the degree of risk that the
  organization will be willing to accept.
• Process 1 Risk AssessmentSteps
• 1. Assess the potential impact of threats (and
  vulnerabilities) to critical assets (qualitative
  and/or quantitative)
• 2. Evaluate the likelihood of occurrence of the
  threats (high, medium, low)
• 3. Create a consolidated analysis of risks,
  based on the impact value to critical assets and
  the likelihood of occurrence
• Process 2 Protection Strategy and Mitigation
  Plans

23
Conclusion

• It is important to note that this is a process
  that has no finish line. While a risk assessment
  - the process of identifying and quantifying
  risks - might take place on an infrequent basis
  (e.g., annually), the risk management process -
  the ongoing process of mitigating the risks to
  the organization - should be ingrained into the
  institution's culture to be most effective.