COMP 3357 Managing Cyber Risk, Richard Henson, University of Worcester, April 2018
Week 11: Risk Assessment for Business Continuity
- Objectives:
  - Create an asset register (protected through BCP) that includes not just hardware but digital resources
  - Use theoretical principles of qualitative risk assessment to produce a risk register
  - Extend the risk register to include a realistic risk treatment plan that will mitigate the identified risks
BCP for increasing competitiveness and gaining market share…
- All about business <> customer!
  - online environments (websites)
  - even physical environments (shops)
- B2C now dependent on IT
  - need risk assessment, information assurance (expensive?)
  - BCP covers similar ground… (more cost-effective?)
Variety of Physical Markets…
- Retail parks (expensive but many customers)
- High street shops (lower rent; fewer customers?)
- Side street shops/street traders
- Physical businesses STILL use IT to run their business (internal IT)
  - street traders market/sell online via website…
Limits to Online Markets?
- On-line B2C grows every year!
- Different growth rates in different countries…
  - fastest rate in early years… US/Canada
  - fastest rate in 2016… UK!
    - driven by convenience
    - more technology… good for technology economy
    - 2020?
Maintaining an Online Business Environment
- With or without shop/market stall!
  - website: still expectation of 24/7 trading
- Use internal and external IT!
  - customers visit via the www
  - dependent on advertising and search engines
  - process, pick, dispatch orders
The Organisation IT Boundary
  - Internal IT… process customer data
  - External IT… gather customer data
    - where is the internal/external boundary?
Diagram: External IT (customers) and Internal IT (processing customer data)
Engaging with the Online Environment
- Several levels:
  - website separate from the business's own IT
    - website for advertising and enquiries only
    - website for online shopping
  - website integrated with rest of business IT
    - much larger development and maintenance operation
- may be outsourced… business needs to keep control of its data!
Competition and Internal IT
- Smooth IT operation pleases…
  - Suppliers
    - want to do business… not have their time wasted (!)
  - Existing customers
    - will return for more
    - will tell others…
Threats to organisational data/systems…
- Divides neatly into:
  - "internal"… employees
    - applies to all businesses
  - "external"… hackers
    - specific to online businesses
- Consequences over and above "messed up" systems
Messed up systems, Data Losses… (!)
- System down? Not a good look!
- Depending on which data a small business loses…
  - it may not be able to trade efficiently, or even at all!
  - worst case scenario: 10 days maximum to recover, or out of business
Reality of IT and the Customer
- External: on-line selling?
  - customer assumes that IT works perfectly
  - only takes notice when NOT working
- Essential for B2C to (try to…) live up to customer expectations
  - if Information Assurance too difficult or expensive, BCP a good second choice
External (hacking…)
    - Inside people or business partners accessing data from outside and, either accidentally or on purpose, misusing it
    - People hacking in from outside, usually via the Internet, possibly with help from inside
Do "we" have a problem?
- Perceptions "from the inside" quite different from "outside looking in"
Internal IT and Competitors
- Messed up operation… annoys…
  - Suppliers… find new partners
  - Customers… find new vendors
  - if it carries on, will ruin reputation!
- Put own house in order!
  - Cannot successfully integrate internal & external IT if internal operation messed up (!)
Internal Data Losses
- Well-meaning employees not following procedures and misusing data or allowing it to get into the wrong hands…
  - The same employees who could already be dealing with a "messed up" system
- Employees or temps with bad intent…
Valuing IT in a Business: The Digital Asset Register
- Until recently, company "value" based on
  - physical assets (asset register)
  - number/quality of customers/partners
  - profit (and projections…)
- What about digital data?
  - e.g. their data and data structures
    - not a physical asset… traditionally ignored!
"The Asset Register" in a world dominated by IT
- Concept of "digital assets" introduced to business via information assurance…
  - ISO 27001 (2005 onwards…)
- Essential in BCP (!)
- Asset list (register) extended to include:
  - software (apps & system/platform)
  - data used with that software!
Impact of Data Loss
- Bad enough now (!) Nowhere to hide when GDPR comes in…
  - have to declare a data breach including customer records within 72 hours
- Business data not protected through GDPR
  - BUT if stolen, may ALSO lose trade secrets, supplier information
  - not good for customer perception…
ISO 27001 & Risk Assessment
- ISO 27001 is about developing and managing a system to manage information security…
  1. informing an organisation which incidents could occur (i.e. assess the risks)
  2. assessing the relative importance of each risk so the organisation can treat the most important (i.e. prioritise the risks)
  3. then finding the most appropriate ways to avoid such incidents (i.e. treat the risks)
Risk Assessment Stages
- Two distinct processes involved (different skill-sets):
  - identification and assessment of the risks (risk assessment)
  - selection and justification of countermeasures to manage those risks (risk management)
Information Risk…
- Applying the process to information risks, it becomes:
  - identifying and evaluating the information security risks associated with a computer system or telecommunications network
  - nominating and justifying security countermeasures for the identified risks
Identifying the Risks
- Effective infrastructure: hardware, software, people working together with minimum downtime
  - BUT attacker tools: packet interception, eavesdropping, hacking, insertion of malware, compromising authorised users, theft of documentation, etc.
- Risks, threats, vulnerabilities to digital assets need to be identified…
BCP and ISO 27001 about systems & continuous improvement
- Provides: Risk Assessment Methodology (rules)
  - what will be the acceptable level of risk, etc. for each digital asset?
    - choose qualitative or quantitative risk assessment…
    - all employees should follow the agreed method
An Information Asset Register
- Companies typically aware of only 30% of their risks!
- Developing an asset register at least raises awareness…
    - list assets
    - list threats and vulnerabilities related to those assets
Using the Register
- Identify impact and likelihood for each combination of assets, threats, vulnerabilities
- finally calculate the level of risk
Risk Treatment Plan (RTP)
- four ways to mitigate unacceptable risks:
  1. apply ISO 27001 "Annex A" security controls to decrease risks
  2. transfer the risk to another party
    - insurance company (buy an insurance policy)
RTP (cont…)
  3. Avoid…
    - stop doing an activity that is too risky
    - do the activity in a completely different fashion
  4. Accept the risk…
    - if the cost of mitigation is higher than the damage itself!
RTP: Economics
- Risk Treatment plan… how to decrease the risks with minimum investment?
- Strategy:
  - management will reduce budget… (!)
    - achieve the same result with less money
    - need to figure out how!?!
  - ask for more than the minimum in the first place?!
    - use report (next slide) to support your case
Report (for auditors and management)
- ISMS Risk Assessment Report
  - All risk assessment activities compiled into readable documentation
    - for the auditors…
    - internal, for future reference: how are we doing? checking!
Statement of Applicability (SoA)
- Shows security profile of the company…
    - based on the results of the risk treatment
- Lists implemented controls, why implemented, how implemented
    - important for the audit (!)
- For details about the SoA, see
  - Statement of Applicability for ISO 27001.
RTP Ready to go?
- Creating the plan is a "journey"…
  - Start: not knowing how to set up your information security
  - Finish: having a very clear picture of what is needed for implementation
Putting RTP into practice
- Management approval needed
  - will take considerable time and effort (and money) to implement all the controls
  - who (is going to implement each control), when, with which budget, etc.
RTP: Gathering Risk Assessment Data
- Requirements:
  1. figuring out all the threats to the organisation's data
  2. cataloguing all hardware and software in the organisation into a Risk Register
    - although hardware may apparently be irrelevant to information management, it needs identifying so it can be appropriately categorised in the risk register!
  - http://www.computerworld.com/article/2723652/itmanagement/how-to-do-a-risk-assessment-for-iso-27001.html
  - http://www.computerweekly.com/tip/A-free-risk-assessmenttemplate-for-ISO-27001-certification
1. Threats to Organisational Data
- Outsiders:
  - hackers
  - competitors
- Insiders:
  - employees with bad intent
  - dopey employees
  - either of the above working with outsiders
2. Information Assets & Risk
- Information Assets
  - data required to keep business functioning
  - need hardware and software to be useful!
    - these also carry risk
- Once identified…
  - need to be categorised into rank order
    - according to how well (or not…) the organisation would survive without them
The Information Asset Register (ISO 27001)
- List of information assets…
- List of related assets…
  - infrastructure needed to maintain each/all asset(s)
    - can be non-computer hardware (e.g. cooling/ventilation system for servers)
  - equipment to counteract effects of natural disasters (e.g. flood defences)
System Vulnerabilities
- Ways that assets can be compromised
  - unpatched applications and/or operating systems
  - user accounts with poorly protected passwords
  - users unaware of hacker "phishing" and other social engineering tactics
Qualitative: Risk to Assets
- Previous sessions…
  - establish criteria for assessment of information assets
    - e.g. value on black market
  - use the criteria to categorise as H, M, L
Quantitative: Calculating Risk to Information Assets
- Simple formula
  - likelihood of loss (1-10) x impact (also 1-10)
  - bigger score, bigger risk!
- Can be ranked accordingly
  - along with hardware/software to maintain each asset
To Mitigate or Accept a Risk?
- Risk Register should contain all potential risks…
  - H, M, L categorisation and/or impact assessment score should indicate the main dangers
- Need to choose whether to do something or accept the risk…
  - even for L assets
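The register, scoring and accept-or-mitigate decision from the slides above, as an added worked example that is not part of the original slide deck: each register row pairs an asset (including hardware that maintains an information asset) with a threat and a vulnerability, is scored likelihood x impact on the 1-10 scales given, ranked, banded H/M/L and given a treatment decision. The H/M/L thresholds, the "acceptable level" cut-off, the cost comparison rule and the sample register are assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

MITIGATE, ACCEPT = "mitigate", "accept"   # the two RTP options this example decides between

@dataclass(frozen=True)
class Risk:
    # One row of the risk register: asset + threat + vulnerability + two 1-10 scores.
    asset: str          # information asset, or the hardware/software that maintains it
    threat: str
    vulnerability: str
    likelihood: int     # 1-10, as on the slide
    impact: int         # 1-10, as on the slide

    def __post_init__(self):
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 10:
                raise ValueError(f"{name} must be 1-10, got {value}")

def score(r: Risk) -> int:
    """Quantitative risk from the slide: likelihood x impact, so 1-100."""
    return r.likelihood * r.impact

def band(s: int) -> str:
    """Map the score back onto H/M/L. Thresholds are an assumption; the slides give none."""
    return "H" if s >= 50 else "M" if s >= 20 else "L"

def treatment(r: Risk, mitigation_cost: int, damage_cost: int, accept_below: int = 20) -> str:
    """Decide per risk (rules are an assumption built from the RTP slides): accept when
    the score is under the agreed acceptable level, or when mitigation would cost more
    than the damage it prevents; otherwise mitigate with controls."""
    if score(r) < accept_below or mitigation_cost > damage_cost:
        return ACCEPT
    return MITIGATE

def ranked(register: List[Risk]) -> List[Tuple[int, str, Risk]]:
    """Rank the register so the main dangers come first."""
    return sorted(((score(r), band(score(r)), r) for r in register), key=lambda row: -row[0])

# Constructed sample register for a small online shop (all values invented for illustration).
REGISTER = [
    Risk("customer order database", "hacker via Internet", "unpatched web shop software", 6, 9),
    Risk("server room cooling", "plant failure", "no temperature alarm", 3, 8),
    Risk("staff accounts", "phishing e-mail", "users unaware of social engineering", 7, 7),
    Risk("street-trader laptop", "theft at market", "no disk encryption", 4, 3),
]

if __name__ == "__main__":
    for s, b, r in ranked(REGISTER):
        print(f"{s:3d} {b} {r.asset}: {treatment(r, mitigation_cost=1000, damage_cost=s * 500)}")
```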
Asset Register and Risk Treatment
- "Risk Treatment" now an accepted part of information risk management
  - risk assessment/management finishes with a completed risk treatment plan
  - shows how each of the risks regarded as significant will be mitigated
- Essential for effective BCP (next week…)