MANAGEMENT of INFORMATION SECURITY Fifth Edition RISK CONTROL

RISK CONTROL PRACTICES
Management of Information Security, 5th Edition, © Cengage Learning

Recommended Risk Control Practices
• Between the difficult task of valuing information assets and the dynamic nature of ALE calculations, it is no wonder that organizations typically look for a more straightforward method of implementing controls
• This preference has prompted an ongoing search for ways to design security architectures that go beyond the direct application of specific controls to specific information asset vulnerabilities

Qualitative and Hybrid Measures
• Quantitative assessment performs asset valuation with actual values or estimates, which may be difficult to assign
• Organizations can use qualitative assessment instead, rating assets and risks on scales rather than with specific estimates
• A more granular approach, the hybrid assessment, tries to reduce the ambiguity of qualitative measures without resorting to the unsubstantiated estimates that quantitative measures can require

Delphi Technique
• The Delphi technique, named for the oracle at Delphi, is a process whereby a group rates or ranks a set of information
• The individual responses are compiled and then returned to the group for another iteration
• This process continues until the entire group is satisfied with the result
• The technique can be applied to the development of scales, asset valuation, asset or threat ranking, or any scenario that benefits from the input of more than one decision maker

The OCTAVE Methods
• The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method defines the essential components of a comprehensive, systematic, context-driven, self-directed information security risk evaluation
• By following the OCTAVE Method, an organization can make information-protection decisions based on risks to the confidentiality, integrity, and availability of critical information technology assets
• The operational or business units and the IT department work together to address the information security needs of the organization

OCTAVE Overview (figure)

The OCTAVE Methods
• There are three variations of the OCTAVE Method:
– The original OCTAVE Method, which forms the basis for the OCTAVE body of knowledge and was designed for larger organizations (300 or more users)
– OCTAVE-S, for smaller organizations of about 100 users
– OCTAVE-Allegro, a streamlined approach for information security assessment and assurance

Microsoft Risk Management Approach
• Microsoft Corp. also promotes a risk management approach
• Four phases in the Microsoft information security risk management process:
– Assessing risk
– Conducting decision support
– Implementing controls
– Measuring program effectiveness

Microsoft Risk Management Approach (figure)

FAIR
• The Factor Analysis of Information Risk (FAIR) framework includes:
– A taxonomy for information risk
– Standard nomenclature for information risk terms
– A framework for establishing data collection criteria
– Measurement scales for risk factors
– A computational engine for calculating risk
– A modeling construct for analyzing complex risk scenarios

FAIR
• Basic FAIR analysis consists of ten steps in four stages:
Stage 1 – Identify scenario components:
1. Identify the asset at risk
2. Identify the threat community under consideration
Stage 2 – Evaluate Loss Event Frequency (LEF):
3. Estimate the probable Threat Event Frequency (TEF)
4. Estimate the Threat Capability (TCap)
5. Estimate Control Strength (CS)
6. Derive Vulnerability (Vuln)
7. Derive Loss Event Frequency (LEF)

FAIR
Stage 3 – Evaluate Probable Loss Magnitude (PLM):
8. Estimate worst-case loss
9. Estimate probable loss
Stage 4 – Derive and articulate Risk:
10. Derive and articulate Risk
• In the basic analysis, FAIR rates many of these risk components on ordinal scales with value ranges (for example, very high to very low) and combines them to derive Vuln, LEF, and finally Risk; this differs from frameworks that work directly in monetary estimates
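The ten-step basic analysis above, carried through on ordinal scales as an added worked example. This is illustrative code written for this page, not material from the textbook or from the FAIR standard: the lookup matrices used to derive Vuln, LEF and Risk, the Scenario field names, and the sample ratings are all assumptions chosen to mirror the structure of the method (TCap against CS gives Vuln; TEF with Vuln gives LEF; LEF with PLM gives Risk), not the official FAIR tables.

```python
"""Basic FAIR analysis on ordinal scales (added illustrative example).

The lookup tables below are assumed, simplified matrices that mirror the
structure of the basic FAIR method (derive Vuln from TCap vs CS, LEF from
TEF and Vuln, Risk from LEF and PLM). They are NOT the official FAIR tables.
"""
from dataclasses import dataclass

# Five-point ordinal scale used for every rated factor: VL < L < M < H < VH.
SCALE = ["VL", "L", "M", "H", "VH"]


def _idx(level: str) -> int:
    if level not in SCALE:
        raise ValueError(f"unknown level {level!r}; expected one of {SCALE}")
    return SCALE.index(level)


def derive_vulnerability(tcap: str, cs: str) -> str:
    """Step 6: Vuln from Threat Capability (TCap) against Control Strength (CS).

    Assumed rule: TCap two or more steps above CS -> VH, one above -> H,
    equal -> M, one below -> L, two or more below -> VL.
    """
    gap = _idx(tcap) - _idx(cs)
    return SCALE[max(0, min(len(SCALE) - 1, gap + 2))]


# Assumed matrix for step 7: rows = TEF, columns = Vuln (VL..VH).
# LEF never exceeds TEF, because a loss event requires a threat event.
_LEF_TABLE = {
    "VL": ["VL", "VL", "VL", "VL", "VL"],
    "L":  ["VL", "VL", "L",  "L",  "L"],
    "M":  ["VL", "L",  "M",  "M",  "M"],
    "H":  ["VL", "L",  "M",  "H",  "H"],
    "VH": ["VL", "L",  "M",  "H",  "VH"],
}

# Assumed matrix for step 10: rows = LEF, columns = PLM (VL..VH).
_RISK_TABLE = {
    "VL": ["VL", "L",  "L",  "M",  "M"],
    "L":  ["VL", "L",  "M",  "M",  "H"],
    "M":  ["L",  "M",  "M",  "H",  "H"],
    "H":  ["L",  "M",  "H",  "H",  "VH"],
    "VH": ["M",  "M",  "H",  "VH", "VH"],
}


def derive_lef(tef: str, vuln: str) -> str:
    """Step 7: Loss Event Frequency from TEF and Vuln."""
    _idx(tef)  # validate the TEF rating before the table lookup
    return _LEF_TABLE[tef][_idx(vuln)]


def derive_risk(lef: str, plm: str) -> str:
    """Step 10: Risk from LEF and Probable Loss Magnitude."""
    _idx(lef)
    return _RISK_TABLE[lef][_idx(plm)]


@dataclass(frozen=True)
class Scenario:
    """Inputs gathered in stages 1-3 (field names are this example's own)."""
    asset: str              # step 1
    threat_community: str   # step 2
    tef: str                # step 3: Threat Event Frequency
    tcap: str               # step 4: Threat Capability
    cs: str                 # step 5: Control Strength
    worst_case_loss: str    # step 8
    probable_loss: str      # step 9: Probable Loss Magnitude (PLM)


def analyze(s: Scenario) -> dict:
    """Stages 2-4: derive Vuln, LEF and Risk; worst case is carried for reporting."""
    vuln = derive_vulnerability(s.tcap, s.cs)
    lef = derive_lef(s.tef, vuln)
    return {
        "asset": s.asset,
        "threat_community": s.threat_community,
        "Vuln": vuln,
        "LEF": lef,
        "PLM": s.probable_loss,
        "worst_case": s.worst_case_loss,
        "Risk": derive_risk(lef, s.probable_loss),
    }


# Constructed scenario; the ratings are illustrative, not from the text.
EXAMPLE = Scenario(
    asset="customer database",
    threat_community="external opportunistic attackers",
    tef="H", tcap="M", cs="L",
    worst_case_loss="VH", probable_loss="M",
)

if __name__ == "__main__":
    for key, value in analyze(EXAMPLE).items():
        print(f"{key}: {value}")
```

Re-running `analyze` with only the control strength changed (for instance, CS raised from L to H) shows the chain the method relies on: Vuln drops, LEF drops with it, and Risk falls even though TEF and PLM are untouched. That is the question a control decision actually asks, and the reason the scales must be applied consistently across scenarios.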

Factor Analysis of Information Risk (FAIR) (figure)

ISO 27005 Standard for InfoSec Risk Management
• The ISO 27000 series includes a standard for the performance of risk management, ISO 27005 (http://www.27000.org/iso-27005.htm)
• The 27005 document includes a five-stage risk management methodology:
1. Risk Assessment
2. Risk Treatment
3. Risk Acceptance
4. Risk Communication
5. Risk Monitoring and Review

NIST Risk Management Framework
• The National Institute of Standards and Technology (NIST) has modified its fundamental approach to systems management and certification/accreditation to one that follows the industry standard of effective risk management
• As discussed in "Special Publication 800-39: Managing Information Security Risk: Organization, Mission, and Information System View"

NIST Risk Management Framework
• The first component of risk management addresses how organizations frame risk or establish a risk context, that is, describe the environment in which risk-based decisions are made
• The risk frame establishes a foundation for managing risk and delineates the boundaries for risk-based decisions within organizations
• Establishing a realistic and credible risk frame requires that organizations identify:
(i) risk assumptions
(ii) risk constraints
(iii) risk tolerance
(iv) priorities and tradeoffs

NIST Risk Management Framework
• Integrated, enterprise-wide risk management includes:
– (i) the strategic goals/objectives of organizations
– (ii) organizational missions/business functions prioritized as needed
– (iii) mission/business processes
– (iv) enterprise and InfoSec architectures
– (v) system development life cycle processes

NIST Risk Management Framework
• The second component of risk management addresses how organizations assess risk within the context of the organizational risk frame
• The purpose of the risk assessment component is to identify:
– (i) threats to organizations or threats directed through organizations against other organizations or the Nation
– (ii) vulnerabilities internal and external to organizations
– (iii) the harm to organizations that may occur given the potential for threats exploiting vulnerabilities
– (iv) the likelihood that harm will occur
• The end result is a determination of risk

NIST Risk Management Framework
• To support the risk assessment component, organizations identify:
– (i) the tools, techniques, and methodologies that are used to assess risk
– (ii) the assumptions related to risk assessments
– (iii) the constraints that may affect risk assessments
– (iv) roles and responsibilities
– (v) how risk assessment information is collected, processed, and communicated throughout organizations
– (vi) how risk assessments are conducted within organizations
– (vii) the frequency of risk assessments
– (viii) how threat information is obtained

NIST Risk Management Framework
• The third component of risk management addresses how organizations respond to risk once that risk is determined based on the results of risk assessments
• The purpose of the risk response component is to provide a consistent, organization-wide response to risk in accordance with the organizational risk frame by:
– (i) developing alternative courses of action for responding to risk
– (ii) evaluating the alternative courses of action
– (iii) determining appropriate courses of action consistent with organizational risk tolerance
– (iv) implementing risk responses based on selected courses of action

NIST Risk Management Framework
• The fourth component of risk management addresses how organizations monitor risk over time
• The purpose of the risk monitoring component is to:
– (i) verify that planned risk response measures are implemented and that InfoSec requirements derived from and traceable to organizational missions/business functions, federal legislation, directives, regulations, policies, standards, and guidelines are satisfied
– (ii) determine the ongoing effectiveness of risk response measures following implementation
– (iii) identify risk-impacting changes to organizational information systems and the environments in which the systems operate

NIST Risk Management Framework (figure)

Other Methods: ENISA RM Process (figure)

Summary
• Once vulnerabilities are identified and ranked, a strategy to control the risks must be chosen
– The five control strategies are defense, transference, mitigation, acceptance, and termination
• Economic feasibility studies determine and compare the costs and benefits of potential controls (often called a cost benefit analysis)
– Other forms of feasibility analysis include analyses based on organizational, operational, technical, and political factors
• An organization must be able to place a dollar value on each collection of information and the information assets it owns
– There are several methods an organization can use to calculate these values
• Single loss expectancy (SLE) is calculated from the value of the asset and the expected percentage of loss that would occur from a single successful attack
• Annualized loss expectancy (ALE) represents the potential loss per year

Summary
• Cost benefit analysis determines whether a control alternative is worth its associated cost
– CBA calculations are based on costs before and after controls are implemented and the cost of the controls
– Other feasibility analysis approaches can also be used
• Organizations may choose alternatives to feasibility studies to justify applying InfoSec controls, including: benchmarking with either metrics-based measures or process-based measures; due care and/or due diligence; best security practices up to and including the near-mythic gold standard; and/or baselining
• Risk appetite defines the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility
• Residual risk is the amount of risk unaccounted for after the application of controls
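The SLE, ALE and CBA arithmetic summarized in the two slides above, worked through for several candidate controls against one asset, as an added example. This is illustrative code written for this page, not the textbook's own material; the asset value, exposure factors, annualized rates of occurrence, control costs, the Control field names, and the dollar-denominated risk appetite are all constructed assumptions. It uses the standard relationships SLE = asset value x exposure factor, ALE = SLE x ARO, and CBA = ALE(prior) - ALE(post) - ACS (annualized cost of the safeguard), and treats ALE(post) as the residual annual loss that remains once the control is in place.

```python
"""SLE, ALE and cost-benefit analysis for candidate controls (added example).

Illustrative code written for this page, not from the textbook. The asset
value, exposure factors, occurrence rates, control costs and risk appetite
are constructed for the example.
"""
from dataclasses import dataclass


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy: asset value times the fraction lost in one event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def ale(single_loss: float, aro: float) -> float:
    """Annualized loss expectancy: SLE times the annualized rate of occurrence (ARO)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss * aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # annualized cost of the safeguard (ACS)
    ef_after: float      # exposure factor once the control is in place
    aro_after: float     # annualized rate of occurrence once the control is in place


def evaluate(asset_value: float, ef_before: float, aro_before: float,
             control: Control) -> dict:
    """CBA = ALE(prior) - ALE(post) - ACS.

    ALE(post) is the residual annual loss with the control in place;
    a negative CBA means the control costs more than the loss it avoids.
    """
    ale_prior = ale(sle(asset_value, ef_before), aro_before)
    ale_post = ale(sle(asset_value, control.ef_after), control.aro_after)
    return {
        "control": control.name,
        "ale_prior": ale_prior,
        "residual_ale": ale_post,
        "cba": ale_prior - ale_post - control.annual_cost,
    }


def rank_controls(asset_value: float, ef_before: float, aro_before: float,
                  controls: list, risk_appetite_ale: float) -> list:
    """Score every candidate, best CBA first, and flag those whose residual
    ALE stays within the organization's risk appetite (here a dollar ALE)."""
    rows = []
    for c in controls:
        r = evaluate(asset_value, ef_before, aro_before, c)
        r["within_appetite"] = r["residual_ale"] <= risk_appetite_ale
        rows.append(r)
    return sorted(rows, key=lambda r: r["cba"], reverse=True)


# Constructed inputs: a $1M asset, half lost per event, 0.4 events per year,
# and a risk appetite of no more than $45k expected loss per year.
ASSET_VALUE = 1_000_000.0
EF_BEFORE = 0.5
ARO_BEFORE = 0.4
RISK_APPETITE_ALE = 45_000.0

CANDIDATES = [
    Control("web application firewall", annual_cost=30_000, ef_after=0.5, aro_after=0.1),
    Control("tested offline backups", annual_cost=20_000, ef_after=0.1, aro_after=0.4),
    Control("full rebuild with managed SOC", annual_cost=250_000, ef_after=0.05, aro_after=0.05),
]

if __name__ == "__main__":
    for row in rank_controls(ASSET_VALUE, EF_BEFORE, ARO_BEFORE,
                             CANDIDATES, RISK_APPETITE_ALE):
        print(f"{row['control']:<32} residual ALE ${row['residual_ale']:>10,.0f}"
              f"  CBA ${row['cba']:>10,.0f}  within appetite: {row['within_appetite']}")
```

Two things the ranking makes visible that a single formula does not: a control can reduce loss mainly through the exposure factor (backups) or mainly through the rate of occurrence (the firewall), and the two are compared on the same footing by their CBA; and the most protective option can still have a negative CBA, which is the quantitative case for acceptance or a cheaper alternative rather than for buying the gold standard.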

Summary
• It is possible to repeat risk analysis using estimates based on a qualitative assessment; the Delphi technique can be used to obtain group consensus on risk assessment values
• Once a control strategy has been implemented, the effectiveness of controls should be monitored and measured
• Alternative approaches to risk management include the OCTAVE Method, the Microsoft risk management approach, ISO 27005, the NIST risk management approach, and FAIR