- Slides: 58
Risk Management
Acknowledgments
Material is sourced from:
- CISM® Review Manual 2012, © 2011, ISACA. All rights reserved. Used by permission.
- All-in-One CISSP Exam Guide, 4th Ed. / Shon Harris, McGraw-Hill, 2008
Author: Susan J Lincke, Ph.D., Univ. of Wisconsin-Parkside
Reviewers/Contributors: Todd Burri, Kahili Cheng
Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.
Objectives
Students should be able to:
- Define risk management process: risk management, risk assessment, risk analysis, risk appetite, risk treatment, accept residual risk
- Define treat risk terms: risk acceptance/risk retention, risk avoidance, risk mitigation/risk reduction, risk transference
- Describe threat types: natural, unintentional, intentional (nonphysical)
- Define threat agent types: hackers/crackers, criminals, terrorists, industry spies, insiders
- Perform risk analysis using techniques: qualitative, quantitative
- Define vulnerability, SLE, ARO, ALE, due diligence, due care
How Much to Invest in Security?
How much is too much?
- Firewall
- Intrusion Detection/Prevention
- Guard
- Biometrics
- Virtual Private Network
- Encrypted Data & Transmission
- Card Readers
- Policies & Procedures
- Audit & Control Testing
- Antivirus / Spyware
- Wireless Security
How much is too little?
- Hacker attack
- Internal Fraud
- Loss of Confidentiality
- Stolen data
- Loss of Reputation
- Loss of Business
- Penalties
- Legal liability
- Theft & Misappropriation
Security is a balancing act between security costs & losses.
Risk Management Structure
(Diagram: factors feeding the risk management strategy. Internal Factors: Corporate History, Culture, Organizational Maturity, Management's Risk Tolerance. External Factors: Industry, Regulation.)
Risk Mgmt Strategies are determined by both internal & external factors.
Risk Tolerance or Appetite: The level of risk that management is comfortable with.
Risk Management Process
Establish Scope & Boundaries: What to investigate? What to consider?
Risk Assessment:
- Identification: What assets & risks exist?
- Analysis: What does this risk cost?
- Evaluation: What priorities shall we set? What controls can we use?
Treatment: Avoid, Reduce, Transfer, Accept (Retain Residual Risk)
Risk Communication & Monitoring
Risk Appetite
- Do you operate your computer with or without antivirus software? Do you have antispyware?
- Do you open emails with forwarded attachments from friends or follow questionable web links?
- Have you ever given your bank account information to a foreign emailer to make $$$?
- What is your risk appetite? If liberal, is it due to risk acceptance or ignorance?
Companies too have risk appetites, decided after evaluating risk.
Continuous Risk Mgmt Process
(Cycle: Identify & Assess Risks -> Develop Risk Mgmt Plan -> Implement Risk Mgmt Plan -> Proactive Monitoring -> back to Identify & Assess Risks, bounded by Risk Appetite.)
- Risks change with time as business & environment changes
- Controls degrade over time and are subject to failure
- Countermeasures may open new risks
Security Evaluation: Risk Assessment
Five Steps include:
1. Assign Values to Assets: Where are the Crown Jewels? Confidentiality, Integrity, Availability
2. Determine Loss due to Threats & Vulnerabilities: Loss = Downtime + Recovery + Liability + Replacement
3. Estimate Likelihood of Exploitation: Weekly, monthly, 1 year, 10 years?
4. Compute Expected Loss: Risk Exposure = Probability.Of.Vulnerability * $Loss; Risk Leverage = ((Risk exposure before reduction) - (Risk exposure after reduction)) / (Cost of risk reduction)
5. Treat Risk: Survey & Select New Controls; Reduce, Transfer, Avoid or Accept
Step 1: Determine Value of Assets
Identify & Determine Value of Assets (Crown Jewels):
- Assets include:
  - IT-Related: Information/data, hardware, software, services, documents, personnel
  - Other: Buildings, inventory, cash, reputation, sales opportunities
- What is the value of this asset to the company?
- How much of our income can we attribute to this asset?
- How much would it cost to recover this?
- How much liability would we be subject to if the asset were compromised?
Helpful websites: www.attrition.org
Determine Cost of Assets
Costs: Tangible ($) / Intangible (High/Med/Low)
- Sales Risk: Product A
- Sales Risk: Product B
- Sales Risk: Product C
- Replacement Cost =
- Cost of loss of integrity =
- Cost of loss of availability =
- Cost of loss of confidentiality =
Matrix of Loss Scenario (taken from CISM Exhibit 2.16)
Columns: Size of Loss | Reputation Loss | Lawsuit | Fines/Reg. Loss | Market Loss | Exp. Yearly Loss
- Hacker steals customer data; publicly blackmails company: 1-10K Records | $1M-$20M | $1M-$10M | $1M-$35M | $1M-$5M | $10M
- Employee steals strategic plan; sells data to competitor: 3-year | Min. $20M | $2M
- Backup tapes and Cust. data found in garbage; makes front-page news: 10M Records | $20M | $20M | $10M | $5M | $200K | $10M | Min. $200K
- Contractor steals employee data; sells data to hackers: 10K Records | $5M
Step 1: Determine Value of Assets (Workbook)
Asset Name | $ Value, Direct Loss: Replacement | $ Value, Consequential Financial Loss | Confidentiality, Integrity, and Availability | Notes
Laptop | $1,000 | Mailings = $130 x #Cust -> Reputation = $9,000 | Conf., Avail. | Breach Notification Law
Equipment | $10,000 | $2K per day in income | Availability | (e.g., due to fire or theft)
Step 2: Determine Loss Due to Threats
- Natural: Flood, fire, cyclones, rain/hail/snow, plagues and earthquakes
- Unintentional: Fire, water, building damage/collapse, loss of utility services, and equipment failure
- Intentional: Fire, water, theft, vandalism
- Intentional, non-physical: Fraud, espionage, hacking, identity theft, malicious code, social engineering, phishing, denial of service
Threat Agent Types
Agent | Motivation | Typical actions
- Hackers/Crackers | Challenge, rebellion | Unauthorized access
- Criminals | Financial gain, disclosure/destruction of info. | Fraud, computer crimes
- Terrorists | Destruction/revenge/extortion | DOS, info warfare
- Industry Spies | Competitive advantage | Info theft, econ. exploitation
- Insiders | Opportunity, personal issues | Fraud/theft, malware, abuse
Step 2: Determine Threats Due to Vulnerabilities
System Vulnerabilities
- Behavioral: Disgruntled employee, employee error, insufficient staff, inadequate mgmt, inadequate compliance enforcement
- Misinterpretation: Poorly-defined procedures, uncontrolled processes, poor network design, improperly configured equipment
- Coding Problems: Security ignorance, poorly-defined requirements, defective software, unprotected communication
- Physical Vulnerabilities: Fire, flood, negligence, theft, kicked terminals, no redundancy
Step 3: Estimate Likelihood of Exploitation
Best sources:
- Past experience
- National & international standards & guidelines: NIPC, OIG, FedCIRC, mass media
- Specialists and expert advice
- Economic, engineering, or other models
- Market research & analysis
- Experiments & prototypes
If no good numbers emerge, estimates can be used, if management is notified of the guesswork.
Likelihood of Exploitation: Sources of Losses
(Chart.) Source: 2006 Annual Study: Cost of a Data Breach, PGP/Vontu. Evaluation of 31 organizations.
Step 4: Compute Expected Loss: Risk Analysis Strategies
- Qualitative: Prioritizes risks so that the highest risks can be addressed first
  - Based on judgment, intuition, and experience
  - May factor in reputation, goodwill, nontangibles
- Quantitative: Measures approximate cost of impact in financial terms
- Semiquantitative: Combination of qualitative & quantitative techniques
Step 4: Compute Loss Using Qualitative Analysis
Qualitative analysis is used:
- As a preliminary look at risk
- With non-tangibles, such as reputation, image -> market share, share value
- When there is insufficient information to perform a more quantified analysis
Vulnerability Assessment Quadrant Map (Workbook)
(Diagram: threats plotted by Threat (Probability) against Vulnerability (Severity). Items plotted: Snow emergency, Intruder, Hacker/Criminal, Malware, Disgruntled Employee, Flood, Spy, Fire, Terrorist.)
Step 4: Compute Loss Using Semi-Quantitative Analysis
Impact:
1. Insignificant: No meaningful impact
2. Minor: Impacts a small part of the business, < $1M
3. Major: Impacts company brand, > $1M
4. Material: Requires external reporting, > $200M
5. Catastrophic: Failure or downsizing of company
Likelihood:
1. Rare
2. Unlikely: Not seen within the last 5 years
3. Moderate: Occurred in last 5 years, but not in last year
4. Likely: Occurred in last year
5. Frequent: Occurs on a regular basis
Risk = Impact * Likelihood
Semi-Quantitative Impact Matrix
(Matrix: rows are Impact: Catastrophic (5), Material (4), Major (3), Minor (2), Insignificant (1); columns are Likelihood: Rare (1), Unlikely (2), Moderate (3), Likely (4), Frequent (5). Cells are rated Low, Medium, High or Severe.)
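The semi-quantitative scoring above, as an added example (not code from the slides): the impact and likelihood scales are the slides' own, while the Low/Medium/High/Severe cut-offs, the treatment of a never-observed event as Rare, and the sample scenarios are assumptions made for this example.

```python
# Semi-quantitative risk scoring: Risk = Impact * Likelihood, using the 1-5 scales
# from the slides. Band cut-offs and sample scenarios are assumptions of this example.

IMPACT_NAMES = {1: "Insignificant", 2: "Minor", 3: "Major", 4: "Material", 5: "Catastrophic"}
LIKELIHOOD_NAMES = {1: "Rare", 2: "Unlikely", 3: "Moderate", 4: "Likely", 5: "Frequent"}


def impact_level(loss_usd, company_failure=False, external_reporting=False):
    """Map a loss scenario onto the slides' 1-5 Impact scale."""
    if company_failure:                                  # Catastrophic: failure/downsizing of company
        return 5
    if external_reporting or loss_usd > 200_000_000:     # Material: external reporting, > $200M
        return 4
    if loss_usd > 1_000_000:                             # Major: impacts company brand, > $1M
        return 3
    if loss_usd > 0:                                     # Minor: small part of the business, < $1M
        return 2
    return 1                                             # Insignificant: no meaningful impact


def likelihood_level(years_since_last=None, regular=False):
    """Map observed history onto the slides' 1-5 Likelihood scale.
    years_since_last=None means never observed; treating that as Rare is an assumption."""
    if regular:                                          # Frequent: occurs on a regular basis
        return 5
    if years_since_last is None:
        return 1                                         # Rare
    if years_since_last <= 1:                            # Likely: occurred in last year
        return 4
    if years_since_last <= 5:                            # Moderate: last 5 years, not last year
        return 3
    return 2                                             # Unlikely: not seen in last 5 years


def risk_score(impact, likelihood):
    return impact * likelihood                           # Risk = Impact * Likelihood, range 1..25


def risk_band(score):
    """Assumed matrix bands: Low <= 4, Medium <= 9, High <= 15, Severe above that."""
    if score <= 4:
        return "Low"
    if score <= 9:
        return "Medium"
    if score <= 15:
        return "High"
    return "Severe"


def rank_scenarios(scenarios):
    """scenarios: list of (name, impact, likelihood). Returns (name, score, band), highest first."""
    ranked = [(name, risk_score(i, l), risk_band(risk_score(i, l))) for name, i, l in scenarios]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


# Constructed sample scenarios (not the slides' workbook data).
SAMPLE = [
    ("Malware outbreak", impact_level(300_000), likelihood_level(years_since_last=0.5)),
    ("Flood", impact_level(5_000_000), likelihood_level(years_since_last=12)),
    ("Disgruntled employee", impact_level(50_000), likelihood_level(years_since_last=3)),
]

if __name__ == "__main__":
    for name, score, band in rank_scenarios(SAMPLE):
        print(f"{name:22} score={score:2}  {band}")
```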
Step 4: Compute Loss Using Quantitative Analysis
- Single Loss Expectancy (SLE): The cost to the organization if one threat occurs once
  - E.g. Stolen laptop = Replacement cost + Cost of installation of special software and data; assumes no liability
  - SLE = Asset Value (AV) x Exposure Factor (EF)
  - With a stolen laptop, EF > 1.0
- Annualized Rate of Occurrence (ARO): Probability or frequency of the threat occurring in one year
  - If a fire occurs once every 25 years, ARO = 1/25
- Annual Loss Expectancy (ALE): The annual expected financial loss to an asset, resulting from a specific threat
  - ALE = SLE x ARO
Risk Assessment Using Quantitative Analysis
Quantitative:
- Cost of HIPAA accident with insufficient protections
  - SLE = $50K + (1 year in jail:) $100K = $150K
  - Plus loss of reputation...
- Estimate of time = 10 years or less, so ARO = 0.1
- Annualized Loss Expectancy (ALE) = $150K x 0.1 = $15K
Annualized Loss Expectancy
ALE by asset value (rows) and expected time between losses (columns):
Asset Value | 1 Yr | 5 Yrs | 10 Yrs | 20 Yrs
$1K | 1K | 200 | 100 | 50
$10K | 10K | 2K | 1K | 1K
$100K | 100K | 20K | 10K | 5K
$1000K | 1000K | 200K | 100K | 50K
Example: Asset costs $10K, risk of loss 20% per year. Over 5 years, average loss = $10K. Spend up to $2K each year to prevent loss.
Quantitative Risk Workbook
Asset | Threat | Single Loss Expectancy (SLE) | Annualized Rate of Occurrence (ARO) | Annual Loss Expectancy (ALE)
Building | Fire | $1M | .05 (20 years) | $50K
Laptop | Stolen | $1K + $9K (breach notif) | 0.2 (5 years) | $1K
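The SLE / ARO / ALE arithmetic of the preceding slides, as an added example (not the slides' own workbook): the building-fire and HIPAA figures are the slides' examples, the ALE table reproduces the table above, and the stolen-laptop values (AV $1K, EF 1.5, one loss every 5 years) are constructed to show an exposure factor above 1.0.

```python
# Quantitative risk arithmetic from the slides: SLE = AV x EF, ARO = 1 / years between
# occurrences, ALE = SLE x ARO. Added example; laptop figures are constructed.
from dataclasses import dataclass


@dataclass
class QuantRisk:
    asset: str
    threat: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF: fraction of AV lost per incident; may exceed 1.0
    years_between: float    # mean years between occurrences (20 years -> ARO 0.05)

    def sle(self):
        """Single Loss Expectancy: cost of one occurrence."""
        return round(self.asset_value * self.exposure_factor, 2)

    def aro(self):
        """Annualized Rate of Occurrence."""
        return round(1.0 / self.years_between, 4)

    def ale(self):
        """Annual Loss Expectancy = SLE x ARO (computed as SLE / years to avoid float noise)."""
        return round(self.sle() / self.years_between, 2)


def ale_table(asset_values, periods):
    """ALE for each asset value (EF = 1.0) against each 'once every N years' period,
    i.e. the slides' Annualized Loss Expectancy table as a nested dict."""
    return {av: {years: round(av / years, 2) for years in periods} for av in asset_values}


def max_annual_spend(risk):
    """Upper bound on yearly control spending for one risk: never more than its ALE."""
    return risk.ale()


# Slides' examples: building fire once every 20 years; HIPAA incident every 10 years or less.
BUILDING_FIRE = QuantRisk("Building", "Fire", 1_000_000, 1.0, 20)
HIPAA_INCIDENT = QuantRisk("Medical DB", "HIPAA disclosure", 150_000, 1.0, 10)
# Constructed: stolen laptop with EF > 1.0 (replacement plus reinstalling software and data).
STOLEN_LAPTOP = QuantRisk("Laptop", "Stolen", 1_000, 1.5, 5)

if __name__ == "__main__":
    for r in (BUILDING_FIRE, HIPAA_INCIDENT, STOLEN_LAPTOP):
        print(f"{r.asset:10} {r.threat:18} SLE=${r.sle():>12,.2f} "
              f"ARO={r.aro():<6} ALE=${r.ale():>10,.2f}")
    for av, row in ale_table([1_000, 10_000, 100_000, 1_000_000], [1, 5, 10, 20]).items():
        print(f"${av:>9,}: " + "  ".join(f"{y:>2}yr ${ale:>10,.2f}" for y, ale in row.items()))
```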
Step 5: Treat Risk
- Risk Acceptance: Handle attack when necessary
  - E.g.: Comet hits
  - Ignore risk if risk exposure is negligible
- Risk Avoidance: Stop doing risky behavior
  - E.g.: Do not use Social Security Numbers
- Risk Mitigation: Implement control to minimize vulnerability
  - E.g.: Purchase & configure a firewall
- Risk Transference: Pay someone to assume risk for you
  - E.g.: Buy malpractice insurance (doctor)
  - While financial impact can be transferred, legal responsibility cannot
- Risk Planning: Implement a set of controls
NIST Risk Assessment Methodology
Input -> Activity -> Output
- Hardware, software -> System Characterization -> System boundary, system functions, system/data criticality, system/data sensitivity
- Company history; intelligence agency data: NIPC, OIG -> Identify Threats -> List of threats & vulnerabilities
- Audit & test results -> Identify Vulnerabilities -> List of threats & vulnerabilities
- Current and planned controls -> Analyze Controls -> List of current & planned controls
- Threat motivation/capacity -> Determine Likelihood -> Likelihood rating
- Business Impact Analysis; data criticality & sensitivity analysis -> Analyze Impact -> Impact rating
- Likelihood of threat exploitation; magnitude of impact -> Determine Risk -> Documented risks
- Plan for risk -> Recommend Controls -> Recommended controls
- Document Results -> Risk Assessment Report
Control Types
(Diagram, relationships as labelled: Threat creates Attack; Attack on Vulnerability results in Impact. Deterrent Control reduces likelihood of Threat. Preventive Control reduces likelihood of Attack and protects the Vulnerability. Detective Control discovers the Attack and triggers the Corrective Control. Corrective Control decreases Impact. Compensating Control reduces Impact.)
(Diagram: Threat -> Deterrent control -> Risk Probability -> Mitigating control, Detective control, Preventive control -> Vulnerability -> Corrective control -> Impact -> Residual risk.)
Controls & Countermeasures
- Cost of control should never exceed the expected loss assuming no control
- Countermeasure = Targeted Control
  - Aimed at a specific threat or vulnerability
  - Problem: Firewall cannot process packets fast enough due to IP packet attacks
  - Solution: Add border router to eliminate invalid accesses
Analysis of Risk vs. Controls (Workbook)
Risk | ALE or Score | Control | Cost of Control
Stolen Laptop | $1K ($9K Breach Notif. Law) | Encryption | $60
Disk Failure | $3K per day | RAID | $750
Hacker | $9K Breach Notif. Law | Firewall | $1K
Cost of some controls is shown in the Case Study Appendix.
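The control test stated two slides up (cost must not exceed the expected loss without the control) together with the Risk Leverage formula from the five-step slide, as an added example that is not the slides' workbook code. The stolen-laptop and hacker figures are the workbook's; the residual ALEs after each control, the annualized control costs and the printer-outage row are assumptions.

```python
# Control justification: the slides' rule (control cost <= expected loss without the control)
# and Risk Leverage = (exposure before - exposure after) / cost of reduction.
# Added example; residual ALEs and annualized control costs are assumptions.


def risk_leverage(ale_before, ale_after, annual_control_cost):
    """ALE reduction bought per dollar of annual control cost (slides' Risk Leverage)."""
    if annual_control_cost <= 0:
        raise ValueError("control cost must be positive")
    return round((ale_before - ale_after) / annual_control_cost, 2)


def evaluate_control(risk, control, ale_before, ale_after, annual_control_cost):
    """Decision record for one risk/control pair.
    justified: the slides' rule, cost never exceeds the expected loss with no control.
    net_benefit: ALE avoided minus what the control costs per year."""
    return {
        "risk": risk,
        "control": control,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "cost": annual_control_cost,
        "leverage": risk_leverage(ale_before, ale_after, annual_control_cost),
        "net_benefit": (ale_before - ale_after) - annual_control_cost,
        "justified": annual_control_cost <= ale_before,
    }


def prioritize(candidates):
    """Justified controls first, ordered by leverage (highest first); unjustified ones last."""
    return sorted(candidates, key=lambda c: (c["justified"], c["leverage"]), reverse=True)


# Workbook row: stolen laptop, ALE $1K plus $9K breach-notification exposure, encryption $60.
# Assumption: encryption removes the notification liability, not the replacement loss.
LAPTOP = evaluate_control("Stolen laptop", "Encryption", 1_000 + 9_000, 1_000, 60)
# Workbook row: hacker, $9K breach-notification exposure, firewall $1K. Residual $2K assumed.
HACKER = evaluate_control("Hacker", "Firewall", 9_000, 2_000, 1_000)
# Constructed counter-example: a $5K control against a $3K ALE fails the slides' rule.
PRINTER = evaluate_control("Printer outage", "Redundant printer", 3_000, 500, 5_000)

if __name__ == "__main__":
    for c in prioritize([LAPTOP, HACKER, PRINTER]):
        verdict = "justified" if c["justified"] else "NOT justified"
        print(f"{c['risk']:15} {c['control']:18} leverage={c['leverage']:>7} "
              f"net=${c['net_benefit']:>7,} {verdict}")
```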
Extra Step: Step 6: Risk Monitoring
Issue | Status | Cost
Stolen Laptop | In investigation | $2K, legal issues
HIPAA Incident Response | Procedure being defined – incident response | $200K
Cost overruns | Internal audit investigation | $400K
HIPAA: Physical security | Training occurred | $200K
Security Dashboard, Heat Chart or Stoplight Chart: Report to Mgmt the status of security
- Metrics showing current performance
- Outstanding issues
- Newly arising issues
- How handled – when resolution is expected
Training
- Importance of following policies & procedures
- Clean desk policy
- Incident or emergency response
- Authentication & access control
- Privacy and confidentiality
- Recognizing and reporting security incidents
- Recognizing and dealing with social engineering
Security Control Baselines & Metrics
Baseline: A measurement of performance
- Metrics are regularly and consistently measured, quantifiable, inexpensively collected
- Leads to subsequent performance evaluation
- E.g. How many viruses is the help desk reporting? (Chart: company data - not real)
Risk Management
- Risk management is aligned with business strategy & direction
- Risk mgmt must be a joint effort between all key business units & IS
- Business-driven (not technology-driven)
- Steering Committee:
  - Sets risk management priorities
  - Defines risk management objectives to achieve business strategy
Risk Management Roles
- Governance & Sr Mgmt: Allocate resources, assess & use risk assessment results
- Info. Security Mgr: Develops, collaborates, and manages the IS risk mgmt process
- Business Managers (Process Owners): Make difficult decisions relating to priority to achieve business goals
- System / Info Owners: Responsible to ensure controls are in place to address CIA. Sign off on changes
- Chief Info Officer: IT planning, budget, performance incl. risk
- IT Security Practitioners: Implement security requirements into IT systems: network, system, DB, app, admin.
- Security Trainers: Develop appropriate training materials, including risk assessment, to educate end users.
Due Diligence = Did careful risk assessment (RA)
Due Care = Implemented recommended controls from RA
Liability minimized if reasonable precautions taken
(Diagram of supporting elements: Policies & Procedures, Compliance, Adequate Security Controls, Risk Assessment, Backup & Recovery, Senior Mgmt Support, Business Continuity, Disaster Recovery, Monitoring & Metrics.)
Question: Risk Assessment includes:
1. The steps: risk analysis, risk treatment, risk acceptance, and risk monitoring
2. Answers the question: What risks are we prone to, and what are the financial costs of these risks?
3. Assesses controls after implementation
4. The identification, financial analysis, and prioritization of risks, and evaluation of controls
Question: Risk Management includes:
1. The steps: risk analysis, risk treatment, risk acceptance, and risk monitoring
2. Answers the question: What risks are we prone to, and what are the financial costs of these risks?
3. Assesses controls after implementation
4. The identification, financial analysis, and prioritization of risks, and evaluation of controls
Question: The FIRST step in Security Risk Assessment is:
1. Determine threats and vulnerabilities
2. Determine values of key assets
3. Estimate likelihood of exploitation
4. Analyze existing controls
Question: Single Loss Expectancy refers to:
1. The probability that an attack will occur in one year
2. The duration of time where a loss is expected to occur (e.g., one month, one year, one decade)
3. The cost of losing an asset once
4. The average cost of loss of this asset per year
Question: The role(s) responsible for deciding whether risks should be accepted, transferred, or mitigated is:
1. The Chief Information Officer
2. The Chief Risk Officer
3. The Chief Information Security Officer
4. Enterprise governance and senior business management
Question: Which of these risks is best measured using a qualitative process?
1. Temporary power outage in an office building
2. Loss of consumer confidence due to a malfunctioning website
3. Theft of an employee's laptop while traveling
4. Disruption of supply deliveries due to flooding
Question: The risk that is assumed after implementing controls is known as:
1. Accepted Risk
2. Annualized Loss Expectancy
3. Quantitative risk
4. Residual risk
Question: The primary purpose of risk management is to:
1. Eliminate all risk
2. Find the most cost-effective controls
3. Reduce risk to an acceptable level
4. Determine budget for residual risk
Question: Due Diligence ensures that
1. An organization has exercised the best possible security practices according to best practices
2. An organization has exercised acceptably reasonable security practices addressing all major security areas
3. An organization has implemented risk management and established the necessary controls
4. An organization has allocated a Chief Information Security Officer who is responsible for securing the organization's information assets
Question: ALE is:
1. The average cost of loss of this asset, for a single incident
2. An estimate using quantitative risk management of the frequency of asset loss due to a threat
3. An estimate using qualitative risk management of the priority of the vulnerability
4. ALE = SLE x ARO
HEALTH FIRST CASE STUDY: Analyzing Risk
- Jamie Ramon, MD: Doctor
- Chris Ramon, RD: Dietician
- Terry: Licensed Practicing Nurse
- Pat: Software Consultant
Step 1: Define Assets
Step 1: Define Assets (Consider Consequential Financial Loss)
Asset Name | $ Value, Direct Loss: Replacement | $ Value, Consequential Financial Loss | Confidentiality, Integrity, and Availability | Notes
Medical DB | | | C? I? A? | Daily Operation (DO); Medical Malpractice (M); HIPAA Liability (H); Notification Law Liability (NL)
Step 1: Define Assets (Consider Consequential Financial Loss)
Asset Name | $ Value, Direct Loss: Replacement | $ Value, Consequential Financial Loss | Confidentiality, Integrity, and Availability | Notes
Medical DB | | DO + M + H + NL | C I A | Daily Operation (DO) $; Medical Malpractice (M) $; HIPAA Liability (H) $; Notification Law Liability (NL) $
HIPAA Criminal Penalties
$ Penalty | Imprisonment | Offense
Up to $50K | Up to one year | Wrongful disclosure of individually identifiable health information
Up to $100K | Up to 5 years | ...committed under false pretenses
Up to $500K | Up to 10 years | ...with intent to sell, achieve personal gain, or cause malicious harm
Then consider bad press, state audit, state law penalties, civil lawsuits, lost claims, ...
Step 2: Estimate Potential Loss for Threats; Step 3: Estimate Likelihood of Exploitation
- Normal threats: Threats common to all organizations
- Inherent threats: Threats particular to your specific industry
- Known vulnerabilities: Previous audit reports indicate deficiencies.
Step 4: Compute Expected Loss; Step 5: Treat Risk
Step 4: Compute E(Loss): ALE = SLE * ARO
Asset | Threat | Single Loss Expectancy (SLE) | Annualized Rate of Occurrence (ARO) | Annual Loss Expectancy (ALE)
Step 5: Treat Risk
- Risk Acceptance: Handle attack when necessary
- Risk Avoidance: Stop doing risky behavior
- Risk Mitigation: Implement control to minimize vulnerability
- Risk Transference: Pay someone to assume risk for you
- Risk Planning: Implement a set of controls
Reference Slide
Slide # | Slide Title | Source of Information
- 6 | Risk Management Process | CISM: page 97, Exhibit 2.2
- 8 | Continuous Risk Mgmt Process | CISM: page 97, Exhibit 2.3
- 9 | Security Evaluation: Risk Assessment | CISM: page 100
- 12 | Matrix of Loss Scenario | CISM: page 114, Exhibit 2.15
- 14 | Step 2: Determine Loss Due to Threats | CISM: page 105
- 16 | Step 2: Determine Threats Due to Vulnerabilities | CISM: page 105
- 17 | Step 3: Estimate Likelihood of Exploitation | CISM: pages 107-110
- 18 | Likelihood of Exploitation: Sources of Losses | CISM: page 118, Exhibit 2.11
- 19 | Step 4: Compute Expected Loss: Risk Analysis Strategies | CISM: pages 108-110
- 20 | Step 4: Compute Loss Using Qualitative Analysis | CISM: page 108
- 22 | Step 4: Compute Loss Using Semi-Quantitative Analysis | CISM: pages 108, 109
- 23 | Semi-Quantitative Impact Matrix | CISM: page 109, Exhibit 2.12
- 24 | Step 4: Compute Loss Using Quantitative Analysis | CISM: pages 109, 110
- 26 | Annualized Loss Expectancy | CISM: page 110
- 28 | Step 5: Treat Risk | CISM: pages 110, 111
- 29 | NIST Risk Assessment Methodology | CISM: page 102, Exhibit 2.7
- 30 | Control Types | CISM: page 186, Exhibit 3.18
- 32 | Controls & Countermeasures | CISM: pages 184, 185
- 36 | Security Control Baselines & Metrics | CISM: pages 191-193
- 37 | Risk Management | CISM: pages 91, 92
- 38 | Risk Management Roles | CISM: page 94