Information Risk Management Overview


Presentation Transcript


  1. Information Risk Management Overview Nena Young, CRP, CBCP Texas Department of Information Resources email: nena.young@dir.state.tx.us

  2. Principles for All Sub-Programs • Risk Assessment and Solutions • Centered Management • Implementation of Controls, including policies • Awareness • Monitor and Evaluation of Effectiveness

  3. Bonus • In-depth Assessment of risks • Comprehensive picture of business and technical processes • Identify opportunities for process enhancements and/or re-engineering • Rapid, precise, smooth recovery • “Insurance Policy” for staying in business.

  4. Program Components: 1. Risk Analysis & Risk Assessment 2. Information Security Program 3. Business Continuity Program (diagram: Risk, Security, BCP)

  5. Information Risk Management Program Overview (diagram): Roles and Responsibilities Defined; Assets Inventory; Data Classification; Risk Analysis; InfoSecurity Program; BCP

  6. 1. Risk Analysis & Risk Assessment • Risk Analysis - The process of identifying and documenting vulnerabilities and applicable threats to assets. • Risk Assessment - Projecting losses, assigning levels of risk, and recommending appropriate measures to protect assets.

  7. Foundation of all risk management programs • Snapshot in time. • Discover compliance with existing policies. • Basis for selecting cost-efficient, most appropriate protection measures for assets. • Equilibrium - balance asset loss against countermeasures. • Provide information on likelihood of threat occurrence and asset impact. • Federal government and most states mandate it. • Ensure reasonable steps are taken to prevent loss of assets.

  8. Risk Analysis vs BIA • Risk Analysis & Assessment (Proactive) - Initial process that identifies critical processes, evaluates current standards and countermeasures, determines cost-effective mitigation of identified risks; includes ALE. • Business Impact Analysis (Reactive) - Quantifies risks to include exposure results such as financial loss, client goodwill, public confidence, etc.

  9. Jargon • Assets - Anything that has value and is worth protecting or preserving. • Threats - Events or actions which always exist and can generate undesirable impacts or loss of assets. Can be either human or environmental. • Vulnerabilities - The “windows of opportunity” which allow threats to materialize. The exposures. Conditions of weakness. • Countermeasures (Safeguards, Controls) - Devices, processes, actions, procedures that can reduce vulnerabilities. Preventive, Detective, Corrective. • Risk - Potential for a threat to exploit a vulnerability. A threat + a vulnerability = a RISK.

  10. The Basics • Assets identified. • Threats identified. • Vulnerabilities identified. • Asset Losses identified. • Protective measures identified and proposed. Risk Analysis

  11. Quantitative vs Qualitative (Theoretically . . .) • Quantitative: Objective Numeric Values; Asset Value; Impact; Frequency of Threats; Countermeasure Cost-Effectiveness; Use of Complex Calculations (confidence factors, probabilities, SLE, ALE) • Qualitative: Descriptive, Immeasurable Values; Characteristics; No Quantifiable Data; No ALE; Yes/No, Low/Medium/High, Vital/Critical/Important, good/bad; Rankings based on judgement

  12. In the Real World. . . Risk Analysis Involves Both • Quantifiable measurements. • Judgements based on experience and knowledge. Risk Analysis

  13. Ten Steps • Organize and Define the Scope • Identify and Value the Assets • Identify Applicable Threats • Identify and Describe Vulnerabilities • Establish Pairings (relationships) • Determine the Impact of Threat Occurrence • Measure Existing Countermeasures • Determine Residual Risks • Recommend Additional Countermeasures • Prepare a Risk Analysis Report Risk Analysis

  14. Types of Threats • Human - Intentional: Malicious Software Invasion; Fraud or embezzlement • Human - Unintentional: Programmer Error; User Error • Environmental - Natural: Earthquakes; Flood • Environmental - Fabricated: Fire; Electromagnetic interference

  15. Impact of Threat Occurrence • Impact (Loss) Categories. • Disclosure - Classification or sensitivity of information. Who has access • Modification - A realized threat causes unauthorized changes in an asset. • Destruction - Threat activity causes damage to an asset, making it unusable. • Denial of Service - A realized threat causes a loss of availability. Risk Analysis

  16. Types of Countermeasures • Preventive • Detective • Corrective Risk Analysis

  17. Risk relationships (diagram): Threats, Assets, Vulnerabilities, Countermeasures, Impacts. Residual Risks are accepted, mitigated, transferred.

  18. Knowledge Base Needed Analysts Need to: • Know current and historical internal environment. • Know current and historical external environment. • Understand dependencies and vulnerabilities. • Understand threat profiles. • Understand countermeasure choices and related costs. • Be able to apply cost-benefit analysis to risks and countermeasures Risk Analysis
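The quantitative side of slides 11, 13, 17 and 18 worked through in code. This is an added example, not from Nena Young's presentation: the two assets, the three asset/threat/vulnerability pairings, the three controls and every dollar value, exposure factor and occurrence rate are constructed for illustration. The formulas it uses, SLE = asset value × exposure factor and ALE = SLE × annualized rate of occurrence, are the standard definitions behind the SLE and ALE the slides name; the cost-benefit rule (ALE before, minus ALE after, minus the control's annual cost) is the usual way of applying the cost-benefit analysis slide 18 asks for.

```python
"""Quantitative risk analysis worked through in code.

Added example, not from the presentation. It models the asset / threat /
vulnerability pairings of slide 13, the SLE and ALE figures slide 11 lists
under quantitative analysis, the residual risks of slide 17 and the
cost-benefit test slide 18 asks analysts to apply. Every asset value,
exposure factor, frequency and control cost below is constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # dollar value at risk (constructed)


@dataclass(frozen=True)
class Pairing:
    """One asset/threat/vulnerability relationship (slide 13, step 5)."""
    asset: Asset
    threat: str
    vulnerability: str
    exposure_factor: float  # fraction of the asset's value lost per occurrence, 0..1
    aro: float              # annualized rate of occurrence (expected events per year)

    def sle(self) -> float:
        """Single Loss Expectancy: loss each time the threat materializes."""
        return self.asset.value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected loss per year."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    applies_to: FrozenSet[str]   # vulnerabilities this control addresses
    ef_reduction: float = 0.0    # share of the exposure factor removed, 0..1
    aro_reduction: float = 0.0   # share of the occurrence rate removed, 0..1

    def residual(self, p: Pairing) -> Pairing:
        """The pairing as it looks with this control in place (slide 13, step 8)."""
        return Pairing(p.asset, p.threat, p.vulnerability,
                       p.exposure_factor * (1.0 - self.ef_reduction),
                       p.aro * (1.0 - self.aro_reduction))

    def net_benefit(self, p: Pairing) -> float:
        """Cost-benefit (slide 18): ALE before, minus ALE after, minus the control's cost."""
        return p.ale() - self.residual(p).ale() - self.annual_cost


def rank_pairings(pairings: Iterable[Pairing]) -> List[Pairing]:
    """Order risks by ALE, highest first, for the risk analysis report (step 10)."""
    return sorted(pairings, key=lambda p: p.ale(), reverse=True)


def recommend(p: Pairing, candidates: Iterable[Countermeasure]) -> Optional[Countermeasure]:
    """Recommend the applicable control with the largest positive net benefit.

    Returns None when no control pays for itself, i.e. the residual risk is a
    candidate for acceptance or transfer rather than mitigation (slide 17).
    """
    usable = [c for c in candidates if p.vulnerability in c.applies_to]
    if not usable:
        return None
    best = max(usable, key=lambda c: c.net_benefit(p))
    return best if best.net_benefit(p) > 0 else None


# Constructed sample inventory (slide 13, steps 2-5)
CUSTOMER_DB = Asset("customer database", 500_000.0)
WEB_SERVER = Asset("public web server", 80_000.0)

PAIRINGS = [
    Pairing(CUSTOMER_DB, "malicious software invasion", "unpatched database host",
            exposure_factor=0.4, aro=0.5),
    Pairing(WEB_SERVER, "denial of service", "no rate limiting",
            exposure_factor=0.1, aro=4.0),
    Pairing(CUSTOMER_DB, "fire", "single data center",
            exposure_factor=1.0, aro=0.02),
]

CONTROLS = [
    Countermeasure("patch management", 30_000.0,
                   frozenset({"unpatched database host"}), aro_reduction=0.8),
    Countermeasure("offsite backups", 15_000.0,
                   frozenset({"unpatched database host", "single data center"}),
                   ef_reduction=0.5),
    Countermeasure("rate limiting", 5_000.0,
                   frozenset({"no rate limiting"}), aro_reduction=0.75),
]

if __name__ == "__main__":
    for p in rank_pairings(PAIRINGS):
        rec = recommend(p, CONTROLS)
        action = f"recommend {rec.name}" if rec else "accept or transfer residual risk"
        print(f"{p.asset.name} / {p.threat}: SLE={p.sle():,.0f} ALE={p.ale():,.0f} -> {action}")
```

With these constructed figures the fire pairing is the one where no control pays for itself (the backups cost more per year than the ALE they remove), which is exactly the case slide 17 has in mind when it says residual risk can be accepted or transferred rather than mitigated.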

  19. Risk management cycle (diagram, modified from Len Watts, U.K., Computer Security Risk Management Model Builders). Cycle drivers (start here): Changing Requirements; Changing Systems; Changing Environment. Threats exploit Vulnerabilities, which increase Risks; Countermeasures protect against Threats and reduce Vulnerabilities and Risks; Risks expose Assets to a loss of Confidentiality, Integrity & Availability, causing Business Impacts; Uncertainty increases Risks and is limited by Risk Analysis.

  20. 2. Information Security Program - Protection of an organization’s information assets. Purpose - The preservation of the “confidentiality, integrity, and availability” (CIA) of information. Can add utility and authenticity.

  21. Purpose: A Secure Enterprise • Protection of Assets • Protection of Goodwill • Integrity of Applications and Data • Due Diligence • Protection of Employees, Shareholders, Partners, Clients Security

  22. Eight Steps 1. Management Sponsorship and Support 2. Organize and Define the Scope 3. Risk Analysis 4. Policies and Procedures 5. Controls 6. Security Breach Reporting and Investigation 7. Awareness Training 8. Monitor and Test Security

  23. The Bad Guys • Competitors • Employees (58 - 80%) • Foreign Governments • Political Activists • Professional Spies Security Reprinted from Cohen & Assc Presentation

  24. Why Do They Attack? • Testing • Coercion • Military Advantage • Economic Advantage • Evidence • Money • Fun/Challenge • Vengeance • Mental Instability • Religious/Political Beliefs • Self-Defense Security

  25. Some Hacker Tools / Types of Attacks • Antagonism • Denial of Service • Invasion of Privacy • System Modification • Logic Bombs • Trojan Horses • Worms • Viruses • Malicious Mobile Code • Over 1900 Web Sites (Free Hacking Tools). Some Defense Tools • Virus Detection • Access Control • Firewalls • Dial-back Modems • Token-based Password • Public Cryptography • Biometrics

  26. Internet • Older than… “Pong”, Digital Watches, IBM PC, Disco, Microsoft, Current Concept of “Hackers” • +12M Hosts, 120M Users (70M USA), 12% Growth a Month • 1 Billion users by 2005, 66% abroad • New Web Site every 4 seconds • Electronic Commerce - Single Sites Over 100,000 Requests a Day • +80% Web Sites Mobile Code Enabled • +90% EC Applications use Mobile Code • -50% Major Organizations w/Internet Use Firewall

  27. Damage - Average cost of computer break-ins: +$136K. Of companies hit by viruses and espionage, most can't estimate the value of the damage. (Chart reprinted from Information Week)

  28. Paradox - IT Managers Surveyed by E&Y • Security of Internet Connections: 62% Satisfied, 38% Not Satisfied • Would Increase Important Transactions if Security were Enhanced: 73% Yes, 27% No

  29. Increasing Need for Security • Most Fortune 500 Companies Penetrated by Cybercriminals • 17% of Intrusion Victims Report to Authorities • FBI Estimate - $10B a year in Electronic Crimes • Increasing Scams: +100,000 Investors Victim to Phony Web Sites (high-tech revolutionary devices; partnership with Microsoft; Initial Public Offering with the SEC) • Tens of Thousands of Probing Attacks against Pentagon annually; Origin of Attacks Camouflaged through other Countries • DISA Vulnerability Testing

  30. Some Road Blocks to Security • Lack of Sufficient Budget • Lack of Resources - Management Support, Staff • Lack of Awareness • Lack of Tools Security

  31. Knowledge Base Needed (CISSP) • Access control • Telecommunications and network security • BCP • Security management practices – policies, standards, control of risk, information classification, security awareness, organizational architecture, policy development, risk management • Security architecture and models • Law, investigation, and ethics

  32. Knowledge Base Needed (CISSP) (cont'd) • Application and system development security • Cryptography • Computer operations security • Physical security – threats and facility requirements, personnel physical access control, microcomputer physical security. “. . . information protection is not a simple matter, and it cannot be addressed from a single perspective. It is a pervasive problem that must be pursued in a holistic manner in order to provide its benefits.”

  33. Security process cycle (diagram): Define Environment & Assets; Risk Analysis; Policies, Stds, Procedures; Design & Implementation; Security Administration; Monitoring & Audits

  34. The Process (diagram): Define Environment & Assets; Risk Analysis & Assessment; Policies, Stds, Procedures; Design & Implementation; Awareness & Administration; Monitoring, Testing & Audits

  35. BCP 3. Business Continuity Program BCP - Spells out what, who, how, and when for a quick and smooth restoration of critical operations after a catastrophic disruptive event, minimizes losses, and eventually returns to business as normal.

  36. A Rose by Any Other Name . . . Business Resumption Plan Disaster Recovery Plan Crisis Management Plan Contingency Plan Business Continuity Plan BCP

  37. Goals • Identify weaknesses and implement a disaster prevention program • Minimize the duration of a serious disruption to business operations • Facilitate effective co-ordination of recovery tasks; and reduce the complexity of the recovery effort BCP

  38. Sources of Interruptions are Numerous • Natural: Tornadoes, Floods, Fires . . . • Human: Terrorist Attacks . . . • Most Frequent (Less Sensational): Equipment Failure, Theft, Employee Sabotage . . .

  39. Twelve Steps 1. Pre-planning (Senior Mgmt Commitment/Support, Policies) 2. Risk Analysis 3. Business Impact Analysis 4. Identify Resources and Requirements Needed 5. Emergency Response 6. Coordination with Public Authorities 7. Public Relations and Crisis Communications 8. Strategic Alternatives 9. Plan Development/Implementation 10. Testing/Exercises 11. Awareness 12. Maintenance BCP

  40. Business Impact Analysis (BIA) • Foundation of BCP • Establishes the value of each major organizational function as it relates to the whole • Provides the basis for identifying the critical resources required to develop a business recovery strategy. • Establishes priority for restoring the functions of the organization in the event of a disaster. BCP

  41. Impacts • Revenue • Legal - fines, penalties • Goodwill, Client & Stockholder Confidence. Note: Losses May not be Dollars.

  42. Six Steps to BIA 1. Identify the Critical Business Functions 2. Prioritize These Functions 3. Identify Dependencies and Resources Needed 4. Identify Points of Failure for Each Function 5. Estimate Probable Impact of Loss for Each Point of Failure 6. Determine if a Contingency Plan is Required BCP
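The six BIA steps of slide 42 walked through on a small constructed set of business functions and the resources they depend on. This is an added example, not from the presentation: the functions, resources, impact ratings and the decision rule in step 6 (a contingency plan is required when a high- or medium-impact function rests on a resource with no alternate) are assumptions made for illustration. Impacts are kept qualitative, in keeping with slide 41's note that losses need not be dollars.

```python
"""Business Impact Analysis worked through in code.

Added example, not from the presentation. It walks the six BIA steps of
slide 42 over a constructed set of business functions and the resources
they depend on. The step 6 rule (high or medium impact plus at least one
point of failure means a contingency plan is required) is an assumption
made for this example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

IMPACT_RANK = {"high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Resource:
    name: str
    redundant: bool  # True when a standby, alternate site or second supplier exists


@dataclass(frozen=True)
class Function:
    name: str
    impact: str                       # impact of losing the function: high / medium / low
    depends_on: Tuple[Resource, ...]  # resources the function cannot run without


def prioritize(functions: Iterable[Function]) -> List[Function]:
    """Step 2: order critical functions by impact, highest first (ties by name)."""
    return sorted(functions, key=lambda f: (-IMPACT_RANK[f.impact], f.name))


def dependencies(functions: Iterable[Function]) -> Dict[str, List[str]]:
    """Step 3: map each resource to the functions that need it."""
    out: Dict[str, List[str]] = {}
    for f in functions:
        for r in f.depends_on:
            out.setdefault(r.name, []).append(f.name)
    return out


def points_of_failure(fn: Function) -> List[Resource]:
    """Step 4: resources with no alternate; losing any one of them stops the function."""
    return [r for r in fn.depends_on if not r.redundant]


def impact_of_losing(resource: Resource, functions: Iterable[Function]) -> str:
    """Step 5: worst impact among functions for which this resource is a point of failure."""
    hit = [f for f in functions if resource in points_of_failure(f)]
    if not hit:
        return "none"
    return max(hit, key=lambda f: IMPACT_RANK[f.impact]).impact


def needs_contingency_plan(fn: Function) -> bool:
    """Step 6 (assumed rule): high or medium impact plus at least one point of failure."""
    return IMPACT_RANK[fn.impact] >= IMPACT_RANK["medium"] and bool(points_of_failure(fn))


def bia_report(functions: Iterable[Function]) -> List[dict]:
    """One row per function, in priority order, with the step 4-6 findings."""
    return [
        {
            "function": f.name,
            "impact": f.impact,
            "points_of_failure": [r.name for r in points_of_failure(f)],
            "contingency_plan_required": needs_contingency_plan(f),
        }
        for f in prioritize(functions)
    ]


# Constructed sample: step 1, the critical functions and what they run on
PAYROLL_SERVER = Resource("payroll server", redundant=False)
WAN_LINK = Resource("WAN link", redundant=True)
EMAIL = Resource("email service", redundant=True)
BUILDING_A = Resource("building A", redundant=False)

FUNCTIONS = [
    Function("internal newsletter", "low", (EMAIL,)),
    Function("payroll", "high", (PAYROLL_SERVER, WAN_LINK)),
    Function("customer support", "medium", (EMAIL, WAN_LINK, BUILDING_A)),
]

if __name__ == "__main__":
    for row in bia_report(FUNCTIONS):
        print(row)
    for name, users in dependencies(FUNCTIONS).items():
        print(f"{name}: needed by {', '.join(users)}")
```

The report comes out in priority order with payroll and customer support each flagged for a contingency plan (one unduplicated resource apiece) and the newsletter not flagged, which is the kind of output slide 40 describes as the basis for restoration priorities.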

  43. Failing to Test BCP

  44. Staying Current • Conduct BIA on planned periodic time or after major change • Make sure a plan is included for each critical function that has a critical impact on mission accomplishment • Continue to test and evaluate plans at least once a year • Keep personnel responsibilities up to date and test for readiness • Involve key personnel in operational planning BCP

  45. Knowledge Base Needed (CRP, CBCP) • Project initiation and management • Risk evaluation and control • BIA • Developing business continuity strategies • Emergency response and operations • Developing and implementing business continuity plans • Awareness and training programs • Maintaining and exercising business continuity plans • Public relations and crisis communications • Coordination with public authorities BCP

  46. BCP process cycle (diagram): Scope/Maintenance; BIA; Strategic Alternatives, Teams; Plan Development, Implementation; Testing; Awareness

  47. Importance of IRM (charts: Financial Losses Reported; Policy Elements)

  48. Process (overview diagram): Obtain Sr. Mgmt Buy-in, Support; Assign Roles and Responsibilities; Inventory Assets; Classify Information; Assess Risks. Then, in parallel: • Business Continuity Plan - BIA; BCP Teams; Requirements; BCP Development/Implementation; Testing; Awareness; Maintenance • Information Security Plan - Policies/Procedures; Incident Reporting/Investigation; Countermeasures; Awareness; Monitor/Audit

  49. Last Words “Risk is a part of every activity and can never be eliminated, nor can all the risks ever be known. Risk in itself is not bad; risk is often essential to progress. But we must learn to balance the possible negative consequences of risk [to assets] against the potential benefits of its associated opportunity.” (“Risk Management in Practice,” SEI Technical Review) Go ahead and take risks… just be sure that everything will turn out. Disasters are inevitable . . . Survival isn't . . .
