
COMP3357 Managing Cyber Risk

Richard Henson University of Worcester April 2018. COMP3357 Managing Cyber Risk. Week 11: Risk Assessment for Business Continuity. Objectives: Create an asset register (protected through BCP) to include not just hardware but digital resources


Presentation Transcript


  1. Richard Henson University of Worcester April 2018 COMP3357 Managing Cyber Risk

  2. Week 11: Risk Assessment for Business Continuity • Objectives: • Create an asset register (protected through BCP) to include not just hardware but digital resources • Use theoretical principles of qualitative risk assessment to produce a risk register • Extend the risk register to include a realistic risk treatment plan that will mitigate the identified risk

  3. BCP for increasing competitiveness and gaining market share… • All about the business-to-customer relationship! • online environments (websites) • even physical environments (shops) • B2C now dependent on IT • need risk assessment, information assurance (expensive?) • BCP covers similar ground… (more cost-effective?)

  4. Variety of Physical Markets… • Retail parks (expensive but many customers) • High street shops (lower rent; fewer customers?) • Side street shops/street traders • Physical businesses STILL use IT to run their business (internal IT) • street traders market/sell online via website…

  5. Limits to Online Markets? • On-line B2C grows every year! • Different growth rates in different countries… • fastest rate in early years… US/Canada • fastest rate in 2016... UK! • driven by convenience • more technology… good for technology economy • 2020?

  6. Maintaining an Online Business Environment • With or without shop/market stall! • website - still expectation of 24/7 trading • Use Internal and External IT! • customers visit by the www • dependent on advertising and search engines • process, pick, dispatch orders

  7. The Organisation IT Boundary • Internal IT... process customer data • External IT… gather customer data • where is the internal/external boundary? (diagram: Internal IT (processing customer data) | External IT (customers))

  8. Engaging with the Online Environment • Several levels: • website separate from business own IT • website for advertising and enquiries only • website for online shopping • website integrated with rest of business IT • much larger development and maintenance operation • may be outsourced… • business needs to keep control of its data!

  9. Competition and Internal IT • Smooth IT operation pleases… • Suppliers • want to do business… not have their time wasted (!) • Existing customers • will return for more • will tell others…

  10. Threats to organisational data/systems… • Divides neatly into: • “internal”… employees • applies to all businesses • “external”… hackers • greatest exposure for online businesses • Consequences over and above “messed up” systems

  11. Messed up systems, Data Losses… (!) • System down? Not a good look! • Depending on which data a small business loses… • it may not be able to trade efficiently, or even at all! • worst case scenario: 10 days maximum to recover, or out of business

  12. Reality of IT and the Customer • External: On-line selling? • customer assumes that IT works perfectly • only takes notice when NOT working • Essential for B2C to (try to…) live up to customer expectations • if Information Assurance too difficult or expensive, BCP a good second choice

  13. External (hacking…) • Inside people or business partners accessing data from outside, and either accidentally or on purpose, misusing it • People hacking in from outside, usually via the Internet, possibly with help from inside

  14. Do “we” have a problem? • Perceptions “from the inside” quite different from “outside looking in”

  15. Internal IT and Competitors • Messed up operation… annoys… • Suppliers… find new partners • Customers… find new vendors • if it carries on, will ruin reputation! • Put own house in order! • Cannot successfully integrate internal & external IT if internal operation messed up (!)

  16. Internal Data Losses • Well-meaning employees not following procedures and misusing data or allowing it to get into the wrong hands…. • The same employees who could already be dealing with a “messed up” system • Employees or temps with bad intent…

  17. Valuing IT in a Business: The Digital Asset Register • Until recently, company “value” based on • physical assets (asset register) • number/quality of customers/partners • profit (and projections…) • What about digital data? • e.g. their data and data structures • not a physical asset… traditionally ignored!

  18. “The Asset Register” in a world dominated by IT • Concept of “digital assets” introduced to business via information assurance… • ISO27001 (2005 onwards…) • Essential in BCP (!) • Asset list (register) extended to include: • software (apps & system/platform) • data used with that software!

  19. Impact of Data Loss • Bad enough now(!) Nowhere to hide when GDPR comes in… • a personal data breach (e.g. of customer records) must be reported to the supervisory authority within 72 hours of becoming aware of it • Non-personal business data is not protected through GDPR • BUT if stolen, may ALSO lose trade secrets, supplier information, • not good for customer perception…

  20. ISO27001 & Risk Assessment • ISO 27001 is about developing and managing a system to manage information security… • informing an organisation which incidents could occur (i.e. assess the risks) • assessing the relative importance of each risk so the organisation can treat the most important (i.e. prioritise the risks) • then find the most appropriate ways to avoid such incidents (i.e. treat the risks)

  21. Risk Assessment Stages • Two distinct processes involved (different skill-sets): • identification and assessment of the risks (risk assessment) • selection and justification of countermeasures to manage those risks (risk management).

  22. Information Risk… • Applying the process to information risks, it becomes: • identifying and evaluating the information security risks associated with a computer system or telecommunications network • nominating and justifying security countermeasures for the identified risks

  23. Identifying the Risks • Effective Infrastructure: hardware, software, people working together with minimum downtime • BUT attacker tools: packet interception, eavesdropping, hacking, insertion of malware, compromising authorised users, theft of documentation, etc. • Risks, Threats, Vulnerabilities to digital assets need to be identified…

  24. BCP and ISO27001 • ISO27001 about systems & continuous improvement • Provides: Risk Assessment Methodology (rules) • what will be the acceptable level of risk, etc. for each digital asset? • choose qualitative or quantitative risk assessment… • all employees should follow agreed method

  25. An Information Asset Register • Companies typically aware of only 30% of their risks! • Developing an asset register at least raises awareness… • list assets • list threats and vulnerabilities related to those assets

  26. Using the Register • Identify impact and likelihood for each combination of assets, threats, vulnerabilities • finally calculate the level of risk

  27. Risk Treatment Plan (RTP) • four ways to treat unacceptable risks (continued on next slide): • modify: apply ISO27001 “Annex A” security controls to decrease risks • transfer the risk to another party • e.g. an insurance company (buy an insurance policy)

  28. RTP (cont…) • Avoid… • stop doing an activity that is too risky • do the activity in a completely different fashion • Accept the risk… • if the cost of mitigation is higher than the damage itself!

  29. RTP: Economics • Risk Treatment plan… how to decrease the risks with minimum investment? • Strategy: • management will reduce budget… (!) • achieve the same result with less money • need to figure out how!?! • ask for more than minimum in the first place?! • use report (next slide) to support your case

  30. Report (for auditors and management) • ISMS Risk Assessment Report • All risk assessment activities compiled into readable documentation • for the auditors… • internal, for future reference – how are we doing? checking!

  31. Statement of Applicability (SoA) • Shows security profile of the company… • based on the results of the risk treatment • Lists implemented controls, why implemented, how implemented • important for the audit (!) • For details about the SoA, see “Statement of Applicability for ISO 27001”.

  32. RTP Ready to go? • Creating the plan is a “journey”… • Start: not knowing how to setup your information security • Finish: having a very clear picture of what is needed for implementation

  33. Putting RTP into practice • Management approval needed • will take considerable time and effort (and money) to implement all the controls • who (is going to implement each control) when, with which budget, etc.

  34. RTP: Gathering Risk Assessment Data • Requirements: • figuring out all the threats to the organisation’s data • cataloguing all hardware and software in the organisation into a Risk Register • although hardware may apparently be irrelevant to information management, it needs identifying so it can be appropriately categorised in the risk register! • http://www.computerworld.com/article/2723652/it-management/how-to-do-a-risk-assessment-for-iso-27001.html • http://www.computerweekly.com/tip/A-free-risk-assessment-template-for-ISO-27001-certification

  35. 1. Threats to Organisational Data • Outsiders: • hackers • competitors • Insiders: • employees with bad intent • dopey employees • either of above working with outsiders

  36. 2. Information Assets & Risk • Information Assets • data required to keep business functioning • need hardware and software to be useful! • these also carry risk • Once identified… • need to be categorised into rank order • according to how well (or not…) the organisation would survive without them

  37. The Information Asset Register (ISO27001) • List of information assets… • List of related assets… • infrastructure needed to maintain each/all asset(s) • can be non-computer hardware (e.g. cooling/ventilation system for servers) • equipment to counteract effects of natural disasters (e.g. flood defences)

  38. System Vulnerabilities • Ways that assets can be compromised • unpatched applications and/or operating systems • user accounts with poorly protected passwords • users unaware of hacker “phishing” and other social engineering tactics

  39. Qualitative: Risk to Assets • Previous sessions… • establish criteria for assessment of information assets • e.g. value on black market • use the criteria to categorise as H, M, L

  40. Quantitative: Calculating Risk to Information Assets • Simple formula • likelihood of loss (1-10) x impact (also 1-10) • bigger score, bigger risk! • strictly a semi-quantitative score: the 1-10 scales are ordinal ratings, not monetary values, so scores rank risks against each other but do not add up to a loss figure • Can be ranked accordingly • along with hardware/software to maintain each asset

  41. To Mitigate or Accept a Risk? • Risk Register should contain all potential risks… • H, M, L categorisation and/or impact assessment score should indicate the main dangers • Need to choose whether to do something or accept the risk… • even for L assets
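The register, scoring, H/M/L banding and treatment choice described on slides 25-28 and 36-41, as an added worked example in Python (not code from the lecture or the course). Everything in it is an assumption for the demonstration: the asset names, threats, vulnerabilities, 1-10 scores, the H/M/L thresholds (40 and 15), the risk appetite (15), the cost figures and the rule that maps a risk to modify/transfer/avoid/accept. Two checks a practitioner would want are built in: a risk that names an asset missing from the asset register is rejected, and an asset inherits the worst band of the infrastructure it depends on.

```python
"""Minimal ISO 27001-style risk register (added worked example, not from the
slides). Score = likelihood (1-10) x impact (1-10), as on slide 40. The assets,
threats, scores, H/M/L thresholds, appetite and treatment rule are assumed."""
from dataclasses import dataclass
from typing import List, Optional

HIGH_MIN, MEDIUM_MIN = 40, 15   # assumed H/M/L bands on the 1..100 score range


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str               # "data", "software", "hardware" or "supporting"
    depends_on: tuple = ()  # related assets this one is useless without (slide 37)


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                       # 1 (rare) .. 10 (near certain)
    impact: int                           # 1 (negligible) .. 10 (out of business)
    control_cost: Optional[int] = None    # price of the Annex A control, if known
    expected_loss: Optional[int] = None   # cost of the incident, if known
    insurable: bool = False

    def score(self) -> int:
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 10:
                raise ValueError("likelihood and impact must be 1..10")
        return self.likelihood * self.impact


def band(score: int) -> str:
    return "H" if score >= HIGH_MIN else "M" if score >= MEDIUM_MIN else "L"


def treatment(risk: Risk, appetite: int) -> str:
    """Pick one of the four options on slides 27-28 (assumed decision rule)."""
    if risk.score() < appetite:
        return "accept"                   # within appetite: record it, do nothing
    priced = risk.control_cost is not None and risk.expected_loss is not None
    if priced and risk.control_cost > risk.expected_loss:
        # control costs more than the damage: insure it if possible, else stop the activity
        return "transfer" if risk.insurable else "avoid"
    return "modify"                       # apply a control to cut likelihood or impact


def build_register(assets: List[Asset], risks: List[Risk], appetite: int) -> List[dict]:
    """Validate, score, rank (highest first) and assign a treatment to every risk.
    A risk naming an asset absent from the asset register is rejected (slides 25/34)."""
    names = {a.name for a in assets}
    rows = []
    for r in risks:
        if r.asset not in names:
            raise KeyError(f"risk refers to unregistered asset {r.asset!r}")
        s = r.score()
        rows.append({"asset": r.asset, "threat": r.threat, "vuln": r.vulnerability,
                     "score": s, "band": band(s), "treatment": treatment(r, appetite)})
    rows.sort(key=lambda row: row["score"], reverse=True)
    return rows


def inherited_band(asset_name: str, assets: List[Asset], rows: List[dict]) -> str:
    """Worst band across an asset and everything it depends on: an L-rated web
    shop running on an M-rated server is really an M (slides 36-37)."""
    by_name = {a.name: a for a in assets}
    rank = {"L": 0, "M": 1, "H": 2}
    worst, todo, seen = "L", [asset_name], set()
    while todo:
        n = todo.pop()
        if n in seen:
            continue
        seen.add(n)
        for row in rows:
            if row["asset"] == n and rank[row["band"]] > rank[worst]:
                worst = row["band"]
        todo.extend(by_name[n].depends_on)
    return worst


# Constructed sample data for a small online retailer (not from the page).
ASSETS = [
    Asset("customer_orders_db", "data", depends_on=("web_shop", "db_server")),
    Asset("web_shop", "software", depends_on=("db_server",)),
    Asset("db_server", "hardware", depends_on=("server_room_cooling",)),
    Asset("server_room_cooling", "supporting"),
]
RISKS = [
    Risk("customer_orders_db", "external attacker", "unpatched web application",
         likelihood=7, impact=9, control_cost=2000, expected_loss=50000),
    Risk("customer_orders_db", "careless employee", "no phishing awareness training",
         likelihood=6, impact=6, control_cost=500, expected_loss=10000),
    Risk("db_server", "disk failure", "no tested backup", likelihood=3, impact=8),
    Risk("server_room_cooling", "cooling unit failure", "single unit, no alarm",
         likelihood=2, impact=8, control_cost=15000, expected_loss=4000, insurable=True),
    Risk("web_shop", "competitor price scraping", "public catalogue", likelihood=8, impact=1),
]
RISK_APPETITE = 15   # assumed: anything scoring below this is accepted as-is

if __name__ == "__main__":
    register = build_register(ASSETS, RISKS, RISK_APPETITE)
    for row in register:
        print(f"{row['score']:3d} {row['band']} {row['treatment']:8s} "
              f"{row['asset']}: {row['threat']} / {row['vuln']}")
    print("web_shop inherited band:", inherited_band("web_shop", ASSETS, register))
```

Run it and the register prints highest score first with the chosen treatment beside each row. Note that web_shop scores L on its own row but inherits M from the db_server and cooling unit it depends on, which is exactly why slide 37 insists that supporting hardware goes in the register even though it holds no information itself.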

  42. Asset Register and Risk Treatment • “Risk Treatment” now an accepted part of information risk management • risk assessment/management finishes with completed risk treatment plan • shows how each of the risks regarded as significant will be mitigated • Essential for effective BCP (next week…)
