Information Security Risk Management
Working Pages for the EDUCAUSE Security Conference
Information_Security_Risk_Management:Overarching Themes
Information_Security_Risk_Management:Presentation Abstract
Information_Security_Risk_Management:Audience Participation Ideas
Information_Security_Risk_Management:True Stories
Definitions
- Risk: a problem that has not happened yet (there are no problems in the life of a risk manager).
- Risk: a potential occurrence that can negatively impact an individual, process, system, facility, etc.
- Risk: the chance of a negative outcome occurring.
- Risk: "exposure to the chance of injury or loss; a hazard or dangerous chance" (Dictionary.com).
- Risk: in professional risk assessments, risk combines the probability of an event occurring with the impact that event would have and with its different circumstances.
- Risk: the existence of a threat associated with a vulnerability. If there is no threat, is there risk? If there is no vulnerability, is there risk?
A problem is a risk with probability=1 (i.e. if a risk event is actively occurring, it has transitioned from a risk to a problem)
Risk Statement: a statement of the conditions and consequences that can be traced to an undesirable outcome; the conditions may involve threats, vulnerabilities, environment, etc.
(Brad) - I don't get the above definition - are you just trying to separate a risk from the description of a risk??
Risk Assessment: The process of identifying risks and their potential impacts. It often includes remediation recommendations, but this is not a required component of assessment.
Risk Management: The ongoing process of identification, analysis, remediation, tracking, and communication of risks
Definitions of Risk Analysis, Assessment, Audit, Monitoring, and Management (Source: Gartner, July 2005):
IT organizations must be aware that the methodologies and technologies they use may already be applied elsewhere in the organization and that, at the same time, IT itself is part of the overall examination (for example, IT risks are part of operational risk assessments). On the other hand, when IT organizations incorporate a business perspective in their examination procedures using the same terms for different things, or using different terms for the same thing, inevitable misunderstandings occur. Thus, IT organizations cannot use terms such as "analysis," "audit" or "assessment" freely, especially because these terms have been in use in the business world for decades.
Analysis: An analysis examines a given situation, checking for obvious deficits according to professional experience or even common sense. The examination can be structured and repeatable, but it is not standardized. Its purpose is to get a better understanding of the problem. Results have to be interpreted. "Review" is a term similar to analysis. An IT security "penetration test" is an analysis whose mere purpose is to identify if a perimeter can be penetrated or not. An IT security "vulnerability scan" is an analysis which identifies flaws, but determining if such a flaw really poses a problem for the organization is left to a subsequent step.
Assessment: An assessment goes further than an analysis, as it includes some sort of valuation by quantifying the results of the examination. An assessment not only identifies a problem, but also describes how much of a problem it is. A related term in IT security is "vulnerability assessment." As an extension of a "vulnerability scan," a "vulnerability assessment" sets the results of a scan into the context of the organization and assigns an urgency level. In general, an assessment uses a structured approach, is repeatable and describes the level of a problem, but it cannot be compared with other assessments outside of the organization as long as the structure of the assessment and the metrics used to quantify the results are not standardized.
Audit: An audit compares a given situation with some sort of standardized situation. This can be an external standard (for example, a law or an industry standard) or an internal one (that is, a policy document that describes how it should be). It does not make sense to audit against best practices, because best practices are not described in a formal way. The results of an audit explain how much reality deviates from an expected or required situation. Documents, processes, programs and organizations can all be subject to an audit. A related term to audit is "measurement" (as in "risk measurement").
Monitoring: Monitoring is an operational activity, which introduces the notion of time. Whereas the previous activities are snapshots at any given point in time (though these snapshots can be repeated), the process of monitoring is ongoing. Proper monitoring requires an established framework to be able to show trends and to repeat activities consistently and efficiently. Monitoring goes beyond the description of a situation; it already includes potential response steps.
Management: Management is the most comprehensive, most valuable and most expensive way of dealing with problems. It involves the steps of understanding the situation (analysis), determining the extent of the problem (assessment), standardizing the examination (audit), and continuing these activities over time (monitoring). Moreover, it adds the components of remediation, initiating and tracking changes, and also includes the necessary communication within the organization (workflow). It is a strategic activity.
How do we know we are doing risk management?
- Establish standards for tolerable levels of risk and acceptable methods of risk reduction
- Integrate risk assessment into new projects/development
- Assess risk of existing processes and systems on a periodic basis
- Develop risk reduction plan for any unacceptable risks
- Implement risk reduction plan
- Verify that risk reduction has resulted in acceptable risk level
- wash, rinse, repeat (i.e. all of the above are done on an on-going basis)
Running Towards Risk: all successful projects have taken some risk. Effective risk managers run towards "speculative risk", where the trade-off is between a gain and a loss (e.g. in gambling). Hazard risk is the type of risk seen in safety and mission-assurance work, and is often framed as the simple avoidance of loss, where no gain is to be directly achieved.
Risk Characteristics:
- source
- probability
- impact
- timeframe
- dependencies
Risk Action:
- watch
- accept
- research
- mitigate
Types of IT Risk:
- Business risk--not achieving business goals and objectives.
- Audit risk
*Inherent risk
*Control risk
*Detection risk
- Security risk--both physical and logical
- Continuity risk--includes availability, redundancy, and recoverability
Critical Administrative/Business Processes in the University Setting (Brad)
Security Risks in critical business processes (from the original outline)
- Define scope (entire organization, one department/unit,etc)
- Identify business functions within scope
- Prioritize these functions by criticality and/or tolerance for problems
- Identify any direct risks
- Identify dependencies (both total and partial)
- Identify dependency risks
How these risks are being fleshed out.
Common Risks Seen
Operational Risk Management (Tom)
Chris Alberts has a nice paper from 2006 discussing operational risk. Operational Risk: the potential failure to achieve mission or business objectives.
Steps for risk management:
1) Develop an asset inventory (what do you want to protect).
2) Identify threats and vulnerabilities for the identified assets.
3) Determine the expected value of the risk.
Internal vs External Assessments
- 2006 ECAR Case Study 4 "IT Security Risk Assessment at Baylor"
* full enterprise scope
* outside vendor
* multiple-year agreement
* 50-page executive summary
* 350 pages of technical issues (vulnerabilities) to address
* administrativa!
- 2005 Case Western Reserve University
* two external vendor engagements: Sun and Microsoft
* selected subsets of the IT enterprise: UHS and Dental School
* large document reports
* needed translation to affected end-users
* cost effectiveness hindered follow-on
Assessment Methods
- involve end-users (they will be the impact measure)
- lightweight enough to have a high frequency repetition cycle (e.g. monthly)
Measuring Risk:
- Simple: Expected Value = Estimated Loss x Likelihood of Loss (likelihood expressed as a probability)
- Complex: Single Loss Expectancy (SLE) = EF x AV, where EF = Exposure Factor and AV = Asset Value; Annual Loss Expectancy (ALE) = SLE x ARO, where ARO = Annual Rate of Occurrence
Exposure Factor (EF): "The Exposure Factor represents the percentage of loss that a realized threat could have on a specific asset [when the specific threat matches up with a specific vulnerability]." Or: the proportion of an asset's value that is likely to be destroyed by a particular risk, expressed as a percentage. For example, if the value of a building would be reduced from $1,000,000 to $250,000 by a fire, the exposure factor for the risk of fire to the building is 75%. "A threat is a single event that has the potential to cause damage to an asset. The threat usually [manifests itself] through [a] vulnerability in the information system." (From the StrongBox Security™ Web site.) A vulnerability is a known or unknown weakness that can be exploited by any number of known or unknown threats.
Asset Value (AV) = hardware + communications software + proprietary software + data. "One can measure an informational asset's value by estimating the development, purchasing, licensing, supporting and replacement costs associated with the resource. Value can also be measured [from an] organizational [as well as] an external market [perspective]."
Single Loss Expectancy (SLE) = EF x AV. "In the end, risk is evaluated in terms of money. This is true even if life is lost; in the case of loss of life, it may be a lot of money. For any threat we have defined, we take the value of assets at risk and multiply that by how exposed they are. This yields the expected loss if we were to get clobbered by the threat. This is called the single loss expectancy (SLE)."
Annual Loss Expectancy (ALE) = SLE x ARO. "The Annual Loss Expectancy is the annually expected financial loss to an asset resulting from one [specific] threat."
Annual Rate of Occurrence (ARO): "The Annual Rate of Occurrence (ARO) is the estimated number of times a threat on a single asset is estimated to occur. The higher the risk [associated to the threat] the higher the Annual Rate of Occurrence." For example, if insurance data suggests that a serious fire is likely to occur once in 25 years, then the annualized rate of occurrence is 1/25 = 0.04.
Networked Effect (Cascading Threat Multiplier): the CTM factors into the risk calculation the importance of other critical assets networked to the asset being analyzed. Look at the bigger picture when considering the risks associated with the compromise of a given asset: the loss from compromising one asset usually includes part of the value of everything that depends on it.
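The SLE/ALE arithmetic above, carried through the page's fire scenario and extended to dependent assets, as an added example (this is editor-written code, not material from the page, the conference, or any vendor). The cascade model (a dependent asset is exposed by the exposure that reached its parent times a pass-through share on the dependency edge), the campus inventory, the $10,000/year suppression control, and the "control pays off when the ALE it removes exceeds its cost" rule are all assumptions for illustration.

```python
"""SLE = EF x AV and ALE = SLE x ARO, plus an assumed dependency-aware cascade
and a before/after comparison of a control. Added example; the cascade model,
the sample inventory and the cost-benefit rule are assumptions, not the page's."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    value: float  # AV, in dollars
    # (dependent asset name, share of this asset's loss passed on to it).
    # ASSUMED model of the page's "cascading threat multiplier".
    dependents: list = field(default_factory=list)


def sle(ef: float, av: float) -> float:
    """Single Loss Expectancy: exposure factor times asset value."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be a fraction in [0, 1]")
    return ef * av


def ale(single_loss: float, aro: float) -> float:
    """Annual Loss Expectancy: loss per event times expected events per year."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return single_loss * aro


def cascading_sle(assets: dict, root: str, ef: float) -> float:
    """SLE for one threat on `root`, plus the loss on everything depending on it.

    ASSUMPTION: a dependent is exposed by (EF reaching its parent) x (pass-through
    share on the edge). Each asset is counted once, at the largest exposure that
    reaches it, so a shared dependency is not double counted.
    """
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be a fraction in [0, 1]")
    exposure = {}            # asset name -> largest EF that reached it
    todo = [(root, ef)]
    while todo:
        name, e = todo.pop()
        if e <= exposure.get(name, 0.0):
            continue         # already seen at this exposure or worse
        exposure[name] = e
        for dep, share in assets[name].dependents:
            todo.append((dep, e * share))
    return sum(assets[n].value * e for n, e in exposure.items())


def control_pays_off(ale_before: float, ale_after: float, annual_cost: float) -> bool:
    """ASSUMED decision rule for the 'verify acceptable risk level' step: a control
    is worth buying when the ALE it removes exceeds what it costs per year."""
    return (ale_before - ale_after) > annual_cost


# Constructed sample inventory (not real data): a data centre with two services
# that partly depend on it, and a portal that depends entirely on the SIS database.
CAMPUS = {
    "datacenter": Asset("datacenter", 1_000_000, [("sis_db", 0.5), ("lms", 0.25)]),
    "sis_db": Asset("sis_db", 400_000, [("registrar_portal", 1.0)]),
    "lms": Asset("lms", 150_000),
    "registrar_portal": Asset("registrar_portal", 100_000),
}


def fire_example() -> dict:
    """The page's fire scenario (EF 75%, ARO 1/25) run through all three views."""
    aro = 1 / 25                                   # once in 25 years
    building_sle = sle(0.75, CAMPUS["datacenter"].value)
    before = cascading_sle(CAMPUS, "datacenter", 0.75)
    # Hypothetical control: a suppression system cuts EF to 25% for $10,000 a year.
    after = cascading_sle(CAMPUS, "datacenter", 0.25)
    return {
        "building_sle": building_sle,              # 750,000
        "building_ale": ale(building_sle, aro),    # 30,000
        "cascading_sle": before,                   # 965,625
        "cascading_ale": ale(before, aro),         # 38,625
        "mitigated_ale": ale(after, aro),          # 12,875
        "buy_control": control_pays_off(ale(before, aro), ale(after, aro), 10_000),
    }


if __name__ == "__main__":
    for key, val in fire_example().items():
        print(f"{key:>14}: {val:,.2f}" if isinstance(val, float) else f"{key:>14}: {val}")
```

The building-only figures reproduce the page's numbers (SLE $750,000, ALE $30,000); the cascade roughly adds a third again once the services that sit in that building are counted, which is the point of the "networked effect". Note that the result is only as good as the EF and ARO estimates feeding it: for rare, high-impact events the ARO is usually a guess, so record the assumptions next to the number rather than letting the dollar figure look more precise than its inputs.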
Common Assessment Errors
- availability heuristic (likelihood judged by how readily examples come to mind)
- anchoring heuristic (people stick with initial impressions, e.g. "it is a botnet")
- framing effects (risk identification shaped by how information is presented, e.g. by a tool)
- blind obedience (stop thinking when confronted with an authority)
- premature closure (several alternatives are not pursued)
These can be useful shortcuts, but may lead to incorrect conclusions and expenditures in terms of efforts and controls.
The source reference for this material: Donald A. Redelmeier, MD, "The Cognitive Psychology of Missed Diagnoses," Ann Intern Med. 2005;142:115-120.
Common Risks Seen in Academia
- FERPA data on faculty laptops
- new projects risks: contracts, vendor agreements
- third-party vendors and sensitive data
- state-by-state disclosure laws
- departments or individuals (e.g. research unit) deploying a service external to infrastructure or controls
- the least technically astute (most vulnerable) users are handling the most sensitive information; resource focus and distribution should go to the highest-priority processes
- treatment of all systems by a department to the lowest common denominator vs. sensitive data handling
- test system compromise
- vendor systems on the network compromised but re-ghosted to a vulnerable image
- Incomplete or insufficient systems administration as a source of security vulnerability (underlies the discussion of the true/total cost of IT)
Security Risk Management in the Systems Life Cycle
References
Probabilistic Risk Assessment and Management for Engineers and Scientists, Kumamoto, Hiromitsu; Henley, Ernest, IEEE Press, New York, 1996.
Six Thinking Hats; De Bono, Edward, Back Bay Books, New York, 1999.
I Am Right, You Are Wrong; De Bono, Edward, Viking Press, Great Britain, 1990.
Factor Analysis of Information Risk; Jones, Jack A. A financial look at risk analysis.
Waltzing with Bears: Managing Risk on Software Projects; DeMarco, Tom; Lister, Timothy, Dorset House, 2003.
NIST Special Publication 800-64, "Security Considerations in the Information System Development Lifecycle", http://csrc.nist.gov/publications/nistpubs/800-64/NIST-SP800-64.pdf
CERT OCTAVE Risk Assessment Process, http://www.cert.org/octave
NASA Continuous Risk Management Process, http://crm.nasa.gov
COBIT, from ISACA.