managing and mitigating risk to your organization’s critical assets.
• Risk assessment provides the information necessary to decide on the best procedural, administrative, and technical controls.

Security Requirement Questions
• Three important questions:
  – What are your critical assets?
  – How are these assets threatened?
  – What can we do to counter those threats?
• Assets may be anything (e.g., network, servers, applications, data centers, tools, etc.) within the organization.

Security Management
Definition: security management is the formal process of answering the security requirement questions, ensuring that critical assets are sufficiently protected in a cost-effective manner.
Tasks:
  – Determining security objectives and risk profile
  – Performing security risk assessment of assets
  – Selecting, implementing, and monitoring controls
• Numerous national and international standards have been published.
• These standards represent a consensus on the best practice in the field of security management.
• The International Standards Organization (ISO) has revised and established a number of these standards as the ISO 27000 series.

ISO 27000 Security Standards
ISO27000: a proposed standard which will define the vocabulary and definitions used in the 27000 family of standards.
ISO27001: defines the information security management system specification and requirements against which organizations are formally certified. It replaces the older Australian and British national standards AS7799.2 and BS7799.2.
ISO27002 (ISO17799): currently published and better known as ISO17799, this standard specifies a code of practice detailing a comprehensive set of information security control objectives and a menu of best-practice security controls. It replaces the older Australian and British national standards AS7799.1 and BS7799.1.
ISO27003: a proposed standard containing implementation guidance on the use of the 27000 series of standards following the “Plan-Do-Check-Act” process quality cycle. Publication is proposed for late 2008.
ISO27004: a draft standard on information security management measurement to help organizations measure and report the effectiveness of their information security management systems. It will address both the security management processes and controls. Publication is proposed for 2007.
ISO27005: a proposed standard on information security risk management. It will replace the recently released British national standard BS7799.3. Publication is proposed for 2008/9.
ISO13335: provides guidance on the management of IT security. This standard comprises a number of parts. Part 1 defines concepts and models for information and communications technology security management. Part 2, currently in draft, will provide operational guidance on ICT security. These replace the older series of 5 technical reports ISO/IEC TR 13335 parts 1-5.

Steps of the Security Management Process
• determining the organization’s IT security objectives, strategies, and policies.
• performing an IT security risk assessment that analyzes security threats to IT assets within the organization, and determines the resulting risks.
• selecting suitable controls to cost-effectively protect the organization’s IT assets.
• writing plans and procedures to effectively implement the selected controls.
• implementing the selected controls, including provision of a security awareness and training program.
• monitoring the operation, and maintaining the effectiveness, of the selected controls.
• detecting and reacting to incidents.
Security Management Process: Plan - Do - Check - Act
Plan: establish policy; define objectives and processes
Do: implement and operate policy, controls, processes
Check: assess and measure, and report results
Act: take corrective and preventative actions (based on audits)

Plan - Do - Check - Act
Plan: Establish security policy, objectives, processes, and procedures; perform risk assessment; develop a risk treatment plan with appropriate selection of controls or acceptance of risk.
Do: Implement the risk treatment plan.
Check: Monitor and maintain the risk treatment plan.
Act: Maintain and improve the information security risk management process in response to incidents, review, or identified changes.

Organizational Context and Security Policy
• First examine the organization’s IT security:
  – objectives - wanted IT security outcomes
  – strategies - how to meet objectives
  – policies - identify what needs to be done
• These objectives, strategies, and policies should be maintained and updated regularly, using periodic security reviews, to reflect changing technical/risk environments.

Security Risk Assessment
• Risk assessment is a critical component of the IT security management process.
Without risk assessment:
• resources will not be efficiently deployed.
• some risks are not addressed, leaving the organization vulnerable.
• safeguards may be deployed without sufficient justification, wasting time and money.

Security Risk Assessment
In an ideal risk assessment:
• every asset is examined
• every risk is evaluated
But this is not feasible in practice, due to the rapid rate of change in both IT technologies and the wider threat environment.

Security Risk Assessment
Due to the wide range of organizations, from very small businesses to global multinationals and national governments, one of the following alternative approaches is chosen:
1. Baseline
2. Informal
3. Formal
4. Combined
The choice among these approaches will be determined by the resources available to the organization and by an initial high-level risk analysis.

Baseline Approach
• implement a basic general level of security controls on systems using “industry best practice”
• Advantage:
  – easy, cheap, can be replicated
• Disadvantage:
  – gives no special consideration to the organization’s risk exposure
  – may give too much or too little security
• implements safeguards against the most common threats
• Baseline alone is only suitable for small organizations

Informal Approach
• Conduct an informal, pragmatic risk analysis of the organization’s IT systems
• exploits the knowledge and expertise of an internal analyst or external consultant
• Advantage:
  – fairly quick and cheap
• Disadvantage:
  – does address some organization-specific issues
  – some risks may be incorrectly assessed
  – depends on the analyst’s judgment
• suitable for small to medium-sized organizations

Formal Approach
• Most comprehensive risk assessment approach
• assess risks using a formal, structured process with a number of stages, including:
  – identification of assets, and of threats and vulnerabilities to those assets
  – determination of the likelihood of the risk occurring and the consequences to the organization
• Advantages:
  – detailed examination of the security risks and strong justification for the needed controls
• Disadvantages:
  – costly and slow, requires expert analysts
• Suitable for large organizations

Combined Approach
• Combines elements of the other approaches:
  – starts with the initial baseline approach on all systems
  – then informal analysis to identify critical risks
  – then formal assessment on these systems
  – iterated and extended over time
• Advantages:
  – better use of time and money resources
  – better security
• Disadvantages:
  – if the initial analysis is inaccurate, risks remain for some time