Risk Management
Developing an Information Technology Risk Management Program
Training for DHHS Information Security Officials and Backup Security Officials
What this training covers . . .
What Risk Management means
What NIST says you should do
What ISO 17799 says you should do
What COBIT says you should do
What Microsoft says you should do
What HIPAA says you should do
What NC ITS says you should do
What DHHS says you should do
What you should do and when to do it
Risk
“Take calculated risks. That is quite different from being rash.” General George S. Patton
“Only those who risk going too far can possibly find out how far they can go.” T.S. Eliot
[Diagram: relationships among Owners, Controls, Vulnerabilities, Threat Sources, Threats, Assets and Risk; edge labels read “impose”, “value”, “that may be reduced by”, “that may possess” and “may be aware of”]
What Assets are we Protecting?
Email Servers
Desktop Computers
Laptops
PDAs
Switches and Routers
Network Infrastructure
DHCP
Web Site
VPN Access
Backup Tapes
Data Integrity
All Files on the Server
Consumer Information
Application software
Development Tools
Source Code
Availability
Reputation
Employee Morale
Proactive Risk Management
[Diagram: Owners, Controls, Vulnerabilities, Threat Sources, Risk, Threats, Assets]
Protecting From What Threats?
Human Threats – Carelessness, Shoulder Surfing, User Abuse, Sabotage, Arson, Data Entry Errors, Intentional and Unintentional Procedure Violations
Technical Threats – Takeover of authorized session, Intrusion, Keystroke Eavesdropping, System Failure, Saturation of Resources
Environmental Threats – Fire, Earthquake, Hurricane, Tornado, Cable Cuts, Power Fluctuation, Hazardous Material Accident, Overheating
Threats to What Vulnerabilities?
Unlocked doors
Unlocked windows
Misconfigured systems
Missing patches
Antivirus out-of-date
Poorly written apps
Vendor backdoors
Stolen credentials
Spyware
Poor password protection
Software Configuration
Systems not monitored
Unnecessary protocols
Poorly defined procedures
Vulnerabilities Protected by What Security Controls?
Controls   | Physical                      | Technical                   | Administrative
Preventive | Key-card access to enter area | System & Network Monitoring | Security Awareness Training for staff
[Diagram: consequences of risk – Loss of Public’s confidence; Potential Damage; Critical operations halted; Failure to meet contractual obligations]
Know what to do now?
Who Wants to Help You?
NIST - The National Institute of Standards and Technology
NIST is a non-regulatory Federal agency with the mission of developing and promoting measurement, standards and technology to enhance productivity and improve quality of life
They invent – an atomic clock; a cement-like substance that promotes bone regrowth
They develop – software for the 170 VA hospitals; complex computational models
They set standards – weights and measures, cholesterol testing, and . . . Information Security
Pertinent NIST Publications
SP 800-12 An Introduction to Computer Security: The NIST Handbook
SP 800-18 Guide for Developing Security Plans for Information Technology Systems
SP 800-26 Security Self-Assessment Guide for Information Technology Systems
SP 800-30 Risk Management Guide for Information Technology Systems
NIST Says
It’s a Management Function
The goal of Risk Management is to protect the organization and its ability to perform its mission
The focus is the mission; not IT assets
Risk Management, therefore, is an essential management function of the organization
NIST Says
Risk Management has Three Parts
Risk Assessment – Determining where risks lie, and how big they are
Risk Mitigation – Prioritizing, evaluating, and implementing appropriate risk-reducing controls
Evaluation and Assessment – Since Risk Management is continuous and evolving, the past year’s Risk Management efforts should be assessed and evaluated prior to beginning the cycle again
Risk Management Process
[Diagram: Risk Assessment, Risk Mitigation, RM Evaluation]
National Institute of Standards and Technology SP 800-30
Risk Mitigation
Risk Mitigation is the process of identifying areas of risk that are unacceptable; and estimating countermeasures, costs and resources to be implemented as a measure to reduce the level of risk
Determining “appropriate risk-reducing controls” is a job for your Risk Management Committee
What is “Acceptable” Risk?
Setting your agency’s “risk appetite” is up to your Director and Senior Management
Because elimination of all risk is impossible, we must use the least-cost approach and implement the most appropriate controls to decrease mission risk to an acceptable level, with minimal adverse impact on the organization’s resources and mission
Risk Mitigation Options
Assume the Risk – Accept the risk and continue operating (how big is your appetite?)
Avoid the Risk – Stop running the program or sharing the data
Transfer the Risk – Use options to compensate for the loss, such as insurance
Lessen the Risk – Implement controls that lessen the impact or lower the likelihood
Risk Mitigation Methodology
1) Prioritize based on risk levels presented
2) Evaluate recommended control options
3) Conduct a cost-benefit analysis
4) Select additional controls, as necessary
5) Assign responsibility
6) Develop an action plan, if necessary
7) Implement the selected controls
Cost-Benefit Analysis
If control reduces risk more than needed, see if a less expensive alternative exists
If control would cost more than the risk reduction provided, then find something else
If control does not reduce risk sufficiently, look for more controls or a different control
If control provides enough risk reduction and is cost-effective, then use it
Residual Risk
The risk remaining after the implementation of new or enhanced controls is the residual risk
If the residual risk has not been reduced to an acceptable level, the risk management cycle must be repeated to identify a way of lowering the residual risk to an acceptable level
Understand that no IT system can be risk-free
Risk Management Process
[Diagram: Risk Assessment, Risk Mitigation, RM Evaluation]
Evaluation and Assessment
People, systems, and networks change, so risk management must be ongoing
Federal agencies must conduct risk management at least every three years
Stay flexible to allow changes when warranted
NIST Says
Good Risk Management Depends Upon
[Diagram: Access control; Physical and environmental security; Communications and operations management]
ISO 17799 Deliverables
ISO 17799’s Information Security Management Process
1) Obtain Upper Management Support
2) Define Security Perimeter
3) Create Information Security Policy
4) Create Info Security Management System
5) Perform Risk Assessment
6) Select and Implement Controls
7) Document in Statement of Accountability
8) Audit
ISO 17799 Risk Assessment Steps
1) Identify assets within the security perimeter
2) Identify threats to the assets
3) Identify vulnerabilities to the assets
4) Determine realistic probability
ISO’s Probability of Event Scale
Probability of Event | Frequency                           | Rating
Negligible           | Unlikely to Occur                   | 0
Very Low             | 2 to 3 times every 5 years          | 1
Low                  | Less than or equal to once per year | 2
Medium               | Once every 6 months or less         | 3
High                 | Once every month or less            | 4
Very High            | More than once every month          | 5
Extreme              | Once per day or more                | 6
ISO 17799 Risk Assessment Steps
1) Identify assets within the security perimeter
2) Identify threats to the assets
3) Identify vulnerabilities to the assets
4) Determine realistic probability
5) Calculate harm
ISO’s Risk Scale
Risk Calculation (Probability times harm) | Rating
0                                         | None
1–3                                       | Low
4–7                                       | Medium
8–14                                      | High
15–19                                     | Critical
20–30                                     | Extreme
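As an added example (not part of the DHHS deck or the ISO standard), the two ISO scales above can be combined to score a risk register and order it for mitigation step 1. The harm scale of 0–5 (so 6 × 5 = 30 tops the risk scale), the numeric frequency thresholds, and the register entries are my assumptions.

```python
# Added example, not part of the DHHS training deck: scoring a constructed
# risk register with the ISO 17799 probability and risk scales above.
# ASSUMPTIONS: harm is rated 0-5 (so 6 x 5 = 30 tops the risk scale) and the
# frequency wording is read as "at most this many events per year".
PROBABILITY_BANDS = [  # (max events per year, rating, label)
    (0.0, 0, "Negligible"),    # unlikely to occur
    (0.6, 1, "Very Low"),      # 2 to 3 times every 5 years
    (1.0, 2, "Low"),           # once per year or less often
    (2.0, 3, "Medium"),        # once every 6 months
    (12.0, 4, "High"),         # once every month
    (365.0, 5, "Very High"),   # more than once a month, less than daily
]
EXTREME = (6, "Extreme")       # once per day or more

RISK_SCALE = [  # (max score, rating) for probability x harm
    (0, "None"), (3, "Low"), (7, "Medium"), (14, "High"), (19, "Critical"), (30, "Extreme"),
]

def probability_rating(events_per_year):
    """Map an estimated annual frequency onto the 0-6 probability rating."""
    if events_per_year >= 365:
        return EXTREME
    for limit, rating, label in PROBABILITY_BANDS:
        if events_per_year <= limit:
            return rating, label

def risk_rating(prob_rating, harm):
    """Probability rating (0-6) times harm (0-5), bucketed by the risk scale."""
    if not (0 <= prob_rating <= 6 and 0 <= harm <= 5):
        raise ValueError("ratings out of range")
    score = prob_rating * harm
    return score, next(label for limit, label in RISK_SCALE if score <= limit)

# Constructed register: (asset, threat, estimated events per year, harm 0-5)
SAMPLE_REGISTER = [
    ("Backup tapes", "Tape lost in transit to off-site storage", 0.5, 4),
    ("Email servers", "Virus outbreak via attachment", 6.0, 3),
    ("Web site", "Defacement", 0.0, 2),
    ("Consumer information", "Data entry error exposes a record", 30.0, 5),
]

def prioritize(register):
    """Score every entry and order it highest risk first (mitigation step 1)."""
    rows = []
    for asset, threat, freq, harm in register:
        prob, plabel = probability_rating(freq)
        score, rlabel = risk_rating(prob, harm)
        rows.append((score, rlabel, plabel, asset, threat))
    return sorted(rows, key=lambda row: row[0], reverse=True)
```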
Who Wants to Help You?
COBIT – Control Objectives for Information and related Technology
Created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI)
The first edition was published in 1996, the second in 1998, the third in 2000, and the on-line edition became available in 2003
Recently found favor due to Enron scandal and the subsequent passage of the Sarbanes-Oxley Act
What COBIT Says You Should Do
COBIT looks at information that is needed to support business requirements and the associated IT resources and processes
COBIT has 34 high level objectives that cover 318 control objectives, categorized in four domains:
1) Planning and Organization
2) Acquisition and Implementation
3) Delivery and Support
4) Monitor
High Level Objectives
COBIT – Planning and Organization
PO1 Define a Strategic IT Plan
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Organization and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage Human Resources
PO8 Ensure Compliance with External Requirements
PO9 Assess Risks
PO10 Manage Projects
PO11 Manage Quality
High Level Objectives
COBIT – Acquisition & Implementation
AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Develop and Maintain Procedures
AI5 Install and Accredit Systems
AI6 Manage Changes
High Level Objectives
COBIT – Delivery and Support
DS1 Define and Manage Service Levels
DS2 Manage Third-Party Services
DS8 Assist and Advise Customers
DS9 Manage the Configuration
1) Identification of Risks
2) Analysis of Risks
3) Mitigation Planning
4) Tracking and Controlling Risks
* Based on November 2004 Risk Management policy issued
NC ITS’s Risk Management Program
Consists of two components: Pre-Risk Assessment, and Risk Assessment (three phases), explained in a Risk Management Guide
Phase I – Identify Risks
Phase II – Analyze Risks
Phase III – Manage Risks
Heavily uses the NIST rating scale:
Low – Limited adverse effect on agency
Moderate – Serious adverse effect
High – Severe or catastrophic adverse effect
NC ITS’s RM – Pre-Risk Assessment
Review lines of business service that have automated systems that support the business service
Determine if critical infrastructures are involved, or if there are critical infrastructure dependencies
Complete the Pre-Risk Assessment form
NC ITS’s RM – Phase I
A Facilitator leads a team of people responsible for delivery of a particular line of business through completing the Phase I Questions of the ITS Risk Assessment Questionnaire
If the final score is “Low”, the risk assessment process ends
If the final score is “Moderate” or “High”, proceed to Phase II for additional analysis
NC ITS’s RM – Phase II
A Facilitator leads a team of people knowledgeable in the particular line of business through the Phase II Questions of the ITS Risk Assessment Questionnaire
If the final score is “Low”, the risk assessment process ends
If the final score is “Moderate” or “High”, proceed to Phase III for mitigation
NC ITS’s RM – Phase III
A Facilitator leads appropriate managers and staff through an analysis that focuses on mitigation
The team identifies options to mitigate the risk, analyzes the cost implications, determines the benefits, and balances the cost of implementing each option against the benefits derived from it
The result is completion of the Risk Analysis Results & Mitigation Plans form found in the ITS Risk Assessment Questionnaire
NC ITS’s Risk Management Training
On March 31, 2004, ITS and its vendor partner, Strohl Systems, presented a two hour agency training session (introduced by Ann Garrett) which covered both Business Impact Analysis and Risk Management
Let’s fast forward and view the Risk Management part of the PowerPoint slide show presented there
Let’s try working through an example
Pre-Risk Assessment Form
Line of Business – Pharmacy
Business Process Owner – Pharmacy Director
Automated System Supporting – MCPlus
Critical Infrastructure – Linux Server
Critical Dependencies – Vendor
Risk Assessment Questionnaire
20 Phase I Questions (Q1 – Q19)
If one or more questions is answered as “Moderate” or “High”, then proceed to Phase II questions
65 Phase II Questions (Q1 – Q25)
If one or more questions (except for Q3) is answered as “Moderate” or “High”, then proceed to Phase III
Let’s try to fill out the Mitigation Plan now
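As an added example (not the ITS questionnaire’s own scoring nor part of the DHHS deck), the phase-gating rule above, including the Q3 exception, run over constructed answers for the Pharmacy / MCPlus example. Treating a phase’s “final score” as the highest answer among the questions that count is my assumption.

```python
# Added example, not part of the ITS questionnaire or the DHHS deck: the
# phase-gating rule described above, run over constructed answers for the
# Pharmacy / MCPlus example. A phase's final score is taken to be the highest
# answer among the questions that count (an assumption about the scoring).
LEVELS = {"Low": 0, "Moderate": 1, "High": 2}   # NIST-style rating scale
PHASE2_EXEMPT = frozenset({"Q3"})               # Phase II question that never escalates

def phase_score(answers, exempt=frozenset()):
    """Final score for one phase: the highest non-exempt answer, or Low if none."""
    counted = []
    for question, answer in answers.items():
        if answer not in LEVELS:
            raise ValueError(f"{question}: unknown rating {answer!r}")
        if question not in exempt:
            counted.append(answer)
    return max(counted, key=LEVELS.get, default="Low")

def next_step(phase1, phase2=None):
    """Walk the ITS gating and report where the assessment stands."""
    if phase_score(phase1) == "Low":
        return ("Phase I", "risk assessment ends")
    if phase2 is None:
        return ("Phase II", "additional analysis required")
    if phase_score(phase2, PHASE2_EXEMPT) == "Low":
        return ("Phase II", "risk assessment ends")
    return ("Phase III", "mitigation planning required")

# Constructed answers for the Pharmacy line of business (not real results).
PHARMACY_PHASE1 = {f"Q{n}": "Low" for n in range(1, 20)}
PHARMACY_PHASE1["Q7"] = "Moderate"            # one Moderate answer is enough to proceed
PHARMACY_PHASE2 = {f"Q{n}": "Low" for n in range(1, 26)}
PHARMACY_PHASE2["Q3"] = "High"                # Q3 is exempt, so this does not escalate
```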
Who Wants to Help You?
DHHS (Based on June 15, 2005 DHHS Risk Management Policy)
NIST
[Diagram: Risk Management Process – Risk Assessment, Risk Mitigation, RM Evaluation]
National Institute of Standards and Technology SP 800-30
Risk Scale: High (>50 to 100); Medium (>10 to 50); Low (1 to 10)
Risk Scale and Necessary Actions
Risk Level | Risk Description and Necessary Actions
Possible Technical Controls
User Identification
Security Administration
Authentication
Authorization
Nonrepudiation
Transaction Privacy
Restore Secure State
Virus Detection and Eradication
Possible Management Controls
Assign Security Responsibility
Conduct Security Awareness Training
Conduct end-user training for system users
Implement personnel clearance procedures
Perform periodic system audits
Conduct ongoing risk management activities
Establish incident response capability
Possible Operational Controls
Control physical access
Secure hub and cable wiring closets
Establish off-site storage procedures
Provide an uninterruptible power supply
Control temperature and humidity
Provide motion sensors or CCTV monitoring
Ensure environmental security
When Should Management Take Action?
[Flowchart: a Threat Source is followed through the decisions Risk Exists?, Attacker’s Cost < Gain?, Anticipated Loss > Threshold? and Mission Impact?; YES answers lead on to Unacceptable Risk and Loss, NO answers lead to No Risk]
NIST Says
Good Risk Management Depends Upon
[Diagram: Penetration Testing; Vulnerability Forms]
What We Covered Today . . .
What Risk Management means
What NIST says you should do
What ISO 17799 says you should do
What COBIT says you should do
What Microsoft says you should do
What HIPAA says you should do
What NC ITS says you should do
What DHHS says you should do
Developing YOUR program in 12 steps
Links Found in this Slide Show
NIST
NIST SP 800-12
NIST SP 800-18
NIST SP 800-26
NIST SP 800-30
ISO
Microsoft’s Security Risk Management Guide
COBIT
DHHS’s Risk Management
ITS’s November 2005 Risk Management Policy
Maturity Level Definitions
HIPAA Security Rule
ITS Risk Management Site
ITS Risk Management Guide
ITS Pre-Risk Assessment Form
ITS RA Questionnaire
Threats List
Human Motivations List
Network Risk Analysis Form
Instructions for above form
Application Criticality and Risk Analysis Form
Instructions for above form
Vulnerability Analysis Form
Instructions for above form
Training for Management Show
Training for Supervisors Show
Training for Application Owners Show
Training for Users Show
Any Questions?
Developing an Information Technology Risk Management Program