Risk Management

Developing an Information Technology Risk Management Program
Training for DHHS Information Security Officials and Backup Security Officials
What this training covers . .
• What Risk Management means
• What NIST says you should do
• What ISO 17799 says you should do
• What COBIT says you should do
• What Microsoft says you should do
• What HIPAA says you should do
• What NC ITS says you should do
• What DHHS says you should do
• What you should do and when to do it
Risk
“Take calculated risks. That is quite different from being rash.” General George S. Patton
“Only those who risk going too far can possibly find out how far they can go” T.S. Eliot
“Of course you have to go out on a limb sometimes; that’s where the fruit is” Unknown
Information Security
the protection of data against unauthorized access or modification
What is “Risk”?
• Risk is the net mission impact considering both the likelihood that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability, and the resulting impact on the organization if this should occur (NIST)
• Risk is the probability of a vulnerability being exploited in the current environment, leading to a degree of loss of confidentiality, integrity, or availability, of an asset. (Microsoft)
What is Risk Management?
• The total process of identifying, controlling, and minimizing information system related risks to a level commensurate with the value of the assets protected
• The goal of a risk management program is to protect the organization and its ability to perform its mission from IT-related risk
Risk Management is the
Keystone of Information Security
Golden and Silver Rules of RM
All risk is owned!
Risk that is not assigned
is owned by the
organization’s Director
Why are we doing this?
• Why do we do risk management?
• Why does a car have brakes?
An organization that can take advantage of opportunities (and the inherent risks) will outlast an organization which cannot
Reactive Risk Management
1) Protect human life and people’s safety
2) Contain the damage
3) Assess the damage
4) Determine the cause of the damage
5) Repair the damage
6) Review response, and update policies
Proactive Risk Management
[Diagram of the security relationships the following slides step through: Owners value Assets and wish to minimize Risk, so they impose Controls to reduce it; Controls may be reduced by, and may possess, Vulnerabilities, which Owners may be aware of; Threat Sources give rise to Threats that exploit Vulnerabilities and that increase Risk; Vulnerabilities lead to Risk to the Assets; Threat Sources wish to abuse and/or may damage the Assets.]
Proactive Risk Management
[Same relationship diagram (Owners, Controls, Vulnerabilities, Threat Sources, Risk, Threats, Assets), repeated as a transition slide.]
What Assets are we Protecting?
• Email Servers
• Desktop Computers
• Laptops and PDAs
• Switches and Routers
• Application software
• Development Tools
• Source Code
• VPN Access
• Backup Tapes
• Data Integrity
• All Files on the Server
• Consumer Information
• Network Infrastructure
• DHCP
• Web Site
• Availability
• Reputation
• Employee Morale
Proactive Risk Management
[Same relationship diagram (Owners, Controls, Vulnerabilities, Threat Sources, Risk, Threats, Assets), repeated as a transition slide.]
Protecting From What Threats?
• Human Threats – Carelessness, Shoulder Surfing, User Abuse, Sabotage, Arson, Data Entry Errors, Intentional and Unintentional Procedure Violations
• Technical Threats – Takeover of authorized session, Intrusion, Keystroke Eavesdropping, System Failure, Saturation of Resources
• Environmental Threats – Fire, Earthquake, Hurricane, Tornado, Cable Cuts, Power Fluctuation, Hazardous Material Accident, Overheating
Proactive Risk Management
[Same relationship diagram (Owners, Controls, Vulnerabilities, Threat Sources, Risk, Threats, Assets), repeated as a transition slide.]
Threats to What Vulnerabilities?
• Unlocked doors
• Unlocked windows
• Misconfigured systems
• Missing patches
• Antivirus out-of-date
• Poorly written apps
• Vendor backdoors
• Stolen credentials
• Spyware
• Poor password protection
• Software Configuration
• Systems not monitored
• Unnecessary protocols
• Poorly defined procedures
Proactive Risk Management
[Same relationship diagram (Owners, Controls, Vulnerabilities, Threat Sources, Risk, Threats, Assets), repeated as a transition slide.]
Vulnerabilities Protected by What Security Controls?
Controls | Physical | Technical | Administrative
Preventive | Key-card access to enter area | System & Network Monitoring | Security Awareness Training for staff
Detective | Seals on archive file cabinets | Admin message on 3 incorrect logins | Audit of employee exit procedures
Deterrent | Closed-circuit camera monitor | Account lockout after 3 attempts | Data owner approval of rights
Corrective | Physical Isolation of servers | Firewall changes from past events | Arranging for day time cleaning
Recovery | Electronic records recreate physical | Netware’s file “Salvage” option | Contact police after security breach
Proactive Risk Management
[The full relationship diagram from above, shown again: Owners value Assets and wish to minimize Risk, impose Controls to reduce it; Controls may be reduced by, and may possess, Vulnerabilities; Threat Sources give rise to Threats that exploit Vulnerabilities and increase Risk to Assets; Threat Sources wish to abuse and/or may damage Assets.]
Two Approaches to Risk Assessment
1) Quantitative Risk Assessment
• Value your assets
• Determine the SLE, Single Loss Expectancy (total amount lost from a single occurrence of the risk)
• Determine the ARO, Annual Rate of Occurrence (number of times you expect the risk to occur during one year)
• Determine the ALE, Annual Loss Expectancy (amount you will lose in one year if the risk is not mitigated)
• Determine the ROSI, Return On Security Investment: (ALE before control) – (ALE after control) – (annual cost of control) = ROSI
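The SLE/ARO/ALE/ROSI arithmetic above, worked through in Python as an added example (not code from the training deck or from NIST). The backup-tape scenario, the three candidate controls and every dollar figure are constructed, and the exposure factor (the fraction of asset value lost per occurrence, used to derive SLE from asset value) is an assumption of this example; it also applies the deck’s later cost-benefit rule that a control with a negative ROSI costs more than the risk reduction it buys.

```python
"""Quantitative risk assessment arithmetic from the slides: SLE, ARO, ALE and ROSI.

Added example.  The scenario (a lost backup tape, three candidate controls and
their dollar figures) is constructed for illustration; nothing here is taken
from the training deck or from NIST.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float       # what the asset is worth to the mission, in dollars
    exposure_factor: float   # assumed: fraction of that value lost in one occurrence (0.0-1.0)
    aro: float               # Annual Rate of Occurrence: expected events per year

    def sle(self) -> float:
        """Single Loss Expectancy: total amount lost from one occurrence."""
        return round(self.asset_value * self.exposure_factor, 2)

    def ale(self) -> float:
        """Annual Loss Expectancy: SLE times ARO, the loss per year if unmitigated."""
        return round(self.sle() * self.aro, 2)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    new_aro: Optional[float] = None              # None: control does not change likelihood
    new_exposure_factor: Optional[float] = None  # None: control does not change impact

    def apply(self, risk: Risk) -> Risk:
        """The same risk re-estimated with this control in place."""
        ef = risk.exposure_factor if self.new_exposure_factor is None else self.new_exposure_factor
        aro = risk.aro if self.new_aro is None else self.new_aro
        return Risk(risk.name, risk.asset_value, ef, aro)


def rosi(risk: Risk, control: Control) -> float:
    """Return On Security Investment exactly as the slide defines it:
    (ALE before control) - (ALE after control) - (annual cost of control)."""
    return round(risk.ale() - control.apply(risk).ale() - control.annual_cost, 2)


def cost_benefit_verdict(risk: Risk, control: Control) -> str:
    """The deck's cost-benefit rule: a control that costs more than the risk
    reduction it provides (negative or zero ROSI) should be replaced."""
    return "use it" if rosi(risk, control) > 0 else "find something else"


def best_control(risk: Risk, controls) -> Optional[Control]:
    """Highest-ROSI control, or None when no candidate pays for itself."""
    candidates = [c for c in controls if rosi(risk, c) > 0]
    return max(candidates, key=lambda c: rosi(risk, c)) if candidates else None


# Constructed scenario: a backup tape (an asset from the slides) lost in transit.
TAPE_LOSS = Risk("Backup tape lost in transit", asset_value=200_000,
                 exposure_factor=0.5, aro=0.2)

CONTROLS = [
    # Encrypting the tapes: a lost tape is nearly worthless to a finder, so impact drops.
    Control("Encrypt backup tapes", annual_cost=6_000, new_exposure_factor=0.05),
    # A tracked courier: tapes get lost far less often, but the data is still readable.
    Control("Tracked courier service", annual_cost=16_000, new_aro=0.05),
    # Eliminating off-site tapes entirely costs more than the whole annualized loss.
    Control("Replace tapes with replicated storage", annual_cost=30_000, new_aro=0.0),
]

if __name__ == "__main__":
    print(f"SLE ${TAPE_LOSS.sle():,.2f}  ARO {TAPE_LOSS.aro}  ALE ${TAPE_LOSS.ale():,.2f}")
    for c in CONTROLS:
        print(f"{c.name:40s} ROSI ${rosi(TAPE_LOSS, c):>10,.2f}"
              f"  -> {cost_benefit_verdict(TAPE_LOSS, c)}")
    chosen = best_control(TAPE_LOSS, CONTROLS)
    print("Recommend:", chosen.name if chosen else "no cost-effective control")
```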
Two Approaches to Risk Assessment
2) Qualitative Risk Assessment
• Estimate relative values
• Determine what threats each asset may be facing
• Determine what vulnerabilities those threats might exploit in the future
• Determine controls which will mitigate the risks, and the approximate cost of each control
• Management performs a cost-benefit analysis on the results
Comparing the Two Approaches – the Benefits
Quantitative
1) Risks and assets are prioritized by financial values
2) Results facilitate management of risk by Return on Security Investment
3) Results expressed in terms management understands ($)
4) Accuracy tends to increase over time
Qualitative
1) Enables visibility and understanding of risk ranking
2) Easier to reach consensus
3) Not necessary to quantify threat frequency or determine financial value of assets
4) Easier to involve people who are not experts on security or computers
Comparing the Two Approaches – the Drawbacks
Quantitative
1) Impact values assigned to risks are based on subjective opinion
2) Very time-consuming
3) Calculations can be very complex
4) Results are presented only in monetary terms, and can be difficult for non-technical people to interpret
5) Process requires expertise
Qualitative
1) Insufficient differentiation between important risks
2) Difficult to justify investing in control implementation when there is no basis for a cost-benefit analysis
3) Results are dependent on the quality of the Risk Management Team that is created
Effective Risk Management
[Diagram. Threats: attempts to access private information, malicious attacks, natural disasters, sabotage, fraud, pranks, user error. Assets: sensitive information disclosed, services and benefits interrupted, integrity of data and reports compromised. Potential damage: public’s confidence lost, critical operations halted, failure to meet contractual obligations.]
Know what to do now?
Who Wants to Help You?
NIST - The National Institute of Standards and Technology
• NIST is a non-regulatory Federal agency with the mission of developing and promoting measurement, standards and technology to enhance productivity and improve quality of life
• They invent – an atomic clock; a cement-like substance that promotes bone regrowth
• They develop - software for the 170 VA hospitals; complex computational models
• They set standards – weights and measures, cholesterol testing, and . . . Information Security
Pertinent NIST Publications
• SP 800-12 An Introduction to Computer Security: The NIST Handbook
• SP 800-18 Guide for Developing Security Plans for Information Technology Systems
• SP 800-26 Security Self-Assessment Guide for Information Technology Systems
• SP 800-30 Risk Management Guide for Information Technology Systems
NIST Says
It’s a Management Function
• The goal of Risk Management is to protect the organization and its ability to perform its mission
• The focus is the mission; not IT assets
• Risk Management, therefore, is an essential management function of the organization
NIST Says
Risk Management has Three Parts
• Risk Assessment - Determining where risks lie, and how big they are
• Risk Mitigation - Prioritizing, evaluating, and implementing appropriate risk-reducing controls
• Evaluation and Assessment – Since Risk Management is continuous and evolving, the past year’s Risk Management efforts should be assessed and evaluated prior to beginning the cycle again
Risk Management Process
[Diagram: Risk Assessment → Risk Mitigation → RM Evaluation, from National Institute of Standards and Technology SP 800-30]
The Ten Steps of Risk Assessment
1) System Characterization
2) Threat Identification
3) Vulnerability Identification
4) Control Analysis
5) Identify Threat-source/Vulnerability Pairs
6) Likelihood Determination
7) Impact Analysis
8) Risk Determination
9) Control Recommendations
10) Results Documentation
Risk Management Process
[Diagram: Risk Assessment → Risk Mitigation]
Risk Mitigation
• Risk Mitigation is the process of identifying areas of risk that are unacceptable; and estimating countermeasures, costs and resources to be implemented as a measure to reduce the level of risk
• Determining “appropriate risk-reducing controls” is a job for your Risk Management Committee
What is “Acceptable” Risk?
• Setting your agency’s “risk appetite” is up to your Director and Senior Management
• Because elimination of all risk is impossible, we must use the least-cost approach and implement the most appropriate controls to decrease mission risk to an acceptable level, with minimal adverse impact on the organization’s resources and mission
Risk Mitigation Options
• Assume the Risk – Accept the risk and continue operating (how big is your appetite?)
• Avoid the Risk – Stop running the program or sharing the data
• Transfer the Risk – Use options to compensate for the loss, such as insurance
• Lessen the Risk – Implement controls that lessen the impact or lower the likelihood
Risk Mitigation Methodology
1) Prioritize based on risk levels presented
2) Evaluate recommended control options
3) Conduct a cost-benefit analysis
4) Select additional controls, as necessary
5) Assign responsibility
6) Develop an action plan, if necessary
7) Implement the selected controls
Cost-Benefit Analysis
• If control reduces risk more than needed, see if a less expensive alternative exists
• If control would cost more than the risk reduction provided, then find something else
• If control does not reduce risk sufficiently, look for more controls or a different control
• If control provides enough risk reduction and is cost-effective, then use it
Residual Risk
• The risk remaining after the implementation of new or enhanced controls is the residual risk
• If the residual risk has not been reduced to an acceptable level, the risk management cycle must be repeated to identify a way of lowering the residual risk to an acceptable level
• Understand that no IT system can be risk-free
Risk Management Process
[Diagram: Risk Assessment → Risk Mitigation → RM Evaluation]
Evaluation and Assessment
• People, systems, and networks change, so risk management must be ongoing
• Federal agencies must conduct risk management at least every three years
• Stay flexible to allow changes when warranted
NIST Says
Good Risk Management Depends Upon
1) Senior management’s commitment
2) Support of the IT Team
3) Competence of the Risk Management Committee
4) Cooperation and education of the users
5) Ongoing assessment of IT-related mission risks
Who Wants to Help You?
ISO - International Organization of Standardization
• In the late 1990s, the British Standard Institute (BSI) developed a program to accredit auditing firms, called “BS 7799”
• When demand grew quickly for an information security standard, the ISO (International Organization for Standardization) adapted 7799 and released Part 1 in 2000 as “ISO 17799”
• ISO 17799 defines a set of recommended information security management practices
On-line Purchases of ISO 17799
[Pie chart; only the slice percentages (9%, 35%, 18%, 9%, 6%, Others 9%) survived extraction, the slice labels did not.]
ISO 17799 – A Set of Recommendations
• ISO does not expect you to apply every piece of the standard
• Instead ISO suggests that you consider each recommendation as you try to improve your information security program
• If a particular recommendation helps you address an important security need, then accept it – otherwise, ignore it
ISO 17799 Says “First, Understand”
Perfect security may be achievable only for networkless servers located in rooms without doors in stone buildings without people on high ground with no earth faults in areas with very little rain
10 Key Contexts of ISO 17799
[Diagram: the ten contexts arranged around Information, with its Integrity, Confidentiality and Availability at the centre]
• Security policy
• Organizational security
• Asset classification and control
• Personnel security
• Physical and environmental security
• Communications and operations management
• Access control
• Systems development & maintenance
• Business continuity management
• Compliance
ISO 17799 Deliverables
ISO 17799’s Information Security
Management Process
1) Obtain Upper Management Support
2) Define Security Perimeter
3) Create Information Security Policy
4) Create Info Security Management System
5) Perform Risk Assessment
6) Select and Implement Controls
7) Document in Statement of Accountability
8) Audit
ISO 17799 Risk Assessment Steps
1) Identify assets within the security perimeter
2) Identify threats to the assets
3) Identify vulnerabilities to the assets
4) Determine realistic probability
ISO’s Probability of Event Scale
Probability of Event | Frequency | Rating
Negligible | Unlikely to Occur | 0
Very Low | 2 to 3 times every 5 years | 1
Low | Less than or equal to once per year | 2
Medium | Once every 6 months or less | 3
High | Once every month or less | 4
Very High | More than once every month | 5
Extreme | Once per day or more | 6
ISO 17799 Risk Assessment Steps
1) Identify assets within the security perimeter
2) Identify threats to the assets
3) Identify vulnerabilities to the assets
4) Determine realistic probability
5) Calculate harm
ISO’s Harm of Event Scale
Harm of Event | Degree of Harm | Rating
Insignificant | Minimal to no impact | 0
Minor | No extra effort required to repair | 1
Significant | Tangible harm, extra effort required to repair | 2
Damaging | Significant expenditure of resources required; Damage to reputation and confidence | 3
Serious | Extended outage and/or loss of connectivity; Compromise of large amounts of data or services | 4
Grave | Permanent Shutdown; Complete compromise | 5
ISO 17799 Risk Assessment Steps
1) Identify assets within the security
perimeter
2) Identify threats to the assets
3) Identify vulnerabilities to the assets
4) Determine realistic probability
5) Calculate harm
6) Calculate risk (probability x harm)
ISO’s Risk Scale
Risk Calculation (Probability times harm) | Rating
0 | None
1 – 3 | Low
4 – 7 | Medium
8 – 14 | High
15 – 19 | Critical
20 – 30 | Extreme
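The three ISO scales above, combined into a scored and ranked risk register in Python, as an added example rather than anything from the deck. The register entries, their ratings, the re-rating after a control, and the agency’s “Medium” risk appetite are all constructed; the assets and threats are borrowed from the earlier slides.

```python
"""Risk = probability x harm on the ISO 17799 scales shown in the slides, applied
to a small risk register.  Added example: the register entries, ratings and the
risk appetite are constructed for illustration, not taken from the training deck."""
from dataclasses import dataclass

# Probability of Event and Harm of Event scales (name -> rating), as on the slides.
PROBABILITY = {"Negligible": 0, "Very Low": 1, "Low": 2, "Medium": 3,
               "High": 4, "Very High": 5, "Extreme": 6}
HARM = {"Insignificant": 0, "Minor": 1, "Significant": 2, "Damaging": 3,
        "Serious": 4, "Grave": 5}
# Risk scale as (highest score in the band, band name); 6 x 5 = 30 is the maximum.
RISK_BANDS = [(0, "None"), (3, "Low"), (7, "Medium"), (14, "High"),
              (19, "Critical"), (30, "Extreme")]
BAND_ORDER = [name for _, name in RISK_BANDS]  # least to most severe


def risk_score(probability: str, harm: str) -> int:
    """Step 6 of the ISO assessment: probability rating times harm rating."""
    return PROBABILITY[probability] * HARM[harm]


def risk_band(score: int) -> str:
    """Bucket a score onto the slide's risk scale (0 None ... 20-30 Extreme)."""
    if not 0 <= score <= 30:
        raise ValueError(f"score {score} is outside the 0-30 scale")
    for upper, name in RISK_BANDS:
        if score <= upper:
            return name
    raise AssertionError("unreachable: the bands cover 0..30")


@dataclass(frozen=True)
class Entry:
    asset: str
    threat: str
    probability: str   # a key of PROBABILITY, chosen by the assessor
    harm: str          # a key of HARM, chosen by the assessor

    @property
    def score(self) -> int:
        return risk_score(self.probability, self.harm)

    @property
    def band(self) -> str:
        return risk_band(self.score)


def ranked(register):
    """Highest risk first, so mitigation (prioritize by risk level) starts at the top."""
    return sorted(register, key=lambda e: e.score, reverse=True)


def exceeds_appetite(entry: Entry, appetite: str) -> bool:
    """True when the entry sits in a band above the one management will accept."""
    return BAND_ORDER.index(entry.band) > BAND_ORDER.index(appetite)


def residual(entry: Entry, probability: str, harm: str) -> Entry:
    """The same asset/threat re-rated once a control is in place (residual risk)."""
    return Entry(entry.asset, entry.threat, probability, harm)


# Constructed register using assets and threats named on the slides.
REGISTER = [
    Entry("Backup tapes", "Tapes lost in transit", "Low", "Serious"),          # 2*4 = 8  High
    Entry("Email servers", "Saturation of resources", "High", "Significant"),  # 4*2 = 8  High
    Entry("Source code", "Stolen credentials", "Medium", "Grave"),             # 3*5 = 15 Critical
    Entry("Web site", "Power fluctuation", "Very High", "Minor"),              # 5*1 = 5  Medium
    Entry("PDAs", "Hurricane", "Negligible", "Damaging"),                      # 0*3 = 0  None
]
APPETITE = "Medium"  # constructed: management accepts anything rated Medium or below

if __name__ == "__main__":
    for e in ranked(REGISTER):
        action = "TREAT" if exceeds_appetite(e, APPETITE) else "accept"
        print(f"{e.score:2d} {e.band:8s} {action:6s} {e.asset}: {e.threat}")
    # After a control lowers the probability of credential theft to Very Low: 1*5 = 5, Medium.
    after = residual(REGISTER[2], "Very Low", "Grave")
    print(f"residual: {after.score} {after.band}, treat again: {exceeds_appetite(after, APPETITE)}")
```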
ISO 17799’s Information Security
Management Process
1) Obtain Upper Management Support
2) Define Security Perimeter
3) Create Information Security Policy
4) Create Info Security Management System
5) Perform Risk Assessment
6) Select and Implement Controls
7) Document in Statement of Accountability
8) Audit
Who Wants to Help You?
COBIT – Control Objectives for
Information and related Technology
• Created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI)
• The first edition was published in 1996, the second in 1998, the third in 2000, and the on-line edition became available in 2003
• Recently found favor due to Enron scandal and the subsequent passage of the Sarbanes-Oxley Act
What COBIT Says You Should Do
• COBIT looks at information that is needed to support business requirements and the associated IT resources and processes
• COBIT has 34 high level objectives that cover 318 control objectives, categorized in four domains:
1) Planning and Organization
2) Acquisition and Implementation
3) Delivery and Support
4) Monitor
High Level Objectives
COBIT – Planning and Organization
P01 Define a Strategic IT Plan
P02 Define the Information Architecture
P03 Determine Technological Direction
P04 Define the IT Organization and Relationships
P05 Manage the IT Investment
P06 Communicate Management Aims and Direction
P07 Manage Human Resources
P08 Ensure Compliance with External Requirements
P09 Assess Risks
P10 Manage Projects
P11 Manage Quality
High Level Objectives
COBIT – Acquisition & Implementation
AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Develop and Maintain Procedures
AI5 Install and Accredit Systems
AI6 Manage Changes
High Level Objectives
COBIT – Delivery and Support
DS1 Define and Manage Service Levels
DS2 Manage Third-Party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Assist and Advise Customers
DS9 Manage the Configuration
DS10 Manage Projects
DS11 Manage Data
DS12 Manage Facilities
DS13 Manage Operations
High Level Objectives
COBIT – Monitor
M1 Monitor the Processes
M2 Assess Internal Control Adequacy
M3 Obtain Independent Assurances
M4 Provide for Independent Audit
Who Wants to Help You?
Microsoft Says . .
Successful Risk Management Requires:
• Executive sponsorship
• A well-defined list of RM stakeholders
• Organizational maturity in terms of RM
• An atmosphere of open communication
• A spirit of teamwork
• A holistic view of the organization
• Security Risk Management Team authority
Microsoft Says . .
Risk Management Has Four Phases
1) Assessing Risk – Triage an entire list of
security risks, identifying the most important
2) Conducting Decision Support – Potential
control solutions are evaluated, and the best
are recommended for mitigating top risks
3) Implementing Controls – Control solutions
are put in place
4) Measuring Program Effectiveness –
Checking to make sure that the controls are
providing the expected protection
From
Microsoft’s Security
Risk Management
Guide, Chapter 2
Microsoft Says . .
Assessing Risk Phase has Three Steps
1) Planning – Align your annual process with
your budget; Specify your scope; Identify and
pre-sell stakeholders; embrace subjectivity
2) Facilitated Data Gathering – Identify tangible
and intangible assets, threats, vulnerabilities,
existing controls, probable impact
3) Risk Prioritization – Determine probabilities,
and combine impact with probability to produce
a risk statement
Microsoft Says . .
Conducting Decision Support Phase
1) Determine functional requirements
2) Identify combinations of controls
(Organizational, Operational, Technological)
3) Compare proposed controls to functional
requirements
4) Calculate the probable overall risk reduction to
the organization
5) Estimate the cost of each proposed control
6) Select which controls to implement
Microsoft Says . .
Implementing Controls Phase
Solid Building Structure
Good Network Design
Secure Wireless Segment
Disable LAN Services
Remove User Rights
Good Firewall Settings
Least Privilege Necessary
Small attack surface
Frequent Backups
Encryption
Microsoft Says . .
Measuring Program Effectiveness Phase
1) Ongoing – continues until next assessment
phase
2) Should catch changes in the information
systems environment, and in applications
3) Includes creating and maintaining a security
risk scorecard that demonstrates the
organization’s current risk profile
From
Microsoft’s Security
Risk Management
Guide, Chapter 2
Who Wants to Help You?
The Health Insurance Portability
and Accountability Act of 1996
Final Rule, “Administrative Safeguards” – 45 CFR Part 164.306
HIPAA Says Covered Entities Must
• Ensure the confidentiality, integrity and availability of all protected health information the covered entity creates, receives, maintains or transmits
• Protect against any reasonably anticipated threats or hazards to the security or integrity of such information
Final Rule, “Administrative Safeguards” – 45 CFR Part 164.308
HIPAA Security Specifications
1) Security Management Process – “Implement policies and procedures to prevent, detect, contain and correct security violations” Standard: (a)(1)(i)
2) Train workforce – “Implement a security awareness and training program for all members of its workforce (including management)” Standard: (a)(5)(i)
3) Information Systems Activity Review – “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports” Standard: (a)(1)(D)
4) Security Incident Procedures – “Mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity” Standard: (a)(6)(2)
5) Risk Analysis – A covered entity “must conduct an actual and thorough assessment of the potential risks and vulnerabilities of the confidentiality, integrity, and availability of electronic PHI held by the covered entity” Standard (a)(1)(2)(A)
6) Risk Management – A covered entity “must implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level” Standard (a)(1)(ii)(D)
. . And Why You Should Do It
• Civil Monetary Penalties for Non-Compliance $100/person/violation, up to $25,000 per person per year per violation (Section 1176)
• Knowingly Misusing PHI - $50,000, 1 year
• Misuse of PHI under False Pretenses - $100,000 and up to 5 years
• Misuse of PHI with Intent to Sell - $250,000 and up to 10 years (Section 1777)
Because it’s the Law!
Who Wants to Help You?
What NC ITS Says You Should Do*
• They say you should focus on four things:
1) Identification of Risks
2) Analysis of Risks
3) Mitigation Planning
4) Tracking and Controlling Risks
* Based on the Risk Management policy issued November 2004
NC ITS’s Risk Management Program
• Consists of two components: Pre-Risk Assessment, and Risk Assessment (three phases), explained in a Risk Management Guide
Phase I – Identify Risks
Phase II – Analyze Risks
Phase III – Manage Risks
• Heavily uses the NIST rating scale:
Low – Limited adverse effect on agency
Moderate – Serious adverse effect
High – Severe or catastrophic adverse effect
NC ITS’s RM – Pre-Risk Assessment
• Review lines of business service that have automated systems that support the business service
• Determine if critical infrastructures are involved, or if there are critical infrastructure dependencies
• Complete the Pre-Risk Assessment form
NC ITS’s RM – Phase I
• A Facilitator leads a team of people responsible for delivery of a particular line of business through completing the Phase I Questions of the ITS Risk Assessment Questionnaire
• If the final score is “Low”, the risk assessment process ends
• If the final score is “Moderate” or “High”, proceed to Phase II for additional analysis
NC ITS’s RM – Phase II
• A Facilitator leads a team of people knowledgeable in the particular line of business through the Phase II Questions of the ITS Risk Assessment Questionnaire
• If the final score is “Low”, the risk assessment process ends
• If the final score is “Moderate” or “High”, proceed to Phase III for mitigation
NC ITS’s RM – Phase III
• A Facilitator leads appropriate managers and staff through an analysis that focuses on mitigation
• The team identifies options to mitigate the risk, analyzes the cost implications, determines the benefits, and balances the cost of implementing each option against the benefits derived from it
• The result is completion of the Risk Analysis Results & Mitigation Plans form found in the ITS Risk Assessment Questionnaire
NC ITS’s Risk Management Training
• On March 31, 2004, ITS and its vendor partner, Strohl Systems, presented a two hour agency training session (introduced by Ann Garrett) which covered both Business Impact Analysis and Risk Management
• Let’s fast forward and view the Risk Management part of the PowerPoint slide show presented there
• Let’s try working through an example
Pre-Risk Assessment Form
• Line of Business – Pharmacy
• Business Process Owner – Pharmacy Director
• Automated System Supporting – MCPlus
• Critical Infrastructure – Linux Server
• Critical Dependencies – Vendor
Risk Assessment Questionnaire
• 20 Phase I Questions (Q1 – Q19)
• If one or more questions is answered as “Moderate” or “High”, then proceed to Phase II questions
• 65 Phase II Questions (Q1 – Q25)
• If one or more questions (except for Q3) is answered as “Moderate” or “High”, then proceed to Phase III
• Let’s try to fill out the Mitigation Plan now
Who Wants to Help You?
(Based on June 15, 2005 DHHS Risk Management Policy)
What DHHS Says You Should Do
• Assign responsibility for managing risk to senior management
• Provide a mechanism for tracking and reporting risks
• Identify system threats in the environment
• Identify system vulnerabilities the threats could attack
• Identify current security controls
• Identify current security gaps
More Things DHHS Says to Do
DHHS Risk Management Policy, June 15, 2005
• Ensure that every risk has at least one owner
• Develop the responses or controls necessary to mitigate identified and reported risks
• Assess the probability of risks occurring and their potential impact
• Identify the risks associated with critical processes in the workflow
• Identify security controls currently implemented
• Provide an analysis of risks
Even More Things DHHS Says to Do
DHHS Risk Management Policy, June 15, 2005
• Ensure that Risk Management is an intrinsic part of operations
• Keep Risk Management policies and procedures current
• Perform an analysis to evaluate risk mitigation actions taken, and to determine further steps
• Respond to changes in risks, and take corrective action as needed
Even More Things DHHS Says to Do
DHHS Information Security Management Policy, June 15, 2005
• Implement a systematic, analytical and continuous risk management program for information systems
• Ensure that risk identification, analysis and mitigation activities are performed
• Ensure that risk assessments are performed periodically to evaluate effectiveness of existing controls
• Define strategies and mitigate risks to acceptable levels
DHHS Says to Address Risks by:
• Risk Reduction – Implement measures to alter the risk position of an asset
• Risk Transference – Assign or transfer the potential cost of the loss to another party
• Risk Acceptance – Accept the level of loss that will occur and be prepared to absorb the loss
Confused Yet?
[Diagram: HIPAA, ISO 17799, DHHS, NIST, Microsoft and COBIT crowded around “What you thought you knew”]
Who Provides Us with the Most Help?
NIST Says
Risk Management has Three Parts
• Risk Assessment - Determining where risks lie, and how big they are
• Risk Mitigation - Prioritizing, evaluating, and implementing appropriate risk-reducing controls
• Evaluation and Assessment – Since Risk Management is continuous and evolving, the past year’s Risk Management efforts should be assessed and evaluated prior to beginning the cycle again
Risk Management Process
[Diagram: Risk Assessment → Risk Mitigation → RM Evaluation, from National Institute of Standards and Technology SP 800-30]
The Ten Steps of Risk Assessment
1) System Characterization
2) Threat Identification
3) Vulnerability Identification
4) Control Analysis
5) Identify Threat-source/Vulnerability Pairs
6) Likelihood Determination
7) Impact Analysis
8) Risk Determination
9) Control Recommendations
10) Results Documentation
1) System Characterization
• Define the boundaries of the IT system you are addressing, along with the resources and the information that constitute the system, setting the scope of the assessment effort
• Methods of gathering system characterization information include the use of questionnaires, interviews, and automatic scanning tools
• Output #1: A system characterization paragraph
2) Threat Identification
• A threat is the potential for a particular threat-source to successfully exercise a particular vulnerability
• A threat-source is any circumstance or event with the potential to cause harm to an IT system
• A vulnerability is a weakness that can be accidentally triggered or intentionally exploited
Two Types of Threat-Sources
1) Intent and method
targeted at the intentional
exploitation of a
vulnerability
2) A situation and method
that may accidentally
trigger a vulnerability
Common Threat-Sources
• Natural Threats – Floods, earthquakes, tornadoes, electrical storms, landslides, avalanches, etc.
• Human Threats – Events either enabled or caused by human beings, including both unintentional acts (inadvertent data entry) and deliberate actions (unauthorized access)
• Environmental Threats – Long-term power failure, pollution, chemicals, liquid leakage
Threat-Source Identification
• Humans are the most dangerous threat-source
• For each type of human threat-source, estimate the motivation, resources, and capabilities that may be required to carry out a successful attack (to be used during the Likelihood Determination phase)
• Output #2: A list of threats
• Output #3: A chart showing motivation and necessary threat actions for human threats
3) Vulnerability Identification
• A vulnerability is a flaw or weakness in system security procedures, design, implementation, or controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of an information security policy
• Output #4: A list of vulnerabilities that could be exploited by the potential threat-sources
Where Vulnerabilities are Found
1) Hardware Configuration – Servers,
Workstations, Routers, Switches, Firewalls
2) Software Applications – How installed,
Where installed, Rights granted
3) IS Policies and Procedures – How
complete, How up-to-date, How well known
4) Humans – Procedures not being followed,
Staff not being trained
How We Find Vulnerabilities
1) Hardware Configuration – Complete a
System Risk Analysis form for each network
component, arrange for penetration testing
2) Software Applications – Complete an
Application Criticality and Risk Analysis
form for each application
3) IS Policies and Procedures – Complete a
review of the quality of your Information
Security Policies and Procedures every year
4) Humans – Review log files, training records,
and incident reports
4) Control Analysis
 The goal of this step is to analyze the controls
that have been implemented to minimize the
likelihood of a threat exercising a vulnerability
 Output #5: A list of controls currently in use by
network hardware components
 Output #6: A list of controls currently in use by
applications
5) Threat-Source/Vulnerability Pairs
 Considering the controls in place, what
are the Threat-source/Vulnerability pairs
which are of most concern?
 A vulnerability with no threat-source is
not a risk
 A threat-source with no vulnerability is
not a risk
 Output #7: A list of Threat-source and
Vulnerability pairs of concern
6) Likelihood Determination
 A determination of the probability that a
potential vulnerability will be exercised
 When determining likelihood, consider:
1) Threat-source motivation and capability
2) The nature of the vulnerability
3) The existence and effectiveness of current
controls
Likelihood Determination Results
 Output #8: For each identified vulnerability,
a determination of likelihood (H, M, or L)
High – The threat-source is highly motivated and sufficiently
capable, and controls to prevent the vulnerability from being
exercised are ineffective
Medium – The threat-source is motivated and capable, but
controls are in place that may impede successful exercise of
the vulnerability
Low – The threat-source lacks motivation or capability, or
controls are in place to prevent or significantly impede
exercising the vulnerability
7) Impact Analysis
 Determine the adverse impact resulting from a successful threat exercise of
each threat-source/vulnerability pair of concern
Adverse Impact Comes From:
 Loss of Integrity
- Improper modification
 Loss of Availability
- System cannot be accessed or data
cannot be located
 Loss of Confidentiality
- Information classified as sensitive is
disclosed without authorization
Impact Analysis Needs
 For an Impact Analysis we must know:
1) The organization’s mission
2) The criticality of the data
3) The sensitivity of the data
 Sensitivity is the sum of the potential injury from
a breakdown in confidentiality
 Criticality is the sum of the potential injury from
a breakdown in integrity and/or availability
Impacts are High, Medium, or Low
 Output #9: For each identified vulnerability, an
estimation of the magnitude of probable impact
High – Exercise of the vulnerability may result in a highly
costly loss or may significantly impede an organization’s
mission or reputation
Medium – Exercise of the vulnerability may result in a costly
loss or may harm an organization’s mission or reputation
Low – Exercise of the vulnerability may result in the loss of
some assets, or may noticeably affect an organization’s
mission or reputation
8) Risk Determination
 NIST says risk is the net mission impact
considering both the likelihood that a
particular threat-source will exercise
(accidentally trigger or intentionally exploit) a
particular information system vulnerability,
and the resulting impact on the organization if
this should occur
 Likelihood x Impact = Risk
Use a Risk-Level Matrix
                                      Impact
Threat Likelihood     Low (10)         Medium (50)       High (100)
High (1.0)            Low              Medium            High
                      10 x 1.0 = 10    50 x 1.0 = 50     100 x 1.0 = 100
Medium (0.5)          Low              Medium            Medium
                      10 x 0.5 = 5     50 x 0.5 = 25     100 x 0.5 = 50
Low (0.1)             Low              Low               Low
                      10 x 0.1 = 1     50 x 0.1 = 5      100 x 0.1 = 10
Risk Scale: High (>50 to 100); Medium (>10 to 50); Low (1 to 10)
Risk Scale and Necessary Actions
Risk Level   Risk Description and Necessary Actions
High         There is a strong need for corrective measures; the system may
             continue to operate, but a corrective action plan should be put
             in place as soon as possible
Medium       Corrective actions are needed, and a plan incorporating these
             actions should be developed in a reasonable period of time
Low          Additional controls may be implemented, or management may decide
             to accept this risk
Assessing the Risk Level
 Final determination of mission risk is derived
by multiplying the threat likelihood and the
threat impact scores
 Output #10: A numeric risk score for each
identified vulnerability/threat-source pair
 The Vulnerability Analysis form can be used
to capture this information
9) Control Recommendations
 Finish your risk assessment by thinking of
controls which could help minimize the risk
of the vulnerability/threat-source
combinations you are most concerned about
 To determine which controls are appropriate
to add, perform a cost-benefit analysis
 Output #11: Recommendation of additional
controls based on risk assessment
10) Results Documentation
 The Risk Assessment report should be of
sufficient detail to allow the organization’s
management to make informed decisions on
appropriate actions in response to the risks
identified
 Unlike an audit or investigative report that
looks for “wrong-doing”, the Risk
Assessment report should not be presented
in an accusatory manner
Risk Assessment Report
 Your Risk Assessment report should have:
A) An Introduction
B) A description of your Risk Assessment approach
C) A system characterization summary
D) A list of Threat-Sources
E) Vulnerability/Threat-Source analysis results
F) A summary of risk levels and recommendations
 Output #12: Risk Assessment Report that
measures risk and provides recommendations
Report - Introduction
 Purpose
 Scope
 Describe
* System Controls
* Elements
* Users
* Site Locations
* Other Details as necessary
Report – Risk Assessment Approach
 Describe Approach Used
Risk Assessment Team members
Techniques used to gather information
(use of tools, questionnaires, etc.)
Development and description of risk scale
(3x3, 4x4, or 5x5 risk level matrix)
Report – System Characterization
 Describe the system
- Hardware (server, router, switch)
- Software (application, operating system)
- System Interfaces (communication link)
- Data
- Users
 Provide connectivity diagram or system
input and output flowchart
Report - Threat Statement
 Compile potential threat sources
 List associated threat actions
 Review Human Motivations
Report – Risk Assessment Results
 List observations (vulnerability/threat pairs)
 Observations contain
- Observation number and brief description
- Discussion of threat-source and vulnerability
- Identification of existing security controls
- Likelihood discussion and evaluation
- Risk rating
- Recommended controls or alternative options
Report - Summary
 Total number of threat-source/vulnerability
pairs identified (“observations”)
 Summarize
- Observations
- Associated risk levels
- Recommendations
- Any comments
 Organize into a table to facilitate
implementation
The Ten Steps of Risk Assessment
1) System Characterization
2) Threat Identification
3) Vulnerability Identification
4) Control Analysis
5) Identify Threat-source/Vulnerability Pairs
6) Likelihood Determination
7) Impact Analysis
8) Risk Determination
9) Control Recommendations
10) Results Documentation
Reviewing NIST’s RA Output
1) System Characterization
2) List of Threats
3) Human Motivation Review
4) List of Vulnerabilities
5) Review Network Hardware Controls
6) Review Application Controls
7) List Threat-Source and Vulnerability pairs
8) Likelihood determination for each pair of concern
9) Estimation of probable impact
10) Identify risk scores
11) Recommendations, if any, for additional controls
12) Risk Assessment Report
Risk Management Process
[Diagram: Risk Assessment -> Risk Mitigation]
Risk Mitigation
 Risk Mitigation is the process of identifying
areas of risk that are unacceptable; and
estimating countermeasures, costs and
resources to be implemented as a measure to
reduce the level of risk
 Determining “appropriate risk-reducing
controls” is a job for your Risk Management
Committee
What is “Acceptable” Risk?
 Setting your agency’s “risk appetite” is up to
your Director and Senior Management
 Because elimination of all risk is impossible,
we must use the least-cost approach and
implement the most appropriate controls to
decrease mission risk to an acceptable level,
with minimal adverse impact on the
organization’s resources and mission
Risk Mitigation Options
 Assume the Risk – Accept the risk and
continue operating (how big is your appetite?)
 Avoid the Risk – Stop running the program
or sharing the data
 Transfer the Risk – Use options to
compensate for the loss, such as insurance
 Lessen the Risk – Implement controls that
lessen the impact or lower the likelihood
Risk Mitigation Methodology
1) Prioritize based on risk levels presented
2) Evaluate recommended control options
3) Conduct a cost-benefit analysis
4) Select additional controls, as necessary
5) Assign responsibility
6) Develop an action plan, if necessary
7) Implement the selected controls
Possible Technical Controls
 User Identification
 Security Administration
 Authentication
 Authorization
 Nonrepudiation
 Transaction Privacy
 Restore Secure State
 Virus Detection and Eradication
Possible Management Controls
 Assign Security Responsibility
 Conduct Security Awareness Training
 Conduct end-user training for system users
 Implement personnel clearance procedures
 Perform periodic system audits
 Conduct ongoing risk management activities
 Establish incident response capability
Possible Operational Controls
 Control physical access
 Secure hub and cable wiring closets
 Establish off-site storage procedures
 Provide an uninterruptible power supply
 Control temperature and humidity
 Provide motion sensors or CCTV monitoring
 Ensure environmental security
Cost-Benefit Analysis
 If control reduces risk more than needed, see
if a less expensive alternative exists
 If control would cost more than the risk
reduction provided, then find something else
 If control does not reduce risk sufficiently,
look for more controls or a different control
 If control provides enough risk reduction and
is cost-effective, then use it
When Should Management Take Action?
[Decision flowchart, reconstructed as a sequence of questions]
1) Threat Source & System Flaw or Design Weakness? NO: No Risk. YES: continue
2) Can be exercised? NO: No Risk. YES: Vulnerability Exists
3) Mission Impact? NO: No Risk. YES: Risk Exists
4) Attacker’s Cost < Gain? NO: Risk Accept. YES: continue
5) Anticipated Loss > Threshold? NO: Risk Accept. YES: Unacceptable Risk
Residual Risk
 The risk remaining after the implementation
of new or enhanced controls is the residual
risk
 If the residual risk has not been reduced to an
acceptable level, the risk management cycle
must be repeated to identify a way of
lowering the residual risk to an acceptable
level
 Understand that no IT system can be risk-free
Risk Management Process
[Diagram: Risk Assessment -> Risk Mitigation -> RM Evaluation]
Evaluation and Assessment
 People, systems, and networks change,
so risk management must be ongoing
 Federal agencies must conduct risk
management at least every three years
 Stay flexible to allow changes when
warranted
NIST Says
Good Risk Management Depends Upon
1) Senior management’s commitment
2) Support of the IT Team
3) Competence of the Risk Management
Committee
4) The cooperation of the users
5) Ongoing assessment of IT-related
mission risks
Risk Management Examples
Scenario #1 - The Grounds of My Home
#1) The Grounds of My Home
1) System Characterization - the land my home
sits on (risk owned by my wife)
2) Threat Identification – Environmental? From
people? From Nature?
3) Vulnerability Identification – Looking for
weaknesses which could be exercised by a
threat-source; use eyes and knowledge
4) Control Analysis – City Services, fire hydrant,
Home Owner’s insurance, car insurance
The Grounds of My Home – Continued
5) Identify Threat-Source/Vulnerability Pairs –
Dead limb or whole tree could fall on my car
6) Likelihood Determination – Has happened
before; lots of storms; high likelihood
7) Impact Analysis – Dents, broken glass, car
not drivable, repair cost – medium impact
8) Risk Determination – High (1.0) Likelihood
x Medium (50) Impact = Medium (50) Risk
The Grounds of My Home – Continued
9) Control Recommendation Options:
 Have wife pull the limb down
 Hire a tree surgeon to take off the limb
 Take the tree down
 Don’t park there
 Park my wife’s company car there
 Buy a bicycle
 Lower amount of deductible
Completing Mitigation . .
 Assign Responsibility
Taking down the limb - My wife (stronger)
Parking differently - Me (get home first)
 Develop an Action Plan (if necessary)
This weekend
--------------------------------------------------------
 Lessen the likelihood by removing the limb
 Transfer some risk to my wife’s company
 Accept the residual risk
Risk Management Examples
Scenario #2 - The Agency File Servers
#2) The File Servers
1) System Characterization - the File Servers in
our Server Closet
2) Threat Identification – Environmental? From
people? From Nature?
3) Vulnerability Identification – Looking for
weaknesses which could be exercised by a
threat-source; use eyes and knowledge
4) Control Analysis – Firewall, Locks, Daily
Observation, Separate Circuit, UPSs
The File Servers – Continued
5) Identify Threat-Source/Vulnerability Pairs –
Big Oak could fall on flat roof, break it
6) Likelihood Determination – Tree appears
strong, but lots of storms; low likelihood
7) Impact Analysis – Damage from impact,
water damage, repair cost – high impact
8) Risk Determination – Low (0.1) Likelihood
x High (100) Impact = Low (10) Risk
The File Servers – Continued
9) Control Recommendation Options:
 Have the tree removed
 Weaken the tree on the other side to affect fall
 Relocate the File Servers
 Reinforce the roof
 Buy a tarp and rig it over the servers
 Buy a tarp and keep it handy
Completing Mitigation . .
 Assign Responsibility
LAN Manager - Buying a tarp at Wal-Mart for $9
 Develop an Action Plan (if necessary)
Do it tomorrow
--------------------------------------------------------
 Lessen the impact by preparing for the event
(even though it is unlikely)
 Accept the residual risk
Risk Management Examples
Scenario #3 - An Agency Application
#3) An Agency Application
1) System Characterization - Local Access-
based system with PHI sent over the internet
2) Threat Identification – From people? From
telecommunication?
3) Vulnerability Identification – Availability and
Integrity risks are low, but Confidentiality risk
is high; also, data is sent elsewhere
4) Control Analysis – Logical and Physical
Access controls, Security Awareness Program,
Staff Sensitivity Designations
An Application – Continued
5) Identify Threat-Source/Vulnerability Pairs –
We are sharing PHI with no Business
Associate agreement in place
6) Likelihood Determination – Sent to another
CE, but no BA in place; low likelihood
7) Impact Analysis – PHI becoming exposed
could hurt image badly – high impact
8) Risk Determination – Low (0.1) Likelihood
x High (100) Impact = Low (10) Risk
An Application – Continued
9) Control Recommendation Options:
 Make sure the receiver of the PHI
understands their BA responsibilities
 Offer training to the Business Associate
 Request written documentation for the
program
 Establish a written Memorandum of
Understanding between the agencies
Completing Mitigation . .
 Assign Responsibility
Security Official will contact other Security Official
Security Official will develop and offer training show
Data Owner will request software documentation
 Develop an Action Plan (if necessary)
--------------------------------------------------------
 Lessen the likelihood by establishing a HIPAA
compliant Business Associate relationship
 Accept the residual risk
So Let’s Go!
 All Set? - We know where we want to
go, and we have a map, so we’re ready,
right?
 Hold On – How long is this trip, and
how old are we now?
 Let’s estimate our organization’s risk
management maturity, and our readiness
What is your Security Risk
Management Maturity Level?
Based on ISO 17799
Which of these 6 levels best describes
your organization?
Risk Management Maturity Levels
Level  State            Definition
0      Non-Existent     Policy is not documented, and previously the
                        organization was unaware of the business risk
                        associated with this risk management; therefore
                        there has been no communication on the issue.
1      Ad-Hoc           Some members of the organization have concluded
                        that risk management has value; however, risk
                        management efforts are performed in an ad-hoc
                        manner. There are no documented processes or
                        policies, and the process is not fully repeatable.
2      Repeatable       There is awareness of risk management throughout
                        the organization. The process is repeatable, but
                        immature, and not fully documented. Implementation
                        is left to individual employees.
3      Defined Process  The organization has made a formal decision to
                        adopt risk management wholeheartedly in order to
                        drive its information security program. There are
                        clearly defined goals, and some risk management
                        training is available for all staff.
4      Managed          There is a thorough understanding of risk
                        management at all levels of the organization. The
                        process is well-defined, broadly communicated, and
                        training is available. Some initial forms of
                        measurement are in place.
5      Optimized        The organization has committed significant
                        resources to risk management. The process is
                        well-understood and somewhat automated. Training
                        across a range of levels of expertise is available
                        to staff.
What is your Security Risk
Management Readiness Level?
Based on Microsoft’s Security Risk Management Guide – Chapter 3
The following test measures your
organization’s readiness level
For each of these 17 questions,
score your organization on a scale of
zero to five, using the previous
maturity level definitions as a guide
From Microsoft’s Security Risk Management Guide, Chapter 3
Risk Management Readiness Test
1) Information security policies and procedures are
clear, concise, well-documented, and complete
2) All staff positions with job responsibilities involving
information security have clearly articulated and
well understood roles and responsibilities
3) Policies and procedures for securing third-party
access to business data are well-documented. For
example, remote vendors performing application
development for an internal business tool have
sufficient access to network resources to effectively
collaborate and complete their work, but they have
only the minimum amount of access that they need
4) An inventory of Information Technology (IT) assets
such as hardware, software, and data repositories is
accurate and up-to-date
5) Suitable controls are in place to protect business data
from unauthorized access by both outsiders and
insiders
6) Effective user awareness programs such as training
and newsletters regarding information security
policies and practices are in place
7) Physical access to the computer network and other
information technology assets is restricted through
the use of effective controls
8) New computer systems are provisioned following
organizational security standards in a standardized
manner using automated tools such as disk imaging
or build scripts
9) An effective patch management system is able to
automatically deliver software updates from most
vendors to the vast majority of the computer
systems in the organization
10) Effective user awareness programs such as training
and newsletters regarding information security
policies and practices are in place
11) The organization has a comprehensive anti-virus
program including multiple layers of defense, user
awareness training, and effective processes for
responding to virus outbreaks
12) User provisioning processes are well documented
and at least partially automated so that new
employees, vendors, and partners can be granted an
appropriate level of access to the organization's
information systems in a timely manner. These
processes should also support the timely disabling
and deletion of user accounts that are no longer
needed
13) Computer and network access is controlled
through user authentication and authorization,
restrictive access control lists on data, and
proactive monitoring for policy violations
14) Application developers are provided with
education and possess a clear awareness of
security standards for software creation and
quality assurance testing of code
15) Business continuity and disaster recovery
programs are clearly defined, well documented,
and periodically tested through simulations and
drills
16) Programs have commenced and are effective for
ensuring that all staff perform their work tasks in a
manner compliant with legal requirements
17) Third-party reviews and audits are used regularly to
verify compliance with standard practices for
securing business assets
Add all 17 scores together
< 34       Consider starting slowly by creating a Risk Management team
           and applying the process to a single business unit of your
           organization
34 to 50   Your organization has taken many significant steps, and is
           ready to move forward and expose the entire organization to
           the process
> 50       Your organization is well-prepared to begin to use security
           risk management to its fullest extent
Are You Ahead or Behind?
80 B l is s fu l
70 Ig n o r a n c e
60 A w a re n e ss
50 P h a se
40
C o r r e c t iv e
30 P h a se
20
O p e r a t io n s
10
E x c e lle n c e
0
1996 2000 2005 2008

According to the Gartner Group, using a population of G2000 type companies


So Let’s Go!
 All Set? - We know where we want to go, and we
have a map
 We know how mature we are, and have an idea about
the readiness of our organization to begin risk
management
Can we kill any other birds
with the same stones?
Related DHHS Policies
 “System owners are responsible for
determining the sensitivity of data and ensuring
that adequate controls are implemented to
protect the data.”
DHHS Information Systems Review and Auditing Policy
 “Tests that shall be included in overall security
testing strategy for each Division/Offices shall
include Vulnerability Scanning and Penetration
Testing.”
DHHS Security Testing Policy
Related DHHS Policies
 “The BC/DR planning team shall do the
following: Identify the types of disasters most
likely to occur and the resultant impacts on
the agency’s ability to perform its mission.”
DHHS Business Continuity and Disaster Recovery Policy
 “The BC/DR planning team shall do the
following: Propose protective measures to be
implemented in anticipation of a natural or
man-made disaster.”
DHHS Business Continuity and Disaster Recovery Policy
Related DHHS Policies
 “Plans shall include: A risk assessment to
determine risk priorities and probability of
identified risk.”
DHHS Business Continuity and Disaster Recovery Policy
 “Plans shall include: Development of
recovery/restoration procedures for time
critical systems and applications.”
DHHS Business Continuity and Disaster Recovery Policy
Related DHHS Policies
 For each application, classify the risk from loss
of confidentiality as “low”, “medium”, or “high”
 For each application, classify the risk from loss
of integrity as “low”, “medium” or “high”
 For each application, classify the availability
need level as 1 (2 to 4 days), 2 (5 to 9 days), 3
(10 to 19 days) or 4
DHHS Data Classification, Labeling and Access Control Policy
Related DHHS Policies
 “System Administrators have the
responsibility of periodically reviewing user
access privileges and notifying management
of any access concerns.”
 “The system owner of each information
system shall ensure that all user accounts are
reviewed and access rights evaluated at least
once per quarter.”
DHHS User Authorization, Identification and Authentication
Policy
More Related DHHS Policies
 “DHHS Divisions/Offices shall protect data
on all sensitive and critical
applications/systems by implementing
controls that are commensurate with the
security level required to protect the data”
 “If sensitive electronic data resides in a
DHHS Division/Office, administrative,
physical and technical security controls must
be implemented to limit unauthorized access
to the data”
DHHS Data Protection Policy
More Related DHHS Policies
 “All technology shall be evaluated to
ensure that it can provide the level of
security required.”
 “Security risk in the operations
environment shall be kept to a level that is
considered ‘acceptable risk’”
DHHS IT Operations Security Policy
Related HIPAA Requirements
 Application and Data Criticality Analysis –
Assess the relative criticality of specific
applications and data in support of other
contingency plan components
HIPAA Section 164.308 (a)(7)(ii)(E)
 Emergency Mode Operation Plan – Establish
procedures to enable continuation of critical
business processes for protection of the
security of electronic PHI while operating in
emergency mode
HIPAA Section 164.308 (a)(7)(ii)(C)
Final Rule, “Administrative Safeguards” – 45 CFR Part 164.308
HIPAA Security Specifications
 Risk Analysis – A covered entity “must conduct an
accurate and thorough assessment of the potential
risks and vulnerabilities to the confidentiality,
integrity, and availability of electronic PHI held by
the covered entity” Standard (a)(1)(ii)(A)
 Risk Management – A covered entity “must
implement security measures sufficient to reduce
risks and vulnerabilities to a reasonable and
appropriate level” Standard (a)(1)(ii)(D)
12 Steps Towards YOUR Program
1) Educate Management
2) Locate all assets
3) Assign all risk
4) Complete Network Risk Analysis forms
5) Complete Application Risk Analysis forms
6) Penetration and Vulnerability Tests
7) Update Threats list
8) Review IS P&P
9) Complete Vulnerability Analysis forms
10) RM Committee meets and decides on additional controls
11) Report sent to the Director
12) The Committee’s Mid-Year Meeting
1) Educate Management
 Risk Management is one of a half dozen
Information Security projects which
Management must be educated about
 Consider an “Information Security Training for
Management” presentation
 Risk Management MUST be driven by
management if it is to be successful
 Don’t neglect training for “middle” managers,
including application owners and supervisors
2) Locate All Assets
 Hardware and Data - Start listing what you
know about, then find the rest
 Do searches on the network for file types
 Find out who has been storing data on local
hard drives (and stop it)
 List applications, including which have PHI
 Determine where Word, Excel, and Access
files with PHI are kept
3) Assign all Risk
 All applications have Data Owners
 If you created a file (not part of an application
program), then you own it
 If you own a file, you are responsible for
protecting it
 All network components – wiring, router,
switches, servers, concentrators – have a
person assigned to them who owns the risk
4) Network Risk Analysis Forms
For Network Risk Analysis form instructions, click HERE
 Complete one form for
each type of component
1) Windows XP Workstations
2) Windows 2000 workstations
3) Windows 98 workstations
4) File Servers
5) Firewall
6) Router
7) Core Switch
8) Workgroup Switches
9) Wireless Segment, etc.
5) Application Risk Analysis Forms
For Application Risk Analysis form instructions, click HERE
 Complete one form
for each application
1) HEARTS
2) MCPlus Pharmacy
3) NC Accounting
4) Personal Planning System
5) NCSnap
6) Restraint Tracking
7) Staff Development
Records
8) Staff Vacancies, etc.
6) Penetration and Vulnerability Tests
 DIRM may be willing to provide penetration
and vulnerability testing
 You may have to hire a firm to provide these
services
 Testing should be done from both inside your
firewall, and from outside your firewall
 If necessary, hire a teenager
7) Update Threats List
 Consider Natural Threats, Human Threats,
and Environmental Threats
 For Human Threats, consider
sources of motivation
 Your Threats List will not be identical to
others, since local factors must be considered
 Provide this updated list to your Risk
Management Committee each year
8) Review IS Policies and Procedures
 Many risks are inherent in the absence of
information security policies and procedures
 Procedures must evolve as new policies
develop and old policies change
 Your IS Policy and Procedure review should
be done by someone other than the agency’s
Information Security Official
 The results of this review are presented at the
Risk Management Team meeting
9) Vulnerability Analysis Forms
For Vulnerability Analysis form instructions, click HERE
 Complete one form for
each vulnerability/
threat-pair combination
1) HEARTS PHI being
disclosed to or by the Client
Data Warehouse
2) Workgroup switch located in
unlocked wiring closet
3) Loss of application
availability due to file server
running out of disk space
10) Risk Management Team Meets
 RM Committee should be made up of senior
managers, such as the Assistant Director and
Business Manager, and at least one information
system owner
 Team reviews all input, and makes decisions as to
what additional cost-effective controls should be
implemented
 Educating this team is an important part of improving
your risk management process
 It is the Team’s experience that sets priorities
11) Send RM Report to the Director
 The Risk Management Report should clearly
list the vulnerability/threat-source pairings of
concern, and any additional controls which
are recommended
 The report should ideally include a cover
letter to the Director, signed by each member
of the Committee
12) The Committee’s Mid-Year Meeting
 The Risk Management Committee should
meet at least twice each year
 The mid-year meeting should be concerned
about evaluating the results of the
recommendations which emerged from the
year’s first meeting, where mitigation
measures were discussed and decided upon
 Minutes of your Risk Management Committee
meetings should be saved for 6 years
12 Steps Towards YOUR Program
1) Educate Management
2) Locate all assets
3) Assign all risk
4) Complete Network Risk Analysis forms
5) Complete Application Risk Analysis forms
6) Penetration and Vulnerability Tests
7) Update Threats list
8) Review IS P&P
9) Complete Vulnerability Analysis forms
10) RM Committee meets and decides on additional controls
11) Report sent to the Director
12) The Committee’s Mid-Year Meeting
Risk Management Process Timeline
[Timeline chart; activities shown:]
Risk Mitigation Meeting
Report Sent to Director
Implement Additional Controls
Risk Management Mid-Year Meeting
Penetration Testing
Network Risk Forms
Application Risk Forms
Update Threat List
Vulnerability Forms
What We Covered Today . .
 What Risk Management means
 What NIST says you should do
 What ISO 17799 says you should do
 What COBIT says you should do
 What Microsoft says you should do
 What HIPAA says you should do
 What NC ITS says you should do
 What DHHS says you should do
 Developing YOUR program in 12 steps
Links Found in this Slide Show
NIST
NIST SP 800-12
NIST SP 800-18
NIST SP 800-26
NIST SP 800-30
ISO
Microsoft’s Security Risk Management Guide
COBIT
DHHS’s Risk Management
ITS’s November 2005 Risk Management Policy
Maturity Level Definitions
HIPAA Security Rule
ITS Risk Management Site
ITS Risk Management Guide
ITS Pre-Risk Assessment Form
ITS RA Questionnaire
Threats List
Human Motivations List
Network Risk Analysis Form
Instructions for above form
Application Criticality and Risk Analysis Form
Instructions for above form
Vulnerability Analysis Form
Instructions for above form
Training for Management Show
Training for Supervisors Show
Training for Application Owners
Training for Users Show
Any Questions?
Developing an Information
Technology Risk
Management Program