SECURITY RISK MANAGEMENT
ISACA Atlanta Chapter, Geek Week
August 20, 2013
Scott Ritchie, Manager, HA&W Information Assurance Services
Scott Ritchie
CISSP, CISA, PCI QSA, ISO 27001 Auditor
• Manager, HA&W Information Assurance Services
• Previous
– AT&T, Internal Audit (Technology audits)
– Scientific Research Corp., Information Systems Security Officer
• Academics
– M.B.A.
– M.S. Information Assurance
[email protected]
(770) 353-2761
http://www.linkedin.com/pub/scott-ritchie/2/308/260
www.aicpa.org/fvs
HA&W Information Assurance Services
Key Verticals:
• Fraud & Analytics
• Healthcare IT
• Tech / Cloud Service Providers
• FinTech / Payments
SME Domains:
• Security
• Privacy:
o HIPAA / HITECH
o Safe Harbor
o State Regulations
• Confidentiality
• Processing Integrity
• Data Management
• Availability
• Financial Reporting
Key Services:
• Risk and gap assessments
• Attest/Compliance Reporting:
o SSAE 16 & SOC 2 Reporting
o PCI Compliance
o ISO 27001 Certification
o FedRAMP Certification
• IT Internal Audit
• IT Governance
• Due Diligence
Focus of Today’s Presentation
• How to assess security risks
• Understand recognized security risk management frameworks
• Introduce security risk management practices
Security Environment
• Explosive growth / aggressive use of technology
• Proliferation of data
• Sophistication of threats
Challenges
• Least privilege
• Awareness and training
• Insider threat
• Advanced Persistent Threats
• Trustworthiness of applications and systems
• Mobile computing
• Cloud and virtualization
• Individual/device auth
• Resiliency of Systems
• Privacy
• Supply chain
Can't cover everything - Risk management allows prioritization
Risk Assessment Illustrated
Definitions:
• Risk: Extent to which an entity is threatened by a potential event. (Note: Quantitative or Qualitative)
• Risk Assessment: Prioritization of risks based on probability and impact of an event.
• Threat: Circumstance with potential to adversely impact organizational operations, assets, individuals, and others.
• Vulnerability: Weakness in an information system, procedures, controls, or implementation.
• Impact: Magnitude of harm expected to result from the consequences of an event.
• Probability: Likelihood that a threat event will be initiated or will occur.
• Predisposing conditions: Condition which affects the probability that threat events, once initiated, result in adverse impacts.
Risk Management (RM) Hierarchy
Reference: NIST 800-30
Risk Assessment Frameworks
ISO 27005: IT Risk Management
Process steps, in sequence:
• Context Definition
• Risk Identification
• Risk Analysis
• Risk Evaluation
• Risk Treatment
• Risk Acceptance
Running alongside every step:
• Communication and consultation
• Monitoring and review
Understand the Organization
• Organization
– Governance
– Contractual relationships
– Organizational structure
– Policies and Standards
– Objectives
– Organization's culture
– Resources and knowledge
– Relationships with stakeholders
– Information flows
• Management Commitment
– Rationale for managing risk
– Accountabilities for managing risk
– Methods for resolving conflicting interests
– Commit resources
– Risk management performance metrics
– Management Review
– Response to an event or change in circumstances
– Risk Management Policy
– Democratization of Risk Management
– Communication
• Risk Management Approach
– Nature and types of causes and consequences
– How the level of risk is to be determined
– Likelihood and impact Criteria
– Risk Tolerance
– Views of stakeholders
– Level and Acceptance Criteria
– Combinations of multiple risks
Objectives of Risk Assessment
Understand business risks
Identify improvement opportunities
Allocate resources effectively
Get support from the enterprise
Demonstrate due diligence
Meet compliance requirements
Information Asset Inventory
• Anything of value that requires protection
– People, Process, Technology
– Information
– Supporting Infrastructure
– Business processes
• Data Sources:
– Listings of Enterprise Applications
– Listings of Databases
– Software Inventory
– Hardware Inventory
– System Diagrams
– Technical Design Documents
Example Asset Register
Columns: Asset Name/Description | Asset Description | Class. | DR Priority | Exposure Level (H,M,L)
• Personnel | Employees | High | 1 | M
• Client PII | Personally Identifiable Information | High | 1 | L
• Production Web server | Company primary web site (no sensitive data) | Medium | 1 | H
Calculating Risk (perception)
Source: CSOOnline.com
Calculating Risk
Risk = Impact X Probability
Elements of Risk
• Risk
– Impact
o Asset: Pervasiveness
o Threat: Source Severity
– Probability
o Vulnerability: Initiation Probability, Success Probability, Predisposing Conditions
o Mitigation: Effectiveness
Risk Identification
Risk Identification Sources
• Threat Catalogs
• System Docs
• Surveys and Workshops
• Interviews
• Vulnerability Assessments
• Audits/Gap Assessments
• Previous Events
Assess Threats
• Deliberate Attacks
– Intent
– Capabilities
– Operational constraints
– Exploit characteristics
• Natural
– Fire
– Water
– Earth
– Air
• Unintentional Exposures
– Characteristics
– Work Environment
– Time constraints
Likelihood Considerations
• Experience and statistics for threat likelihood
• Motivation and capabilities of the attacker
• Exposure to possible attackers
• Accident sources: geographical/weather
• Human errors and equipment malfunction
• Individual and aggregate vulnerabilities
• Effectiveness of existing controls
Vulnerabilities
• Organization
• Processes and procedures
• Management routines
• Personnel
• Physical environment
• Information system configuration
• Hardware, software or communications equipment
• Dependence on external parties
Impact criteria
• Asset classification
• Breaches of information security
• Impaired operations
• Loss of business and financial value
• Disruption of plans and deadlines
• Damage to reputation
• Breaches of requirements
Risk evaluation criteria
• Strategic value of the assets
• Criticality of the assets
• Legal, contractual, and regulatory requirements
• Operational and business importance of
confidentiality, integrity, and availability (CIA)
• Stakeholders' expectations
• Damage to reputation
Example Risk Register
Columns: Threat | Predisposing Conditions | Vulnerable Entities | nine L/M/H rating columns
Rating columns on the slide: Control Effectiveness; Likelihood of Attack Initiation; Likelihood Success; Total Likelihood; Confidentiality (L,M,H); Integrity (L,M,H); Availability (L,M,H); Overall Impact; Overall Risk Rating
• Threat: Lack of communication of Business and IT needs leads to unintended exposure of data.
– Predisposing Conditions: Business objectives are not aligned with IT strategies.
– Vulnerable Entities: Business Operations
– Ratings (left to right as extracted): H H H H H H H H M
• Threat: Accidental or intentional duplication and retention of data leads to unnecessary exposure.
– Predisposing Conditions: Sensitive documents are retained beyond useful life
– Vulnerable Entities: All data sources.
– Ratings (left to right as extracted): H M M H H H H H L
• Threat: Lost or stolen laptop leads to exposure of sensitive data.
– Predisposing Conditions: No encryption on almost all laptops
– Vulnerable Entities: All servers, network devices, and laptops.
– Ratings (left to right as extracted): H L H H H H H H M
• Threat: Improper handling of data by employees, contractors, or vendors leads to exposure of sensitive data.
– Predisposing Conditions: No formal privacy awareness, data handling, or information security training.
– Vulnerable Entities: Employees, contractors, and vendors.
– Ratings (left to right as extracted): M M M M H H H M L
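As an added example (not part of the presentation, and not the presenter's or HA&W's method), the following Python scores a register like the one above using the Risk = Impact X Probability relation from the Calculating Risk and Elements of Risk slides: likelihood is derived from attack initiation, success and control effectiveness, impact from the worst of the confidentiality, integrity and availability ratings, and the two are combined on an L/M/H ordinal scale to produce the prioritised list a risk assessment is meant to deliver. The combination rules, the matrix thresholds and the sample rows' ratings are assumptions constructed for illustration.

```python
"""Ordinal risk scoring for a risk register.

Added example: the L/M/H combination rules below are assumptions made for
illustration, not the presentation's own method. The sample register rows
are constructed, loosely following the threats on the slide.
"""
from dataclasses import dataclass

# Ordinal scale used by the register: L < M < H.
LEVELS = {"L": 1, "M": 2, "H": 3}
NAMES = {score: name for name, score in LEVELS.items()}


def clamp(score: int) -> int:
    """Keep an adjusted score on the 1..3 scale."""
    return max(1, min(3, score))


@dataclass(frozen=True)
class RiskEntry:
    threat: str
    predisposing_conditions: str
    vulnerable_entities: str
    control_effectiveness: str   # L/M/H: how well existing controls work
    likelihood_initiation: str   # L/M/H: a threat event is initiated
    likelihood_success: str      # L/M/H: an initiated event succeeds
    confidentiality: str         # L/M/H: impact on confidentiality
    integrity: str               # L/M/H: impact on integrity
    availability: str            # L/M/H: impact on availability


def total_likelihood(e: RiskEntry) -> str:
    """Probability side of Risk = Impact x Probability.

    Assumed rule: the event must both be initiated and succeed, so start from
    the lower of the two likelihoods; highly effective controls step the
    result down one level and ineffective controls step it up one level."""
    base = min(LEVELS[e.likelihood_initiation], LEVELS[e.likelihood_success])
    adjustment = {"H": -1, "M": 0, "L": 1}[e.control_effectiveness]
    return NAMES[clamp(base + adjustment)]


def overall_impact(e: RiskEntry) -> str:
    """Impact side: assumed rule is the worst of the C, I and A impacts."""
    return NAMES[max(LEVELS[e.confidentiality], LEVELS[e.integrity],
                     LEVELS[e.availability])]


def overall_risk(e: RiskEntry) -> str:
    """Risk = Impact x Probability on the ordinal scale, mapped back to L/M/H.

    Assumed thresholds for the 3x3 matrix: product 1-2 -> L, 3-4 -> M,
    6-9 -> H."""
    product = LEVELS[overall_impact(e)] * LEVELS[total_likelihood(e)]
    if product <= 2:
        return "L"
    if product <= 4:
        return "M"
    return "H"


def rank_register(entries):
    """Return (threat, likelihood, impact, rating) tuples, highest risk first.

    Rating dominates the ordering; impact, then likelihood, break ties."""
    scored = [(e.threat, total_likelihood(e), overall_impact(e), overall_risk(e))
              for e in entries]
    return sorted(scored,
                  key=lambda r: LEVELS[r[3]] * 10 + LEVELS[r[2]] * 3 + LEVELS[r[1]],
                  reverse=True)


# Constructed sample rows (ratings are illustrative, not the slide's values).
SAMPLE_REGISTER = [
    RiskEntry("Lost or stolen laptop leads to exposure of sensitive data.",
              "No encryption on almost all laptops", "All laptops",
              "L", "H", "H", "H", "M", "M"),
    RiskEntry("Improper handling of data by employees, contractors, or vendors.",
              "No formal privacy awareness or data handling training.",
              "Employees, contractors, and vendors.",
              "L", "M", "M", "H", "M", "L"),
    RiskEntry("Retention of data beyond its useful life leads to unnecessary exposure.",
              "Sensitive documents are retained beyond useful life",
              "All data sources.", "M", "H", "M", "M", "L", "L"),
    RiskEntry("Lack of communication of business and IT needs exposes data.",
              "Business objectives are not aligned with IT strategies.",
              "Business Operations", "M", "M", "M", "M", "M", "L"),
    RiskEntry("Brief power interruption makes the public web site unavailable.",
              "No battery backup on one network switch (constructed).",
              "Production Web server", "M", "L", "M", "L", "L", "M"),
]

if __name__ == "__main__":
    for threat, likelihood, impact, rating in rank_register(SAMPLE_REGISTER):
        print(f"{rating}  (L={likelihood}, I={impact})  {threat}")
```

The ranking is the deliverable: the two H entries are the ones the treatment plan should address first, the M entries can wait for the next cycle, and the L entry is a candidate for formal acceptance. Changing a control effectiveness value and re-running the script shows how a mitigation moves an item down the list, which is what the Re-Assess Risks step later in the deck is tracking.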
Risk Treatment
• Transfer/Share
• Avoid
• Mitigate
• Accept
Risk acceptance criteria
• Multiple thresholds and provisions for senior managers to accept risks
• Ratio of estimated benefit to the estimated risk
• Different acceptance criteria for different classes of risk
• May include requirements for future additional treatment
Report
• Executive Summary, Methodology, and Detailed Results
• Share results of assessment - present risk treatment plan
• Eliminates misunderstanding among decision makers and stakeholders
• Supports decision-making
• Improves awareness and provides new knowledge
• Co-ordinates with other parties and plans responses
• Gives decision makers and stakeholders a sense of responsibility about risks
Re-Assess Risks
• Assessments are an on-going exercise
• Track mitigation strategies
• Re-test control design/effectiveness
• Document test results, corrective actions, changes in business needs/requirements.
Future
• Develop risk-aware mission and business processes
• Integrate into enterprise architecture development
• Acquire IT systems with high level of assurance
• Consider threats when deploying new technology
• Agile defense
• Implement robust continuous monitoring programs
Questions
THANK YOU!