Monday, 18 April 2016

RISK MANAGEMENT


Security Management: It encompasses all the activities that are needed to keep a security program up, running and evolving.
RISK: Risk, in the context of security, is the possibility of damage happening and the ramifications of such damage should it occur.
Information Risk Management (IRM): It is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level. The IRM policy should be a subset of the organization’s overall risk management policy (risks to a company include more than just information security issues) and should be mapped to the organizational security policies.
Risk Assessment: It is a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls. A risk assessment is carried out, and the results are analyzed.
Risk Analysis: Risk analysis is used to ensure that security is cost-effective, relevant, timely, and responsive to threats.
A risk analysis has four main goals:
  • Identify assets and their value to the organization.
  • Identify vulnerabilities and threats.
  • Quantify the probability and business impact of these potential threats.
  • Provide an economic balance between the impact of the threat and the cost of the countermeasure.
Risk analysis provides a cost/benefit comparison, which compares the annualized cost of controls to the potential cost of loss. A control, in most cases, should not be implemented unless the annualized cost of loss exceeds the annualized cost of the control itself.
Risks have loss potential, meaning what the company would lose if a threat agent actually exploited a vulnerability. The loss may be corrupted data, destruction of systems and/or the facility, unauthorized disclosure of confidential information, a reduction in employee productivity, and so on.
When performing a risk analysis, the team also must look at delayed loss when assessing the damages that can occur. Delayed loss is secondary in nature and takes place well after a vulnerability is exploited. Delayed loss may include damage to the company’s reputation, loss of market share, accrued late penalties, civil suits, the delayed collection of funds from customers, and so forth.
Methodologies for Risk Assessment
1) NIST developed a risk methodology, which is published in their SP 800-30 document. This NIST methodology is named a “Risk Management Guide for Information Technology Systems” and is considered a U.S. federal government standard. It is specific to IT threats and how they relate to information security risks. It lays out the following steps:
  • System characterization
  • Threat identification
  • Vulnerability identification
  • Control analysis
  • Likelihood determination
  • Impact analysis
  • Risk determination
  • Control recommendations
  • Results documentation
The NIST risk management methodology is mainly focused on computer systems and IT security issues. It does not cover larger organizational threat types, such as natural disasters, succession planning, environmental issues, or how security risks relate to business risks.
2) FRAP (Facilitated Risk Analysis Process): The crux of this qualitative methodology is to focus only on the systems that really need assessing, to reduce costs and time obligations. The author of this methodology (Thomas Peltier) believes that trying to use mathematical formulas for the calculation of risk is too confusing and time consuming. The goal is to keep the scope of the assessment small and the assessment processes simple to allow for efficiency and cost effectiveness.
3) OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) was created by Carnegie Mellon University’s Software Engineering Institute. It is a methodology that is intended to be used in situations where people manage and direct the risk evaluation for information security within their company. The scope of an OCTAVE assessment is usually very wide compared to the more focused approach of FRAP. Where FRAP would be used to assess a system or application, OCTAVE would be used to assess all systems, applications, and business processes within the organization.
4) While the NIST, FRAP, and OCTAVE methodologies focus on IT security threats and information security risks, AS/NZS 4360 takes a much broader approach to risk management. This Australian and New Zealand methodology can be used to understand a company’s financial, capital, human safety, and business decision risks. Although it can be used to analyze security risks, it was not created specifically for this purpose. This risk methodology is more focused on the health of a company from a business point of view, not security.
5) ISO/IEC 27005 is an international standard for how risk management should be carried out in the framework of an information security management system (ISMS). So where the NIST risk methodology is mainly IT and operationally focused, this methodology deals with IT and the softer security issues (documentation, personnel security, training, etc.). This methodology is to be integrated into an organizational security program that addresses all of the security threats an organization could be faced with.
6) Failure Modes and Effect Analysis (FMEA) is a method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process. It is commonly used in product development and operational environments. The goal is to identify where something is most likely going to break and either fix the flaws that could cause this issue or implement controls to reduce the impact of the break. For example, you might choose to carry out an FMEA on your organization’s network to identify single points of failure. These single points of failure represent vulnerabilities that could directly affect the productivity of the network as a whole.
Fault tree analysis usually proves to be a more useful approach to identifying failures that can take place within more complex environments and systems. Fault tree analysis follows this general process. First, an undesired effect is taken as the root or top event of a tree of logic. Then, each situation that has the potential to cause that effect is added to the tree as a series of logic expressions. Fault trees are then labeled with actual numbers pertaining to failure probabilities. This is typically done by using computer programs that can calculate the failure probabilities from a fault tree.
7) CRAMM (Central Computing and Telecommunications Agency Risk Analysis and Management Method) was created by the United Kingdom, and its automated tools are sold by Siemens. It works in three distinct stages: define objectives, assess risks, and identify countermeasures.
What makes these methodologies different from each other are their unique approaches and focuses. If you need to deploy an organization-wide risk management program and integrate it into your security program, you should follow the ISO/IEC 27005 or OCTAVE methods. If you need to focus just on IT security risks during your assessment, you can follow NIST SP 800-30. If you have a limited budget and need to carry out a focused assessment on an individual system or process, the Facilitated Risk Analysis Process can be followed. If you really want to dig into the details of how a security flaw within a specific system could cause negative ramifications, you could use Failure Modes and Effect Analysis or fault tree analysis. If you need to understand your company’s business risks, then you can follow the AS/NZS 4360 approach.
RISK ANALYSIS APPROACHES
1) A quantitative risk analysis is used to assign monetary and numeric values to all elements of the risk analysis process. Each element within the analysis (asset value, threat frequency, severity of vulnerability, impact damage, safeguard costs, safeguard effectiveness, uncertainty, and probability items) is quantified and entered into equations to determine total and residual risks. It is more of a scientific or mathematical approach to risk analysis compared to a qualitative analysis.
Single Loss Expectancy (SLE): The SLE is a dollar amount that is assigned to a single event that represents the company’s potential loss amount if a specific threat were to take place. The equation is laid out as follows:
Asset Value × Exposure Factor (EF) = SLE
The exposure factor (EF) represents the percentage of loss a realized threat could have on a certain asset.
Annual Loss Expectancy (ALE): SLE × Annualized Rate of Occurrence (ARO) = ALE
The annualized rate of occurrence (ARO) is the value that represents the estimated frequency of a specific threat taking place within a 12-month timeframe.
In risk analysis, uncertainty refers to the degree to which you lack confidence in an estimate.
Quantitative Cons
  • Calculations can be complex. Can management understand how these values were derived?
  • Without automated tools, this process is extremely laborious.
  • More preliminary work is needed to gather detailed information about the environment.
  • Standards are not available. Each vendor has its own way of interpreting the processes and their results.
2) A qualitative risk analysis uses a “softer” approach to the data elements of a risk analysis. It does not quantify that data, which means that it does not assign numeric values to the data so that they can be used in equations. Instead, each risk is assessed in terms of likelihood levels (Rare, Unlikely, Possible, Likely, Almost Certain) and consequence levels (Insignificant, Minor, Moderate, Major, Severe).
The Delphi technique is a group decision method used to ensure that each member gives an honest opinion of what he or she thinks the result of a particular threat will be. This avoids a group of individuals feeling pressured to go along with others’ thought processes and enables them to participate in an independent and anonymous way.
Qualitative Cons
  • The assessments and results are subjective and opinion-based.
  • Eliminates the opportunity to create a dollar value for cost/benefit discussions.
  • Hard to develop a security budget from the results because monetary values are not used.
  • Standards are not available. Each vendor has its own way of interpreting the processes and their results.
Control Selection:
A security control must make good business sense, meaning it is cost-effective (its benefit outweighs its cost). This requires another type of analysis: a cost/benefit analysis. A commonly used cost/benefit calculation for a given safeguard (control) is:
(ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard) = value of safeguard to the company
Total risk is the risk a company faces if it chooses not to implement any type of safeguard.
Residual risk is the risk left over after countermeasures are implemented to reduce the risk to an acceptable level.
  • threats × vulnerability × asset value = total risk
  • (threats × vulnerability × asset value) × controls gap = residual risk
  • total risk – countermeasures = residual risk
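A worked quantitative calculation that ties the SLE and ALE formulas above to the safeguard cost/benefit rule, added here as an example (it is not code from the original post). The asset value, exposure factor, ARO and control costs are constructed sample figures, and the Safeguard class and function names are this example's own.

```python
"""Worked quantitative risk analysis: SLE, ALE and safeguard cost/benefit.

Added example, not code from the original post. Every asset value, exposure
factor, ARO figure and control cost below is a constructed sample number.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value x Exposure Factor (EF = fraction of the asset lost per event)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x Annualized Rate of Occurrence (expected events per 12 months)."""
    return sle * aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float  # annualized cost of the control
    new_ef: float       # exposure factor once the control is in place
    new_aro: float      # rate of occurrence once the control is in place


def safeguard_value(asset_value: float, ef: float, aro: float, sg: Safeguard) -> float:
    """(ALE before) - (ALE after) - (annual cost of safeguard) = value to the company."""
    ale_before = annual_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    ale_after = annual_loss_expectancy(single_loss_expectancy(asset_value, sg.new_ef), sg.new_aro)
    return round(ale_before - ale_after - sg.annual_cost, 2)


def rank_safeguards(asset_value, ef, aro, candidates):
    """Keep only controls whose value is positive (they pay for themselves), best first."""
    scored = [(sg.name, safeguard_value(asset_value, ef, aro, sg)) for sg in candidates]
    return sorted((s for s in scored if s[1] > 0), key=lambda s: s[1], reverse=True)


# Constructed scenario: a $1,000,000 customer database; a breach would expose
# 25% of its value (EF 0.25) and is expected about once a decade (ARO 0.1).
ASSET_VALUE, EF, ARO = 1_000_000.0, 0.25, 0.1
CANDIDATES = [
    Safeguard("Encrypt database and backups", 5_000.0, new_ef=0.05, new_aro=0.1),
    Safeguard("Warm disaster-recovery site", 40_000.0, new_ef=0.25, new_aro=0.02),
    Safeguard("Staff awareness training", 3_000.0, new_ef=0.25, new_aro=0.05),
]

if __name__ == "__main__":
    for name, value in rank_safeguards(ASSET_VALUE, EF, ARO, CANDIDATES):
        print(f"{name}: worth ${value:,.0f} per year to the company")
```

The disaster-recovery site drops out of the ranking because its annual cost exceeds the ALE reduction it buys, which is the page's rule that a control is not justified unless the loss it prevents exceeds its own annualized cost.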
Handling Risk
  1. Many types of insurance are available to companies to protect their assets. If a company decides the total risk is too high to gamble with, it can purchase insurance, which would transfer the risk to the insurance company.
  2. If a company decides to terminate the activity that is introducing the risk, this is known as risk avoidance.
  3. Another approach is risk mitigation, where the risk is reduced to a level considered acceptable enough to continue conducting business.
  4. The last approach is to accept the risk, which means the company understands the level of risk it is faced with, as well as the potential cost of damage, and decides to just live with it and not implement the countermeasure.
A security policy is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization. A security policy can be an organizational policy, an issue-specific policy, or a system-specific policy. In an organizational security policy, management establishes how a security program will be set up, lays out the program’s goals, assigns responsibilities, shows the strategic and tactical value of security, and outlines how enforcement should be carried out. This policy must address relevant laws, regulations, and liability issues, and how they are to be satisfied. The organizational security policy provides scope and direction for all future security activities within the organization. It also describes the amount of risk senior management is willing to accept.
An issue-specific policy, also called a functional policy, addresses specific security issues that management feels need more detailed explanation and attention to make sure a comprehensive structure is built and all employees understand how they are to comply with these security issues. For example, an organization may choose to have an e-mail security policy.
A system-specific policy presents management’s decisions that are specific to the actual computers, networks, and applications. An organization may have a system-specific policy outlining how a database containing sensitive information should be protected, who can have access, and how auditing should take place.
Types of Policies:
Policies generally fall into one of the following categories:
• Regulatory: This type of policy ensures that the organization is following standards set by specific industry regulations (HIPAA, GLBA, SOX, PCI-DSS, etc.). It is very detailed and specific to a type of industry. It is used in financial institutions, healthcare facilities, public utilities, and other government-regulated industries.
• Advisory: This type of policy strongly advises employees as to which types of behaviors and activities should and should not take place within the organization. It also outlines possible ramifications if employees do not comply with the established behaviors and activities. This policy type can be used, for example, to describe how to handle medical or financial information.
• Informative: This type of policy informs employees of certain topics. It is not an enforceable policy, but rather one that teaches individuals about specific issues relevant to the company. It could explain how the company interacts with partners, the company’s goals and mission, and a general reporting structure in different situations.
Standards refer to mandatory activities, actions, or rules. Standards can give a policy its support and reinforcement in direction. Organizational security standards may specify how hardware and software products are to be used.
The term baseline refers to a point in time that is used as a comparison for future changes. Once risks have been mitigated and security put in place, a baseline is formally reviewed and agreed upon, after which all further comparisons and development are measured against it.
Guidelines are recommended actions and operational guides to users, IT staff, operations staff, and others when a specific standard does not apply. Guidelines can deal with the methodologies of technology, personnel, or physical security.
Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal. The steps can apply to users, IT staff, operations staff, security members, and others who may need to carry out specific tasks.
