ISC2 Philadelphia Seminar
Lucent Worldwide Services
Security Practice
Risk Tolerance: Balancing Business Needs And Risk
ISC2 Philadelphia Seminar November 3, 2005
George G. McBride, CISSP, CISM
Managing Principal
Lucent Worldwide Services Security Practice
Agenda
What is risk?
How can we measure it?
How do we know what is an acceptable level of risk?
Making the comparison and dealing with risk
Conclusions
Questions and Answers
Lucent Technologies – ISC2 Philadelphia 2005
2
What is risk?
No universally recognized “Definition”
The exposure/potential/possibility to suffer some loss of an asset
What about likelihood and impact?
The most important concept:
– When talking about “risk”, make sure you
agree on what definition you are using!
Can be qualitative or quantitative
Plugging In Some Numbers
Qualitative: Uses some reference point such as
another “level” of risk for comparison
Quantitative: Uses solid numbers and dollars:
– SLE: Single Loss Expectancy
Likelihood
– ARO: Annual Rate of Occurrence
– ALE: Annual Loss Expectancy
Impact
– Cost of A Control: How much is that additional control such as
a firewall or anti-virus software package?
Quantitative Analysis
A very simplified version that ignores Net Present Value and Return
On Investment (ROI):
If the virus attack happens, it will cost $200,000 to clean it up
– SLE=$200,000.00
An event happens once every 4 years
– ARO= .25
Company can expect to lose $200,000 every 4 years
– ALE = $50,000.00
Cost of the control to deploy a corporate wide anti-virus solution is
$125,000.00 for the first year and $25,000 per year afterwards
You can reach a solid conclusion now!
What types of risk are there?
Strategic Risk
– Risks that affect an organization’s ability to reach its goals
Financial Risk
– Risks of a company to suffer unnecessary losses
Environmental (Physical) Risk
– Risks of a company moving or of physical damage
Operational Risk
Technical Risk
– Business Continuity, Integrity, Change Management, Disclosure
Political/Cultural Risk
– Personal agendas, regulatory, customer constraints
What do we have to measure?
Threats
Threat Assessment and
Threat Matrix
– Likelihood
– Impact
Vulnerabilities
Vulnerability Assessment
Controls Effectiveness
Controls Assessment
The Risk Equation is Simple. Obtaining the Correct Values is Not
Asset Identification
What are the assets within an organization?
– Systems, buildings, cars, people, products
– Business processes, applications, data
How, and by whom, are the assets determined?
– Commissioning, asset management, purchasing records,
DHCP records, Active Directory
How often are the assets identified?
Asset Ownership and Management
Asset owner is usually the system administrator or
someone from the support organization
– What data?
– Who has access?
– What inputs and outputs?
Should be a business unit representative:
– Someone who can identify the data on the system
– Someone who can determine the users of the system
– Someone who understands the data flow (inbound and
outbound)
Risk Speak
So many terms with so many equally valid definitions:
– Threat Agent
– Threat Catalyst
– Inhibitors / Amplifiers
– Capability
– Motivation
– And More!
Traditional Risk Management
Mitigate all risks to effectively reduce risk to ZERO
– Risk > 0 becomes Unacceptable
Extremely costly
Slow to mitigate the risks
Generally shuts the business down.
– How do you remove the risk of a production system?
[Chart: Risk (vertical axis) against Asset Criticality and Sensitivity (horizontal axis); everything above the 0 line is marked “Unacceptable”]
Risk Management as an Enabler
Allows a business to measure the level of risk that they are “comfortable with”
Drive to mitigate risks to below the acceptable level, not zero
Acceptable level of risk may be by asset, physical location of device, corporate posture, etc.
Business enabler
[Chart: Risk (vertical axis) against Asset Criticality and Sensitivity (horizontal axis); a “Risk Tolerance” line separates the “Unacceptable” region above it from the “Acceptable” region between it and 0]
Acceptable Levels of Risk Factors
How does a company determine their acceptable level
of risk?
– Organization Risk Tolerance: Is the company a former brick &
mortar type firm with a conservative approach or a progressive
Silicon Valley firm looking to be the first to market?
– Personnel Tolerance: Individuals within the organization will
affect the tolerance levels
– Reaction to Previous Events: What were the results of any
previous compromises/intrusions/breaches?
– Policy, Regulations, Legal Issues: These may determine what
level of risk a company can deal with
– Risk Scope: An organization may be focused on a particular
system, but need to be aware of additional connectivity issues
Advantages of “Acceptable Risk”
Truly serves as a business enabler
– This redefines the concept of “business vs security”
Competitive Advantage?
– Absolutely! Get services to market first!
Focus on fixing the risks that you have to address
May maintain various levels of acceptable risk
– Logical & Physical Location, Scope, Connectivity, Customer
Base and usage
Risk Management
What stays the same?
– Still need a Risk Management Program
– Still need to know what the assets are
– Still need to have some type of risk assessment methodology
– Still need a risk management organization
– Still need to agree on a measurement mechanism
• Quantitative or Qualitative
– Risk Measurement is not a one-off effort
• Trigger points should initiate risk analysis at potential risk
value change points during the asset lifecycle
– Still need to mitigate the risk
Risk Management – What Must Change
Modifications of the existing risk management program:
– Ensure that acceptable risk doesn’t slide below an agreed-upon
threshold
– Security analysts need to be business and operations savvy to
understand business drivers
– Continuously monitor external resources such as new
regulations, technologies, and what the competition is doing
– Process to determine whether to continue to mitigate further
below “Acceptable Risk” or to move on
Risk Management Lifecycle
[Diagram: the following stages shown as a continuous cycle]
– Identify Assets / Ownership
– Threat Assessment
– Vulnerability Assessment
– Identify and Measure Controls
– Measure Risk and Implement Additional Controls
– Monitor
Risk Management Program Plan
Develop a “Risk Management Program Plan”
– Defines the overall structure and program of the risk
management efforts of the organization
– Describes the organizational structure, roles and
responsibilities of the members
– Provides metrics, governance, compliance issues, reporting
mechanisms, etc.
– Should place a “Risk Management Director/Officer” with the
overall Corporate level responsibility
• manages the risk management organization and activities
– Database may be used to support the Program
Risk Database
Maintains Threats, Vulnerabilities, Controls, Likelihood, Impacts
Can be utilized for Quantitative and Qualitative efforts
Can prompt for periodic assessment reminders
Integrate with, or be, the Asset Database
Can be used to provide Enterprise Risk Management functions
including:
– Dashboard
– Tiered and Segmented Reporting
Is extremely valuable to malicious individuals and must be
protected accordingly
Supports compliance and governance matters
Trigger Points
You can’t just measure the risk of an asset every year
or two. Certain changes must trigger a risk
measurement of the asset.
A “Trigger Point” is a Risk Management program call
that is inserted into other operations and programs to
ensure that Risk Management is considered as part of
certain programs and at the appropriate times.
– Business Impact Analysis
– Change Management
– Acquisitions
– System Commissioning or Decommissioning
Risk Methodologies
Many different types. Some fit better in particular companies or
industries than others.
– OCTAVE: Operationally Critical Threat, Asset, and Vulnerability
Evaluation (http://www.cert.org/octave/)
– SPRINT, SARA, FIRM (http://www.securityforum.org)
• (Restricted to ISF Members Only)
– CRAMM (http://www.cramm.com/)
– RiskWatch, COBRA, and many others
Choose the one that works the best for you.
– Industry / Business Sector – Some tools work better than others
– Collateral Support - Including tools and training availability
– Industry Support – Who recognizes which methodologies
Summary
Know Your Assets!
Devote the required resources
Determine your “Acceptable Level of Risk”
– Use a consistent measurement unit
• Your “Medium” may not be somebody else’s “5”
– Determine the scope of the Acceptable Level
• Is it for all assets or particular assets
– Measure the level of risk
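The summary's two points, a consistent measurement unit and a per-asset acceptable level, worked in code as an added example (not from the talk): ratings that arrive as words from one team and as 1..5 numbers from another are mapped onto one scale, and each asset is checked against the tolerance set for its class rather than against zero. The scale mapping, asset classes, tolerance values and the register entries are all constructed for illustration.

```python
# Added example: normalise mixed qualitative/quantitative ratings onto one scale
# and report only the assets sitting above their class's risk tolerance.
# Scale mapping, classes, tolerances and register rows are constructed.
QUALITATIVE = {"low": 1, "medium": 3, "high": 5}  # one team's words -> shared 1..5 scale


def normalize(rating) -> int:
    """Map a 'Medium' or a '5' onto the same 1..5 scale (your Medium may not be somebody else's 5)."""
    if isinstance(rating, str):
        return QUALITATIVE[rating.strip().lower()]
    value = int(rating)
    if not 1 <= value <= 5:
        raise ValueError(f"rating {rating!r} outside the agreed 1..5 scale")
    return value


def risk_score(likelihood, impact) -> int:
    """Likelihood x Impact on the shared scale, so scores range 1..25."""
    return normalize(likelihood) * normalize(impact)


# Tolerance is agreed per asset class, not one number for the whole enterprise.
TOLERANCE = {"production": 6, "internal": 12, "lab": 20}


def assess(register, tolerance=TOLERANCE):
    """Return (name, score, limit, excess) for every asset above its class tolerance.

    The excess is what still has to be mitigated; assets at or below the line
    are accepted risk and are deliberately left alone."""
    findings = []
    for asset in register:
        score = risk_score(asset["likelihood"], asset["impact"])
        limit = tolerance[asset["class"]]
        if score > limit:
            findings.append((asset["name"], score, limit, score - limit))
    return findings


# Constructed register: two teams rating with different vocabularies.
REGISTER = [
    {"name": "billing-db", "class": "production", "likelihood": "Medium", "impact": "High"},
    {"name": "intranet-wiki", "class": "internal", "likelihood": 4, "impact": 3},
    {"name": "test-rig", "class": "lab", "likelihood": "High", "impact": "High"},
    {"name": "hr-portal", "class": "production", "likelihood": 1, "impact": 5},
]

if __name__ == "__main__":
    for name, score, limit, excess in assess(REGISTER):
        print(f"{name}: risk {score} exceeds tolerance {limit} by {excess}")
```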
Any questions?
Contact me at [email protected] with any questions that
you may have.
Lucent Technologies
Bell Labs Innovations
George McBride
Managing Principal
Lucent Worldwide Services
Lucent Technologies Inc.
Room 1B-237A
101 Crawfords Corner Road
Holmdel, NJ 07733
Phone: +1.732.949.3408
E-mail: [email protected]