Introduction to Information Security Chapter N


Learning Objectives
Upon completion of this material, you should be able to:
- Define risk management, risk identification, and risk control
- Understand how risk is identified and assessed
- Assess risk based on probability of occurrence and impact on an organization
- Grasp the fundamental aspects of documenting risk through the creation of a risk assessment
Principles of Information Security, 2nd Edition
2
Learning Objectives (continued)
- Describe the risk mitigation strategy options for controlling risks
- Identify the categories that can be used to classify controls
- Recognize the conceptual frameworks that exist for evaluating risk controls and be able to formulate a cost benefit analysis
- Understand how to maintain and perpetuate risk controls
Introduction
- Risk management: process of identifying and controlling risks facing an organization
- Risk identification: process of examining an organization’s current information technology security situation
- Risk control: applying controls to reduce risks to an organization’s data and information systems
An Overview of Risk Management
- Know yourself: identify, examine, and understand the information and systems currently in place
- Know the enemy: identify, examine, and understand threats facing the organization
- Responsibility of each community of interest within an organization to manage risks that are encountered
The Roles of the Communities of Interest
- Information security, management and users, and information technology all must work together
- Management review:
  - Verify completeness/accuracy of asset inventory
  - Review and verify threats as well as controls and mitigation strategies
  - Review cost effectiveness of each control
  - Verify effectiveness of controls deployed
Risk Identification
- Assets are targets of various threats and threat agents
- Risk management involves identifying organization’s assets and identifying threats/vulnerabilities
- Risk identification begins with identifying organization’s assets and assessing their value
Asset Identification and Valuation
- Iterative process; begins with identification of assets, including all elements of an organization’s system (people, procedures, data and information, software, hardware, networking)
- Assets are then classified and categorized
Table 4-1 – Categorizing Components
People, Procedures, and Data Asset Identification
- Human resources, documentation, and data information assets are more difficult to identify
- People with knowledge, experience, and good judgment should be assigned this task
- These assets should be recorded using a reliable data-handling process
People, Procedures, and Data Asset Identification (continued)
- Asset attributes for people: position name/number/ID; supervisor; security clearance level; special skills
- Asset attributes for procedures: description; intended purpose; what elements it is tied to; storage location for reference; storage location for update
- Asset attributes for data: classification; owner/creator/manager; data structure size; data structure used; online/offline; location; backup procedures employed
Hardware, Software, and Network Asset Identification
- What information attributes to track depends on:
  - Needs of organization/risk management efforts
  - Management needs of information security/information technology communities
- Asset attributes to be considered are: name; IP address; MAC address; element type; serial number; manufacturer name; model/part number; software version; physical or logical location; controlling entity
Information Asset Classification
- Many organizations have data classification schemes (e.g., confidential, internal, public data)
- Classification of components must be specific to allow determination of priority levels
- Categories must be comprehensive and mutually exclusive
Information Asset Valuation
- Questions help develop criteria for asset valuation: which information asset
  - is most critical to organization’s success?
  - generates the most revenue/profitability?
  - would be most expensive to replace or protect?
  - would be the most embarrassing or cause greatest liability if revealed?
Figure 4-3 – Example Worksheet
Listing Assets in Order of Importance
- Create weighting for each category based on the answers to questions
- Calculate relative importance of each asset using weighted factor analysis
- List the assets in order of importance using a weighted factor analysis worksheet
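The weighted factor analysis worksheet as runnable code; this is an added example, not code from the textbook, and the criteria names, weights and asset scores are constructed sample values:

```python
"""Weighted factor analysis worksheet for ranking information assets.

Added example (not from the textbook). Criteria, weights and asset scores
are constructed sample data in the style of a weighted factor worksheet.
"""
from dataclasses import dataclass

# Weights express how much each valuation question matters; the worksheet
# convention assumed here is that they total 100.
CRITERIA_WEIGHTS = {
    "impact_to_revenue": 30,
    "impact_to_profitability": 40,
    "impact_to_public_image": 30,
}


@dataclass(frozen=True)
class Asset:
    name: str
    scores: dict  # criterion -> score from 0.1 (lowest) to 1.0 (highest)


# Constructed sample assets (hypothetical names and scores).
SAMPLE_ASSETS = [
    Asset("EDI supplier orders (outbound)",
          {"impact_to_revenue": 0.8, "impact_to_profitability": 0.9,
           "impact_to_public_image": 0.5}),
    Asset("Customer orders via SSL (inbound)",
          {"impact_to_revenue": 1.0, "impact_to_profitability": 1.0,
           "impact_to_public_image": 1.0}),
    Asset("Supplier fulfilment advice (inbound)",
          {"impact_to_revenue": 0.4, "impact_to_profitability": 0.5,
           "impact_to_public_image": 0.3}),
    Asset("Customer service requests via e-mail (inbound)",
          {"impact_to_revenue": 0.4, "impact_to_profitability": 0.4,
           "impact_to_public_image": 0.9}),
]


def weighted_score(asset, weights=CRITERIA_WEIGHTS):
    """Sum of score x weight over all criteria, rejecting malformed rows."""
    if sum(weights.values()) != 100:
        raise ValueError("criteria weights must total 100")
    total = 0.0
    for criterion, weight in weights.items():
        if criterion not in asset.scores:
            raise ValueError(f"{asset.name!r} has no score for {criterion}")
        score = asset.scores[criterion]
        if not 0.1 <= score <= 1.0:
            raise ValueError(f"score {score} for {criterion} is outside 0.1..1.0")
        total += score * weight
    return round(total, 1)


def rank_assets(assets, weights=CRITERIA_WEIGHTS):
    """Worksheet rows (name, weighted score), most important first."""
    rows = [(a.name, weighted_score(a, weights)) for a in assets]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for name, score in rank_assets(SAMPLE_ASSETS):
        print(f"{score:6.1f}  {name}")
```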
Table 4-2 – Example Weighted Factor Analysis
Data Classification and Management
- Variety of classification schemes used by corporate and military organizations
- Information owners responsible for classifying their information assets
- Information classifications must be reviewed periodically
- Most organizations do not need detailed level of classification used by military or federal agencies; however, organizations may need to classify data to provide protection
Security Clearances
- Security clearance structure: each data user assigned a single level of authorization indicating classification level
- Before accessing specific set of data, employee must meet need-to-know requirement
- Extra level of protection ensures information confidentiality is maintained
Management of Classified Data
- Storage, distribution, portability, and destruction of classified data
- Information not unclassified or public must be clearly marked as such
- Clean desk policy requires all information be stored in appropriate storage container daily; unneeded copies of classified information are destroyed
- Dumpster diving can compromise information security
Threat Identification
- Realistic threats need investigation; unimportant threats are set aside
- Threat assessment:
  - Which threats present danger to assets?
  - Which threats represent the most danger to information?
  - How much would it cost to recover from attack?
  - Which threat requires greatest expenditure to prevent?
Vulnerability Identification
- Specific avenues threat agents can exploit to attack an information asset are called vulnerabilities
- Examine how each threat could be perpetrated and list organization’s assets and vulnerabilities
- Process works best when people with diverse backgrounds within organization work iteratively in a series of brainstorming sessions
- At end of risk identification process, list of assets and their vulnerabilities is achieved
Risk Assessment
- Risk assessment evaluates the relative risk for each vulnerability
- Assigns a risk rating or score to each information asset
Valuation of Information Assets
- Assign weighted scores for value of each asset; actual number used can vary with needs of organization
- To be effective, assign values by asking questions:
  - Which threats present danger to assets?
  - Which threats represent the most danger to information?
  - How much would it cost to recover from attack?
  - Which threat requires greatest expenditure to prevent?
- Finally: which of the above questions for each asset is most important to protection of organization’s information?
Risk Determination
- For the purpose of relative risk assessment, risk equals:
  - Likelihood of vulnerability occurrence TIMES value (or impact)
  - MINUS percentage risk already controlled
  - PLUS an element of uncertainty
Identify Possible Controls
- For each threat and associated vulnerabilities that have residual risk, create preliminary list of control ideas
- Residual risk is risk that remains to information asset even after existing control has been applied
Access Controls
- Specifically address admission of a user into a trusted area of organization
- Access controls can be:
  - Mandatory
  - Nondiscretionary
  - Discretionary
Types of Access Controls
- Mandatory access controls (MAC): give users and data owners limited control over access to information
- Nondiscretionary controls: managed by a central authority in organization; can be based on individual’s role (role-based controls) or a specified set of assigned tasks (task-based controls)
- Discretionary access controls (DAC): implemented at discretion or option of data user
- Lattice-based access control: variation of MAC; users assigned matrix of authorizations for areas of access
Documenting the Results of Risk Assessment
- Final summary is compiled in a ranked vulnerability risk worksheet
- Worksheet details asset, asset impact, vulnerability, vulnerability likelihood, and risk-rating factor
- Ranked vulnerability risk worksheet is initial working document for next step in risk management process: assessing and controlling risk
Risk Control Strategies
- Once ranked vulnerability risk worksheet complete, must choose one of four strategies to control each risk:
  - Apply safeguards (avoidance)
  - Transfer the risk (transference)
  - Reduce impact (mitigation)
  - Understand consequences and accept risk (acceptance)
Avoidance
- Attempts to prevent exploitation of the vulnerability
- Preferred approach; accomplished through countering threats, removing asset vulnerabilities, limiting asset access, and adding protective safeguards
- Three common methods of risk avoidance:
  - Application of policy
  - Training and education
  - Applying technology
Transference
- Control approach that attempts to shift risk to other assets, processes, or organizations
- If lacking, organization should hire individuals/firms that provide security management and administration expertise
- Organization may then transfer risk associated with management of complex systems to another organization experienced in dealing with those risks
Mitigation
- Attempts to reduce impact of vulnerability exploitation through planning and preparation
- Approach includes three types of plans:
  - Incident response plan (IRP)
  - Disaster recovery plan (DRP)
  - Business continuity plan (BCP)
Mitigation (continued)
- DRP is most common mitigation procedure
- The actions to take while an incident is in progress are defined in the IRP
- BCP encompasses continuation of business activities if catastrophic event occurs
Acceptance
- Doing nothing to protect a vulnerability and accepting the outcome of its exploitation
- Valid only when the particular function, service, information, or asset does not justify cost of protection
- Risk appetite describes the degree to which organization is willing to accept risk as trade-off to the expense of applying controls
Selecting a Risk Control Strategy
- Level of threat and value of asset play major role in selection of strategy
- Rules of thumb on strategy selection can be applied:
  - When a vulnerability exists
  - When a vulnerability can be exploited
  - When attacker’s cost is less than potential gain
  - When potential loss is substantial
Figure 4-8 – Risk Handling Decision Points
Categories of Controls
- Controlling risk through avoidance, mitigation or transference accomplished by implementing controls
- Effective approach is to select controls by category:
  - Control function
  - Architectural layer
  - Strategy layer
  - Information security principle
Categories of Controls (continued)
- Control function: controls (safeguards) designed to defend systems are either preventive or detective
- Architectural layer: some controls apply to one or more layers of organization’s technical architecture
- Strategy layer: controls sometimes classified by risk control strategy (avoidance, mitigation, transference) in which they operate
Characteristics of Secure Information
- Controls can be classified according to the characteristics of secure information they are intended to assure
- These characteristics include: confidentiality; integrity; availability; authentication; authorization; accountability; privacy
Feasibility Studies
- Before deciding on strategy, all information about economic/non-economic consequences of vulnerability of information asset must be explored
- A number of ways exist to determine advantage of a specific control
Cost Benefit Analysis (CBA)
- Most common approach for information security controls is economic feasibility of implementation
- CBA is begun by evaluating worth of assets to be protected and the loss in value if those assets are compromised
- The formal process to document this is called cost benefit analysis or economic feasibility study
Cost Benefit Analysis (CBA) (continued)
- Items that impact cost of a control or safeguard include: cost of development; training fees; implementation cost; service costs; cost of maintenance
- Benefit is the value an organization realizes by using controls to prevent losses associated with a vulnerability
- Asset valuation is process of assigning financial value or worth to each information asset; there are many components to asset valuation
Cost Benefit Analysis (CBA) (continued)
- Once worth of various assets is estimated, potential loss from exploitation of vulnerability is examined
- Process results in estimate of potential loss per risk
- Expected loss per risk stated in the following equation: Annualized loss expectancy (ALE) equals Single loss expectancy (SLE) TIMES Annualized rate of occurrence (ARO)
- SLE is equal to asset value times exposure factor (EF)
The Cost Benefit Analysis (CBA) Formula
- CBA determines whether or not control alternative being evaluated is worth cost incurred to control vulnerability
- CBA most easily calculated using ALE from earlier assessments, before implementation of proposed control: CBA = ALE(prior) – ALE(post) – ACS
- ALE(prior) is annualized loss expectancy of risk before implementation of control
- ALE(post) is estimated ALE based on control being in place for a period of time
- ACS is the annualized cost of the safeguard
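The ALE and CBA formulas above applied to a set of control alternatives, as an added example that is not the textbook's own code; the asset value, exposure factors, rates and control names are constructed sample figures:

```python
"""Cost benefit analysis of control alternatives using ALE.

Added example (not from the textbook). Applies the slide's formulas:
    SLE = asset value x exposure factor (EF)
    ALE = SLE x annualized rate of occurrence (ARO)
    CBA = ALE(prior) - ALE(post) - ACS
All currency figures, rates and control names are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LossExposure:
    asset_value: float       # AV, currency units
    exposure_factor: float   # EF, fraction of AV lost per incident, 0..1
    annual_rate: float       # ARO, expected incidents per year

    def sle(self):
        return self.asset_value * self.exposure_factor

    def ale(self):
        return self.sle() * self.annual_rate


@dataclass(frozen=True)
class ControlOption:
    name: str
    annual_cost: float       # ACS, annualized cost of the safeguard
    post: LossExposure       # exposure expected once the control is in place


def cba(prior, option):
    """Net annual benefit of one control; negative means it costs more than it saves."""
    return prior.ale() - option.post.ale() - option.annual_cost


def best_control(prior, options):
    """Pick the option with the largest positive CBA; None if none pays for itself."""
    candidates = [(cba(prior, o), o) for o in options]
    candidates = [(value, o) for value, o in candidates if value > 0]
    if not candidates:
        return None
    return max(candidates, key=lambda c: c[0])[1]


# Constructed scenario: a 1,000,000 asset, 20% lost per incident, one incident every two years.
PRIOR = LossExposure(asset_value=1_000_000, exposure_factor=0.2, annual_rate=0.5)

OPTIONS = [
    # Cuts expected incidents to one every ten years for 25,000 a year.
    ControlOption("patch management service", 25_000, LossExposure(1_000_000, 0.2, 0.1)),
    # Eliminates the loss entirely but costs more than the loss it prevents.
    ControlOption("full system replacement", 120_000, LossExposure(1_000_000, 0.0, 0.5)),
]


if __name__ == "__main__":
    print(f"ALE before controls: {PRIOR.ale():,.0f}")
    for o in OPTIONS:
        print(f"{o.name}: CBA = {cba(PRIOR, o):,.0f}")
    choice = best_control(PRIOR, OPTIONS)
    print("recommended:", choice.name if choice else "accept the risk")
```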
Benchmarking
- An alternative approach to risk management
- Benchmarking is process of seeking out and studying practices in other organizations that one’s own organization desires to duplicate
- One of two measures typically used to compare practices:
  - Metrics-based measures
  - Process-based measures
Benchmarking (continued)
- Standard of due care: when adopting levels of security for a legal defense, organization shows it has done what any prudent organization would do in similar circumstances
- Due diligence: demonstration that organization is diligent in ensuring that implemented standards continue to provide required level of protection
- Failure to support standard of due care or due diligence can leave organization open to legal liability
Benchmarking (continued)
- Best business practices: security efforts that provide a superior level of protection of information
- When considering best practices for adoption in an organization, consider:
  - Does organization resemble identified target with best practice?
  - Are resources at hand similar?
  - Is organization in a similar threat environment?
Problems with Applying Benchmarking and Best Practices
- Organizations don’t talk to each other (biggest problem)
- No two organizations are identical
- Best practices are a moving target
- Knowing what was going on in information security industry in recent years through benchmarking doesn’t necessarily prepare for what’s next
Baselining
- Analysis of measures against established standards
- In information security, baselining is comparison of security activities and events against an organization’s future performance
- Useful when baselining to have a guide to the overall process
Other Feasibility Studies
- Operational: examines how well proposed information security alternatives will contribute to organization’s efficiency, effectiveness, and overall operation
- Technical: examines whether or not organization has or can acquire the technology necessary to implement and support the control alternatives
- Political: defines what can/cannot occur based on consensus and relationships between communities of interest
Risk Management Discussion Points
- Organizations must define the level of risk they can live with
- Risk appetite: defines quantity and nature of risk that organizations are willing to accept as tradeoffs between perfect security and unlimited accessibility are weighed
- Residual risk: risk that has not been completely removed, shifted, or planned for
Documenting Results
- At minimum, each information asset-threat pair should have documented control strategy clearly identifying any remaining residual risk
- Another option: document outcome of control strategy for each information asset-vulnerability pair as an action plan
- Risk assessment may be documented in a topic-specific report
Recommended Practices in Controlling Risk
- Convince budget authorities to spend up to value of asset to protect from identified threat
- Final control choice may be balance of controls providing greatest value to as many asset-threat pairs as possible
- Organizations look to implement controls that don’t involve such complex, inexact and dynamic calculations
Qualitative Measures
- Spectrum of steps described previously—performed with real numbers—known as a quantitative assessment
- Qualitative assessment: based on characteristics that do not use numerical measures
Delphi Technique
- A technique for accurately estimating scales and values
- Process whereby a group of individuals rates or ranks a set of information
- Responses compiled and returned to group for another iteration
- Process continues until group is satisfied with result
Summary
- Risk identification: formal process of examining and documenting risk present in information systems
- Risk control: process of taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of components in organization’s information system
- Risk identification
  - A risk management strategy enables identification, classification, and prioritization of organization’s information assets
- Residual risk: risk that remains to the information asset even after the existing control is applied
Summary
- Risk control: four strategies are used to control risks that result from vulnerabilities:
  - Apply safeguards (avoidance)
  - Transfer the risk (transference)
  - Reduce impact (mitigation)
  - Understand consequences and accept risk (acceptance)