Risk Assessment - Where
Security Meets Compliance
Caroline R. Hamilton, CEO
RiskWatch, Inc.
3 New Watchwords
1. Governance
2. Risk
3. Compliance
TJMAXX
• TJX discovered the intrusion in December and reported
it to authorities in the U.S. and Canada as well as the
major credit card companies and its payment
processors. At the request of law enforcement, the
breach was kept quiet until Wednesday, TJX said.
• The breach appears broad. In Massachusetts, 28 banks
have been contacted by credit card companies
indicating that some of their customers have had
personal information that may have been exposed, the
Massachusetts Bankers Association said in a statement
Thursday. That number is likely to grow as more banks
report into the association, it said.
Governance, Risk & Compliance
Compliance
Sarbanes Oxley has increased the accountability of management
New regulations for financial institutions require every institution
complete a risk analysis by December 2006
Risk - Physical Security
Increase in terrorism around the world has hit multi-nationals
Cargo security now requires risk analysis
Workplace violence continues to affect U.S. companies
Concept of Integrated, Holistic Security
Governance - Information Technology
IT has become an essential part of most organizations
New international standards require more IT risk analysis
New Requirements for
Security Risk Assessments
Based on Published Standards
Governments are instituting requirements or
expecting that companies will perform security
risk assessments. Assessments can include
identification of threats, vulnerabilities, and — based
on both — an analysis of security gaps and mitigation
strategies. Some of the assessment requirements also
require that companies identify the most critical
assets and propose plans to protect core business
functions and human assets.
Compliance Regulations,
Standards and Guidelines
Financial & Regulatory Compliance
PHYSICAL SECURITY
GLBA (Gramm Leach Bliley Act)
FFIEC Audit Framework for Information
Security and for Risk Analysis
California SB 1386 (Identity Theft)
Bank Secrecy Act (BSA)
PCI Data Security Standard
Sarbanes Oxley Act
HIPAA
Health Insurance Portability and
Accountability Act of 1996
Utilities
NERC – CIP 002-009
(North American Electric Reliability Council)
Critical Infrastructure Protection
Nuclear Power Generators
NRC (Nuclear Regulatory Commission) &
NEI (Nuclear Energy Institute)
• Army Field Manual Best Practices
• FEMA 426 – Protecting Buildings Against
Terrorism
C-TPAT (Customs Trade Partnership Against
Terrorism)
FEMA 426 – School Security Guidelines
NFPA
Maritime & Port Security – ISPS, MTSA
Information Security/ISO 17799
NIST 800-26, NIST 800-53
ISO/IEC 17799:2005
ISO/IEC 27001
Office of Management and Budget
(OMB) A-123, A-124, A-127, and A-130
COBIT 4
Mapping to Audit
• Must map to audit Guidelines – ISACA
(ASIS partner organization)
• Every Vulnerability or Risk Assessment
Ends Up with Corporate Management –
CFO or IG
• Executives are being held PERSONALLY
ACCOUNTABLE and need the assessments to
demonstrate Due Care
APPROACH TO GOOD SECURITY
“The approach to good security is fundamentally
similar regardless of the assets being protected. As GAO
has previously reported for homeland security and
information systems security, applying risk management
principles can provide a sound foundation for effective
security whether the assets are information, operations,
people, or facilities. These principles, which have been
followed by members of the intelligence and defense
community for many years, can be reduced to five basic
steps:
GAO-02-687T National Security
ELEMENTS OF RISK ASSESSMENT VS.
COMPLIANCE ASSESSMENT
ASSETS
THREATS
VULNERABILITIES
LOSSES
SAFEGUARDS
What Is Risk Assessment
compared to a Site Survey ?
• A process used to determine what controls are needed
to protect critical or sensitive assets adequately & cost-effectively
• The process examines five variable functions:
1. Specific Assets to be protected (value)
2. Potential Threats to the various assets
3. Vulnerabilities that would allow the threats to
materialize
4. Kinds of Losses that the threats could cause
5. Safeguards that would reduce the loss or
eliminate the threats
The Risk Assessment Process
(Process diagram, shown here as a list of its components: Respondents; Automated Survey; Management Customization; Analyst Process Management; Data Aggregation & Analysis; Content (Rules & Data); Reporting; Risk Analysis)
Estimating Asset Values
FINDING THREAT DATA OR INPUT YOUR OWN
ORGANIZATIONAL DATA SUCH AS INCIDENT
REPORT DATA
• Quantified threat data is hard to find.
• Categories of Threats:
Natural Disasters, Criminal Activity
Terrorism, Theft, Systems Failures
• Collect data from Web Sources, government data,
weather data, crime casts, global info services,
access control systems, incident logs.
• Use data from internally collected sources
Standard Threat Data or Enter
your own Site Specific Incident Data
Discovering Vulnerabilities
• Vulnerabilities are specific to each organization
• Can be completed by the analyst alone
• Or include key individuals
• Web-Based surveys increase accuracy and
speed of survey collection & aggregation
Question answers map up to over
forty customizable vulnerability areas
Analysts Can Customize Questions or
Add New Questions
• Questions Follow Audit Format
• Control Standard matches Question
• Analyst Sets Threshold for Compliance
• Questions Validate Compliance with Standards
• Analyst can Add, Delete or Modify Questions
SAMPLE QUESTION CREATION
ELEMENTS
Use of Server-Based Questionnaires
Make it Easy to Collect Information
Including all Relevant Safeguards
and Controls
• Alarm Systems
• Background Checks
• Barriers
• Biometric Controls
• Bomb Threat Procedures
• Bomb Detection & Identification
• CCTV Cameras
• Disaster Recovery Planning
• Emergency Response Planning
• Entry Controls
• Fire Controls
• Guard Services
• Incident Reporting
• Incident Response
• Intrusion Detection
• Lock & Key Controls
• Monitoring Systems
• Risk Assessment
• Security Planning
• Security Policies
• Security Staff
• Technical Surveillance
• Training Programs
• Visitor Controls
Controls with default values for
implementation and life cycles
Data Aggregation & Analysis
(Slide diagram, shown here as text. Each incident record combines an Asset, a Loss, a Threat and a Vulnerability; the Incident Class, Incident and Degree of Seriousness yield a Conditioned Incident.)
Assets: Equipment, Generators, Facility, Staff, Patients, Security, Personnel
Losses: Related Loss, Direct Loss, Disruption, Injury, Intangibles, Loss of Life, Reputation
Threats: Accident, Fire, Vandalism, Power Loss, Theft, Workplace Violence, Homicide
Vulnerabilities: Personnel Screening, Controlled Areas, Personnel ID, Key Controls, No Security Plan, Observation, Doors, Construction
Incident Class → Incident → Degree of Seriousness → Conditioned Incident
Risk = Asset × Loss × Threat × Vulnerability
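The formula above can be worked through in code. The following is an added example written for this transcript, not RiskWatch software or the presenter's own method: it applies Risk = Asset × Loss × Threat × Vulnerability to a constructed table of incident scenarios and aggregates the annual loss expectancy (ALE) by threat and by asset category, the breakdown the later ALE pie charts present. All dollar values, loss fractions, threat rates and vulnerability factors are invented sample data; only the asset, loss and threat names follow the deck's table.

```python
"""Added example, not code from the RiskWatch slides: apply the deck's formula
Risk = Asset x Loss x Threat x Vulnerability to a constructed incident table and
aggregate the annual loss expectancy (ALE) by threat and by asset category.
Every number in SAMPLE is made up for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset: str            # asset category, e.g. "Facility"
    asset_value: float    # asset value in dollars (constructed)
    loss_type: str        # kind of loss, e.g. "Disruption"
    loss_fraction: float  # share of the asset value lost per incident, 0..1
    threat: str           # threat name, e.g. "Fire"
    threat_rate: float    # expected incidents per year (constructed threat data)
    vulnerability: float  # probability the threat succeeds under current controls, 0..1


def single_loss_expectancy(s: Scenario) -> float:
    """Dollars lost if the threat materializes once: Asset x Loss."""
    return s.asset_value * s.loss_fraction


def annual_loss_expectancy(s: Scenario) -> float:
    """Risk in dollars per year: Asset x Loss x Threat x Vulnerability."""
    return single_loss_expectancy(s) * s.threat_rate * s.vulnerability


def ale_by(scenarios, field: str) -> dict:
    """Sum ALE over scenarios, grouped by one Scenario field ("asset" or "threat")."""
    totals = defaultdict(float)
    for s in scenarios:
        totals[getattr(s, field)] += annual_loss_expectancy(s)
    return dict(totals)


def shares(totals: dict) -> dict:
    """Percent of the total ALE per group, the numbers a pie chart would show."""
    grand = sum(totals.values())
    if grand == 0:
        return {k: 0.0 for k in totals}
    return {k: round(100.0 * v / grand, 1) for k, v in totals.items()}


def total_ale(scenarios) -> float:
    return sum(annual_loss_expectancy(s) for s in scenarios)


# Constructed sample data: asset/loss/threat names follow the deck's table,
# the numbers are invented.
SAMPLE = [
    Scenario("Facility", 5_000_000, "Disruption", 0.10, "Fire", 0.05, 0.6),
    Scenario("Generators", 400_000, "Direct Loss", 1.00, "Accident", 0.02, 0.5),
    Scenario("Equipment", 800_000, "Related Loss", 0.25, "Power Loss", 0.5, 0.4),
    Scenario("Equipment", 800_000, "Direct Loss", 0.05, "Theft", 2.0, 0.3),
    Scenario("Facility", 5_000_000, "Intangibles", 0.01, "Vandalism", 1.0, 0.7),
]

if __name__ == "__main__":
    print(f"Total ALE: ${total_ale(SAMPLE):,.0f}")
    print("ALE by threat (%):", shares(ale_by(SAMPLE, "threat")))
    print("ALE by asset category (%):", shares(ale_by(SAMPLE, "asset")))
```

Vulnerability is carried as a probability so that a control which lowers it lowers every ALE it appears in; that is what makes the later "reduction in ALE by safeguard" comparison possible on the same data.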
WRITING REPORTS
• Data which can be benchmarked
• Making sure you include audit trails
• Use of recognized statistical probability models
• Includes both current and new directives
• Creating management level reports
MITIGATION STRATEGIES
1. Accept Risk
2. Transfer Risk
3. Mitigate Risk
4. Better Risk Reactions
5. Dealing with Residual Risk
EASY TO UNDERSTAND
GRAPHS ILLUSTRATE OVERALL
COMPLIANCE VS. NON-COMPLIANCE
(Pie chart: Overall Response – Compliant vs. Non-Compliant, 46% / 54%)
VULNERABILITY DISTRIBUTION CHART
SHOWS THE WEAKNESSES IN THE
CURRENT SECURITY PROFILE
(Pie chart: Non Compliant Answers by Question Category. Categories: Entry Control, Internal Bldg Security, General, Integrated Systems, Bldg Security, Parking Structures, Security Guards, Loading Dock, Lobby Control, Perimeter/Intrusion Detection, Remaining. Each category holds between 4% and 18% of the non-compliant answers.)
Survey Answers Can be Shown by Job
Title, or by Individual Name
(Pie chart: Non Compliant Answers by Respondent. Respondents: internal1, guard, internal2, badging, external, delivery, personnel, safety, recovery, Remaining. Shares range from 0% to 25%.)
Shows the Annual Loss
Expectancy By Threat
(Pie chart: ALE by Threat. Threats: Communications Loss, Arson, Explosions Major, Theft - Company Property, Vandalism, Assault Simple, Sabotage/Terrorist, Explosions Minor/Mail-Bomb, Cold/Frost/Snow, Flooding/Water Damage, Sabotage/Disgruntled Employee, Remaining. The largest slice is 33%; the others range from 3% to 10%.)
Loss Expectancy is Also Shown by
Asset Category Impact
(Pie chart: ALE by Asset Category. Categories: Facilities/Buildings, Personnel, Communications Equipment, Office Equipment, Computer Hardware, Electronic Equipment, Remaining. Slices: 50%, 25%, 18%, 4%, 3%, 0%, 0%.)
Reports Can Include Loss
Protection by Threat Category
(Bar chart: Loss Protection by Threat, scale 0% to 80%. Threats: Assault Simple, Activist, Assault Aggravated, Assault Sexual, Kidnapping, Vandalism, Homicide, Stalking, Burglary/Break In, Robbery, Remaining.)
How to Calculate Return on Investment
to Support Proper Budgeting for Security.
In this example, finishing and updating the Disaster Recovery Plan
had a 2000-1 ROI – that means for every dollar spent on updating
the plan – the organization saves $2,000,000
1. Finish Disaster Recovery Plan – 2000:1
2. Finish the Security Plan – 1200:1
3. Complete Security Training – 943:1
Security Controls are Listed
Recommended by Return On Investment
(Bar chart: Return on Investment (10% Discount), scale 0.0 to 2.5. Controls: ID Infrared Motion Detectors, GD Policy/Procedure, GD Patrol/Tour Reporting, CN Steel Bars/Grills, BR Policy/Procedure, LK Policy/Procedure, FR Marshal/Brigade, ID Magnetic/Contact Switches, ID UPS Dedicated, EC Biometric Access.)
This Graph Illustrates how Implementing the Top
20 Controls will Contribute to a Cumulative
Reduction in Loss Potential
(Chart: Percent Reduction in ALE by Safeguard – Single vs. Cumulative Loss Reductions, scale 0.0% to 6.0%; series: Reduction in ALE (%) and Cumulative Reduction (%). Controls: CN Steel Bars/Grills, ID Infrared Motion Detectors, GD Policy/Procedure, GD Patrol/Tour Reporting, ID Magnetic/Contact Switches, BR Policy/Procedure, LK Policy/Procedure, FR Marshal/Brigade, ID UPS Dedicated, BR Jersey Walls, EC Biometric Access, PR Personnel Termination, VC Removal, VC Vehicle Barriers, ID Microwave Motion Detectors, SC Security Manual, SC Security Policy, CN Steel Mesh Walls, OV CCTV Cameras.)
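A worked version of the ROI ranking and the single-vs-cumulative reduction chart, added here as an example and not taken from the slides or the RiskWatch product: each safeguard is scored as discounted avoided loss divided by discounted life-cycle cost at the 10% rate, the list is sorted by that ratio, and the controls are then applied in ROI order. The baseline ALE, control costs, life cycles and reduction fractions are constructed; the category codes copy the deck's chart labels but their meaning is assumed; and the cumulative model (each control removes its fraction of whatever ALE remains, so the cumulative curve flattens instead of simply summing the single reductions) is an assumption of this example.

```python
"""Added example, not code from the RiskWatch slides: rank safeguards by return
on investment (ROI) at the 10% discount rate the deck's chart uses, then show
single vs. cumulative ALE reduction when controls are added in ROI order.
The baseline ALE, costs, life cycles and reduction fractions are constructed,
and the cumulative model (each control removes its fraction of whatever ALE is
still left) is an assumption made for this example."""
from dataclasses import dataclass

DISCOUNT_RATE = 0.10  # the deck's ROI chart is labelled "10% Discount"


@dataclass(frozen=True)
class Safeguard:
    code: str              # category code as in the deck's chart labels (meaning assumed)
    name: str
    implementation: float  # one-time cost in dollars (constructed)
    annual_cost: float     # yearly upkeep in dollars (constructed)
    life_years: int        # life cycle over which costs and benefits accrue
    ale_reduction: float   # fraction of the ALE this control removes, 0..1


def present_value(annual_amount: float, years: int, rate: float = DISCOUNT_RATE) -> float:
    """Present value of a level yearly amount paid at the end of each year."""
    return sum(annual_amount / (1.0 + rate) ** t for t in range(1, years + 1))


def roi(sg: Safeguard, baseline_ale: float) -> float:
    """Discounted benefit (avoided loss) divided by discounted life-cycle cost."""
    benefit = present_value(sg.ale_reduction * baseline_ale, sg.life_years)
    cost = sg.implementation + present_value(sg.annual_cost, sg.life_years)
    return benefit / cost


def rank_by_roi(safeguards, baseline_ale: float) -> list:
    """Highest ROI first, the order the deck's ROI chart recommends."""
    return sorted(safeguards, key=lambda sg: roi(sg, baseline_ale), reverse=True)


def cumulative_reduction(safeguards, baseline_ale: float) -> list:
    """Apply controls in ROI order. Returns (code, single fraction, cumulative
    fraction) per control: the two series of the single-vs-cumulative chart."""
    remaining = baseline_ale
    rows = []
    for sg in rank_by_roi(safeguards, baseline_ale):
        remaining -= sg.ale_reduction * remaining  # assumption: acts on what is left
        rows.append((sg.code, sg.ale_reduction, 1.0 - remaining / baseline_ale))
    return rows


BASELINE_ALE = 1_000_000.0  # constructed: total ALE before any new control
SAMPLE = [
    Safeguard("ID", "Infrared Motion Detectors", 20_000, 2_000, 5, 0.05),
    Safeguard("GD", "Policy/Procedure", 5_000, 1_000, 5, 0.03),
    Safeguard("EC", "Biometric Access", 150_000, 10_000, 5, 0.04),
]

if __name__ == "__main__":
    for sg in rank_by_roi(SAMPLE, BASELINE_ALE):
        print(f"{sg.code} {sg.name:<28} ROI {roi(sg, BASELINE_ALE):6.2f}:1")
    for code, single, cumulative in cumulative_reduction(SAMPLE, BASELINE_ALE):
        print(f"{code}: single {single:.1%}, cumulative {cumulative:.1%}")
```

Discounting both sides matters: a cheap policy control with a small reduction can outrank an expensive biometric system whose ROI falls below 1:1 once its upkeep is counted, which is the budgeting argument the slide is making.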
The Bottom Line
• Security Risk Management Requirements will
Continue to Increase and need to be standardized.
• Measuring and Managing Security by Return on
Investment gives you the ‘best bang for the buck’
• Conducting Risk Assessments is the best way to
meet security requirements, quantify areas of
weakness, justify security controls, and manage
and validate the security budget.
Caroline Hamilton
410-224-4773, x105