Chapter 2 - Risk Assessments part 1
Technology risk
Age and condition, mixed vendors, languages, complexity, documentation, availability of replacement parts, ability to test, expertise for maintenance and patching
Control Category - Compensating
Alternate form of a control to correct a deficiency or weakness. Considered when an entity cannot meet a stated requirement due to legitimate technical or business constraints but can create a comparable acceptable level of risk by other means. Placing insecure systems on isolated networks, adding third party challenge response
Risk Assessment Technique - Reliability centered maintenance
Analyzes the functions and potential failures of a specific asset (physical). Helps establish safe minimum levels of maintenance.
Vulnerability Assessments and penetration testing
As a means to estimate the level of IT risk in the org. Tend to be very detailed. Advantage is these reports are granted a level of deference by senior management similar to an audit.
Tools to determine current state of IT risk controls
Audits, BCPs, Capability Maturity Models, Control tests, incident reports, IT operations, enterprise architecture assessment, logs, media reports, observation, self assessments, third party assurance, user feedback, vendor reports and vulnerability assessment
Core source of data used in the BCP
Business Impact Analysis, which identifies the critical timelines (RTO and RPO) for services and products associated with value creation.
Org structure and culture
Contributing factors in risk prevention, detection and response.
Controls risk
Controls are implemented to reduce or maintain risk at acceptable levels but may be poorly maintained or unsuitable for the risk they are meant to control. They must be regularly reviewed.
Risk is more serious when any of the following are true
Controls are inadequate, wrong controls used, controls are ignored, controls are poorly maintained, logs not reviewed, controls not tested, changes to control configuration not managed, controls can be physically accessed and altered, duties are inadequately segregated
Risk Assessment Technique - Fault tree analysis
Deductive failure analysis. Starts with an event and examines possible means for the event to occur (top down). Diagram can be used to reduce or eliminate potential causes of the event. (used in engineering)
Risk Assessment Technique - Business Impact Analysis
Determine the impact of losing the support of any resource. In addition to identifying initial impact a comprehensive BIA seeks to establish the escalation of loss over time. Gives data to senior management to make decisions.
Risk Assessment Technique - Hazard analysis and critical control points (HACCP)
Developed for food safety industry, system for proactively preventing risk and assuring quality, reliability and safety of processes.
Risk Assessment Technique - Bow tie analysis
Diagram to communicate risk assessment results by displaying links between possible causes, controls and consequences. Cause is in the middle (knot) and triggers and controls, mitigation strategies and consequences branch off
Policies
Empower risk management, audit and security staff. Should clearly state senior management's position on protection of information. Overarching policy does not have a technical focus, in order to prevent it from becoming outdated. Likely to state the goal of managing risk through protecting the org's assets. Instrumental in determining the approach of the org to risk mgt and acceptable levels of risk. Risk practitioner should identify presence or lack of policies.
Architecture risk
Enterprise approach to risk management, architecture and business continuity at the enterprise level promotes consistency, repeatability, compliance and accountability. Also improves visibility afforded to senior management. Lack of enterprise architecture results in ownership gaps between systems.
Risk Assessment Technique - Root cause analysis
Establish the origins of an event (5 whys)
Risk Assessment Technique - Hazard and operability studies (HAZOP)
Evaluating potential risk by looking at possible deviations from existing process (risks to personnel or equipment)
Risk Assessment Technique - Scenario analysis
Examines possible future scenarios that were identified during risk identification looking for risk associated with the scenario should it occur.
Crucial in developing positive risk culture and promoting risk principles
Example set by IT Management
Enterprise Architecture Assessment
Focuses on producing a view of the current state of IT, establishing vision for the future state and generating a strategy to get there.
Risk Assessment Technique - Event tree analysis
Forward looking, bottom up model that uses inductive reasoning to assess the probability of different events resulting in possible outcomes. Can see which pathway is causing the greatest probability of failure.
Risk Assessment Technique - Brainstorming/Structured Interview
Gather large group of risks to be ranked by a team. Can use prompts or interviews
Vendor reports
Government sponsored computer emergency response teams (CERTs) provide free reports and analysis
BCP risk assessment should identify the following
HR, data, infrastructure elements and other resources that support key processes, list of potential vulnerabilities, estimated probability of occurrence, efficiency and effectiveness of existing risk mitigation controls
First step in preparing a BCP
Identify the business processes of strategic importance (processes responsible for permanent growth of the business and for fulfillment of business goals)
Exception management
If exceptions are undocumented and uncontrolled the risk level is unknown and may represent a hidden vulnerability. Should only be allowed through documented formal process that requires approval by senior management.
Control Category - Preventative
Inhibit attempts to violate security policy. Encryption, user authentication and vault construction doors.
IT Operations and Management evaluation
Interviewing operations staff and reviewing logs of problem tickets can provide insight into an unmitigated or recurring problem
Risk Assessment Technique - Delphi technique
Leverages expert opinion received using two or more rounds of questionnaires. Results summarized after each round and communicated to experts. Collaborative technique helps to build consensus.
Risk Assessment Technique - Checklists
List of potential or typical threats, items can be checked off one at a time as they are completed. Can use previously developed lists, codes or standards.
Self assessments
Local managers have insight into behaviors of their staff so they are well suited to evaluate compliance with procedures, recurring problems, risk trends and vulnerabilities.
Risk Assessment Technique - Cause and effect analysis
Looks at factors that contributed to a certain effect which are then displayed in a diagram, tree structure or fishbone diagram.
Control Category - Directive
Mandate behavior by specifying what actions are and are not permitted. A policy.
Risk Assessment Technique - Bayesian Technique
Method of statistical inference that uses prior distribution data to determine the probability of a result.
Procedures
More granular than standards and support their implementation. Detailed steps to perform an operation. Created to define the way in which the processes should be carried out. Implement the intent of the policy.
Media reports
Newspapers, TV, etc. - with a degree of skepticism. RP should alert those with authority of a communication that could impact the org.
Third party assurance
Org benefits from expertise, objectivity and credibility of the third party. Reviewing the outsourcing party's security policies will add a level of assurance.
Factors that can affect the calculation of a risk assessment
Org structure, Policies, Standards/Procedures, Technology, Architecture, Controls
Risk Assessment
Process used to identify and evaluate risk and its potential effects, which includes evaluation of: Critical Function, Risk Associated, Controls in place to reduce exposure, Prioritization of risk, Relationship between risk and enterprise risk appetite and tolerance
Desirable to have a single BCP integrated plan to ensure that
Proper coordination among various plan components, resources committed are used in the most effective way
Control Category - Detective
Provide warnings of violations or attempted violations of policy. Audit trails, intrusion detection systems and checksums.
Control Category - Deterrent
Provide warnings that may dissuade threat agents from attempting a compromise. Warning banners on logon screens.
Control Category - Corrective
Remediate errors, omissions, unauthorized uses and intrusions when detected. Data backups, error correction and automated failover.
Data Management (ops and mgt eval)
Risk practitioner should review and assess the data ownership and management processes of the organization including the protection of data from improper disclosure, modification and deletion.
Risk Assessment Technique - Layers of protection analysis (LOPA)
Semi-quantitative risk analysis technique that uses aspects of HAZOP to determine risk. Looks at controls and their effectiveness. (Is it safe enough?)
Risk management function
Should have an enterprise mandate to review and provide input into all business processes, participate in incident management activities and review lessons learned to improve response planning, detection and recovery.
Risk Assessment Technique - Monte Carlo Analysis
Simulation used to aggregate the variation in a system that results from variations in a number of inputs, where each input has a defined distribution and the inputs are related to the output. For risk assessment, triangular distributions or beta distributions are commonly used.
SSAE16
Statement on Standards for Attestation Engagements Number 16
Risk Assessment Technique - Structured what if technique (SWIFT)
Structured brainstorming to identify risk. Usually in a facilitated workshop. Using prompts and guide words.
Key elements to measure IT risk management capability
Support of senior mgt, Regular communications between stakeholders, existence of policies, Availability of BIA, Logging and monitoring, Reviewing logs, Scheduled risk assessments, Testing of BCPs, Training of staff, Involvement of risk principles on projects, Gathering feedback from users, Validating risk appetite, Time to detect/resolve issues
Standards
Support requirements in the policy. Mandatory requirements or code of practice. Implemented to comply with the requirements and direction of policy to limit risk and support efficient business operations.
User Feedback
System users know the shortcomings including potential vulnerabilities. Can help indicate where security controls could be circumvented for convenience.
Control test
Testing both technical and non-technical aspects of the control (rules governing the operation of the control, procedures used in monitoring, proficiency of staff)
Risk Assessment Technique - Sneak circuit analysis
Used to identify design errors or sneak conditions such as latent hardware, software or integrated conditions that are often undetected by system tests and may result in improper operations
Risk practitioner determines the current state of IT risk
Using reports generated by the controls themselves and the results of control testing activities and incident management programs.
Observation
Watching a process as an independent observer may highlight issues that may not be seen as clearly when the process is being executed. First consider what is actually happening and ensure it is reflected in the workflows.
Risk Assessment Technique - Preliminary hazard analysis
What threats or hazards may harm an organization's activities, facilities or systems. (OSHA)
Current state assessment
condition of the program at that point in time
Capability Maturity Models
Contains the essential elements of effective processes for one or more disciplines. Describes an evolutionary improvement path from ad hoc to mature.
Incident response teams consist of
employees assigned specific roles during various incidents and external resources for forensic investigations
Business Continuity Plan
enable a business to continue critical services in the event of a disruption, up to and including the ability to survive a disastrous interruption
Primary focus of incident management
Get the organization's affected systems and operations back to normal service as quickly as possible (this can affect evidence collecting). Each incident should be used to garner lessons learned.
SLAs only provide
monetary remedies
Logs
most valuable tool to monitor controls and detect risk. Should contain (changes to permissions, system startup/shutdown, login/logout, changes to data, errors/violations, job failures). Ensuring SOD is particularly important when it comes to log files.
In environments where the EA is immature or absent the risk practitioner should
place greater emphasis on the use of technology specific assessments as a means of building a piecemeal vision of current IT risk.
Disaster Recovery
reestablishment of business and IT services following a disaster within a predefined schedule and budget. Time frames are based on cost of recovery and length of time that management is willing to accept
Risk Assessment Technique should be used when
the goal is to produce results that can be compared over time
Four areas (EAA)
Are we doing the right things, Are we doing them the right way, Are we getting them done well, Are we getting the benefits
Risk Assessment Technique - Human reliability analysis (HRA)
Effect of human error on systems (manufacturing, transport)
IT risk is
a subset of enterprise risk
IT risk assessment is only accurate
at the time the risk state was measured
A thorough review of an incident can
identify weak controls, poor detection, inappropriate or ineffective response and lack of training of staff
preventative control reduces
impact
Impact of an event
is hard to calculate with any degree of accuracy because there are so many factors. The same incident could have different impacts depending on how long it took to detect it.
Cloud risk
is the same as risk for any other outsourcing initiative
Incident management starts with
preparation and planning that build an incident response plan (IRP).
Detective control triggers
preventative control
Goal of a BCP
provide a reduced but sufficient level of functionality in the business operations immediately after encountering an interruption and while recovery is taking place
Deterrent control and Compensating control
reduce likelihood of threat
Risk Assessment Technique - Cause and consequence analysis
Combines techniques of a fault tree analysis and allows for time delays to be considered.
Risk Assessment Technique - Markov analysis
Used to analyze systems that can exist in multiple states. Assumes that future events are independent of past events. Tendency of one event to follow another. Brand switching.
IT system risk is often measured by
the impact of an IT related problem on the business services that the IT system supports
preventative control protects against
vulnerability