Chapter 5 Risk Management
Single Loss Expectancy (SLE)
In a cost-benefit analysis, the calculated value associated with the most likely loss from an attack. The SLE is the product of the asset's value and the exposure factor.
Annualized Rate of Occurrence (ARO)
In a cost-benefit analysis, the expected frequency of an attack, expressed on a per-year basis.
Annualized Loss Expectancy (ALE)
In a cost-benefit analysis, the product of the annualized rate of occurrence and single loss expectancy.
The Open FAIR Approach to Risk Assessment
The FAIR methodology, which was developed by risk management consultant Jack Jones and promoted through his consulting agency Risk Management Insight and its parent company CXO Media, provides a qualitative approach to risk assessment.
-The Open Group selected FAIR as its international standard for risk management.
-The FAIR analysis consists of 10 steps in four stages:
Stage 1 - Identify scenario components
1. Identify the asset at risk
2. Identify the threat community under consideration
Stage 2 - Evaluate loss event frequency (LEF)
3. Estimate the probable threat event frequency (TEF)
4. Estimate the threat capability (TCap)
5. Estimate control strength (CS)
6. Derive vulnerability (Vuln)
7. Derive loss event frequency (LEF)
Stage 3 - Evaluate probable loss magnitude (PLM)
8. Estimate worst-case loss
9. Estimate probable loss
Stage 4 - Derive and articulate risk
10. Derive and articulate risk
-The FAIR approach includes specific range-based calculations to determine vulnerability and loss frequency for a single asset/threat pair, as follows:
3. Estimate the probable threat event frequency (TEF) by ranking it on a scale of very low (such as less than 10 percent, or once every 10 years) to very high (over 100 times a year).
4. Estimate the threat capability (TCap) by ranking it on a scale of very low (the bottom 2 percent of the overall threat population) to very high (the top 2 percent).
5. Estimate control strength (CS), which is an assessment of the current protection capabilities of the organization's protection system. The CS can be a ranking from very low, which protects only against the bottom 2 percent of the average threat population, to very high, which protects against all but the top 2 percent of the average threat population.
6. Derive vulnerability (Vuln), which is the probability that an asset will be unable to resist the actions of a threat agent. The Vuln value is taken from a table that compares the TCap to the control strength. Rankings are VL (very low), L (low), M (medium), H (high), and VH (very high).
7. Derive loss event frequency (LEF). The result is the loss event frequency, which is rated on a scale of very low to very high. This value is used later to determine the overall risk present between the asset and its paired threat.
8. Estimate the worst-case loss. This involves determining the magnitude of loss to an asset if a threat becomes a successful attack. Assign values to each cell to represent the comparison between threat actions (rows) and forms of loss (columns). Each column identifies the estimated impact of a form of loss. Some losses represent a direct impact on productivity; others include expenses from managing loss during the incident response process, costs for replacement of equipment or data, and payments to settle legal fines or regulatory judgments.
9. Estimate probable loss (use the most likely outcome instead of the worst-case scenario). Probable loss magnitude (PLM) is calculated by entering the correct mid-range magnitude value for each form of loss, and then adding the losses to determine the total PLM that could result from a successful attack.
-The final stage of the FAIR method is to assess the level of risk within an asset/threat pair by comparing the PLM from Stage 3 to the loss frequency from Stage 2. Risk assessments are presented as Low, Medium, High, and Critical.
-The resulting risk values provide the organization with an assessment it can use to create a ranking of asset/threat pairs. This information can help the organization determine whether the current level of risk is acceptable based on its risk appetite, and establish priorities of effort for implementing new controls and safeguards.
Major stages of Risk Assessment
(Plan & organize the process) -> (Determine loss frequency (Likelihood)) -> (Evaluate loss magnitude (Impact)) -> (Calculate risk) -> (Assess risk acceptability)
1) Planning and Organizing Risk Assessment
-The risk model is used to evaluate the risk for each information asset:
RISK is the Probability of a Successful Attack on the Organization (Loss Frequency = Likelihood ∗ Attack Success Probability)
Multiplied by the Expected Loss from a Successful Attack (Loss Magnitude = Asset Value ∗ Probable Loss)
Plus the Uncertainty of estimates of all stated values
2) Determining the Loss Frequency
-LOSS FREQUENCY describes an assessment of the LIKELIHOOD of an attack combined with its expected probability of success if it targets your organization (ATTACK SUCCESS PROBABILITY). The resulting information will be coupled with an expected level of loss in evaluating risk. This calculation is also known as the annualized rate of occurrence.
Likelihood: In risk assessment, you assign a numeric value to the likelihood of an attack on your organization. For each threat, the organization must determine the expected likelihood of attack, which is typically converted to an annual value.
-An event with a likelihood of more than once a year obviously has a higher probability of attack.
-Provided that the organization does not have an extensive history of being successfully attacked, some values may be determined from published works like the CSI study.
-"hacker insurance"
-Some assets and vulnerabilities have published references for determining the likelihood of an attack:
• The likelihood of a fire has been estimated by actuaries for any type of structure.
• The likelihood that any given e-mail contains a virus or worm has been researched.
• The number of network attacks against an organization can be forecast based on its number of assigned network addresses.
-NIST SP 800-30 recommends assigning a likelihood between 0.1 and 1.0, which provides a qualitative approach rather than the quantitative percentages shown previously. You could also choose to use a number between 1 and 100; note that 0 is not used because vulnerabilities with no likelihood have been removed from the asset/vulnerability list. Using a range is much simpler than attempting to determine specific probabilities.
Attack Success Probability: The second half of the loss frequency calculation is determining the probability of an attack's success if the organization becomes a target.
-The key component of this assessment is that the attack successfully compromises vulnerabilities in the organization's information asset. Another important part of the assessment is determining the organization's current level of protection, which further complicates the calculations and makes the "guestimates" that much more complex.
-The person or team that performs the risk assessment calculations must work closely with the IT and information security groups to understand the current level of protection. Then, based on the probable threats, the responsible person or team develops an estimate for the probability of success of any attack in a particular threat category. (For a well-protected organization that has up-to-date malware detection and a well-trained employee force, the probability of a successful malware attack may be poor. Therefore, the organization may assign a quantitative value of 10 percent or a qualitative value of "very unlikely.")
-In general, the accuracy of any estimates in this category is susceptible to a great deal of uncertainty.
Loss Event Frequency: Combining the likelihood and attack success probability results in an assessment of the loss frequency, also known as loss event frequency.
(Loss frequency is the probability that an organization will be the target of an attack, multiplied by the probability that the organization's information assets will be successfully compromised if attacked.)
Components of Risk Identification
-A risk management strategy requires that information security professionals know their organizations' information assets: how to identify, classify, and prioritize them.
(Plan & organize the process) -> (Identify, inventory, & categorize assets) -> (Classify, value, & prioritize assets) -> (Identify & prioritize threats) -> (Specify asset vulnerabilities)
1) Planning and Organizing the Process: The first step in risk identification is to follow your project management principles. You begin by organizing a team, which typically consists of representatives from all affected groups. Because risk can exist everywhere in the organization, representatives will come from every department and will include users, managers, IT groups, and information security groups. The process must then be planned, with periodic deliverables, reviews, and presentations to management. Once the project is ready to begin, the team can organize a meeting like the one Charlie is conducting in the opening case. Tasks are laid out, assignments are made, and timetables are discussed.
2) Identifying, Inventorying, and Categorizing Assets: This iterative process begins with the identification and inventory of assets, including all elements of an organization's system, such as people, procedures, data and information, software, hardware, and networking elements. Then, you categorize the assets, adding details as you dig deeper into the analysis. The objective of this process is to establish the relative priority of assets to the success of the organization.
3) Classifying, Valuing, and Prioritizing Information Assets: bling. Each of the other categories can be similarly subdivided as needed by the organization. You should also include a dimension to represent the sensitivity and security priority of the data and the devices that store, transmit, and process the data, that is, a data classification scheme. A simple data classification scheme could include levels of confidential, internal, and public.
-Any classification method must be specific enough to enable ease of understanding and assignment of priority levels, because the next step in risk assessment is to rank the components. It is also important that the categories be comprehensive and mutually exclusive. Comprehensive means that all information assets must fit in the list somewhere, and mutually exclusive means that an information asset should fit in only one category.
5) Specifying Asset Vulnerabilities: Once you have identified the organization's information assets and documented some criteria for beginning to assess the threats it faces, you review each information asset for each relevant threat and create a list of vulnerabilities.
-Next, you examine how each possible or likely threat could be perpetrated, and list the organization's assets and their vulnerabilities. At this point in the risk identification phase, the focus is simply on identifying assets that have a vulnerability, not determining how vulnerable they are. The process of listing vulnerabilities is somewhat subjective and depends on the experience and knowledge of the people creating the list. Therefore, the process works best when groups of people with diverse backgrounds within the organization work iteratively in a series of brainstorming sessions.
-At the end of the risk identification process, you should have a prioritized list of assets and their vulnerabilities. You should also have a list that prioritizes the threats facing the organization based on the weighted table discussed earlier. These two lists can be combined into a THREATS-VULNERABILITIES-ASSETS (TVA) worksheet in preparation for adding vulnerability and control information during risk assessment.
3 Steps of Risk Control (1. Selecting Control Strategies)
1) Selecting Control Strategies: Once the project team for information security development has created the ranked vulnerability risk worksheet, the team must choose a strategy for controlling each risk that results from these vulnerabilities. The five strategies are defense, transference, mitigation, acceptance, and termination.
1. Defense: The DEFENSE RISK CONTROL STRATEGY attempts to prevent the exploitation of vulnerabilities. This strategy is the preferred approach to controlling risk. It is accomplished by countering threats, removing vulnerabilities from assets, limiting access to assets, and adding protective safeguards.
-Has three common methods:
• Application of policy
• Education and training
• Application of technology
-Another defense strategy is to implement security controls and safeguards that deflect attacks on systems and therefore minimize the probability that an attack will be successful.
2. Transference: The TRANSFERENCE RISK CONTROL STRATEGY attempts to shift risk to other assets, other processes, or other organizations. These controls can be accomplished by rethinking how services are offered, revising deployment models, outsourcing to other organizations, purchasing insurance, or implementing service contracts with providers.
-If an organization does not already have high-quality security management and administration experience, it should hire people or firms that provide such expertise.
-Rather than implementing their own servers and hiring their own Web site administrators, Web systems administrators, and specialized security experts, savvy organizations hire an ISP or a consulting organization to provide these products and services for them. This allows the organization to transfer the risks associated with managing these complex systems to another organization that has experience in dealing with such risks. Outsourcing relies on trust in others' security.
3. Mitigation: The MITIGATION RISK CONTROL STRATEGY attempts to reduce the impact of an attack rather than reduce the success of the attack itself. This approach requires the creation of three types of contingency plans: the incident response plan, the disaster recovery plan, and the business continuity plan.
-Mitigation begins with the early detection of an attack in progress and a quick, efficient, and effective response.
-The most common mitigation plans are contingency plans:
• Incident response (IR) plan: The actions an organization can and should take while an incident is in progress. The IR plan also enables the organization to take coordinated action that is either predefined and specific or ad hoc and reactive.
• Disaster recovery (DR) plan: The most common of the mitigation procedures, the DR plan includes all preparations for the recovery process, strategies to limit losses during a disaster, and detailed steps to follow in the aftermath.
• Business continuity (BC) plan: The most strategic and long-term plan of the three. The BC plan includes the steps necessary to ensure the continuation of the organization when the disaster's scope or scale exceeds the ability of the DR plan to restore operations, usually through relocation of critical business functions to an alternate location.
4. Acceptance: The ACCEPTANCE RISK CONTROL STRATEGY is the choice to do nothing more to protect a vulnerability based on the current residual risk and the organization's risk appetite. This strategy may or may not be a conscious business decision.
-The only recognized valid use of this strategy occurs when the organization has done the following:
• Determined the level of risk
• Assessed the probability of attack
• Estimated the potential damage that could occur from attacks
• Performed a thorough cost-benefit analysis
• Evaluated controls using each appropriate type of feasibility
• Decided that the particular function, service, information, or asset did not justify the cost of protection
-This strategy is based on the conclusion that the cost of protecting an asset does not justify the security expenditure.
-If the acceptance strategy is used to handle every vulnerability in the organization, its managers may be unable to conduct proactive security activities and may portray an apathetic approach to security in general. An organization cannot adopt a policy that ignorance is bliss and hope to avoid litigation by pleading ignorance of its obligation to protect employee and customer information. (Management cannot hope that if it neglects to protect information, the opposition will assume that little is to be gained from an attack.)
-The risks far outweigh the benefits of this approach. Acceptance as a strategy is often chosen based on the "school of fish" or "safety in numbers" justification: that the odds of being attacked by a shark are much smaller if you're swimming in a large school with many other fish. This reasoning can be very risky.
5. Termination: The TERMINATION RISK CONTROL STRATEGY directs the organization to avoid business activities that introduce uncontrollable risks.
-For example, if an organization studies the risks of implementing business-to-consumer e-commerce operations and determines that the risks are not sufficiently offset by the potential benefits, the organization may seek an alternate mechanism to meet customer needs, perhaps developing new channels for product distribution or new partnership opportunities.
-By terminating the questionable activity, the organization reduces risk exposure.
Security Clearance
A personnel security structure in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is "cleared" to access.
Components of Risk Identification: 3) Classifying, Valuing, and Prioritizing Information Assets
A) Data Classification and Management
Corporate: A simplified information classification scheme would have three categories: confidential, internal, and external. Information owners must classify the information assets for which they are responsible. At least once a year, information owners must review their classifications to ensure that the information is still classified correctly and the appropriate access controls are in place.
• Confidential: Used for the most sensitive corporate information that must be tightly controlled, even within the company. Access to information with this classification is strictly on a need-to-know basis or as required by the terms of a contract. Information with this classification may also be referred to as "sensitive" or "proprietary."
• Internal: Used for all internal information that does not meet the criteria for the confidential category. Internal information is to be viewed only by corporate employees, authorized contractors, and other third parties.
• External: All information that has been approved by management for public release.
-The U.S. Classified National Security Information (NSI) system uses more complex categorization than most corporations. The government uses a three-level classification scheme: Top Secret, Secret, and Confidential.
• 'Top Secret' shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security that the original classification authority is able to identify or describe.
• 'Secret' shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security that the original classification authority is able to identify or describe.
• 'Confidential' shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause damage to the national security that the original classification authority is able to identify or describe.
-This classification system comes with the general expectation of "crib-to-grave" protection, meaning that all people entrusted with classified information are expected to retain this level of confidence for their lifetimes, or at least until the information is officially unclassified.
-For non-NSI material, other classification schemes are employed:
• Sensitive but Unclassified (SBU) data: Information that if lost, misused, accessed without authorization, or modified might adversely affect U.S. interests, the conduct of DoD programs, or the privacy of DoD personnel. Common SBU categories include Restricted, For Official Use Only, Not for Public Release, and For Internal Use Only.
• Unclassified data: Information that can generally be distributed to the public without any threat to U.S. interests.
B) Security Clearances: In organizations that require security clearances, all users of data must be assigned authorization levels that indicate what types of classified data they are authorized to view. This structure is usually accomplished by assigning each employee to a named role, such as data entry clerk, development programmer, information security analyst, or even CIO. Most organizations have a set of roles and associated security clearances. Overriding an employee's security clearance requires that the employee meet the need-to-know standard described earlier. In fact, this standard should be met regardless of an employee's security clearance. This extra level of protection ensures that confidentiality of information is properly maintained.
C) Management of Classified Data: Management of classified data includes its storage, distribution, transportation, and destruction.
-All information that is not unclassified or public must be clearly marked as such.
-The government also uses color-coordinated cover sheets to protect classified information from the casual observer, with Orange (Top Secret), Red (Secret), and Blue (Confidential) borders and fonts.
-In addition, each classified document should contain the appropriate designation at the top and bottom of each page. Two-sided documents are required to have the designation on both sides.
-When classified data is stored, it must be available only to authorized personnel.
-One important control policy that is often difficult to enforce is the CLEAN DESK POLICY, which is designed to ensure that all classified information is secured at the end of every day. This type of policy does not mean the office itself is clean, but only that all classified data has been secured.
-When copies of classified information are no longer valuable or excess copies exist, proper care should be taken to destroy them, usually after double signature verification. Documents can be destroyed by means of shredding, burning, or transferring them to a service that offers authorized document destruction.
-It is important to enforce policies to ensure that no classified information is discarded in trash or recycling areas. Some attackers search trash and recycling bins, a practice known as DUMPSTER DIVING, to retrieve information that could embarrass a company or compromise information security.
Threat Assessment
An evaluation of the threats to information assets, including a determination of their potential to endanger the organization.
Dumpster Diving
An information attack that involves searching through a target organization's trash and recycling bins for sensitive information.
Information asset classification worksheet
Assembles information about information assets and their value to the organization
Weighted criteria analysis worksheet
Assigns a ranked value or impact weight to each information asset
Ranked vulnerability risk worksheet
Assigns a ranked value or risk rating for each uncontrolled asset-vulnerability pair
Components of Risk Identification: 3) Classifying, Valuing, and Prioritizing Information Assets (Continued)
C) Information Asset Valuation: One of the toughest tasks of information security in general, and risk management in particular, is information asset valuation. While most organizations have a general understanding of the relative worth of their information assets, it is much more difficult to place a specific financial value on an information asset.
-Before beginning the inventory process, the organization should determine which criteria can best establish the value of the information assets. Among the criteria to be considered are:
• Which information asset is most critical to the organization's success? When determining the relative importance of each asset, refer to the organization's mission statement or statement of objectives to determine which elements are essential, which are supportive, and which are merely adjuncts.
• Which information asset generates the most revenue? You can also determine which information assets are critical by evaluating how much of the organization's revenue depends on a particular asset. For nonprofit organizations, you can determine which assets are most critical to service delivery. In some organizations, different systems are in place for each line of business or service offering. Which of these assets plays the biggest role in generating revenue or delivering services?
• Which information asset generates the most profitability? Organizations should evaluate how much of the organization's profitability depends on a particular asset.
• Which information asset would be the most expensive to replace? Sometimes an information asset acquires special value because it is unique. After the organization has identified the unique value of this device, it can address ways to control the risk of losing access to the unique asset.
• Which information asset would be the most expensive to protect? In this case, you are determining the cost of providing controls. Some assets are difficult to protect by their nature.
• Which information asset would most expose the company to liability or embarrassment if revealed? Almost every organization is aware of its local, national, and international image. For many organizations, the compromise of certain assets could prove especially damaging to this image.
-When it is necessary to calculate, estimate, or derive values for information assets, you might give consideration to the following:
• The cost of creating the information asset: Information is created or acquired at some cost to the organization. This cost can be calculated or estimated. One category of this cost is software development, and another is data collection and processing.
• The cost associated with past maintenance of the information asset: It is estimated that for every dollar spent developing an application or acquiring and processing data, many more dollars are spent on maintenance over the useful life of the data or software.
• The cost of replacing the information: Another important cost associated with the loss of or damage to information is the cost of replacing or restoring it. This includes the human resource time needed to reconstruct, restore, or regenerate the information from backups, independent transaction logs, or even hard copies of data sources.
• The cost of providing the information: Separate from the cost of developing or maintaining information is the cost of providing it to the users who need it. This cost includes the value associated with delivery of information via databases, networks, and hardware and software systems. It also includes the cost of the infrastructure necessary to provide access and control of the information.
• The cost of protecting the information: This value is a recursive dilemma. In other words, the value of an asset is based in part on the cost of protecting it, while the amount of money spent to protect an asset is based in part on its value.
• Value to owners: How much is your Social Security number or telephone number worth to you? Placing a value on information can be a daunting task. It is vital to understand the overall cost of protecting this information in order to understand its value. Again, estimating value may be the only method.
• Value of intellectual property: Related to the value of information is the specific consideration of the value of intellectual property. The value of a new product or service to a customer may be unknowable. A related but separate consideration is intellectual property known as trade secrets. These assets are so valuable that they are the primary assets of some organizations.
• Value to adversaries: How much would it be worth to an organization to know what the competition is doing? This valuation approach is often overlooked, but believing that an asset is unimportant just because it is not valuable to the organization is short-sighted and may result in losses from damage to reputation or another indirect reason.
-To finalize this step of information asset identification, each organization should assign a weight to each asset based on the answers to the chosen questions.
Process-Based Measures
Performance measures or metrics based on intangible activities.
Metrics-Based Measures
Performance measures or metrics based on observed numerical data.
Risk Tolerance
Same as Risk appetite.
Competitive Advantage
The adoption and implementation of an innovative business model, method, technique, resource, or technology in order to outperform the competition.
Performance Gap
The difference between an organization's observed and desired performance.
Sun Tzu Wu Observation Relevance
"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle."
1) Know yourself: You must know what your information assets are, where they are, how they add value to the organization, and the vulnerabilities to which they are susceptible. Once you know what you have, you can identify what you are already doing to protect it.
2) Know the enemy: This means identifying, examining, and understanding the threats facing the organization. You must determine which threat aspects most directly affect the security of the organization and its information assets, and then use this information to create a list of threats, each one ranked according to the importance of the information assets that it threatens.
Risk Management: Roles of Communities of Interest
-Management must also ensure that sufficient time, money, personnel, and other resources are allocated to the information security and information technology groups to meet the organization's security needs.
-Users work with systems and data and are therefore well positioned to understand the value these information assets offer the organization. Users also understand which assets are the most valuable.
-The information technology community of interest must build secure systems and operate them safely. For example, IT operations ensure good backups to control the risk of data loss due to hard drive failure. The IT community can provide both valuation and threat perspectives to management during the risk management process.
-The information security community of interest has to pull it all together in the risk management process.
-The three communities of interest are also responsible for the following:
• Evaluating current and proposed risk controls
• Determining which control options are cost effective for the organization
• Acquiring or installing the needed controls
• Ensuring that the controls remain effective
-All three communities of interest must conduct periodic managerial reviews or audits, with general management usually providing oversight and access to information retained outside the IT department.
-Other controls include following policy, promoting training and awareness, and employing appropriate technologies.
Recommended Risk Control Practices
1) Documenting Results: The results of risk management activities can be delivered via a report on a systematic approach to risk management, a project-based risk assessment, or a topic-specific risk assessment.
2) The NIST Risk Management Framework: This document, most recently updated in June 2014, established a common approach to using a Risk Management Framework (RMF) for information security practice and made it the standard for the U.S. government.
-Risk management is a comprehensive process that requires organizations to:
(i) frame risk (i.e., establish the context for risk-based decisions);
(ii) assess risk;
(iii) respond to risk once determined; and
(iv) monitor risk on an ongoing basis using effective organizational communications and a feedback loop for continuous improvement in the risk-related activities of organizations.
-The first component of risk management addresses how organizations frame risk or establish a risk context, that is, describing the environment in which risk-based decisions are made. The purpose of the risk framing component is to produce a risk management strategy that addresses how organizations intend to assess risk, respond to risk, and monitor risk, making explicit and transparent the risk perceptions that organizations routinely use in making both investment and operational decisions.
-The second component of risk management addresses how organizations assess risk within the context of the organizational risk frame. The purpose of the risk assessment component is to identify:
(i) threats to organizations (i.e., operations, assets, or individuals) or threats directed through organizations against other organizations or the nation;
(ii) vulnerabilities internal and external to organizations;
(iii) the harm (i.e., consequences/impact) to organizations that may occur given the potential for threats exploiting vulnerabilities; and
(iv) the likelihood that harm will occur.
-The third component of risk management addresses how organizations respond to risk once that risk is determined based on the results of risk assessments. The purpose of the risk response component is to provide a consistent, organization-wide response to risk in accordance with the organizational risk frame by:
(i) developing alternative courses of action for responding to risk;
(ii) evaluating the alternative courses of action;
(iii) determining appropriate courses of action consistent with organizational risk tolerance; and
(iv) implementing risk responses based on selected courses of action.
-The fourth component of risk management addresses how organizations monitor risk over time. The purpose of the risk monitoring component is to:
(i) verify that planned risk response measures are implemented and that InfoSec requirements derived from/traceable to organizational missions/business functions, federal legislation, directives, regulations, policies, standards, and guidelines are satisfied;
(ii) determine the ongoing effectiveness of risk response measures following implementation; and
(iii) identify risk-impacting changes to organizational information systems and the environments in which the systems operate.
3 Steps of Risk Control (2. Justifying Controls)
2) Justifying Controls: To justify use of a control, the organization must determine the actual and perceived advantages of the control as opposed to its actual and perceived disadvantages.
-An organization has several ways to determine the advantages and disadvantages of a specific control. The following sections discuss common techniques for making these choices. Note that some of these techniques use dollar expenses and savings implied from economic COST AVOIDANCE, and others use noneconomic feasibility criteria.
-When justifying the acquisition of new controls or safeguards, the management of most organizations would expect to see a carefully developed business case that provides insight into the needs, costs, and values of these acquisitions.
-Information security is described as being in its third "FUD" era, where FUD stands for fear, uncertainty, and doubt.
-In the first FUD era, information security professionals were able to obtain needed controls and other resources simply by preying on the FUD of upper management and asserting, "If you don't buy this, you'll get hacked!" The fear of losing an information asset caused most organizations to overspend on information security, which resulted in inflated information security salaries and complex control implementations that were difficult to maintain.
-Upper management became desensitized to this threat, leading to the second FUD era. This era was marked by the passage of numerous new standards and laws such as Sarbanes-Oxley, so information security demanded new resources by preying again on the FUD of upper management and asserting, "If you don't buy this, you'll go to jail!"
-Management became desensitized again. In the third FUD era, information security professionals must convince upper management to purchase security assets simply because it makes good business sense to do so.
-Thus, information security staff must prepare effective business justifications for information security expenditures, illustrating the costs, benefits, and other reasons that upper management should make the additional investments. Organizations are urged to evaluate the worth of the information assets to be protected and the loss in value if those assets are compromised by an exploited vulnerability. In short, organizations must gauge the cost of protecting an asset against the value of that asset. This formal decision-making process is called a COST-BENEFIT ANALYSIS (CBA) or an economic feasibility study.
-The following list contains some of the items that affect the cost of a control or safeguard:
• Cost of development or acquisition of hardware, software, and services
• Training fees for personnel
• Cost of implementation, which includes the costs to install, configure, and test hardware, software, and services
• Service costs, which include vendor fees for maintenance and upgrades
• Cost of maintenance, which includes labor expenses to verify and continually test, maintain, and update
-The amount of the benefit is usually determined by valuing the information asset(s) exposed by the vulnerability, determining how much of that value is at risk, and determining how much risk exists for the asset.
-The valuation of assets involves estimating real and perceived costs associated with design, development, installation, maintenance, protection, recovery, and defense against loss and litigation. These estimates are calculated for every set of information-bearing systems or information assets.
-A further complication is that some information assets acquire a value over time that is beyond the intrinsic value of the asset under consideration. The higher acquired value is the more appropriate value in most cases.
-This process results in the estimate of potential loss per risk.
Several questions must be asked as part of this process:
• What damage could occur, and what financial impact would it have?
• What would it cost to recover from the attack, in addition to the financial impact of damage?
• What is the single loss expectancy (SLE) for each risk? Note that SLE = exposure factor (EF) * asset value (AV).
-This estimate (the SLE) is then used to calculate another value called annualized loss expectancy.
-Even if network, systems, and security administrators have been actively and accurately tracking occurrences, the organization's information is sketchy at best. As a result, this information is usually estimated.
-In most cases, the probability of a threat occurring is shown in a loosely derived table that indicates the probability of an attack from each threat type within a given time frame (for example, once every 10 years). This value is commonly referred to as the ANNUALIZED RATE OF OCCURRENCE (ARO). To standardize calculations, you convert the rate to a yearly (annualized) value. This value is expressed as the probability of a threat occurrence.
-Once each asset's worth is known, the next step is to ascertain how much loss is expected from a single expected attack and how often these attacks occur. When those values are established, an equation can be completed to determine the overall loss potential per risk. This value is usually determined through the annualized loss expectancy (ALE):
ALE = SLE * ARO (annualized loss expectancy = single loss expectancy * annualized rate of occurrence)
Major stages of Risk Assessment (Continued)
3) Evaluating Loss Magnitude: to determine how much of an information asset could be lost in a successful attack. This quantity is known as the loss magnitude or asset exposure; its evaluation can be quantitative or qualitative.
-The event loss magnitude combines the value of an information asset with the percentage of that asset that would be lost in the event of a successful attack. The difficulty of making these calculations is twofold:
• As mentioned earlier, valuating an information asset is extremely difficult, but if the organization can assess an asset to provide a working value, it is the first component of the loss magnitude.
• The second difficulty is estimating what percentage of an information asset might be lost during each of the best-case, worst-case, and most likely scenarios, given that the organization may have little or no experience in assessing such losses. Again, information from industry surveys, insurance organizations, and other sources may assist.
4) Calculating Risk: If an organization can determine loss frequency and loss magnitude for an asset, it can then calculate the risk to the asset. Risk equals loss frequency times loss magnitude plus an element of uncertainty.
-Risk = (% chance of attack * % chance of success) * (asset value score out of 100 * % of lost/compromised data in a successful attack) + % of inaccuracy
5) Assessing Risk Acceptability: For each threat and its associated vulnerabilities that have residual risk, you must create a ranking of their relative risk levels. These rankings provide a simplistic approach to documenting residual risk—the left-over risk after the organization has done everything feasible to protect its assets. Next, the organization must compare the RESIDUAL RISK to its RISK APPETITE—the amount of risk the organization is willing to tolerate.
-When the organization's risk appetite is less than an asset's residual risk, it must move to the next stage of risk control and look for additional strategies to further reduce the risk. -When the organization's risk appetite is greater than the asset's residual risk, the organization should move to the latter stages of risk control and continue to monitor and assess its controls and assets.
Risk Assessment
A determination of the extent to which an organization's information assets are exposed to risk.
-Determine Loss Frequency (Likelihood)
-Evaluate Loss Magnitude (Impact)
-Calculate Risk
-Assess Risk Acceptability
-Evaluate the relative risk for each vulnerability.
-Risk assessment assigns a risk rating or score to each information asset. While this number does not mean anything in absolute terms, it is useful in gauging the relative risk to each vulnerable information asset and it facilitates the development of comparative ratings later in the risk control process.
Threats-Vulnerabilities-Assets (TVA) Worksheet
A document that shows a comparative ranking of prioritized assets against prioritized threats, with an indication of any vulnerabilities in the asset/threat pairings.
-At the end of the risk identification process, you should have a prioritized list of assets and their vulnerabilities. You should also have a list that prioritizes the threats facing the organization based on the weighted table discussed earlier. These two lists can be combined into a threats-vulnerabilities-assets (TVA) worksheet in preparation for adding vulnerability and control information during risk assessment.
-Along with supporting documentation from the identification process, this worksheet serves as the starting point for the next step in the risk management process—risk assessment.
-Assets are placed along the horizontal axis, with the most important asset at the left. The prioritized list of threats is placed along the vertical axis, with the most important or most dangerous threat listed at the top. The resulting grid provides a convenient method of determining the exposure of assets and allows a simplistic vulnerability assessment.
Data Classification Scheme
A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it. -You should also include a dimension to represent the sensitivity and security priority of the data and the devices that store, transmit, and process the data—that is, a data classification scheme. A simple data classification scheme could include levels of confidential, internal, and public.
Threats-Vulnerabilities-Assets (TVA) Triples
A pairing of an asset with a threat and an identification of vulnerabilities that exist between the two. This pairing is often expressed in the format TxVyAz, where there may be one or more vulnerabilities between Threat X and Asset Z. For example, T1V1A2 would represent Threat 1 to Vulnerability 1 on Asset 2.
-As you begin the risk assessment process, create a list of threats-vulnerabilities-assets (TVA) triples to help identify the severity of vulnerabilities.
-In the risk assessment phase, the assessment team examines not only vulnerabilities but any existing controls that protect the asset or mitigate possible losses. Cataloging and categorizing these controls is the next step in the TVA spreadsheet.
Components of Risk Identification: 2) Identifying, Inventorying, and Categorizing Assets
A) People, Procedures, and Data Asset Identification:
• People: Position name, number, or ID (avoid using people's names and stick to identifying positions, roles, or functions); supervisor; security clearance level; special skills
• Procedures: Description; intended purpose; relationship to software, hardware, and networking elements; storage location for reference; storage location for update
• Data: Classification; owner, creator, and manager; size of data structure; data structure used (sequential or relational); online or offline; location; backup procedures employed. As you develop the data tracking process, consider carefully how much data should be tracked and for which specific assets.
B) Hardware, Software, and Network Asset Identification:
• Name: Use the most common device or program name. Organizations may have several names for the same product.
• IP address: This can be a useful identifier for network devices and servers, but it does not usually apply to software. You can, however, use a relational database to track software instances on specific servers or networking devices. IP address use in inventory is usually limited to devices that use static IP addresses (because of DHCP).
• Media access control (MAC) address: MAC addresses are sometimes called electronic serial numbers or hardware addresses. As part of the TCP/IP standard, all network interface hardware devices have a unique number. The MAC address number is used by the network operating system to identify a specific network device.
• Element type: For hardware, you can develop a list of element types, such as servers, desktops, networking devices, or test equipment. The list can have any degree of detail you require. Types may need to be recorded at two or more levels of specificity.
• Serial number: For hardware devices, the serial number can uniquely identify a specific device.
Some software vendors also assign a software serial number to each instance of the program licensed by the organization.
• Manufacturer name: Record the manufacturer of the device or software component. This can be useful when responding to incidents that involve the device or when certain manufacturers announce specific vulnerabilities.
• Manufacturer's model number or part number: Record the model or part number of the element. This exact record of the element can be very useful in later analysis of vulnerabilities, because some vulnerability instances apply only to specific models of certain devices and software components.
• Software version, update revision, or FCO number: Whenever possible, document the specific software or firmware revision number and, for hardware devices, the current field change order (FCO) number. An FCO is an authorization issued by an organization for the repair, modification, or update of a piece of equipment. The equipment is not returned to the manufacturer, but is usually repaired at the customer's location, often by a third party.
• Physical location: Note the element's physical location. This information may not apply to software elements, but some organizations have license terms that specify where software can be used. This information falls under asset inventory, which can be performed once the identification process is started.
• Logical location: Note where the element can be found on the organization's network. The logical location is most useful for networking devices and indicates the logical network where the device is connected. Again, this information is an inventory item that is important to track for identification purposes.
• Controlling entity: Identify which organizational unit controls the element. Sometimes a remote location's onsite staff controls a networking device, and sometimes the central network team controls other devices of the same make and model.
Loss Magnitude
Also known as event loss magnitude, the combination of an asset's value and the percentage of it that might be lost in an attack.
Cost-Benefit Analysis (CBA)
Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization.
-CBA (or economic feasibility) determines whether a particular control is worth its cost.
-The CBA is most easily calculated using the ALE from earlier assessments before implementation of the proposed control, which is known as ALE(prior). Subtract the revised ALE, which is estimated based on the control being in place; this revised value is known as ALE(post). Complete the calculation by subtracting the ANNUALIZED COST OF SAFEGUARD (ACS):
CBA = ALE(prior) - ALE(post) - ACS
Asset Exposure
Also known as event loss magnitude, the combination of an asset's value and the percentage of it that might be lost in an attack
Baseline
An assessment of the performance of some action or process against which future performance is assessed; the first measurement (benchmark) in benchmarking.
Qualitative Assessment
An asset valuation approach that uses categorical or non-numeric values rather than absolute numerical measures.
Benchmarking
An attempt to improve information security practices by comparing an organization's efforts against practices of a similar organization or an industry-developed standard to produce results it would like to duplicate. Sometimes referred to as external benchmarking.
-Benchmarking involves seeking out and studying practices used in other organizations that produce results you would like to duplicate in your organization. An organization typically benchmarks itself against other institutions by selecting a measure upon which to base the comparison. The organization then measures the difference between the way it conducts business and the way the other organizations do business.
-When benchmarking, an organization typically uses one of two types of measures to compare practices: METRICS-BASED MEASURES or process-based measures.
-Metrics-based measures are based on numerical standards, such as:
• Numbers of successful attacks
• Staff-hours spent on systems protection
• Dollars spent on protection
• Numbers of security personnel
• Estimated value in dollars of the information lost in successful attacks
• Loss in productivity hours associated with successful attacks
-PERFORMANCE GAPS provide insight into areas that an organization should work on to improve its security postures and defenses. The other measures commonly used in benchmarking are process-based measures, which are generally less focused on numbers and are more strategic than metrics-based measures. For each area the organization is interested in benchmarking, process-based measures enable it to examine the activities it performs in pursuit of its goal, rather than the specifics of how the goals are attained. The primary focus is the method the organization uses to accomplish a particular process, rather than the outcome.
-In information security, two categories of benchmarks are used: standards of due care and due diligence, and best practices.
When organizations adopt levels of security for a legal defense, they may need to show they did what any prudent organization would do in similar circumstances. This standard of due care makes it insufficient to implement standards and then ignore them. The application of controls at or above prescribed levels and the maintenance of those standards of due care show that the organization has performed due diligence.
-The security an organization is expected to maintain is complex and broad in scope.
-Organizations must make sure they have met a reasonable level of security across the board, protecting all information, before beginning to improve individual areas to reach a higher standard. Security efforts that seek to provide a superior level of performance in the protection of information are referred to as BEST BUSINESS PRACTICES, or simply best practices or recommended practices.
-Benchmarking best practices is accomplished using the metrics-based or process-based measures described earlier.
Political Feasibility
An examination of how well a particular solution fits within the organization's political environment, for example, the working relationship within the organization's communities of interest or between the organization and its external environment.
-For some organizations, the most important feasibility evaluated may be political feasibility.
-Politics has been defined as "the art of the possible." The information security controls that limit an organization's actions or behaviors must fit within the realm of the possible before they can be effectively implemented, and that realm includes the availability of staff resources.
Operational Feasibility
An examination of how well a particular solution fits within the organization's strategic planning objectives and goals. -Operational feasibility analysis addresses several key areas that are not covered by the other feasibility measures. Operational feasibility, also known as behavioral feasibility, measures employees' acceptance of proposed changes. A fundamental requirement of systems development is user buy-in. If users do not accept a new technology, policy, or program, it will fail. One of the most common methods for obtaining user acceptance and support is to encourage user involvement. To promote user involvement, an organization can take three simple steps: communicate, educate, and involve. -Organizations should communicate with system users throughout the development of the security program to let them know that changes are coming. -Organizations should design training to educate employees about how to work under the new constraints and avoid any negative impact on performance. The organization must also involve users by asking them what they want from the new systems and what they will tolerate from them, and by including selected representatives from various constituencies in the development process.
Organizational Feasibility
An examination of how well a particular solution fits within the organization's strategic planning objectives and goals. Organizational feasibility analysis examines how the proposed control must contribute to the organization's strategic objectives. Above and beyond their impact on the bottom line, the organization must determine how the proposed alternatives contribute to its business objectives.
Technical Feasibility
An examination of how well a particular solution is supportable given the organization's current technological infrastructure and resources, which include hardware, software, networking, and personnel. In addition to the economic costs and benefits of proposed controls, the project team must also consider the technical feasibility of their design, implementation, and management. Some safeguards, especially technology-based safeguards, are extremely difficult to implement, configure, and manage.
-Technical feasibility also examines whether the organization has the expertise to manage the new technology. These issues must be examined in detail before a new set of controls is acquired. Many organizations rush to acquire new safeguards without completely examining the associated requirements.
Clean Desk Policy
An organizational policy that specifies employees must inspect their work areas and ensure that all classified information, documents, and materials are secured at the end of every work day. -This type of policy does not mean the office itself is clean, but only that all classified data has been secured.
Documenting the Results of Risk Assessment
By the end of the risk assessment process, you will probably have long lists of information assets and data about each of them.
-The final summarized document is the RANKED VULNERABILITY RISK WORKSHEET, which is organized as follows:
• Asset: List each vulnerable asset.
• Asset relative value: Show the results for the asset from the weighted factor analysis worksheet.
• Vulnerability: List each uncontrolled vulnerability. Some assets might be listed more than once.
• Loss frequency: Estimate the cumulative likelihood that the vulnerability will be successfully exploited by threat agents.
• Loss magnitude: Calculate the estimated loss magnitude by multiplying the asset's relative value by the loss frequency.
-The ranked vulnerability risk worksheet is the initial working document for the next step in the risk management process: assessing and controlling risk.
Components of Risk Identification: 2) Identifying, Inventorying, and Categorizing Assets (Continued)
C) Information Asset Inventory: Creating an inventory of information assets is a critical function of understanding what the organization is protecting. Unless the information assets are identified and inventoried, they cannot be effectively protected. The inventory process is critical in determining where information is located; most commonly it is in storage.
-The inventory process involves formalizing the identification process in some form of organizational tool. At this point in the process, simple spreadsheets and database tools can provide effective record keeping. The inventory information can be updated later with classification and valuation data. Automated tools can sometimes identify the system elements that make up hardware, software, and network components. Once stored, the inventory listing must be kept current, often by means of a tool that periodically refreshes the data.
D) Asset Categorization: the risk management categorizations introduce several new subdivisions:
• People comprise employees and nonemployees. There are two subcategories of employees: those who hold trusted roles and have correspondingly greater authority and accountability, and other staff who have assignments without special privileges. Non-employees include contractors and consultants, members of other trusted organizations, and strangers.
• Procedures essentially belong in one of two categories: procedures that do not expose knowledge a potential attacker might find useful, and sensitive procedures that could allow an adversary to gain an advantage or craft an attack against the organization's assets. These business-sensitive procedures may introduce risk to the organization if they are revealed to unauthorized people.
• Data components account for the management of information in all its states: transmission, processing, and storage. These expanded categories solve the problem posed by the term data, which is usually associated with databases and not the full range of modalities of data and information used by a modern organization.
• Software components are assigned to one of three categories: applications, operating systems, or security components. Security components can be applications or operating systems, but they are categorized as part of the information security control environment and must be protected more thoroughly than other system components.
• Hardware is assigned to one of two categories: the usual system devices and their peripherals, and devices that are part of information security control systems. The latter must be protected more thoroughly than the former because networking subsystems are often the focal point of attacks against the system; they should be considered special cases rather than combined with general hardware and software components.
Components of Risk Identification: 3) Classifying, Valuing, and Prioritizing Information Assets (Continued 2)
D) Information Asset Prioritization: Once the inventory and value assessment are complete, you can prioritize each asset using a straightforward process known as "weighted factor analysis" or simply using a weighted table. In this process, each information asset is assigned scores for a set of assigned critical factors.
-Scores range from 0.1 to 1.0, which is the range of values recommended in NIST SP 800-30, Risk Management for Information Technology Systems. In addition, each critical factor is assigned a weight ranging from 1 to 100 to show the criterion's assigned importance for the organization.
-Identifying and Prioritizing Threats: After an organization identifies and performs the preliminary classification of its information assets, the analysis phase next examines threats to the organization. This examination is known as a THREAT ASSESSMENT. You can begin a threat assessment by answering a few basic questions, as follows:
• Which threats present a danger to an organization's assets in the given environment? Not all threats have the potential to affect every organization. Specific threats may be eliminated because of very low probability.
• Which threats represent the most danger to the organization's information? The degree of danger from a threat is difficult to assess. Danger may be the probability of a threat attacking the organization, or it can represent the amount of damage the threat could create. It can also represent the frequency with which an attack can occur. You can use both quantitative and qualitative measures to rank values.
• How much would it cost to recover from a successful attack? One calculation that guides corporate spending on controls is the cost of recovery operations in the event of a successful attack. At this preliminary phase, it is not necessary to conduct a detailed assessment of the costs associated with recovering from a particular attack. The goal of this phase is a rough assessment of the cost to recover operations if an attack interrupts normal business operations and requires recovery.
• Which of the threats would require the greatest expenditure to prevent? In addition to examining the previous cost of recovering from attacks, organizations must determine the cost of protecting against threats. The cost of protecting against some threats, such as malicious code, is nominal. The cost of protection from forces of nature, on the other hand, can be very great. As a result, the amount of time and money invested in protecting against a particular threat is moderated by the amount of time and money required to fully protect against that threat.
Annualized Cost of a Safeguard (ACS)
In a cost-benefit analysis, the total cost of a control or safeguard, including all purchase, maintenance, subscription, personnel, and support fees, divided by the total number of expected years of use.
Exposure Factor (EF)
In a cost-benefit analysis, the expected percentage of loss that would occur from a particular attack.
Microsoft Best Practices
Microsoft focuses on the following seven key areas for home users:
1. Use antivirus software.
2. Use strong passwords.
3. Verify your software security settings.
4. Update product security.
5. Build personal firewalls.
6. Back up early and often.
7. Protect against power surges and loss.
For small businesses, Microsoft recommends the following:
1. Protect desktops and laptops—Keep software up to date, protect against viruses, and set up a firewall.
2. Keep data safe—Implement a regular backup procedure to safeguard critical business data, set permissions, and use encryption.
3. Use the Internet safely—Unscrupulous Web sites, popups, and animations can be dangerous. Set rules about Internet usage.
4. Protect the network—Remote network access is a security risk you should closely monitor. Use strong passwords and be especially cautious about wireless networks.
5. Protect servers—Servers are the network's command center. Protect your servers.
6. Secure line-of-business applications—Make sure that critical business software is fully secure around the clock.
7. Manage computers from servers—Without stringent administrative procedures in place, security measures may be unintentionally jeopardized by users.
In support of security efforts, Microsoft offers "The Ten Immutable Laws of Security" as follows:
Law #1: If a bad guy can persuade you to run his program on your computer, it's not solely your computer anymore.
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
Law #4: If you allow a bad guy to run active content in your Web site, it's not your Web site anymore.
Law #5: Weak passwords trump strong security.
Law #6: A computer or connected device is only as secure as the administrator is trustworthy.
Law #7: Encrypted data is only as secure as its decryption key.
Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.
Law #9: Absolute anonymity isn't practically achievable, online or offline.
Law #10: Technology is not a panacea.
3 Major Components of Risk Management
Risk Identification -> Risk Assessment -> Risk Control
- Initially, the organization must identify and understand the risk it faces, especially the risk to information assets. Once identified, risk must be assessed, measured, and evaluated. The key determination is whether the risk an organization faces exceeds its comfort level. If not, the organization is satisfied with the risk management process. Otherwise, the organization needs to do something to reduce risk to an acceptable level.
Best Business Practices
Security efforts that are considered among the best in the industry.
- Best security practices are security efforts that are among the finest in the industry, balancing the need for access to information with adequate protection. Best practices seek to provide as much security as possible for information and systems while maintaining a solid degree of fiscal responsibility.
- Applying Best Practices: When considering best practices for adoption, think about the following:
• Does your organization resemble the identified target organization that is considering the best practice? Is your organization in a similar industry as the target? A strategy that works well in manufacturing organizations often has little bearing in a nonprofit organization. Does your organization face similar challenges as the target? If your organization does not have a functioning information security program, a best-practice target that assumes you do is not useful. Is your organization's structure similar to the target's? Obviously, a best practice proposed for a home office setting is not appropriate for a multinational company.
• Can your organization expend resources similar to those identified with the best practice? If your approach is significantly limited by the organization's resources, it is not useful to submit a best-practice proposal that assumes unlimited funding.
• Is your organization in a similar threat environment as the one proposed in the best practice? A best practice from months or even weeks ago may not be appropriate for the current threat environment. Think of the best practices for Internet connectivity that were required for modern organizations in 2001 and compare them to today's best practices.
Likelihood and Impact: The Simpler Method
Some organizations assess risk using a simplified definition and calculation of likelihood and impact. This version, based on NIST SP 800-30 Rev. 1, views likelihood as the probability of a successful attack, as loss frequency was described earlier. It also views impact as the result of a successful attack, as expected loss was described earlier. This method is implemented in industry-leading software such as Clearwater Compliance's Analysis application within its Information Risk Management suite. This application is designed to support the entire risk management process from Asset Inventory (risk identification) through Risk Determination (risk assessment) to Risk Response (risk control).
- Likelihood is identified on a simple, qualitative six-point scale ranging from Not Applicable (0) to Almost Certain (5), while risk impact is assessed on a similar scale from Not Applicable threat (0) to Disastrous (5).
- Risk is then calculated using a simple formula of Likelihood multiplied by Impact (Risk = Likelihood * Impact).
- All risk levels below the organization's risk appetite are automatically accepted.
- Risk levels above the risk appetite are addressed through RISK CONTROLS.
Avoidance of Competitive Disadvantage
The adoption and implementation of a business model, method, technique, resource, or technology to prevent being outperformed by a competing organization; working to keep pace with the competition through innovation, rather than falling behind.
- Organizations cannot expect the implementation of new technologies to provide a competitive lead over others in the industry.
- Effective IT-enabled organizations quickly absorb relevant emerging technologies not just to gain or maintain competitive advantage, but to avoid loss of market share from an inability to maintain the highly responsive services required by their stakeholders.
- To keep up with the competition, organizations must design and create safe environments in which their business processes and procedures can function.
Risk Control
The application of controls that reduce the risks to an organization's information assets to an acceptable level.
- Risk control involves three basic steps: selection of control strategies, justification of these strategies to upper management, and the implementation, monitoring, and ongoing assessment of the adopted controls.
A) Select Control Strategies: Risk control involves selecting one of the five risk control strategies for each vulnerability.
- Some rules of thumb for selecting a risk control strategy:
• When a vulnerability exists, implement security controls to reduce the likelihood of the vulnerability being exploited.
• When a vulnerability can be exploited, apply layered protections, architectural designs, and administrative controls to minimize risk or prevent occurrence.
• When the attacker's cost is less than his or her potential gain, apply protections to increase the attacker's cost. For example, use system controls to limit what a system user can access and do, which significantly reduces an attacker's gain.
• When potential loss is substantial, apply design principles, architectural designs, and other protections to limit the extent of the attack. These protections reduce the potential for loss.
- By adopting all reasonable and prudent measures given its risk appetite, an organization can implement an effective security strategy.
B) Justify Controls
C) Implement, Monitor, & Assess Controls
Problems With the Application of Benchmarking and Best Practices
The biggest problem with benchmarking and best practices in information security is that organizations don't talk to each other. A successful attack is viewed as an organizational failure, not as a lesson. Because these valuable lessons are not recorded, disseminated, and evaluated, the entire industry suffers.
- Security administrators often submit sanitized accounts of attacks to security journals after removing details that could identify the targeted organization.
- Most organizations refuse to acknowledge, much less publicize, the occurrence of successful attacks.
- Another problem with benchmarking is that no two organizations are identical. Even if two organizations are producing goods or services in the same market, their sizes, compositions, management philosophies, organizational cultures, technological infrastructures, and security budgets may differ dramatically.
- A third problem is that best practices are a moving target. What worked well two years ago may be completely worthless against today's threats. Security practices must keep abreast of new threats in addition to the methods, techniques, policies, guidelines, educational and training approaches, and technologies used to combat those threats.
- A final issue to consider is that simply researching information security benchmarks doesn't necessarily prepare a practitioner for what to do next. It is said that those who cannot remember the past are condemned to repeat it. In security, those who do not prepare for common attacks see them occur again and again.
Loss Frequency
The calculation of the likelihood of an attack coupled with the attack frequency to determine the expected number of losses within a specified time range.
- Loss frequency is the probability that an organization will be the target of an attack, multiplied by the probability that the organization's information assets will be successfully compromised if attacked.
Cost Avoidance
The financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident.
Attack Success Probability
The number of successful attacks that are expected to occur within a specified time period.
Likelihood
The probability that a specific vulnerability within an organization will be the target of an attack.
Asset Valuation
The process of assigning financial value or worth to each information asset.
Baselining
The process of conducting a baseline. An activity related to benchmarking is baselining. For example, an organization could establish a baseline to measure the number of attacks against it per week. In the future, this baseline can serve as a reference point to determine if the average number of attacks is increasing or decreasing. In information security, baselining can provide the foundation for internal benchmarking. The information gathered for an organization's first risk assessment becomes the baseline for future comparisons. Therefore, it is important for the initial baseline to be accurate. The National Institute of Standards and Technology has two publications specifically written to support these activities:
• SP 800-27, Rev. A, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), June 2004
• SP 800-53, Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013, and NIST Special Publication 800-53A, Rev. 4: Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans, December 2014.
Risk management
The process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level.
Risk Appetite
The quantity and nature of the risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.
- For instance, a financial services company that is regulated by government and conservative by nature may seek to apply every reasonable control and even some invasive controls to protect its information assets.
- Less regulated organizations may also be conservative by nature, and seek to avoid the negative publicity associated with the perceived loss of integrity from an exploited vulnerability.
- Other organizations may take on dangerous risks through ignorance.
- The reasoned approach to risk is one that balances the expense of controlling vulnerabilities against possible losses if the vulnerabilities are exploited. (Note that expenses in this context are considered both in terms of finance and the usability of information assets.) There is a well-known directive in information security: Never spend more to protect an asset than the asset is worth.
- The key for the organization is to find balance in its decision-making and feasibility analyses, which ensures that its risk appetite is based on experience and facts instead of ignorance or wishful thinking.
Risk Identification
The recognition, enumeration, and documentation of risks to an organization's information assets.
- Identify, Inventory, & Categorize Assets
- Classify, Value, & Prioritize Assets
- Identify & Prioritize Threats
- Specify Asset Vulnerabilities
Defense Risk Control Strategy
The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards. Also known as the avoidance strategy.
Mitigation Risk Control Strategy
The risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation.
Transference Risk Control Strategy
The risk control strategy that attempts to shift risk to other assets, other processes, or other organizations.
Termination Risk Control Strategy
The risk control strategy that eliminates all risk associated with an information asset by removing it from service.
Acceptance Risk Control Strategy
The risk control strategy that indicates the organization is willing to accept the current level of risk. As a result, the organization makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation.
Residual Risk
The risk to information assets that remains even after current controls have been applied.
- When vulnerabilities have been controlled as much as possible, any remaining risk that has not been removed, shifted, or planned for is called residual risk: the risk that is left over after the risk management process has concluded.
- Residual risk is a combined function of: (1) a threat less the effect of threat-reducing safeguards, (2) a vulnerability less the effect of vulnerability-reducing safeguards, and (3) an asset less the effect of asset value-reducing safeguards.
- The significance of residual risk must be judged within the context of the organization. Although it might seem counterintuitive, the goal of information security is not to bring residual risk to zero; it is to bring residual risk into line with an organization's comfort zone or risk appetite.
- If residual risk is less than or equal to the organization's risk appetite, then the risk management team has done its job.
- When management requires details about a specific risk to the organization, risk assessment may be documented in a topic-specific report.
Quantitative Assessment
The steps described in the previous section were performed using actual values or estimates. This approach is known as a quantitative assessment.
Behavioral Feasibility
see operational feasibility.