Review of Enterprise Security Risk Management Rand W. Hirt CISSP, CISA Sr. Systems Security Specialist

Jul 23, 2015

Page 1: Review of Enterprise Security Risk Management

Rand W. Hirt, CISSP, CISA
Sr. Systems Security Specialist

Page 2

Let’s start with the basics…

Let’s define Risk (from a security perspective):

Risk = Likelihood of an occurrence of an adverse event (probability) x impact of the adverse event should it occur (value).

Thus, the measure of Risk is the product of threat, vulnerability and asset values.

Page 3

Risk Management concept

Therefore, Risk Management is defined as:

RM = the identification, selection and adoption of countermeasures to mitigate identified risks to assets and the reduction of those risks to acceptable levels, as determined by key stakeholders and executive management.

Page 4

Risk Management, cont.

Once Risk levels have been determined, Risk is treated in one of several ways:

• Risk Acceptance (accept as is or decide proposed controls are too expensive)

• Risk Transfer (e.g. insurance or outsourcing)

• Risk Mitigation (apply further controls/countermeasures)

Page 5

Risk Management, cont.

Once Risk has been identified and mitigated to acceptable levels, continuous monitoring of the Enterprise will provide assurance that the Company’s Risk posture will remain consistent and that any new risks introduced into the environment can be identified, rated and mitigated to acceptable levels.

Page 6

Risk Management, cont.

The process looks like this:

[Figure: Risk Management process diagram, after ISO/IEC Guide 73 Risk Management - Vocabulary - Guidelines]

Page 7

Risk Management vs. Risk Assessment

Risk Assessment is a means to an end: it serves the overall objective of the Risk Management process.

              Risk Management                                    Risk Assessment
Goal          Manage risks across business to acceptable level   Identify and prioritize risks
Cycle         Overall program across all phases                  Single phase of risk management program
Schedule      Ongoing                                            As needed
Alignment     Aligned with budgeting cycles                      N/A

Page 8

Risk Assessment approaches

There are two primary methods to approach Risk Assessments:

• Quantitative (calculate objective numeric values to derive a cost/benefit analysis)

• Qualitative (calculate relative values not tied to actual financial values for cost/benefit)

Page 9

Approach to Assessing Risk, cont.

Advantages/Disadvantages of either approach:

Benefits

Quantitative:
• Risks are prioritized by financial impact; assets are prioritized by financial values.
• Results facilitate management of risk by return on security investment.
• Results can be expressed in management-specific terminology (for example, monetary values and probability expressed as a specific percentage).
• Accuracy tends to increase over time as the organization builds a historic record of data while gaining experience.

Qualitative:
• Enables visibility and understanding of risk ranking.
• Easier to reach consensus.
• Not necessary to quantify threat frequency.
• Not necessary to determine financial values of assets.
• Easier to involve people who are not experts on security or computers.

Drawbacks

Quantitative:
• Impact values assigned to risks are based on subjective opinions of participants.
• Process to reach credible results and consensus is very time consuming.
• Calculations can be complex and time consuming.
• Results are presented in monetary terms only, and they may be difficult for non-technical people to interpret.
• Process requires expertise, so participants cannot be easily coached through it.

Qualitative:
• Insufficient differentiation between important risks.
• Difficult to justify investing in control implementation because there is no basis for a cost-benefit analysis.
• Results are dependent upon the quality of the risk management team that is created.

Page 10

Attributes of an effective Risk Assessment methodology

• Should result in an explicit definition of objectives and contain explicit steps and supporting templates to assist in that goal.

• Should provide explicit definitions of what Security risk is, vs. Project risk, Business risk, etc.

• Should be aimed at modeling and documenting risks qualitatively.

• Should be able to use both ratio and ordinal scale risk rankings to prioritize risks reliably.

• Should use the concept of utility loss to rank the loss associated with risk.

• Should have operational guidance and training support and a tutorial available, along with templates and examples.

Page 11

So, which approach will we use?

• The Microsoft Security Risk Management process uses a Hybrid approach that joins the best of both traditional approaches.
  – Uses a Qualitative approach to assess over-all risk.
  – Uses a Quantitative approach (if desired) to assess the High Impact assets within the Organization.

• Faster than traditional Quantitative approach.

• Yields more detailed and justifiable results that executives want over a traditional Qualitative approach.

• Meets most, if not all, of the desired qualities of an effective Risk Assessment methodology.

• The MSRM Guide was reviewed by participants from major corporations (Siemens, BofA) for writing, developing and testing, including NIST for comments that were incorporated into the guide.

Page 12

Risk Management - Phases

[Figure: Microsoft’s approach to RM (not included in the transcript)]

Page 13

Standard’s PDCA approach

Looks consistent with the standard's stated PDCA approach:

[Figure not included in the transcript]

Page 14

The Risk Assessment Process (High Level)

The 5 Step process for the Risk Assessment:

1. Determine Scope of Assessment
   - Budget, Boundaries, Objectives, etc.
   - What assets are we trying to protect?

2. Gather Information
   - Questionnaires directed at specific groups/project members
   - Acquiring information from specific areas:
     Administrative (policies, training, organization, etc.)
     Technical (controls, configurations, pen tests, etc.)
     Physical (procedures, observations, etc.)

3. Assess Risk
   - Asset valuation/criticality
   - Threat/Vulnerability mapping
   - Calculating risk
   - Obtaining consensus

4. Recommend Controls
   - What’s the cost?
   - What’s the effectiveness (preventative, detective, corrective)?
   - Are there unintended consequences of the proposed solution?

5. Determine Residual Risk
   - Is it at an acceptable level?
   - What are the trade-offs, if any, and are they acceptable to implement?

Page 15

The Risk Assessment Process (Lower Level)

Step 1 – Determine Scope of Assessment

• Enterprise vs. project/system

• Budget and/or deadlines to consider

• Identify Stakeholders to the Assessment

• Identify the Assets that are relevant to the Assessment

• Develop a step by step plan to address these concerns

Page 16

The Risk Assessment Process (Lower Level)

Step 2 – Gathering Information

• Use of questionnaires can help speed up the process

• Data gathering involves three main areas:

  1. Administrative areas
     a. Policies
     b. Procedures
     c. Staff interviews

  2. Technical areas
     a. Configurations (Architecture/Design)
     b. Current controls (i.e. Hardening, Patching, etc.)
     c. Targeted Vulnerability/Penetration testing

  3. Physical areas
     a. Procedures and Safeguards (HA, Fault Tolerance, etc.)
     b. Access control (physical)
     c. Documentation (BCP and DR processes)

Page 17

The Risk Assessment Process (Lower Level)

Step 3 – Assessing Risk

The object is to arrive at a well-formed Risk Statement. We do this as follows:

Ex: A Hacker (Threat Agent) may exploit known vulnerabilities (Vulnerability) in the remote authentication protocol (Vulnerability Target) to disrupt (Policy violated) remote authentication (Asset exposed).

Page 18

The Risk Assessment Process (Lower Level)

Step 3 – Assessing Risk

The specific steps to arrive at a well-formed Risk Statement:

• Classify Assets
  • Low Business Impact (LBI) - public information, high-level information
  • Medium Business Impact (MBI) - Network designs, employee lists, purchase order info.
  • High Business Impact (HBI) - Financial data, PII, SSNs, medical record info.

• Define Threats and Vulnerabilities
  • Threat Agents
  • Identify current Vulnerabilities

• Calculate Asset Exposure (Impact)
  • Low exposure (minor or no loss)
  • Medium exposure (limited or moderate loss)
  • High exposure (severe or complete loss)

• Estimate the Threat Probability
  • Low (Not probable - not expected to occur within 3 years)
  • Medium (Probable - expected to occur within 2-3 years)
  • High (Likely - one or more occurrences within 1 year)
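The following is an added worked example, not code from the slides or from the Microsoft guide: it builds the well-formed Risk Statement in the template of Page 17 and rates each risk on the qualitative scale of Page 18. The asset classes (LBI/MBI/HBI), the exposure levels and the probability bands are the slides' own; the 1/2/3 scores attached to each rating, the rule impact = asset class x exposure, and the High/Medium/Low thresholds on the resulting 1..27 scale are assumptions made for this example, as is the sample register (the first entry is the slide's own example).

```python
"""Well-formed risk statements and qualitative risk rating for Step 3 (added example).

The asset classes (LBI/MBI/HBI), exposure levels and probability bands are the ones
on the slides. The 1/2/3 scores, the rule impact = asset class x exposure, and the
High/Medium/Low thresholds on the resulting 1..27 scale are this example's own
assumptions, not the slides'.
"""
from dataclasses import dataclass
from typing import List

ASSET_CLASS = {"LBI": 1, "MBI": 2, "HBI": 3}      # business impact of the asset
EXPOSURE = {"Low": 1, "Medium": 2, "High": 3}     # extent of loss if the threat succeeds
PROBABILITY = {"Low": 1, "Medium": 2, "High": 3}  # Low: >3 yrs, Medium: 2-3 yrs, High: <1 yr


@dataclass
class Risk:
    threat_agent: str
    vulnerability: str
    target: str
    policy_violated: str   # what the threat does to the asset: disrupt, read, alter ...
    asset: str
    asset_class: str       # LBI / MBI / HBI
    exposure: str          # Low / Medium / High
    probability: str       # Low / Medium / High

    def statement(self) -> str:
        """Page 17 template: <Threat Agent> may exploit <Vulnerability> in
        <Vulnerability Target> to <Policy violated> <Asset exposed>."""
        return (f"{self.threat_agent} may exploit {self.vulnerability} in "
                f"{self.target} to {self.policy_violated} {self.asset}.")

    def impact(self) -> int:
        """Asset exposure (impact) on a 1..9 scale (assumed: class x exposure)."""
        return ASSET_CLASS[self.asset_class] * EXPOSURE[self.exposure]

    def score(self) -> int:
        """Risk = likelihood x impact (Page 2), here on a 1..27 qualitative scale."""
        return PROBABILITY[self.probability] * self.impact()

    def level(self) -> str:
        """Assumed thresholds: High >= 12, Medium >= 4, otherwise Low."""
        s = self.score()
        return "High" if s >= 12 else "Medium" if s >= 4 else "Low"


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Rank the register for the consensus discussion, highest score first."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


# Constructed sample register; the first entry is the slide's own example.
REGISTER = [
    Risk("A hacker", "known vulnerabilities", "the remote authentication protocol",
         "disrupt", "remote authentication", "HBI", "High", "Medium"),
    Risk("An unauthorized visitor", "an unlocked file room", "the HR office",
         "read", "employee lists", "MBI", "Medium", "Low"),
    Risk("A disgruntled employee", "missing separation of duties",
         "the purchase order workflow", "alter", "purchase order information",
         "MBI", "High", "Medium"),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"[{r.level():6}] score={r.score():2}  {r.statement()}")
```

Because the scoring multiplies three ratings, an HBI asset with Medium probability still outranks an MBI asset with High exposure; that is the sort of ordering the consensus step on Page 14 should confirm or overrule before controls are recommended.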

Page 19

The Risk Assessment Process (Lower Level)

Step 3 – Assessing Risk (cont.)

We can do a finer-grained analysis on High Value Assets:

[Figure not included in the transcript]

Page 20

The Risk Assessment Process (Lower Level)

Step 3 – Assessing Risk (cont.)

Which results in a finer-grained result:

[Figure not included in the transcript]

Page 21

The Risk Assessment Process (Lower Level)

Step 4 – Recommend Controls

1. Identify Functional Requirements
   • Need to define objectives of control

2. Identify Control Solutions
   • Organizational controls (separation of duties, etc.)
   • Operational controls (physical protections, etc.)
   • Technological controls (Authentication, Access control, etc.)

3. Review Solution vs. Requirements
   • Does it meet the Functional requirements?
   • Are there unintended consequences of the proposed solution?

4. Estimating Degree of Risk Reduction
   • Will it stop the Threat Agent, or detect an Exploit?

5. Estimating the Solution Cost
   • Acquisition, Implementation, On-going, Training, Productivity, etc.

6. Selecting the Risk Mitigation Solution

Page 22

The Risk Assessment Process (Lower Level)

Step 5 – Determine Residual Risk

• Does the proposed Solution reduce Risk to an acceptable level?

• Are there trade-offs to the proposed Solution, and if so, are they acceptable to implement?

• Would Management rather Transfer or Assign the Residual Risk?
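The following is an added example, not code from the slides or the Microsoft guide, that carries Steps 4 and 5 (Pages 21 and 22) through for a single risk in the quantitative form the slides allow for High Impact assets: it estimates the degree of risk reduction and the solution cost for every combination of candidate controls, keeps only the combinations that bring residual loss to the acceptable level, and reports whether the outcome is mitigation or a transfer/acceptance decision for management. It assumes the slides' Risk = likelihood x impact with likelihood in events per year and impact in dollars, and models each control by the fraction of likelihood and of per-event impact it removes; the control names, percentages and dollar figures are constructed for illustration.

```python
"""Control selection and residual-risk check for Steps 4 and 5 (added example).

Assumes the quantitative form of the slides' definition Risk = likelihood x
impact: annual likelihood (events per year) times impact in dollars gives an
expected annual loss. Each control is modelled by the fraction of likelihood
and of per-event impact it removes plus its annual cost. The control names,
percentages and dollar figures below are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Iterable, Optional, Sequence


@dataclass(frozen=True)
class Control:
    name: str
    kind: str                    # preventative / detective / corrective (Page 14)
    annual_cost: float           # acquisition + implementation (amortised) + ongoing + training
    likelihood_reduction: float  # fraction of event likelihood removed, 0..1
    impact_reduction: float      # fraction of per-event loss removed, 0..1


def expected_annual_loss(likelihood: float, impact: float) -> float:
    """Risk = likelihood x impact (Page 2), here in dollars per year."""
    return likelihood * impact


def residual_loss(likelihood: float, impact: float, controls: Iterable[Control]) -> float:
    """Apply each control's reductions multiplicatively (assumption: effects are independent)."""
    for c in controls:
        likelihood *= 1.0 - c.likelihood_reduction
        impact *= 1.0 - c.impact_reduction
    return expected_annual_loss(likelihood, impact)


def evaluate(likelihood: float, impact: float, controls: Sequence[Control]) -> dict:
    """Step 4: degree of risk reduction, solution cost and net benefit of one control set."""
    before = expected_annual_loss(likelihood, impact)
    after = residual_loss(likelihood, impact, controls)
    cost = sum(c.annual_cost for c in controls)
    return {"controls": [c.name for c in controls], "before": before,
            "after": after, "cost": cost, "net_benefit": before - after - cost}


def select_controls(likelihood: float, impact: float, candidates: Sequence[Control],
                    acceptable_loss: float) -> Optional[dict]:
    """Among all combinations of candidates whose residual loss is at or below the
    acceptable level, pick the one with the highest net benefit; None if none qualifies."""
    best = None
    for n in range(1, len(candidates) + 1):
        for combo in combinations(candidates, n):
            r = evaluate(likelihood, impact, combo)
            if r["after"] <= acceptable_loss and (best is None or r["net_benefit"] > best["net_benefit"]):
                best = r
    return best


def treatment_decision(selection: Optional[dict]) -> str:
    """Step 5 / Page 4: mitigate if a control set reaches the acceptable level;
    otherwise management must decide whether to transfer or accept the residual risk."""
    return "Mitigation" if selection is not None else "Transfer/Acceptance"


# Constructed scenario: the slides' remote-authentication risk, valued quantitatively.
LIKELIHOOD = 0.5        # expected events per year
IMPACT = 400_000.0      # loss per event, dollars
CANDIDATES = (
    Control("Multi-factor authentication", "preventative", 30_000, 0.8, 0.0),
    Control("Authentication log monitoring", "detective", 25_000, 0.0, 0.5),
    Control("Tested DR failover", "corrective", 50_000, 0.0, 0.6),
)

if __name__ == "__main__":
    for acceptable in (50_000, 10_000, 5_000):
        choice = select_controls(LIKELIHOOD, IMPACT, CANDIDATES, acceptable)
        print(f"acceptable loss ${acceptable:,}: {treatment_decision(choice)}")
        if choice:
            print(f"  controls={choice['controls']} residual=${choice['after']:,.0f} "
                  f"cost=${choice['cost']:,.0f} net benefit=${choice['net_benefit']:,.0f}")
```

With an acceptable loss of $50,000 the single preventative control wins on net benefit even though adding the detective and corrective controls would lower residual loss further; tightening the acceptable level to $10,000 forces all three, and at $5,000 no candidate set qualifies, which is the point where Page 22's question of transferring the residual risk comes to management.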

Page 23

The Risk Assessment Process, cont.

• Final recommendations
  – Risk mitigation, transfer or acceptance
  – Document final decisions on Risk treatment

• Report to Upper Management
  – Communicate Risk decisions
  – Align with Security Risk Scorecard

Page 24

The Risk Assessment Process, cont.

• Measure Control Effectiveness
  – Use of audit / verification tools
  – Review of logs

• Reassess New and Changed Assets for Risks
  – Review and update previous assessments
  – Review any Architectural changes for overall impact to the Organization Risk posture

Page 25

Steps going forward

• Solidify the Risk Management Framework.

• Build out the processes, guidance, templates and training to make the process real.

• Identify RM application to assist in process.

• Identify further steps, timeline, etc.

Page 26

Questions?