Risk Based Security Management

Risk Based Security Management

Risk Based Security Management (RBSM)

may be defined as the application

of rigorous and systematic analytical techniques to the evaluation of the risks

that impact an organization's information assets and IT infrastructure.

Agenda

• THE PROBLEM • STEPS TO RBSM • GLINTT’S APPROACH • CONCLUSIONS • Q & A

THE PROBLEM

.: Many of the true assets of value are items that are intangible

and are typically not considered in technical approaches to

information security .:

FRIGHT INDEX

Threats to information security faced by organizations

Ponemon Institute 2012

FRIGHT INDEX II

The greatest rise of potential security risk within today’s IT environment

Ponemon Institute 2012

FRIGHT INDEX III

Security technology categories used to thwart internal and external threats

Ponemon Institute 2012

IDENTIFYING RISK

Steps taken to identify security risks

Ponemon Institute 2012

ADDRESSING RISK

Perceived security risk by layer in the security infrastructure and the allocated level of spending

Ponemon Institute 2012

STEPS TO RBSM

.: The goal is not perfection but to improve our decision making ability by reducing our uncertainty .:

IDENTIFY WHAT MATTERS

• How can this be achieved?

»» Survey the organization and its management.

»» Engage those who are responsible for business.

»» Gather relevant information about the organization.

COLLECT DATA ON WHAT MATTERS

• What kind of data can be useful to gather?

»» Asset valuation

»» Impact

»» Threat landscapes

»» Frequency and likelihood

»» Vulnerabilities

PERFORM A RISK ASSESSMENT

• Risk Assessment should:

»»Create meaningful analysis of probabilities and information on the magnitude of an event and its impact;

»»Rank risk based on a normalized scale that is explicitly defined, relevant and re-usable across risk

analyses of all sizes and types.

PRESENT TO THE ORGANIZATION

• The presentation of any risk analysis should:

»» State the assets that were considered;

»» The key threats to those assets;

»» Assumptions that were made in the analysis

»» The identified risks.

IDENTIFY CONTROL OBJECTIVES

• A control objective will identify the risk being addressed, and will identify ways that minimize an element of that risk.

»» In simple terms, control objectives are “what is it that needs to be achieved”.

IDENTIFY AND SELECT CONTROLS

• The process of selecting controls should consider:

»»What is the total cost of ownership

of the control?

»»How flexible is the control to changes in the organization or the elements that make up the risk?

IMPLEMENT CONTROLS

• If the control is implemented in a way that does not support the control objectives, the risk will likely not be reduced.

OPERATE CONTROLS

• RBSM takes an additional step that measures the effectiveness of the control itself and its operation.

MONITOR AND MEASURE

• The measures must focus on clearly identifying changes in risks.

»» Bear in mind that not all of these

elements are precisely measurable.

»» Attempting to measure the number of threats is problematic, but some qualitative or combination of measures can provide insight.

ADJUST & REPEAT

»»Are there changes in the environment that can also affect the metrics?

»»Are there changes in the threats as time changes?

»» Is the control being operated as intended and/or are the measures acting as indicators of control design and its operation?

GLINTT’S APPROACH

.: If the risk assessment is based on relevant data then the discourse should be rewarding, collaborative, and highly interactive. :.

RBSM Managed Services

»» Creates an environment of informed choice.

»» Strives to reduce

uncertainty

and eliminate conjecture.

»» Is best achieved through

a surplus of relevant data.

RBSM Managed Services

»» Based on analysis of frequency of threats

and vulnerabilities.

»» Cyclical and provide an opportunity for

continuous learning.

»» Involve feedback loops and

challenging assumptions.

RBSM Managed Services

»» Minimize the threats, reduce frequency

and/or likelihood, and reduce

the vulnerabilities that make the threats

viable.

CONCLUSIONS

.: A vulnerability lacks significant meaning if it is associated with

a worthless asset, just as a vulnerability is highly significant if it is

associated with a highly valuable asset .:

CONCLUSIONS

»» Anyone undertaking this process (RBSM) should be prepared to suspend their presuppositions and not to be shocked if ideas long held as truth are refuted by the data collected and analyses performed.

»» We challenge you to try our Services!

Q & A ?

Luís Martins

[email protected]