Risk Management 101
Barry Caplin
Chief Information Security Officer
MN Department of Human Services
MN Government IT Symposium
Thurs. Dec. 13, 2007
Session 74
Minnesota Office of the Legislative Auditor
Agenda
• In the beginning…
• Definitions – Threat, Vulnerability, Risk
• Types of Risk
• Risk Management components
• Frameworks and standards
• Information Risk Management at DHS
In The Beginning…
There were Humans…
And Beasts…
And the concept of Risk was born...
Risk
• Always been with us
• Viewed as a negative
• Attempt to reduce
Magic?
Definitions
Threat
Defn: Source or warning of probable impending danger (Actor) - wikipedia
• Direct/Intended – malicious hacker, thief, malware
• Indirect/Unintended – user, weather
• Person or Thing
Task: Must analyze assets and environment to determine threats
Vulnerability
Defn: the state of being exposed; liable to succumb – dictionary.com
• Measures – physical, financial, operational
Task: Must analyze vulnerability to identified threats
Impact
Defn: to effect, influence or alter – dictionary.com
• Measures – cost, time delays, damage
Task: determine impact of action of threat to which we are vulnerable
Threat, Vulnerability, Impact => Risk
(probability of event × impact = risk)
Risk
Defn: Exposure to the chance of injury or loss (Event) – dictionary.com
• Based on action of threat
• Components:
– Probability of occurrence
– Impact of event
Task: Identification and Disposition
• Accept (or Ignore)
• Mitigate
• Transfer
Types of Risk
Prof. John Adams, University College London, UK risk expert
• Direct – directly perceived – obvious
• Scientific – determined via science
• Virtual Risk – everything else!
Types of Risk – Directly perceived
Types of Risk – Perceived through science
Virtual Risk
• What we are all involved in!
• Project risk/Operational risk
• Physical/Data security risk
• Terrorism/Homeland Security
• Weather
Virtual Risk
• Difficult to “prove”
• Experts don’t know or do not agree
• We don’t know what we don’t know
Risk Management
A discipline for living with the possibility that future events may cause adverse effects.
http://www.sei.cmu.edu/risk/index.html
Risk Management
The iterative framework and processes for:
• Identifying threats (imagining virtual threats)
• Assessing
• Evaluating options
• Acting.
Identify Threats
• Research
• Survey
• Brainstorm
Assess
• Threat Assessment
• Vulnerability Assessment
• Impact Assessment
• Risk Assessment
• Qualitative – subjective scoring
• Quantitative – objective or measured values
Disposition of Risk
• Accept (or Ignore) – what is the?
• Mitigate – what is the cost?
• Transfer – via contract or insurance – what terms? Cost?
Economics of Risk Management
1. Cost of control < Cost of loss
2. Cost of compliance (pain) < Cost of circumvention (gain)
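The formula on the "Threat, Vulnerability, Impact => Risk" slide (probability of event × impact = risk), the qualitative/quantitative split from the Assess slide, and the two economics rules above can be put together in a small risk register. The following Python is an added example written for this page, not material from the presentation or from DHS; the register entries, dollar figures and the 1..5 scoring scale are constructed for illustration, and the disposition rule (mitigate or transfer only when that costs less than the expected loss, otherwise accept) is one reading of rule 1.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Risk:
    """One line of a risk register: a threat acting on a vulnerability we have."""
    name: str
    probability: float                     # annual probability the event occurs (0.0..1.0)
    impact_cost: float                     # loss if it occurs (dollars, the quantitative measure)
    likelihood_score: int                  # qualitative likelihood, 1 (rare) .. 5 (almost certain)
    impact_score: int                      # qualitative impact, 1 (negligible) .. 5 (severe)
    control_cost: Optional[float] = None   # annual cost of the candidate mitigation, if any
    transfer_cost: Optional[float] = None  # annual premium/contract cost to transfer it, if any


def quantitative_risk(r: Risk) -> float:
    """Expected annual loss = probability of event x impact (the slide's formula)."""
    if not 0.0 <= r.probability <= 1.0:
        raise ValueError(f"{r.name}: probability must be in 0..1")
    return r.probability * r.impact_cost


def qualitative_risk(r: Risk) -> int:
    """Subjective score = likelihood (1..5) x impact (1..5); range 1..25, higher is worse."""
    if not (1 <= r.likelihood_score <= 5 and 1 <= r.impact_score <= 5):
        raise ValueError(f"{r.name}: qualitative scores must be 1..5")
    return r.likelihood_score * r.impact_score


def disposition(r: Risk) -> str:
    """Rule 1 (cost of control < cost of loss): pay for a control or a transfer only
    when its cost is below the expected loss; otherwise accept the risk.
    When both mitigation and transfer pay off, take the cheaper one."""
    expected_loss = quantitative_risk(r)
    candidates: List[Tuple[str, float]] = []
    if r.control_cost is not None and r.control_cost < expected_loss:
        candidates.append(("Mitigate", r.control_cost))
    if r.transfer_cost is not None and r.transfer_cost < expected_loss:
        candidates.append(("Transfer", r.transfer_cost))
    if not candidates:
        return "Accept"
    return min(candidates, key=lambda c: c[1])[0]


def control_will_hold(compliance_cost: float, circumvention_cost: float) -> bool:
    """Rule 2: a control stays effective only while complying with it costs users
    less than working around it does."""
    return compliance_cost < circumvention_cost


def rank_register(register: List[Risk]) -> List[Tuple[str, float, int, str]]:
    """Return (name, expected loss, qualitative score, disposition), worst first."""
    rows = [(r.name, quantitative_risk(r), qualitative_risk(r), disposition(r))
            for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register (illustrative numbers, not from the presentation).
SAMPLE_REGISTER = [
    Risk("Laptop theft with unencrypted PII", 0.20, 50_000, 4, 3, control_cost=3_000),
    Risk("Data center flood", 0.01, 2_000_000, 1, 5,
         control_cost=150_000, transfer_cost=12_000),
    Risk("Website defacement", 0.50, 1_000, 5, 1, control_cost=2_000),
]

if __name__ == "__main__":
    for name, loss, score, action in rank_register(SAMPLE_REGISTER):
        print(f"{name:36s} expected loss ${loss:>10,.0f}  score {score:2d}  -> {action}")
```

Running the block ranks the flood first on expected loss (transfer via insurance), the laptop theft second (mitigate, since the $3,000 control is well under the $10,000 expected loss), and the defacement last (accept, because the control costs more than the $500 expected loss). Note that the qualitative score orders the same three risks differently, which is exactly why the Assess slide lists both views.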
Ineffective Risk Mitigation
Evaluate and Act
• Risk Management Committee or SMT
• Document decisions
• Get it done!
Frameworks for Risk Management
• Carnegie Mellon (CMU SEI) – software
• NIST/FISMA – information systems
• CRESP – Consortium for Risk Evaluation with Stakeholder Participation – nuclear
• COSO – Committee Of Sponsoring Organizations – info systems
• COBIT – Control Objectives for IT
• SOMAP – Security Officers Management & Analysis Project – Open Information Security RM Handbook
• OCTAVE – Operationally Critical Threat, Asset, and Vulnerability Evaluation
• Commercial – many
Treasury Board of Canada
Integrated Risk Management Framework – 2001
• “Risk-Smart” Workforce and Environment
• 4 Elements:
– Develop Risk Profile
– Establish organizational function
– Practice and integrate
– Ensure continuous learning
http://www.tbs-sct.gc.ca/pubs_pol/dcgpubs/riskmanagement/rmf-cgr01-1_e.asp
Security and Risk Management
• Security is a subset of Risk Management
• RM -> Security Solutions -> Compliance
• Security/Business balance
• Act on appropriate risks
• Consider the “costs”
At DHS
Information Risk Management at DHS
• Based on elements of NIST, COBIT and OCTAVE
• SLM – Security Lifecycle Management
• Information Policy, Awareness and Compliance
• Business Continuity Planning
Resources
• CMU SEI – www.sei.cmu.edu/risk
• COBIT – www.isaca.org/cobit
• COSO – www.coso.org
• CRESP – www.cresp.org
• NIST/FISMA – csrc.nist.gov
• SOMAP – www.somap.org
• OCTAVE – www.cert.org/octave
• Prof. John Adams – john-adams.co.uk
Discussion?