Risk Management 101 with Mark E.S. Bernard

May 12, 2015
Page 1: Risk Management 101 with Mark E.S. Bernard

*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

Compiled by: Mark E.S. Bernard, ISO 27001 Lead Auditor, CISSP, CISM, SABSA-F2, CISA, CRISC, CGEIT

Page 2: Risk Management 101 with Mark E.S. Bernard

• Introduction
• Current Known Threats
• Potential Impacts to Enterprise Assets
• Legal Risks
• Managing Compliance Risks
• Preventive Security Measures
• Risk Management Policy
• Risk Management Process
• Ranking & Prioritization of Risks
• Treating Risks
• Monitoring Risks
• Conclusion

Page 3: Risk Management 101 with Mark E.S. Bernard


Page 4: Risk Management 101 with Mark E.S. Bernard

Accomplishments:

• In 2013 Assisted Provincial Government with Privacy Impact Assessment of External Parties
• In 2013 Assisted Aviation organization with ISO/IEC 27001 Registration/Certification
• In 2013 Facilitated ISO Lead Auditor Training for International Manufacturing and Services Corporation
• In 2013 Assisted Major Bank with Risk Assessment of New Services and Products
• In 2012 Assisted National Legal Firm with ISO/IEC 27001 Reg./Certification
• In 2012 Assisted Executive Relocation Organization to ISO/IEC 27001 Reg./Certification
• In 2012 Assisted Cloud Service Provider of SaaS to achieve ISO/IEC 27001 Reg./Certification
• In 2012 Assisted Global Electronic Solutions Provider with ISO/IEC 27001 Reg./Certification
• In 2012 Assisted Nano Technology Manufacturer with ISO/IEC 27001 Reg./Certification
• In 2010/11 Led Cloud Service Provider of PaaS and IaaS in 8 DCs & 4 Continents to ISO 27001 Reg./Cert
• In 2009 Led Provincial Government to become 1st Canadian Public Sector ISO 27001 Reg./Certification
• In 2009 Led Provincial Government On-boarding Project for Oracle ERP Integrated Service Provider
• In 2009 Led Technology and Operations during Negotiated Request for Proposal on behalf of Prov. Gov.
• In 2007 Led Major Credit Union Trade & Wholesale Service to achieve ISO/IEC 27001 Reg./Certification
• In 2006 Led Privacy, Security, and Compliance Office during BC Government outsourcing to Alternate Service Delivery during migration to SAP R3 - ERP

Skype: Mark_E_S_Bernard; LinkedIn: http://www.linkedin.com/in/markesbernard

Mark E.S. Bernard - Information Security / Privacy, GRC Management Consultant

CRISC, CGEIT, CISA, CISM, CISSP, PM, ISO 27001 LA, CNA, SABSA - Security Service Management / Architecture, COBiT, ITIL

Mark has 24 years of proven experience within the domain of Information Security, Privacy, Governance and Compliance. Mark has led teams of 30 or more as a Director and Project Manager and managed budgets of $5 Million+. Mark has also provided oversight to 250 contractors and 230 regular full-time employees as a senior manager during a government outsourcing contract valued at $300 million. Mark's skills and experience as a Systems Engineer, Software Engineer and Network Engineer have given him the ability to lead small and large contracts for specialized services, including ERP systems like Oracle, SAP, JD Edwards, BPCS and JBA, and red team penetration testing. Mark also led his work-stream during a Negotiated RFP process, followed by the on-boarding and knowledge transfer from the exiting Service Provider for a $25 Million contract. Mark designed information security and privacy architecture and established information security management systems as program manager based on ISO 27001. Mark also led the reengineering of IT processes based on Service Manager ITIL/ISO 20000, building in Quality Management ISO 9001 and establishing a Knowledge Management framework.

Page 5: Risk Management 101 with Mark E.S. Bernard

Registration need not be the final goal; however, every business can benefit from adopting a management system that provides assurance over information assets in alignment with strategic and tactical business goals, while addressing Governance, Risk Management and Compliance Management requirements.

Page 6: Risk Management 101 with Mark E.S. Bernard

The demand for ISO/IEC 27001:2005 has nearly tripled in six years, and the number of countries adopting the Information Security Management System has doubled. ISO/IEC 27001:2005 will soon see its first major revision since the 2005 adoption, and if it turns out to be anything like the changes we've seen in ICFR/ICIF, ISAE 3402 or NIST SP 800-53, there will be significant improvements to be leveraged. In 2006, the first year of the annual survey, ISO/IEC 27001:2005 certificates at the end of December 2006 totaled 5,797, and the number of countries adopting ISO/IEC 27001 totaled 64. At the end of 2010, at least 15,625 certificates had been issued in 117 countries. The 2010 total represents an increase of 2,691 (+21%) since December 2009. In 2006 the top three countries adopting ISO/IEC 27001 were Japan, the United Kingdom and India, and in 2010 that trend continued. However, the top three countries by growth from December 2009 to 2010 were Japan, China and the Czech Republic.

Page 7: Risk Management 101 with Mark E.S. Bernard


Page 8: Risk Management 101 with Mark E.S. Bernard

Source: Computer Security Institute 2010/11 Survey


Page 9: Risk Management 101 with Mark E.S. Bernard

Source: Verizon business 2011 Data Breach Investigations Report


• Large-scale breaches dropped dramatically while small attacks increased. The report notes there are several possible reasons for this trend, including the fact that small to medium-sized businesses represent prime attack targets for many hackers, who favour highly automated, repeatable attacks against these more vulnerable targets, possibly because criminals are opting to play it safe in light of recent arrests and prosecutions of high-profile hackers.

• Outsiders are responsible for most data breaches. Ninety-two percent of data breaches were caused by external sources. Contrary to the malicious-employee stereotype, insiders were responsible for only 16 percent of attacks. Partner-related attacks continued to decline, and business partners accounted for less than 1 percent of breaches.

• Physical attacks are on the rise. After doubling as a percentage of all breaches in 2009, attacks involving physical actions doubled again in 2010, and included manipulating common credit-card devices such as ATMs, gas pumps and point-of-sale terminals. The data indicates that organized crime groups are responsible for most of these card-skimming schemes.

• Hacking and malware are the most popular attack methods. Malware was a factor in about half of the 2010 caseload and was responsible for almost 80 percent of lost data. The most common kinds of malware found in the caseload were those that send data to an external entity, open backdoors, and provide key-logger functionality.

• Stolen passwords and credentials are out of control. Ineffective, weak or stolen credentials continue to wreak havoc on enterprise security. Failure to change default credentials remains an issue, particularly in the financial services, retail and hospitality industries.

Page 10: Risk Management 101 with Mark E.S. Bernard

Source: 2010 Cloud Security Alliance Threats

#1: Abuse and Nefarious Use of Cloud Computing
#2: Insecure Interfaces and APIs
#3: Malicious Insiders
#4: Shared Technology Issues
#5: Data Loss or Leakage
#6: Account or Service Hijacking
#7: Unknown Risk Profile

Page 11: Risk Management 101 with Mark E.S. Bernard

Source: 2010 OWASP Top 10 Web Application Security Risks

A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards

Page 12: Risk Management 101 with Mark E.S. Bernard

Source: ‘The Risk of Insider Fraud’ Ponemon Institute 2011

• Employee-related incidents of fraud, on average, occur weekly in participating organizations.
• Sixty-four percent of the respondents in this study say the risk of insider fraud is very high or high within their organizations.
• CEOs and other C-level executives may be ignoring the threat, according to respondents.
• The majority of insider fraud incidents go unpunished, leaving organizations vulnerable to future such incidents.
• The threat vectors most difficult to secure and safeguard from insider fraud are mobile devices, outsourced relationships (including cloud providers) and applications.
• The majority of respondents do not believe their organization has the appropriate technologies to prevent or quickly detect insider fraud, including employees’ misuse of IT resources.

Page 13: Risk Management 101 with Mark E.S. Bernard

Source: Computer Security Institute 2010/11 Survey


Page 14: Risk Management 101 with Mark E.S. Bernard


Page 15: Risk Management 101 with Mark E.S. Bernard

The Enterprise Risk Management system identifies four major areas of risk: strategic planning, financial services, compliance management and operations. Generally, capital and resources are allocated based on priorities determined by the Board of Directors and Executive Team.

There are six major groups of Enterprise Assets that contribute to the Enterprise strategy: people, information, software, hardware, telecommunications and facilities.

The risk associated with each asset can be assessed and treated based on Enterprise strategic priorities. A risk score can be calculated for each product, service channel, and revenue stream, and risk treatment can again be applied based on strategic priorities.

Page 16: Risk Management 101 with Mark E.S. Bernard

The following example is a subset demonstrating the potential results of an exploited vulnerability within ‘People Assets’ in most common Enterprises. The impacts are measured against the principles of information security: confidentiality, integrity, and availability. The severity in this example is rated high, medium or low to simplify the message to a broad audience.

Page 17: Risk Management 101 with Mark E.S. Bernard

The following example is a subset demonstrating the potential results of an exploited vulnerability within ‘Information Assets’ in most common Enterprises. The impacts are measured against the principles of information security: confidentiality, integrity, and availability. The severity in this example is rated high, medium or low to simplify the message to a broad audience.

Page 18: Risk Management 101 with Mark E.S. Bernard

The following example is a subset demonstrating the potential results of an exploited vulnerability within ‘Software Assets’ in most common Enterprises. The impacts are measured against the principles of information security: confidentiality, integrity, and availability. The severity in this example is rated high, medium or low to simplify the message to a broad audience.

Page 19: Risk Management 101 with Mark E.S. Bernard

The following example is a subset demonstrating the potential results of an exploited vulnerability within ‘Hardware Assets’ in most common Enterprises. The impacts are measured against the principles of information security: confidentiality, integrity, and availability. The severity in this example is rated high, medium or low to simplify the message to a broad audience.

Page 20: Risk Management 101 with Mark E.S. Bernard

The following example is a subset demonstrating the potential results of an exploited vulnerability within ‘Telecommunication Assets’ in most common Enterprises. The impacts are measured against the principles of information security: confidentiality, integrity, and availability. The severity in this example is rated high, medium or low to simplify the message to a broad audience.

Page 21: Risk Management 101 with Mark E.S. Bernard

The following example is a subset demonstrating the potential results of an exploited vulnerability within ‘Facility Assets’ in most common Enterprises. The impacts are measured against the principles of information security: confidentiality, integrity, and availability. The severity in this example is rated high, medium or low to simplify the message to a broad audience.

Page 22: Risk Management 101 with Mark E.S. Bernard


Page 23: Risk Management 101 with Mark E.S. Bernard


Page 24: Risk Management 101 with Mark E.S. Bernard


Page 25: Risk Management 101 with Mark E.S. Bernard

Here is an example of how an ISO 27001 ISMS can easily and seamlessly address all HIPAA legal requirements.

Page 26: Risk Management 101 with Mark E.S. Bernard

When all the mapping has been completed, approximately 70 of the already existing 133 ISO 27001 control objectives will be leveraged to address HIPAA compliance.

Page 27: Risk Management 101 with Mark E.S. Bernard


Page 28: Risk Management 101 with Mark E.S. Bernard

Compliance Management can be broken down into 4 general categories: statutes, regulations, internal facing and external facing.

Page 29: Risk Management 101 with Mark E.S. Bernard


• Health Insurance Portability and Accountability Act (HIPAA)

• Health Information Technology for Economic and Clinical Health Act (HITECH Act)

• Federal Information Security Management Act (FISMA)

• Gramm-Leach-Bliley Act (GLBA)

• Payment Card Industry Data Security Standard (PCI-DSS)

• Payment Card Industry Payment Application Standard

• Sarbanes-Oxley Act (SOX)

• U.S. state data breach notification law

• International privacy or security laws

Page 30: Risk Management 101 with Mark E.S. Bernard

Before we can treat compliance concerns we need to identify, record and map the ISO 27001 controls listed in the Statement of Applicability to the specific legal obligations defined by provisions and clauses within statutes, regulations and internal/external facing contracts.

Page 31: Risk Management 101 with Mark E.S. Bernard


Page 32: Risk Management 101 with Mark E.S. Bernard

We can choose to respond to the security incident after the fact, or before a threat exploits the known vulnerability.

We can choose to identify the threats and matching vulnerabilities and remediate them to acceptable levels.

Page 33: Risk Management 101 with Mark E.S. Bernard

ISO 27001 has already developed controls that are designed to remediate common or known threats, vulnerabilities and risks.

Page 34: Risk Management 101 with Mark E.S. Bernard

A close assessment of the technology stack can easily identify vulnerabilities that might be exposed to threats, leading to risks.

Page 35: Risk Management 101 with Mark E.S. Bernard


Page 36: Risk Management 101 with Mark E.S. Bernard

Risk Management Goals

• To assess risks to Information Assets and System Resources
• To state the goals of the RM program, along with the desired security level to be attained, consistent with the Enterprise’s risk appetite and Information Asset sensitivity
• To identify vulnerabilities within the infrastructure and facilitate the decision-making process by determining the likelihood and impact based on motive and opportunity
• To identify potential impacts should a threat agent successfully exploit the identified vulnerability, further impacting the Information Assets and System Resources and the business functions and applications they support, expressed in terms of confidentiality, integrity and availability
• To provide recommendations that will mitigate and/or eliminate risk to acceptable levels.

Page 37: Risk Management 101 with Mark E.S. Bernard

Risk Acceptance Criteria: There are three possible Risk Acceptance Criteria scenarios that management can choose from, based on the results of a Risk Assessment and the overall Risk Rating:

• Management can choose to accept the risk, in which case they do nothing to remediate it. They should understand that they will be held accountable for any security incident; however, the risk of a security incident may not be a concern to management, and thus they tend to accept low risks as part of normal daily operations.
• Management may choose to remediate the risk, in which case management takes some sort of corrective and/or preventive action to mitigate and/or eliminate the risk from the Enterprise’s environment.
• Management may also choose to transfer the risk, in which case management has chosen to outsource the process causing the risk and/or purchase insurance to cover the potential damages caused by the realization of a risk.

Page 38: Risk Management 101 with Mark E.S. Bernard

Temporary ISMS Exemption Application

There may be occasions where compliance is not possible during a particular period of time, and an exemption from compliance is the best method of identifying those occasions and following up to ensure that they are closed. During these instances it is important to identify the manager responsible for these security gaps and have them sign off. This will not only help the Enterprise’s security office to document gaps but also identify the responsible party who will ensure that they are closed. The following information is required for the Temporary Exemption Form to be completed:

• Exemption period - From-To
• ISMS policy, procedure or standard reference ID
• Reason for Exemption Application
• Department or division unit affected
• Information system affected
• Network location affected
• Rationale: not granting this application
  a) would adversely affect the accomplishment of the Enterprise’s business
  b) would cause a major adverse financial impact
• Rationale explanation
• Signature of Responsible Manager and date

Page 39: Risk Management 101 with Mark E.S. Bernard


Page 40: Risk Management 101 with Mark E.S. Bernard

Where possible and practical, organizations need to integrate the Risk Management decision tool within existing business processes. The Control Self Assessment technique is an excellent approach to RM integration.

Page 41: Risk Management 101 with Mark E.S. Bernard

The ‘optimal’ time to initiate the RM process within the SDLC is during the creation of the systems definition and functional design criteria, or during development and acquisition.

Page 42: Risk Management 101 with Mark E.S. Bernard

• Identify Assets in Scope: in this work task we document department name, asset owner and asset name.
• Identify Threats: in this work task we document threat(s) to asset(s) in scope of the risk analysis as defined within the RA worksheet, including the threat identification, description, and rating.
• Identify Business Impact: in this work task we clarify the business perspective for confidentiality, integrity and availability based on a ‘high’, ‘medium’ or ‘low’ impact to regular business processes.
• Identify Vulnerabilities: in this work task we document vulnerabilities associated with the asset in scope for risk analysis as defined in the RA worksheet, including the vulnerability identification, description, and rating.

Page 43: Risk Management 101 with Mark E.S. Bernard

• Control Selection: in this work task we list the existing controls for further consideration during the preparation of remediation activities designed to lower the overall risk rating. It is possible that existing controls have been implemented incorrectly or suffer from other deficiencies that, if corrected, would eliminate the need for additional controls.
• Risk Assessment: in this work task we calculate the overall risk rating: the calculated sum of the threat and CIA business impact ratings, multiplied by the business impact rating, multiplied by the vulnerability rating.
• Recommendations: in this work task we identify the manager who has been assigned the responsibility of facilitating the risk mitigation activity, the date of expected delivery and the current status of progress in the resolution process.
• Report to Management: in this work task we identify and report to management the planned targets for risk mitigation expressed in terms of high, medium, and low impacts to confidentiality, integrity and availability. These values are rolled up into an overall revised ‘Residual Risk Rating’.
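The following is an added example, not part of the deck or the author's own worksheet, showing the work tasks of Pages 42 and 43 as a small risk-register calculator, with the Page 37 acceptance criteria applied to the result. It assumes, as my own reading rather than anything the deck states, that ‘high’/‘medium’/‘low’ ratings score 3/2/1, that the overall risk rating is threat rating × (C + I + A business impact) × vulnerability rating, and that a risk appetite threshold of 18 is in force; the register entries, asset names and managers are constructed for illustration.

```python
# Added example (not from the deck): risk-assessment worksheet calculator.
# Assumptions (mine, not the deck's): ratings high/medium/low score 3/2/1;
# Overall Risk Rating = threat x (C+I+A business impact) x vulnerability;
# RISK_APPETITE and every register entry below are constructed sample data.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SCORE = {"high": 3, "medium": 2, "low": 1}
CIA = ("confidentiality", "integrity", "availability")


@dataclass
class RiskEntry:
    """One row of the RA worksheet (Page 42 fields plus Page 43 results)."""
    department: str
    asset_owner: str
    asset: str
    threat: str
    threat_rating: str
    vulnerability: str
    vulnerability_rating: str
    impact: Dict[str, str]                      # business impact per CIA principle
    existing_controls: List[str] = field(default_factory=list)
    responsible_manager: Optional[str] = None   # assigned in 'Recommendations'
    # Planned targets reported to management (None = no mitigation planned)
    planned_impact: Optional[Dict[str, str]] = None
    planned_vulnerability_rating: Optional[str] = None


def business_impact(impact: Dict[str, str]) -> int:
    """Sum of the C, I and A impact scores (range 3..9)."""
    return sum(SCORE[impact[p]] for p in CIA)


def risk_rating(threat_rating: str, impact: Dict[str, str], vulnerability_rating: str) -> int:
    """Assumed reading of the deck's formula: threat x business impact x vulnerability (3..81)."""
    return SCORE[threat_rating] * business_impact(impact) * SCORE[vulnerability_rating]


def overall_risk(entry: RiskEntry) -> int:
    return risk_rating(entry.threat_rating, entry.impact, entry.vulnerability_rating)


def residual_risk(entry: RiskEntry) -> int:
    """Revised 'Residual Risk Rating' once the planned targets are applied."""
    impact = entry.planned_impact or entry.impact
    vuln = entry.planned_vulnerability_rating or entry.vulnerability_rating
    return risk_rating(entry.threat_rating, impact, vuln)


def treatment_decision(rating: int, appetite: int) -> str:
    """Page 37: at or below the appetite management typically accepts; above it
    the risk must be remediated or transferred (that choice is management's)."""
    return "accept" if rating <= appetite else "remediate or transfer"


def rank_register(entries: List[RiskEntry]) -> List[RiskEntry]:
    """Ranking & prioritization: highest overall risk first."""
    return sorted(entries, key=overall_risk, reverse=True)


def report_to_management(entries: List[RiskEntry], appetite: int) -> List[dict]:
    """Roll-up of overall and residual ratings with the resulting decision."""
    return [
        {
            "asset": e.asset,
            "owner": e.asset_owner,
            "overall_risk": overall_risk(e),
            "residual_risk": residual_risk(e),
            "decision": treatment_decision(residual_risk(e), appetite),
            "responsible_manager": e.responsible_manager,
        }
        for e in rank_register(entries)
    ]


RISK_APPETITE = 18  # constructed threshold for this example
SAMPLE_REGISTER = [  # constructed entries, not from any real assessment
    RiskEntry("Finance", "A. Payroll Lead", "Payroll clerk accounts",
              "Phishing leading to credential theft", "high",
              "Default credentials never changed", "high",
              {"confidentiality": "high", "integrity": "medium", "availability": "low"},
              existing_controls=["Password policy"],
              responsible_manager="IT Security Manager",
              planned_impact={"confidentiality": "medium", "integrity": "low", "availability": "low"},
              planned_vulnerability_rating="low"),
    RiskEntry("Retail Banking", "Branch Ops", "Branch ATM card readers",
              "Card skimming by organised crime", "medium",
              "No tamper detection on card reader", "medium",
              {"confidentiality": "high", "integrity": "high", "availability": "medium"}),
    RiskEntry("Marketing", "Comms Lead", "Public brochure archive",
              "Web defacement", "low",
              "Outdated CMS plugin", "low",
              {"confidentiality": "low", "integrity": "low", "availability": "medium"}),
]

if __name__ == "__main__":
    for row in report_to_management(SAMPLE_REGISTER, RISK_APPETITE):
        print(row)
```

Running it ranks the payroll entry first (overall 54, residual 12 once the planned targets are applied, so it falls under the appetite and is accepted), the ATM entry second (32 with no planned mitigation, so it must be remediated or transferred), and the brochure archive last (4). Note that the deck's formula wording admits more than one reading; swap the body of risk_rating for whichever convention your own RA worksheet uses.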

Page 44: Risk Management 101 with Mark E.S. Bernard

Within the Risk Management Process we systematically identify and address threats and vulnerabilities to Enterprise Assets, and take action to mitigate those risks to acceptable levels.

Page 45: Risk Management 101 with Mark E.S. Bernard

‘Control Design’ is where Risk Management, Quality Management and Vulnerability Management come together.

The Assets at risk potentially leading to a breach of Data Protection & loss of Confidentiality include ‘People’, ‘Information’, ‘Property/Facilities’, ‘Software/Systems’, ‘Hardware’ and ‘Telecommunications’.

Page 46: Risk Management 101 with Mark E.S. Bernard

Within the following example I list out the specific threat, potential impact and mitigating control.

Page 47: Risk Management 101 with Mark E.S. Bernard

Within this example I take the process one step further and identify the test scenario designed to verify and validate the control design. This is a requirement for SOX.

Page 48: Risk Management 101 with Mark E.S. Bernard

There are thousands of threats to the Enterprise, but only a small subset have the potential to negatively impact the Enterprise, so a 9-point evaluation of threats is essential to help establish a common threat index for the risk assessment process.

Page 49: Risk Management 101 with Mark E.S. Bernard

There are hundreds of vulnerabilities within any Enterprise; however, only a subset will be identified with a matching threat, so it's very likely that some vulnerabilities will not be remediated, as the overall risk rating will rank them below the risk appetite.

Page 50: Risk Management 101 with Mark E.S. Bernard

ISO 27001 has identified the most common controls utilized to remediate the most common threats, vulnerabilities and risks to most Enterprises. The emphasis of Total Quality Management is the remediation of those risks based on a standard series of controls listed within the Statement of Applicability.

Page 51: Risk Management 101 with Mark E.S. Bernard


Page 52: Risk Management 101 with Mark E.S. Bernard


The Risk Rating helps match actual risks to the risk appetite.

Page 53: Risk Management 101 with Mark E.S. Bernard


Page 54: Risk Management 101 with Mark E.S. Bernard

The Corrective Action and Preventive Action plans are important pieces of the evidence-based Quality Management component of Risk Management. The CA or PA can be initiated together or completely separately from one another. CAPA reports will be audited and include specific information like the date, the source of the nonconformity, who is responsible for taking action and the date it will be completed. The root cause must also be documented.

Once the CAPA has been completed it must be independently validated.

Page 55: Risk Management 101 with Mark E.S. Bernard

Risk Treatment Plans are defined by Corrective Action plans and Preventive Action plans. The RTP is basically a rolled-up dashboard utilized for tracking and monitoring CAPA by the ISMS Governance Committee.

Page 56: Risk Management 101 with Mark E.S. Bernard


Page 57: Risk Management 101 with Mark E.S. Bernard

Following the assessment of threats and vulnerabilities and the identification of risks, management makes a decision and we begin monitoring and tracking risks.

Page 58: Risk Management 101 with Mark E.S. Bernard

In more advanced ISMS Risk Management programs we monitor and track risks in connection with the Enterprise Risk Management program.

Page 59: Risk Management 101 with Mark E.S. Bernard

We should not only track risks internally, as many risks are shared with external vendors and service providers through Service Management processes and the Service Desk.

Page 60: Risk Management 101 with Mark E.S. Bernard

Risk Management is a useful process that should be seamlessly integrated within every business process to help support and facilitate management decisions.

Need help with your Risk Management adoption or integration project? Please contact me, thanks.

Page 61: Risk Management 101 with Mark E.S. Bernard

For more information contact Skype: Mark_E_S_Bernard; Twitter: @MESB_TechSecure; LinkedIn: http://ca.linkedin.com/in/markesbernard