Risk Management A Brief Discussion of the Philosophy and Approach UHCL-CSI Seminar December 2013
Dec 24, 2015
The C-I-A Triad
Confidentiality: Prevent unauthorized disclosure of sensitive information
Integrity: Prevent unauthorized or contaminating modification of systems & information
Availability: Prevent disruption or loss of service & associated productivity
10.Dec.13
C - I - A: Need for a Balanced Approach
(Diagram: three interlocking domains)
Technology: Applications & Data; Infrastructure
Processes: Procedures, Standards, & Performance Measures
People: Roles & Responsibilities; Culture & Attitudes; Skills & Training; Organization
The Relationship of the Information Assurance Function to the Systems Life Cycle
The object is to integrate the IT Security/Risk Assessment and engineering functions into each phase of any IT project intended for production operations as a standard analysis and planning function.
(Diagram: Infrastructure Engineering (Project Origination) through Production Operations (Product Operation), with Functional and Participative Overlap: Integrated and Re-iterative Process)
IT Security Involvement: From Project Inception through Production Operations.
Trust & Assurance
Trust & Assurance are evaluated by examining development processes & operational performance.
Trust: All protection mechanisms work to process sensitive data for all types of users & maintain the appropriate level of protection; consistent enforcement of policy under all normal operating conditions.
Assurance: Level of confidence that the system will act in a correct & predictable manner in all normal computing situations; known inputs always produce expected results under all normal operating conditions.
Total Risk
“Total Risk” is what exists in a business, an agency, a project or a location at the incipient stage of any risk assessment activity. It includes:
- All systems and all their connections and components
- All processes, policies and procedures in all stages of development or enforcement
- All personnel concerned – all roles, all levels
- All compliance requirements, met and unmet
- All operational conditions and performance requirements
- All Management mandates, metrics and expectations, internal and for customers
This is the existing unmodified environment to be evaluated.
Acceptable Risk
“Acceptable Risk” is a level of allowable exposure, loss or outage defined by Mgmt. that an enterprise can absorb & continue operating. Examples:
- An SLE/ALE at or below a defined threshold (SLE: Single Loss Expectancy, any one event; ALE: Annualized Loss Expectancy, all events)
- A variance of ≤ 10% in operating expenses
- A variance in up-time as measured against the Service Level Agreement (SLA) commitment
- A delay of 5 days in project completion
This can also be an arbitrary Mgmt.-defined value or quality.
Residual Risk
“Residual Risk” is the level of exposure, loss or outage potential that remains following risk reduction & mitigation efforts. Examples:
- Event Annualized Loss Expectancy (ALE) reduced 40% by modifying the asset to reduce its exposure to power fluctuations
- Decreasing data entry errors by 80% through operator training & better supervisory work quality checking
- Adding hot-failover to a critical application system to eliminate lost service due to system failures
- Changing design review QA processes to improve time-to-market by 30 days/yr by reducing in-stream design re-work & break-fix activities
Acceptable Risk vs. Residual Risk
The ideal relationship between Total Risk (Rt), Acceptable Risk (Ra) and Residual Risk (Rr) is
Rt ≥ Ra ≥ Rr
where the Residual Risk is, at its greatest, equal to the Acceptable Risk limit set by Mgmt.
(Diagram: Total Risk, Acceptable Risk, Residual Risk.) Total Risk: All risks and possible losses found or inherent in the context before any remediation is planned or performed.
©The OAS R/6 IA Performance Model by R. A. Leo
Threat/Threat Agent Analysis
Source: Human-Made (Passive); Human-Motivated (Active); Natural
Character: Technological/Non-technological
Motivation: Intentional/Unintentional
Origin & Geography: Internal/External
Scope & Extent: Isolated/Contained; Pervasive/Expansive
Hostile/Non-hostile
Foreseeable/Non-foreseeable
Defensible/Indefensible
Failure/Accident
Intense (High & Fast)/Gradual (Low & Slow)
Intrinsic/Extrinsic: relates to attributes in the target that enable or retard the attack agent
Systematic/Non-systematic
©The OAS R/6 IA Performance Model by R. A. Leo
Risk Management Planning
Risk Identification
Analysis of Risk Elements: Qualitative and Quantitative Methods
Prioritization of Candidates: By impact level or frequency of occurrence
Risk Response Planning: Mitigation, Assignment, or Acceptance
Plan Formation and Execution
Results Evaluation: Plan accomplishment and project performance
Knowledge Capture: Formal Records for future use and retention
Continuous Monitoring: Active monitoring of changing environment
Communication
Information Security: Project Cost vs. Economic Value Added
(Chart: Project Cost and Project EVA plotted against Security Budget, with the Unacceptable Risk and Acceptable Risk ranges separated by the Break-Even Point.)
The criteria and selection process for Information Security projects should be the same as for all other projects in the Enterprise: “What will be the result in terms of Economic Value Added?”
Project EVA: The quantifiable reduction in risk or A.L.E.
Unacceptable Risk: The range of exposure where the Cost of Loss or A.L.E. exceeds the Cost to Protect.
Break-Even Point: The point at which the Cost to Protect equals the Cost of Loss or A.L.E.
Acceptable Risk: The range of exposure where the Cost to Protect exceeds the Cost of Loss or A.L.E.
Cost Trade-Offs
All values must reflect Lifecycle Total Cost of Ownership (LC/TCO) for each asset and for each candidate control:
- Prevents overstatement/understatement of actual operational cost impact
- Accounts for unique asset characteristics like appreciation or depreciation
The Cost to Protect equates to the cost of the candidate control to be implemented.
The Cost of Loss equates to the value of the asset at risk of loss or compromise.
Based on cost-benefit type analysis, this reflects widely practiced business methods, creating greater commonality between “business think” and “security think”.
Cost Trade-Offs
If the Cost to Protect is less than the “Cost of Loss or Compromise”:
Cp < Cl = Cc
The result shows it is less expensive to use a control than to risk the loss of the asset. This financially validates the decision to actively mitigate the risk to this asset.
©The OAS R/6 IA Performance Model by R. A. Leo
Cost Trade-Offs
If the Cost to Protect is greater than the Cost of Loss or Compromise:
Cp > Cl = Cc
The result shows it is more expensive to use a control than to risk the loss of the asset. This financially validates the decision to accept the risk of loss for this asset.
©The OAS R/6 IA Performance Model by R. A. Leo
Cost Trade-Offs
If the Cost to Protect is approximately equal to the Cost of Loss or Compromise:
Cp ≈ Cl ≈ Cc
The result shows it is no more expensive to use a control than to lose the asset. The decision to mitigate or accept the risk is typically based on criteria other than cost alone.
©The OAS R/6 IA Performance Model by R. A. Leo
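A worked example of the three Cp/Cl cases above together with the Acceptable vs. Residual Risk check, added here as an illustration rather than taken from the seminar or the OAS R/6 model: it computes ALE = SLE × ARO, takes the Cost of Loss (Cl) as the ALE a control avoids (the slide's Project EVA), compares it with the control's annualized LC/TCO (Cp) using an assumed ±10% band for the "approximately equal" case, and checks the residual ALE against a management-set acceptable threshold. All dollar figures, asset and control names are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Exposure:
    """One loss scenario for an asset, in the seminar's SLE/ALE terms."""
    asset: str
    sle: float  # Single Loss Expectancy: cost of any one event
    aro: float  # Annualized Rate of Occurrence: expected events per year

    def ale(self) -> float:
        # Annualized Loss Expectancy: expected loss from all events in a year
        return self.sle * self.aro

@dataclass(frozen=True)
class Control:
    """A candidate control with its annualized lifecycle TCO (Cp)."""
    name: str
    annual_cost: float
    sle_reduction: float = 0.0  # fraction of per-event loss the control removes
    aro_reduction: float = 0.0  # fraction of event frequency the control removes

    def residual(self, total: Exposure) -> Exposure:
        return Exposure(total.asset,
                        total.sle * (1.0 - self.sle_reduction),
                        total.aro * (1.0 - self.aro_reduction))

def evaluate(total: Exposure, ctl: Control, acceptable_ale: float,
             tolerance: float = 0.10) -> dict:
    """Apply the Cp vs Cl trade-off, then check residual risk (Rr) against the Ra limit."""
    with_ctl = ctl.residual(total)
    cp = ctl.annual_cost
    cl = total.ale() - with_ctl.ale()  # ALE avoided by the control (Project EVA)
    if abs(cp - cl) <= tolerance * cl:
        decision = "cost-neutral"  # Cp ≈ Cl: decide on criteria other than cost
    elif cp < cl:
        decision = "mitigate"      # Cp < Cl: control is cheaper than the loss
    else:
        decision = "accept"        # Cp > Cl: control costs more than the loss
    # Residual risk is what remains after what is actually done; accepting changes nothing
    rr = total.ale() if decision == "accept" else with_ctl.ale()
    return {"asset": total.asset, "ale_total": round(total.ale(), 2), "cp": cp,
            "cl": round(cl, 2), "decision": decision, "ale_residual": round(rr, 2),
            "within_acceptable": rr <= acceptable_ale}

# Constructed figures (not from the seminar): a file server exposed to power fluctuations,
# mirroring the slide's "ALE reduced 40%" case, against an Ra limit of $75,000/yr.
POWER = Exposure("file server", sle=50_000, aro=2.0)
CONDITIONER = Control("power conditioning + UPS", annual_cost=15_000, aro_reduction=0.40)

if __name__ == "__main__":
    print(evaluate(POWER, CONDITIONER, acceptable_ale=75_000))
```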
The Desired End State
In conjunction with C-I-A, these qualities desired for infrastructure are necessary in alignment with business mission:
Reliability, Redundancy, Recoverability, Resiliency, Resistance, Robustness
They are dependent on: Budgetary constraints; Regulatory requirements; Management support; Market sensitivity …
©The OAS R/6 IA Performance Model by R. A. Leo
Risk Management Benefits
- Achievement of cost-effective, measurable protection
- Effects a change from bolt-on additions to architectural integration
- Regular performance improves information quality and accuracy over time and contributes to enhanced “adaptive agility and response”
- Products improve operational evolution and alignment with organizational objectives
- Knowledge gained and applied improves cost control and decision-making results by actualizing actionable intelligence
- Security measures are commensurate with protected asset value
- Creates a culture of “continuous improvement” rather than “repetitive remediation”
INFORMATION SECURITY CONSIDERATIONS
Hofstadter’s Law
“It will always take longer than you expect. When optimism bias is present, it will likely take a lot longer. And nothing and no one plays by your rules except you.”
— Douglas Hofstadter, author of Gödel, Escher, Bach: An Eternal Golden Braid.
This law can be seen at work almost everywhere all of the time. It is especially evident whenever any endeavor involves computers, organizations of people, or both.