Page 1: Risk Management 101

Risk Management 101

Barry Caplin

Chief Information Security Officer

MN Department of Human Services

MN Government IT Symposium

Thurs. Dec. 13, 2007

Session 74

Page 2: Risk Management 101

Minnesota Office of the Legislative Auditor

Agenda

• In the beginning…

• Definitions – Threat, Vulnerability, Risk

• Types of Risk

• Risk Management components

• Frameworks and standards

• Information Risk Management at DHS

Page 3: Risk Management 101

In The Beginning…

Page 4: Risk Management 101

In The Beginning…

There were Humans…

Page 5: Risk Management 101

In The Beginning…

And Beasts…

Page 6: Risk Management 101

And the concept of Risk was born...

Page 7: Risk Management 101

Risk

• Always been with us
• Viewed as a negative
• Attempt to reduce

Page 8: Risk Management 101

Magic?

Page 9: Risk Management 101

Definitions

Page 10: Risk Management 101

Threat

Defn: Source or warning of probable impending danger (Actor) - wikipedia

• Direct/Intended – malicious hacker, thief, malware
• Indirect/Unintended – user, weather
• Person or Thing

Task: Must analyze assets and environment to determine threats

Page 11: Risk Management 101

Vulnerability

Defn: the state of being exposed; liable to succumb – dictionary.com

• Measures – physical, financial, operational

Task: Must analyze vulnerability to identified threats

Page 12: Risk Management 101

Impact

Defn: to effect, influence or alter – dictionary.com

• Measures – cost, time delays, damage

Task: determine impact of action of threat to which we are vulnerable

Page 13: Risk Management 101

Threat, Vulnerability, Impact => Risk

(probability of event × impact = risk)

Page 14: Risk Management 101

Risk

Defn: Exposure to the chance of injury or loss (Event) – dictionary.com

• Based on action of threat
• Components:

– Probability of occurrence
– Impact of event

Task: Identification and Disposition
• Accept (or Ignore)
• Mitigate
• Transfer

Page 15: Risk Management 101

Types of Risk

Prof. John Adams, University College London
UK risk expert

• Direct – directly perceived – obvious
• Scientific – determined via science
• Virtual Risk – everything else!

Page 16: Risk Management 101

Directly perceived

Page 17: Risk Management 101

Types of Risk

Perceived through science

Page 18: Risk Management 101

Types of Risk

Virtual Risk
• What we are all involved in!
• Project risk/Operational risk
• Physical/Data security risk
• Terrorism/Homeland Security
• Weather

Page 19: Risk Management 101

Virtual Risk

Virtual Risk
• Difficult to “prove”
• Experts don’t know or do not agree
• We don’t know what we don’t know

Page 20: Risk Management 101

Risk Management

A discipline for living with the possibility that future events may cause adverse effects.

http://www.sei.cmu.edu/risk/index.html

Page 21: Risk Management 101

Risk Management

The iterative framework and processes for:

• Identifying threats (imagining virtual threats)

• Assessing
• Evaluating options
• Acting.

Page 22: Risk Management 101

Identify Threats

• Research
• Survey
• Brainstorm

Page 23: Risk Management 101

Assess

• Threat Assessment
• Vulnerability Assessment
• Impact Assessment
• Risk Assessment

• Qualitative – subjective scoring
• Quantitative – objective or measured values

Page 24: Risk Management 101

Disposition of Risk

• Accept (or Ignore) – what is the?
• Mitigate – what is the cost?
• Transfer – via contract or insurance – what terms? Cost?

Page 25: Risk Management 101

Economics of Risk Management

1. Cost of control < Cost of loss

2. Cost of compliance (pain) < Cost of circumvention (gain)
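The slides on probability × impact, qualitative versus quantitative assessment, disposition, and cost of control versus cost of loss describe a calculation without showing one. The following Python is an added example, not part of Barry Caplin's deck: it scores a small risk register, ranks it by expected loss, and picks Accept, Mitigate or Transfer. The register entries, the currency figures, the 1..5 qualitative thresholds and the "cheapest option that costs less than the expected loss" decision rule are all constructed assumptions for this illustration.

```python
# Added illustration: scoring a small risk register and choosing a disposition.
# Not from the slides; the register entries, the cost figures, the qualitative
# thresholds and the decision rule are constructed assumptions for this example.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Risk:
    name: str
    probability: float                     # chance the threat acts in the period, 0..1
    impact: float                          # loss if the event occurs (same units as costs)
    control_cost: Optional[float] = None   # cost to mitigate; None if no control is known
    transfer_cost: Optional[float] = None  # cost to transfer (e.g. premium); None if unavailable


def expected_loss(risk: Risk) -> float:
    """Slide 13: probability of event x impact = risk (quantitative assessment)."""
    if not 0.0 <= risk.probability <= 1.0:
        raise ValueError(f"{risk.name}: probability must be between 0 and 1")
    if risk.impact < 0:
        raise ValueError(f"{risk.name}: impact must be non-negative")
    return risk.probability * risk.impact


def disposition(risk: Risk) -> str:
    """Slides 24 and 25: Accept, Mitigate or Transfer.

    Decision rule (an assumption of this example): among the options whose
    cost is below the expected loss, take the cheapest; if none qualifies,
    the risk is accepted, because any control would cost more than the loss.
    """
    loss = expected_loss(risk)
    candidates = {}
    if risk.control_cost is not None and risk.control_cost < loss:
        candidates["Mitigate"] = risk.control_cost
    if risk.transfer_cost is not None and risk.transfer_cost < loss:
        candidates["Transfer"] = risk.transfer_cost
    if not candidates:
        return "Accept"
    return min(candidates, key=candidates.get)


def qualitative_band(likelihood: int, impact: int) -> str:
    """Slide 23, qualitative assessment: subjective 1..5 scores instead of
    measured values. The band thresholds are an assumption of this example."""
    for score, label in ((likelihood, "likelihood"), (impact, "impact")):
        if score not in range(1, 6):
            raise ValueError(f"{label} score must be 1..5, got {score}")
    product = likelihood * impact
    if product >= 15:
        return "High"
    if product >= 6:
        return "Medium"
    return "Low"


def rank_register(register: List[Risk]) -> List[Risk]:
    """Order the register so the largest expected loss is reviewed first."""
    return sorted(register, key=expected_loss, reverse=True)


def summarize(register: List[Risk]) -> List[Tuple[str, float, str]]:
    """Return (name, expected loss, disposition) rows, highest loss first."""
    return [(r.name, expected_loss(r), disposition(r)) for r in rank_register(register)]


# Constructed sample register (figures are illustrative, not from the deck).
SAMPLE_REGISTER = [
    Risk("Laptop theft", probability=0.20, impact=50_000,
         control_cost=3_000, transfer_cost=4_000),
    Risk("Data-center flood", probability=0.01, impact=2_000_000,
         control_cost=50_000, transfer_cost=15_000),
    Risk("Printer outage", probability=0.50, impact=500,
         control_cost=1_000),
]


if __name__ == "__main__":
    for name, loss, action in summarize(SAMPLE_REGISTER):
        print(f"{name:18s} expected loss {loss:>10,.0f}  -> {action}")
```

Running the script lists the flood first (largest expected loss, transferred because the premium is the only option cheaper than the loss), then the laptop theft (mitigated, since the control is cheaper than both the loss and the premium), and finally the printer outage, which is accepted because the only control costs more than the expected loss.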

Page 26: Risk Management 101

Ineffective Risk Mitigation

Page 27: Risk Management 101

Evaluate and Act

• Risk Management Committee or SMT
• Document decisions

• Get it done!

Page 28: Risk Management 101

Frameworks for Risk Management

• Carnegie Mellon (CMU SEI) – software
• NIST/FISMA – information systems
• CRESP – Consortium for Risk Evaluation with Stakeholder Participation – nuclear
• COSO – Committee Of Sponsoring Organizations – info systems
• COBIT – Control Objectives for IT
• SOMAP – Security Officers Management & Analysis Project – Open Information Security RM Handbook
• OCTAVE – Operationally Critical Threat, Asset, and Vulnerability Evaluation
• Commercial – many

Page 29: Risk Management 101

Treasury Board of Canada

Integrated Risk Management Framework – 2001

• “Risk-Smart” Workforce and Environment
• 4 Elements:

– Develop Risk Profile
– Establish organizational function
– Practice and integrate
– Ensure continuous learning

http://www.tbs-sct.gc.ca/pubs_pol/dcgpubs/riskmanagement/rmf-cgr01-1_e.asp

Page 30: Risk Management 101

Security and Risk Management

• Security is a subset of Risk Management
• RM -> Security Solutions -> Compliance
• Security/Business balance
• Act on appropriate risks
• Consider the “costs”

Page 31: Risk Management 101

At DHS

Information Risk Management at DHS

• Based on elements of NIST, COBIT and OCTAVE
• SLM – Security Lifecycle Management
• Information Policy, Awareness and Compliance
• Business Continuity Planning

Page 32: Risk Management 101

Resources

Information Risk Management at DHS

• CMU SEI – www.sei.cmu.edu/risk
• COBIT – www.isaca.org/cobit
• COSO – www.coso.org
• CRESP – www.cresp.org
• NIST/FISMA – csrc.nist.gov
• SOMAP – www.somap.org
• OCTAVE – www.cert.org/octave
• Prof. John Adams – john-adams.co.uk

Page 33: Risk Management 101

Discussion?
