Chapter 14 IT risk analysis and management
Overview • The relevance of risk management to top management • IT Risk management frameworks • Risk analysis - identification and assessment • Risk management - mitigation, preparation and response
Introduction • Risk • Quantitative measure of the potential damage caused by a specified threat • Draws top management attention • Integrates almost everything discussed in previous chapters • Risk management framework • NIST • Utilize inputs from both technology and management experts • Risk management is a component of managing an organization
Risk management as component of general management • Performance of organization assessed using some measure of profitability • More profitable organizations are more valuable than less profitable organizations • Primary focus of managers is to maximize their organization’s profits • Non-profits share risk-management concerns similar to those of for-profit organizations • We may write this managerial concern as • Manager’s decision problem • = max(profit) • = max(Revenues – cost) • Goal can be accomplished by • Increasing revenues • Generally by • Raising prices, or • Selling more units • Reducing costs • Or, some combination of both
Risk management as component of general management • Management literature and typical MBA curriculum focused on guiding managers to reach these goals • However • When running organizations • Managers find unusual things happening all the time • Can significantly affect the organization’s profit-maximizing equation • E.g. • TJ Maxx made provisions for $118 million to deal with credit card incident • Since these unusual incidents can affect organization’s profits • They need to be managed • At a very high level • Risk management • Managing financial impacts of unusual events
Risk management as component of general management • We can include risk management in manager’s decision problem • Modify it as • Manager’s decision problem • Max (Revenues – cost - Δ) • Where Δ is the impact of unusual events on the organization • Two approaches to risk management • Making risks (Δ) predictable • Insurance and hedging • Performed by financial sector of the economy • E.g. flood insurance for data center makes the financial impact of flood events predictable • Equal to the annual premium paid to buy the insurance • Unusual for techies to think about, but second nature to top management • Be prepared • Not authors’ expertise, so left to other experts • Minimizing and preparing for these risks • Approach discussed in the rest of this chapter Δ stands for delta, an industry-standard term for deviations from normal behavior
Alternate view of importance of risk • Offense and defense • All sports teams have a mix of offense and defense • In IT • Typical IT investments may be seen as offensive measures • Attack (reduce) costs • Attack (reduce) complexity • Battle for customers in more markets • Information security is the defensive arm of the equation • Focuses on ensuring that the organization’s existing competitive advantage is not lost due to improper IT implementations • Related area is ensuring that new risks created in the organization due to IT investments are well managed • E.g. high speed trading • Quote • Offense sells tickets, defense wins championships
Risk management framework • Framework • Structure for supporting something else • Management literature • Frameworks are used when a large number of ideas are to be organized in a manner that can be understood and memorized by many people • Popular risk management frameworks • CERT’s OCTAVE • ISO 27002 • NIST 800-39 • Recommendations from Microsoft • Recommendations from Google • Similar ideas • Collective efforts of best minds in industry to manage IT risks • Pick most suitable guideline for your organization
Risk management framework • Creativity • Adoption of one of the standard risk-management frameworks is strongly recommended • Make any adjustments for your specific context • Developing own risk-management plan from scratch is dangerous • Very likely to miss many important concerns • Only discovered at great cost after a successful attack • Benjamin Franklin • Experience keeps a dear school, yet fools learn in no other • Our preference • NIST 800-39 • Very compatible with other chapters
NIST 800-39 framework • NIST recommendations for managing information security risk • Published as special publication 800-39 • Version at time of writing dated March 2011 • Developed with inputs from the Civil, Defense, and Intelligence Communities • Provides an information security framework for the federal government • Very general • Useful for vast majority of commercial and non-profit organizations • High-security environments such as military bases or special laws such as HIPAA will use more stringent procedures • http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf (as of 12/20/2012)
NIST 800-39 framework • IT risk • Defined as risk associated with the use of information systems in an organization • One of many risks facing organizations • NIST recognizes that risk management is not an exact science • Recommends that senior leadership be involved in IT risk management • IT risk management be integrated in the design of business processes
IT risk management components • Four components of IT risk management in NIST 800-39 framework • Risk frame • Risk assessment • Risk response (once risks are assessed) • Ongoing risk monitoring (based on experiences gained from risk response activities)
Risk frame • Establishes the context for risk management by describing the environment in which risk-based decisions are made • Clarifies to all members in the organization the various risk criteria used in the organization • Criteria include • Assumptions about the risks that are important • Responses that are considered practical • Levels of risk considered acceptable • Priorities and trade-offs when responding to risks • Also identifies any risks that are to be managed by senior leaders/executives
Risk frame – example • Highlighted by Presidential candidate Mitt Romney in 2012 Presidential debates • There was only one reference to “terror” in the President’s 2001 State of the Union address • The very next year • After the 9/11 attacks • There were 36 references to “terror” • In the 2002 State of the Union address • Illustrates a change in the risk frame (priorities) of the executive branch of the US Government
Risk assessment • Identifies and aggregates risks facing the organization, within the context of the risk frame • Recall definition of risk • Quantitative measure of the potential damage from a threat • Risk assessment develops these quantitative estimates • Identifying threats • Identifying vulnerabilities in the organization • Identifying harm to the organization if the threats exploit vulnerabilities • Discussed in greater detail in next section
Risk response • Addresses how organizations respond to risks once they are determined from risk assessments • Helps in the development of a consistent, organization-wide response to risk • Consistent with risk frame • Following standard business procedure, risk response consists of • Developing alternative courses of action for responding to risk • Evaluating these alternatives • Selecting appropriate courses of action • Implementing risk responses based on selected courses of action
Risk monitoring • Evaluates effectiveness of organization's risk management plan over time • Involves • Verification that planned risk response measures are implemented • Verification that planned risk responses satisfy the requirements derived from the organization’s missions, business functions, regulations, and standards • Determination of effectiveness of risk response measures • Identification of required changes to risk management plan as result of changes in technology and business environment
NIST 800-39 framework – contd. • Activities in outer circles performed sequentially • Move from risk assessment to risk response to risk monitoring • Risk frame informs all sequential step-by-step activities • E.g. • Threats identified from risk frame serve as inputs to risk assessment • Outputs from risk assessment component (risks) serve as input to risk response component • Our adaptation • NIST uses bi-directional arrows everywhere in figure • We have used directed arrows to connect outer circles • Believe better represents sequential nature of activities and information flows • From risk assessment to response to monitoring
NIST risk assessment vs. risk analysis • The risk assessment component in NIST 800-39 framework includes two activities • Identifying risks • Quantifying these risks • NIST risk assessment is often also called risk analysis • In this usage, quantification activity of NIST risk assessment is called risk assessment • Specific context should help you disambiguate the meaning of the term risk assessment
Risk assessment model • We can build on threat model developed earlier to create a risk assessment model • Threat analysis does not conduct formal analysis of potential outcomes of threats • Limited to identifying potential problems • Risk assessment adds an analysis of outcomes to identified threats • Written as • Risk = damage as a result of a specified threat, or • Risk = damage(threat) • i.e. risk is the damage output as a function of the threat input • Since threat is composed of an actor, a motive and an asset, • Risk = damage(actor, motive, asset)
Risk assessment model – contd. • Thus, a risk is a damage output as a function of the inputs of actor, motive and assets • For example, one of the threats identified was • Actor: Remote hacker • Asset: User credentials database • Motive: Try these credentials on banking web sites • During threat analysis, we did not consider potential impact of such a threat • Risks • Can be written as risk statements • Provide all information necessary to communicate information about risks to concerned parties
Risk assessment model – contd. • For the example threat, we can write associated risks as • Risk 1 • A remote hacker may steal user credentials, with the intent to try these credentials on banking web sites. This may lead to lawsuits, which will drain profits as well as management time • Risk 2 • A remote hacker may steal user credentials, with the intent to try these credentials on banking web sites. This may lead to adverse publicity, which may hurt our business in the short term • Same threat may be associated with multiple risks, if the threat can cause multiple forms of damage
Risk assessment model and risk frame • Risks are combinatorial • Multiply rapidly • Example • 2 actors (remote attacker and disgruntled employee) • 2 assets (information assets and hardware assets) • 4 potential threats (2 * 2) if only 1 motive • Add two forms of damage • Financial loss, information loss • 8 potential risks to consider (4 * 2)
Risk assessment model and risk frame – contd. • Even the smallest real-world organizations have tens of assets, actors, motives and damages • Tens of thousands of potential risks • Most organizations can only deal with, say, 5 – 10 risks at any given time • Hence risk frames are important • Prune out unlikely risks • Develop organizational consensus on pruned risks
Quantifying risks • Once risks are identified • Quantitative measures for risks can be developed • Two measures estimated • Likelihood of risk • Potential damage upon occurrence of the risk • Risk = likelihood * damage • E.g. • Say probability of such an attack in the coming year = 1% • Also, say that monetary damage from lost sales is $10,000 in profits • Risk = likelihood * damage = 0.01 * $10,000 = $100 • All risks within the risk frame can be prioritized by this value
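The risk assessment model of the preceding slides (threat = actor, motive, asset; risk = damage(threat); risk value = likelihood * damage; pruning by the risk frame), carried through in code. This is an added illustration, not material from the chapter; the actors, assets, dollar estimates and the risk-frame predicate are constructed for the example, with the first estimate matching the chapter's 1% * $10,000 = $100 case.

```python
"""Added illustration of the chapter's risk assessment model:
threat = (actor, motive, asset); risk = damage(threat); value = likelihood * damage;
the risk frame then prunes the combinatorial set to the few risks management can act on.
All actors, assets, motives and estimates below are constructed for the example."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Threat:
    actor: str
    motive: str
    asset: str


@dataclass(frozen=True)
class Risk:
    threat: Threat
    damage_type: str
    likelihood: float = 0.0  # estimated annual probability the threat materializes
    damage: float = 0.0      # estimated monetary damage if it does (USD)

    @property
    def value(self) -> float:
        # Risk = likelihood * damage, the chapter's quantification step
        return self.likelihood * self.damage

    def statement(self) -> str:
        # Risk statement in the chapter's form: actor, asset, motive, then form of damage
        return (f"A {self.threat.actor} may compromise the {self.threat.asset}, "
                f"with the intent to {self.threat.motive}. "
                f"This may lead to {self.damage_type}.")


def enumerate_threats(actors, motives, assets):
    """Every (actor, motive, asset) combination: |actors| * |motives| * |assets| threats."""
    return [Threat(a, m, s) for a, m, s in product(actors, motives, assets)]


def enumerate_risks(threats, damage_types):
    """One risk per (threat, form of damage): the same threat yields several risks."""
    return [Risk(t, d) for t, d in product(threats, damage_types)]


def quantify(risks, estimates):
    """Attach (likelihood, damage) estimates keyed by (actor, asset, damage_type).
    Risks without an estimate keep value 0 and fall to the bottom of the ranking."""
    out = []
    for r in risks:
        key = (r.threat.actor, r.threat.asset, r.damage_type)
        p, d = estimates.get(key, (0.0, 0.0))
        out.append(Risk(r.threat, r.damage_type, p, d))
    return out


def prioritize(risks, in_frame, top_n):
    """Apply the risk frame (a predicate saying which risks the organization will
    consider at all), then rank by expected loss and keep only the top_n."""
    kept = [r for r in risks if in_frame(r)]
    return sorted(kept, key=lambda r: r.value, reverse=True)[:top_n]


def demo():
    actors = ["remote hacker", "disgruntled employee"]
    assets = ["user credentials database", "server hardware"]
    motives = ["try the credentials on banking web sites"]
    damage_types = ["financial loss", "information loss"]
    threats = enumerate_threats(actors, motives, assets)  # 2 * 1 * 2 = 4 threats
    risks = enumerate_risks(threats, damage_types)        # 4 * 2 = 8 risks
    # Blind enumeration also produces implausible combinations (credential motive
    # against hardware); that is exactly what the risk frame is there to prune.
    estimates = {  # constructed (annual probability, USD)
        ("remote hacker", "user credentials database", "financial loss"): (0.01, 10_000),
        ("remote hacker", "user credentials database", "information loss"): (0.05, 3_000),
        ("disgruntled employee", "user credentials database", "financial loss"): (0.002, 40_000),
    }
    quantified = quantify(risks, estimates)
    # Risk-frame assumption: hardware risks are handled by facilities/insurance, so only
    # information-asset risks are in scope, and management will track at most 3 risks.
    top = prioritize(quantified, lambda r: r.threat.asset != "server hardware", top_n=3)
    return {"threats": len(threats), "risks": len(risks), "top": top}


if __name__ == "__main__":
    for r in demo()["top"]:
        print(f"${r.value:>8,.2f}  {r.statement()}")
```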
Other risk management frameworks • General frameworks • International Standards Organization (ISO) • OCTAVE • Context-specific frameworks • Sarbanes-Oxley • IT general controls for reliability of financial reporting by publicly traded companies
International Standards Organization (ISO) • Reserved ISO 27000 series of standards for information security matters • i.e. standards starting with the digits 27 • As of Dec. 2012 • Includes 6 standards • ISO 27001 – ISO 27006 • On next slide • Note parallels between NIST 800-39 and ISO 27001 standards • NIST assess phase maps to ISO plan phase • NIST respond phase maps to ISO do phase • NIST monitor phase maps to ISO check and act phases
ISO 27001 • Standard that specifies the requirements for an information security management system (ISMS) • States that ISO adopts a process approach for implementing information security • All processes follow Deming’s Plan-Do-Check-Act (PDCA) model • Planning phase • Organizations establish policies and procedures to manage information risks • Do phase • These procedures are operated • Checking phase • Performance is measured against plan specifications and presented to management for review • Act phase • Review results are used to improve policies and procedures in the next iteration of the plan phase
ISO 27002 • Standard that specifies a set of controls to meet the requirements specified in ISO 27001 • Documents a set of security techniques • Map to the controls we have discussed throughout the class • Controls are divided into the following sections • Asset management • Human resources security • Physical and environmental security • Communications and operations management • Access control • Information systems acquisition, development and maintenance • Information security incident management • Business continuity management • Compliance
ISO 27003 - 27006 • ISO 27003: Guidance for the implementation of an ISMS • ISO 27004: Measurement and metrics for an ISMS • ISO 27005: Standard for information security risk management • Information security risk management process consists of 7 sequential steps • Context establishment • Risk assessment • Risk treatment • Risk acceptance • Risk treatment plan implementation • Risk monitoring and review • Risk management process improvement • Alignment with the 4 phases defined in ISO 27001 shown on next slide • ISO 27006: Guidelines for accreditation of organizations that offer ISMS certification
OCTAVE • Operationally Critical Threat, Asset, Vulnerability Evaluation • Corresponds to risk assessment phase of the NIST 800-39 framework • Developed by Software Engineering Institute (SEI) • Located at Carnegie Mellon University (CMU) • Federally funded organization • Has taken stewardship of coordinating various activities important to the software industry • E.g. recommended guidelines for improving the software development process (CMMI) • CERT • Maintains central repository of bug reports released by major software vendors
OCTAVE – contd. • Developed with large organizations in mind • 300 employees or more • Generally maintain their own IT infrastructure • Have the capability to manage their own information security operation • Three-phased approach to examine organizational and technology issues • Assembles comprehensive picture of the organization's information security needs • OCTAVE phases • Phase 1: Identifying critical assets and the threats to those assets • Phase 2: Identifying vulnerabilities, both organizational and technological, that expose those threats, creating risk to the organization • Phase 3: Developing practice-based protection strategy and risk mitigation plans to support the organization's mission and priorities
OCTAVE – contd. • OCTAVE comprises a series of workshops • Facilitated by outside experts, or • Conducted by interdisciplinary analysis team of three to five of the organization's own personnel • Method takes advantage of knowledge from multiple levels of organization • Activities supported by a catalog of good or known practices • As well as surveys and worksheets • Used to elicit and capture information during focused discussions and problem-solving sessions • Many parallels • OCTAVE and ISO 27000 • OCTAVE and NIST 800-39
IT general controls for Sarbanes-Oxley • High stakes environments • Specialized guidelines become necessary • Generic guidelines inadequate • E.g. NIST 800-39 • Financial reporting by publicly traded companies • Big driver of information security hiring during 2003 – 08 • Entire courses devoted to SOX compliance • Terms added to information security vocabulary • PCAOB • Section 302 • Section 404 • Internal control • IT general controls
Sarbanes-Oxley act of 2002 • Final years of 20th century • One of the most euphoric rises in stock prices in financial history • Now known as the “dot-com boom” • Late stages • Pressure to justify lofty stock prices • Some well-respected executives falsified their account books • MCI-WorldCom: Showed sales that did not actually occur • Enron: Hid costs • Personal profits for these executives
Sarbanes-Oxley act of 2002 – contd. • In courtroom • Executives denied culpability • Argued for trust in accounting staff and auditors • Argued that firms' operations were too complicated for them to know all financial details • In public domain • Management experts, the public and lawmakers • Convinced that managers knew exactly what they were doing • Pleas of ignorance only attempts to exploit legal loopholes and avoid penalties
Sarbanes-Oxley act of 2002 – contd. • Implications • Awareness of dependence of retirements on stock markets • Majority of assets invested in US stock markets • Awareness of verbal and implicit directions • No paper trail for evidence • Public pressure on Congress • Sarbanes-Oxley act of 2002 • Senator Paul Sarbanes (D-MD) • Representative Michael G. Oxley (R-OH) • Voting pattern • 423 of a possible 434 votes in the house • 99 of the 100 possible votes in the senate
SOX act – important provisions - 302 SEC. 302. CORPORATE RESPONSIBILITY FOR FINANCIAL REPORTS. (a) REGULATIONS REQUIRED.—The Commission shall, by rule, require, for each company filing periodic reports under section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m, 78o(d)), that the principal executive officer or officers and the principal financial officer or officers, or persons performing similar functions, certify in each annual or quarterly report filed or submitted under either such section of such Act that— (1) the signing officer has reviewed the report; (2) based on the officer’s knowledge, the report does not contain any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading; (3) based on such officer’s knowledge, the financial statements, and other financial information included in the report, fairly present in all material respects the financial condition and results of operations of the issuer as of, and for, the periods presented in the report; (4) the signing officers— (A) are responsible for establishing and maintaining internal controls; (B) have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared; (C) have evaluated the effectiveness of the issuer’s internal controls as of a date within 90 days prior to the report; and (D) have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date;
SOX act – important provisions - 906 SEC. 906. CORPORATE RESPONSIBILITY FOR FINANCIAL REPORTS. … ‘‘(c) CRIMINAL PENALTIES.—Whoever— ‘‘(1) certifies any statement as set forth in subsections (a) and (b) of this section knowing that the periodic report accompanying the statement does not comport with all the requirements set forth in this section shall be fined not more than $1,000,000 or imprisoned not more than 10 years, or both; or ‘‘(2) willfully certifies any statement as set forth in subsections (a) and (b) of this section knowing that the periodic report accompanying the statement does not comport with all the requirements set forth in this section shall be fined not more than $5,000,000, or imprisoned not more than 20 years, or both.’’.
SOX act – important provisions - 404 SEC. 404. MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS. (a) RULES REQUIRED.—The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall— (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting. (b) INTERNAL CONTROL EVALUATION AND REPORTING.—With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.
SOX implications • Section 404 of the Sarbanes-Oxley act • Introduced concept of standards-based verification of internal control • Replaced self-created procedures developed by auditing firms • Industry lost autonomy • Issued as auditing standards
PCAOB and auditing standards • Public Company Accounting Oversight Board (PCAOB) • Body created by Sarbanes-Oxley act • Develops standards to be used for SOX attestations • From PCAOB website • The PCAOB is a nonprofit corporation established by Congress to oversee [the audits of public companies and broker-dealers, with the goal of investor protection]. The Sarbanes-Oxley Act of 2002, which created the PCAOB, required that auditors of U.S. public companies be subject to external and independent oversight for the first time in history. Previously, the profession was self-regulated. The five members of the PCAOB Board, including the Chairman, are appointed to staggered five-year terms by the Securities and Exchange Commission (SEC), after consultation with the Chairman of the Board of Governors of the Federal Reserve System and the Secretary of the Treasury. The SEC has oversight authority over the PCAOB, including the approval of the Board’s rules, standards, and budget. The Act established funding for PCAOB activities, primarily through annual fees assessed on public companies [market capitalization] and on brokers and dealers [net capital]. • Standards of greatest interest • AS5 • An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements • Guides overall SOX engagement • Likely in your career if you join one of the professional auditing firms • AS12 • Identifying and Assessing Risks of Material Misstatement • Within SOX audit, provides guidance for IT
SOX audit directions for IT • [Figure: AS 5 (Audit of internal controls) → Para 21 (Top-down approach); AS 5 → Para 36 (Effect of IT on transaction flow) → AS 12 Para 29 (Refer to Appendix B) → AS 12 Appendix B (Unauthorized access etc.)] • Section 21 of AS 5 • Overall direction of SOX audit • Section 36 of AS 5 • Directs auditors to two paragraphs below • Paragraph 29 of AS 12 • Directs auditors to paragraph below • Appendix B of AS 12 • Controls
AS 5 – section 21 21. The auditor should use a top-down approach to the audit of internal control over financial reporting to select the controls to test. A top-down approach begins at the financial statement level and with the auditor's understanding of the overall risks to internal control over financial reporting. The auditor then focuses on entity-level controls and works down to significant accounts and disclosures and their relevant assertions
AS 5 – section 36 • 36. The auditor also should understand how IT affects the company's flow of transactions. The auditor should apply paragraph 29 and Appendix B of Auditing Standard No. 12, Identifying and Assessing Risks of Material Misstatement, which discuss the effect of information technology on internal control over financial reporting and the risks to assess
AS 12 – section 29 29. The auditor also should obtain an understanding of how IT affects the company's flow of transactions. (See Appendix B.)
AS 12 – Appendix B APPENDIX B – CONSIDERATION OF MANUAL AND AUTOMATED SYSTEMS AND CONTROLS ... B4. The auditor should obtain an understanding of specific risks to a company's internal control over financial reporting resulting from IT. Examples of such risks include: • Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both; • Unauthorized access to data that might result in destruction of data or improper changes to data, including the recording of unauthorized or non-existent transactions or inaccurate recording of transactions (particular risks might arise when multiple users access a common database); • The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties, thereby breaking down segregation of duties; • Unauthorized changes to data in master files; • Unauthorized changes to systems or programs; • Failure to make necessary changes to systems or programs; • Inappropriate manual intervention; and • Potential loss of data or inability to access data as required
Internal controls over financial reporting • OK, so now we know the law, but when we get to a client • What do we do? • Internal controls over financial reporting • Defined in Appendix A of AS 5 as • A5. Internal control over financial reporting is a process designed by, or under the supervision of, the company's principal executive and principal financial officers, or persons performing similar functions, and effected by the company's board of directors, management, and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP and includes those policies and procedures that - • (1) Pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company; • (2) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and • (3) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets that could have a material effect on the financial statements.