Risk Management and Risk Assessment
Nathan Singleton
Risk Management is…
“Risk management is the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organizations’ missions.” – NIST SP 800-30
Guidance and Policies
• NIST SP 800-30
  • Risk Management Guide for Information Technology Systems
• ISO 17799/27002
  • A comprehensive set of controls comprising best practices. Intended to serve as a single reference point for identifying the range of controls needed for “most” situations
• Other Guidance
  • HIPAA
  • PCI-DSS
  • Sarbanes-Oxley
  • FERC/NERC CIP
  • etc.
Risk Management Goals
• Enhance the mission capabilities of an enterprise by protecting the IT systems that support operations
• Minimize the impact of an “event”
• Avoid the “event”
• Balance the operational and economic costs of protecting IT systems
• This process will produce “Residual Risk”
3 Processes of Risk Management
• Risk Assessment
  • Identification and evaluation of risks and risk impact
  • Recommendations of risk-reducing measures
• Risk Mitigation
  • Prioritizing, implementing, and maintaining appropriate risk-reducing measures
• Evaluation and Assessment
  • Evaluation and Assessment are continuous activities
Key Roles
• Senior Management
  • Ultimately responsible for mission accomplishment
• Chief Information Officer (CIO)
  • Agency / corporate individual responsible for planning, budgeting, and IT performance
• System and Information Owners
  • Responsible for ensuring controls are in place to ensure the CIA (confidentiality, integrity, availability) of the IT systems and data they “own”
• Business and Functional Managers
  • Responsible for business operations and IT procurement. Ultimately will determine the trade-offs required to accomplish mission objectives
Key Roles
• ISSO
  • IT security managers and computer security officers responsible for security programs. They introduce methodologies and requirements
• IT Security Practitioners
  • Administrators (network, database, etc.) and other security professionals responsible for proper implementation
• Security Awareness Trainers
  • Employees are the source of more security violations than any other source
Risk Assessment
• This is the first part of Risk Management
• Used to determine the extent of the potential threat and the associated risk
• “Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.”
Quick Definitions
• Likelihood:
  • Determined by analyzing the threats combined with the potential vulnerabilities and the controls in place
• Impact:
  • The amount of harm potentially caused by exercising a vulnerability. Levels are determined by the potential impact on the mission
• Threat:
  • The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability
Quick Definitions
• Threat-Source:
  • (1) There is an intent and method targeting with the intention of exploiting a vulnerability, or
  • (2) There exists a situation and method that may accidentally trigger a vulnerability
  • Generally speaking, threat-sources are anything that can cause harm to the IT system
• Vulnerability:
  • A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy
9 Step Process
• 1. System Characterization
• 2. Threat Identification
• 3. Vulnerability Identification
• 4. Control Analysis
• 5. Likelihood Determination
• 6. Impact Analysis
• 7. Risk Determination
• 8. Control Recommendations
• 9. Results Documentation
• Steps 2, 3, 4, and 6 can be conducted in parallel after Step 1 has been completed
Risk Mitigation
• Second process of Risk Management
• Prioritize controls
• Evaluate controls
• Implement controls
• Prioritization and Evaluation Basis
  • Least-cost approach
  • Most appropriate controls to reduce risk to an acceptable level
  • Minimal adverse impact
  • Precedence should be given to the threat/vulnerability pairs which have the greatest impact
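The risk determination (Step 7) and the prioritization basis above are easy to misapply when the rating is done by eye, so here is an added worked example, not from the slides, that carries a few constructed threat/vulnerability pairs through likelihood × impact, ranks them, and shows the residual risk after a control lowers likelihood. It assumes the qualitative scales of the original NIST SP 800-30 risk-level matrix (likelihood High 1.0 / Medium 0.5 / Low 0.1, impact High 100 / Medium 50 / Low 10, risk High above 50, Medium above 10 to 50, Low 1 to 10) and SP 800-30's corresponding action descriptions; the pair data and the `ThreatVulnPair` / `prioritize` / `apply_control` names are this example's own.

```python
from dataclasses import dataclass, replace

# Assumption: scales from the NIST SP 800-30 (2002) risk-level matrix.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}

# Assumption: the SP 800-30 description of what each risk level implies for action.
ACTION = {
    "High": "Strong need for corrective measures; plan them as soon as possible",
    "Medium": "Corrective actions needed; develop a plan within a reasonable period",
    "Low": "Authorizing official decides whether to correct or accept the risk",
}


@dataclass(frozen=True)
class ThreatVulnPair:
    """One threat-source / vulnerability pair from Steps 2-3 of the 9-step process."""
    threat_source: str
    vulnerability: str
    likelihood: str  # Step 5: already takes the controls in place (Step 4) into account
    impact: str      # Step 6: harm to the mission if the vulnerability is exercised


def risk_score(likelihood: str, impact: str) -> float:
    """Step 7: risk as a function of likelihood and impact (matrix product)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """Map a matrix score onto the High / Medium / Low risk scale."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def prioritize(pairs: list[ThreatVulnPair]) -> list[tuple[ThreatVulnPair, float, str]]:
    """Rank pairs so the greatest risk is mitigated first (the precedence rule)."""
    scored = [(p, risk_score(p.likelihood, p.impact)) for p in pairs]
    scored.sort(key=lambda item: item[1], reverse=True)
    return [(p, s, risk_level(s)) for p, s in scored]


def apply_control(pair: ThreatVulnPair, new_likelihood: str) -> tuple[float, float]:
    """Residual risk: a control that lowers likelihood leaves (before, after) scores."""
    before = risk_score(pair.likelihood, pair.impact)
    after = risk_score(replace(pair, likelihood=new_likelihood).likelihood, pair.impact)
    return before, after


# Constructed sample pairs for the walkthrough (not real findings).
SAMPLE_PAIRS = [
    ThreatVulnPair("External attacker", "Unpatched internet-facing web server", "High", "High"),
    ThreatVulnPair("Untrained employee", "No phishing-awareness training", "Medium", "Medium"),
    ThreatVulnPair("Hardware failure", "Single backup copy, restore never tested", "Low", "High"),
    ThreatVulnPair("Contractor", "Shared administrator password", "High", "Medium"),
]

if __name__ == "__main__":
    for pair, score, level in prioritize(SAMPLE_PAIRS):
        print(f"{score:>6.1f} {level:<7} {pair.threat_source} / {pair.vulnerability}")
        print(f"       -> {ACTION[level]}")
    # Patching the web server (Step 8 recommendation) drops likelihood to Low.
    before, after = apply_control(SAMPLE_PAIRS[0], "Low")
    print(f"Residual risk after patching: {before:.0f} -> {after:.0f} ({risk_level(after)})")
```

Note that the ranking is by the matrix score, so two pairs with the same score (for example Medium likelihood with High impact, and High likelihood with Medium impact) both rate Medium and tie; the slides' "least-cost" and "minimal adverse impact" criteria are what break such ties when choosing which control to implement first.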
Risk Mitigation Options
• Risk Assumption
  • Accept the potential risk, or implement controls to lower the risk
• Risk Avoidance
  • Avoid the risk by eliminating the cause and/or consequence
• Risk Limitation
  • Controls to minimize impact
• Risk Planning
  • Develop a risk mitigation plan to prioritize, implement, & maintain controls
• Research and Acknowledgement
  • Lower risk by acknowledging the vulnerability and researching controls
• Risk Transference
  • Transfer the risk (e.g. purchase insurance)
Evaluation and Assessment
• Systems must be continuously reevaluated
  • As new equipment is inserted into the system
  • As new software and applications are installed
  • Continuously, since new vulnerabilities are regularly found
• Full assessments should be performed in accordance with appropriate governance
  • NIST SP 800-30 states at least every three years for government agencies