Richard Henson University of Worcester April 2018. COMP3357 Managing Cyber Risk. Week 11: Risk Assessment for Business Continuity. Objectives: Create an asset register (protected through BCP) to include not just hardware but digital resources
Richard Henson, University of Worcester, April 2018
COMP3357 Managing Cyber Risk
Week 11: Risk Assessment for Business Continuity
• Objectives:
  • Create an asset register (protected through BCP) to include not just hardware but digital resources
  • Use theoretical principles of qualitative risk assessment to produce a risk register
  • Extend the risk register to include a realistic risk treatment plan that will mitigate the identified risk

BCP for increasing competitiveness and gaining market share…
• All about business<>customer!
  • online environments (websites)
  • even physical environments (shops)
• B2C now dependent on IT
  • need risk assessment, information assurance (expensive?)
  • BCP covers similar ground… (more cost-effective?)

Variety of Physical Markets…
• Retail parks (expensive but many customers)
• High street shops (lower rent; fewer customers?)
• Side street shops/street traders
• Physical businesses STILL use IT to run their business (internal IT)
  • street traders market/sell online via website…

Limits to Online Markets?
• On-line B2C grows every year!
• Different growth rates in different countries…
  • fastest rate in early years… US/Canada
  • fastest rate in 2016... UK!
  • driven by convenience
• more technology… good for technology economy
• 2020?

Maintaining an Online Business Environment
• With or without shop/market stall!
  • website - still expectation of 24/7 trading
• Use internal and external IT!
  • customers visit by the www
  • dependent on advertising and search engines
  • process, pick, dispatch orders
The Organisation IT Boundary
• Internal IT... process customer data
• External IT… gather customer data
• where is the internal/external boundary?
[Diagram: Internal IT (processing customer data) | External IT (customers)]

Engaging with the Online Environment
• Several levels:
  • website separate from the business's own IT
    • website for advertising and enquiries only
    • website for online shopping
  • website integrated with rest of business IT
    • much larger development and maintenance operation
    • may be outsourced…
    • business needs to keep control of its data!
Competition and Internal IT
• Smooth IT operation pleases…
  • Suppliers
    • want to do business… not have their time wasted (!)
  • Existing customers
    • will return for more
    • will tell others…

Threats to organisational data/systems…
• Divides neatly into:
  • “internal”… employees
    • applies to all businesses
  • “external”… hackers
    • specific to online businesses
• Consequences over and above “messed up” systems

Messed up systems, Data Losses… (!)
• System down? Not a good look!
• Depending on which data a small business loses…
  • it may not be able to trade efficiently, or even at all!
  • worst case scenario: 10 days maximum to recover, or out of business

Reality of IT and the Customer
• External: On-line selling?
  • customer assumes that IT works perfectly
  • only takes notice when NOT working
• Essential for B2C to (try to…) live up to customer expectations
  • if Information Assurance too difficult or expensive, BCP a good second choice

External (hacking…)
• Inside people or business partners accessing data from outside, and either accidentally or on purpose, misusing it
• People hacking in from outside, usually via the Internet, possibly with help from inside

Do “we” have a problem?
• Perceptions “from the inside” quite different from “outside looking in”

Internal IT and Competitors
• Messed up operation… annoys…
  • Suppliers… find new partners
  • Customers… find new vendors
  • if it carries on, will ruin reputation!
• Put own house in order!
  • Cannot successfully integrate internal & external IT if internal operation messed up (!)

Internal Data Losses
• Well-meaning employees not following procedures and misusing data or allowing it to get into the wrong hands…
  • The same employees who could already be dealing with a “messed up” system
• Employees or temps with bad intent…
Valuing IT in a Business: The Digital Asset Register
• Until recently, company “value” based on
  • physical assets (asset register)
  • number/quality of customers/partners
  • profit (and projections…)
• What about digital data?
  • e.g. their data and data structures
  • not a physical asset… traditionally ignored!

“The Asset Register” in a world dominated by IT
• Concept of “digital assets” introduced to business via information assurance…
  • ISO27001 (2005 onwards…)
• Essential in BCP (!)
• Asset list (register) extended to include:
  • software (apps & system/platform)
  • data used with that software!

Impact of Data Loss
• Bad enough now (!) Nowhere to hide when GDPR comes in…
  • have to declare data breach including customer records within 72 hours
• Business data not protected through GDPR
  • BUT if stolen, may ALSO lose trade secrets, supplier information…
  • not good for customer perception…
ISO27001 & Risk Assessment
• ISO 27001 is about developing and managing a system to manage information security…
  • informing an organisation which incidents could occur (i.e. assess the risks)
  • assessing the relative importance of each risk so the organisation can treat the most important (i.e. prioritise the risks)
  • then find the most appropriate ways to avoid such incidents (i.e. treat the risks)

Risk Assessment Stages
• Two distinct processes involved (different skill-sets):
  • identification and assessment of the risks (risk assessment)
  • selection and justification of countermeasures to manage those risks (risk management)

Information Risk…
• Applying the process to information risks, it becomes:
  • identifying and evaluating the information security risks associated with a computer system or telecommunications network
  • nominating and justifying security countermeasures for the identified risks

Identifying the Risks
• Effective infrastructure: hardware, software, people working together with minimum downtime
• BUT attacker tools: packet interception, eavesdropping, hacking, insertion of malware, compromising authorised users, theft of documentation, etc.
• Risks, threats, vulnerabilities to digital assets need to be identified…

BCP and ISO27001
• ISO27001 about systems & continuous improvement
• Provides: Risk Assessment Methodology (rules)
  • what will be the acceptable level of risk, etc. for each digital asset?
  • choose qualitative or quantitative risk assessment…
  • all employees should follow agreed method

An Information Asset Register
• Companies typically aware of only 30% of their risks!
• Developing an asset register at least raises awareness…
  • list assets
  • list threats and vulnerabilities related to those assets

Using the Register
• Identify impact and likelihood for each combination of assets, threats, vulnerabilities
  • finally calculate the level of risk
Risk Treatment Plan (RTP)
• four ways to mitigate unacceptable risks:
  • apply ISO27001 “Annex A” security controls to decrease risks (see: ISO 27001 Annex A controls)
  • transfer the risk to another party
    • insurance company (buy an insurance policy)

RTP (cont…)
• Avoid…
  • stop doing an activity that is too risky
  • do the activity in a completely different fashion
• Accept the risk…
  • if cost for mitigation higher than the damage itself!

RTP: Economics
• Risk Treatment Plan… how to decrease the risks with minimum investment?
• Strategy:
  • management will reduce budget… (!)
  • achieve the same result with less money
    • need to figure out how!?!
  • ask for more than minimum in the first place?!
    • use report (next slide) to support your case
Report (for auditors and management)
• ISMS Risk Assessment Report
  • All risk assessment activities compiled into readable documentation
  • for the auditors…
  • internal, for future reference – how are we doing? checking!

Statement of Applicability (SoA)
• Shows security profile of the company…
  • based on the results of the risk treatment
• Lists implemented controls, why implemented, how implemented
  • important for the audit (!)
• For details about the SoA, see
  • Statement of Applicability for ISO 27001.
RTP Ready to go?
• Creating the plan is a “journey”…
  • Start: not knowing how to set up your information security
  • Finish: having a very clear picture of what is needed for implementation

Putting RTP into practice
• Management approval needed
  • will take considerable time and effort (and money) to implement all the controls
  • who (is going to implement each control), when, with which budget, etc.

RTP: Gathering Risk Assessment Data
• Requirements:
  • figuring out all the threats to the organisation’s data
  • cataloguing all hardware and software in the organisation into a Risk Register
    • although hardware may apparently be irrelevant to information management, it needs identifying so it can be appropriately categorised in the risk register!
• http://www.computerworld.com/article/2723652/it-management/how-to-do-a-risk-assessment-for-iso-27001.html
• http://www.computerweekly.com/tip/A-free-risk-assessment-template-for-ISO-27001-certification
1. Threats to Organisational Data
• Outsiders:
  • hackers
  • competitors
• Insiders:
  • employees with bad intent
  • dopey employees
  • either of above working with outsiders

2. Information Assets & Risk
• Information Assets
  • data required to keep business functioning
  • need hardware and software to be useful!
    • these also carry risk
• Once identified…
  • need to be categorised into rank order
    • according to how well (or not…) the organisation would survive without them

The Information Asset Register (ISO27001)
• List of information assets…
• List of related assets…
  • infrastructure needed to maintain each/all asset(s)
  • can be non-computer hardware (e.g. cooling/ventilation system for servers)
  • equipment to counteract effects of natural disasters (e.g. flood defences)

System Vulnerabilities
• Ways that assets can be compromised
  • unpatched applications and/or operating systems
  • user accounts with poorly protected passwords
  • users unaware of hacker “phishing” and other social engineering tactics
Qualitative: Risk to Assets
• Previous sessions…
  • establish criteria for assessment of information assets
    • e.g. value on black market
  • use criteria to categorise as H, M, L

Quantitative: Calculating Risk to Information Assets
• Simple formula
  • likelihood of loss (1-10) x impact (also 1-10)
  • bigger score, bigger risk!
• Can be ranked accordingly
  • along with hardware/software to maintain each asset

To Mitigate or Accept a Risk?
• Risk Register should contain all potential risks…
  • H, M, L categorisation and/or impact assessment score should indicate the main dangers
• Need to choose whether to do something or accept the risk…
  • even for L assets
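To make the register-building and scoring steps on the preceding slides concrete, here is an added Python example (my own illustration, not code from the course or the slides): a small information-asset register whose entries list the related assets they depend on, a risk register scored as likelihood (1-10) x impact (1-10), ranked and banded H/M/L, and a treatment chosen for each risk using the RTP rule that a risk is accepted when mitigating it would cost more than the damage itself. The asset names, threats, costs and the H/M/L thresholds are all constructed assumptions; the slides give no thresholds.

```python
"""Asset register, risk register and risk treatment plan in the style of the slides.
Every asset, threat, score and cost below is a constructed sample value."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Asset:
    name: str
    kind: str                                           # "data", "software", "hardware" or "facility"
    depends_on: List[str] = field(default_factory=list)  # related assets it cannot work without


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                   # 1-10, as on the "Quantitative" slide
    impact: int                       # 1-10
    control: str                      # candidate Annex A style control
    control_cost: int                 # constructed cost of applying that control
    insurance_premium: Optional[int]  # constructed cost of transferring the risk; None = no policy offered
    expected_loss: int                # constructed estimate of the damage if the risk materialises

    def score(self) -> int:
        """Slide formula: likelihood x impact; bigger score, bigger risk."""
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 10:
                raise ValueError("likelihood and impact must be scored 1-10")
        return self.likelihood * self.impact


def band(score: int) -> str:
    """Qualitative H/M/L band. The thresholds are an assumption for this example."""
    if score >= 50:
        return "H"
    if score >= 20:
        return "M"
    return "L"


def treatment(risk: Risk) -> str:
    """RTP rule: accept if mitigation costs more than the damage itself, otherwise
    take the cheaper of applying the control or transferring the risk to an insurer.
    'Avoid' (stop or redesign the activity) is a management decision, not computed here."""
    options = {"treat: " + risk.control: risk.control_cost}
    if risk.insurance_premium is not None:
        options["transfer: insurance"] = risk.insurance_premium
    cheapest = min(options, key=options.get)
    if options[cheapest] > risk.expected_loss:
        return "accept"
    return cheapest


def supporting_assets(register: Dict[str, Asset], name: str) -> Set[str]:
    """All related assets (transitively) that must keep running for `name` to stay usable."""
    seen: Set[str] = set()
    todo = [name]
    while todo:
        for dep in register[todo.pop()].depends_on:
            if dep not in seen:
                seen.add(dep)
                todo.append(dep)
    return seen


def ranked(risks: List[Risk]) -> List[Risk]:
    """Risk register in rank order, highest score first."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def assets_without_risks(register: Dict[str, Asset], risks: List[Risk]) -> List[str]:
    """Assets with no threat/vulnerability entry yet: the awareness gap the register exposes."""
    covered = {r.asset for r in risks}
    return sorted(a for a in register if a not in covered)


def risk_treatment_plan(risks: List[Risk]) -> List[tuple]:
    """One row per risk, ranked: (asset, threat, score, band, treatment)."""
    return [(r.asset, r.threat, r.score(), band(r.score()), treatment(r)) for r in ranked(risks)]


# Constructed sample register for a small online shop.
ASSETS: Dict[str, Asset] = {a.name: a for a in [
    Asset("customer orders DB", "data", ["shop web app", "DB server"]),
    Asset("supplier price list", "data", ["DB server"]),
    Asset("shop web app", "software", ["web server"]),
    Asset("web server", "hardware", ["server room cooling"]),
    Asset("DB server", "hardware", ["server room cooling"]),
    Asset("server room cooling", "facility"),
]}

RISKS: List[Risk] = [
    Risk("customer orders DB", "external hacker", "unpatched web application",
         7, 9, "patch management", 4000, 9000, 60000),
    Risk("customer orders DB", "careless employee", "shared admin password",
         6, 8, "password policy and MFA", 1500, None, 40000),
    Risk("web server", "flood", "no flood defences",
         2, 7, "relocate rack upstairs", 20000, 2500, 15000),
    Risk("supplier price list", "competitor", "staff unaware of phishing",
         3, 3, "awareness training", 3000, None, 2000),
]

if __name__ == "__main__":
    for row in risk_treatment_plan(RISKS):
        print(row)
    print("supports customer orders DB:", sorted(supporting_assets(ASSETS, "customer orders DB")))
    print("assets with no risk entry yet:", assets_without_risks(ASSETS, RISKS))
```

Running it ranks the two customer-database risks (scores 63 and 48) above the flood (14) and the competitor (9); the flood risk is cheaper to insure than to fix, so it is transferred, and the phishing risk to the price list is accepted because the training would cost more than the estimated loss. `assets_without_risks` lists the three supporting assets nobody has assessed yet, which is the point of the slide about companies being aware of only a fraction of their risks.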
Asset Register and Risk Treatment
• “Risk Treatment” now an accepted part of information risk management
  • risk assessment/management finishes with completed risk treatment plan
  • shows how each of the risks regarded as significant will be mitigated
• Essential for effective BCP (next week…)