Enterprise Information Security

Description

Completed Unit 3

1.) Discuss why risk management is an ongoing process.

2.) Describe the strategic roles of the three communities of interest.

3.) Create an inventory of information assets in your personal life. Then, using a weighted factor analysis worksheet, categorize the assets and classify each as to its sensitivity and importance to you.

4.) Explain how outsourcing is a sound approach to gaining capability outside of a company's primary area of expertise.

5.) Come up with a hypothetical scenario under which it would be appropriate to choose the acceptance strategy. Assign estimated values to assets and costs to other considered control strategies. Write a one paragraph summary of the scenario, describing why acceptance is the best choice strategy in this case.

Requirements:

- Learner successfully applied critical thinking to the case study analysis & recommendations/actions taken.

- Learner successfully incorporates a minimum of two scholarly sources per question, and three different authors, to support their position. (No more than 10% of the entire submission should be from referenced sources. In other words, the references should support the learner’s work, not be the bulk of what is written.)

- Learner met the criteria for academic writing (i.e., no spelling or grammar errors, properly formatted paragraphs, APA formatting used for references, etc.).

- Learner met per question 300 word count minimum.

One reference can be the reading material that is provided (three references in total):

Whitman, M. E., & Mattord, H. J. (2013). Management of information security (4th ed.). Stamford, CT: Cengage Learning.

Please separate the answers like the questions and place the references at the end of them.

Unformatted Attachment Preview

Chapter 8
Risk Management: Identifying and Assessing Risk

9781305147263, Management of Information Security, Fourth Edition, Whitman/Mattord - © Cengage Learning. All rights reserved. No distribution allowed without express authorization.

Once we know our weaknesses, they cease to do us any harm.
G. C. (Georg Christoph) Lichtenberg (1742–1799), a German physicist and philosopher

Iris Majwabu and Mike Edwards sat side by side on the short flight to the nearby city where the Random Widget Works, Inc. (RWW) board of directors audit committee was meeting that afternoon. The two had been invited to present RWW’s information technology (IT) risk management program to the committee. The board’s concerns stemmed from a recent briefing by the National Association of Corporate Directors, which focused on trends affecting the potential liability of board members in the areas of InfoSec in general and risk management in particular.

After the plane leveled off, Mike pulled out his copy of the presentation he planned to give that afternoon. He and Iris had been working on it for the past two weeks, and each knew the slides by heart. Iris was along to assist with the question-and-answer period that would follow Mike’s presentation.

“They’re not going to be happy campers when you’re done,” Iris said.

“No, they’re not,” Mike said. “The CEO is worried about how they’ll respond and about what might come up at the full board meeting next month. I’m afraid the disconnect between IT and Internal Audit may have some unexpected consequences.”

Iris considered what she knew about the weaknesses of the Internal Audit Department’s approach to the company’s non-IT assets. Where Mike and Iris had built a sound, fact-based approach to estimating and controlling IT risk, some of the other company divisions used less empirical methods.

“I think we should come out of this okay,” Iris told Mike. “After all, the main concern of the audit committee members is the new perception of their liability for IT security and the impact that IT risk has on the issues surrounding privacy. We have a solid risk management plan in place that’s working well, in my opinion.”

Mike looked up from his notes and said, “It’s not us I’m worried about. I’m afraid we may create some discomfort and unwanted attention for our peers after the board sees the wide variety of risk management approaches used in other divisions.”

LEARNING OBJECTIVES

Upon completion of this material, you should be able to:
● Define risk management and its role in the organization
● Describe risk management techniques to identify and prioritize risk factors for information assets
● Explain how risk is assessed based on the likelihood of adverse events and the effects on information assets when events occur
● Discuss the use of the results of the risk identification process

Introduction

Information security (InfoSec) in an organization exists primarily to manage IT risk. Managing risk is one of the key responsibilities of every manager within an organization. In any well-developed risk management program, two formal processes are at work. The first, risk identification and assessment, is discussed in this chapter; the second, risk control, is the subject of the next chapter.

Each manager in the organization should focus on reducing risk. This is often done within the context of one of the three communities of interest, as follows:
● General management must structure the IT and InfoSec functions in ways that will result in the successful defense of the organization’s information assets, including data, hardware, software, procedures, and people.
● IT management must serve the IT needs of the broader organization and at the same time exploit the special skills and insights of the InfoSec community.
● InfoSec management must lead the way with skill, professionalism, and flexibility as it works with the other communities of interest to balance the constant trade-offs between InfoSec utility and security.

Risk Management

If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.1

Chinese general Sun Tzu’s observation, made more than 2,400 years ago, continues to have direct relevance to the philosophy of InfoSec today. InfoSec strategy and tactics are in many ways similar to those employed in conventional warfare. InfoSec managers and technicians are the defenders of information. They constantly face a myriad of threats to the organization’s information assets. A layered defense is the foundation of any InfoSec program. So, as Sun Tzu recommends, to reduce risk, an organization must (1) know itself and (2) know its enemy. This means that managers from all three communities of interest must locate the weaknesses of their organization’s operations; understand how the organization’s information is processed, stored, and transmitted; and identify what resources are available. Only then can they develop a strategic plan of defense.

Knowing Yourself

When operating any kind of organization, a certain amount of risk is always involved. Risk is inherent in hiring, marketing products, and even in making decisions about where to place the building that houses the organization. Risk finds its way into the daily operations of every organization, and if it is not properly managed, it can cause operational failures and even lead to complete collapse.

For an organization to manage risk properly, managers should understand how information is processed, stored, and transmitted. Knowing yourself in this context requires knowing which information assets are valuable to the organization, identifying, categorizing, and classifying those assets, and understanding how they are currently being protected. Armed with this knowledge, the organization can then initiate an in-depth risk management program. Note that the mere existence of a risk management program is not sufficient. Frequently, risk management mechanisms are implemented but not maintained or kept current. Risk management is a process, which means the safeguards and controls that are devised and implemented are not “install-and-forget” devices (see Chapter 9).

Knowing the Enemy

Once an organization becomes aware of its weaknesses, managers can take up Sun Tzu’s second dictum: Know the enemy. This means identifying, examining, and understanding the threats facing the organization’s information assets. Managers must be fully prepared to identify those threats that pose risks to the organization and the security of its information assets. Risk management is the process of discovering and assessing the risks to an organization’s operations and determining how those risks can be controlled or mitigated. Risk analysis is the identification and assessment of levels of risk in the organization; it is a major component of risk management.

Accountability for Risk Management

All of the communities of interest bear responsibility for the management of risks. The management of the organization is accountable for the risk management program that is used. Of the three communities of interest directly linked to managing the risks to information assets, each has a particular strategic role to play:
● InfoSec—Because members of the InfoSec community best understand the threats and attacks that introduce risk, they often take a leadership role in addressing risk.
● IT—This group must help to build secure systems and ensure their safe operation. For example, IT builds and operates information systems that are mindful of operational risks and have proper controls implemented to reduce risk.
● Management and users—When properly trained and kept aware of the threats faced by the organization, this group plays a part in the early detection and response process. Members of this community also ensure that sufficient resources (money and personnel) are allocated to the InfoSec and IT groups to meet the security needs of the organization. For example, business managers must ensure that supporting records for orders remain intact in case of data entry error or transaction corruption. Users must be made aware of threats to data and systems and must be educated on practices that minimize those threats.

The three communities of interest must work together to address every level of risk, ranging from full-scale disasters (whether natural or human-made) to the smallest mistake made by an employee. To do so, they must be actively involved in the following activities:
● Evaluating the risk controls
● Determining which control options are cost effective
● Acquiring or installing the appropriate controls
● Overseeing processes to ensure that the controls remain effective
● Identifying risks, which includes:
  ● Creating an inventory of information assets
  ● Classifying and organizing those assets meaningfully
  ● Assigning a value to each information asset
  ● Identifying threats to the cataloged assets
  ● Pinpointing vulnerable assets by tying specific threats to specific assets
● Assessing risks, which includes:
  ● Determining the likelihood that vulnerable systems will be attacked by specific threats
  ● Assessing the relative risk facing the organization’s information assets, so that risk management and control activities can focus on assets that require the most urgent and immediate attention
  ● Calculating the risks to which assets are exposed in their current setting
  ● Looking in a general way at controls that might come into play for identified vulnerabilities and ways to control the risks that the assets face
● Summarizing the findings, which involves stating the conclusions of the analysis stage of risk assessment in preparation for moving into the stage of controlling risk by exploring methods to mitigate risk
● Documenting and reporting the findings of risk identification and assessment

Figure 8-1 outlines the steps in the risk identification and assessment process.

Figure 8-1 Risk identification and assessment process. Steps shown in the figure: Plan and Organize Process; Create System Component Categories; Develop Inventory of Assets; Identify Threats; Specify Vulnerable Assets; Assign Value or Impact Rating to Assets; Assess Likelihood for Vulnerabilities; Calculate Relative Risk Factor for Assets; Preliminary Review of Possible Controls; Document Findings. Copyright © 2014 Cengage Learning®.

Risk Identification

Risk identification begins with the process of self-examination. At this stage, managers identify the organization’s information assets, classify and categorize them into useful groups, and prioritize them by their overall importance. This can be a daunting task, but it must be done to identify weaknesses and the threats they present.

Creating an Inventory of Information Assets

The risk identification process begins with the identification of information assets, including people, procedures, data, software, hardware, and networking elements. This step should be done without prejudging the value of each asset; values will be assigned later in the process. Table 8-1 shows a model outline of the identified assets subcategorized into risk management components.

Table 8-1 (Copyright © 2014 Cengage Learning®)

IT System Components | Risk Management Components | Example Risk Management Components
People | Internal personnel | Trusted employees; Other staff members
People | External personnel | People we trust outside our organization; Strangers
Procedures | Procedures | IT and business standard procedures; IT and business sensitive procedures
Data | Data/information | Transmission; Processing; Storage
Software | Software | Applications; Operating systems; Security components
Hardware | Hardware | Systems and peripherals; Security devices
Networking | Networking | Local Area Network components; Intranet components; Internet or extranet components; Cloud-based components; Organizational assets used in systems

The risk management components presented in Table 8-1 are organized as follows:
● The people asset is divided into internal personnel (employees) and external personnel (nonemployees). Insiders are further divided into those employees who hold trusted roles and therefore have correspondingly greater authority and accountability and those regular staff members who do not have any special privileges. Outsiders consist of other users who have access to the organization’s information assets, some trusted and some untrusted.
● Procedures are assets because they are used to create value for the organization. They are divided into (1) IT and business standard procedures and (2) IT and business sensitive procedures. Sensitive procedures have the potential to enable an attack or to otherwise introduce risk to the organization. For example, the procedures used by a telecommunications company to activate new circuits pose special risks because they reveal aspects of the inner workings of a critical process, which can be subverted by outsiders for the purpose of obtaining unbilled, illicit services.
● The data asset includes information in all states: transmission, processing, and storage. This is an expanded use of the term “data,” which is usually associated with databases, not the full range of information used by modern organizations.
● Software is divided into applications, operating systems, and security components. Software that provides security controls may fall into the operating systems or applications category but is differentiated by the fact that it is part of the InfoSec control environment and must therefore be protected more thoroughly than other systems components.
● Hardware is divided into (1) the usual systems devices and their peripherals and (2) the devices that are part of InfoSec control systems. The latter must be protected more thoroughly than the former.
● Networking components include networking devices (such as firewalls, routers, and switches) and the systems software within them, which is often the focal point of attacks, with successful attacks continuing against systems connected to the networks. Of course, most of today’s computer systems include networking elements. You will have to determine whether a device is primarily a computer or primarily a networking device. A server computer that is used exclusively as a proxy server or bastion host may be classified as a networking component, while an identical server configured as a database server may be classified as hardware. For this reason, networking devices should be considered separately rather than combined with general hardware and software components.

In some corporate models, this list may be simplified into three groups: People, Processes and Technology, often referred to as “PPT.” Whichever model is used, an organization, in the development of its risk assessment methods, should ensure that all of its information resources are properly identified, assessed, and managed for risk.

Identifying Hardware, Software, and Network Assets

Many organizations use purchased asset inventory systems to keep track of their hardware, network, and perhaps their software components. Numerous packages are available in the market today, and it is up to the chief information security officer (CISO) or chief information officer (CIO) to determine which package best serves the needs of the organization. Organizations that do not use an automated inventory system must create an equivalent manual process. Whether automated or manual, the inventory process requires a certain amount of planning.
Most importantly, you must determine which attributes of each of these information assets should be tracked. That determination will depend on the needs of the organization and its risk management efforts as well as the preferences and needs of the InfoSec and IT communities. When deciding which attributes to track for each information asset, consider the following list of potential attributes:
● Name—This is a list of all the names commonly used for the device or program. Some organizations may have several names for the same product, and each of them should be cross-referenced in the inventory. This redundancy accommodates the usage across the organization and makes it accessible for everyone. No matter how many names you track or how you select a name, always provide a definition of the asset in question. Adopt naming standards that do not convey critical information to potential system attackers. For instance, a server named CASH1 or HQ_FINANCE may entice attackers.
● Asset tag—This is used to facilitate the tracking of assets. Asset tags are unique numbers assigned to assets during the acquisition process.
● Internet Protocol (IP) address—This attribute is useful for network devices and servers but rarely applies to software. You can, however, use a relational database and track software instances on specific servers or networking devices. Many larger organizations use the Dynamic Host Configuration Protocol (DHCP) within TCP/IP, which reassigns IP numbers to devices as needed, making the use of IP numbers as part of the asset-identification process very difficult.
● Media Access Control (MAC) address—As per the TCP/IP standard, all network-interface hardware devices have a unique number called the MAC address (also called an “electronic serial number” or a “hardware address”). The network operating system uses this number to identify specific network devices. The client’s network software uses it to recognize traffic that it needs to process. In most settings, MAC addresses can be a useful way to track connectivity, but they can be spoofed by some hardware/software combinations. Note that some devices may have multiple network interfaces, each with its own MAC address, and others may have configurable MAC addresses, making MAC addresses even less useful as a unique identifier. Given the possibility of MAC address spoofing, the use of MAC addresses as a reliable identifier has been discontinued in many organizations.
● Asset type—This attribute describes the function of each asset. For hardware assets, a list of possible asset types that includes servers, desktops, networking devices, and test equipment should be developed. For software assets, a list that includes operating systems, custom applications by type (accounting, human resources, or payroll, to name a few), and packaged applications and/or specialty applications (such as firewall programs) should be developed. The degree of specificity is determined by the needs of the organization. Asset types can be recorded at two or more levels of specificity by first recording one attribute that classifies the asset at a high level and then adding attributes for more detail. For example, one server might be listed as follows:
  DeviceClass = S (server)
  DeviceOS = Win2008 (Windows 2008)
  DeviceCapacity = AS (Advanced Server)
● Serial number—This is a number that uniquely identifies a specific device. Some software vendors also assign a software serial number to each instance of the program licensed by the organization.
● Manufacturer name—This attribute can be useful for analyzing threat outbreaks when specific manufacturers announce specific vulnerabilities.
● Manufacturer’s model or part number—This number that identifies exactly what the asset is can be very useful in the later analysis of vulnerabilities because some threats apply only to specific models of certain devices and/or software components.
● Software version, update revision, or FCO number—This attribute includes information about software and firmware versions and, for hardware devices, the current field change order number. A field change order (FCO) occurs when a manufacturer performs an upgrade to a hardware component at the customer’s premises. Tracking this information is particularly important when inventorying networking devices that function mainly through the software running on them. For example, a firewall device may have three version numbers associated with it: a Basic Input/Output System (BIOS) firmware version, the running operating system version, and the firewall appliance application software version. Each organization will have to determine which of those version numbers will be tracked, or if they would like to track all three.
● Physical location—This attribute does not apply to software elements. Nevertheless, some organizations may have license terms that indicate where software can be used. This may include systems leased at remote locations (so-called “co-lo equipment”), often described as being “in the cloud.”
● Logical location—This attribute specifies where an asset can be found on the organization’s network. The logical location is most applicable to networking devices and indicates the logical network segment (including “virtual local area networks” or VLANs) that houses the device.
● Controlling entity—This refers to the organizational unit that controls the asset. In some organizations, a remote location’s onsite staff could be placed in control of network devices; in other organizations, a central corporate group might control all the network devices. The inventory should determine which group controls each asset because the controlling group will want a voice in determining how much risk that device can tolerate and how much expense can be sustained to add controls.

Identifying People, Procedures, and Data Assets

Human resources, documentation, and data information assets are not as readily identified and documented as hardware and software. Responsibility for identifying, describing, and evaluating these information assets should be assigned to managers who possess the necessary knowledge, experience, and judgment. As these assets are identified, they should be recorded via a reliable data-handling process like the one used for hardware and software.

The record-keeping system should be flexible, allowing you to link assets to attributes based on the nature of the information asset being tracked. Basic attributes for various classes of assets include:

People
● Position name/number/ID—Avoid names; use position titles, roles, or functions.
● Supervisor name/number/ID—Avoid names; use position titles, roles, or functions.
● Security clearance level
● Special skills

Procedures
● Description
● Intended purpose
● Software/hardware/networking elements to which the procedure is tied
● Location where procedure documents are stored for reference
● Location where it is stored for update purposes

Data
● Classification
● Owner/creator/manager
● Size of data structure
● Data structure used (e.g., sequential or relational)
● Online or offline
● Location
● Backup procedures

Consider carefully what should be tracked for specific assets. Often, larger organizations find that they can effectively track only a few valuable facts about the most critical information assets. For instance, a company may track only IP address, server name, and device type for its mission-critical servers. The organization might forgo additional attribute tracking on all devices and completely omit the tracking of desktop or laptop systems.

Classifying and Categorizing Assets

Once the initial inventory is assembled, you must determine whether its asset categories are meaningful to the organization’s risk management program. Such a review may cause managers to further subdivide the categories presented in Table 8-1 or create new categories that better meet the needs of the risk management program. For example, if the category “Internet components” is deemed too general, it could be further divided into subcategories of servers, networking devices (routers, hubs, switches), protection devices (firewalls, proxies), and cabling.

The inventory should also reflect the sensitivity and security priority assigned to each information asset. A classification scheme should be developed (or reviewed, if already in place) that categorizes these information assets based on their sensitivity and security needs. Consider the following classification scheme for an information asset: confidential, internal, and public. Each of these classification categories designates the level of protection needed for a particular information asset. Some asset types, such as personnel, may require an alternative classification scheme that identifies the InfoSec processes used by the asset type. For example, based on need-to-know and right-to-update, an employee might be given a certain level of security clearance, which identifies the level of information that individual is authorized to use. Classification categories must be comprehensive and mutually exclusive.
“Comprehensive” means that all inventoried assets fit into a category; “mutually exclusive” means that each asset is found in only one category. For example, an organization may have a public key 9781305147263, Management of Information Security, Fourth Edition, Whitman/Mattord - © Cengage Learning. All rights reserved. No distribution allowed without express authorization. 8 288 Chapter 8 infrastructure certificate authority, which is a software application that provides cryptographic key management services. Using a purely technical standard, a manager could categorize the application in the asset list of Table 8-1 as software, a general grouping with no special classification priority. Because the certificate authority must be carefully protected as part of the InfoSec infrastructure, it should be categorized into a higher priority classification, such as software/security component/cryptography, and it should be verified that no overlapping category exists, such as software/security component/PKI. Assessing Values for Information Assets As each information asset is identified, categorized, and classified, a relative value must be assigned to it. Relative values are comparative judgments intended to ensure that the most valuable information assets are given the highest priority when managing risk. It may be impossible to know in advance—in absolute economic terms—what losses will be incurred if an asset is compromised; however, a relative assessment helps to Wensure that the higher value assets are protected first. As each information asset is assigned I to its proper category, posing the following basic questions can help you develop the weighting criteria to be used for information asset valuation L to refer to the information collected in the business or impact evaluation. It may be useful impact analysis (BIA) process (covered S in Chapter 3) to help you assess a value for an asset. 
● ● ● ● Which information asset is theO most critical to the success of the organization? When determining the relative importance of each information asset, refer to the organization’s N mission statement or statement of objectives. From this source, determine which assets , are essential for meeting the organization’s objectives, which assets support the objectives, and which are merely adjuncts. For example, a manufacturing company that makes aircraft engines may decide that the process control systems that control the machine tools on the assembly line are J the first order of importance. Although shipping and receiving data entry consoles are A important to those functions, they may be less critical if alternatives are available or can be easily arranged. Another example is an online organiM Web servers that advertise the company’s products and zation such as Amazon.com. The receive its orders 24 hours a day I are essential, whereas the desktop systems used by the customer service department to answer customer e-mails are less critical. E Which information asset generates the most revenue? The relative value of an information asset depends on how much revenue it generates—or, in the case of a nonprofit organization, how critical it is5to service delivery. Some organizations have different systems in place for each line of business or service they offer. Which of these assets 0 revenue or delivering services? plays the biggest role in generating 5 the highest profitability? Managers should evaluate Which information asset generates how much profit depends on1a particular asset. For instance, at Amazon.com, some servers support the book sales operations, others support the auction process, and still B review database. Which of these servers contributes others support the customer book the most to profitability? Although U important, the review database server does not directly generate profits. 
Note the distinction between revenues and profits: Some systems on which revenues depend operate on thin or nonexistent margins and do not generate profits. In nonprofit organizations, you can determine what percentage of the agency’s clientele receives services from the information asset being evaluated.
● Which information asset is the most expensive to replace? Sometimes an information asset acquires special value because it is unique. If an enterprise still uses a Model-129 keypunch machine to create special punch-card entries for a critical batch run, for example, that machine may be worth more than its cost, because spare parts or service providers may no longer be available. Another example is a specialty device with a long delivery time frame because of manufacturing or transportation requirements. Organizations must control the risk of loss or damage to such unique assets—for example, by buying and storing a backup device. Any device stored as such must, of course, be periodically updated and tested.
● Which information asset is the most expensive to protect? Some assets are by their nature difficult to protect, and formulating a complete answer to this question may not be possible until the risk identification phase is complete, because the costs of controls cannot be computed until the controls are identified. However, you can still make a preliminary assessment of the relative difficulty of establishing controls for each asset.
● Which information asset’s loss or compromise would be the most embarrassing or cause the greatest liability? Almost every organization is aware of its image in the local, national, and international spheres. Loss or exposure of some assets would prove especially embarrassing.
Microsoft’s image, for example, was tarnished when an employee’s computer system became a victim of the QAZ Trojan horse and, as a result, the latest version of Microsoft Office was stolen.2 You can use a worksheet, such as the one shown in Figure 8-2, to collect the answers to the preceding list of questions for later analysis.

Figure 8-2 Sample asset classification scheme. Copyright © 2014 Cengage Learning®.

You may also need to identify and add other institution-specific questions to the evaluation process. Throughout this chapter, numbers are assigned to example assets to illustrate the concepts being discussed. This highlights one of the challenging issues in risk management. While other industries use actuarially derived sources to make estimates, InfoSec risk management lacks such data. Many organizations use a variety of estimating methods to assess values. Some in the industry question the use of “guesstimated” values in calculations with other estimated values, claiming this degree of uncertainty undermines the entire risk management endeavor. Research in this field is ongoing, and you are encouraged to study those sections of Chapter 9 where alternative, qualitative risk management techniques are discussed.

Listing Assets in Order of Importance

The final step in the risk identification process is to list the assets in order of importance. This goal can be achieved by using a weighted factor analysis worksheet similar to the one shown in Table 8-2. In this process, each information asset is assigned a score for each critical factor. Table 8-2 uses values from 0.1 to 1.0. Your organization may choose to use another weighting system, such as 1 to 10 or 1 to 100.
Each criterion has an assigned weight showing its relative importance in the organization.

Information Asset | Criterion 1: Impact on Revenue | Criterion 2: Impact on Profitability | Criterion 3: Impact on Public Image | Weighted Score
Criterion weight (1–100); must total 100 | 30 | 40 | 30 |
EDI Document Set 1—Logistics bill of lading to outsourcer (outbound) | 0.8 | 0.9 | 0.5 | 75
EDI Document Set 2—Supplier orders (outbound) | 0.8 | 0.9 | 0.6 | 78
EDI Document Set 2—Supplier fulfillment advice (inbound) | 0.4 | 0.5 | 0.3 | 41
Customer order via SSL (inbound) | 1 | 1 | 1 | 100
Customer service request via e-mail (inbound) | 0.4 | 0.4 | 0.9 | 55

Table 8-2 Example of a weighted factor analysis worksheet. Note: EDI = Electronic Data Interchange; SSL = Secure Sockets Layer. Copyright © 2014 Cengage Learning®.

A quick review of Table 8-2 shows that the Customer order via Secure Sockets Layer (SSL) (inbound) data flow is the most important asset on this worksheet, and that the EDI Document Set 2—Supplier fulfillment advice (inbound) is the least critical asset.

Threat Identification

As mentioned at the beginning of this chapter, the ultimate goal of risk identification is to assess the circumstances and setting of each information asset to reveal any vulnerabilities. Armed with a properly classified inventory, you can assess potential weaknesses in each information asset—a process known as threat identification. Any organization typically faces a wide variety of threats. If you assume that every threat can and will attack every information asset, then the project scope becomes too complex. To make the process less unwieldy, each step in the threat identification and vulnerability identification processes is managed separately and then coordinated at the end.
At every step, the manager is called on to exercise good judgment and draw on experience to make the process function smoothly.

Identify and Prioritize Threats and Threat Agents

Chapter 2 identified 12 categories of threats to InfoSec, which are listed alphabetically in Table 8-3. Each of these threats presents a unique challenge to InfoSec and must be handled with specific controls that directly address the particular threat and the threat agent’s attack strategy. Before threats can be assessed in the risk identification process, however, each threat must be further examined to determine its potential to affect the targeted information asset. In general, this process is referred to as threat assessment.

Threat | Examples
Compromises to intellectual property | Software piracy or other copyright infringement
Deviations in quality of service from service providers | Fluctuations in power, data, and other services
Espionage or trespass | Unauthorized access and/or data collection
Forces of nature | Fire, flood, earthquake, lightning, etc.
Human error or failure | Accidents, employee mistakes, failure to follow policy
Information extortion | Blackmail threat of information disclosure
Sabotage or vandalism | Damage to or destruction of systems or information
Software attacks | Malware: viruses, worms, macros, denial-of-services, or script injections
Technical hardware failures or errors | Hardware equipment failure
Technical software failures or errors | Bugs, code problems, loopholes, backdoors
Technological obsolescence | Antiquated or outdated technologies
Theft | Illegal confiscation of equipment or information

Table 8-3 Threats to InfoSec. Copyright © 2014 Cengage Learning®.
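The weighted factor analysis of Table 8-2 is a small computation that is easy to get subtly wrong (weights that do not total 100, scores outside the 0.1–1.0 band, an asset missing a criterion). The following Python is an added example, not code from the textbook or its publisher: it validates the worksheet's rules and reproduces the Table 8-2 weighted scores and ranking from the table's own values. The dictionary keys and function names are this example's own choices.

```python
"""Weighted factor analysis worksheet, in the style of Table 8-2.

Added example (not from the textbook): each asset gets a 0.1-1.0 score per
criterion, each criterion carries a weight, the weights total 100, and the
weighted score is the sum of score x weight. Asset names and values below are
copied from Table 8-2; the key and function names are this example's own.
"""
from typing import Dict, List, Tuple

# Criterion weights (1-100), which must total 100 as Table 8-2 requires.
CRITERIA: Dict[str, int] = {
    "impact_on_revenue": 30,
    "impact_on_profitability": 40,
    "impact_on_public_image": 30,
}

# Per-asset factor scores on the 0.1-1.0 scale, copied from Table 8-2.
ASSETS: Dict[str, Dict[str, float]] = {
    "EDI Document Set 1 - Logistics bill of lading to outsourcer (outbound)":
        {"impact_on_revenue": 0.8, "impact_on_profitability": 0.9, "impact_on_public_image": 0.5},
    "EDI Document Set 2 - Supplier orders (outbound)":
        {"impact_on_revenue": 0.8, "impact_on_profitability": 0.9, "impact_on_public_image": 0.6},
    "EDI Document Set 2 - Supplier fulfillment advice (inbound)":
        {"impact_on_revenue": 0.4, "impact_on_profitability": 0.5, "impact_on_public_image": 0.3},
    "Customer order via SSL (inbound)":
        {"impact_on_revenue": 1.0, "impact_on_profitability": 1.0, "impact_on_public_image": 1.0},
    "Customer service request via e-mail (inbound)":
        {"impact_on_revenue": 0.4, "impact_on_profitability": 0.4, "impact_on_public_image": 0.9},
}


def validate_weights(criteria: Dict[str, int]) -> List[str]:
    """Return the problems with a weight set (empty list means the worksheet is usable)."""
    problems = []
    for name, weight in criteria.items():
        if not 1 <= weight <= 100:
            problems.append(f"weight for {name!r} must be 1-100, got {weight}")
    total = sum(criteria.values())
    if total != 100:
        problems.append(f"weights must total 100, got {total}")
    return problems


def weighted_score(scores: Dict[str, float], criteria: Dict[str, int]) -> int:
    """Sum of (factor score x criterion weight), rounded to a whole number as in Table 8-2."""
    problems = validate_weights(criteria)
    if problems:
        raise ValueError("; ".join(problems))
    missing = set(criteria) - set(scores)
    if missing:
        raise ValueError(f"asset has no score for: {sorted(missing)}")
    for name, score in scores.items():
        if name not in criteria:
            raise ValueError(f"unknown criterion {name!r}")
        if not 0.1 <= score <= 1.0:
            raise ValueError(f"score for {name!r} must be 0.1-1.0, got {score}")
    return round(sum(scores[name] * weight for name, weight in criteria.items()))


def rank_assets(assets: Dict[str, Dict[str, float]],
                criteria: Dict[str, int]) -> List[Tuple[str, int]]:
    """List assets by weighted score, most important first (ties keep worksheet order)."""
    scored = [(name, weighted_score(scores, criteria)) for name, scores in assets.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for name, score in rank_assets(ASSETS, CRITERIA):
        print(f"{score:>3}  {name}")
```

Running the script lists the five assets from 100 (Customer order via SSL) down to 41 (Supplier fulfillment advice), matching the Weighted Score column; changing a weight so the set no longer totals 100 makes `weighted_score` refuse to compute rather than silently produce a score on a different scale.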
Posing the following questions can help you understand the various threats and their potential effects on an information asset:
● Which threats present a danger to this organization’s information assets in its current environment? Not all threats endanger every organization, of course. Examine each of the categories in Table 8-3 and eliminate any that do not apply to your organization. It is unlikely for an organization to eliminate an entire category of threats, but doing so speeds up the threat assessment process. The Offline box titled “Threats to Information Security” describes the threats that some CIOs of major companies identified for their organizations. Although the box directly addresses only InfoSec, note that a weighted ranking of threats should be compiled for any information asset that is at risk. Once you have determined which threats apply to your organization, identify particular examples of threats within each category, eliminating those that are not relevant. For example, a company with offices on the 23rd floor of a high-rise building in Denver, Colorado, might not be subject to flooding unless they had critical infrastructure resources on a lower floor. Similarly, a firm with an office in Oklahoma City, Oklahoma, might not be concerned with landslides.
● Which threats represent the gravest danger to the organization’s information assets? The amount of danger posed by a threat is sometimes difficult to assess. It may be tied to the probability that the threat will attack the organization, or it may reflect the amount of damage that the threat could create or the frequency with which the attack may occur. During this preliminary assessment phase, the analysis is limited to examining the existing level of preparedness and improving the strategy of InfoSec. The results should give a quick overview of the components involved. As you will discover in Chapter 9, you can use both quantitative and qualitative measures to rank values.
Since information in this case is preliminary, the organization may want to rank threats subjectively in order of danger. Alternatively, it may simply rate each of the threats on a scale of 1 to 5, with “1” designating an insignificant threat and “5” designating a highly significant threat.

Frequency of Attacks

Remarkably, the number of detected attacks is steadily decreasing; after a peak in 2000, fewer organizations have reported unauthorized use of their computer systems (i.e., hacking) every year. Meanwhile, the number of organizations reporting malware attacks has dramatically increased. Unfortunately, the number of organizations willing to report the number or costs of successful attacks is also decreasing. The fact is, almost every company has experienced an attack. Whether that attack was successful depends on the company’s security efforts; whether the perpetrators were caught or the organization was willing to report the attack is another matter entirely.
● How much would it cost to recover from a successful attack? One of the calculations that guides corporate spending on controls is the cost of recovery operations if an attack occurs and is successful. At this preliminary phase, it is not necessary to conduct a detailed assessment of the costs associated with recovering from a particular attack.

Offline

Threats to Information Security: Survey of Industry

What are the threats to InfoSec according to top computing executives? Table 8-4 presents data collected in a study published in the Journal of Information Systems Security (JISSec) and based on a previous study published in the Communications of the ACM (CACM) that asked that very question.
Based on the categories of threats presented earlier, more than 1,000 top computing executives were asked to rate each threat category on a scale ranging from “not significant” to “very significant.” The results were converted to a five-point scale, where “5” represented “very significant,” and are shown under the heading “Rate” in the following table. The executives were also asked to identify the top five threats to their organizations. Their responses were weighted, with five points assigned to a first-place vote and one point assigned to a fifth-place vote. The sum of weights is presented under the heading “Rank” in the table. The two ratings were then calculated into a combined score by multiplying the two ratings and then dividing by 100. The final column shows the same threat as ranked in the 2003 CACM study.

2012 JISSec Ranking | Categories of Threats | Rate | Rank | Combined | 2003 CACM Rank
1 | Software attacks | 3.54 | 462 | 16.35 | 4
2 | Human error or failure | 4.00 | 306 | 12.24 | 1
3 | Theft | 4.30 | 222 | 9.55 | 3
4 | Compromises to intellectual property | 3.61 | 162 | 5.85 | 7
5 | Sabotage or vandalism | 3.59 | 162 | 5.82 | 9
6 | Espionage or trespass | 3.11 | 111 | 3.45 | 5
7 | Technical software failures or errors | 3.17 | 105 | 3.33 | 2
8 | Technical hardware failures or errors | 2.88 | 87 | 2.51 | 6
9 | Forces of nature | 2.76 | 81 | 2.24 | 8
10 | Deviations in quality of service from service providers | 2.88 | 72 | 2.07 | 10
11 | Technological obsolescence | 2.66 | 57 | 1.52 | 11
12 | Information extortion | 2.68 | 18 | 0.48 | 12

Table 8-4 Weighted ranks of threats to InfoSec3,4. Source: Journal of Information Systems Security and Communications of the ACM.

Another popular study that examines the threats to InfoSec is the annual survey of computer users conducted by the Computer Security Institute.
Table 8-5 shows biannual results since 2000.

Type of Attack or Misuse | 2010/11 | 2008 | 2006 | 2004 | 2002 | 2000
Malware infection (revised after 2008) | 67% | 50% | 65% | 78% | 85% | 85%
Being fraudulently represented as sender of phishing message | 39% | 31% | (new category) | | |
Laptop/mobile hardware theft/loss | 34% | 42% | 47% | 49% | 55% | 60%
Bots/zombies in organization | 29% | 20% | (new category) | | |
Insider abuse of Internet access or e-mail | 25% | 44% | 42% | 59% | 78% | 79%
Denial-of-service | 17% | 21% | 25% | 39% | 40% | 27%
Unauthorized access or privilege escalation by insider | 13% | 15% | (revised category) | | |
Password sniffing | 11% | 9% | (new category) | | |
System penetration by outsider (revised category) | 11% | | | | |
Exploit of client Web browser (new category) | 10% | | | | |

Attack/Misuse categories with less than 10% responses (listed in decreasing order): Financial fraud; Web site defacement; Exploit of wireless network; Other exploit of public-facing Web site; Theft of or unauthorized access to PII or PHI due to all other causes; Theft of or unauthorized access to IP due to all other causes; Exploit of user’s social network profile; Theft of or unauthorized access to IP due to mobile device theft/loss; Theft of or unauthorized access to PII or PHI due to mobile device theft/loss; Exploit of DNS server; Extortion or blackmail associated with threat of attack or release of stolen data; Instant Messaging misuse.

Table 8-5 CSI survey results for types of attack or misuse (2000−2011)5. Source: CSI surveys 2000 to 2010/11 (www.gocsi.com).

Instead, organizations often create a subjective ranking or listing of the threats based on recovery costs.
Alternatively, an organization can assign a rating for each threat on a scale of 1 to 5, with “1” representing “not expensive at all” and “5” representing “extremely expensive.” If the information is available, a raw value (such as $5,000, $10,000, or $2 million) can be assigned. In other words, the goal at this phase is to provide a rough assessment of the cost to recover operations should the attack interrupt normal business operations.
● Which threats would require the greatest expenditure to prevent? Another factor that affects the danger posed by a particular threat is the amount it would cost to protect against that threat. Some threats have a nominal cost to protect against (e.g., malicious code), while others are very expensive, as in protections from forces of nature. Here again the manager ranks, rates, or attempts to quantify the level of danger associated with protecting against a particular threat by using the same techniques outlined earlier for calculating recovery costs. (See the Offline box on what issues executives are focusing their efforts on, financially.)

This list of questions may not cover everything that affects risk identification. An organization’s specific guidelines or policies should influence the process and will inevitably require that some additional questions be answered.

Methods of Assessing Threats

A 2012 survey of computing executives also asked the following question: “In your organization’s risk management efforts, what basis do you use to assess threats? (Select all that apply.)” The percentages of respondents who selected each option are shown in Table 8-6.
Answer Options | Response Percentage
Probability of occurrence | 85.4%
Reputation loss if successful | 77.1%
Financial loss if successful | 72.9%
Cost to protect against | 64.6%
Cost to recover from successful attack | 64.6%
Frequency of attack | 52.1%
Competitive advantage loss if successful | 35.4%
None of these | 6.3%

Table 8-6 Basis of threat assessment. Copyright © 2014 Cengage Learning®.

Offline

Expenditures for Threats to Information Security

Table 8-7 presents data from the JISSec study discussed earlier, which asked computing executives to list the priorities their organizations used in determining the expenditures devoted to InfoSec. Each executive responded by identifying his or her top five expenditures. A value of “5” was assigned to the highest expenditure, a value of “1” for the lowest. These ratings were used to create a rank order of the expenses. The results are presented in the following table, which compares the 2012 study with its 2003 CACM counterpart.

Threat (Based on Money and Effort Spent to Defend Against or React to It) | 2012 Rating Average | 2012 Ranking | 2003 CACM Ranking
Espionage or trespass | 4.07 | 1 | 6
Software attacks | 3.94 | 2 | 1
Theft | 3.18 | 3 | 7
Quality-of-service deviations by service providers | 3.10 | 4 | 5
Forces of nature | 3.06 | 5 | 10
Sabotage or vandalism | 3.00 | 6 | 8
Technological obsolescence | 2.99 | 7 | 9
Technical software failures or errors | 2.71 | 8 | 3
Technical hardware failures or errors | 2.64 | 9 | 4
Compromises to intellectual property | 2.55 | 10 | 11
Human error or failure | 2.25 | 11 | 2
Information extortion | 2.00 | 12 | 12

Table 8-7 Weighted ranking of top threat-driven expenditures. Copyright © 2014 Cengage Learning®.

Vulnerability Assessment

Once you have identified the information assets of the organization and documented some threat assessment criteria, you can begin to review
every information asset for each threat. This review leads to the creation of a list of vulnerabilities that remain potential risks to the organization. What are vulnerabilities? They are specific avenues that threat agents can exploit to attack an information asset. In other words, they are chinks in the asset’s armor—a flaw or weakness in an information asset, security procedure, design, or control that can be exploited accidentally or on purpose to breach security. For example, Table 8-8 analyzes the threats to, and possible vulnerabilities of, a DMZ router. A list like the one in Table 8-8 must be created for each information asset to document its vulnerability to each possible or likely attack. This list is usually long and shows all the vulnerabilities of the information asset. Some threats manifest themselves in multiple ways, yielding multiple vulnerabilities for that asset–threat pair. Of necessity, the process of listing vulnerabilities is somewhat subjective and is based on the experience and knowledge of the people who create the list. Therefore, the process works best when groups of people with diverse backgrounds work together in a series of brainstorming sessions.
Threat | Possible Vulnerabilities
Compromises to intellectual property | Router has little intrinsic value, but other assets protected by this device could be attacked if it is compromised.
Espionage or trespass | Router has little intrinsic value, but other assets protected by this device could be attacked if it is compromised.
Forces of nature | All information assets in the organization are subject to forces of nature unless suitable controls are provided.
Human error or failure | Employees or contractors may cause an outage if configuration errors are made.
Information extortion | Router has little intrinsic value, but other assets protected by this device could be attacked if it is compromised.
Quality-of-service deviations from service providers | Unless suitable electrical power conditioning is provided, failure is probable over time.
Sabotage or vandalism | IP is vulnerable to denial-of-service attacks. Device may be subject to defacement or cache poisoning.
Software attacks | IP is vulnerable to denial-of-service attacks. Outsider IP fingerprinting activities can reveal sensitive information unless suitable controls are implemented.
Technical hardware failures or errors | Hardware could fail and cause an outage. Power system failures are always possible.
Technical software failures or errors | Vendor-supplied routing software could fail and cause an outage.
Technological obsolescence | If it is not reviewed and periodically updated, a device may fall too far behind its vendor support model to be kept in service.
Theft | Router has little intrinsic value, but other assets protected by this device could be attacked if it is compromised.

Table 8-8 Vulnerability assessment of a DMZ router. Copyright © 2014 Cengage Learning®.

For instance, the
team that reviews the vulnerabilities for networking equipment should include networking specialists, the systems management team that operates the network, InfoSec risk specialists, and even technically proficient users of the system.

The TVA Worksheet

At the end of the risk identification process, an organization should have a prioritized list of assets and their vulnerabilities. This list serves as the starting point (with its supporting documentation from the identification process) for the next step in the risk management process: risk assessment. Another list prioritizes threats facing the organization based on the weighted table discussed earlier. These two lists can be combined into a Threats-Vulnerabilities-Assets (TVA) worksheet, in preparation for the addition of vulnerability and control information during risk assessment. Along one axis lies the prioritized set of assets. Table 8-9 shows the placement of assets along the horizontal axis, with the most important asset at the left. The prioritized list of threats is placed along the vertical axis, with the most important or most dangerous threat listed at the top. The resulting grid provides a convenient method of examining the “exposure” of assets, allowing a simple vulnerability assessment.

            | Asset 1 | Asset 2 | .... | Asset n
Threat 1    | ....    | ....    | .... | ....
Threat 2    | ....    | ....    | .... | ....
....        | ....    | ....    | .... | ....
Threat n    | ....    | ....    | .... | ....
Priority of Controls | 1 | 2 | 3 | 4 | 5 | 6 (these bands of controls should be continued through all asset–threat pairs)

Table 8-9 Sample TVA spreadsheet. Copyright © 2014 Cengage Learning®.

We now have a starting point for our risk assessment, along with the other documents and forms.
As you begin the risk assessment process, create a list of the TVA “triples” to facilitate your examination of the severity of the vulnerabilities. For example, between Threat 1 and Asset 1 there may or may not be a vulnerability. After all, not all threats pose risks to all assets. If a pharmaceutical company’s most important asset is its research and development database and that database resides on a stand-alone network (i.e., one that is not connected to the Internet), then there may be no vulnerability to external hackers. If the intersection of T1 and A1 has no vulnerability, then the risk assessment team simply crosses out that box. It is much more likely, however, that one or more vulnerabilities exist between the two, and as these vulnerabilities are identified, they are categorized as follows:
T1V1A1—Vulnerability 1 that exists between Threat 1 and Asset 1
T1V2A1—Vulnerability 2 that exists between Threat 1 and Asset 1
T2V1A1—Vulnerability 1 that exists between Threat 2 and Asset 1
… and so on.
In the risk assessment phase, discussed in the next section, not only are the vulnerabilities examined, but the assessment team also analyzes any existing controls that protect the asset from the threat or mitigate the losses that may occur. Cataloging and categorizing these controls is the next step in the TVA spreadsheet.

View Point

Getting at Risk

By George V. Hulme, an independent business and technology journalist who has covered information security for more than 15 years for such publications as InformationWeek and Information Security Magazine

The risks that organizations face have never been higher. More systems are interconnected today than ever before, and there is only one constant to those systems: change.
Aside from hackers, disgruntled employees, and corporate spies, a growing number of laws and regulations (such as Sarbanes-Oxley, Gramm-Leach-Bliley, and the Health Information Portability and Accountability Act) have forever changed the role of the InfoSec professional as the gatekeeper of information and the manager of risk. The role of the security professional is to help the organization manage risks poised against the confidentiality, integrity, and availability of its information assets. And the foundation of all InfoSec programs begins and forever lives with the process of risk assessment. Risk isn’t static. Rather, risk is fluid and evolves over time. A risk assessment conducted on the first day of the month can be quite different than the same assessment conducted several weeks later. The levels of risks for particular information systems can change as quickly as IT systems change. And geopolitical events such as war, economics, new employee hires, layoffs, and the steady introduction of new technologies all work to change the amount of risk faced by an organization.

The first task in risk assessment is to identify, assess, classify, and then decide on the value of digital assets and systems. Many believe that the most difficult aspect of risk assessment is uncovering the myriad system and configuration vulnerabilities that place systems at risk, but that’s not so; an abundance of tools are available that can help automate that task. It’s really deciding, organization-wide, the value of information and intellectual property that poses one of the most daunting challenges for the security professional. How much is the research and development data worth?
How much will it cost the organization if it loses access to the accounting or customer relationship management systems for a day? Without knowing the value of information and the systems that ensure its flow, it’s impossible to make reasonable decisions about how much can reasonably be spent protecting that information. It makes little sense to spend $200,000 annually to protect information that wouldn’t cost an organization more than $25,000 if exposed or lost. In a perfect world, with unlimited budgets and resources in hand, everything could be protected all of the time. But we don’t live in a perfect world, and tough decisions need to be made. That means bringing together management, legal, human resources, physical security, and other groups in the organization. In assessing risk, you must decide what needs to be protected and how much that information is worth. Only then can reasonable decisions be made as to how to mitigate risk by implementing defensive measures and sound policy.

During the risk assessment process, vulnerabilities to systems will inevitably be uncovered. The challenge here is to determine which ones pose the greatest threats to protected assets. It’s a challenge that security professionals face every day. Does a low-risk vulnerability (something unlikely to be exploited) on a system holding highly valuable corporate information need to be remediated more quickly than a high-risk vulnerability (one that is easily and likely to be exploited) on a system holding information of little value? Maybe. It all depends. And each situation is different.

Risk can never be entirely eliminated; it can only be managed to levels that an organization can tolerate.
The best way to keep risk low is to remain eternally vigilant by following a four-step process: (1) identify new assets, vulnerabilities, and threats; (2) assess and classify assets, vulnerabilities, and threats; (3) remediate and defend; and (4) return to Step 1.

Risk Assessment

Assessing the relative risk for each vulnerability is accomplished via a process called risk assessment. Risk assessment assigns a risk rating or score to each specific vulnerability. While this number does not mean anything in absolute terms, it enables you to gauge the relative risk associated with each vulnerable information asset, and it facilitates the creation of comparative ratings later in the risk control process.

Introduction to Risk Assessment

Estimating risk is not an exact science. Some practitioners use calculated values for risk estimation, whereas others rely on broader methods of estimation. Figure 8-3 shows the factors, some of which are estimates, that go into the risk-rating estimate for each of the vulnerabilities. The goal is to develop a repeatable method to evaluate the relative risk of each of the vulnerabilities that have been identified and added to the list. Chapter 9 describes how to determine more precise costs that may be experienced from vulnerabilities that lead to losses as well as projected expenses for the controls that reduce the risks. For now, you can use the simpler risk model shown in Figure 8-3 to evaluate the risk for each information asset. The next section describes the factors used to calculate the relative risk for each vulnerability.

Likelihood

Likelihood is the overall rating—a numerical value on a defined scale—of the probability that a specific vulnerability will be exploited.
In “Special Publication 800-30,” NIST recommends that vulnerabilities be assigned a likelihood rating between 0.1 (low) and 1.0 (high). For example, the likelihood of an employee or system being struck by a meteorite while indoors would be rated 0.1, while the likelihood of receiving at least one e-mail containing a virus or worm in the next year would be rated 1.0. You could also choose to use a number between 1 and 100, but not 0, since vulnerabilities with a 0 likelihood should have already been removed from the asset/vulnerability list. Whatever rating system you employ for assigning likelihood, use professionalism, experience, and judgment to determine the rating—and use it consistently. Whenever possible, use external references for likelihood values, after reviewing and adjusting them for your specific circumstances. For many asset/vulnerability combinations, existing sources have already determined their likelihood. For example:
● The likelihood of a fire has been estimated actuarially for each type of structure.
● The likelihood that a given e-mail will contain a virus or worm has been researched.
● The number of network attacks can be forecast depending on how many network addresses the organization has been assigned.

Risk is
  the likelihood of the occurrence of a vulnerability
multiplied by
  the value of the information asset
minus
  the percentage of risk mitigated by current controls
plus
  the uncertainty of current knowledge of the vulnerability

Figure 8-3 Risk assessment estimate factors. Copyright © 2014 Cengage Learning®.

Assessing Potential Loss

Using the information documented during the risk identification process, you can assign weighted scores based on the value of each information asset.
The actual number used will vary according to the needs of the organization. Some groups use a scale of 1–100, with “100” reserved for those information assets the loss of which would stop company operations within a few minutes. Other recommended scales, including the one in “NIST SP 800-30,” use assigned weights in broad categories, with all-important assets having a value of 100, low-criticality assets having a value of 1, and all other assets having a medium value of 50. Still other scales employ weights from 1 to 10, or assigned values of 1, 3, and 5 to represent low-, medium-, and high-valued assets, respectively. Alternatively, you can create unique weighted values customized to your organization’s specific needs. To be effective, the values must be assigned by asking the questions included in the section titled “Identify and Prioritize Threats and Threat Agents.” These questions are restated here for easy reference:

● Which threats present a danger to this organization’s assets in its current environment?
● Which threats represent the gravest danger to the organization’s information assets?
● How much would it cost to recover from a successful attack?
● Which threats would require the greatest expenditure to prevent?

After reconsidering these questions, use the background information from the risk identification process and add to that information by posing yet another question:

● Which of the aforementioned questions is the most important to the protection of information from threats within this organization?

The answer to this question determines the priorities used in the assessment of vulnerabilities. Which is the most important to the organization—the cost to recover from a threat attack or the cost to protect against a threat attack? More generally, which of the threats has the highest probability of leading to a successful attack? Recall that the purpose of risk assessment is to look at the threats an organization faces in its current state.
Once these questions are answered, move to the next step in the process: examining how current controls can reduce the risk faced by specific vulnerabilities.

Percentage of Risk Mitigated by Current Controls

If a vulnerability is fully managed by an existing control, it can be set aside. If it is partially controlled, estimate what percentage of the vulnerability has been controlled.

Uncertainty

It is not possible to know everything about every vulnerability, such as how likely an attack against an asset is, or how great an impact a successful attack would have on the organization. The degree to which a current control can reduce risk is also subject to estimation error. A factor that accounts for uncertainty must always be added to the equations; it consists of an estimate made by the manager using good judgment and experience.

Risk Determination

For the purpose of relative risk assessment, risk equals likelihood of vulnerability occurrence times value (or impact) minus percentage risk already controlled plus an element of uncertainty. To see how this equation works, consider the following scenario:

● Information asset A has a value score of 50 and one vulnerability: Vulnerability 1 has a likelihood of 1.0 with no current controls. You estimate that assumptions and data are 90 percent accurate.
● Information asset B has a value score of 100 and two vulnerabilities: Vulnerability 2 has a likelihood of 0.5 with a current control that addresses 50 percent of its risk; vulnerability 3 has a likelihood of 0.1 with no current controls. You estimate that assumptions and data are 80 percent accurate.
The resulting ranked list of risk ratings for the three vulnerabilities just described, using the equation (value times likelihood) minus risk mitigated plus uncertainty, is as follows:

● Asset A: Vulnerability 1 rated as 55 = (50 × 1.0) − ((50 × 1.0) × 0%) + ((50 × 1.0) × 10%), where
    55 = (50 × 1.0) − ((50 × 1.0) × 0.0) + ((50 × 1.0) × 0.1)
    55 = 50 − 0 + 5
● Asset B: Vulnerability 2 rated as 35 = (100 × 0.5) − ((100 × 0.5) × 50%) + ((100 × 0.5) × 20%), where
    35 = (100 × 0.5) − ((100 × 0.5) × 0.5) + ((100 × 0.5) × 0.2)
    35 = 50 − 25 + 10
● Asset B: Vulnerability 3 rated as 12 = (100 × 0.1) − ((100 × 0.1) × 0%) + ((100 × 0.1) × 20%), where
    12 = (100 × 0.1) − ((100 × 0.1) × 0.0) + ((100 × 0.1) × 0.2)
    12 = 10 − 0 + 2

Likelihood and Consequences

Another approach to calculating risk based on likelihood is the likelihood and consequences rating from the Australian and New Zealand Risk Management Standard 4360,⁶ which uses qualitative methods to determine risk based on a threat’s probability of occurrence and expected results of a successful attack. Qualitative risk assessment, which is examined elsewhere in this chapter, consists of using categories instead of specific values to determine risk.

As shown in Table 8-10, consequences (i.e., impact assessment) are evaluated on five levels ranging from insignificant (level 1) to catastrophic (level 5). It is up to the organization to evaluate its threats and assign the appropriate consequence level.

Level  Descriptor     Description
1      Insignificant  No injuries, low financial loss
2      Minor          First aid treatment, onsite release immediately contained, medium financial loss
3      Moderate       Medical treatment required, onsite release contained with outside assistance, high financial loss
4      Major          Extensive injuries, loss of production capability, offsite release with no detrimental effects, major financial loss
5      Catastrophic   Death, toxic release offsite with detrimental effect, huge financial loss

Table 8-10 Example of consequence levels for organizational threats⁷
Copyright © 2014 Cengage Learning®.
Level  Descriptor      Explanation
A      Almost certain  Is expected to occur in most circumstances
B      Likely          Will probably occur in most circumstances
C      Possible        Might occur at some time
D      Unlikely        Could occur at some time
E      Rare            May occur only in exceptional circumstances

Table 8-11 Likelihood levels for organizational threats⁸
Copyright © 2014 Cengage Learning®.

Table 8-11 shows the qualitative likelihood assessment levels ranging from A (almost certain) to E (rare). Again, the organization must determine the likelihood or probability of an attack from each specific threat category. When the two are combined, the organization should be able to determine which threats represent the greatest danger to the organization’s information assets, as shown in Table 8-10. The resulting rankings can then be inserted into the TVA tables for use in risk assessment.

Table 8-12 identifies the potential consequences at various risk levels. If the organization has a tie in two or more threats in the same resulting category (such as Extreme Risk), then a 5A would be ranked higher than a 5B or a 4A, and so on.
Table 8-12 Qualitative risk assessment matrix

Likelihood           Consequences
                     Insignificant 1  Minor 2  Moderate 3  Major 4  Catastrophic 5
A (almost certain)   H                H        E           E        E
B (likely)           M                H        H           E        E
C (possible)         L                M        H           E        E
D (unlikely)         L                L        M           H        E
E (rare)             L                L        M           H        H

Note: E = Extreme risk: Immediate action required; H = High risk: Senior management attention required; M = Moderate risk: Management responsibility must be specified; L = Low risk: Management by routine procedures required
Source: Risk management plan templates and forms from www.treasury.act.gov.au/actia/Risk.htm

Replacing the A through E categories with a 5 (almost certain) to 1 (rare) would allow a simple multiplication for prioritization. For example, 3 (moderate) times 4 (likely) equals 12, versus 4 (major) times 4 (likely), which equals 16.

Identify Possible Controls

For each threat and its associated vulnerabilities that have residual risk, the organization should create a preliminary list of control ideas. The purpose of this list, which begins with the identification of extant controls, is to identify areas of residual risk that may or may not need to be reduced. Residual risk is the risk that remains even after the existing control has been applied.

“Controls,” “safeguards,” and “countermeasures” are all terms used to describe security mechanisms, policies, and procedures. These mechanisms, policies, and procedures counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the general state of security within an organization.

Three general categories of controls exist: policies, programs, and technical controls. You learned about policies in Chapter 4.
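The qualitative method of Tables 8-10 through 8-12, as an added example that is not code from the textbook: a lookup of the risk level from a consequence level and likelihood letter, the tie-break rule described above (5A ahead of 5B ahead of 4A), and the 5-to-1 numeric substitution used for the multiplication shortcut. The function names and the sample threats are my own assumptions.

```python
"""Qualitative risk assessment matrix (AS/NZS 4360 style, as in Table 8-12).

Added example, not textbook code; function names are assumptions.
Rows are likelihood A (almost certain) .. E (rare); columns are
consequence levels 1 (insignificant) .. 5 (catastrophic).
"""

# Table 8-12, row by row; each string holds the cells for consequences 1..5.
MATRIX = {
    "A": "HHEEE",   # almost certain
    "B": "MHHEE",   # likely
    "C": "LMHEE",   # possible
    "D": "LLMHE",   # unlikely
    "E": "LLMHH",   # rare
}

LEVEL_ACTION = {
    "E": "Extreme risk: immediate action required",
    "H": "High risk: senior management attention required",
    "M": "Moderate risk: management responsibility must be specified",
    "L": "Low risk: management by routine procedures required",
}

LIKELIHOOD_ORDER = "ABCDE"   # A ranks above B when breaking ties
LEVEL_ORDER = "EHML"         # extreme ranks above high, and so on


def risk_level(consequence: int, likelihood: str) -> str:
    """Look up the E/H/M/L cell for a consequence level and likelihood letter."""
    if consequence not in range(1, 6):
        raise ValueError(f"consequence level {consequence} must be 1-5")
    if likelihood not in MATRIX:
        raise ValueError(f"likelihood {likelihood!r} must be one of A-E")
    return MATRIX[likelihood][consequence - 1]


def numeric_score(consequence: int, likelihood: str) -> int:
    """Replace A..E with 5..1 and multiply, e.g. moderate (3) x likely (4) = 12."""
    risk_level(consequence, likelihood)      # reuse the range checks
    return consequence * (5 - LIKELIHOOD_ORDER.index(likelihood))


def rank_threats(threats):
    """Sort (name, consequence, likelihood) triples, most severe first.

    Ties within one level are broken by consequence, then likelihood,
    so a 5A ranks above a 5B, which ranks above a 4A.
    """
    def key(threat):
        _, consequence, likelihood = threat
        level = risk_level(consequence, likelihood)
        return (LEVEL_ORDER.index(level), -consequence,
                LIKELIHOOD_ORDER.index(likelihood))
    return sorted(threats, key=key)


# Constructed sample threats: (name, consequence level, likelihood letter).
SAMPLE_THREATS = [
    ("Web server hardware failure", 4, "A"),
    ("Data centre fire", 5, "B"),
    ("Malware outbreak on file server", 5, "A"),
    ("Lost laptop holding only public data", 1, "C"),
]

if __name__ == "__main__":
    for name, cons, lik in rank_threats(SAMPLE_THREATS):
        level = risk_level(cons, lik)
        print(f"{level} {cons}{lik} {name}: {LEVEL_ACTION[level]} "
              f"(numeric {numeric_score(cons, lik)})")
```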
Programs are activities performed within the organization to improve security; they include security education, training, and awareness programs. Technical controls—also known as “security technologies”—are the technical implementations of the policies defined by the organization. These controls, whether in place or planned, should be added to the TVA worksheet as they are identified.

Access Controls

Access controls specifically address the admission of users into a trusted area of the organization. These areas can include information systems, physically restricted areas such as computer rooms, and even the organization in its entirety. Access controls usually consist of a combination of policies, programs, and technologies.

A number of approaches to, and categories of, access controls exist. They can be mandatory, nondiscretionary, or discretionary. Each category of controls regulates access to a particular type or collection of information, as explained in Chapter 6.

Documenting the Results of Risk Assessment

The goal of the risk management process so far has been to identify information assets and their vulnerabilities and to rank them according to the need for protection. In preparing this list, a wealth of factual information about the assets and the threats they face is collected. Also, information about the controls that are already in place is collected. The final summarized document is the ranked vulnerability risk worksheet, as shown in Table 8-9. This document is an extension of the TVA spreadsheet discussed earlier, showing only the assets and relevant vulnerabilities. A review of this worksheet reveals similarities to the weighted factor analysis worksheet depicted in Table 8-2. Table 8-13 illustrates the use of a weighted spreadsheet to calculate risk vulnerability for a number of information assets. The columns in the worksheet shown in Table 8-13 are used as follows:

● Asset—List each vulnerable asset.
● Asset impact—Show the results for this asset from the weighted factor analysis worksheet. (In our example, this value is a number from 1 to 100.)
● Vulnerability—List each uncontrolled vulnerability.
● Vulnerability likelihood—State the likelihood of the realization of the vulnerability by a threat agent as indicated in the vulnerability analysis step. (In our example, the potential values range from 0.1 to 1.0.)
● Risk-rating factor—Enter the figure calculated by multiplying the asset impact and its likelihood. (In our example, the calculation yields a number ranging from 0.1 to 100.)

Asset                                          Asset Impact  Vulnerability                                           Vulnerability Likelihood  Risk-Rating Factor
Customer service request via e-mail (inbound)  55            E-mail disruption due to hardware failure               0.2                       11
Customer service request via e-mail (inbound)  55            E-mail disruption due to software failure               0.2                       11
Customer order via SSL (inbound)               100           Lost orders due to Web server hardware failure          0.1                       10
Customer order via SSL (inbound)               100           Lost orders due to Web server or ISP service failure    0.1                       10
Customer service request via e-mail (inbound)  55            E-mail disruption due to SMTP mail relay attack         0.1                       5.5
Customer service request via e-mail (inbound)  55            E-mail disruption due to ISP service failure            0.1                       5.5
Customer service request via e-mail (inbound)  55            E-mail disruption due to power failure                  0.1                       5.5
Customer order via SSL (inbound)               100           Lost orders due to Web server denial-of-service attack  0.025                     2.5
Customer order via SSL (inbound)               100           Lost orders due to Web server software failure          0.01                      1
Customer order via SSL (inbound)               100           Lost orders due to Web server buffer overrun attack     0.01                      1

Table 8-13 Ranked vulnerability risk worksheet
Copyright © 2014 Cengage Learning®.
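The risk determination formula from the Risk Determination section and the risk-rating factor column of Table 8-13 in one small script, as an added example that is not code from the textbook. It recomputes the asset A / asset B ratings (55, 35, 12), drops any vulnerability that is fully managed by an existing control, and sorts the rest into a ranked list; the class and function names are my own assumptions.

```python
"""Relative risk rating from the text:

    risk = (value x likelihood)
           - (value x likelihood) x fraction already controlled
           + (value x likelihood) x uncertainty

Added example, not code from the textbook; the class and function names
are assumptions. With no controls and no uncertainty the rating reduces
to the risk-rating factor column of Table 8-13 (impact x likelihood).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    name: str
    value: float       # asset impact/value score from the weighted factor analysis (1-100)
    likelihood: float  # likelihood rating, 0.1 (low) to 1.0 (high); never 0
    controlled: float  # fraction of the risk mitigated by current controls (0.0-1.0)
    accuracy: float    # confidence in assumptions and data, e.g. 0.9 for "90 percent accurate"

    def __post_init__(self):
        # A likelihood of 0 means the pair should already have been dropped
        # from the asset/vulnerability list, so it is rejected here.
        if not 0.0 < self.likelihood <= 1.0:
            raise ValueError(f"{self.name}: likelihood {self.likelihood} must be in (0, 1.0]")
        if not 1 <= self.value <= 100:
            raise ValueError(f"{self.name}: value {self.value} must be in 1-100")
        for fld in ("controlled", "accuracy"):
            x = getattr(self, fld)
            if not 0.0 <= x <= 1.0:
                raise ValueError(f"{self.name}: {fld} {x} must be in 0.0-1.0")

    @property
    def fully_controlled(self) -> bool:
        """A vulnerability fully managed by an existing control is set aside."""
        return self.controlled >= 1.0


def risk_rating(v: Vulnerability) -> float:
    """(value x likelihood) minus the share already mitigated plus uncertainty."""
    base = v.value * v.likelihood
    uncertainty = 1.0 - v.accuracy     # 90 percent accurate -> 10 percent uncertainty
    return round(base - base * v.controlled + base * uncertainty, 2)


def ranked_worksheet(vulns):
    """Uncontrolled vulnerabilities, highest rating first, as in the ranked
    vulnerability risk worksheet."""
    return sorted((v for v in vulns if not v.fully_controlled),
                  key=risk_rating, reverse=True)


# Constructed sample data: the asset A / asset B scenario from the text ...
SCENARIO = [
    Vulnerability("Asset A", "Vulnerability 1", 50, 1.0, controlled=0.0, accuracy=0.9),
    Vulnerability("Asset B", "Vulnerability 2", 100, 0.5, controlled=0.5, accuracy=0.8),
    Vulnerability("Asset B", "Vulnerability 3", 100, 0.1, controlled=0.0, accuracy=0.8),
]

# ... and two rows of Table 8-13, where only impact x likelihood is used.
WORKSHEET_ROWS = [
    Vulnerability("Customer service request via e-mail (inbound)",
                  "E-mail disruption due to hardware failure", 55, 0.2, 0.0, 1.0),
    Vulnerability("Customer order via SSL (inbound)",
                  "Lost orders due to Web server denial-of-service attack", 100, 0.025, 0.0, 1.0),
]

if __name__ == "__main__":
    for v in ranked_worksheet(SCENARIO + WORKSHEET_ROWS):
        print(f"{risk_rating(v):>6}  {v.asset}: {v.name}")
```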
Looking at Table 8-13, you may be surprised that the most pressing risk requires making the mail server or servers more robust. Even though the impact rating of the information asset represented by the customer service e-mail is only 55, the relatively high likelihood of a hardware failure makes it the most pressing problem.

Deliverable                                 Purpose
Information asset classification worksheet  Assembles information about information assets and their impact on or value to the organization
Weighted criteria analysis worksheet        Assigns a ranked value or impact weight to each information asset
TVA worksheet                               Combines the output from the information asset identification and prioritization with the threat identification and prioritization and identifies potential vulnerabilities in the “triples”; also incorporates extant and planned controls
Ranked vulnerability risk worksheet         Assigns a risk-rating ranked value to each uncontrolled asset-vulnerability pair

Table 8-14 Risk identification and assessment deliverables
Copyright © 2014 Cengage Learning®.

Now that the risk identification process is complete, what should the documentation package look like? In other words, what are the deliverables from this stage of the risk management project? The risk identification process should designate what function the reports serve, who is responsible for preparing them, and who reviews them. The ranked vulnerability risk worksheet is the initial working document for the next step in the risk management process: assessing and controlling risk. Table 8-14 shows an example list of the worksheets that should have been prepared by an information asset risk management team up to this point.
In the last stage of the risk analysis (identification and assessment) process, you use the TVA worksheet, along with the other worksheets you have created, to develop a prioritized list of tasks. Obviously, the presence of uncontrolled vulnerabilities in high-ranking assets is the first priority for the implementation of new controls as part of the risk management process discussed in the next chapter. Before any additional controls are added, though, an organization must determine the levels of risk it is willing to accept, based on a cost-benefit analysis, which is the subject of Chapter 9.

Chapter Summary

■ Risk management examines and documents an organization’s information assets.
■ Management is responsible for identifying and controlling the risks that an organization encounters. In the modern organization, the InfoSec group often plays a leadership role in risk management.
■ A key component of a risk management strategy is the identification, classification, and prioritization of the organization’s information assets.
■ Assessment is the identification of assets, including all the elements of an organization’s system: people, procedures, data, software, hardware, and networking elements.
■ The human resources, documentation, and data information assets of an organization are not as easily identified and documented as tangible assets, such as hardware and software. These more elusive assets should be identified and described using knowledge, experience, and judgment.
■ You can use the answers to the following questions to develop weighting criteria for information assets:
    ■ Which information asset is the most critical to the success of the organization?
    ■ Which information asset generates the most revenue?
    ■ Which information asset generates the highest profitability?
    ■ Which information asset is the most expensive to replace?
    ■ Which information asset is the most expensive to protect?
    ■ Which information asset’s loss or compromise would be the most embarrassing or cause the greatest liability?
    ■ What questions should be added to cover the needs of the specific organization and its environment?
■ After identifying and performing a preliminary classification of information assets, the threats facing an organization should be examined. There are 12 general categories of threats to InfoSec.
■ Each threat must be examined during a threat assessment process that addresses the following questions: Which of these threats exist in this organization’s environment? Which are the most dangerous to the organization’s information? Which require the greatest expenditure for recovery? Which require the greatest expenditure for protection?
■ Each information asset is evaluated for each threat it faces; the resulting information is used to create a list of the vulnerabilities that pose risks to the organization. This process results in an information asset and vulnerability list, which serves as the starting point for risk assessment.
■ A Threats-Vulnerabilities-Assets (TVA) worksheet lists the assets in priority order along one axis, and the threats in priority order along the other axis. The resulting grid provides a convenient method of examining the “exposure” of assets, allowing a simple vulnerability assessment.
■ The goal of risk assessment is the assignment of a risk rating or score that represents the relative risk for a specific vulnerability of a specific information asset.
■ If any specific vulnerability is completely managed by an existing control, it no longer needs to be considered for additional controls.
■ Controls, safeguards, and countermeasures should be identified for each threat and its associated vulnerabilities.
■ In general, three categories of controls exist: policies, programs, and technologies.
■ Access controls can be classified as mandatory, discretionary, or nondiscretionary.
■ The risk identification process should designate what function the resulting reports serve, who is responsible for preparing them, and who reviews them. The TVA worksheet and the ranked vulnerability risk worksheet are the initial working documents for the next step in the risk management process: assessing and controlling risk.

Review Questions

1. What is risk management?
2. List and describe the key areas of concern for risk management.
3. Why is identification of risks, through a listing of assets and their vulnerabilities, so important to the risk management process?
4. According to Sun Tzu, what two things must be achieved to secure information assets successfully?
5. Who is responsible for risk management in an organization?
6. Which community of interest usually takes the lead in information asset risk management?
7. Which community of interest usually provides the resources used when undertaking information asset risk management?
8. In risk management strategies, why must periodic reviews be a part of the process?
9. Why do networking components need more examination from an InfoSec perspective than from a systems development perspective?
10. What value would an automated asset inventory system have for the risk identification process?
11. Which information attributes are seldom or never applied to software elements?
12. Which information attribute is often of great value for networking equipment when Dynamic Host Configuration Protocol (DHCP) is not used?
13. When you document procedures, why is it useful to know where the electronic versions are stored?
14. Which is more important to the information asset classification scheme, that it be comprehensive or that it be mutually exclusive?
15. What is the difference between an asset’s ability to generate revenue and its ability to generate profit?
16. How many categories should a data classification scheme include? Why?
17. How many threat categories are listed in this chapter? Which is noted as being the most frequently encountered, and why?
18. What are vulnerabilities?
19. Describe the TVA worksheet. What is it used for?
20. Examine the simplest risk formula presented in this chapter. What are its primary elements?

Exercises

1. If an organization has three information assets to evaluate for risk management purposes, as shown in the accompanying data, which vulnerability should be evaluated for additional controls first? Which vulnerability should be evaluated last?

Data for Exercise 1:

● Switch L47 connects a network to the Internet. It has two vulnerabilities: (1) susceptibility to hardware failure, with a likelihood of 0.2, and (2) susceptibility to an SNMP buffer overflow attack, with a likelihood of 0.1. This switch has an impact rating of 90 and has no current controls in place. There is a 75 percent certainty of the assumptions and data.
● Server WebSrv6 hosts a company Web site and performs e-commerce transactions. It has Web server software that is vulnerable to attack via invalid Unicode values. The likelihood of such an attack is estimated at 0.1.
The server has been assigned an impact value of 100, and a control has been implemented that reduces the impact of the vulnerability by 75 percent. There is an 80 percent certainty of the assumptions and data.
● Operators use the MGMT45 control console to monitor operations in the server room. It has no passwords and is susceptible to unlogged misuse by the operators. Estimates show the likelihood of misuse is 0.1. There are no controls in place on this asset, which has an impact rating of 5. There is a 90 percent certainty of the assumptions and data.

2. Using the Web, search for at least three tools to automate risk assessment. Collect information on automated risk assessment tools. What do they cost? What features do they provide? What are the advantages and disadvantages of each one?
3. Using the list of threats to InfoSec presented in this chapter, identify and describe three instances of each that were not mentioned in the chapter.
4. Using the data classification scheme presented in this chapter, identify and classify the information contained in your personal computer or personal digital assistant. Based on the potential for misuse or embarrassment, what information is confidential, sensitive but unclassified, or suitable for public release?
5. Using the asset valuation method presented in this chapter, conduct a preliminary risk assessment on the information contained in your home. Answer each of the valuation questions listed in the section of this chapter titled “Identify and Prioritize Threats and Threat Agents.” What would it cost if you lost all your data?
6. Using the Internet, locate the National Association of Corporate Directors’ Web site. Describe its function and purpose. What does this association say about board member liability for InfoSec issues?

Closing Case

Mike and Iris were flying home from the meeting. The audit committee’s reaction had not been what they expected.

“I’m glad they understood the situation,” Mike said. “I’d like you to start revising our risk management documentation to make it a little more general. It sounds like the board will want to take our approach company-wide soon.”

Iris nodded and pulled out her notepad to make a to-do list.

Discussion

1. What will Iris have on her to-do list?
2. What resources can Iris call on to assist her?

Ethical Decision Making

Suppose that after they returned to the office, Mike was called to a private meeting with a senior executive from another division of the firm. During the discussion, Mike felt he was being subtly threatened with nonspecific but obviously devastating consequences to his career prospects at RWW as well as long-term damage to his professional reputation if he did not back off on his efforts to improve company-wide risk management at RWW. The other executive was adamant that the costs of improving the risk management process would hurt the firm without gaining any real improvement. Was this executive simply expressing her disagreement with Mike’s approach, or has some ethical line been crossed? Should Mike take any overt actions based on this conversation or inform others about the perceived threats? What could Mike do that would not embarrass the other executive and still offer him some protection in this situation?

Endnotes

1. Tzu, Sun. The Art of War. Translation by Samuel B. Griffith. Oxford, UK: Oxford University Press, 1988.
2. Quaglieri, Ernest. “The Hacking of Microsoft.” SANS Institute. Accessed March 10, 2013 @ www.giac.org/paper/gsec/488/hacking-microsoft/101184.
3. Whitman, Michael, and Herb Mattord. “Threats to Information Security Revisited.” Journal of Information Systems Security, 2012, 8(1).
4. Whitman, Michael. “Enemy at the Gates: Threats to Information Security.” Communications of the ACM, August 2003, 46(8).
5. This table is compiled from data published by the Computer Security Institute and the FBI over the years.
6. “AS/NZS 4360:1999: Risk Management.” Accessed March 10, 2013 @ www.schleupen.de/content/schleupen/schleupen013223/A.4.1.4_Australia_and_New_Zealand_Methodology_AS_NZ%25204360_1999.pdf.
7. “Introduction to Territory Wide Risk Management: Risk Management Templates.” Australian Capital Territory Insurance Authority. Accessed April 10, 2013 @ www.treasury.act.gov.au/actia/RiskManagementTemplate.docx.
8. Ibid.

chapter 9

Risk Management: Controlling Risk

Weakness is a better teacher than strength. Weakness must learn to understand the obstacles that strength brushes aside.
MASON COOLEY, U.S. APHORIST (1927–2002)

Iris went into the manager’s lounge to get a soda. As she was leaving, she saw Jane Harris—the accounting supervisor at Random Widget Works, Inc. (RWW)—at a table, poring over a spreadsheet that Iris recognized.

“Hi, Jane,” Iris said. “Can I join you?”

“Sure, Iris,” Jane said. “Perhaps you can help me with this form Mike wants us to fill out.”

Jane was working on the asset valuation worksheet that Iris had designed to be completed by all RWW managers. The worksheet listed all of the information assets in Jane’s department.
Mike Edwards had asked each manager to provide three values for each item: its cost, its replacement value, and its ranked criticality to the company’s mission, with the most important item being ranked number one. Mike hoped that Iris and the rest of the risk management team could use the data to build a consensus about the relative importance of various assets.

“What’s the problem?” Iris asked.

“I understand these first two columns. But how am I supposed to decide what’s the most important?”

“Well,” Iris began, “with your accounting background, you could base your answers on some of the data you collect about each of these information assets. For this quarter, what’s more important to senior management—revenue or profitability?”

“Profitability is almost always more important,” Jane replied. “We have some projects that generate lots of revenue but operate at a loss.”

“Well, there you go,” Iris said. “Why not calculate the profitability margin for each listed item and use that to rate and rank them?”

“Oh, okay Iris. Thanks for the idea,” Jane said. She then started making notes on her copy of the form.

LEARNING OBJECTIVES

Upon completion of this material, you should be able to:
• Recognize the strategy options used to control risk and be prepared to select from them when given background information
• Evaluate risk controls and formulate a cost-benefit analysis (CBA) using existing conceptual frameworks
• Explain how to maintain and perpetuate risk controls
• Describe popular approaches used in the industry to manage risk

Introduction

In the early days of information technology (IT), corporations used IT systems mainly to gain advantages over their competition.
Managers discovered that establishing a competitive business model, method, or technique allowed an organization to provide a product or service that was superior in some decisive way, thus creating a competitive advantage. But this is seldom true today. The current IT industry has evolved from this earlier model to one in which almost all competitors operate using similar levels of automation. Because IT is now readily available, almost all organizations are willing to make the investment to react quickly to changes in the market. In today’s highly competitive environment, managers realize that investing in IT systems at a level that merely maintains the status quo is no longer sufficient to gain a competitive advantage. In fact, even the implementation of new technologies does not necessarily enable an organization to gain or maintain a competitive lead. Instead, the concept of competitive disadvantage—the state of falling behind the competition—has emerged as a critical factor. Effective IT-enabled organizations now quickly absorb emerging technologies, not to gain or maintain the traditional competitive advantage but to avoid the possibility of losing market share when faltering systems make it impossible to maintain the current standard of service.

To keep up with the competition, organizations must design and create a safe environment in which business processes and procedures can function and evolve effectively. This environment must maintain confidentiality and privacy and assure the integrity and availability of organizational data. These objectives are met via the application of the principles of risk management.

This chapter builds on the concepts developed in Chapter 8, which focused on the identification of risk and the assessment of the relative impact from all identified vulnerabilities. That effort produced a list of documented vulnerabilities, ranked by criticality of impact.
In this chapter, you will learn how to use such a list to assess options, estimate costs, weigh the relative merits of options, and gauge the benefits of various control approaches. 9781305147263, Management of Information Security, Fourth Edition, Whitman/Mattord - © Cengage Learning. All rights reserved. No distribution allowed without express authorization. Risk Management: Controlling Risk 315 Controlling risk begins with an understanding of what risk mitigation strategies are and how to formulate them. The chosen strategy may include applying controls to some or all of the assets and vulnerabilities found in the ranked vulnerability worksheet prepared in Chapter 8. This chapter explores a variety of control approaches and then discusses how such approaches can be categorized. It also explains the critical concepts of CBA and residual risk, and it describes control strategy assessment and maintenance. Risk Control Strategies When an organization’s general management team determines that risks from information security (InfoSec) threats are creating a competitive disadvantage, it empowers the IT and InfoSec communities of interest to control those risks. Once the project team for InfoSec development has created the ranked vulnerability worksheet (see Chapter 8), the team must choose W one of five basic strategies to control the risks that arise from these vulnerabilities: ● ● ● ● ● I L Transferal—Shifting risks to other areas or to outside entities Mitigation—Reducing the S impact to information assets should an attacker successfully exploit a vulnerability O Acceptance—Understanding N the consequences of choosing to leave a risk uncontrolled and then properly acknowledging the risk that remains without an attempt at ...

Explanation & Answer

Attached.

Enterprise Information Security – Outline

I. Why risk management is an ongoing process
II. The strategic roles of the three communities of interest
III. An inventory of information assets in your personal life
IV. How outsourcing is a sound approach to gaining capability outside of a company's primary area of expertise
V. A hypothetical scenario


Running head: ENTERPRISE INFORMATION SECURITY

Enterprise Information Security
Name
Institution


Enterprise Information Security
Question 1.) Discuss why risk management is an ongoing process
Technology is the backbone of success in many organizations (Peltier, 2016). It has
enabled them to improve both the quality of their products and their services. With technology,
competition has become stiff as different organizations try to increase their market share.
However, much as technology is useful in the development and success of business, it has
become a source of wariness in the management of the company. It brings with it a lot of risks
that, if not well managed and monitored, can bring down a once large and successful business.
Earlier on, before the invention of technology, information was stored by way of physical
documents and put in cabinets. With technology, information is virtually stored in computers or
servers (Mattord, 2014). Many firms have lost vital information through computer breakdown,
abrupt power interruption and natural disasters such as fire. It could be data containing records of
debtors and creditors or about the firm’s assets. Without this information, most debtors may
refuse to pay or may not know how much debt they owe the company. It is crucial that a risk
management system is established whenever technology is implemented in an organization. Risk
management strategies address risks about the loss of data by having sufficient and effective
backups. They also address issues about performance maintenance. Technology advances every
other day and hardware wears out after some time (Mattord, 2014). Viruses can attack data
and put it at risk of loss. Application of risk management is es...

