Chapter 8
Risk Management: Identifying and Assessing Risk
Once we know our weaknesses, they cease to do us any harm.
G. C. (GEORG CHRISTOPH) LICHTENBERG (1742–1799), A GERMAN PHYSICIST AND PHILOSOPHER
Iris Majwabu and Mike Edwards sat side by side on the short flight to the nearby city where the Random Widget Works, Inc. (RWW) board of directors audit committee was meeting that afternoon. The two had been invited to present RWW’s information technology (IT) risk management program to the committee. The board’s concerns stemmed from a recent briefing by the National Association of Corporate Directors, which focused on trends affecting the potential liability of board members in the areas of InfoSec in general and risk management in particular.

After the plane leveled off, Mike pulled out his copy of the presentation he planned to give that afternoon. He and Iris had been working on it for the past two weeks, and each knew the slides by heart. Iris was along to assist with the question-and-answer period that would follow Mike’s presentation.

“They’re not going to be happy campers when you’re done,” Iris said.

“No, they’re not,” Mike said. “The CEO is worried about how they’ll respond and about what might come up at the full board meeting next month. I’m afraid the disconnect between IT and Internal Audit may have some unexpected consequences.”

Iris considered what she knew about the weaknesses of the Internal Audit Department’s approach to the company’s non-IT assets. Where Mike and Iris had built a sound, fact-based approach to estimating and controlling IT risk, some of the other company divisions used less empirical methods.

“I think we should come out of this okay,” Iris told Mike. “After all, the main concern of the audit committee members is the new perception of their liability for IT security and the impact that IT risk has on the issues surrounding privacy. We have a solid risk management plan in place that’s working well, in my opinion.”

Mike looked up from his notes and said, “It’s not us I’m worried about. I’m afraid we may create some discomfort and unwanted attention for our peers after the board sees the wide variety of risk management approaches used in other divisions.”

9781305147263, Management of Information Security, Fourth Edition, Whitman/Mattord - © Cengage Learning. All rights reserved. No distribution allowed without express authorization.
LEARNING OBJECTIVES
Upon completion of this material, you should be able to:
• Define risk management and its role in the organization
• Describe risk management techniques to identify and prioritize risk factors for information assets
• Explain how risk is assessed based on the likelihood of adverse events and the effects on information assets when events occur
• Discuss the use of the results of the risk identification process
Introduction
Information security (InfoSec) in an organization exists primarily to manage IT risk. Managing risk is one of the key responsibilities of every manager within an organization. In any well-developed risk management program, two formal processes are at work. The first, risk identification and assessment, is discussed in this chapter; the second, risk control, is the subject of the next chapter.
Each manager in the organization should focus on reducing risk. This is often done within the context of one of the three communities of interest, as follows:
● General management must structure the IT and InfoSec functions in ways that will result in the successful defense of the organization’s information assets, including data, hardware, software, procedures, and people.
● IT management must serve the IT needs of the broader organization and at the same time exploit the special skills and insights of the InfoSec community.
● InfoSec management must lead the way with skill, professionalism, and flexibility as it works with the other communities of interest to balance the constant trade-offs between the utility of information and its security.
Risk Management
If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.1
Chinese general Sun Tzu’s observation, made more than 2,400 years ago, continues to have direct
relevance to the philosophy of InfoSec today. InfoSec strategy and tactics are in many ways similar
to those employed in conventional warfare. InfoSec managers and technicians are the defenders of
information. They constantly face a myriad of threats to the organization’s information assets.
A layered defense is the foundation of any InfoSec program. So, as Sun Tzu recommends, to reduce
risk, an organization must (1) know itself and (2) know its enemy. This means that managers from
all three communities of interest must locate the weaknesses of their organization’s operations;
understand how the organization’s information is processed, stored, and transmitted; and identify
what resources are available. Only then can they develop a strategic plan of defense.
Knowing Yourself
When operating any kind of organization, a certain amount of risk is always involved. Risk is inherent in hiring, marketing products, and even in making decisions about where to place the building that houses the organization. Risk finds its way into the daily operations of every organization, and if it is not properly managed, it can cause operational failures and even lead to complete collapse.
For an organization to manage risk properly, managers should understand how information is processed, stored, and transmitted. Knowing yourself in this context requires knowing which information assets are valuable to the organization, identifying, categorizing, and classifying those assets, and understanding how they are currently being protected. Armed with this knowledge, the organization can then initiate an in-depth risk management program.
Note that the mere existence of a risk management program is not sufficient. Frequently, risk management mechanisms are implemented but not maintained or kept current. Risk management is a process, which means the safeguards and controls that are devised and implemented are not “install-and-forget” devices (see Chapter 9).
Knowing the Enemy
Once an organization becomes aware of its weaknesses, managers can take up Sun Tzu’s second dictum: Know the enemy. This means identifying, examining, and understanding the threats facing the organization’s information assets. Managers must be fully prepared to identify those threats that pose risks to the organization and the security of its information assets. Risk management is the process of discovering and assessing the risks to an organization’s operations and determining how those risks can be controlled or mitigated. Risk analysis is the identification and assessment of levels of risk in the organization; it is a major component of risk management.
Accountability for Risk Management
All of the communities of interest bear responsibility for the management of risks. The management of the organization is accountable for the risk management program that is used. Of the three communities of interest directly linked to managing the risks to information assets, each has a particular strategic role to play:
●
InfoSec—Because members of the InfoSec community best understand the threats and
attacks that introduce risk, they often take a leadership role in addressing risk.
●
IT—This group must help to build secure systems and ensure their safe operation. For
example, IT builds and operates information systems that are mindful of operational
risks and have proper controls implemented to reduce risk.
●
Management and users—When properly trained and kept aware of the threats faced by the
organization, this group plays a part in the early detection and response process. Members
of this community also ensure that sufficient resources (money and personnel) are allocated
to the InfoSec and IT groups to meet the security needs of the organization. For example,
business managers must ensure that supporting records for orders remain intact in case of
data entry error or transaction corruption. Users must be made aware of threats to data
and systems and must be educated on practices that minimize those threats.
The three communities of interest must work together to address every level of risk, ranging
from full-scale disasters (whether natural or human-made) to the smallest mistake made by
an employee. To do so, they must be actively involved in the following activities:
● Evaluating the risk controls
● Determining which control options are cost effective
● Acquiring or installing the appropriate controls
● Overseeing processes to ensure that the controls remain effective
● Identifying risks, which includes:
    ● Creating an inventory of information assets
    ● Classifying and organizing those assets meaningfully
    ● Assigning a value to each information asset
    ● Identifying threats to the cataloged assets
    ● Pinpointing vulnerable assets by tying specific threats to specific assets
● Assessing risks, which includes:
    ● Determining the likelihood that vulnerable systems will be attacked by specific threats
    ● Assessing the relative risk facing the organization’s information assets, so that risk management and control activities can focus on assets that require the most urgent and immediate attention
    ● Calculating the risks to which assets are exposed in their current setting
    ● Looking in a general way at controls that might come into play for identified vulnerabilities and ways to control the risks that the assets face
● Summarizing the findings, which involves stating the conclusions of the analysis stage of risk assessment in preparation for moving into the stage of controlling risk by exploring methods to mitigate risk
● Documenting and reporting the findings of risk identification and assessment
Figure 8-1 outlines the steps in the risk identification and assessment process.
Risk Identification
Risk identification begins with the process of self-examination. At this stage, managers identify the organization’s information assets, classify and categorize them into useful groups, and prioritize them by their overall importance. This can be a daunting task, but it must be done to identify weaknesses and the threats they present.
Figure 8-1 Risk identification and assessment process: Plan and Organize Process; Create System Component Categories; Develop Inventory of Assets; Identify Threats; Specify Vulnerable Assets; Assign Value or Impact Rating to Assets; Assess Likelihood for Vulnerabilities; Calculate Relative Risk Factor for Assets; Preliminary Review of Possible Controls; Document Findings
Creating an Inventory of Information Assets
The risk identification process begins with the identification of information assets, including people, procedures, data, software, hardware, and networking elements. This step should be done without prejudging the value of each asset; values will be assigned later in the process. Table 8-1 shows a model outline of the identified assets subcategorized into risk management components.

Table 8-1
IT System Components | Risk Management Components | Example Risk Management Components
People               | Internal personnel         | Trusted employees; Other staff members
                     | External personnel         | People we trust outside our organization; Strangers
Procedures           | Procedures                 | IT and business standard procedures; IT and business sensitive procedures
Data                 | Data/information           | Transmission; Processing; Storage
Software             | Software                   | Applications; Operating systems; Security components
Hardware             | Hardware                   | Systems and peripherals; Security devices
Networking           | Networking                 | Local Area Network components; Intranet components; Internet or extranet components; Cloud-based components; Organizational assets used in systems
Copyright © 2014 Cengage Learning®.
The risk management components presented in Table 8-1 are organized as follows:
●
The people asset is divided into internal personnel (employees) and external personnel
(nonemployees). Insiders are further divided into those employees who hold trusted roles
and therefore have correspondingly greater authority and accountability and those regular
staff members who do not have any special privileges. Outsiders consist of other users who
have access to the organization’s information assets, some trusted and some untrusted.
● Procedures are assets because they are used to create value for the organization. They are divided into (1) IT and business standard procedures and (2) IT and business sensitive procedures. Sensitive procedures have the potential to enable an attack or to otherwise introduce risk to the organization. For example, the procedures used by a telecommunications company to activate new circuits pose special risks because they reveal aspects of the inner workings of a critical process, which can be subverted by outsiders for the purpose of obtaining unbilled, illicit services.
● The data asset includes information in all states: transmission, processing, and storage. This is an expanded use of the term “data,” which is usually associated with databases, not the full range of information used by modern organizations.
● Software is divided into applications, operating systems, and security components. Software that provides security controls may fall into the operating systems or applications category but is differentiated by the fact that it is part of the InfoSec control environment and must therefore be protected more thoroughly than other systems components.
● Hardware is divided into (1) the usual systems devices and their peripherals and (2) the devices that are part of InfoSec control systems. The latter must be protected more thoroughly than the former.
● Networking components include networking devices (such as firewalls, routers, and switches) and the systems software within them, which is often the focal point of attacks, with successful attacks continuing against systems connected to the networks. Of course, most of today’s computer systems include networking elements. You will have to determine whether a device is primarily a computer or primarily a networking device. A server computer that is used exclusively as a proxy server or bastion host may be classified as a networking component, while an identical server configured as a database server may be classified as hardware. For this reason, networking devices should be considered separately rather than combined with general hardware and software components.
In some corporate models, this list may be simplified into three groups: People, Processes, and Technology, often referred to as “PPT.” Whichever model is used, an organization, in the development of its risk assessment methods, should ensure that all of its information resources are properly identified, assessed, and managed for risk.
Identifying Hardware, Software, and Network Assets
Many organizations use purchased asset inventory systems to keep track of their hardware, network, and perhaps their software components. Numerous packages are available in the market today, and it is up to the chief information security officer (CISO) or chief information officer (CIO) to determine which package best serves the needs of the organization. Organizations that do not use an automated inventory system must create an equivalent manual process.
Whether automated or manual, the inventory process requires a certain amount of planning.
Most importantly, you must determine which attributes of each of these information assets
should be tracked. That determination will depend on the needs of the organization and its
risk management efforts as well as the preferences and needs of the InfoSec and IT communities. When deciding which attributes to track for each information asset, consider the following list of potential attributes:
● Name—This is a list of all the names commonly used for the device or program. Some organizations may have several names for the same product, and each of them should be cross-referenced in the inventory. This redundancy accommodates the usage across the organization and makes it accessible for everyone. No matter how many names you track or how you select a name, always provide a definition of the asset in question. Adopt naming standards that do not convey critical information to potential system attackers. For instance, a server named CASH1 or HQ_FINANCE may entice attackers.
● Asset tag—This is used to facilitate the tracking of assets. Asset tags are unique numbers assigned to assets during the acquisition process.
● Internet Protocol (IP) address—This attribute is useful for network devices and servers but rarely applies to software. You can, however, use a relational database and track software instances on specific servers or networking devices. Many larger organizations use the Dynamic Host Configuration Protocol (DHCP) within TCP/IP, which reassigns IP numbers to devices as needed, making the use of IP numbers as part of the asset-identification process very difficult.
● Media Access Control (MAC) address—Under the IEEE 802 standards (not TCP/IP itself), every network-interface hardware device carries a number intended to be unique, the MAC address (also called an “electronic serial number” or a “hardware address”). The network operating system uses this number to identify specific network devices. The client’s network software uses it to recognize traffic that it needs to process. In most settings, MAC addresses can be a useful way to track connectivity, but they can be changed in software (spoofed) on most operating systems. Note that some devices may have multiple network interfaces, each with its own MAC address, and others may have configurable MAC addresses; virtual machines and containers receive software-assigned addresses, and many current mobile and desktop operating systems randomize the MAC address they present to Wi-Fi networks, making MAC addresses even less useful as a unique identifier. Given the possibility of MAC address spoofing, the use of MAC addresses as a reliable identifier has been discontinued in many organizations.
● Asset type—This attribute describes the function of each asset. For hardware assets, a list of possible asset types that includes servers, desktops, networking devices, and test equipment should be developed. For software assets, a list that includes operating systems, custom applications by type (accounting, human resources, or payroll, to name a few), and packaged applications and/or specialty applications (such as firewall programs) should be developed. The degree of specificity is determined by the needs of the organization. Asset types can be recorded at two or more levels of specificity by first recording one attribute that classifies the asset at a high level and then adding attributes for more detail. For example, one server might be listed as follows:
DeviceClass = S (server)
DeviceOS = Win2008 (Windows Server 2008)
DeviceCapacity = AS (Advanced Server)
●
Serial number—This is a number that uniquely identifies a specific device. Some software vendors also assign a software serial number to each instance of the program
licensed by the organization.
●
Manufacturer name—This attribute can be useful for analyzing threat outbreaks when
specific manufacturers announce specific vulnerabilities.
●
Manufacturer’s model or part number—This number that identifies exactly what the
asset is can be very useful in the later analysis of vulnerabilities because some threats
apply only to specific models of certain devices and/or software components.
●
Software version, update revision, or FCO number—This attribute includes information about software and firmware versions and, for hardware devices, the current field change order number. A field change order (FCO) occurs when a manufacturer performs an upgrade to a hardware component at the customer’s premises. Tracking this information is particularly important when inventorying networking devices that function mainly through the software running on them. For example, a firewall device may have three version numbers associated with it: a Basic Input/Output System (BIOS) firmware version, the running operating system version, and the firewall appliance application software version. Each organization will have to determine which of those version numbers will be tracked, or if they would like to track all three. Because vulnerability advisories are issued against specific versions, an inventory that records none of them cannot answer the question “are we affected?” when one is published.
● Physical location—This attribute does not apply to software elements. Nevertheless, some organizations may have license terms that indicate where software can be used. This may include systems housed at remote colocation (“co-lo”) facilities or hosted by a cloud provider; both are often described as being “in the cloud,” but each still has a physical site that can matter for license terms.
● Logical location—This attribute specifies where an asset can be found on the organization’s network. The logical location is most applicable to networking devices and indicates the logical network segment (including “virtual local area networks” or VLANs) that houses the device.
● Controlling entity—This refers to the organizational unit that controls the asset. In some organizations, a remote location’s onsite staff could be placed in control of network devices; in other organizations, a central corporate group might control all the network devices. The inventory should determine which group controls each asset because the controlling group will want a voice in determining how much risk that device can tolerate and how much expense can be sustained to add controls.
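The attribute list above becomes concrete when the record is written down and checked at intake. The following is an added example, not code from the textbook: a hardware inventory record carrying those attributes, keyed on the asset tag (the one attribute that is assigned once and never changes), with checks for names that reveal function, malformed IP or MAC addresses, and MAC addresses that were assigned in software and therefore cannot identify a device. The naming standard, asset tags, hosts and addresses are all hypothetical.

```python
"""Added example (not from the textbook): an inventory record carrying the
attributes discussed above, plus the intake checks a practitioner would want.
Asset tags, names, addresses and the naming standard are all hypothetical."""
from dataclasses import dataclass, field
import ipaddress
import re

# Hypothetical naming standard: a name must not reveal a business function.
REVEALING_WORDS = {"cash", "finance", "payroll", "hr", "ceo", "backup", "vault"}

# Six hex pairs, all joined by the same separator (':' or '-') or by none.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([-:]?)[0-9A-Fa-f]{2}(\1[0-9A-Fa-f]{2}){4}$")


def normalize_mac(mac):
    """Canonical lower-case colon form, or None if the string is not a MAC."""
    if not MAC_RE.match(mac):
        return None
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """True when the locally administered bit (0x02 of the first octet) is set:
    the address was chosen in software (VM, container, client randomization),
    not burned in by the manufacturer, so it cannot serve as an identifier."""
    return int(mac[:2], 16) & 0x02 != 0


@dataclass
class Asset:
    asset_tag: str                 # assigned at acquisition; the only stable key
    names: list                    # every name in use, cross-referenced
    device_class: str              # high-level type, e.g. "S" for server
    device_os: str = ""
    device_capacity: str = ""
    serial_number: str = ""
    manufacturer: str = ""
    model: str = ""
    versions: dict = field(default_factory=dict)   # e.g. bios / os / app versions
    physical_location: str = ""
    logical_location: str = ""     # network segment or VLAN
    controlling_entity: str = ""
    ip_addresses: list = field(default_factory=list)   # may change under DHCP
    mac_addresses: list = field(default_factory=list)  # one per interface


def intake_findings(asset):
    """Return (severity, message) pairs for everything worth fixing in a record."""
    findings = []
    if not asset.asset_tag:
        findings.append(("error", "asset tag is required"))
    for name in asset.names:
        tokens = re.split(r"[^a-z]+", name.lower())
        if any(t in REVEALING_WORDS for t in tokens):
            findings.append(("warn", f"name {name!r} reveals function; rename per standard"))
    for ip in asset.ip_addresses:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append(("error", f"malformed IP address {ip!r}"))
    seen = set()
    for mac in asset.mac_addresses:
        canonical = normalize_mac(mac)
        if canonical is None:
            findings.append(("error", f"malformed MAC address {mac!r}"))
            continue
        if canonical in seen:
            findings.append(("warn", f"MAC {canonical} listed twice"))
        seen.add(canonical)
        if is_locally_administered(canonical):
            findings.append(("info", f"MAC {canonical} is software-assigned; do not key on it"))
    if len(seen) > 1:
        findings.append(("info", f"{len(seen)} interfaces; MAC is not a per-device identifier"))
    return findings


def build_inventory(assets):
    """Index records by asset tag, refusing duplicates."""
    inventory = {}
    for asset in assets:
        if asset.asset_tag in inventory:
            raise ValueError(f"duplicate asset tag {asset.asset_tag}")
        inventory[asset.asset_tag] = asset
    return inventory


# Constructed sample records (not real hosts).
SAMPLE_ASSETS = [
    Asset(asset_tag="RWW-000412", names=["HQ_FINANCE", "srv-a3-07"], device_class="S",
          device_os="Win2008", device_capacity="AS", serial_number="SN-7F3A21",
          manufacturer="ExampleCorp", model="X1", versions={"bios": "1.4", "os": "6.0.6003"},
          physical_location="HQ data center, row 3", logical_location="VLAN 120",
          controlling_entity="Corporate IT", ip_addresses=["10.20.30.40"],
          mac_addresses=["00-1A-2B-3C-4D-5E", "00:1a:2b:3c:4d:5f"]),
    Asset(asset_tag="RWW-000987", names=["vm-app-17"], device_class="S", device_os="Linux",
          ip_addresses=["10.20.31.17"], mac_addresses=["02:42:ac:11:00:02"]),
]

if __name__ == "__main__":
    for tag, asset in build_inventory(SAMPLE_ASSETS).items():
        for severity, message in intake_findings(asset):
            print(f"{tag}: [{severity}] {message}")
```

Run as a script, the first record is flagged for the revealing name HQ_FINANCE and for having two interfaces; the second is flagged because its only MAC address has the locally administered bit set, which is what a hypervisor or container runtime produces. The record keeps IP and MAC addresses as attributes worth tracking, but nothing in the inventory is keyed on them.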
Identifying People, Procedures, and Data Assets
Human resources, documentation, and data information assets are not as readily identified and documented as hardware and software. Responsibility for identifying, describing, and evaluating these information assets should be assigned to managers who possess the necessary knowledge, experience, and judgment. As these assets are identified, they should be recorded via a reliable data-handling process like the one used for hardware and software.
The record-keeping system should be flexible, allowing you to link assets to attributes based on the nature of the information asset being tracked. Basic attributes for various classes of assets include:
People
●
Position name/number/ID—Avoid names; use position titles, roles, or functions.
●
Supervisor name/number/ID—Avoid names; use position titles, roles, or functions.
● Security clearance level
● Special skills
Procedures
● Description
● Intended purpose
● Software/hardware/networking elements to which the procedure is tied
● Location where procedure documents are stored for reference
● Location where it is stored for update purposes
Data
● Classification
● Owner/creator/manager
● Size of data structure
● Data structure used (e.g., sequential or relational)
● Online or offline
● Location
● Backup procedures
Consider carefully what should be tracked for specific assets. Often, larger organizations find that they can effectively track only a few valuable facts about the most critical information assets. For instance, a company may track only IP address, server name, and device type for its mission-critical servers. The organization might forgo additional attribute tracking on all devices and completely omit the tracking of desktop or laptop systems.
Classifying and Categorizing Assets
Once the initial inventory is assembled, you must determine whether its asset categories are meaningful to the organization’s risk management program. Such a review may cause managers to further subdivide the categories presented in Table 8-1 or create new categories that better meet the needs of the risk management program. For example, if the category “Internet components” is deemed too general, it could be further divided into subcategories of servers, networking devices (routers, hubs, switches), protection devices (firewalls, proxies), and cabling.
The inventory should also reflect the sensitivity and security priority assigned to each information asset. A classification scheme should be developed (or reviewed, if already in place) that categorizes these information assets based on their sensitivity and security needs. Consider the following classification scheme for an information asset: confidential, internal, and public. Each of these classification categories designates the level of protection needed for a particular information asset. Some asset types, such as personnel, may require an alternative classification scheme that identifies the InfoSec processes used by the asset type. For example, based on need-to-know and right-to-update, an employee might be given a certain level of security clearance, which identifies the level of information that individual is authorized to use.
Classification categories must be comprehensive and mutually exclusive. “Comprehensive” means that all inventoried assets fit into a category; “mutually exclusive” means that each asset is found in only one category. For example, an organization may have a public key infrastructure certificate authority, which is a software application that provides cryptographic key management services. Using a purely technical standard, a manager could categorize the application in the asset list of Table 8-1 as software, a general grouping with no special classification priority. Because the certificate authority must be carefully protected as part of the InfoSec infrastructure, it should be categorized into a higher priority classification, such as software/security component/cryptography, and it should be verified that no overlapping category exists, such as software/security component/PKI.
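The “comprehensive and mutually exclusive” requirement can be checked mechanically once each category is written as a membership rule. What follows is an added example, not code from the textbook: a first scheme in which the certificate authority matches both the cryptography and the PKI categories (not exclusive) and backup tapes match nothing (not comprehensive), and a corrected scheme that passes. The category paths follow the chapter’s notation; the rules and the five-asset inventory excerpt are hypothetical.

```python
"""Added example (not from the textbook): testing whether an asset-categorization
scheme is comprehensive (every asset fits a category) and mutually exclusive (no
asset fits two). Category paths follow the chapter's notation; the membership
rules and the inventory excerpt are hypothetical."""


def _security_software(a):
    return a["kind"] == "software" and a.get("security_control", False)


def _plain_software(a):
    return a["kind"] == "software" and not a.get("security_control", False)


# First attempt: 'cryptography' and 'PKI' are both leaf categories, and a
# certificate authority satisfies both rules, so the scheme is not exclusive.
SCHEME_V1 = {
    "software/application": lambda a: _plain_software(a) and a["role"] == "application",
    "software/operating system": lambda a: _plain_software(a) and a["role"] == "os",
    "software/security component/cryptography": lambda a: _security_software(a) and "crypto" in a["functions"],
    "software/security component/PKI": lambda a: _security_software(a) and "pki" in a["functions"],
    "hardware/systems and peripherals": lambda a: a["kind"] == "hardware" and not a.get("security_control", False),
    "hardware/security devices": lambda a: a["kind"] == "hardware" and a.get("security_control", False),
}

# Corrected scheme: one cryptography category absorbs PKI, and storage media get a
# category of their own, so every inventoried asset lands in exactly one leaf.
SCHEME_V2 = {k: v for k, v in SCHEME_V1.items() if k != "software/security component/PKI"}
SCHEME_V2["software/security component/cryptography"] = (
    lambda a: _security_software(a) and bool({"crypto", "pki"} & a["functions"]))
SCHEME_V2["data/storage media"] = lambda a: a["kind"] == "media"

ASSETS = [  # constructed inventory excerpt
    {"tag": "A1", "name": "payroll application", "kind": "software", "role": "application", "functions": set()},
    {"tag": "A2", "name": "server operating system", "kind": "software", "role": "os", "functions": set()},
    {"tag": "A3", "name": "internal certificate authority", "kind": "software", "role": "application",
     "security_control": True, "functions": {"crypto", "pki"}},
    {"tag": "A4", "name": "hardware security module", "kind": "hardware",
     "security_control": True, "functions": {"crypto"}},
    {"tag": "A5", "name": "backup tapes", "kind": "media", "functions": set()},
]


def categories_for(scheme, asset):
    """All category paths whose rule accepts the asset (exactly one is the goal)."""
    return [path for path, rule in scheme.items() if rule(asset)]


def validate_scheme(scheme, assets):
    """Return (tags of uncategorized assets, {tag: paths} for multiply categorized ones).
    Both empty means the scheme is comprehensive and mutually exclusive over this
    inventory; it says nothing about assets that have not been inventoried yet."""
    uncategorized, overlaps = [], {}
    for asset in assets:
        hits = categories_for(scheme, asset)
        if not hits:
            uncategorized.append(asset["tag"])
        elif len(hits) > 1:
            overlaps[asset["tag"]] = hits
    return uncategorized, overlaps


def protection_priority(path):
    """Security components and security devices are protected more thoroughly."""
    return "high" if "/security" in path else "normal"


if __name__ == "__main__":
    for label, scheme in (("v1", SCHEME_V1), ("v2", SCHEME_V2)):
        uncategorized, overlaps = validate_scheme(scheme, ASSETS)
        print(label, "uncategorized:", uncategorized, "overlaps:", overlaps)
```

The check is only as good as the inventory it runs over: a scheme that partitions today’s assets can still leave a gap for the next kind of asset acquired, so the validation belongs in the periodic inventory review, not in a one-time exercise.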
Assessing Values for Information Assets
As each information asset is identified, categorized, and classified, a relative value must be assigned
to it. Relative values are comparative judgments intended to ensure that the most valuable information assets are given the highest priority when managing risk. It may be impossible to know in
advance—in absolute economic terms—what losses will be incurred if an asset is compromised;
however, a relative assessment helps to
Wensure that the higher value assets are protected first.
As each information asset is assigned
I to its proper category, posing the following basic questions can help you develop the weighting criteria to be used for information asset valuation
L to refer to the information collected in the business
or impact evaluation. It may be useful
impact analysis (BIA) process (covered
S in Chapter 3) to help you assess a value for an asset.
●
●
●
●
Which information asset is theO
most critical to the success of the organization? When
determining the relative importance of each information asset, refer to the organization’s
N
mission statement or statement of objectives. From this source, determine which assets
,
are essential for meeting the organization’s
objectives, which assets support the objectives, and which are merely adjuncts. For example, a manufacturing company that makes
aircraft engines may decide that the process control systems that control the machine
tools on the assembly line are J
the first order of importance. Although shipping and
receiving data entry consoles are
A important to those functions, they may be less critical if
alternatives are available or can be easily arranged. Another example is an online organiM Web servers that advertise the company’s products and
zation such as Amazon.com. The
receive its orders 24 hours a day
I are essential, whereas the desktop systems used by the
customer service department to answer customer e-mails are less critical.
E
Which information asset generates the most revenue? The relative value of an information asset depends on how much revenue it generates—or, in the case of a nonprofit
organization, how critical it is5to service delivery. Some organizations have different
systems in place for each line of business or service they offer. Which of these assets
0 revenue or delivering services?
plays the biggest role in generating
5 the highest profitability? Managers should evaluate
Which information asset generates
how much profit depends on1a particular asset. For instance, at Amazon.com, some
servers support the book sales operations, others support the auction process, and still
B review database. Which of these servers contributes
others support the customer book
the most to profitability? Although
U important, the review database server does not
directly generate profits. Note the distinction between revenues and profits: Some systems on which revenues depend operate on thin or nonexistent margins and do not
generate profits. In nonprofit organizations, you can determine what percentage of the
agency’s clientele receives services from the information asset being evaluated.
Which information asset is the most expensive to replace? Sometimes an information
asset acquires special value because it is unique. If an enterprise still uses a Model-129
9781305147263, Management of Information Security, Fourth Edition, Whitman/Mattord - © Cengage Learning. All rights reserved. No distribution allowed without express authorization.
Risk Management: Identifying and Assessing Risk
289
keypunch machine to create special punch-card entries for a critical batch run, for
example, that machine may be worth more than its cost, because spare parts or service
providers may no longer be available. Another example is a specialty device with a
long delivery time frame because of manufacturing or transportation requirements.
Organizations must control the risk of loss or damage to such unique assets—for
example, by buying and storing a backup device. Any device stored as such must, of
course, be periodically updated and tested.
●
Which information asset is the most expensive to protect? Some assets are by their
nature difficult to protect, and formulating a complete answer to this question may not
be possible until the risk identification phase is complete, because the costs of controls
cannot be computed until the controls are identified. However, you can still make a
preliminary assessment of the relative difficulty of establishing controls for each asset.
●
Which information asset’s loss or compromise would be the most embarrassing or
cause the greatest liability? Almost every organization is aware of its image in the
local, national, and international spheres. Loss or exposure of some assets would
prove especially embarrassing. Microsoft’s image, for example, was tarnished when an
employee’s computer system became a victim of the QAZ Trojan horse and, as a
result, the latest version of Microsoft Office was stolen.2
You can use a worksheet, such as the one shown in Figure 8-2, to collect the answers to the
preceding list of questions for later analysis.

Figure 8-2 Sample asset classification scheme
Copyright © 2014 Cengage Learning®.
You may also need to identify and add other institution-specific questions to the evaluation
process.
Throughout this chapter, numbers are assigned to example assets to
illustrate the concepts being discussed. This highlights one of the
challenging issues in risk management. While other industries use
actuarially derived sources to make estimates, InfoSec risk management lacks such data. Many organizations use a variety of estimating
methods to assess values. Some in the industry question the use of “guesstimated” values in
calculations with other estimated values, claiming this degree of uncertainty undermines the
entire risk management endeavor. Research in this field is ongoing, and you are encouraged
to study those sections of Chapter 9 where alternative, qualitative risk management techniques are discussed.
Listing Assets in Order of Importance
The final step in the risk identification process is to list the assets in order of importance.
This goal can be achieved by using a weighted factor analysis worksheet similar to the one
shown in Table 8-2. In this process, each information asset is assigned a score for each critical factor. Table 8-2 uses values from 0.1 to 1.0. Your organization may choose to use
another weighting system, such as 1 to 10 or 1 to 100. Each criterion has an assigned weight
showing its relative importance in the organization.
Table 8-2 Example of a weighted factor analysis worksheet

Information Asset | Criterion 1: Impact on Revenue | Criterion 2: Impact on Profitability | Criterion 3: Impact on Public Image | Weighted Score
Criterion weight (1–100); must total 100 | 30 | 40 | 30 |
EDI Document Set 1—Logistics bill of lading to outsourcer (outbound) | 0.8 | 0.9 | 0.5 | 75
EDI Document Set 2—Supplier orders (outbound) | 0.8 | 0.9 | 0.6 | 78
EDI Document Set 2—Supplier fulfillment advice (inbound) | 0.4 | 0.5 | 0.3 | 41
Customer order via SSL (inbound) | 1 | 1 | 1 | 100
Customer service request via e-mail (inbound) | 0.4 | 0.4 | 0.9 | 55

Note: EDI = Electronic Data Interchange; SSL = Secure Sockets Layer
Copyright © 2014 Cengage Learning®.
A quick review of Table 8-2 shows that the Customer order via Secure Sockets Layer (SSL)
(inbound) data flow is the most important asset on this worksheet, and that the EDI Document Set 2—Supplier fulfillment advice (inbound) is the least critical asset.
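The weighted factor analysis of Table 8-2, carried out in code as an added example (this is not the textbook's own code, and the function and variable names are this example's own): the criterion weights must total 100, each asset is scored 0.1 to 1.0 per criterion, and an asset's weighted score is the sum of weight × score, which is what the Weighted Score column shows. The data is copied from Table 8-2; a worksheet whose weights do not total 100 or whose scores fall outside the scale is rejected rather than silently ranked.

```python
"""Weighted factor analysis worksheet for ranking information assets.

Added example, not code from the textbook. It reproduces the arithmetic of
Table 8-2: each criterion carries a weight (the weights must total 100), each
asset is scored 0.1 to 1.0 per criterion, and the weighted score is the sum of
weight x score. The data below is copied from Table 8-2; the function and
variable names are this example's own.
"""
from typing import Dict, List, Tuple

Scores = Dict[str, float]

# Criterion weights (1-100); they must total 100.
CRITERIA: Dict[str, int] = {
    "Impact on Revenue": 30,
    "Impact on Profitability": 40,
    "Impact on Public Image": 30,
}

# Per-asset factor scores on the 0.1 .. 1.0 scale used in Table 8-2.
ASSETS: Dict[str, Scores] = {
    "EDI Document Set 1 - Logistics bill of lading to outsourcer (outbound)":
        {"Impact on Revenue": 0.8, "Impact on Profitability": 0.9, "Impact on Public Image": 0.5},
    "EDI Document Set 2 - Supplier orders (outbound)":
        {"Impact on Revenue": 0.8, "Impact on Profitability": 0.9, "Impact on Public Image": 0.6},
    "EDI Document Set 2 - Supplier fulfillment advice (inbound)":
        {"Impact on Revenue": 0.4, "Impact on Profitability": 0.5, "Impact on Public Image": 0.3},
    "Customer order via SSL (inbound)":
        {"Impact on Revenue": 1.0, "Impact on Profitability": 1.0, "Impact on Public Image": 1.0},
    "Customer service request via e-mail (inbound)":
        {"Impact on Revenue": 0.4, "Impact on Profitability": 0.4, "Impact on Public Image": 0.9},
}


def validate(criteria: Dict[str, int], assets: Dict[str, Scores],
             low: float = 0.1, high: float = 1.0) -> None:
    """Reject worksheets whose weights do not total 100 or whose scores are off-scale."""
    total = sum(criteria.values())
    if total != 100:
        raise ValueError(f"criterion weights total {total}, not 100")
    for asset, scores in assets.items():
        missing = set(criteria) - set(scores)
        if missing:
            raise ValueError(f"{asset!r} has no score for {sorted(missing)}")
        for criterion, score in scores.items():
            if not low <= score <= high:
                raise ValueError(f"{asset!r}: {criterion} score {score} outside {low}..{high}")


def weighted_score(scores: Scores, criteria: Dict[str, int]) -> float:
    """Sum of weight x score over the criteria, rounded as the worksheet shows it."""
    return round(sum(criteria[c] * scores[c] for c in criteria), 1)


def rank_assets(assets: Dict[str, Scores],
                criteria: Dict[str, int]) -> List[Tuple[str, float]]:
    """Assets in order of importance: highest weighted score first, ties by name."""
    validate(criteria, assets)
    ranked = [(name, weighted_score(scores, criteria)) for name, scores in assets.items()]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for name, score in rank_assets(ASSETS, CRITERIA):
        print(f"{score:6.1f}  {name}")
```

Running it prints the assets in priority order, which matches the text's reading of Table 8-2: the customer order via SSL data flow comes first and the supplier fulfillment advice last. If your organization scores on a 1 to 10 or 1 to 100 scale instead, pass matching low and high bounds to validate.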
Threat Identification
As mentioned at the beginning of this chapter, the ultimate goal of risk identification is to
assess the circumstances and setting of each information asset to reveal any vulnerabilities.
Armed with a properly classified inventory, you can assess potential weaknesses in each
information asset—a process known as threat identification.
Any organization typically faces a wide variety of threats. If you assume that every threat can
and will attack every information asset, then the project scope becomes too complex. To
make the process less unwieldy, each step in the threat identification and vulnerability identification processes is managed separately and then coordinated at the end. At every step, the
manager is called on to exercise good judgment and draw on experience to make the process
function smoothly.
Identify and Prioritize Threats and Threat Agents
Chapter 2 identified 12 categories of threats to InfoSec, which are listed alphabetically in Table 8-3. Each of these
threats presents a unique challenge to InfoSec and must be handled with specific controls
that directly address the particular threat and the threat agent’s attack strategy. Before
threats can be assessed in the risk identification process, however, each threat must be
further examined to determine its potential to affect the targeted information asset. In general, this process is referred to as threat assessment.

Table 8-3 Threats to InfoSec

Threat | Examples
Compromises to intellectual property | Software piracy or other copyright infringement
Deviations in quality of service from service providers | Fluctuations in power, data, and other services
Espionage or trespass | Unauthorized access and/or data collection
Forces of nature | Fire, flood, earthquake, lightning, etc.
Human error or failure | Accidents, employee mistakes, failure to follow policy
Information extortion | Blackmail threat of information disclosure
Sabotage or vandalism | Damage to or destruction of systems or information
Software attacks | Malware: viruses, worms, macros, denial-of-services, or script injections
Technical hardware failures or errors | Hardware equipment failure
Technical software failures or errors | Bugs, code problems, loopholes, backdoors
Technological obsolescence | Antiquated or outdated technologies
Theft | Illegal confiscation of equipment or information
Copyright © 2014 Cengage Learning®.
Posing the following questions can help you understand the various threats and their potential effects on an information asset:
●
Which threats present a danger to this organization’s information assets in its current
environment? Not all threats endanger every organization, of course. Examine each of
the categories in Table 8-3 and eliminate any that do not apply to your organization.
It is unlikely for an organization to eliminate an entire category of threats, but doing
so speeds up the threat assessment process. The Offline box titled “Threats to Information Security” describes the threats that some CIOs of major companies identified
for their organizations. Although the box directly addresses only InfoSec, note that a
weighted ranking of threats should be compiled for any information asset that is at
risk. Once you have determined which threats apply to your organization, identify
particular examples of threats within each category, eliminating those that are not relevant. For example, a company with offices on the 23rd floor of a high-rise building in
Denver, Colorado, might not be subject to flooding unless it had critical infrastructure resources on a lower floor. Similarly, a firm with an office in Oklahoma City,
Oklahoma, might not be concerned with landslides.
●
Which threats represent the gravest danger to the organization’s information assets?
The amount of danger posed by a threat is sometimes difficult to assess. It may be tied
to the probability that the threat will attack the organization, or it may reflect the
amount of damage that the threat could create or the frequency with which the attack
may occur. During this preliminary assessment phase, the analysis is limited to examining the existing level of preparedness and improving the strategy of InfoSec. The
results should give a quick overview of the components involved.

As you will discover in Chapter 9, you can use both quantitative and qualitative measures to
rank values. Since information in this case is preliminary, the organization may want to
rank threats subjectively in order of danger. Alternatively, it may simply rate each of the
threats on a scale of 1 to 5, with “1” designating an insignificant threat and “5” designating
a highly significant threat.
5
Frequency of Attacks Remarkably,
the number of detected attacks is steadily decreasing; after a peak in 2000, fewer organizations
have reported unauthorized use of their com0
puter systems (i.e., hacking) every year. Meanwhile, the number of organizations reporting
5
malware attacks has dramatically increased. Unfortunately, the number of organizations
willing to report the number or costs
1 of successful attacks is also decreasing. The fact is,
almost every company has experienced an attack. Whether that attack was successful
B
depends on the company’s security efforts; whether the perpetrators were caught or the
organization was willing to report U
the attack is another matter entirely.
●
How much would it cost to recover from a successful attack? One of the calculations
that guides corporate spending on controls is the cost of recovery operations if an
attack occurs and is successful. At this preliminary phase, it is not necessary to conduct
a detailed assessment of the costs associated with recovering from a particular attack.
Offline
Threats to Information Security: Survey of Industry
What are the threats to InfoSec according to top computing executives?
Table 8-4 presents data collected in a study published in the Journal of Information
Systems Security (JISSec) and based on a previous study published in the Communications of the ACM (CACM) that asked that very question. Based on the categories of
threats presented earlier, more than 1,000 top computing executives were asked to
rate each threat category on a scale ranging from “not significant” to “very
significant.” The results were converted to a five-point scale, where “5” represented
“very significant,” and are shown under the heading “Rate” in the following table.
The executives were also asked to identify the top five threats to their organizations.
Their responses were weighted, with five points assigned to a first-place vote and
one point assigned to a fifth-place vote. The sum of weights is presented under the
heading “Rank” in the table. The two ratings were then calculated into a combined
score by multiplying the two ratings and then dividing by 100. The final column
shows the same threat as ranked in the 2003 CACM study.

Table 8-4 Weighted ranks of threats to InfoSec3,4

2012 JISSec Ranking | Categories of Threats | Rate | Rank | Combined | 2003 CACM Rank
1 | Espionage or trespass | 3.54 | 462 | 16.35 | 4
2 | Software attacks | 4.00 | 306 | 12.24 | 1
3 | Human error or failure | 4.30 | 222 | 9.55 | 3
4 | Theft | 3.61 | 162 | 5.85 | 7
5 | Compromises to intellectual property | 3.59 | 162 | 5.82 | 9
6 | Sabotage or vandalism | 3.11 | 111 | 3.45 | 5
7 | Technical software failures or errors | 3.17 | 105 | 3.33 | 2
8 | Technical hardware failures or errors | 2.88 | 87 | 2.51 | 6
9 | Forces of nature | 2.76 | 81 | 2.24 | 8
10 | Deviations in quality of service from service providers | 2.88 | 72 | 2.07 | 10
11 | Technological obsolescence | 2.66 | 57 | 1.52 | 11
12 | Information extortion | 2.68 | 18 | 0.48 | 12
Source: Journal of Information Systems Security and Communications of the ACM.
Another popular study that examines the threats to InfoSec is the annual survey of
computer users conducted by the Computer Security Institute. Table 8-5 shows
biannual results since 2000.
Table 8-5 CSI survey results for types of attack or misuse (2000−2011)5

Type of Attack or Misuse | 2010/11 | 2008 | 2006 | 2004 | 2002 | 2000
Malware infection (revised after 2008) | 67% | 50% | 65% | 78% | 85% | 85%
Being fraudulently represented as sender of phishing message | 39% | 31% | (new category) | | |
Laptop/mobile hardware theft/loss | 34% | 42% | 47% | 49% | 55% | 60%
Bots/zombies in organization | 29% | 20% | (new category) | | |
Insider abuse of Internet access or e-mail | 25% | 44% | 42% | 59% | 78% | 79%
Denial-of-service | 17% | 21% | 25% | 39% | 40% | 27%
Unauthorized access or privilege escalation by insider | 13% | 15% | (revised category) | | |
Password sniffing | 11% | 9% | (new category) | | |
System penetration by outsider | 11% | (revised category) | | | |
Exploit of client Web browser | 10% | (new category) | | | |

Attack/Misuse categories with less than 10% responses (listed in decreasing order): Financial fraud; Web site defacement; Exploit of wireless network; Other exploit of public-facing Web site; Theft of or unauthorized access to PII or PHI due to all other causes; Theft of or unauthorized access to IP due to all other causes; Exploit of user’s social network profile; Theft of or unauthorized access to IP due to mobile device theft/loss; Theft of or unauthorized access to PII or PHI due to mobile device theft/loss; Exploit of DNS server; Extortion or blackmail associated with threat of attack or release of stolen data; Instant Messaging misuse.

Source: CSI surveys 2000 to 2010/11 (www.gocsi.com)
Instead, organizations often create a subjective ranking or listing of the threats based
on recovery costs. Alternatively, an organization can assign a rating for each threat on
a scale of 1 to 5, with “1” representing “not expensive at all” and “5” representing
“extremely expensive.” If the information is available, a raw value (such as $5,000,
$10,000, or $2 million) can be assigned. In other words, the goal at this phase is to
provide a rough assessment of the cost to recover operations should the attack interrupt normal business operations.
●
Which threats would require the greatest expenditure to prevent? Another factor that
affects the danger posed by a particular threat is the amount it would cost to protect
against that threat. Some threats have a nominal cost to protect against (e.g., malicious
code), while others are very expensive, as in protections from forces of nature. Here
again the manager ranks, rates, or attempts to quantify the level of danger associated
with protecting against a particular threat by using the same techniques outlined earlier for calculating recovery
costs. (See the Offline box on what issues executives are
focusing their efforts on, financially.)

This list of questions may not cover everything that affects risk identification. An organization’s specific guidelines or policies should influence the process and will inevitably require
that some additional questions be answered.
Methods of Assessing Threats
A 2012 survey of computing executives also asked the following question: “In your organization’s risk management efforts, what basis do you use to assess threats? (Select all that
apply.)” The percentages of respondents who selected each option are shown in Table 8-6.
Table 8-6 Basis of threat assessment

Answer Options | Response Percentage
Probability of occurrence | 85.4%
Reputation loss if successful | 77.1%
Financial loss if successful | 72.9%
Cost to protect against | 64.6%
Cost to recover from successful attack | 64.6%
Frequency of attack | 52.1%
Competitive advantage loss if successful | 35.4%
None of these | 6.3%
Copyright © 2014 Cengage Learning®.

Offline
Expenditures for Threats to Information Security
Table 8-7 presents data from the JISSec study discussed earlier, which asked computing executives to list the priorities their organizations used in determining the expenditures
devoted to InfoSec. Each executive responded by identifying his or her top five
expenditures. A value of “5” was assigned to the highest expenditure, a value of
“1” for the lowest. These ratings were used to create a rank order of the expenses.
The results are presented in the following table, which compares the 2012 study
with its 2003 CACM counterpart.

Table 8-7 Weighted ranking of top threat-driven expenditures

Threat (Based on Money and Effort Spent to Defend Against or React to It) | 2012 Rating Average | 2012 Ranking | 2003 CACM Ranking
Espionage or trespass | 4.07 | 1 | 6
Software attacks | 3.94 | 2 | 1
Theft | 3.18 | 3 | 7
Quality-of-service deviations by service providers | 3.10 | 4 | 5
Forces of nature | 3.06 | 5 | 10
Sabotage or vandalism | 3.00 | 6 | 8
Technological obsolescence | 2.99 | 7 | 9
Technical software failures or errors | 2.71 | 8 | 3
Technical hardware failures or errors | 2.64 | 9 | 4
Compromises to intellectual property | 2.55 | 10 | 11
Human error or failure | 2.25 | 11 | 2
Information extortion | 2.00 | 12 | 12
Copyright © 2014 Cengage Learning®.

Vulnerability Assessment
Once you have identified the information assets of the organization and documented some threat assessment criteria, you can begin to review
every information asset for each threat. This review leads to the creation of a list of vulnerabilities that remain potential risks to the organization. What are vulnerabilities? They are
specific avenues that threat agents can exploit to attack an information asset. In other
words, they are chinks in the asset’s armor—a flaw or weakness in an information asset,
security procedure, design, or control that can be exploited accidentally or on purpose to
breach security. For example, Table 8-8 analyzes the threats to, and possible vulnerabilities
of, a DMZ router.
A list like the one in Table 8-8 must be created for each information asset to document its
vulnerability to each possible or likely attack. This list is usually long and shows all the vulnerabilities of the information asset. Some threats manifest themselves in multiple ways,
yielding multiple vulnerabilities for that asset–threat pair. Of necessity, the process of listing
vulnerabilities is somewhat subjective and is based on the experience and knowledge of the
people who create the list. Therefore, the process works best when groups of people with
diverse backgrounds work together in a series of brainstorming sessions. For instance, the
team that reviews the vulnerabilities for networking equipment should include networking
specialists, the systems management team that operates the network, InfoSec risk specialists,
and even technically proficient users of the system.

Table 8-8 Vulnerability assessment of a DMZ router

Threat | Possible Vulnerabilities
Compromises to intellectual property | Router has little intrinsic value, but other assets protected by this device could be attacked if it is compromised.
Espionage or trespass | Router has little intrinsic value, but other assets protected by this device could be attacked if it is compromised.
Forces of nature | All information assets in the organization are subject to forces of nature unless suitable controls are provided.
Human error or failure | Employees or contractors may cause an outage if configuration errors are made.
Information extortion | Router has little intrinsic value, but other assets protected by this device could be attacked if it is compromised.
Quality-of-service deviations from service providers | Unless suitable electrical power conditioning is provided, failure is probable over time.
Sabotage or vandalism | IP is vulnerable to denial-of-service attacks. Device may be subject to defacement or cache poisoning.
Software attacks | IP is vulnerable to denial-of-service attacks. Outsider IP fingerprinting activities can reveal sensitive information unless suitable controls are implemented.
Technical hardware failures or errors | Hardware could fail and cause an outage. Power system failures are always possible.
Technical software failures or errors | Vendor-supplied routing software could fail and cause an outage.
Technological obsolescence | If it is not reviewed and periodically updated, a device may fall too far behind its vendor support model to be kept in service.
Theft | Router has little intrinsic value, but other assets protected by this device could be attacked if it is compromised.
Copyright © 2014 Cengage Learning®.
The TVA Worksheet
At the end of the risk identification process, an organization should have a prioritized list
of assets and their vulnerabilities. This list serves as the starting point (with its supporting
documentation from the identification process) for the next step in the risk management
process: risk assessment. Another list prioritizes threats facing the organization based on
the weighted table discussed earlier. These two lists can be combined into a ThreatsVulnerabilities-Assets (TVA) worksheet, in preparation for the addition of vulnerability
and control information during risk assessment. Along one axis lies the prioritized set of
assets. Table 8-9 shows the placement of assets along the horizontal axis, with the most
important asset at the left. The prioritized list of threats is placed along the vertical axis,
with the most important or most dangerous threat listed at the top. The resulting grid
provides a convenient method of examining the “exposure” of assets, allowing a simple
vulnerability assessment. We now have a starting point for our risk assessment, along with
the other documents and forms.

Table 8-9 Sample TVA spreadsheet

 | Asset 1 | Asset 2 | … | Asset n
Threat 1 | … | … | … | …
Threat 2 | … | … | … | …
… | … | … | … | …
Threat n | … | … | … | …

Priority of Controls: 1, 2, 3, 4, 5, 6
These bands of controls should be continued through all asset–threat pairs.
Copyright © 2014 Cengage Learning®.
As you begin the risk assessment process, create a list of the TVA “triples” to facilitate your
examination of the severity of the vulnerabilities. For example, between Threat 1 and Asset 1
there may or may not be a vulnerability. After all, not all threats pose risks to all assets. If a
pharmaceutical company’s most important asset is its research and development database
and that database resides on a stand-alone network (i.e., one that is not connected to the
Internet), then there may be no vulnerability to external hackers. If the intersection of T1
and A1 has no vulnerability, then the risk assessment team simply crosses out that box. It is
much more likely, however, that one or more vulnerabilities exist between the two, and as
these vulnerabilities are identified, they are categorized as follows:
T1V1A1—Vulnerability 1 that exists between Threat 1 and Asset 1
T1V2A1—Vulnerability 2 that exists between Threat 1 and Asset 1
T2V1A1—Vulnerability 1 that exists between Threat 2 and Asset 1
and so on.

In the risk assessment phase, discussed in the next section, not only are the vulnerabilities
examined, but the assessment team also analyzes any existing controls that protect the asset from the
threat or mitigate the losses that may occur. Cataloging and categorizing these controls is the
next step in the TVA spreadsheet.
View Point
Getting at Risk
By George V. Hulme, an independent business and technology journalist who has
covered information security for more than 15 years for such publications as InformationWeek and Information Security Magazine
The risks that organizations face have never been higher. More systems are interconnected today than ever before, and there is only one constant to those systems: change.
Aside from hackers, disgruntled employees, and corporate spies, a growing number of
laws and regulations (such as Sarbanes-Oxley, Gramm-Leach-Bliley, and the Health
Information Portability and Accountability Act) have forever changed the role of the
InfoSec professional as the gatekeeper of information and the manager of risk.

The role of the security professional is to help the organization manage risks poised
against the confidentiality, integrity, and availability of its information assets. And the
foundation of all InfoSec programs begins and forever lives with the process of risk
assessment. Risk isn’t static. Rather, risk is fluid and evolves over time. A risk assessment
conducted on the first day of the month can be quite different than the same assessment conducted several weeks later. The levels of risks for particular information systems can change as quickly as IT systems change. And geopolitical events such as war,
economics, new employee hires, layoffs, and the steady introduction of new technologies all work to change the amount of risk faced by an organization.

The first task in risk assessment is to identify, assess, classify, and then decide on the
value of digital assets and systems. Many believe that the most difficult aspect of risk assessment is uncovering the myriad system and configuration vulnerabilities that place systems
at risk, but that’s not so; an abundance of tools are available that can help automate that
task. It’s really deciding, organization-wide, the value of information and intellectual property that poses one of the most daunting challenges for the security professional.

How much is the research and development data worth? How much will it cost the
organization if it loses access to the accounting or customer relationship management systems for a day? Without knowing the value of information and the systems
that ensure its flow, it’s impossible to make reasonable decisions about how much
can reasonably be spent protecting that information. It makes little sense to spend
$200,000 annually to protect information that wouldn’t cost an organization more
than $25,000 if exposed or lost. In a perfect world, with unlimited budgets and
resources in hand, everything could be protected all of the time. But we don’t live in
a perfect world, and tough decisions need to be made. That means bringing together
management, legal, human resources, physical security, and other groups in the organization. In assessing risk, you must decide what needs to be protected and how
much that information is worth. Only then can reasonable decisions be made as to
how to mitigate risk by implementing defensive measures and sound policy.

During the risk assessment process, vulnerabilities to systems will inevitably be
uncovered. The challenge here is to determine which ones pose the greatest threats
to protected assets. It’s a challenge that security professionals face every day. Does a
low-risk vulnerability (something unlikely to be exploited) on a system holding highly
valuable corporate information need to be remediated more quickly than a high-risk
vulnerability (one that is easily and likely to be exploited) on a system holding information of little value? Maybe. It all depends. And each situation is different.

Risk can never be entirely eliminated; it can only be managed to levels that an
organization can tolerate. The best way to keep risk low is to remain eternally vigilant by following a four-step process: (1) identify new assets, vulnerabilities, and
threats; (2) assess and classify assets, vulnerabilities, and threats; (3) remediate and
defend; and (4) return to Step 1.

Risk Assessment
Assessing the relative risk for each vulnerability is accomplished via a process called risk
assessment. Risk assessment assigns a risk rating or score to each specific vulnerability. While
this number does not mean anything in absolute terms, it enables you to gauge the relative
risk associated with each vulnerable information asset, and it facilitates the creation of comparative ratings later in the risk control process.
Introduction to Risk Assessment
Estimating risk is not an exact science. Some practitioners use calculated values for risk
estimation, whereas others rely on broader methods of estimation. Figure 8-3 shows the factors, some of which are estimates, that go into the risk-rating estimate for each of the
vulnerabilities.
The goal is to develop a repeatable method to evaluate the relative risk of each of the vulnerabilities that have been identified and added to the list. Chapter 9 describes how to determine
more precise costs that may be experienced from vulnerabilities that lead to losses as well as
projected expenses for the controls that reduce the risks. For now, you can use the simpler
risk model shown in Figure 8-3 to evaluate the risk for each information asset. The next section describes the factors used to calculate the relative risk for each vulnerability.
Likelihood
Likelihood is the overall rating—a numerical value on a defined scale—of the probability
that a specific vulnerability will be exploited. In “Special Publication 800-30,” NIST recommends that vulnerabilities be assigned
a likelihood rating between 0.1 (low) and 1.0 (high).
For example, the likelihood of an employee or system being struck by a meteorite while
indoors would be rated 0.1, while the likelihood of receiving at least one e-mail containing a virus or worm in the next year would be rated 1.0. You could also choose to use a
number between 1 and 100, but not 0, since vulnerabilities with a 0 likelihood should have
already been removed from the asset/vulnerability list. Whatever rating system you employ
for assigning likelihood, use professionalism, experience, and judgment to determine the
rating—and use it consistently. Whenever possible, use external references for likelihood
values, after reviewing and adjusting them for your specific circumstances. For many asset/
vulnerability combinations, existing sources have already determined their likelihood. For
example:
●
The likelihood of a fire has been estimated actuarially for each type of structure.
●
The likelihood that a given e-mail will contain a virus or worm has been researched.
●
The number of network attacks can be forecast depending on how many network
addresses the organization has been assigned.

Figure 8-3 Risk assessment estimate factors
Risk is the likelihood of the occurrence of a vulnerability, multiplied by the value of the information asset, minus the percentage of risk mitigated by current controls, plus the uncertainty of current knowledge of the vulnerability.
Copyright © 2014 Cengage Learning®.
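The TVA “triples” described above and the Figure 8-3 factors, combined in one added example (this is not the textbook's code; the function names and the sample assets, threats and vulnerabilities are constructed for illustration). It labels each identified vulnerability TxVyAz from the prioritized threat and asset lists, reports the threat/asset pairs that have no vulnerability (the boxes the team crosses out), and then rates every triple. One assumption: the “percentage mitigated” and “uncertainty” terms are applied as percentages of the likelihood × value product, the reading under which a 1.0-likelihood vulnerability in a value-100 asset with no controls and 10% uncertainty rates 110.

```python
"""Threats-Vulnerabilities-Assets (TVA) triples with a relative risk rating.

Added example, not code from the textbook. It labels each identified
vulnerability TxVyAz from prioritized threat and asset lists (the TVA
worksheet), reports the threat/asset pairs with no vulnerability (the boxes
the team crosses out), and rates each triple with the Figure 8-3 factors.
Assumption: the "percentage mitigated" and "uncertainty" terms are applied to
the likelihood x value product. The sample assets, threats and vulnerabilities
below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Vulnerability:
    threat: str
    asset: str
    description: str
    likelihood: float    # 0.1 (low) .. 1.0 (high); a 0 should never be on the list
    mitigated: float     # fraction of the risk removed by current controls, 0.0 .. 1.0
    uncertainty: float   # fraction added for uncertainty of current knowledge, 0.0 .. 1.0


def tva_triples(threats: List[str], assets: List[str],
                vulns: List[Vulnerability]) -> Dict[str, Vulnerability]:
    """Label vulnerabilities TxVyAz; x and z are 1-based positions in the prioritized lists."""
    counters: Dict[Tuple[str, str], int] = {}
    labelled: Dict[str, Vulnerability] = {}
    for v in vulns:
        if v.threat not in threats or v.asset not in assets:
            raise ValueError(f"unknown threat or asset in {v.description!r}")
        if not 0.1 <= v.likelihood <= 1.0:
            raise ValueError(f"likelihood out of range for {v.description!r}")
        for name, frac in (("mitigated", v.mitigated), ("uncertainty", v.uncertainty)):
            if not 0.0 <= frac <= 1.0:
                raise ValueError(f"{name} must be a fraction for {v.description!r}")
        key = (v.threat, v.asset)
        counters[key] = counters.get(key, 0) + 1          # y counts per threat/asset pair
        t, a = threats.index(v.threat) + 1, assets.index(v.asset) + 1
        labelled[f"T{t}V{counters[key]}A{a}"] = v
    return labelled


def crossed_out(threats: List[str], assets: List[str],
                vulns: List[Vulnerability]) -> List[Tuple[str, str]]:
    """Threat/asset pairs with no vulnerability, i.e. the grid boxes the team crosses out."""
    present = {(v.threat, v.asset) for v in vulns}
    return [(t, a) for t in threats for a in assets if (t, a) not in present]


def risk_rating(asset_value: float, v: Vulnerability) -> float:
    """Figure 8-3: likelihood x value, minus the mitigated share, plus the uncertainty share."""
    base = v.likelihood * asset_value
    return round(base - base * v.mitigated + base * v.uncertainty, 2)


def rate_triples(triples: Dict[str, Vulnerability],
                 asset_values: Dict[str, float]) -> List[Tuple[str, float]]:
    """Relative risk per triple, highest first; ties broken by label."""
    rated = [(label, risk_rating(asset_values[v.asset], v)) for label, v in triples.items()]
    return sorted(rated, key=lambda item: (-item[1], item[0]))


# Constructed sample input. Asset values reuse the weighted scores from Table 8-2;
# the threat order follows the 2012 ranking in Table 8-4.
THREATS = ["Software attacks", "Human error or failure", "Forces of nature"]
ASSETS = ["Customer order via SSL (inbound)", "EDI Document Set 2 - Supplier orders (outbound)"]
ASSET_VALUES = {ASSETS[0]: 100, ASSETS[1]: 78}
VULNS = [
    Vulnerability(THREATS[0], ASSETS[0], "Order-intake host exposed to denial-of-service traffic", 1.0, 0.0, 0.10),
    Vulnerability(THREATS[0], ASSETS[0], "Outsider fingerprinting reveals service versions", 0.5, 0.5, 0.10),
    Vulnerability(THREATS[1], ASSETS[0], "Operator configuration error causes an outage", 0.5, 0.2, 0.20),
    Vulnerability(THREATS[1], ASSETS[1], "Manually edited outbound document sent to wrong supplier", 0.5, 0.0, 0.10),
]

if __name__ == "__main__":
    triples = tva_triples(THREATS, ASSETS, VULNS)
    for label, rating in rate_triples(triples, ASSET_VALUES):
        print(f"{label:8} {rating:7.2f}  {triples[label].description}")
    for threat, asset in crossed_out(THREATS, ASSETS, VULNS):
        print(f"no vulnerability: {threat} / {asset}")
```

The ratings are relative, as the text says: 110 against 30 says only that the first triple deserves attention sooner, not that one is worth more money than the other. The 0.1 to 1.0 likelihood scale the text attributes to NIST SP 800-30 comes from the original 2002 edition, whose example likelihood levels were 1.0, 0.5 and 0.1 for high, medium and low; Revision 1 (2012) replaced it with qualitative and semi-quantitative scales, so pick one scale and keep it consistent across every triple.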
Assessing Potential Loss
Using the information documented during the risk identification process, you can assign weighted scores based on the value of each information asset. The actual number used will vary according to the needs of the organization. Some groups use a scale of 1–100, with “100” reserved for those information assets the loss of which would stop company operations within a few minutes. Other recommended scales, including the one in “NIST SP 800-30,” use assigned weights in broad categories, with all-important assets having a value of 100, low-criticality assets having a value of 1, and all other assets having a medium value of 50. Still other scales employ weights from 1 to 10, or assigned values of 1, 3, and 5 to represent low-, medium-, and high-valued assets, respectively. Alternatively, you can create unique weighted values customized to your organization’s specific needs. To be effective, the values must be assigned by asking the questions included in the section titled “Identify and Prioritize Threats and Threat Agents.” These questions are restated here for easy reference:
● Which threats present a danger to this organization’s assets in its current environment?
● Which threats represent the gravest danger to the organization’s information assets?
● How much would it cost to recover from a successful attack?
● Which threats would require the greatest expenditure to prevent?
After reconsidering these questions, use the background information from the risk identification process and add to that information by posing yet another question:
● Which of the aforementioned questions is the most important to the protection of information from threats within this organization?
The answer to this question determines the priorities used in the assessment of vulnerabilities. Which is the most important to the organization—the cost to recover from a threat attack or the cost to protect against a threat attack? More generally, which of the threats has the highest probability of leading to a successful attack? Recall that the purpose of risk assessment is to look at the threats an organization faces in its current state. Once these questions are answered, move to the next step in the process: examining how current controls can reduce the risk faced by specific vulnerabilities.
Percentage of Risk Mitigated by Current Controls
If a vulnerability is fully managed by an existing control, it can be set aside. If it is partially controlled, estimate what percentage of the vulnerability has been controlled.
Uncertainty
It is not possible to know everything about every vulnerability, such as how likely an attack against an asset is, or how great an impact a successful attack would have on the organization. The degree to which a current control can reduce risk is also subject to estimation error. A factor that accounts for uncertainty must always be added to the equations; it consists of an estimate made by the manager using good judgment and experience.
Risk Determination
For the purpose of relative risk assessment, risk equals likelihood of vulnerability occurrence
times value (or impact) minus percentage risk already controlled plus an element of uncertainty. To see how this equation works, consider the following scenario:
● Information asset A has a value score of 50 and one vulnerability: Vulnerability 1 has a likelihood of 1.0 with no current controls. You estimate that assumptions and data are 90 percent accurate.
● Information asset B has a value score of 100 and two vulnerabilities: Vulnerability 2 has a likelihood of 0.5 with a current control that addresses 50 percent of its risk; vulnerability 3 has a likelihood of 0.1 with no current controls. You estimate that assumptions and data are 80 percent accurate.
The resulting ranked list of risk ratings for the three vulnerabilities just described, using the equation (value times likelihood) minus risk mitigated plus uncertainty, is as follows:
● Asset A: Vulnerability 1 rated as 55 = (50 × 1.0) − 0% + 10% where
  55 = (50 × 1.0) − ((50 × 1.0) × 0.0) + ((50 × 1.0) × 0.1)
  55 = 50 − 0 + 5
● Asset B: Vulnerability 2 rated as 35 = (100 × 0.5) − 50% + 20% where
  35 = (100 × 0.5) − ((100 × 0.5) × 0.5) + ((100 × 0.5) × 0.2)
  35 = 50 − 25 + 10
● Asset B: Vulnerability 3 rated as 12 = (100 × 0.1) − 0% + 20% where
  12 = (100 × 0.1) − ((100 × 0.1) × 0.0) + ((100 × 0.1) × 0.2)
  12 = 10 − 0 + 2
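The three ratings above, computed with the Figure 8-3 equation and then ranked, as an added Python example (this is not code from the book). Uncertainty is taken as 1 minus the stated accuracy of the assumptions and data, the range check on the three fractional factors is this example's own addition, and the class and function names are assumptions.

```python
"""Relative risk rating per Figure 8-3:
risk = (value x likelihood) - (value x likelihood x mitigated) + (value x likelihood x uncertainty)

Added worked example; the three vulnerabilities are the scenario from the text
(assets A and B). Class, field and function names are this example's own choices.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnerabilityRisk:
    asset: str
    vulnerability: str
    value: float         # asset value/impact score, e.g. 1-100
    likelihood: float    # probability the vulnerability is exploited, 0.1-1.0 on the NIST SP 800-30 scale
    mitigated: float     # fraction of the risk removed by current controls, 0.0-1.0
    uncertainty: float   # 1 minus the accuracy of assumptions and data, 0.0-1.0


def risk_rating(v: VulnerabilityRisk) -> float:
    """Risk = likelihood x value - percentage mitigated + uncertainty (Figure 8-3)."""
    # The three factors are fractions of the base value; anything outside 0..1 is a data-entry error.
    for name in ("likelihood", "mitigated", "uncertainty"):
        x = getattr(v, name)
        if not 0.0 <= x <= 1.0:
            raise ValueError(f"{name} must be a fraction between 0 and 1, got {x}")
    base = v.value * v.likelihood
    return round(base - base * v.mitigated + base * v.uncertainty, 2)


def ranked(vulns):
    """Return (asset, vulnerability, rating) tuples, highest relative risk first."""
    return sorted(((v.asset, v.vulnerability, risk_rating(v)) for v in vulns),
                  key=lambda t: t[2], reverse=True)


# Scenario from the text: 90 percent accuracy means uncertainty 0.1, 80 percent means 0.2.
SCENARIO = [
    VulnerabilityRisk("Asset A", "Vulnerability 1", value=50, likelihood=1.0, mitigated=0.0, uncertainty=0.1),
    VulnerabilityRisk("Asset B", "Vulnerability 2", value=100, likelihood=0.5, mitigated=0.5, uncertainty=0.2),
    VulnerabilityRisk("Asset B", "Vulnerability 3", value=100, likelihood=0.1, mitigated=0.0, uncertainty=0.2),
]

if __name__ == "__main__":
    for asset, vuln, rating in ranked(SCENARIO):
        print(f"{asset}: {vuln} rated as {rating:g}")
```

Running the block prints the same ranked list as the text (55, 35, 12). Because the mitigation and uncertainty terms are both fractions of the same base product, the equation never rates a fully controlled vulnerability (mitigated = 1.0) above its uncertainty allowance, which is why the text says such vulnerabilities can be set aside.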
Likelihood and Consequences
Another approach to calculating risk based on likelihood is the likelihood and consequences rating from the Australian and New Zealand Risk Management Standard 4360 [6], which uses qualitative methods to determine risk based on a threat’s probability of occurrence and expected results of a successful attack. Qualitative risk assessment, which is examined elsewhere in this chapter, consists of using categories instead of specific values to determine risk.
As shown in Table 8-10, consequences (i.e., impact assessment) are evaluated on five levels ranging from insignificant (level 1) to catastrophic (level 5). It is up to the organization to evaluate its threats and assign the appropriate consequence level.
Level | Descriptor | Example of Description
1 | Insignificant | No injuries, low financial loss
2 | Minor | First aid treatment, onsite release immediately contained, medium financial loss
3 | Moderate | Medical treatment required, onsite release contained with outside assistance, high financial loss
4 | Major | Extensive injuries, loss of production capability, offsite release with no detrimental effects, major financial loss
5 | Catastrophic | Death, toxic release offsite with detrimental effect, huge financial loss
Table 8-10 Consequence levels for organizational threats [7]
Copyright © 2014 Cengage Learning®.
Level | Descriptor | Explanation
A | Almost certain | Is expected to occur in most circumstances
B | Likely | Will probably occur in most circumstances
C | Possible | Might occur at some time
D | Unlikely | Could occur at some time
E | Rare | May occur only in exceptional circumstances
Table 8-11 Likelihood levels for organizational threats [8]
Copyright © 2014 Cengage Learning®.
Table 8-11 shows the qualitative likelihood assessment levels ranging from A (almost certain) to E (rare). Again, the organization must determine the likelihood or probability of an attack from each specific threat category.
When the two are combined, the organization should be able to determine which threats represent the greatest danger to the organization’s information assets, as shown in Table 8-10. The resulting rankings can then be inserted into the TVA tables for use in risk assessment.
Table 8-12 identifies the potential consequences at various risk levels. If the organization has a tie in two or more threats in the same resulting category (such as Extreme Risk), then a 5A would be ranked higher than a 5B or a 4A, and so on. Replacing the A through E categories with a 5 (almost certain) to 1 (rare) would allow a simple multiplication for prioritization. For example, 3 (moderate) times 4 (likely) equals 12, versus 4 (major) times 4 (likely), which equals 16.
Risk Level: Likelihood (rows) by Consequences (columns)
Likelihood | Insignificant 1 | Minor 2 | Moderate 3 | Major 4 | Catastrophic 5
A (almost certain) | H | H | E | E | E
B (likely) | M | H | H | E | E
C (possible) | L | M | H | E | E
D (unlikely) | L | L | M | H | E
E (rare) | L | L | M | H | H
Table 8-12 Qualitative risk assessment matrix
Note: E = Extreme risk: Immediate action required
H = High risk: Senior management attention required
M = Moderate risk: Management responsibility must be specified
L = Low risk: Management by routine procedures required
Source: Risk management plan templates and forms from www.treasury.act.gov.au/actia/Risk.htm
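The matrix lookup, the tie-break rule (5A before 5B before 4A) and the 5-to-1 numeric substitution just described, as an added Python example rather than code from the book. MATRIX transcribes Table 8-12; the function names and the sample threat list are this example's own constructions.

```python
"""Qualitative risk rating in the AS/NZS 4360 style of Tables 8-10 to 8-12.

Added example, not code from the book. MATRIX transcribes Table 8-12; the
tie-break rule (5A before 5B before 4A) and the 5-to-1 numeric substitution
are the ones the text describes. Names and the sample threats are constructed.
"""

CONSEQUENCE = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}
LIKELIHOOD = {"A": "Almost certain", "B": "Likely", "C": "Possible", "D": "Unlikely", "E": "Rare"}

# Table 8-12: one string per likelihood row A..E, one character per consequence column 1..5.
MATRIX = {"A": "HHEEE", "B": "MHHEE", "C": "LMHEE", "D": "LLMHE", "E": "LLMHH"}

ACTION = {
    "E": "Extreme risk: immediate action required",
    "H": "High risk: senior management attention required",
    "M": "Moderate risk: management responsibility must be specified",
    "L": "Low risk: management by routine procedures required",
}
SEVERITY = "LMHE"           # the four cell values in ascending order
LIKELIHOOD_ORDER = "ABCDE"  # A is the most likely


def risk_level(consequence: int, likelihood: str) -> str:
    """Return the E/H/M/L cell of Table 8-12 for consequence 1-5 and likelihood A-E."""
    if consequence not in CONSEQUENCE:
        raise ValueError(f"consequence level must be 1-5, got {consequence!r}")
    if likelihood not in LIKELIHOOD:
        raise ValueError(f"likelihood must be A-E, got {likelihood!r}")
    return MATRIX[likelihood][consequence - 1]


def numeric_priority(consequence: int, likelihood: str) -> int:
    """Replace A..E with 5..1 and multiply, e.g. 3 (moderate) x B (likely) = 3 x 4 = 12."""
    return consequence * (5 - LIKELIHOOD_ORDER.index(likelihood))


def sort_key(consequence: int, likelihood: str):
    """Matrix cell first; inside one cell a higher consequence wins, then a higher
    likelihood, so 5A outranks 5B, which outranks 4A."""
    return (SEVERITY.index(risk_level(consequence, likelihood)),
            consequence,
            -LIKELIHOOD_ORDER.index(likelihood))


def prioritize(threats):
    """threats: iterable of (name, consequence 1-5, likelihood 'A'-'E'); most urgent first."""
    return sorted(threats, key=lambda t: sort_key(t[1], t[2]), reverse=True)


# Constructed sample threats for a demonstration run.
SAMPLE_THREATS = [
    ("Hardware failure of mail server", 3, "B"),
    ("Flood in data center", 4, "E"),
    ("Unlogged misuse of management console", 5, "A"),
    ("Denial of service against Web server", 4, "A"),
]

if __name__ == "__main__":
    for name, c, l in prioritize(SAMPLE_THREATS):
        cell = risk_level(c, l)
        print(f"{c}{l} {cell} {name}: {ACTION[cell]} (numeric priority {numeric_priority(c, l)})")
```

The numeric substitution and the matrix do not always agree: 4 (major) times 4 (likely) scores 16, the same as 4 (major) times 4 (likely) read from the matrix as E, but 2 (minor) times 5 (almost certain) scores only 10 while the matrix rates it H. Pick one method for a given assessment and use it consistently, as the text advises for likelihood scales.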
Identify Possible Controls
For each threat and its associated vulnerabilities that have residual risk, the organization should create a preliminary list of control ideas. The purpose of this list, which begins with the identification of extant controls, is to identify areas of residual risk that may or may not need to be reduced. Residual risk is the risk that remains even after the existing control has been applied. “Controls,” “safeguards,” and “countermeasures” are all terms used to describe security mechanisms, policies, and procedures. These mechanisms, policies, and procedures counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the general state of security within an organization.
Three general categories of controls exist: policies, programs, and technical controls. You learned about policies in Chapter 4. Programs are activities performed within the organization to improve security; they include security education, training, and awareness programs. Technical controls—also known as “security technologies”—are the technical implementations of the policies defined by the organization. These controls, whether in place or planned, should be added to the TVA worksheet as they are identified.
Access Controls
Access controls specifically address the admission of users into a trusted area of the organization. These areas can include information systems, physically restricted areas such as computer rooms, and even the organization in its entirety. Access controls usually consist of a combination of policies, programs, and technologies.
A number of approaches to, and categories of, access controls exist. They can be mandatory, nondiscretionary, or discretionary. Each category of controls regulates access to a particular type or collection of information, as explained in Chapter 6.
Documenting the Results of Risk Assessment
The goal of the risk management process so far has been to identify information assets and their vulnerabilities and to rank them according to the need for protection. In preparing this list, a wealth of factual information about the assets and the threats they face is collected. Also, information about the controls that are already in place is collected. The final summarized document is the ranked vulnerability risk worksheet, as shown in Table 8-9. This document is an extension of the TVA spreadsheet discussed earlier, showing only the assets and relevant vulnerabilities. A review of this worksheet reveals similarities to the weighted factor analysis worksheet depicted in Table 8-2. Table 8-13 illustrates the use of a weighted spreadsheet to calculate risk vulnerability for a number of information assets. The columns in the worksheet shown in Table 8-13 are used as follows:
● Asset—List each vulnerable asset.
● Asset impact—Show the results for this asset from the weighted factor analysis worksheet. (In our example, this value is a number from 1 to 100.)
● Vulnerability—List each uncontrolled vulnerability.
● Vulnerability likelihood—State the likelihood of the realization of the vulnerability by a threat agent as indicated in the vulnerability analysis step. (In our example, the potential values range from 0.1 to 1.0.)
● Risk-rating factor—Enter the figure calculated by multiplying the asset impact and its likelihood. (In our example, the calculation yields a number ranging from 0.1 to 100.)
Asset | Asset Impact | Vulnerability | Vulnerability Likelihood | Risk-Rating Factor
Customer service request via e-mail (inbound) | 55 | E-mail disruption due to hardware failure | 0.2 | 11
Customer service request via e-mail (inbound) | 55 | E-mail disruption due to software failure | 0.2 | 11
Customer order via SSL (inbound) | 100 | Lost orders due to Web server hardware failure | 0.1 | 10
Customer order via SSL (inbound) | 100 | Lost orders due to Web server or ISP service failure | 0.1 | 10
Customer service request via e-mail (inbound) | 55 | E-mail disruption due to SMTP mail relay attack | 0.1 | 5.5
Customer service request via e-mail (inbound) | 55 | E-mail disruption due to ISP service failure | 0.1 | 5.5
Customer service request via e-mail (inbound) | 55 | E-mail disruption due to power failure | 0.1 | 5.5
Customer order via SSL (inbound) | 100 | Lost orders due to Web server denial-of-service attack | 0.025 | 2.5
Customer order via SSL (inbound) | 100 | Lost orders due to Web server software failure | 0.1 | 1
Customer order via SSL (inbound) | 100 | Lost orders due to Web server buffer overrun attack | 0.1 | 1
Table 8-13 Ranked vulnerability risk worksheet
Copyright © 2014 Cengage Learning®.
Looking at Table 8-13, you may be surprised that the most pressing risk requires making the
mail server or servers more robust. Even though the impact rating of the information asset
represented by the customer service e-mail is only 55, the relatively high likelihood of a hardware failure makes it the most pressing problem.
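Building and ranking a worksheet of this shape, as an added Python example (not the book's code). The rows are a constructed subset of Table 8-13; because the worksheet lists only uncontrolled vulnerabilities, the risk-rating factor here is simply asset impact times likelihood, without the mitigation and uncertainty terms of Figure 8-3. The per-asset total and the function names are this example's own additions.

```python
"""Ranked vulnerability risk worksheet in the shape of Table 8-13.

Added example, not the book's code. WORKSHEET is a constructed subset of the
text's worksheet; risk-rating factor = asset impact x vulnerability likelihood.
"""
from collections import defaultdict

# (asset, asset impact 1-100, vulnerability, likelihood 0.1-1.0), constructed from the text's worksheet
WORKSHEET = [
    ("Customer service request via e-mail (inbound)", 55, "E-mail disruption due to hardware failure", 0.2),
    ("Customer service request via e-mail (inbound)", 55, "E-mail disruption due to software failure", 0.2),
    ("Customer order via SSL (inbound)", 100, "Lost orders due to Web server hardware failure", 0.1),
    ("Customer order via SSL (inbound)", 100, "Lost orders due to Web server or ISP service failure", 0.1),
    ("Customer service request via e-mail (inbound)", 55, "E-mail disruption due to SMTP mail relay attack", 0.1),
    ("Customer order via SSL (inbound)", 100, "Lost orders due to Web server denial-of-service attack", 0.025),
]


def risk_rating_factor(impact: float, likelihood: float) -> float:
    """Risk-rating factor column: asset impact times vulnerability likelihood."""
    return round(impact * likelihood, 3)


def ranked_worksheet(rows):
    """Build the worksheet rows as dicts and sort by risk-rating factor, highest first.
    sorted() is stable, so rows with equal factors keep their input order."""
    table = [
        {"asset": a, "impact": i, "vulnerability": v, "likelihood": l,
         "factor": risk_rating_factor(i, l)}
        for a, i, v, l in rows
    ]
    return sorted(table, key=lambda r: r["factor"], reverse=True)


def exposure_by_asset(rows):
    """Total risk-rating factor per asset. A lower-impact asset with several likely
    failures can carry more exposure than a higher-impact one with rare ones."""
    totals = defaultdict(float)
    for r in ranked_worksheet(rows):
        totals[r["asset"]] += r["factor"]
    return dict(totals)


if __name__ == "__main__":
    for r in ranked_worksheet(WORKSHEET):
        print(f"{r['factor']:>5}  {r['impact']:>3}  {r['likelihood']:<6} {r['asset']} / {r['vulnerability']}")
    for asset, total in exposure_by_asset(WORKSHEET).items():
        print(f"{asset}: total exposure {total}")
```

Run against the sample rows, the top of the list is the e-mail hardware failure at 11, ahead of every 100-impact vulnerability of the SSL ordering asset, which is the point the paragraph above makes: likelihood, not impact alone, drives the ranking.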
Now that the risk identification process is complete, what should the documentation package look like? In other words, what are the deliverables from this stage of the risk management project? The risk identification process should designate what function the reports serve, who is responsible for preparing them, and who reviews them. The ranked vulnerability risk worksheet is the initial working document for the next step in the risk management process: assessing and controlling risk. Table 8-14 shows an example list of the worksheets that should have been prepared by an information asset risk management team up to this point.
Deliverable | Purpose
Information asset classification worksheet | Assembles information about information assets and their impact on or value to the organization
Weighted criteria analysis worksheet | Assigns a ranked value or impact weight to each information asset
TVA worksheet | Combines the output from the information asset identification and prioritization with the threat identification and prioritization and identifies potential vulnerabilities in the “triples”; also incorporates extant and planned controls
Ranked vulnerability risk worksheet | Assigns a risk-rating ranked value to each uncontrolled asset-vulnerability pair
Table 8-14 Risk identification and assessment deliverables
Copyright © 2014 Cengage Learning®.
In the last stage of the risk analysis (identification and assessment) process, you use the TVA worksheet, along with the other worksheets you have created, to develop a prioritized list of tasks. Obviously, the presence of uncontrolled vulnerabilities in high-ranking assets is the first priority for the implementation of new controls as part of the risk management process discussed in the next chapter. Before any additional controls are added, though, an organization must determine the levels of risk it is willing to accept, based on a cost-benefit analysis, which is the subject of Chapter 9.
Chapter Summary
■ Risk management examines and documents an organization’s information assets.
■ Management is responsible for identifying and controlling the risks that an organization encounters. In the modern organization, the InfoSec group often plays a leadership role in risk management.
■ A key component of a risk management strategy is the identification, classification, and prioritization of the organization’s information assets.
■ Assessment is the identification of assets, including all the elements of an organization’s system: people, procedures, data, software, hardware, and networking elements.
■ The human resources, documentation, and data information assets of an organization are not as easily identified and documented as tangible assets, such as hardware and software. These more elusive assets should be identified and described using knowledge, experience, and judgment.
■ You can use the answers to the following questions to develop weighting criteria for information assets:
  ■ Which information asset is the most critical to the success of the organization?
  ■ Which information asset generates the most revenue?
  ■ Which information asset generates the highest profitability?
  ■ Which information asset is the most expensive to replace?
  ■ Which information asset is the most expensive to protect?
  ■ Which information asset’s loss or compromise would be the most embarrassing or cause the greatest liability?
  ■ What questions should be added to cover the needs of the specific organization and its environment?
■ After identifying and performing a preliminary classification of information assets, the threats facing an organization should be examined. There are 12 general categories of threats to InfoSec.
■ Each threat must be examined during a threat assessment process that addresses the following questions: Which of these threats exist in this organization’s environment? Which are the most dangerous to the organization’s information? Which require the greatest expenditure for recovery? Which require the greatest expenditure for protection?
■ Each information asset is evaluated for each threat it faces; the resulting information is used to create a list of the vulnerabilities that pose risks to the organization. This process results in an information asset and vulnerability list, which serves as the starting point for risk assessment.
■ A Threats-Vulnerabilities-Assets (TVA) worksheet lists the assets in priority order along one axis, and the threats in priority order along the other axis. The resulting grid provides a convenient method of examining the “exposure” of assets, allowing a simple vulnerability assessment.
■ The goal of risk assessment is the assignment of a risk rating or score that represents the relative risk for a specific vulnerability of a specific information asset.
■ If any specific vulnerability is completely managed by an existing control, it no longer needs to be considered for additional controls.
■ Controls, safeguards, and countermeasures should be identified for each threat and its associated vulnerabilities.
■ In general, three categories of controls exist: policies, programs, and technologies.
■ Access controls can be classified as mandatory, discretionary, or nondiscretionary.
■ The risk identification process should designate what function the resulting reports serve, who is responsible for preparing them, and who reviews them. The TVA worksheet and the ranked vulnerability risk worksheet are the initial working documents for the next step in the risk management process: assessing and controlling risk.
Review Questions
1. What is risk management?
2. List and describe the key areas of concern for risk management.
3. Why is identification of risks, through a listing of assets and their vulnerabilities, so important to the risk management process?
4. According to Sun Tzu, what two things must be achieved to secure information assets successfully?
5. Who is responsible for risk management in an organization?
6. Which community of interest usually takes the lead in information asset risk management?
7. Which community of interest usually provides the resources used when undertaking information asset risk management?
8. In risk management strategies, why must periodic reviews be a part of the process?
9. Why do networking components need more examination from an InfoSec perspective than from a systems development perspective?
10. What value would an automated asset inventory system have for the risk identification process?
11. Which information attributes are seldom or never applied to software elements?
12. Which information attribute is often of great value for networking equipment when Dynamic Host Configuration Protocol (DHCP) is not used?
13. When you document procedures, why is it useful to know where the electronic versions are stored?
14. Which is more important to the information asset classification scheme, that it be comprehensive or that it be mutually exclusive?
15. What is the difference between an asset’s ability to generate revenue and its ability to generate profit?
16. How many categories should a data classification scheme include? Why?
17. How many threat categories are listed in this chapter? Which is noted as being the most frequently encountered, and why?
18. What are vulnerabilities?
19. Describe the TVA worksheet. What is it used for?
20. Examine the simplest risk formula presented in this chapter. What are its primary elements?
Exercises
1. If an organization has three information assets to evaluate for risk management purposes, as shown in the accompanying data, which vulnerability should be evaluated
for additional controls first? Which vulnerability should be evaluated last?
Data for Exercise 1:
● Switch L47 connects a network to the Internet. It has two vulnerabilities: (1) susceptibility to hardware failure, with a likelihood of 0.2, and (2) susceptibility to an SNMP buffer overflow attack, with a likelihood of 0.1. This switch has an impact rating of 90 and has no current controls in place. There is a 75 percent certainty of the assumptions and data.
● Server WebSrv6 hosts a company Web site and performs e-commerce transactions. It has Web server software that is vulnerable to attack via invalid Unicode values. The likelihood of such an attack is estimated at 0.1. The server has been assigned an impact value of 100, and a control has been implemented that reduces the impact of the vulnerability by 75 percent. There is an 80 percent certainty of the assumptions and data.
● Operators use the MGMT45 control console to monitor operations in the server room. It has no passwords and is susceptible to unlogged misuse by the operators. Estimates show the likelihood of misuse is 0.1. There are no controls in place on this asset, which has an impact rating of 5. There is a 90 percent certainty of the assumptions and data.
2. Using the Web, search for at least three tools to automate risk assessment. Collect information on automated risk assessment tools. What do they cost? What features do they provide? What are the advantages and disadvantages of each one?
3. Using the list of threats to InfoSec presented in this chapter, identify and describe three instances of each that were not mentioned in the chapter.
4. Using the data classification scheme presented in this chapter, identify and classify the information contained in your personal computer or personal digital assistant. Based on the potential for misuse or embarrassment, what information is confidential, sensitive but unclassified, or suitable for public release?
5. Using the asset valuation method presented in this chapter, conduct a preliminary risk assessment on the information contained in your home. Answer each of the valuation questions listed in the section of this chapter titled “Identify and Prioritize Threats and Threat Agents.” What would it cost if you lost all your data?
6. Using the Internet, locate the National Association of Corporate Directors’ Web site. Describe its function and purpose. What does this association say about board member liability for InfoSec issues?
Closing Case
Mike and Iris were flying home from the meeting. The audit committee’s reaction had not been what they expected.
“I’m glad they understood the situation,” Mike said. “I’d like you to start revising our risk management documentation to make it a little more general. It sounds like the board will want to take our approach company-wide soon.”
Iris nodded and pulled out her notepad to make a to-do list.
Discussion
1. What will Iris have on her to-do list?
2. What resources can Iris call on to assist her?
Ethical Decision Making
Suppose that after they returned to the office, Mike was called to a private meeting with a
senior executive from another division of the firm. During the discussion, Mike felt he was
being subtly threatened with nonspecific but obviously devastating consequences to his career
prospects at RWW as well as long-term damage to his professional reputation if he did not
back off on his efforts to improve company-wide risk management at RWW. The other executive was adamant that the costs of improving the risk management process would hurt the
firm without gaining any real improvement.
Was this executive simply expressing her disagreement with Mike’s approach, or has some ethical line been crossed? Should Mike take any overt actions based on this conversation or inform others about the perceived threats? What could Mike do that would not embarrass the other executive and still offer him some protection in this situation?
Endnotes
1. Tzu, Sun. The Art of War. Translation by Samuel B. Griffith. Oxford, UK: Oxford University Press, 1988.
2. Quaglieri, Ernest. “The Hacking of Microsoft.” SANS Institute. Accessed March 10, 2013 @ www.giac.org/paper/gsec/488/hacking-microsoft/101184.
3. Whitman, Michael, and Herb Mattord. “Threats to Information Security Revisited.” Journal of Information Systems Security, 2012, 8(1).
4. Whitman, Michael. “Enemy at the Gates: Threats to Information Security.” Communications of the ACM, August, 2003, 46(8).
5. This table is compiled from data published by the Computer Security Institute and the FBI over the years.
6. “AS/NZS 4360:1999: Risk Management.” Accessed March 10, 2013 @ www.schleupen.de/content/schleupen/schleupen013223/A.4.1.4_Australia_and_New_Zealand_Methodology_AS_NZ%25204360_1999.pdf.
7. “Introduction to Territory Wide Risk Management: Risk Management Templates.” Australian Capital Territory Insurance Authority. Accessed April 10, 2013 @ www.treasury.act.gov.au/actia/RiskManagementTemplate.docx.
8. Ibid.
Chapter 9
Risk Management: Controlling Risk
Weakness is a better teacher than strength. Weakness must learn to understand the obstacles that strength brushes aside.
MASON COOLEY, U.S. APHORIST (1927–2002)
Iris went into the manager’s lounge to get a soda. As she was leaving, she saw Jane Harris—the accounting supervisor at Random Widget Works, Inc. (RWW)—at a table, poring over a spreadsheet that Iris recognized.
“Hi, Jane,” Iris said. “Can I join you?”
“Sure, Iris,” Jane said. “Perhaps you can help me with this form Mike wants us to fill out.”
Jane was working on the asset valuation worksheet that Iris had designed to be completed by all RWW managers. The worksheet listed all of the information assets in Jane’s department. Mike Edwards had asked each manager to provide three values for each item: its cost, its replacement value, and its ranked criticality to the company’s mission, with the most important item being ranked number one. Mike hoped that Iris and the rest of the risk management team could use the data to build a consensus about the relative importance of various assets.
“What’s the problem?” Iris asked.
“I understand these first two columns. But how am I supposed to decide what’s the most important?”
“Well,” Iris began, “with your accounting background, you could base your answers on some of the data you collect about each of these information assets. For this quarter, what’s more important to senior management—revenue or profitability?”
“Profitability is almost always more important,” Jane replied. “We have some projects that
generate lots of revenue but operate at a loss.”
“Well, there you go,” Iris said. “Why not calculate the profitability margin for each listed
item and use that to rate and rank them?”
“Oh, okay Iris. Thanks for the idea,” Jane said. She then started making notes on her copy
of the form.
LEARNING OBJECTIVES
Upon completion of this material, you should be able to:
• Recognize the strategy options used to control risk and be prepared to select from them when given background information
• Evaluate risk controls and formulate a cost-benefit analysis (CBA) using existing conceptual frameworks
• Explain how to maintain and perpetuate risk controls
• Describe popular approaches used in the industry to manage risk
Introduction
In the early days of information technology (IT), corporations used IT systems mainly to gain advantages over their competition. Managers discovered that establishing a competitive business model, method, or technique allowed an organization to provide a product or service that was superior in some decisive way, thus creating a competitive advantage. But this is seldom true today. The current IT industry has evolved from this earlier model to one in which almost all competitors operate using similar levels of automation. Because IT is now readily available, almost all organizations are willing to make the investment to react quickly to changes in the market. In today’s highly competitive environment, managers realize that investing in IT systems at a level that merely maintains the status quo is no longer sufficient to gain a competitive advantage. In fact, even the implementation of new technologies does not necessarily enable an organization to gain or maintain a competitive lead. Instead, the concept of competitive disadvantage—the state of falling behind the competition—has emerged as a critical factor. Effective IT-enabled organizations now quickly absorb emerging technologies, not to gain or maintain the traditional competitive advantage but to avoid the possibility of losing market share when faltering systems make it impossible to maintain the current standard of service.
To keep up with the competition, organizations must design and create a safe environment in which business processes and procedures can function and evolve effectively. This environment must maintain confidentiality and privacy and assure the integrity and availability of organizational data. These objectives are met via the application of the principles of risk management.
This chapter builds on the concepts developed in Chapter 8, which focused on the identification of risk and the assessment of the relative impact from all identified vulnerabilities. That effort produced a list of documented vulnerabilities, ranked by criticality of impact. In this chapter, you will learn how to use such a list to assess options, estimate costs, weigh the relative merits of options, and gauge the benefits of various control approaches.
Risk Management: Controlling Risk
Controlling risk begins with an understanding of what risk mitigation strategies are and how
to formulate them. The chosen strategy may include applying controls to some or all of the
assets and vulnerabilities found in the ranked vulnerability worksheet prepared in Chapter 8.
This chapter explores a variety of control approaches and then discusses how such approaches
can be categorized. It also explains the critical concepts of CBA and residual risk, and it
describes control strategy assessment and maintenance.
Risk Control Strategies
When an organization’s general management team determines that risks from information security (InfoSec) threats are creating a competitive disadvantage, it empowers the IT and InfoSec communities of interest to control those risks. Once the project team for InfoSec development has created the ranked vulnerability worksheet (see Chapter 8), the team must choose one of five basic strategies to control the risks that arise from these vulnerabilities:
● Transferal—Shifting risks to other areas or to outside entities
● Mitigation—Reducing the impact to information assets should an attacker successfully exploit a vulnerability
● Acceptance—Understanding the consequences of choosing to leave a risk uncontrolled and then properly acknowledging the risk that remains without an attempt at ...