Risk Management and the Components of Risk
University of Kansas
Sources:
SANS: https://www.sans.org/reading-room/whitepapers/auditing/introduction-information-system-risk-management-1204
Deloitte: https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-risk-beneath-the-surface-of-a-cyber-attack.pdf

Introduction

The fundamental precept of information security is to support the mission of the organization. All organizations are exposed to uncertainties, some of which impact the organization in a negative manner. In order to support the organization, IT security professionals must be able to help their organizations' management understand and manage these uncertainties.

Managing uncertainties is not an easy task. Limited resources and an ever-changing landscape of threats and vulnerabilities make completely mitigating all risks impossible. Therefore, IT security professionals must have a toolset to assist them in sharing a commonly understood view with IT and business managers concerning the potential impact of various IT security related threats to the mission. This toolset needs to be consistent, repeatable and cost-effective, and it needs to reduce risks to a reasonable level.

Risk management is nothing new. There are many tools and techniques available for managing organizational risks. There are even a number of tools and techniques that focus on managing risks to information systems. This paper explores the issue of risk management with respect to information systems and seeks to answer the following questions:

What is risk with respect to information systems?
Why is it important to understand risk?
How is risk assessed?
How is risk managed?
What are some common risk assessment/management methodologies and tools?

What Is Risk With Respect To Information Systems?

Risk is the potential harm that may arise from some current process or from some future event. Risk is present in every aspect of our lives and many different disciplines focus on risk as it applies to them.
From the IT security perspective, risk management is the process of understanding and responding to factors that may lead to a failure in the confidentiality, integrity or availability of an information system. IT security risk is the harm to a process or the related information resulting from some purposeful or accidental event that negatively impacts the process or the related information. Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. [i]

Threats

One of the most widely used definitions of threat and threat-source can be found in the National Institute of Standards and Technology's (NIST) Special Publication (SP) 800-30, Risk Management Guide for Information Technology Systems. NIST SP 800-30 provides the following definitions.

Threat: The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability. [ii]

Threat-Source: Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability. [iii]

The threat is merely the potential for the exercise of a particular vulnerability. Threats in themselves are not actions. Threats must be coupled with threat-sources to become dangerous. This is an important distinction when assessing and managing risks, since each threat-source may be associated with a different likelihood, which, as will be demonstrated, affects risk assessment and risk management. It is often expedient to incorporate threat-sources into threats. The list below shows some (but not all) of the possible threats to information systems.

Figure 1 – Partial List of Threats with Threat Sources Taken into Consideration

Threat (Including Threat Source): Description

Accidental Disclosure: The unauthorized or accidental release of classified, personal, or sensitive information.

Acts of Nature: All types of natural occurrences (e.g., earthquakes, hurricanes, tornadoes) that may damage or affect the system/application. Any of these potential threats could lead to a partial or total outage, thus affecting availability.

Alteration of Software: An intentional modification, insertion, or deletion of operating system or application system programs, whether by an authorized user or not, which compromises the confidentiality, availability, or integrity of data, programs, system, or resources controlled by the system. This includes malicious code, such as logic bombs, Trojan horses, trapdoors, and viruses.

Bandwidth Usage: The accidental or intentional use of communications bandwidth for other than intended purposes.

Electrical Interference/Disruption: An interference or fluctuation may occur as the result of a commercial power failure. This may cause denial of service to authorized users (failure) or a modification of data (fluctuation).

Intentional Alteration of Data: An intentional modification, insertion, or deletion of data, whether by an authorized user or not, which compromises the confidentiality, availability, or integrity of the data produced, processed, controlled, or stored by data processing systems.

System Configuration Error (Accidental): An accidental configuration error during the initial installation or upgrade of hardware, software, communication equipment or operational environment.

Telecommunication Malfunction/Interruption: Any communications link, unit or component failure sufficient to cause interruptions in the data transfer via telecommunications between computer terminals, remote or distributed processors, and host computing facility.

Vulnerabilities

Once again, NIST SP 800-30 provides an excellent definition of vulnerability as it pertains to information systems.
Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy. [iv]

Notice that the vulnerability can be a flaw or weakness in any aspect of the system. Vulnerabilities are not merely flaws in the technical protections provided by the system. Significant vulnerabilities are often contained in the standard operating procedures that systems administrators perform, the process that the help desk uses to reset passwords, or inadequate log review. Another area where vulnerabilities may be identified is at the policy level. For instance, a lack of a clearly defined security testing policy may be directly responsible for the lack of vulnerability scanning.

Here are a few examples of vulnerabilities related to contingency planning/disaster recovery:

Not having clearly defined contingency directives and procedures
Lack of a clearly defined, tested contingency plan
The absence of adequate formal contingency training
Lack of information (data and operating system) backups
Inadequate information system recovery procedures for all processing areas (including networks)
Not having alternate processing or storage sites
Not having alternate communication services

Impact/Cost/Consequence

Every data breach incurs many costs. There are costs associated with the discovery of and immediate response to the breach; these include conducting investigations and forensics, determining potential victims, forming the incident response team, and crisis management efforts (including public relations outreach). Notification costs include determining which regulations apply and communicating with required or affected parties. After the data breach is discovered, costs associated with identity protection, auditing, consulting, and legal services are incurred.
Adding to the damage are the costs of lost business, increased retention costs, opportunity costs, reputation losses, and diminished goodwill. The costs commonly associated with data breaches are only the most widely understood impacts, the damage seen above the surface. But theft of PII (personally identifiable information) is not always an attacker's objective. Rarely brought into full view are cases of intellectual property (IP) theft, espionage, data destruction, attacks on core operations, or attempts to disable critical infrastructure. Beneath the surface, these attacks can have a much more significant impact on organizations. But the tolls they take are not broadly understood and are much more difficult to quantify.

Why Is It Important to Manage Risks?

The principal reason for managing risk in an organization is to protect the mission and assets of the organization. Therefore, risk management must be a management function rather than a technical function. It is vital to manage risks to systems. Understanding risk, and in particular understanding the specific risks to a system, allows the system owner to protect the information system commensurate with its value to the organization. The fact is that all organizations have limited resources and risk can never be reduced to zero. So, understanding risk, especially the magnitude of the risk, allows organizations to prioritize scarce resources.

NIST SP 800-30 (Revision 1), Guide for Conducting Risk Assessments

CHAPTER ONE: INTRODUCTION
THE NEED FOR RISK ASSESSMENTS TO SUPPORT ENTERPRISE-WIDE RISK MANAGEMENT

Organizations in the public and private sectors depend on information technology and information systems to successfully carry out their missions and business functions.
Information systems can include very diverse entities ranging from office networks, financial and personnel systems to very specialized systems (e.g., industrial/process control systems, weapons systems, telecommunications systems, and environmental control systems). Information systems are subject to serious threats that can have adverse effects on organizational operations and assets, individuals, other organizations, and the Nation by exploiting both known and unknown vulnerabilities to compromise the confidentiality, integrity, or availability of the information being processed, stored, or transmitted by those systems. Threats to information systems can include purposeful attacks, environmental disruptions, human/machine errors, and structural failures, and can result in harm to the national and economic security interests of the United States. Therefore, it is imperative that leaders and managers at all levels understand their responsibilities and are held accountable for managing information security risk—that is, the risk associated with the operation and use of information systems that support the missions and business functions of their organizations.

Risk assessment is one of the fundamental components of an organizational risk management process as described in NIST Special Publication 800-39 (see below). Risk assessments are used to identify, estimate, and prioritize risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems.
The purpose of risk assessments is to inform decision makers and support risk responses by identifying: (i) relevant threats to organizations or threats directed through organizations against other organizations; (ii) vulnerabilities both internal and external to organizations; (iii) impact (i.e., harm) to organizations that may occur given the potential for threats exploiting vulnerabilities; and (iv) likelihood that harm will occur. The end result is a determination of risk (i.e., typically a function of the degree of harm and likelihood of harm occurring).

Risk assessments can be conducted at all three tiers in the risk management hierarchy: Tier 1 (organization level), Tier 2 (mission/business process level), and Tier 3 (information system level). At Tiers 1 and 2, organizations use risk assessments to evaluate, for example, systemic information security-related risks associated with organizational governance and management activities, mission/business processes, enterprise architecture, or the funding of information security programs. At Tier 3, organizations use risk assessments to more effectively support the implementation of the Risk Management Framework (i.e., security categorization; security control selection, implementation, and assessment; information system and common control authorization; and security control monitoring).

NIST SP 800-39, Managing Information Security Risk

CHAPTER ONE: INTRODUCTION
THE NEED FOR INTEGRATED ORGANIZATION-WIDE RISK MANAGEMENT

Information technology is widely recognized as the engine that drives the U.S. economy, giving industry a competitive advantage in global markets, enabling the federal government to provide better services to its citizens, and facilitating greater productivity as a nation. Organizations in the public and private sectors depend on technology-intensive information systems to successfully carry out their missions and business functions.
Information systems can include diverse entities ranging from high-end supercomputers, workstations, personal computers, cellular telephones, and personal digital assistants to very specialized systems (e.g., weapons systems, telecommunications systems, industrial/process control systems, and environmental control systems). Information systems are subject to serious threats that can have adverse effects on organizational operations (i.e., missions, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation by exploiting both known and unknown vulnerabilities to compromise the confidentiality, integrity, or availability of the information being processed, stored, or transmitted by those systems. Threats to information and information systems can include purposeful attacks, environmental disruptions, and human/machine errors and result in great harm to the national and economic security interests of the United States. Therefore, it is imperative that leaders and managers at all levels understand their responsibilities and are held accountable for managing information security risk—that is, the risk associated with the operation and use of information systems that support the missions and business functions of their organizations.

Organizational risk can include many types of risk (e.g., program management risk, investment risk, budgetary risk, legal liability risk, safety risk, inventory risk, supply chain risk, and security risk). Security risk related to the operation and use of information systems is just one of many components of organizational risk that senior leaders/executives address as part of their ongoing risk management responsibilities.
Effective risk management requires that organizations operate in highly complex, interconnected environments using state-of-the-art and legacy information systems—systems that organizations depend on to accomplish their missions and to conduct important business-related functions. Leaders must recognize that explicit, well-informed risk-based decisions are necessary in order to balance the benefits gained from the operation and use of these information systems with the risk of the same systems being vehicles through which purposeful attacks, environmental disruptions, or human errors cause mission or business failure.

Managing information security risk, like risk management in general, is not an exact science. It brings together the best collective judgments of individuals and groups within organizations responsible for strategic planning, oversight, management, and day-to-day operations—providing both the necessary and sufficient risk response measures to adequately protect the missions and business functions of those organizations.
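The definitions above are worth putting into running form: risk is a function of the likelihood that a threat-source exercises a vulnerability and of the resulting impact, the same threat can carry a different likelihood for each threat-source it is coupled with, and the magnitude of risk is what lets an organization prioritize scarce resources. The following is an added example, not part of the source document or of the NIST publications it quotes. The High/Medium/Low scales and the score bands follow the illustrative 3x3 matrix in the 2002 edition of SP 800-30, which the document cites but does not reproduce; the RiskItem class, the function names, and the sample entries are this example's own constructions.

```python
"""Added example (not from the source document): a minimal SP 800-30 style
risk determination.  A RiskItem couples one threat with one threat-source and
the vulnerability it could exercise; risk is computed from likelihood and impact,
items are ranked for prioritization, and residual risk is shown after a control.
All names, scales and sample entries are illustrative."""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# Qualitative scales.  Values follow the example matrix in the 2002 edition of
# SP 800-30 (likelihood 1.0 / 0.5 / 0.1, impact 100 / 50 / 10); likelihood is
# expressed as a percentage here so the arithmetic stays in integers.
LIKELIHOOD: Dict[str, int] = {"High": 100, "Medium": 50, "Low": 10}
IMPACT: Dict[str, int] = {"High": 100, "Medium": 50, "Low": 10}


@dataclass(frozen=True)
class RiskItem:
    """One threat, the threat-source that would exercise it, and the vulnerability."""
    threat: str          # e.g. a Figure 1 entry such as "Intentional Alteration of Data"
    threat_source: str   # the intent/method or situation that would exercise the flaw
    vulnerability: str   # the flaw (technical, procedural or policy) being exercised
    likelihood: str      # "High" | "Medium" | "Low" for this threat-source
    impact: str          # "High" | "Medium" | "Low" for the resulting event

    def __post_init__(self) -> None:
        # Reject unknown levels early; a silent default would hide an assessment gap.
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"unknown likelihood/impact level in {self.threat!r}")


def risk_score(item: RiskItem) -> int:
    """Risk as a function of likelihood and impact (0..100 on these scales)."""
    return LIKELIHOOD[item.likelihood] * IMPACT[item.impact] // 100


def risk_level(score: int) -> str:
    """Bands from the same 2002 matrix: Low 1-10, Medium >10-50, High >50-100."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def assess(items: List[RiskItem]) -> List[Tuple[str, int, RiskItem]]:
    """Rank items highest risk first; this ordering is the input to prioritization."""
    ranked = sorted(items, key=risk_score, reverse=True)   # stable: ties keep input order
    return [(risk_level(risk_score(i)), risk_score(i), i) for i in ranked]


def with_control(item: RiskItem, new_likelihood: str) -> RiskItem:
    """Residual risk after a control that lowers likelihood; it does not reach zero."""
    return replace(item, likelihood=new_likelihood)


# Constructed sample entries (not from the document).  The first two share a
# threat and a vulnerability but differ in threat-source, hence in likelihood.
SAMPLE: List[RiskItem] = [
    RiskItem("Intentional Alteration of Data", "external attacker using social engineering",
             "help desk resets passwords without verifying caller identity", "High", "High"),
    RiskItem("Intentional Alteration of Data", "authorized user abusing own access",
             "help desk resets passwords without verifying caller identity", "Low", "High"),
    RiskItem("Accidental Disclosure", "employee mis-addressing an email",
             "no outbound data-handling controls or training", "Medium", "Medium"),
    RiskItem("Acts of Nature", "tornado striking the primary data center",
             "no alternate processing site", "Low", "High"),
    RiskItem("Bandwidth Usage", "staff streaming video on the office network",
             "no egress traffic shaping", "High", "Low"),
]

if __name__ == "__main__":
    for level, score, item in assess(SAMPLE):
        print(f"{level:6} {score:3}  {item.threat} <- {item.threat_source}")
    # Hypothetical control: the help desk now verifies identity before a reset.
    fixed = with_control(SAMPLE[0], "Low")
    print("residual:", risk_level(risk_score(fixed)), risk_score(fixed))
```

Running it ranks the attacker-driven data-alteration entry first (score 100, High), the accidental disclosure second (25, Medium), and the three remaining entries at 10 (Low), which is the ordering a system owner would use to decide where limited budget goes first. Note that the tornado and the insider entries score identically despite very different impacts: the matrix intentionally weights a rare event with high impact the same as a likely event with low impact, which is exactly the kind of judgment the quoted text says should be revisited by management rather than left to the arithmetic.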