CH14-Risk Management_4bc178e02957c847fefd1bd33a8167be.pdf
Document Details
Tags
Full Transcript
Computer Security: Principles and Practice Chapter 14 IT Security Management and Risk Assessment I T Security Management Overview Is the formal process of answering the questions: What assets need to be protected How are those assets threatened What can be done to count...
Computer Security: Principles and Practice Chapter 14 IT Security Management and Risk Assessment I T Security Management Overview Is the formal process of answering the questions: What assets need to be protected How are those assets threatened What can be done to counter those threats Ensures that critical assets are sufficiently protected in a cost-effective manner Security risk assessment is needed for each asset in the organization that requires protection Provides the information necessary to decide what management, operational, and technical controls are needed to reduce the risks 27000: “Information security management systems—Overview 2018 Table 14.1 and vocabulary” provides an overview of information (1 of 2) security management systems, and defines the ISO/IEC 27000 vocabulary and definitions used in the 27000 family of Series of Standards standards. on IT Security 27001: “Information security management systems— Techniques 2013 Requirements” specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented Information Security Management System. 27002: “Code of practice for information security management” 2013 provides guidelines for information security management in an organization and contains a list of best-practice security controls. It was formerly known as I S O17799. 27003: “Information security management system 2017 implementation guidance” details the process from inception to the production of implementation plans of an Information Security Management System specification and design. 13335 - 3/ 4. 27004: “Information security management—Measurement” 2009 provides guidance to help organizations measure and report on the effectiveness of their Information Security Table 14.1 (2 of 2) ISO/IEC 27000 Series of Standards on IT Security Techniques 27006:2 “Requirements for bodies providing audit and certification of 015 information security management systems” specifies requirements and provides guidance for these bodies. 27017:2 “Code of practice for Information Security Controls based on I S O/I E 015 C 27002 for Cloud Services” provides guidelines for information security controls applicable to the provision and use of Cloud services. 27033:2 “Network Security” provides guidance on the design and 010-16 implementation of network security, in 6 parts. 27034:2 “Application Security” provides guidance on the framework and 011-18 process for providing application security, in 8 parts. 27035:2 “Information security incident management” provides guidance on 016 the framework and process for providing application security, in 2 parts. IT Security Management IT Security Management: The formal process used to develop and maintain appropriate levels of computer security for an organization’s assets, by preserving their confidentiality, integrity, availability, accountability, authenticity, and reliability. The steps in the IT security management process include Determining the organization’s IT security objectives, strategies, and policies Performing an IT security risk assessment that analyzes security threats to IT assets within the organization and determines the resulting risks Selecting suitable controls to cost effectively protect the organization’s IT assets Writing plans and procedures to effectively implement the selected controls Implementing the selected controls, including provision of a security awareness and training program Monitoring the operation and maintaining the effectiveness of the selected controls Detecting and reacting to incidents Figure 14.1 Overview of IT Security Management Figure 14.2 The Plan-Do-Check-Act Process Model Organizational Context and Security Policy Maintained and updated First examine organization’s IT regularly security: Using periodic security Objectives - wanted IT reviews security outcomes Reflect changing Strategies - how to meet technical/risk objectives environments Policies - identify what Examine role and needs to be done importance of IT systems in organization Security Policy Needs to address: Scope and purpose including relation of objectives to business, legal, regulatory requirements I T security requirements Assignment of responsibilities Risk management approach Security awareness and training General personnel issues and any legal sanctions Integration of security into systems development Information classification scheme Contingency and business continuity planning Incident detection and handling processes How and when policy reviewed, and change control to it Management Support I T security policy must be supported by senior management Need I T security officer To provide consistent overall supervision Liaison with senior management Maintenance of I T security objectives, strategies, policies Handle incidents Management of I T security awareness and training programs Interaction with I T project security officers Large organizations need separate I T project security officers associated with major projects and systems Manage security policies within their area Security Risk Assessment Critical component of process Ideally examine every Not feasible in practice organizational asset Baseline Approaches to identifying and Informal mitigating risks to an Detailed risk organization’s I T infrastructure: Combined Baseline Approach Goal is to Forms a good base for Use “industry best Generally implement agreed further security practice” recommended only for measures Easy, cheap, can be small organizations controls to provide replicated without the resources protection against Gives no special to implement more the most common consideration to variations structured approaches in risk exposure threats May give too much or too little security Informal Approach Involves conducting an informal, pragmatic risk analysis on organization’s IT systems Exploits knowledge and expertise of analyst Fairly quick and cheap Judgments can be made about vulnerabilities and risks that baseline approach would not address Some risks may be incorrectly assessed Skewed by analyst’s views, varies over time Suitable for small to medium sized organizations where IT systems are not necessarily essential Detailed Risk Analysis Most Assess using Significant cost in May be a legal Suitable for large comprehensive formal structured time, resources, requirement to organizations approach process expertise use with I T systems critical to their Number of stages business Identify threats and objectives vulnerabilities to assets Identify likelihood of risk occurring and consequences Combined Approach Combines elements of the baseline, informal, and detailed risk analysis approaches Aim is to provide reasonable levels of protection as quickly as possible, then to examine and adjust the protection controls deployed on key systems Approach starts with the implementation of suitable baseline security recommendations on all systems Next, systems either exposed to high risk levels or critical to the organization's business objectives are identified in the high-level risk assessment A decision can then be made to possibly conduct an immediate informal risk assessment on key systems with the aim of relatively quickly Lastly, an ordered process of performing detailed risk analyses of these systems can be instituted Over time, this can result in the most appropriate and cost-effective security controls Detailed Security Risk Analysis Provides the most accurate evaluation of an organization's I T system’s security risks Highest cost Initially focused on addressing defense security concerns Often mandated by government organizations and associated businesses Figure 14.3 Risk Assessment Process Establishing the Context Determine the basic parameters of the Initial step risk assessment Identify the assets to be examined Explores political and social Legal and regulatory constraints environment in which the Provide baseline for organization’s risk organization operates exposure The level of risk the organization views as Risk appetite acceptable Figure 14.4 Generic Organizational Risk Context Asset Identification Draw on expertise of Last component is to people in relevant identify assets to Asset areas of organization examine to identify key assets “anything that needs to be protected” because it has Identify and interview such value to the organization and personnel contributes to the successful attainment of the organization’s objectives Terminology Asset: A system resource or capability of value to its owner that requires protection. Threat: A potential for a threat source to exploit a vulnerability in some asset, which if it occurs may compromise the security of the asset and cause harm to the asset’s owner. Vulnerability: A flaw or weakness in an asset’s design, implementation, or operation and management that could be exploited by some threat. Risk: The potential for loss computed as the combination of the likelihood that a given threat exploits some vulnerability to an asset and the magnitude of harmful consequence that results to the asset’s owner. Threat Identification A threat is: Anything that might hinder or prevent an asset from providing appropriate levels of the key security services Integrity Availability Accountability Authenticity Reliability Confidentiality Threat Sources Any previous experience of Evaluation of human threat attacks seen by the Threats may be sources should consider: organization also needs to be considered Natural “acts of God” Motivation Man-made Capability Accidental or deliberate Resources Probability of attack Deterrence Vulnerability Identification Identify exploitable flaws or Determines applicability and significance of weaknesses in organization’s I T threat to organization systems or processes Need combination of threat and vulnerability to create a risk to an asset Outcome should be a list of threats and vulnerabilities with brief descriptions of how and why they might occur Analyze Risks Specify likelihood of occurrence of each identified threat to asset given existing controls Specify consequence should threat occur Derive overall risk rating for each threat Risk = probability threat occurs cost to organization Hard to determine accurate probabilities and realistic cost consequences Use qualitative, not quantitative, ratings Analyze Existing Controls Existing controls used to attempt to minimize threats need to be identified Management Security controls include: Operational Technical processes and procedures Use checklists of existing controls and interview key organizational staff to solicit information Table 14.2 Risk Likelihood Likelihood Rating Expanded Definition Description 1 Rare May occur only in exceptional circumstances and may be deemed as “unlucky” or very unlikely 2 Unlikely Could occur at some time but not expected given current controls, circumstances, and recent events. 3 Possible Might occur at some time but just as likely as not. It may be difficult to control its occurrence due to external influences. 4 Likely Will probably occur in some circumstance, and one should not be surprised if it occurred. 5 Almost Certain Is expected to occur in most circumstances and certainly sooner or later. Table 14.3 (1 of 2) Risk Consequences Rating Consequence Expanded Definition 1 Insignificant Generally, a result of a minor security breach in a single area. Impact is likely to last less than several days and requires only minor expenditure to rectify. Usually does not result in any tangible detriment to the organization. 2 Minor Result of a security breach in one or two areas. Impact is likely to last less than a week but can be dealt with at the segment or project level without management intervention. Can generally be rectified within project or team resources. Again, does not result in any tangible detriment to the organization but may, in hindsight, show previous lost opportunities or lack of efficiency 3 Moderate Limited systemic (and possibly ongoing) security breaches. Impact is likely to last up to two weeks and will generally require management intervention, though should still be able to be dealt with at the project or team level. Will require some ongoing compliance costs to overcome. Customers or the public may be indirectly aware or have limited information about this event. 4 Major Ongoing systemic security breach. Impact will likely last 4–8 weeks and require significant management intervention and resources to overcome. Senior management will be required to sustain ongoing direct management for the duration of the incident and compliance costs are expected to be substantial. Customers or the public will be aware of the occurrence of such an event and will be in possession of a range of important facts. Loss of business or organizational outcomes is possible but not expected, especially if this is a once-off. Table 14.3 (2 of 2) Risk Consequences Rating Consequence Expanded Definition 5 Catastrophic Major systemic security breach. Impact will last for three months or more and senior management will be required to intervene for the duration of the event to overcome shortcomings. Compliance costs are expected to be very substantial. A loss of customer business or other significant harm to the organization is expected. Substantial public or political debate about and loss of confidence in the organization is likely. Possible criminal or disciplinary action against personnel involved is likely. 6 Doomsday Multiple instances of major systemic security breaches. Impact duration cannot be determined, and senior management will be required to place the company under voluntary administration or other form of major restructuring. Criminal proceedings against senior management is expected, and substantial loss of business and failure to meet organizational objectives is unavoidable. Compliance costs are likely to result in annual losses for some years with liquidation of the organization likely. Table 14.4 Risk Level Determination and Meaning Risk Level Description Extreme (E) Will require detailed research and management planning at an executive/director level. Ongoing planning and monitoring will be required with regular reviews. Substantial adjustment of controls to manage the risk is expected with costs possibly exceeding original forecasts. High (H) Requires management attention, but management and planning can be left to senior project or team leaders. Ongoing planning and monitoring with regular reviews are likely, though adjustment of controls is likely to be met from within existing resources. Medium (M) Can be managed by existing specific monitoring and response procedures. Management by employees is suitable with appropriate monitoring and reviews. Low (L) Can be managed through routine procedures. Table 14.5 Risk Register Asset Threat/ Existin Likeliho Conseque Level Risk Vulnerability g od nce of Priorit Control Risk y s Internet Outside hacker Admin Possible Moderate High 1 router attack passwo rd only Destructi Accidental fire None Unlikely Major High 2 on of or flood (no data disaster center recover y plan) Figure 14.5 Judgment about Risk Treatment Risk Treatment Alternatives Risk Reduce Reduce Risk avoidance Risk transfer acceptance consequence likelihood Choosing to Not Sharing Modifying Implement accept a risk proceeding responsibility the structure suitable level greater with the for the risk or use of the controls to than normal activity or with a third assets at risk lower the for business system that party to reduce the chance of the reasons creates this impact on vulnerability risk the being organization exploited should the risk occur Case Study: Silver Star Mines Large I T infrastructure Both common and specific software Fictional operation of global Some directly relates to health and Decided on combined mining company safety approach Formerly isolated systems now networked Mining industry less risky Subject to legal/regulatory Management accepts end of spectrum requirements moderate or low risk Assets Reliability and integrity of S CADA nodes and net Availability, integrity Integrity of stored and confidentiality of file and database mail services information Availability, integrity of maintenance/producti Availability, integrity of on system financial system Availability, integrity of procurement system Table 14.6 Silver Star Mines—Risk Register Existing Level of Risk Asset Threat/ Vulnerability Controls Likelihood Consequence Risk Priority Reliability and integrity of Unauthorized Layered Rare Major High 1 the SCADA nodes and modification of control firewalls network system and servers Integrity of stored file and Corruption, theft, and Firewall, Possible Major Extreme 2 database information loss of info policies Availability and integrity of Attacks/errors Firewall, Possible Moderate High 3 financial system affecting system policies Availability and integrity of Attacks/errors Firewall, Possible Moderate High 4 procurement system affecting system policies Availability and integrity of Attacks/errors Firewall, Possible Minor Medium 5 maintenance/ production affecting system policies system Availability, integrity, and Attacks/errors Firewall, Almost Minor High 6 confidentiality of mail affecting system ext mail Certain services gateway Summary IT security management Detailed security risk analysis Organizational context and Context and system security policy characterization Security risk assessment Identification of Baseline approach threats/risks/vulnerabilities Informal approach Analyze risks Detailed risk analysis Evaluate risks Combined approach Risk treatment Case study: Silver Star Mines Copyright This work is protected by United States copyright laws and is provided solely for the use of instructors in teaching their courses and assessing student learning. Dissemination or sale of any part of this work (including on the World Wide Web) will destroy the integrity of the work and is not permitted. The work and materials from it should never be made available to students except by instructors using the accompanying text in their classes. All recipients of this work are expected to abide by these restrictions and to honor the intended pedagogical purposes and the needs of other instructors who rely on these materials.
