RISK MANAGEMENT
7CCSMSEM Security Management Dr. Jose M. Such
Introduction
• Iteratively balance the system risk against the business strategy
• The main aim is to minimise the risk to the organisation
• However, a residual risk will always remain
• The risk analysis should be understandable to everyone
• Where do security requirements come from?
• Risk assessment
• Statutory and contractual requirements
• Business principles and objectives
Why do we do this?
• Value of a documented risk management process is to have the audit trail of decision makers
• Make people think
• Protect the business to make it more profitable
Risk Management Steps
• Asset Identification (and their value)
• Threat Assessment
• Vulnerability Assessment
• Risk Assessment
• Risk Treatment
• (Reduce, Transfer, Avoid or Accept the risk.)
• Risk Monitoring
Once Risk Measured, What Next?
[Diagram: the four treatment options plotted against frequency (high/low) and impact (high/low): Transfer (insure, outsource), Reduce (countermeasures or controls), Avoid, Accept.]
Avoid
• A fairly clear-cut option.
• Put simply, it means not doing something that incurs risk.
• Example:
• A company might issue a security policy that states that users of personal computers must not install unauthorised software. This removes the risk of inappropriate software finding its way onto PCs within the organisation, and can be enforced by restricting the administrative capabilities of users.
• Another example would be not to do or to stop a business activity because it puts the organisation at too much risk.
Accept
• The organisation is willing to live with or tolerate the risk.
• When to accept?
1. The risk is very low.
2. The cost of treating the risk may equal or exceed the financial loss. (still you may want to reduce it instead, e.g. to maintain customer confidence)
• It has to be a conscious decision, and one or more individuals are held accountable for it by means of a formal sign-off process.
• A record in the risk register should indicate who has signed to accept the risk.
• Acceptance of a risk is not the same as ignoring it
• Risks that are ignored can cause problems later.
• Accepted risks must be monitored and reviewed at suitable intervals in case the impact or likelihood have changed since the initial assessment was carried out.
Reduce
• Security controls are applied to reduce the risk.
• Three types of reduction:
1. Reducing the threat
• Very difficult! E.g. although it would be nice to get rid of hackers completely, this would require significant social reform and is therefore an unlikely option.
2. Reducing the vulnerability
• For example, by applying appropriate security patches to an operating system or tightening the security settings on a firewall, the likelihood of hackers gaining access is reduced, though not removed.
3. Reducing the impact
• For example, if the whole of an organisation’s information assets reside on one main system, this would represent a potential single point of failure, and could be mitigated by introducing either a physical or virtual data separation system, or a disaster recovery standby system.
Transfer
• The risk is passed on to another entity/org.
• Two main types:
1. An insurance policy: an especially appropriate method when the impact of the risk can be measured as a purely financial one.
2. Outsourcing: move it to a third party when the relevant expertise to manage the risk is not available within the organisation.
• Example: media containing sensitive information requires secure disposal and the organisation outsources the work to a specialist company.
• You may be outsourcing anyway – think about the cloud!
Risk Monitoring
• Final stage of risk management – after risk treatment
• Monitor the results of the risk treatment plan.
• The frequency of monitoring may vary according to the type of threat
• some threats may change very quickly and will require monitoring at frequent intervals, while others will change little over long periods of time and will only need occasional monitoring.
• The whole risk management cycle should be repeated over time, as some threats might disappear completely and new threats might emerge.
• Again, the interval will depend largely upon the risk appetite of the organisation and may well be documented in a risk management strategy or policy document.
Risk Monitoring – risk registers
• What info do we need to keep about risks?
• Risk registers contain, as a minimum and for each risk:
• the threats and the vulnerabilities they might exploit
• the assessed impact and likelihood, and the overall risk calculated from these
• the recommended treatment (accept, avoid, reduce, transfer)
• the actual action(s) to be taken and the person or department responsible for carrying out this work and the date by which it is expected to be completed.
• Other fields may also be included to provide further details
• Risk registers are also updated regularly
• typically monthly or quarterly – so that they can also reflect the potential impact of any external sources of change such as local legislation, national or international regulation, standards and reports.
Making Risk Management Decisions
• Basic Process
• Identify and Value Information Assets
• Define the Threats
• Define the Vulnerabilities
• Combine information to assess the risk
• Assign a risk level
• Define Countermeasures
• Mitigate risk to an acceptable level
• Monitor risks
• Who defines the acceptable level?
• Who are the stakeholders?
• What are the risk management:
• Duties
• Plans
• Policies
• Procedures
• Projects?
• What will be discussed is the basis for what we can tailor for an organisation
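As an added example (not from the slides), a minimal risk register in Python that ties together the register fields listed under Risk Monitoring and the assess-then-treat process above: each row carries threat, vulnerability, impact, likelihood, action, owner and due date; the overall risk is derived from impact and likelihood; acceptance requires a named sign-off; and accepted risks are flagged when their review interval has lapsed. The three-point scales, the score thresholds and the sample rows are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

LEVELS = {"low": 1, "medium": 2, "high": 3}  # assumed 3-point scales; the slides fix none

@dataclass
class Risk:
    """One register row with the minimum fields the slides list."""
    threat: str
    vulnerability: str
    impact: str                           # low / medium / high
    likelihood: str                       # low / medium / high
    action: str                           # what will actually be done
    owner: str                            # person or department responsible
    due: date                             # date the action should be completed by
    treatment: Optional[str] = None       # accept / avoid / reduce / transfer
    signed_off_by: Optional[str] = None   # mandatory when treatment is accept
    last_reviewed: Optional[date] = None

    def score(self) -> int:
        """Overall risk = impact x likelihood on the 1..3 scales (1..9)."""
        return LEVELS[self.impact] * LEVELS[self.likelihood]

    def level(self) -> str:
        s = self.score()  # thresholds are an assumption of this example
        return "high" if s >= 6 else "medium" if s >= 3 else "low"

def accept(risk: Risk, signer: str, today: date) -> None:
    """Acceptance is a conscious decision: the register records who signed."""
    if not signer:
        raise ValueError("accepting a risk requires a named sign-off")
    risk.treatment, risk.signed_off_by, risk.last_reviewed = "accept", signer, today

def needs_review(register: List[Risk], today: date, max_days: int) -> List[Risk]:
    """Accepted risks not reviewed within max_days; impact or likelihood may have changed."""
    return [r for r in register if r.treatment == "accept"
            and (r.last_reviewed is None or (today - r.last_reviewed).days > max_days)]

def sample_register() -> List[Risk]:
    """Constructed sample rows mirroring the slides' examples; names and dates are made up."""
    return [
        Risk("hackers", "unpatched operating system", "high", "medium",
             "apply security patches", "IT Ops", date(2024, 3, 31), "reduce"),
        Risk("fire", "single site, purely financial loss", "high", "low",
             "take out insurance", "Finance", date(2024, 6, 30), "transfer"),
        Risk("staff error", "manual data entry", "low", "medium",
             "none: cost of control exceeds loss", "Finance", date(2024, 1, 31)),
    ]
```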
Duties and Responsibilities
• Risk management function is often
• Organic or knee jerk
• Rarely planned and designed
• Risk management team will be drawn from across the organisation
• Need to define roles so as to avoid overlap and contention
The Board
• Ultimate responsibility and accountability
• Define how risk management is done as part of the business
• Define the risk appetite
• Lead by example in the risk culture
• Allocate resources
• Sponsorship of the risk management process
Risk Manager
• Overall responsibility for ensuring that risk level is maintained
• Need to manage the risk down to an acceptable level
• Remember not all risk can be eliminated
• Various key duties:
• Developing the risk environment
• Management of the risk assessment process
• Facilitation of the risk process across the organisation
Business Unit Owner
• Responsible for delivery of security policy and procedures
• Requires buy in
• Responsible for the operational risk
• They are domain experts
• They are best placed to spot issues
• Responsible for risk awareness and policy adherence in the unit
Others
• Core functions
• HR, Finance etc.
• Can have a business wide view
• Offer business insight at a higher level
• Staff
• How do you build the right risk culture?
• What responses do the security messages you send out activate?
• Must have buy in from them
How to Communicate Risk?
• This is important as it hides or emphasises certain aspects of the risk equation
• Threat versus vulnerability
• Probability versus impact
• Many processes tend to focus on the extreme cases
• Be careful not to represent a clean cut risk assessment
• Subjectivity is always fuzzy
• Rankings can provide an easy way to communicate risk
• Qualifying statements important here
• This operation has an 80% success rate.
• 1 out of 5 patients dies as a result of this operation.
Risk Communication
• Be aware that many visual representations oversimplify the risk landscape
• Risk combinations enable a ranking of order
• The communication of risk is vital for the success of any work to be completed
• How is the risk perceived?
• What is the buy in from the stakeholders?
Processes
• It is common to have a set of processes to help with risk management
• Risk management assessment
• Internal and external environment scanning
• Reflective assessment of the company’s risk capability
• What are the new micro/macro level drivers?
• The successful risk manager recognises her limitations and takes steps to improve skills in areas where she identifies weakness. The unsuccessful risk manager works in a very narrow field, not looking beyond her own area of specialist expertise.
• Scope, context setting and impact assessment
• Risk, Vulnerability, and Threat Assessment
Processes cont…
• Risk Evaluation
• Prioritisation and rank
• Option management
• Evaluate response within business and legal contexts
• Select best approach
• Response Development
• Strategy and culture management
• Monitoring
• Has it worked?
• Examine the impact of change in the context of other viewpoints
• Documentation for auditing (internal and external)
Plans
• To Fail to Plan is a Plan to Fail
• Failure to have a risk plan means you end up managing the outcome of failing to manage risk
• Risk management plan describes
• How to document the initial state
• Manage risk reduction and implementation
• Risk communication, how and to whom.
What Plans?
• Information gathering plan
• Plan for performing risk analysis
• Frequency and depth
• Plans for managing operational (day to day) risk
• How to track the changes
• Business continuity plans and disaster recovery
• Awareness and training plan
Security Policy
• The organisational security policy expresses the organisation’s overall approach to security. It may include:
• The organisation’s security objectives
• Corporate roles and responsibilities
• Compliance requirements for external regulations and legislation
• A generic analysis of the risk to the business
• Disciplinary penalties for non-compliance with the policy
• The organisational security policy tops a hierarchy of linked and interdependent system security and other policies
Security Policy cont…
[Diagram: policy hierarchy. Legislation, standards, and risk info feed the Organisation Security Policy; beneath it sit Standards and Guidelines, the System Security Policy, Security Operating Procedures and incident reporting procedures.]
• Organisational policy is based on the risk to the business, and on external compliance requirements.
• This in turn informs the baseline security requirements of system security policies.
• Incident reporting informs the organisational security policy about the actual risk, and about what security is needed.
The Information Security Management System
• An information security management system (ISMS) is a set of policies and procedures for systematically managing an organisation’s digital assets.
• The ISMS is a key feature of ISO27001 – the code of practice for information security management
• ISO27001 specifies the ISMS. This is the basis for formal certification
• The ISMS defines all the controls and procedures required to maintain security throughout the organisation
• It further defines the methods used to manage these controls
• This enables the organisation to demonstrate compliance with best practices and corporate objectives