Enterprise security risk assessments are typically shallow or expensive due to the vastness of the systems and data. But a study on sensitive data found that the organization's "crown jewels" (the top 0.01% to 2.0% of sensitive data) account for 70% of the value to the enterprise. This allows for a unique approach to performing a security risk assessment: the crown jewels approach.
(Source: RSA Conference USA 2017)
1. #RSAC
SESSION ID: GRC-W11
Crown Jewels Risk Assessment: Cost-Effective Risk Identification
Douglas J. Landoll, CISSP, MBA, ISSA Distinguished Fellow
CEO, Lantego
@douglandoll
2. #RSAC
Information Security Risk Assessment (ISRA)
Definition: An objective analysis of the effectiveness of current security controls in protecting an organization's assets, and a determination of the probability of losses to those assets.
Benefits
• Information Security Program Oversight, e.g., checks and balances
• Periodic Review: review effectiveness after threats, environment, and business process changes
• Basis for Risk-based Spending: buy the greatest risk reductions, not pet projects and squeaky wheels
3. #RSAC
Information Security Risk Assessment
ISRA Process
The risk assessment process follows these five steps for EVERY risk assessment subject.
Preparation
• Scope
• Assets
• Boundaries
• Controls
Data Gathering
• Review
• Interview
• Observe
• Test
Risk Analysis
• Threat
• Vulnerability
• Impact
Risk Remediation
• Safeguards
• Cost
• Effectiveness
Reporting and Resolution
• Report
• Repository
• Guidance
• Tracking
4. #RSAC
Traditional Centralized System Risk Assessments
Traditional organizations have centralized information systems
Common organizational controls
— Security policy, human resources, training, incident response
Common system controls
— Authentication, configuration management, incident monitoring
Limited systems
— Network infrastructure, database, services (authentication, file server), mission applications, general office
5. #RSAC
De-Centralized System Risk Assessments
Many organizations have expanded from centralized information systems
Cloud-based applications
— File storage, marketing, expense tracking, business intelligence
Third party management
— System hosting, out-sourced development, human resources, sales
"Unlimited" systems
— Network infrastructure, database, services (authentication, file server), mission applications, general office
6. #RSAC
Information Security Risk Assessment
ISRA Process: Preparation, Data Gathering, Risk Analysis, Risk Remediation, Reporting and Resolution
The Data Gathering step of the ISRA process does not scale well.
[Chart: effort per ISRA step (y-axis 0 to 300) for Preparation, Data Gathering, Risk Analysis, Risk Remediation, and Reporting and Resolution, compared across 1-2 systems, 3-5 systems, and 6-10 systems]
7. #RSAC
Effect of Increasing # of Systems
$ $ $ $ $
Cost drastically increases as the # of systems increases.
9. #RSAC
Data Quality Typically Suffers
Self-Assessments: ask each system owner to rate the strength of their systems
Survey-based assessments: send questionnaires to control custodians
10. #RSAC
Crown Jewel Approach
Most Critical Data & Systems
Threats: all system threats + unique threats + targeted attacks
Impact: catastrophic impact
• upon system loss
• upon data loss
11. #RSAC
Crown Jewels Approach
Most Critical Data & Systems
Volume: for most organizations, 0.01% - 2.0% of total sensitive data
Impact: represents up to 70% of sensitive data value
Source: U.S. President's 2006 Economic Report to Congress
12. #RSAC
Crown Jewels Project Environment
Fortune 500 Subsidiary
189 information systems; 80%+ cloud-based
36 System owners; 15 System custodians
13. #RSAC
Crown Jewels Project
ITAR CM.01.2014
Define (for each Business Unit)
• Identify Critical Systems
• Define Critical Data
Discover (for each Crown Jewel)
• Identify Lifecycle, Environment, and Flows
• Identify System & Environment Controls
Baseline (for each Crown Jewel)
• Identify Requirements
• Assess Control Effectiveness
Analyze
• Identify Control Gaps
• Identify Security Risk
• Prioritize Security Gaps
Secure
• Create Security Solution Sets
• Deploy Solutions
• Monitor Solutions
Callout: Reduced systems from 186 to 20 here.
Callout: Applied risk remediation to overall program here.
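The Define and Analyze phases above reduce to two concrete computations: pick the smallest set of highest-value systems that covers a target share of sensitive-data value (the 70% figure from the earlier slide), then rank the control gaps of the systems that survive scoping. The following Python is an added example written for this page, not code from the talk or from Lantego; the inventory, system names, value-per-record estimates and control names are all constructed, and the value-weighted gap ranking is one illustrative prioritization, not the speaker's method.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    """One entry in the system inventory (all fields are constructed)."""
    name: str
    business_unit: str
    sensitive_records: int          # volume of sensitive data held
    value_per_record: float         # estimated value to the enterprise per record
    required_controls: frozenset    # controls the Baseline phase demands
    implemented_controls: frozenset # controls found during Discover

    @property
    def value(self) -> float:
        return self.sensitive_records * self.value_per_record


# Constructed inventory: a few high-value systems hold a tiny fraction of the data.
INVENTORY = [
    System("ip-vault", "R&D", 5_000, 10_000.0,
           frozenset({"mfa", "encryption-at-rest", "logging", "dlp"}),
           frozenset({"mfa", "logging"})),
    System("payments-db", "Finance", 200_000, 100.0,
           frozenset({"mfa", "encryption-at-rest", "logging", "segmentation"}),
           frozenset({"mfa", "encryption-at-rest", "logging"})),
    System("hr-records", "HR", 20_000, 50.0,
           frozenset({"mfa", "logging"}), frozenset({"mfa", "logging"})),
    System("crm-cloud", "Sales", 1_000_000, 2.0,
           frozenset({"mfa", "logging"}), frozenset({"mfa"})),
    System("marketing-saas", "Marketing", 3_000_000, 0.1,
           frozenset({"mfa"}), frozenset({"mfa"})),
    System("expense-tracker", "Finance", 50_000, 1.0,
           frozenset({"mfa"}), frozenset({"mfa"})),
    System("file-share", "IT", 2_000_000, 0.5,
           frozenset({"logging"}), frozenset()),
    System("wiki", "IT", 500_000, 0.2,
           frozenset({"logging"}), frozenset({"logging"})),
]


def select_crown_jewels(systems, value_share=0.70):
    """Define phase: walk systems from highest to lowest value and stop as soon
    as the accumulated value reaches `value_share` of the inventory total."""
    total = sum(s.value for s in systems)
    chosen, running = [], 0.0
    for s in sorted(systems, key=lambda s: s.value, reverse=True):
        if running >= value_share * total:
            break
        chosen.append(s)
        running += s.value
    return chosen


def scope_summary(systems, jewels):
    """How much of the inventory (by count, data volume and value) stays in scope."""
    total_records = sum(s.sensitive_records for s in systems)
    total_value = sum(s.value for s in systems)
    return {
        "systems_in_scope": len(jewels),
        "systems_total": len(systems),
        "data_share": sum(s.sensitive_records for s in jewels) / total_records,
        "value_share": sum(s.value for s in jewels) / total_value,
    }


def control_gaps(jewels):
    """Analyze phase: for each crown jewel list the required controls that are
    not implemented, ranked by system value times number of missing controls."""
    gaps = []
    for s in jewels:
        missing = sorted(s.required_controls - s.implemented_controls)
        if missing:
            gaps.append((s.name, s.value * len(missing), missing))
    return sorted(gaps, key=lambda g: g[1], reverse=True)


if __name__ == "__main__":
    jewels = select_crown_jewels(INVENTORY)
    summary = scope_summary(INVENTORY, jewels)
    print(f"{summary['systems_in_scope']} of {summary['systems_total']} systems "
          f"hold {summary['data_share']:.1%} of the data and "
          f"{summary['value_share']:.1%} of the value")
    for name, weight, missing in control_gaps(jewels):
        print(f"{name}: missing {', '.join(missing)} (priority weight {weight:,.0f})")
```

With the constructed numbers, two of the eight systems (about 3% of the sensitive records) carry roughly 94% of the value, so the Discover and Baseline work is confined to those two; raising or lowering `value_share` is the knob that decides how far the system count shrinks. The gap ranking is deliberately simple so the weighting can be swapped for whatever risk scale the organization's Analyze phase already uses.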
15. #RSAC
Crown Jewels Project Results
Identification of Corporate "Crown Jewels"
Determination of Crown Jewel Risk
Limitation of Assessment to Most Impactful Elements
Creation of Security Controls Plan with Most Significant Risk Reduction
Less Work – More Results
16. #RSAC
Applying Crown Jewel Lessons
Next Week
• Identify Organization's Security Assessment Plan
  • Self vs. Third Party
  • Frequency
  • Rigor / Technique (tests vs. assessments)
• Determine Adequacy of Plan
Define → Discover → Baseline → Analyze → Secure
17. #RSAC
Applying Crown Jewel Lessons
Within 1 Month
• Identify and Review Contractual and Legal Security Requirements
• Review Latest Security Assessment Reports
• Identify Business Process Owners
Within 3 Months
• Conduct Crown Jewels Project
• Apply Lessons Learned
Define → Discover → Baseline → Analyze → Secure
19. #RSAC
Project Challenges
1. Common Organizational Definition of "Crown Jewels"
2. Identification of Business Processes
3. Identification of Business / Systems Owners
4. Identifying a Business Champion
Define → Discover → Baseline → Analyze → Secure