Paradigm Shift! - Customer Information Centric IT Risk Assessments

Readers will be exposed to a methodology for the evaluation of information security risks based on the “Value” of customer/employee information rather than on the “Economic Value” of the information to the organization.

Published in: Business
  1. Paradigm Shift! Customer Information Centric IT Risk Assessments
     The CICRAM™ IT Risk Assessment Methodology for GLBA & HIPAA Compliance
     May 7th 2009
     CICRAM™ IT Risk Assessment Methodology – © Copyright 2004-2009 Fernando Reiser, All Rights Reserved
  2. Why Perform IT Risk Assessments?
     • Management Request
     • Regulatory Requirement
     • IT Best Practice
  3. What is “RISK”?
     • First and most obvious, “Risk” is a probability issue.
     • “Risk” has both a frequency and a magnitude component.
     • The fundamental nature of “Risk” is universal, regardless of its context.
     Source: An Introduction to Factor Analysis of Information Risk (FAIR), a framework for understanding, analyzing, and measuring information risk – Jack A. Jones, CISSP, CISM, CISA
     “Risk is the association of the probability/frequency of a negative event occurrence with the projected magnitude of a future loss.” – Fernando A. Reiser, CISSP, CISM, CISA, CIPP, April 2009
  4. The Basic “IT Risk” Formula – It’s All About IT Risk
     Information Security Professionals generally can agree that: IT Controls mitigate Risk by lowering the Probability of a Threat acting on a Vulnerability to harm an organization’s Asset.
  5. Assessing “IT Risk”
     High Level Goals & Objectives
     • Assess current threats & vulnerabilities
     • Identify and assess “Risk Factors” to the Organization
     • Present information in a way that management can use to make informed business decisions based on risk.
     Processes
     • Identify assets – information stores & IT systems.
     • Quantify the probability of a negative event occurrence.
     • Determine the value of information & IT assets.
     • Assess the business impact of negative events.
  6. Assessing “IT Risk”
     It’s a simple concept, but a difficult and complex analytical problem to solve.
     Most IT Risk Assessment Methodologies attempt to determine the Threats, Vulnerabilities, Negative Event Likelihood and Information Security Impacts to specific IT Assets.
  7. What IT Risk Assessment Methodology Should I Use?
     Quantitative Risk Analysis – Two basic elements are assessed: the probability of a negative event, the “ARO” (annual rate of occurrence), and the likely financial loss, the “SLE” (single loss expectancy). The Annual Loss Expectancy (“ALE”) is then calculated as ARO × SLE.
     Qualitative Risk Analysis – This is by far the most widely used approach to risk analysis. Probability data is not required and only the estimated financial loss is used.
  8. What IT Risk Assessment Methodology Should I Use?
     “Published” IT Risk Assessment Methodologies
     Quantitative Methodologies: CRAMM, BITS (Kalculator), FAIR, FMEA
     Qualitative Methodologies: FRAP, COBRA, OCTAVE
  9. Assessing IT Risk:
     “The problem in the security world is we often lack the data to do risk management well. Technological risks are complicated and subtle.”
     “We don’t know how well our network security will keep the bad guys out, and we don’t know the cost to the company if we don’t keep them out.”
     – Bruce Schneier, “Does risk management make sense?”, Oct 2008
  10. In Addition, Traditional IT Risk Assessment Methodologies Do Not Assess IT Risks To Customer Information
      • Storage
      • Transmission
      • Access & Processing
      I Stipulate That The IT Security Profession Has A Dirty Little Secret ...
  11. Randy Pausch Said In His Now Famous “Last Lecture” … “When There Is An Elephant In The Room, Introduce Him”
      (Randy Pausch graphic – www.thelastlecture.com)
      “Most IT Security Professionals Can Not Accurately Assess IT Risks.” – Fernando A. Reiser, CISSP, CISM, CISA, CIPP, April 2009
  12. In fact, many Information Security professionals cannot even agree on a definition of IT Risk!
      “Ask a dozen information security professionals to define risk and you’re certain to get several different answers.” – An Introduction to Factor Analysis of Information Risk (FAIR), Jack A. Jones, CISSP, CISM, CISA
      “Technically speaking, risk is the probability of a threat agent exploiting a vulnerability and the resulting business impact.” – Understanding Risk, Shon Harris, CISSP, 2006
      If security professionals cannot agree on what the risks are, how can we accurately assess “IT Risks”?
  13. What Are Leading Information Security Professionals Saying About Current IT Risk Assessment Processes & Models?
      • Number-driven risk metrics ‘fundamentally broken’ – Amit Yoran, former National Cyber Security Division director
      • Why Johnny Can’t Evaluate Security Risk – George Cybenko, Editor in Chief
      • Taking the risk out of IT risk management – Jim Hietala, October 16, 2008
      • Why you shouldn’t wager the house on risk management models – Bruce Schneier and Marcus Ranum, Oct 2008
      • It’s time to think differently about protecting data – Bill Ledingham, September 10, 2008
  14. There Is A Problem With Many IT Risk Assessment Processes.
      Traditional IT Risk Assessment Methodologies are primarily focused on the risks and impacts to the organization that is being assessed. The impact to the confidentiality or integrity of customer and employee information is not assessed!
      (Graphic – Microsoft)
  15. Why Are Risks to Customer Information Important?
      • Regulatory Requirements
        - Financial Industry – GLBA
        - Health Care – HIPAA
        - Higher Education – FERPA
        - State data breach laws
      • Organizational Reputation
      • Industry Standards
        - Retail – PCI
      (Graphic – Microsoft)
  16. The CICRAM™ IT Risk Assessment Methodology for GLBA & HIPAA Compliance
      A Paradigm Shift In IT Risk Assessment Methodologies! Assess risks to Customer & Employee Information, rather than operational IT risks to the organization.
  17. CICRAM™ IT Risk Assessment Methodology – Core Concepts: A Simplified View of IT Risks
      Risk = (Threat × Vulnerability × Asset Value) / Countermeasures
      An IT Risk is defined within CICRAM™ as the likelihood of a Threat acting on a Vulnerability to harm an asset, which causes a negative impact.
  18. CICRAM™ IT Risk Assessment Methodology – Core Concepts:
      • There are an infinite number of “Latent” vulnerabilities in software systems that allow attackers to breach computer systems.
      • There is a sufficiently high number of “Threats” that, given enough time, the likelihood of a vulnerability being exploited is 100%.
      • “Customer Information” has an inherently high value.
      • Assess “Risks” by following the movement of Customer Information.
      • Assess the effects of an IT control failure. The “Worst Case Scenario” becomes the “Baseline” for the IT Risk Assessment.
      • Effective IT controls reduce risks.
      • IT Risks are almost never reduced to zero by the implementation of IT controls; there is usually some “Residual Risk”.
  19. CICRAM™ IT Risk Assessment Methodology – Core Concepts:
      There are only a few actions that can be performed with an Organization’s Customer Information:
        Information Action        Security Risk Factor
        View / Access / Use       Confidentiality
        Copy                      Confidentiality
        Modify                    Integrity
        Loss                      Confidentiality
        Delete / Destroy          Integrity and Availability
  20. CICRAM™ IT Risk Assessment Methodology – “A Hybrid IT Risk Assessment Process”
      • Use Qualitative Analysis methods to determine current IT “Threats”.
      • Utilize “Data Flow” concepts to analyze risks to Customer Information as it moves across various environments.
      • Use Interrogative & RIIOT methods to document the IT environment used to transmit, manipulate and store customer data.
      • Use Qualitative Analysis methods to develop a “Baseline” of IT Risks for an IT environment that does not have any IT controls.
      • Use Control Maturity Modeling and Quantitative Analysis methods to assess the effectiveness of current IT controls.
      • Use Quantitative Analysis methods to determine the risk reduction impact of current IT controls.
  21. CICRAM™ IT Risk Assessment – Step #1: Assess The Current IT Threat Environment
      Attack Motivational Factors
      • External Threats
        i. Criminal Cyber Gangs
        ii. Former Employees
        iii. Consultants & Contractors
        iv. Casual Hackers & Script Kiddies
      • Insider Threats
        i. Malicious Insiders: Corporate Spies & Disgruntled Employees
        ii. Careless Staff: Policy Breakers and the Uninformed
      Technical Attacks
      • Malware Applications
        i. Viruses, Worms, Trojans
        ii. Spyware
        iii. Adware
      • Botnets
      • DNS
      • Denial of Service
      Human Attacks
      • Social Engineering
      • Identity Theft
      • Email Spam
  22. CICRAM™ IT Risk Assessment – Step #2: Determine Where Customer Information Is Located
      (Diagram: Data Flow Regions – IT Risks across Business Partners, Infrastructure and Application Systems)
  23. CICRAM™ IT Risk Assessment – Step #3: Document The IT Operational Environment: IT Systems & Applications
      Use IT auditing tools and methods like questionnaires, interviews and diagrams to document the IT systems and applications.
  24. CICRAM™ IT Risk Assessment – Step #4: Select an Information Security Controls Framework
      • Each “Standard” may contain similar information security controls.
      • Resolve circular references and overlapping IT controls across the multiple frameworks.
      • Use hierarchical clustering to group IT Controls into categories.
      (Diagram: ISO 17799, FFIEC & FTC Security Standards Program for safeguarding customer information, COBIT, NIST SP 800, SANS & ITGI and PCI, plus current information from the SANS Institute, Analysts and IT Security Industry Best Practices, combine into Your Organization’s Controls Framework)
  25. CICRAM™ IT Risk Assessment – Step #5: Select Key IT Risk Assessment Factors
      IT Risk Assessment “Factors”:
      • Customer Information Security (Confidentiality)
      • Improper/Incorrect Transaction Data (Integrity)
      • Infrastructure Stability/Change Control (Availability)
      • Customer Confidence / Stewardship (Reputation)
      • Regulatory Compliance (Legal)
      • Fraud / Data Breach (Financial Loss)
  26. CICRAM™ IT Risk Assessment – Step #6: Determine an IT Risks Numerical Rating Scale
      Numerical IT Risk Rating Definitions
      • Level 0 – Functional control area is not relevant
      • Level 1 – Functional control area poses an insignificant risk: the significance of a control failure is low or not relevant
      • Level 2 – Functional control area poses a minimal risk potential: the significance of a control failure is minor
      • Level 3 – Functional control area poses a moderate risk potential: the significance of a control failure is considerable
      • Level 4 – Functional control area poses an elevated risk potential: the significance of a control failure is extensive
      • Level 5 – Functional control area poses a significant risk potential: the implications of a control failure are severe
        Color    Range    Risk
        White    0        N/A
        Green    1-2      Low
        Yellow   3-4      Medium
        Red      5        High
  27. CICRAM™ IT Risk Assessment – Step #7: Assess “Baseline” High Level Risks
      Use the Control Matrix and apply Threat Analysis to develop a Heat Map of Baseline IT Risks.
      Heat Map of Baseline IT Risks (rows are Information Security Technical Controls; each row carries six Level 0-5 ratings):
        External Network Security - Perimeter Defense Systems                5 4 4 3 5 3
        Internal Network Security - Back Office User Authentication Systems  4 4 3 3 5 4
        Virus and Malware Protection                                         4 4 4 4 3 4
        Backup / Recovery                                                    2 0 5 2 5 3
        Monitoring and Logging                                               3 3 2 2 2 1
  28. CICRAM™ IT Risk Assessment – Step #8: Determine an IT Control Numerical Rating Scale
      IT Control Maturity Rating
      • Stage 0 – Nonexistent
      • Stage 1 – Initial/Ad Hoc
      • Stage 2 – Repeatable but Intuitive
      • Stage 3 – Defined Process
      • Stage 4 – Managed and Measurable
      • Stage 5 – Optimized
      Information Security Control Maturity Model: CMM ratings are based on Carnegie Mellon’s Process Improvement Model Ratings Scale, CMMI (www.sei.cmu.edu/cmmi/general/index.html).
  29. CICRAM™ IT Risk Assessment – Step #9: Assess IT Control Effectiveness
      Control matrix columns: Process Function | High Level Objective | Control Objectives | Ref # | Control Maturity | GAP Exists | Comments
      Process Function: External Network Security - Perimeter Defense Systems
      High Level Objectives:
        • Deployment of DMZ
        • Deployment of Network FIREWALL
        • Deployment of Network IDS/IPS Impl.
        • Deployment of Wireless Encryption - Authentication
      Control Objective for each of the above (Ref # IT.B.3.1): “Where network connectivity is used, appropriate controls, including firewalls, intrusion detection and vulnerability assessments, exist and are used to prevent unauthorized access.”
      (The Control Maturity, GAP Exists and Comments columns are blank on the slide.)
  30. CICRAM™ IT Risk Assessment – Step #10: Adjust Baseline Risks for Control Effectiveness
      Use Control Effectiveness Ratings to adjust Baseline IT Risks.
      Heat Map of IT Risks Adjusted for Control Effectiveness (rows are Information Security Technical Controls; each row carries six Level 0-5 ratings):
        External Network Security - Perimeter Defense Systems                3 3 3 2 2 2
        Internal Network Security - Back Office User Authentication Systems  4 4 3 3 2 3
        Virus and Malware Protection                                         4 3 3 3 2 3
        Backup / Recovery                                                    1 0 3 3 2 2
        Physical Security / Environmental                                    3 2 3 2 2 1
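      The following worked example is added here to show how steps 6 through 10 fit together in code; it is not the author's or CICRAM's tooling. The color bands (slide 26), maturity stages (slide 28) and baseline heat map rows (slide 27) are taken from the slides. Everything else is an assumption for illustration: the rule for how much credit each maturity stage earns (MATURITY_REDUCTION), the per-area maturity stages (SAMPLE_MATURITY), and the residual-risk floor that keeps a non-zero baseline from ever reaching zero (slide 18 states the principle but not a rule).

```python
# Added worked example of the CICRAM-style rating steps (slides 26-30).
# Not the author's tooling. Bands, stages and baseline rows come from the
# slides; the reduction rule, the sample maturities and the residual floor
# are ASSUMPTIONS made for illustration only.

# Slide 26: numeric risk level -> (low, high, color, risk) band.
RISK_BANDS = (
    (0, 0, "White", "N/A"),
    (1, 2, "Green", "Low"),
    (3, 4, "Yellow", "Medium"),
    (5, 5, "Red", "High"),
)

# Slide 28: IT control maturity stages (CMM-style).
MATURITY_STAGES = {
    0: "Nonexistent",
    1: "Initial/Ad Hoc",
    2: "Repeatable but Intuitive",
    3: "Defined Process",
    4: "Managed and Measurable",
    5: "Optimized",
}

# ASSUMPTION: how many risk levels a control at a given maturity stage removes.
# Chosen so ad hoc controls (stage 0-1) earn no credit and only measured or
# optimized controls (stage 4-5) earn full credit. The slides state no rule.
MATURITY_REDUCTION = {0: 0, 1: 0, 2: 1, 3: 1, 4: 2, 5: 2}

# Slide 27: baseline heat map rows, six Level 0-5 ratings per control area.
BASELINE_HEAT_MAP = {
    "External Network Security - Perimeter Defense Systems": [5, 4, 4, 3, 5, 3],
    "Internal Network Security - Back Office User Authentication Systems": [4, 4, 3, 3, 5, 4],
    "Virus and Malware Protection": [4, 4, 4, 4, 3, 4],
    "Backup / Recovery": [2, 0, 5, 2, 5, 3],
    "Monitoring and Logging": [3, 3, 2, 2, 2, 1],
}

# Constructed sample maturity stage per control area (not from the slides).
SAMPLE_MATURITY = {
    "External Network Security - Perimeter Defense Systems": 4,
    "Internal Network Security - Back Office User Authentication Systems": 2,
    "Virus and Malware Protection": 3,
    "Backup / Recovery": 1,
    "Monitoring and Logging": 0,
}


def risk_band(level: int) -> tuple[str, str]:
    """Map a Level 0-5 rating to its (color, risk) band from slide 26."""
    if not isinstance(level, int) or not 0 <= level <= 5:
        raise ValueError(f"risk level must be an integer 0-5, got {level!r}")
    for low, high, color, label in RISK_BANDS:
        if low <= level <= high:
            return color, label
    raise AssertionError("unreachable: the bands cover every level 0-5")


def adjust_for_maturity(baseline: int, maturity: int) -> int:
    """Step 10: lower a baseline rating by the credit its control's maturity earns.

    Residual risk (slide 18): a non-zero baseline never drops to 0, because
    controls almost never eliminate a risk entirely. A Level 0 (N/A) area stays 0.
    """
    risk_band(baseline)  # validates the 0-5 range
    if maturity not in MATURITY_STAGES:
        raise ValueError(f"maturity stage must be 0-5, got {maturity!r}")
    if baseline == 0:
        return 0
    residual_floor = 1  # ASSUMPTION: the lowest a real risk can be rated after controls
    return max(residual_floor, baseline - MATURITY_REDUCTION[maturity])


def adjusted_heat_map(baseline: dict, maturity_by_area: dict) -> dict:
    """Build the step-10 heat map: every cell becomes (adjusted level, color)."""
    result = {}
    for area, ratings in baseline.items():
        stage = maturity_by_area.get(area, 0)  # unknown maturity earns no credit
        cells = []
        for rating in ratings:
            level = adjust_for_maturity(rating, stage)
            cells.append((level, risk_band(level)[0]))
        result[area] = cells
    return result


def high_risk_cells(heat_map: dict) -> list:
    """(area, column index) pairs still in the Red band after adjustment."""
    return [
        (area, i)
        for area, cells in heat_map.items()
        for i, (_, color) in enumerate(cells)
        if color == "Red"
    ]


if __name__ == "__main__":
    adjusted = adjusted_heat_map(BASELINE_HEAT_MAP, SAMPLE_MATURITY)
    for area, cells in adjusted.items():
        stage = SAMPLE_MATURITY[area]
        print(f"{area} (maturity {stage}: {MATURITY_STAGES[stage]})")
        print("    " + " ".join(f"{level}/{color}" for level, color in cells))
    print("Red cells remaining:", high_risk_cells(adjusted))
```

      Run as a script, the output lists each control area with its adjusted six ratings and color, then the cells still rated Red; with the constructed maturities only the Backup / Recovery row, whose control is still ad hoc, keeps its two Level 5 cells. Replacing MATURITY_REDUCTION and the residual floor with an organization's own agreed rule is the point of step 8: the rule must be written down before the heat map is adjusted, or the adjusted map cannot be reproduced next year.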
  31. CICRAM™ IT Risk Assessment – Step #11: Generate Narrative IT Risk Report Document
      Develop a Written Report.
  32. CICRAM™ IT Risk Assessment – Step #12: Present Risk Report and Findings to Management
      Congratulations, You Get To Do This Again Next Year!
  33. CICRAM™ IT Risk Assessment Methodology – Paradigm Shift! Customer Information Centric IT Risk Assessments
      Questions?
      Fernando A. Reiser – freiser@bankitsecurity.com