Paradigm Shift! - Customer Information Centric IT Risk Assessments

Readers will be exposed to a methodology for the evaluation of information security risks based on the “Value” of customer/employee information rather than on the “Economic Value” of the information to the organization.

Published in: Business
Transcript

  • 1. Paradigm Shift! Customer Information Centric IT Risk Assessments. The CICRAM™ IT Risk Assessment Methodology for GLBA & HIPAA Compliance. May 7th 2009. CICRAM™ IT Risk Assessment Methodology © Copyright 2004-2009 Fernando Reiser, All Rights Reserved
  • 2. Why Perform IT Risk Assessments?
    • Management Request
    • Regulatory Requirement
    • IT Best Practice
  • 3. What is “RISK”?
    • First and most obvious, “Risk” is a probability issue.
    • “Risk” has both a frequency and a magnitude component.
    • The fundamental nature of “Risk” is universal, regardless of its context.
    An Introduction to Factor Analysis of Information Risk (FAIR): A framework for understanding, analyzing, and measuring information risk. Jack A. Jones, CISSP, CISM, CISA
    “Risk is the association of the probability/frequency of a negative event occurrence, with the projected magnitude of a future loss.” Fernando A. Reiser CISSP, CISM, CISA, CIPP – April 2009
  • 4. The Basic “IT Risk” Formula. It’s All About IT Risk. Information Security Professionals generally can agree that: IT Controls mitigate Risk by lowering the Probability of a Threat acting on a Vulnerability to harm an organization’s Asset.
  • 5. Assessing “IT Risk”: High Level Goals & Objectives
    • Assess current threats & vulnerabilities
    • Identify and assess “Risk Factors” to the Organization
    • Present information in a way that management can use to make informed business decisions based on risk.
    Processes
    • Identify assets – information stores & IT systems.
    • Quantify the probability of a negative event occurrence.
    • Determine the value of information & IT assets.
    • Assess the business impact of negative events.
  • 6. Assessing “IT Risk”: It’s a simple concept, but a difficult and complex analytical problem to solve. Most IT Risk Assessment Methodologies attempt to determine the Threats, Vulnerabilities, Negative Event Likelihood and Information Security Impacts to specific IT Assets.
  • 7. What IT Risk Assessment Methodology Should I Use?
    Quantitative Risk Analysis: two basic elements are estimated: the probability of a negative event, the “ARO” (annual rate of occurrence), and the likely financial loss from a single occurrence, the “SLE” (single loss expectancy). The annual loss expectancy is then calculated as ALE = ARO × SLE.
    Qualitative Risk Analysis: by far the most widely used approach to risk analysis. Numeric probability data is not required; likelihood and impact are rated on ordinal scales (for example Low/Medium/High) instead of being computed as an expected financial loss.
  • 8. What IT Risk Assessment Methodology Should I Use? “Published” IT Risk Assessment Methodologies
    Quantitative Methodologies: CRAMM, BITS (Kalculator), FAIR, FMEA
    Qualitative Methodologies: FRAP, COBRA, OCTAVE
  • 9. Assessing IT Risk: “The Problem in the security world is we often lack the data to do risk management well. Technological risks are complicated and subtle.” “We don’t know how well our network security will keep the bad guys out, and we don’t know the cost to the company if we don’t keep them out.” Does risk management make sense? Bruce Schneier – Oct 2008
  • 10. In Addition, Traditional IT Risk Assessment Methodologies Do Not Assess IT Risks To Customer Information:
    • Storage
    • Transmission
    • Access & Processing
    I Stipulate That The IT Security Profession Has A Dirty Little Secret ...
  • 11. Randy Pausch Said In His Now Famous “Last Lecture” … “When There Is An Elephant In The Room Introduce Him” (Randy Pausch Graphic – www.thelastlecture.com) “Most IT Security Professionals Cannot Accurately Assess IT Risks.” Fernando A. Reiser CISSP, CISM, CISA, CIPP – April 2009
  • 12. In fact, many Information Security professionals cannot even agree on a definition of IT Risk! “Ask a dozen information security professionals to define risk and you’re certain to get several different answers.” An Introduction to Factor Analysis of Information Risk (FAIR), Jack A. Jones, CISSP, CISM, CISA. “Technically speaking, risk is the probability of a threat agent exploiting a vulnerability and the resulting business impact.” Understanding Risk, Shon Harris CISSP - 2006. If security professionals cannot agree on what the risks are, how can we accurately assess “IT Risks”?
  • 13. What Are Leading Information Security Professionals Saying About Current IT Risk Assessment Processes & Models?
    • Number-driven risk metrics ‘fundamentally broken’ – Amit Yoran, former National Cyber Security Division director
    • Why Johnny Can’t Evaluate Security Risk – George Cybenko, Editor in Chief
    • Taking the risk out of IT risk management – Jim Hietala, October 16, 2008
    • Why you shouldn’t wager the house on risk management models – Bruce Schneier and Marcus Ranum, Oct 2008
    • It’s time to think differently about protecting data – Bill Ledingham, September 10, 2008
  • 14. There Is A Problem With Many IT Risk Assessment Processes. Traditional IT Risk Assessment Methodologies are primarily focused on the risks and impacts to the organization that is being assessed. The impact to the confidentiality or integrity of customer and employee information is not assessed! (Graphic - Microsoft)
  • 15. Why Are Risks to Customer Information Important?
    • Regulatory Requirements: Financial Industry – GLBA; Health Care – HIPAA; Higher Education – FERPA; State Data Breach laws
    • Organizational Reputation
    • Industry Standards: Retail – PCI
    (Graphic - Microsoft)
  • 16. The CICRAM™ IT Risk Assessment Methodology for GLBA & HIPAA Compliance: A Paradigm Shift In IT Risk Assessment Methodologies! Assess Risks To Customer & Employee Information, Rather Than Operational IT Risks To The Organization.
  • 17. CICRAM™ IT Risk Assessment Methodology Core Concepts: A Simplified View of IT Risks
    Risk = (Threat × Vulnerability × Asset Value) / Countermeasures
    An IT Risk is defined within CICRAM™ as the likelihood of a Threat acting on a Vulnerability to harm an asset, which causes a negative impact.
  • 18. CICRAM™ IT Risk Assessment Methodology Core Concepts:
    • There are an infinite number of “Latent” vulnerabilities in software systems that allow attackers to breach computer systems.
    • There is a sufficiently high number of “Threats” that, given enough time, the likelihood of a vulnerability being exploited is 100%.
    • “Customer Information” has an inherently high value.
    • Assess “Risks” by following the movement of Customer Information.
    • Assess the effects of an IT control failure. The “Worst Case Scenario” becomes the “Baseline” for the IT Risk Assessment.
    • Effective IT controls reduce risks.
    • IT Risks are almost never reduced to zero by the implementation of IT controls; there is usually some “Residual Risk”.
  • 19. CICRAM™ IT Risk Assessment Methodology Core Concepts: There are only a few actions that can be performed with an Organization’s Customer Information, and each maps to an information security risk factor:
    Information Action -> Security Risk Factor
    View / Access / Use -> Confidentiality
    Copy -> Confidentiality
    Modify -> Integrity
    Loss -> Confidentiality
    Delete / Destroy -> Integrity and Availability
  • 20. CICRAM™ IT Risk Assessment Methodology: “A Hybrid IT Risk Assessment Process”
    • Use Qualitative Analysis methods to determine current IT “Threats”.
    • Utilize “Data Flow” concepts to analyze risks to Customer Information as it moves across various environments.
    • Use Interrogative & RIIOT methods to document the IT environment used to transmit, manipulate and store customer data.
    • Use Qualitative Analysis methods to develop a “Baseline” of IT Risks for an IT environment that does not have any IT controls.
    • Use Control Maturity Modeling and Quantitative Analysis methods to assess the effectiveness of current IT controls.
    • Use Quantitative Analysis methods to determine the risk reduction impact of current IT controls.
  • 21. CICRAM™ IT Risk Assessment Step#1 – Assess The Current IT Threat Environment
    Attack Motivational Factors
    • External Threats: i. Criminal Cyber Gangs; ii. Former Employees; iii. Consultants & Contractors; iv. Casual Hackers & Script Kiddies
    • Insider Threats: i. Malicious Insiders: Corporate Spies & Disgruntled Employees; ii. Careless Staff: Policy Breakers and the Uninformed
    Technical Attacks
    • Malware Applications: i. Viruses, Worms, Trojans; ii. Spyware; iii. Adware
    • Botnets
    • DNS
    • Denial of Service
    Human Attacks
    • Social Engineering
    • Identity Theft
    • Email Spam
  • 22. CICRAM™ IT Risk Assessment Step#2 – Determine Where Customer Information Is Located. Data Flow Regions (each carrying IT Risks): Business Partners, Infrastructure, Application Systems.
  • 23. CICRAM™ IT Risk Assessment Step#3 – Document The IT Operational Environment: IT Systems & Applications. Use IT auditing tools and methods like questionnaires, interviews and diagrams to document the IT systems and applications.
  • 24. CICRAM™ IT Risk Assessment Step#4 - Select an Information Security Controls Framework
    • Each “Standard” may contain similar information security controls.
    • Resolve circular references and overlapping IT controls across the multiple frameworks.
    • Use hierarchical clustering to group IT Controls into categories.
    Source standards: ISO 17799; FFIEC & FTC security standards for a program safeguarding customer information; COBIT; NIST SP 800; SANS & ITGI PCI Controls
    + Your Organization’s Controls
    + Current information from: SANS Institute, Security Analysts, Industry Best Practices
    = IT Control Framework
  • 25. CICRAM™ IT Risk Assessment Step#5: Select Key IT Risk Assessment Factors. IT Risk Assessment “Factors”:
    • Customer Information Security (Confidentiality)
    • Improper/Incorrect Transaction Data (Integrity)
    • Infrastructure Stability/Change Control (Availability)
    • Customer Confidence / Stewardship (Reputation)
    • Regulatory Compliance (Legal)
    • Fraud / Data Breach (Financial Loss)
  • 26. CICRAM™ IT Risk Assessment Step#6: Determine an IT Risk Numerical Rating Scale
    NUMERICAL IT RISK RATING DEFINITIONS
    Level 0 - Functional control area is not relevant
    Level 1 - Functional control area poses an insignificant risk: the significance of a control failure is low or not relevant
    Level 2 - Functional control area poses a minimal risk potential: the significance of a control failure is minor
    Level 3 - Functional control area poses a moderate risk potential: the significance of a control failure is considerable
    Level 4 - Functional control area poses an elevated risk potential: the significance of a control failure is extensive
    Level 5 - Functional control area poses a significant risk potential: the implications of a control failure are severe
    Colour bands for the heat maps (Colour / Level range / Risk): White / 0 / N/A; Green / 1-2 / Low; Yellow / 3-4 / Medium; Red / 5 / High
  • 27. CICRAM™ IT Risk Assessment Step #7: Assess “Baseline” High Level Risks. Use the Control Matrix and apply Threat Analysis to develop a Heat Map of Baseline IT Risks.
    Heat Map of Baseline IT Risks (one row per control area, six ratings per row):
    Information Security Technical Controls
      External Network Security - Perimeter Defense Systems: 5 4 4 3 5 3
      Internal Network Security - Back Office User Authentication Systems: 4 4 3 3 5 4
      Virus and Malware Protection: 4 4 4 4 3 4
      Backup / Recovery: 2 0 5 2 5 3
      Monitoring and Logging: 3 3 2 2 2 1
  • 28. CICRAM™ IT Risk Assessment Step#8: Determine an IT Control Numerical Rating Scale
    IT CONTROL MATURITY RATING
    Stage 0 – Nonexistent
    Stage 1 - Initial/Ad Hoc
    Stage 2 - Repeatable but Intuitive
    Stage 3 - Defined Process
    Stage 4 - Managed and Measurable
    Stage 5 - Optimized
    Information Security Control Maturity Model: CMM ratings are based on Carnegie Mellon’s Process Improvement Model ratings scale, CMMI (www.sei.cmu.edu/cmmi/general/index.html).
  • 29. CICRAM™ IT Risk Assessment Step #9: Assess IT Control Effectiveness. Worksheet columns: Process Function | High Level Objective | Control Objectives | Ref # | Control Maturity | GAP Exists | Comments
    Process Function: External Network Security - Perimeter Defense Systems
    High Level Objective (Ref # IT.B.3.1): Where network connectivity is used, appropriate controls, including firewalls, intrusion detection and vulnerability assessments, exist and are used to prevent unauthorized access.
    Control Objectives assessed against that objective:
      • Deployment of DMZ
      • Deployment of Network FIREWALL
      • Deployment of Network IDS/IPS
      • Deployment of Wireless Encryption - Authentication
    (Control Maturity, GAP Exists and Comments are filled in per control objective during the assessment.)
  • 30. CICRAM™ IT Risk Assessment Step#10: Adjust Baseline Risks for Control Effectiveness. Use Control Effectiveness Ratings to adjust Baseline IT Risks.
    Heat Map of IT Risks Adjusted for Control Effectiveness (one row per control area, six ratings per row):
    Information Security Technical Controls
      External Network Security - Perimeter Defense Systems: 3 3 3 2 2 2
      Internal Network Security - Back Office User Authentication Systems: 4 4 3 3 2 3
      Virus and Malware Protection: 4 3 3 3 2 3
      Backup / Recovery: 1 0 3 3 2 2
      Physical Security / Environmental: 3 2 3 2 2 1
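  Worked example for Steps 6 through 10 (rating scale, baseline heat map, control maturity, gap check and adjusted heat map), added here as an illustration; it is not the author's tooling and not part of the slides. The baseline ratings are the ones on the Step 7 slide and the colour bands and maturity stages are the ones on the Step 6 and Step 8 slides. Everything else is assumed: the slides do not state how a maturity rating is turned into a risk reduction, so the linear one-sixth-per-stage reduction with a floor of 1 is a made-up model (chosen so that a non-zero risk never adjusts to zero, as slide 18 says), the Stage 3 gap threshold is an assumption, the maturity values are constructed sample inputs, and the mapping of the six columns to the Step 5 risk factors is an assumption. All function names are this example's own.

```python
"""Baseline-to-adjusted IT risk heat map in the shape of CICRAM Steps 6-10.

Added example, not the author's tooling. The slides give the 0-5 risk scale,
the colour bands, the 0-5 control maturity stages and a baseline heat map,
but not the adjustment formula; the one below is an assumption.
"""
from __future__ import annotations

# Step 5 risk factors. Assumption: the six ratings per row on the Step 7 and
# Step 10 slides correspond to these factors in this order.
RISK_FACTORS = ("Confidentiality", "Integrity", "Availability",
                "Reputation", "Legal", "Financial")

# Step 7 baseline ratings, copied from the "Heat Map of Baseline IT Risks"
# slide (no IT controls assumed).
BASELINE = {
    "External Network Security - Perimeter Defense Systems": [5, 4, 4, 3, 5, 3],
    "Internal Network Security - Back Office User Authentication Systems": [4, 4, 3, 3, 5, 4],
    "Virus and Malware Protection": [4, 4, 4, 4, 3, 4],
    "Backup / Recovery": [2, 0, 5, 2, 5, 3],
    "Monitoring and Logging": [3, 3, 2, 2, 2, 1],
}

# Step 8 control maturity stages (0 Nonexistent ... 5 Optimized).
# Constructed sample values, not taken from the slides.
MATURITY = {
    "External Network Security - Perimeter Defense Systems": 4,
    "Internal Network Security - Back Office User Authentication Systems": 2,
    "Virus and Malware Protection": 3,
    "Backup / Recovery": 1,
    "Monitoring and Logging": 0,
}

# Assumption: a control area below Stage 3 "Defined Process" is reported as a gap.
TARGET_MATURITY = 3


def risk_band(level: int) -> tuple[str, str]:
    """Step 6 colour band for a 0-5 risk level, as (colour, risk label)."""
    if not 0 <= level <= 5:
        raise ValueError(f"risk level must be 0-5, got {level}")
    if level == 0:
        return ("White", "N/A")
    if level <= 2:
        return ("Green", "Low")
    if level <= 4:
        return ("Yellow", "Medium")
    return ("Red", "High")


def residual_risk(baseline: int, maturity: int) -> int:
    """Step 10: adjust one baseline rating for the maturity of its control area.

    Assumed model: each maturity stage removes one sixth of the baseline,
    rounded up (integer ceiling division), and a non-zero baseline never
    drops below 1 because controls leave residual risk (slide 18).
    """
    if not 0 <= baseline <= 5:
        raise ValueError(f"baseline must be 0-5, got {baseline}")
    if not 0 <= maturity <= 5:
        raise ValueError(f"maturity must be 0-5, got {maturity}")
    if baseline == 0:
        return 0  # a control area that is not relevant stays at 0
    reduced = (baseline * (6 - maturity) + 5) // 6  # ceil(baseline * (6 - m) / 6)
    return max(1, reduced)


def adjusted_heat_map(baseline: dict[str, list[int]] = BASELINE,
                      maturity: dict[str, int] = MATURITY) -> dict[str, list[int]]:
    """Step 10 heat map: every baseline cell adjusted by its row's maturity."""
    return {area: [residual_risk(b, maturity[area]) for b in row]
            for area, row in baseline.items()}


def control_gaps(maturity: dict[str, int] = MATURITY,
                 target: int = TARGET_MATURITY) -> list[str]:
    """Step 9: control areas whose maturity stage is below the target stage."""
    return [area for area, stage in maturity.items() if stage < target]


def render(heat_map: dict[str, list[int]]) -> str:
    """Plain-text heat map: each cell is the level plus the colour's initial."""
    header = f"{'Control area':<68}" + "".join(f"{f[:6]:>8}" for f in RISK_FACTORS)
    lines = [header]
    for area, row in heat_map.items():
        cells = "".join(f"{level}{risk_band(level)[0][0]}".rjust(8) for level in row)
        lines.append(f"{area:<68}" + cells)
    return "\n".join(lines)


if __name__ == "__main__":
    print("Baseline (Step 7):")
    print(render(BASELINE))
    print("\nAdjusted for control effectiveness (Step 10):")
    print(render(adjusted_heat_map()))
    print(f"\nControl gaps below Stage {TARGET_MATURITY} (Step 9):")
    for area in control_gaps():
        print(f"  {area} (Stage {MATURITY[area]})")
```

  Two properties of the procedure show up in the output regardless of which adjustment model is plugged in: a control area at Stage 0 leaves its baseline row unchanged, and even Stage 5 controls never bring a relevant risk below Level 1, which is the residual risk that the report to management has to carry explicitly rather than hide behind a green cell.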
  • 31. CICRAM™ IT Risk Assessment Step#11: Generate Narrative IT Risk Report Document. Develop a Written Report.
  • 32. CICRAM™ IT Risk Assessment Step#12: Present Risk Report and Findings to Management. Congratulations, You Get To Do This Again Next Year!
  • 33. CICRAM™ IT Risk Assessment Methodology. Paradigm Shift! Customer Information Centric IT Risk Assessments. Questions? Fernando A. Reiser freiser@bankitsecurity.com
