Risk mgmt key to security certifications v2


Published on

Presentation about risk management and security compliance, governance and certification

1 Comment
  • I appreciate your post. I also wrote that SMS advertising provides a cost effective method of targeting promotions to specific customer profiles. You might want to remind customers of specific events or promotions, but for whatever reasons, SMS allows you to pass information directly to the right customer at very affordable prices and fast delivery.
    iso 9000
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Risk mgmt key to security certifications v2

  1. 1. Risk Management Key to Security Certifications Risk Management Summit jorge.sebastiao@its.ws
  2. 2. Standards ISO 27000 – principles and vocabulary ISO 27001 – ISMS requirements (BS7799 – Part 2) ISO 27002 – (ISO/ IEC 17799:2005) ISO 27003 – ISMS Implementation guidelines ISO 27004 – ISMS Metrics and measurement ISO 27005 – ISMS Risk Management ISO 27031 - ICT readiness for business continuity BS25999 – Business Continuity Management
  3. 3. Certification Objective
  4. 4. British Standard BS25999 The BCM Lifecycle: BS 25999-1 2006 BCM Programme Management Understanding the organization Determining BCM strategy Developing & implementing BCM response Exercising, maintaining & reviewing
  5. 5. High level BC & Security policy management technical risk assets threats vulnerability influence Possibility of occurence Non-technical Risk management Implement of plan Policy Driven Process
  6. 6. ISO 27004 : Metrics & Measurement ISO/IEC has a new project to develop an ISMS Metrics and Measurements Standard This development is aimed at addressing how to measure the effectiveness of ISMS implementations (processes and controls) Performance targets What to measure How to measure When to measure
  7. 7. ISO 27005: ISMS Risk Management A new standard on ‘Information Security Risk Management’ This standard is being drawn up by the DTI/Cabinet Office – with significant input from CSIA (central Sponsor for Information Assurance) Will be linked to MITS-2 - a new management standard for ICT risk management Leverages ISO13335-4
  8. 8. Organizational Operational 1. Security policy 2. Organizating security 3. Asset Management 7. Access control 4. HR security 5. Physical and environmental security 8. Systems development and maintenance 6. Communicati ons and operations management 9. Business continuity management 10. Compliance 11. Incidence Managment 11 Key contexts ISO27001
  9. 9. Asset Identification and Valuation Identification of Vulnerabilities Identification of Threats Evaluation of Impacts Business Risks Review of existing security controls Risk Assessment Rating/ranking of Risks Risk Management Identification of new security controls Policy and Procedures Implementation and Risk Reduction Risk Acceptance (Residual risk) Gap analysis Degree of Assurance Risk Assessment & Mgmt Process
  10. 10. Quantitative Risk Analysis 2 fundamental elements probability of event likely loss Annual Loss Expectancy, ALE’ or ‘Estimated Annual Cost, EAC’ ALE or EAC calculated by multiplying the potential loss by the probability Rank events in order of risk & make priorities Problem with risk analysis: associated with the unreliability & inaccuracy of the data Probability not precise Controls and countermeasures often tackle interrelated events
  11. 11. Qualitative Risk Analysis Most widely used approach to risk analysis Probability data NOT required Make use of the following interrelated elements: Threats: things that can go wrong or can ‘attack’ the system. E.g. fire or fraud Vulnerabilities: make a system more prone to attack E.g. a vulnerability for fire would be the presence of inflammable materials (e.g. paper) Impact: loss as a result of threats. E.g. loss of reputation and interruption of business activity.
  12. 12. Process Asset Register Project evaluation Process Mapping Evaluating System Risk Assessment Applying Controls Writing Statement Initial Assessment Pre- Assessment Awareness Client timeline Implementation Process Gap Analyses
  13. 13. Threats Environmental Natural Disasters Unexpected (“OOPS” factor) Cyber terrorism Viruses Threats Industrial Espionage
  14. 14. Business Risks Employee & customer privacy Legislative violations Financial loss Intellectual capital Litigation Public Image/Trust Business Risks
  15. 15. Threats and Risk
  16. 16. 16 Complexity: Increased Risk “The Future of digital systems is complexity, and complexity is the worst enemy of security.” Bruce Schneier Crypto-Gram Newsletter, March 2000
  17. 17. 17 More complexity more Security Flaws Complexity & Reliability Risk 1 – 10 Simple procedure, little risk 11- 20 More Complex, moderate risk 21 – 50 Complex , high risk >50 Untestable, VERY HIGH RISK Complexity & Bad Fix Probability Essential Complexity (Un-structuredness) & Maintainability (future Reliability) Risk 1 – 4 Structured, little risk > 4 Unstructured, High Risk Structural Analysis … Providing Actionable Metrics Complexity and Risk
  18. 18. Examples - 1
  19. 19. Examples - 2
  20. 20. Can you afford it? eBay 12 June 1999 outage: 22 hrs. Operating System failure Cost: $3 million to $5 million revenue hit 26% decline in stock price AT&T 13 April 1998 outage: 6 to 26 hrs. Software Upgrade Cost: $40 million in rebates Forced to file SLAs with the FCC (frame relay) MCI August 1999 frame relay outage: 10 days Software Upgrade Cost: Up to 20 days free service to 3,000 enterprises Hershey Foods September 1999 system failures Application Rollout Cost: delayed shipments; 12% decrease in 3Q99 sales; 19% drop in net income from 3Q98 Dev. Bank of Singapore 1 July 1999 to August 1999: Processing Errors Incorrect debiting of POS due to a system overload Cost: Embarrassment/loss of integrity; interest charges Charles Schwab & Co. 24 February 1999 through 21 April 1999: 4 outages of at least 4 hrs. Upgrades/Operator Errors Cost: ???; Announced that it had made a $70 million new infrastructure investment. Causes of Unplanned Application Downtime Operator Errors 40% Application Failures 40% Technology Failures 20%
  21. 21. Sources of Disaster Survey of Disasters
  22. 22. Impact of Disaster 22 Productivity: Number of employees x impacted x hours out x burdened hours = ? productivity/ employees $millions minutes daystime $impact$billions Revenue: Direct loss, compensatory payment, lost future revenues, billing losses and investment losses direct financial/ customer Damaged reputation: Customers, competitors gain advantage, suppliers, financial markets, business partners damaged reputation Governance & performance: Revenue recognition, cash flow, credit rating, stock price, regulatory fines Governance Performance constant increase Indirect impact of downtime can be far more severe and unpredictable exponential increase
  23. 23. Importance of Critical Infrastructures
  24. 24. Business Continuity Management Business Impact Analysis Risk Analysis Recovery Strategy Group Plans and Procedures Business Continuity Planning Initiation Risk Reduction Implement Standby Facilities Create Planning Organization Testing PROCESS Change Management Education Testing Review Policy ScopeResourcesOrganization BCM Ongoing Process BCM Project
  25. 25. Business Continuity timeline Active Business A successful recovery
  26. 26. Processes - Business Continuity Mgmt Business Continuity Assessments / Audits Risk Analysis Business Impact Analysis Continuity Strategies Business Continuity Testing Awareness and Training
  27. 27. Processes - Workflow
  28. 28. Risk and PDCA Model Plan Act Check Do Test BCP BCP Residual Risks Implement Training Plan Risk Assessment
  29. 29. Risk Analysis provides focus High Medium Low Low Medium High Area of Major Concern
  30. 30. Risk = Application Prioritization Application Priority Rating Recovery RequirementsRecovery Time Objective AAA 0–6 Hours Disaster Recovery needed: Restoration at a geographically remote data center. Local Fail over should also be considered AA 6–12 Hours Disaster Recovery needed: Restoration at a geographically remote data center. Local Fail over should also be considered. A 12–24 Hours Disaster Recovery needed: Restoration at a geographically remote data center. Local Fail over should also be considered. B 24-48 Hours Fail over Local, Disaster Recovery C 48–96 Hours Scheduled/Delayed Recovery D Recovery in 1 Week Scheduled/Delayed Recovery E Recovery when Resources Permit Scheduled/Delayed Recovery
  31. 31. Metrics and Risk
  32. 32. Risk Management Elimination Reduction/Controls Transfer/Outsource Insurance Residual Not all risk can be eliminated via controls
  33. 33. DR Strategies Options Immediate, High-Impact Strategies Weekly Backup and Off-site Storage Daily Backup and Off-site Storage Weekly Mirroring & Electronic Vaulting Daily Mirroring & Electronic Vaulting Real-time Mirroring & Electronic Vaulting Vendor Agreements Quick Ship Agreements Owned Cold Site Owned Hot Site External Cold Site External Hot Site Decision Tree contains 5 x 2 x 4 = 40 strategic options
  34. 34. Strategy Optimization Recovery strategy must be optimized to business requirements Time CostofStrategy Mitigation LostRevenue Optimum Mitigation Strategy
  35. 35. Response and Risk approach Risk Management and Business Controls Events Incidents Crises Impact Monitor & resolve the “critical few” with crisis management team Assess impact of events & implement appropriate controls Monitor & resolve at appropriate level using processesIncident Management Process Crisis Management Process
  36. 36. New Technologies, New Risks Laptops Mobiles Bluetooth PDA Smart Card
  37. 37. Social Engineering Risk … 70 percent of those asked said they would reveal their computer passwords for a … Schrage, Michael. 2005. Retrieved from http://www.technologyreview.com/articles/05/03/issue/review_password.asp?p=1 Bar of chocolate
  38. 38. Framework must address Risk Threats Vulnerabilities Controls Risks Assets Security Requirements Business Impact exploit exposeincreaseincrease increase have protect against met by indicate reduce
  39. 39. 39 0 5 10 15 20 25 30 Number of Responses (n=35) Unauthorized manipulation of components, switches, breakers, etc. from the SCADA system Denial of service to SCADA system Disaster Recovery Software / patch management Operating system vulnerabilities Vandalism or sabotage (electronic) Computer viruses, worms, Trojan horses, zero day attacks Remote access/VPN SCADA Security Survey – May 2005 Example: Top SCADA Risks
  40. 40. Integration of Logical and Physical Business Security Management Physical Security Management ICT Security Management
  41. 41. Leveraging Standards ICT & Business Continuity Risk Key Performance Indicators CoBiT, Metrics ITIL ISO20000 ( & BS15000) ISO27001 ISO27031 BS25999
  42. 42. Risk Provides Focus High Medium Low High A B C Medium B B C Low C C D Business Impact Vulnerability
  43. 43. Part of Defense in depth
  44. 44. Risk Trade Offs Secure Low Risk Fast/EasyCheap In Risk Management there are trade-offs
  45. 45. Risk Management ISO27001 SOA Risk Assessment Risk Mitigation Controls ISO27031 BS25999 Risk Analysis Risk Management/Security Certifications
  46. 46. Questions