Presentation about risk management and security compliance, governance and certification


1. Risk Management: Key to Security Certifications
   Risk Management Summit
   jorge.sebastiao@its.ws

2. Standards
   - ISO 27000 – principles and vocabulary
   - ISO 27001 – ISMS requirements (BS7799 – Part 2)
   - ISO 27002 – (ISO/IEC 17799:2005)
   - ISO 27003 – ISMS implementation guidelines
   - ISO 27004 – ISMS metrics and measurement
   - ISO 27005 – ISMS risk management
   - ISO 27031 – ICT readiness for business continuity
   - BS25999 – Business Continuity Management

3. Certification Objective

4. British Standard BS25999
   The BCM Lifecycle (BS 25999-1, 2006):
   - BCM programme management
   - Understanding the organization
   - Determining BCM strategy
   - Developing & implementing BCM response
   - Exercising, maintaining & reviewing

5. High level BC & Security policy
   (Diagram labels: policy-driven process; management, technical and non-technical risk; assets, threats and vulnerability influence the possibility of occurrence; risk management; implementation of plan.)

6. ISO 27004: Metrics & Measurement
   ISO/IEC has a new project to develop an ISMS Metrics and Measurements Standard. This development is aimed at addressing how to measure the effectiveness of ISMS implementations (processes and controls):
   - Performance targets
   - What to measure
   - How to measure
   - When to measure

7. ISO 27005: ISMS Risk Management
   A new standard on 'Information Security Risk Management'. This standard is being drawn up by the DTI/Cabinet Office, with significant input from CSIA (Central Sponsor for Information Assurance). It will be linked to MITS-2, a new management standard for ICT risk management, and leverages ISO 13335-4.

8. 11 key contexts of ISO27001 (organizational and operational)
   1. Security policy
   2. Organizing security
   3. Asset management
   4. HR security
   5. Physical and environmental security
   6. Communications and operations management
   7. Access control
   8. Systems development and maintenance
   9. Business continuity management
   10. Compliance
   11. Incident management

9. Risk Assessment & Management Process
   Risk assessment: asset identification and valuation; identification of vulnerabilities; identification of threats; evaluation of impacts; business risks; review of existing security controls; rating/ranking of risks.
   Risk management: identification of new security controls; policy and procedures; implementation and risk reduction; risk acceptance (residual risk); gap analysis; degree of assurance.

10. Quantitative Risk Analysis
    Two fundamental elements: probability of event and likely loss.
    'Annual Loss Expectancy, ALE' or 'Estimated Annual Cost, EAC': ALE or EAC is calculated by multiplying the potential loss by the probability.
    Rank events in order of risk and set priorities.
    Problem with risk analysis: it is associated with the unreliability and inaccuracy of the data; probability is not precise; controls and countermeasures often tackle interrelated events.

11. Qualitative Risk Analysis
    Most widely used approach to risk analysis; probability data NOT required.
    Makes use of the following interrelated elements:
    - Threats: things that can go wrong or can 'attack' the system, e.g. fire or fraud.
    - Vulnerabilities: make a system more prone to attack, e.g. a vulnerability for fire would be the presence of inflammable materials (e.g. paper).
    - Impact: loss as a result of threats, e.g. loss of reputation and interruption of business activity.

12. Process
    (Client timeline: awareness, pre-assessment, initial assessment, implementation process, gap analyses.)
    Asset register; project evaluation; process mapping; evaluating system; risk assessment; applying controls; writing statement.

13. Threats
    Environmental; natural disasters; unexpected ("OOPS" factor); cyber terrorism; viruses; industrial espionage.

14. Business Risks
    Employee & customer privacy; legislative violations; financial loss; intellectual capital; litigation; public image/trust.

15. Threats and Risk

16. Complexity: Increased Risk
    "The future of digital systems is complexity, and complexity is the worst enemy of security." Bruce Schneier, Crypto-Gram Newsletter, March 2000

17. More complexity, more security flaws (Complexity and Risk)
    Complexity & reliability risk:
    - 1–10: simple procedure, little risk
    - 11–20: more complex, moderate risk
    - 21–50: complex, high risk
    - >50: untestable, VERY HIGH RISK
    Complexity & bad-fix probability.
    Essential complexity (un-structuredness) & maintainability (future reliability) risk:
    - 1–4: structured, little risk
    - >4: unstructured, high risk
    Structural analysis … providing actionable metrics.
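As an added illustration of the bands on slide 17 (example code written for this page, not from the deck or its author), the script below scores Python functions with a McCabe-style cyclomatic complexity count and maps each score to the slide's risk label. It assumes the slide's numbers are cyclomatic complexity (the slide does not name the metric, although "essential complexity" is McCabe terminology); the sample source is constructed for the example.

```python
"""Added example (not from the deck): bucket Python functions by
cyclomatic complexity using the slide's thresholds.

Assumption: the slide's bands (1-10, 11-20, 21-50, >50) refer to McCabe
cyclomatic complexity, counted here as 1 + the number of decision points
in the function. The sample source is constructed for the example.
"""
import ast

# (lower bound, upper bound, label) taken from the slide's table
COMPLEXITY_BANDS = [
    (1, 10, "simple procedure, little risk"),
    (11, 20, "more complex, moderate risk"),
    (21, 50, "complex, high risk"),
    (51, float("inf"), "untestable, VERY HIGH RISK"),
]

# statement/expression nodes that add one branch to the control-flow graph
_BRANCH_NODES = (ast.If, ast.For, ast.AsyncFor, ast.While,
                 ast.ExceptHandler, ast.IfExp)


def cyclomatic_complexity(func: ast.AST) -> int:
    """McCabe-style count: 1 + decision points (nested defs are included)."""
    complexity = 1
    for node in ast.walk(func):
        if isinstance(node, ast.comprehension):
            # the implicit loop plus every 'if' filter in the comprehension
            complexity += 1 + len(node.ifs)
        elif isinstance(node, _BRANCH_NODES):
            complexity += 1
        elif isinstance(node, ast.BoolOp):
            # each extra 'and'/'or' operand is a short-circuit branch
            complexity += len(node.values) - 1
    return complexity


def risk_band(complexity: int) -> str:
    """Map a complexity score to the slide's risk label."""
    for low, high, label in COMPLEXITY_BANDS:
        if low <= complexity <= high:
            return label
    raise ValueError(f"complexity must be >= 1, got {complexity}")


def assess_source(source: str) -> dict:
    """Return {function name: (complexity, risk band)} for every function."""
    report = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            score = cyclomatic_complexity(node)
            report[node.name] = (score, risk_band(score))
    return report


# Constructed sample: one trivial helper, one access-control check, and
# one long if/elif dispatcher that crosses into the "moderate risk" band.
SAMPLE_SOURCE = '''
def parse_header(line):
    return line.split(":", 1)

def authorize(user, resource, action):
    if user is None:
        return False
    if user.is_admin or user.id == resource.owner:
        return True
    for rule in resource.acl:
        if rule.subject == user.id and rule.action == action:
            return True
        if rule.subject in user.groups and rule.action == action:
            return True
    return False

def classify_event(code):
    if code == 1:
        return "login"
    elif code == 2:
        return "logout"
    elif code == 3:
        return "password-change"
    elif code == 4:
        return "privilege-grant"
    elif code == 5:
        return "privilege-revoke"
    elif code == 6:
        return "file-read"
    elif code == 7:
        return "file-write"
    elif code == 8:
        return "config-change"
    elif code == 9:
        return "service-start"
    elif code == 10:
        return "service-stop"
    elif code == 11:
        return "alert"
    return "unknown"
'''

if __name__ == "__main__":
    for name, (score, band) in assess_source(SAMPLE_SOURCE).items():
        print(f"{name:16} complexity={score:3}  {band}")
```

Run it against a real module by reading the file into `assess_source`; functions that land in the "high" or "untestable" bands are the ones where a security review should start, because they are the hardest to test exhaustively.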
18. Examples - 1

19. Examples - 2

20. Can you afford it?
    - eBay, 12 June 1999, outage: 22 hrs. Operating system failure. Cost: $3 million to $5 million revenue hit; 26% decline in stock price.
    - AT&T, 13 April 1998, outage: 6 to 26 hrs. Software upgrade. Cost: $40 million in rebates; forced to file SLAs with the FCC (frame relay).
    - MCI, August 1999, frame relay outage: 10 days. Software upgrade. Cost: up to 20 days free service to 3,000 enterprises.
    - Hershey Foods, September 1999, system failures. Application rollout. Cost: delayed shipments; 12% decrease in 3Q99 sales; 19% drop in net income from 3Q98.
    - Dev. Bank of Singapore, 1 July 1999 to August 1999: processing errors. Incorrect debiting of POS due to a system overload. Cost: embarrassment/loss of integrity; interest charges.
    - Charles Schwab & Co., 24 February 1999 through 21 April 1999: 4 outages of at least 4 hrs. Upgrades/operator errors. Cost: ???; announced that it had made a $70 million new infrastructure investment.
    Causes of unplanned application downtime: operator errors 40%, application failures 40%, technology failures 20%.

21. Sources of Disaster: Survey of Disasters

22. Impact of Disaster
    Productivity: number of employees impacted x hours out x burdened hours = ? (productivity / employees).
    Revenue: direct loss, compensatory payment, lost future revenues, billing losses and investment losses.
    Damaged reputation: customers, competitors gain advantage, suppliers, financial markets, business partners.
    Governance & performance: revenue recognition, cash flow, credit rating, stock price, regulatory fines.
    (Chart: $ impact, from $millions to $billions, against time, from minutes to days. Direct financial/customer impact shows a constant increase; indirect impact (damaged reputation, governance and performance) shows an exponential increase.)
    Indirect impact of downtime can be far more severe and unpredictable.

23. Importance of Critical Infrastructures

24. Business Continuity Management
    BCM project: initiation (policy, scope, resources, organization); business impact analysis; risk analysis; recovery strategy; group plans and procedures; business continuity planning; risk reduction; implement standby facilities; create planning organization; testing.
    BCM ongoing process: change management; education; testing; review.

25. Business Continuity timeline
    Active business; a successful recovery.

26. Processes - Business Continuity Management
    Business continuity assessments/audits; risk analysis; business impact analysis; continuity strategies; business continuity testing; awareness and training.

27. Processes - Workflow

28. Risk and PDCA Model
    Plan: risk assessment; Do: implement, training, BCP; Check: test BCP; Act: residual risks, plan.

29. Risk Analysis provides focus
    (Grid of High/Medium/Low against Low/Medium/High; the high/high corner is the area of major concern.)

30. Risk = Application Prioritization
    Priority rating | Recovery Time Objective | Recovery requirements
    AAA | 0–6 hours | Disaster recovery needed: restoration at a geographically remote data center. Local failover should also be considered.
    AA | 6–12 hours | Disaster recovery needed: restoration at a geographically remote data center. Local failover should also be considered.
    A | 12–24 hours | Disaster recovery needed: restoration at a geographically remote data center. Local failover should also be considered.
    B | 24–48 hours | Local failover, disaster recovery
    C | 48–96 hours | Scheduled/delayed recovery
    D | Recovery in 1 week | Scheduled/delayed recovery
    E | Recovery when resources permit | Scheduled/delayed recovery

31. Metrics and Risk

32. Risk Management
    Elimination; reduction/controls; transfer/outsource; insurance; residual.
    Not all risk can be eliminated via controls.

33. DR Strategies Options
    Immediate, high-impact strategies: weekly backup and off-site storage; daily backup and off-site storage; weekly mirroring & electronic vaulting; daily mirroring & electronic vaulting; real-time mirroring & electronic vaulting.
    Vendor agreements; quick-ship agreements; owned cold site; owned hot site; external cold site; external hot site.
    Decision tree contains 5 x 2 x 4 = 40 strategic options.

34. Strategy Optimization
    Recovery strategy must be optimized to business requirements.
    (Chart: cost of strategy/mitigation and lost revenue against time; the optimum mitigation strategy lies where the two curves meet.)

35. Response and Risk approach: Risk Management and Business Controls
    - Events: assess impact of events & implement appropriate controls.
    - Incidents: monitor & resolve at the appropriate level using processes (Incident Management Process).
    - Crises: monitor & resolve the "critical few" with the crisis management team (Crisis Management Process).

36. New Technologies, New Risks
    Laptops; mobiles; Bluetooth; PDA; smart card.

37. Social Engineering Risk
    "… 70 percent of those asked said they would reveal their computer passwords for a …" bar of chocolate.
    Schrage, Michael. 2005. Retrieved from http://www.technologyreview.com/articles/05/03/issue/review_password.asp?p=1

38. Framework must address Risk
    (Diagram entities: threats, vulnerabilities, controls, risks, assets, security requirements, business impact. Relationship labels on the arrows: exploit, expose, increase, increase, increase, have, protect against, met by, indicate, reduce.)

39. Example: Top SCADA Risks (SCADA Security Survey – May 2005)
    (Bar chart, number of responses, n=35, axis 0–30.) Categories: unauthorized manipulation of components, switches, breakers, etc. from the SCADA system; denial of service to SCADA system; disaster recovery; software/patch management; operating system vulnerabilities; vandalism or sabotage (electronic); computer viruses, worms, Trojan horses, zero-day attacks; remote access/VPN.

40. Integration of Logical and Physical
    Business security management: physical security management; ICT security management.

41. Leveraging Standards
    ICT & business continuity; risk key performance indicators; CoBiT, metrics; ITIL; ISO20000 (& BS15000); ISO27001; ISO27031; BS25999.

42. Risk Provides Focus
    Business impact x vulnerability grid (rows: business impact; columns: vulnerability):
                 High   Medium   Low
    High          A       B       C
    Medium        B       B       C
    Low           C       C       D
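The two ranking methods the deck describes, quantitative ALE (slide 10) and the qualitative impact x vulnerability grid (slides 11, 29 and 42), as an added worked example (example code written for this page, not from the deck or its author). The register entries, the control cost and the residual probability are constructed values, and the grid is the one on slide 42; the grid is symmetric, so which axis is rows and which is columns does not change the grade.

```python
"""Added example (not from the deck): a small risk register ranked two ways.

Quantitative (slide 10): Annual Loss Expectancy = potential loss per event x
annual probability of the event.  Qualitative (slides 11, 29 and 42): grade
each risk A-D from the business-impact x vulnerability grid on slide 42.
The risks below are constructed for the example; they are not survey data.
"""
from dataclasses import dataclass

LEVELS = ("Low", "Medium", "High")

# RISK_GRID[business impact][vulnerability] -> grade, copied from slide 42
RISK_GRID = {
    "High":   {"High": "A", "Medium": "B", "Low": "C"},
    "Medium": {"High": "B", "Medium": "B", "Low": "C"},
    "Low":    {"High": "C", "Medium": "C", "Low": "D"},
}


@dataclass
class Risk:
    name: str
    single_loss: float         # potential loss per occurrence (currency units)
    annual_probability: float  # expected occurrences per year
    impact: str                # qualitative business impact: Low / Medium / High
    vulnerability: str         # qualitative vulnerability: Low / Medium / High

    def ale(self) -> float:
        """Annual Loss Expectancy (the slide's ALE / EAC)."""
        if self.single_loss < 0 or self.annual_probability < 0:
            raise ValueError(f"{self.name}: loss and probability must be >= 0")
        return self.single_loss * self.annual_probability

    def grade(self) -> str:
        """A (area of major concern) .. D from the impact x vulnerability grid."""
        if self.impact not in LEVELS or self.vulnerability not in LEVELS:
            raise ValueError(f"{self.name}: ratings must be one of {LEVELS}")
        return RISK_GRID[self.impact][self.vulnerability]


def rank_quantitative(risks):
    """Highest ALE first: the ordering slide 10 says to use for priorities."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def rank_qualitative(risks):
    """Grade A first; ties broken by name so the order is stable."""
    return sorted(risks, key=lambda r: (r.grade(), r.name))


def net_benefit(risk: Risk, annual_control_cost: float,
                residual_probability: float) -> float:
    """Annual value of a control (slide 32 'reduction/controls'):
    ALE before, minus residual ALE, minus what the control costs per year.
    A negative result means the control costs more than the risk it removes."""
    residual_ale = risk.single_loss * residual_probability
    return risk.ale() - residual_ale - annual_control_cost


# Constructed sample register (values are illustrative, not from the deck)
SAMPLE_RISKS = [
    Risk("Data-center power outage", 250_000, 0.5, "High", "Medium"),
    Risk("Laptop theft (unencrypted disk)", 20_000, 3.0, "Medium", "High"),
    Risk("Phishing credential disclosure", 80_000, 2.0, "High", "High"),
    Risk("Office flooding", 1_000_000, 0.02, "High", "Low"),
]

if __name__ == "__main__":
    print("Quantitative ranking (ALE):")
    for r in rank_quantitative(SAMPLE_RISKS):
        print(f"  {r.ale():>12,.0f}  {r.name}")
    print("Qualitative ranking (grid grade):")
    for r in rank_qualitative(SAMPLE_RISKS):
        print(f"  {r.grade()}  {r.name}")
    # Hypothetical control: MFA cutting the phishing rate from 2.0 to 0.5
    # per year at an assumed 30,000 per year running cost.
    print("MFA net benefit:", net_benefit(SAMPLE_RISKS[2], 30_000, 0.5))
```

Note how the two rankings disagree in the middle of the list: the laptop-theft risk and the power outage both grade B, but their ALEs differ by a factor of two. That is the point slide 10 makes about probability data being imprecise, and why a register normally records both views before controls are chosen.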
43. Part of Defense in Depth

44. Risk Trade-Offs
    Secure; low risk; fast/easy; cheap.
    In risk management there are trade-offs.

45. Risk Management / Security Certifications
    Risk management: ISO27001, SOA; risk assessment; risk mitigation; controls; ISO27031; BS25999; risk analysis.

46. Questions
