Risk Management 101 with Mark E.S. Bernard


1. *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS *** Compiled by: Mark E.S. Bernard, ISO 27001 Lead Auditor, CISSP, CISM, SABSA-F2, CISA, CRISC, CGEIT
2.
   • Introduction
   • Current Known Threats
   • Potential Impacts to Enterprise Assets
   • Legal Risks
   • Managing Compliance Risks
   • Preventive Security Measures
   • Risk Management Policy
   • Risk Management Process
   • Ranking & Prioritization of Risks
   • Treating Risks
   • Monitoring Risks
   • Conclusion
4. Notable Accomplishments
   • Author of the NIST CyberSecurity Foundation: http://itprn.rs/1MscLu8
   • In 2012 provided consulting services to multiple US-based Cloud Service Providers for ISO/IEC 27001 Registration/Certification; Technology, Financial Services, Executive Services.
   • In 2010/11 co-led US-based Cloud Service Provider ISO/IEC 27001 Registration/Certification, Technology.
   • In 2009 led first Canadian Public Sector ISO/IEC 27001 Registration/Certification, Financial.
   • In 2009 led On-boarding Project for ERP Service Provider, Financial.
   • In 2009 led Technology and Operations work-stream during Negotiated Request for Proposal, Financial.
   • In 2007 led first Canadian Online Banking, Trade & Wholesale Service to ISO/IEC 27001 Registration/Certification, Financial.
   • In 2005 led Privacy, Security, and Privacy Compliance work-stream during outsourcing to alternate service delivery organization, Financial.
   • In 2002 led Information Security Program development for International Food Manufacturer.
   • In 1999 led Independent Security Assurance Review of financial systems located offshore.
   • In 1998 led ERP consolidation for International Pharmaceutical Manufacturer and ISO 9001 and ISO 9002 re-certification of lab systems in compliance with FDA and Health Canada regulations.
   • In 1997 led mid-range upgrades and BCP for Stock Exchange and Wealth Management Services.
   • In 1995 led HRIS during acquisition and merger of #1 and #2 Canadian General Insurance organizations.
   • In 1992 led HRIS during midrange system upgrade for Canadian General Insurance organizations.

   Skype: Mark_E_S_Bernard; LinkedIn: http://www.linkedin.com/in/markesbernard

   Mark E.S. Bernard, Information Security/Privacy, GRC Management Consultant; CRISC, CGEIT, CISA, CISM, CISSP, PM, ISO 27001LA, CNA, COBiT, ITIL. Mark E.S. Bernard is a CyberSecurity Thought Leader who created the first CyberSecurity Framework, which has been shared with over 580,000 professionals in 197 countries. Formerly a Professor of Systems Engineering and a Red Team member with IBM Global Services, he also led the Y2K audit of TD Wealth Management applications and Sprint Canada applications. In 2014 Mark created the first NIST CyberSecurity Foundation course and is currently developing a companion Practitioner course. Mark has also led the design and implementation of information security programs for Central 1 Credit Union, McCain Foods Limited, HyperWallet Payments, BC Government Corporate Accounting Services, and Trimble Hosting. Mark has contributed GAP Assessments and Conformity Audits to SureScripts, Phontronics, Aspreva Pharmaceuticals, Taro Pharmaceuticals, Foley and Lardner Legal, AIReS, Cetera Financial Group, Calabrio Inc., GovDelivery, and Jabil.
5. Registration need not be the final goal; however, every business can benefit from adopting a management system that provides assurance of information assets in alignment with strategic and tactical business goals while addressing Governance, Risk Management and Compliance Management requirements.
6. The demand for ISO/IEC 27001:2005 has nearly tripled in six years, and the number of countries adopting the Information Security Management System has doubled. ISO/IEC 27001:2005 will soon receive its first major revision since its 2005 adoption, and if it turns out to be anything like the changes we have seen in ICFR/ICIF, ISAE 3402 or NIST SP 53, there will be significant improvements to be leveraged. In 2006, the first year of the annual survey, ISO/IEC 27001:2005 certificates at the end of December 2006 totaled 5,797, and the number of countries adopting ISO/IEC 27001 totaled 64. At the end of 2010, at least 15,625 certificates had been issued in 117 countries. The 2010 total represents an increase of 2,691 (+21%) since December 2009. In 2006 the top three countries adopting ISO/IEC 27001 were Japan, the United Kingdom and India, and in 2010 that trend continued. However, the top three countries by growth from December 2009 to 2010 were Japan, China and the Czech Republic.
8. Source: Computer Security Institute 2010/11 Survey
9. Source: Verizon Business 2011 Data Breach Investigations Report
   • Large-scale breaches dropped dramatically while small attacks increased. The report notes there are several possible reasons for this trend, including the fact that small to medium-sized businesses represent prime attack targets for many hackers, who favour highly automated, repeatable attacks against these more vulnerable targets, possibly because criminals are opting to play it safe in light of recent arrests and prosecutions of high-profile hackers.
   • Outsiders are responsible for most data breaches. Ninety-two percent of data breaches were caused by external sources. Contrary to the malicious-employee stereotype, insiders were responsible for only 16 percent of attacks. Partner-related attacks continued to decline, and business partners accounted for less than 1 percent of breaches.
   • Physical attacks are on the rise. After doubling as a percentage of all breaches in 2009, attacks involving physical actions doubled again in 2010, and included manipulating common credit-card devices such as ATMs, gas pumps and point-of-sale terminals. The data indicates that organized crime groups are responsible for most of these card-skimming schemes.
   • Hacking and malware are the most popular attack methods. Malware was a factor in about half of the 2010 caseload and was responsible for almost 80 percent of lost data. The most common kinds of malware found in the caseload were those that send data to an external entity, open backdoors, and log keystrokes.
   • Stolen passwords and credentials are out of control. Ineffective, weak or stolen credentials continue to wreak havoc on enterprise security. Failure to change default credentials remains an issue, particularly in the financial services, retail and hospitality industries.
10. Source: 2010 Cloud Security Alliance Threats
   • #1: Abuse and Nefarious Use of Cloud Computing
   • #2: Insecure Interfaces and APIs
   • #3: Malicious Insiders
   • #4: Shared Technology Issues
   • #5: Data Loss or Leakage
   • #6: Account or Service Hijacking
   • #7: Unknown Risk Profile
11. Source: 2010 OWASP Top 10 Web Application Security Risks
   • A1: Injection
   • A2: Cross-Site Scripting (XSS)
   • A3: Broken Authentication and Session Management
   • A4: Insecure Direct Object References
   • A5: Cross-Site Request Forgery (CSRF)
   • A6: Security Misconfiguration
   • A7: Insecure Cryptographic Storage
   • A8: Failure to Restrict URL Access
   • A9: Insufficient Transport Layer Protection
   • A10: Unvalidated Redirects and Forwards
12. Source: 'The Risk of Insider Fraud', Ponemon Institute 2011
   • Employee-related incidents of fraud, on average, occur weekly in participating organizations.
   • Sixty-four percent of the respondents in this study say the risk of insider fraud is very high or high within their organizations.
   • CEOs and other C-level executives may be ignoring the threat, according to respondents.
   • The majority of insider fraud incidents go unpunished, leaving organizations vulnerable to future such incidents.
   • The threat vectors most difficult to secure and safeguard from insider fraud are mobile devices, outsourced relationships (including cloud providers) and applications.
   • The majority of respondents do not believe their organization has the appropriate technologies to prevent or quickly detect insider fraud, including employees' misuse of IT resources.
13. Source: Computer Security Institute 2010/11 Survey
15. The Enterprise Risk Management system identifies five major areas of risk: strategic planning, hazard, financial services, compliance management and operations. Generally, capital and resources are allocated based on priorities determined by the Board of Directors and the Executive Team. There are six major groups of Enterprise Assets that contribute to the Enterprise strategy: people, information, software, hardware, telecommunications and facilities. The risk associated with each asset can be assessed and treated based on Enterprise strategic priorities. A risk score can be calculated for each product, service channel and revenue stream, and risk treatment can again be applied based on strategic priorities.
16. The following example is a subset demonstrating the potential results of an exploited vulnerability within 'People Assets' in most common Enterprises. The impacts are measured against the principles of information security: confidentiality, integrity and availability. The severity in this example is rated high, medium or low to simplify the message for a broad audience.
17. The following example is a subset demonstrating the potential results of an exploited vulnerability within 'Information Assets' in most common Enterprises. The impacts are measured against the principles of information security: confidentiality, integrity and availability. The severity in this example is rated high, medium or low to simplify the message for a broad audience.
18. The following example is a subset demonstrating the potential results of an exploited vulnerability within 'Software Assets' in most common Enterprises. The impacts are measured against the principles of information security: confidentiality, integrity and availability. The severity in this example is rated high, medium or low to simplify the message for a broad audience.
19. The following example is a subset demonstrating the potential results of an exploited vulnerability within 'Hardware Assets' in most common Enterprises. The impacts are measured against the principles of information security: confidentiality, integrity and availability. The severity in this example is rated high, medium or low to simplify the message for a broad audience.
20. The following example is a subset demonstrating the potential results of an exploited vulnerability within 'Telecommunication Assets' in most common Enterprises. The impacts are measured against the principles of information security: confidentiality, integrity and availability. The severity in this example is rated high, medium or low to simplify the message for a broad audience.
21. The following example is a subset demonstrating the potential results of an exploited vulnerability within 'Facility Assets' in most common Enterprises. The impacts are measured against the principles of information security: confidentiality, integrity and availability. The severity in this example is rated high, medium or low to simplify the message for a broad audience.
25. Here is an example of how an ISO 27001 ISMS can easily and seamlessly address all HIPAA legal requirements.
26. When all the mapping has been completed, approximately 70 of the already existing 133 ISO 27001 control objectives will be leveraged to address HIPAA compliance.
28. Compliance Management can be broken down into four general categories: statutes, regulations, internal-facing obligations and external-facing obligations.
29.
   • Health Insurance Portability and Accountability Act (HIPAA)
   • Health Information Technology for Economic and Clinical Health Act (HITECH Act)
   • Federal Information Security Management Act (FISMA)
   • Gramm-Leach-Bliley Act (GLBA)
   • Payment Card Industry Data Security Standard (PCI-DSS)
   • Payment Card Industry Payment Application Standard
   • Sarbanes-Oxley Act (SOX)
   • U.S. state data breach notification laws
   • International privacy or security laws
30. Before we can treat compliance concerns, we need to identify, record and map the ISO 27001 controls listed in the Statement of Applicability to the specific legal obligations defined by provisions and clauses within statutes, regulations and internal/external-facing contracts.
32. We can choose to respond to a security incident after the fact, or to act before a threat exploits a known vulnerability: we can identify the threats and their matching vulnerabilities and remediate them to acceptable levels.
33. ISO 27001 has already developed controls that are designed to remediate common or known threats, vulnerabilities and risks.
34. A close assessment of the technology stack can easily identify vulnerabilities that might be exposed to threats, leading to risks.
36. Risk Management Goals
   • To assess risks to Information Assets and System Resources.
   • To state the goals of the RM, along with the desired security level to be attained, consistent with the Enterprise's risk appetite and the sensitivity of its Information Assets.
   • To identify vulnerabilities within the infrastructure and facilitate the decision-making process by determining likelihood and impact based on motive and opportunity.
   • To identify the potential impacts should a threat agent successfully exploit an identified vulnerability, further impacting the Information Assets, System Resources, applications and the business functions they support, expressed in terms of confidentiality, integrity and availability.
   • To provide recommendations that will mitigate and/or eliminate risk to acceptable levels.
37. Risk Acceptance Criteria: There are three Risk Acceptance Criteria scenarios that management can choose from, based on the results of a Risk Assessment and the overall Risk Rating:
   • Management can choose to accept the risk, in which case they do nothing to remediate it. They should understand that they will be held accountable for any security incident; however, the risk of a security incident may not be a concern to management, and thus they tend to accept low risks as part of normal daily operations.
   • Management may choose to remediate the risk, in which case management takes some sort of corrective and/or preventive action to mitigate and/or eliminate the risk from the Enterprise's environment.
   • Management may also choose to transfer the risk, in which case management has chosen to outsource the process causing the risk and/or purchase insurance to cover the potential damages caused by the realization of the risk.
38. Temporary ISMS Exemption Application: There may be occasions where compliance is not possible during a particular period of time, and an exemption from compliance is the best method of identifying those occasions and following up to ensure that they are closed. In these instances it is important to identify the manager responsible for the security gaps and have them sign off. This not only helps the Enterprise's security office to document gaps but also identifies the responsible party who will ensure that they are closed. The following information is required for the Temporary Exemption Form to be completed:
   • Exemption period (from/to)
   • ISMS policy, procedure or standard reference ID
   • Reason for the Exemption Application
   • Department or division unit affected
   • Information system affected
   • Network location affected
   • Rationale: not granting this application a) would adversely affect the accomplishment of the Enterprise's business, or b) would cause a major adverse financial impact
   • Explanation of the rationale
   • Signature of the Responsible Manager and date
40. Where possible and practical, organizations need to integrate the Risk Management decision tool within existing business processes. The Control Self Assessment technique is an excellent approach to RM integration.
41. The 'optimal' time to initiate the RM process within the SDLC is during the creation of the system definition and functional design criteria, or during development and acquisition.
42.
   • Identify Assets in Scope: in this work task we document the department name, asset owner and asset name.
   • Identify Threats: in this work task we document the threat(s) to the asset(s) in scope of the risk analysis, as defined within the RA worksheet, including the threat identification, description and rating.
   • Identify Business Impact: in this work task we clarify the business perspective for confidentiality, integrity and availability based on a 'high', 'medium' or 'low' impact to regular business processes.
   • Identify Vulnerabilities: in this work task we document the vulnerabilities associated with the asset in scope for risk analysis, as defined in the RA worksheet, including the vulnerability identification, description and rating.
43.
   • Control Selection: in this work task we list the existing controls for further consideration during the preparation of remediation activities designed to lower the overall risk rating. It is possible that existing controls have been implemented incorrectly or suffer from some other deficiency that, if corrected, would eliminate the need for additional controls.
   • Risk Assessment: in this work task we calculate the overall risk rating: the sum of the threat rating and the CIA business impact ratings, multiplied by the business impact rating, multiplied by the vulnerability rating.
   • Recommendations: in this work task we identify the manager who has been assigned responsibility for facilitating the risk mitigation activity, the expected delivery date and the current status of progress in the resolution process.
   • Report to Management: in this work task we identify and report to management the planned targets for risk mitigation, expressed in terms of high, medium and low impacts to confidentiality, integrity and availability. These values are rolled up into an overall revised 'Residual Risk Rating'.
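The RA worksheet work tasks above, carried through as an added Python example (this is not code from the slide deck). Assumed: the threat rating uses the deck's 9-point threat index (1..9); C/I/A business impact and vulnerability ratings are High/Medium/Low mapped to 3/2/1; the deck's risk formula is read as (threat + C + I + A) x max(C, I, A) x vulnerability; and the risk appetite is a numeric ceiling on that rating. The worksheet rows are constructed sample data.

```python
"""Risk Assessment (RA) worksheet helper for the risk-analysis work tasks.

Added example, not code from the slide deck. Labelled assumptions: threat
rating is on the 9-point threat index (1..9); C/I/A business impact and
vulnerability ratings are High/Medium/Low mapped to 3/2/1; the overall risk
rating is read as (threat + C + I + A) * max(C, I, A) * vulnerability; the
risk appetite is a numeric ceiling on that rating.
"""
from dataclasses import dataclass, field

LEVEL = {"high": 3, "medium": 2, "low": 1}
CIA = ("confidentiality", "integrity", "availability")


@dataclass
class RiskItem:
    """One RA worksheet row: asset in scope, threat, impact, vulnerability."""
    department: str
    asset_owner: str
    asset: str
    threat: str
    threat_rating: int          # 1..9 on the 9-point threat index (assumed scale)
    vulnerability: str
    vulnerability_level: str    # "high" | "medium" | "low"
    impact: dict                # {"confidentiality": "high", "integrity": ..., ...}
    existing_controls: list = field(default_factory=list)   # Control Selection


def risk_rating(threat_rating, impact, vulnerability_level):
    """Overall Risk Rating under the (assumed) reading of the deck's formula."""
    if not 1 <= threat_rating <= 9:
        raise ValueError("threat rating must be on the 9-point index (1..9)")
    cia = [LEVEL[impact[k]] for k in CIA]
    return (threat_rating + sum(cia)) * max(cia) * LEVEL[vulnerability_level]


def treatment(rating, risk_appetite):
    """Risk Acceptance Criteria: within appetite -> accept; otherwise treat."""
    return "accept" if rating <= risk_appetite else "remediate or transfer"


def residual_rating(item, revised_impact=None, revised_vulnerability_level=None):
    """Residual Risk Rating after the planned mitigation targets (revised C/I/A
    impact levels and/or a lowered vulnerability rating) are applied."""
    impact = {**item.impact, **(revised_impact or {})}
    vuln = revised_vulnerability_level or item.vulnerability_level
    return risk_rating(item.threat_rating, impact, vuln)


def rank(items, risk_appetite):
    """Ranking & prioritization: highest Risk Rating first, with the decision."""
    rows = [(risk_rating(i.threat_rating, i.impact, i.vulnerability_level), i)
            for i in items]
    rows.sort(key=lambda r: r[0], reverse=True)
    return [(i.asset, r, treatment(r, risk_appetite)) for r, i in rows]


# Constructed sample worksheet rows (not taken from the deck).
WORKSHEET = [
    RiskItem("Finance", "A. Owner", "Payroll database", "Credential theft", 7,
             "Default admin password unchanged", "high",
             {"confidentiality": "high", "integrity": "medium", "availability": "low"},
             ["Password policy (not enforced on service accounts)"]),
    RiskItem("Facilities", "B. Owner", "Badge readers", "Power outage", 3,
             "No UPS on reader controller", "medium",
             {"confidentiality": "low", "integrity": "low", "availability": "medium"}),
    RiskItem("IT", "C. Owner", "Order API", "Tampering with orders", 5,
             "Missing input validation on one endpoint", "low",
             {"confidentiality": "medium", "integrity": "high", "availability": "high"}),
]
RISK_APPETITE = 30   # assumed ceiling agreed by the ISMS Governance Committee

if __name__ == "__main__":
    for asset, rating, decision in rank(WORKSHEET, RISK_APPETITE):
        print(f"{rating:4d}  {decision:22s} {asset}")
    # Planned mitigation for the payroll database: enforce the password policy
    # (vulnerability -> low) and reduce the confidentiality impact to medium.
    print("residual:", residual_rating(WORKSHEET[0], {"confidentiality": "medium"}, "low"))
```

Because the vulnerability rating is a multiplier, correcting a deficient existing control (the Control Selection point above) can bring a rating under the appetite without any new control, which is what the residual calculation for the first row shows.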
44. Within the Risk Management Process we systematically identify and address threats and vulnerabilities to Enterprise Assets, and take action to mitigate the resulting risks to acceptable levels.
45. 'Control Design' is where Risk Management, Quality Management and Vulnerability Management come together. The Assets at risk, potentially leading to a breach of Data Protection and loss of Confidentiality, include 'People', 'Information', 'Property/Facilities', 'Software/Systems', 'Hardware' and 'Telecommunications'.
46. Within the following example I list out the specific threat, potential impact and mitigating control.
47. Within this example I take the process one step further and identify the test scenario designed to verify and validate the control design. This is a requirement for SOX.
48. There are thousands of threats to the Enterprise, but only a small subset have the potential to negatively impact the Enterprise, so a 9-point evaluation of threats is essential to help establish a common threat index for the risk assessment process.
49. There are hundreds of vulnerabilities within any Enterprise; however, only a subset will be identified with a matching threat, so it is very likely that some vulnerabilities will not be remediated, as the overall risk rating will rank them below the risk appetite.
50. ISO 27001 has identified the most common controls utilized to remediate the most common threats, vulnerabilities and risks to most Enterprises. The emphasis of Total Quality Management is the remediation of those risks based on a standard series of controls listed within the Statement of Applicability.
52. The Risk Rating helps match actual risks to the risk appetite.
54. The Corrective Action and Preventive Action plans are important pieces of the evidence-based Quality Management component of Risk Management. The CA and PA can be initiated together or completely separately from one another. CAPA reports will be audited and include specific information such as the date, the source of the nonconformity, who is responsible for taking action and the date by which it will be completed. The root cause must also be documented. Once the CAPA has been completed it must be independently validated.
55. Risk Treatment Plans are defined by Corrective Action plans and Preventive Action plans. The RTP is essentially a rolled-up dashboard utilized by the ISMS Governance Committee for tracking and monitoring CAPA.
57. Following the assessment of threats and vulnerabilities and the identification of risks, management makes a decision and we begin monitoring and tracking risks.
58. In more advanced ISMS Risk Management programs we monitor and track risks in connection with the Enterprise Risk Management program.
59. We should not track risks only internally, as many risks are shared with external vendors and service providers through Service Management processes and the Service Desk.
60. Risk Management is a useful process that should be seamlessly integrated within every business process to help support and facilitate management decisions. If you need help with your Risk Management adoption or integration project, please contact me. Thanks.
61. For more information contact: Web: www.SecureKM.COM; Twitter: @Secure_KM; LinkedIn: http://ca.linkedin.com/in/markesbernard
