1. Review of Enterprise Security Risk Management
Rand W. Hirt CISSP, CISA
Sr. Systems Security Specialist
2. Let’s start with the basics…
Let’s define Risk (from a security perspective):
Risk = Likelihood of an occurrence of adverse event
(probability) x impact of the adverse event should
it occur (value).
Thus, the measure of Risk is the product of threat,
vulnerability and asset values.
3. Risk Management concept
Therefore, Risk Management is defined:
RM = the identification, selection and adoption of
countermeasures to mitigate identified risks to
assets and the reduction of those risks to
acceptable levels, as determined by key
stakeholders and executive management.
4. Risk Management, cont.
Once Risk levels have been determined, Risk is
treated in one of several ways:
• Risk Acceptance (accept as is or decide proposed controls are too
expensive)
• Risk Transfer (e.g. insurance or outsourcing)
• Risk Mitigation (apply further controls/countermeasures)
5. Risk Management, cont.
Once Risk has been identified and mitigated to
acceptable levels, continuous monitoring of the
Enterprise will provide assurance that the
Company’s Risk posture will remain consistent
and that any new risks introduced into the
environment can be identified, rated and mitigated
to acceptable levels.
6. Risk Management, cont.
The process looks like this:
[Figure: Risk Management process diagram. Caption: ISO/IEC Guide 73 Risk Management - Vocabulary - Guidelines]
7. Risk Management vs. Risk Assessment
Risk Assessment is a means to an end: it serves the overall
objective of the Risk Management process:

             Risk Management                                    Risk Assessment
Goal         Manage risks across business to acceptable level   Identify and prioritize risks
Cycle        Overall program across all phases                  Single phase of risk management program
Schedule     Ongoing                                            As needed
Alignment    Aligned with budgeting cycles                      N/A
8. Risk Assessment approaches
There are two primary methods to approach
Risk Assessments:
• Quantitative
(calculate objective numeric values to derive a cost/benefit analysis)
• Qualitative
(calculate relative values not tied to actual financial values for cost/benefit)
9. Approach to Assessing Risk, cont.
Advantages/Disadvantages of either approach:

Quantitative
  Benefits
  • Risks are prioritized by financial impact; assets are prioritized by financial values.
  • Results facilitate management of risk by return on security investment.
  • Results can be expressed in management-specific terminology (for example, monetary values and probability expressed as a specific percentage).
  • Accuracy tends to increase over time as the organization builds a historic record of data while gaining experience.
  Drawbacks
  • Impact values assigned to risks are based on subjective opinions of participants.
  • Process to reach credible results and consensus is very time consuming.
  • Calculations can be complex and time consuming.
  • Results are presented in monetary terms only, and they may be difficult for non-technical people to interpret.
  • Process requires expertise, so participants cannot be easily coached through it.

Qualitative
  Benefits
  • Enables visibility and understanding of risk ranking.
  • Easier to reach consensus.
  • Not necessary to quantify threat frequency.
  • Not necessary to determine financial values of assets.
  • Easier to involve people who are not experts on security or computers.
  Drawbacks
  • Insufficient differentiation between important risks.
  • Difficult to justify investing in control implementation because there is no basis for a cost-benefit analysis.
  • Results are dependent upon the quality of the risk management team that is created.
10. Attributes of an effective Risk Assessment methodology
• Should result in an explicit definition of objectives and contain
explicit steps and supporting templates to assist in that goal.
• Should provide explicit definitions of what Security risk is, vs. Project
risk, Business risk, etc.
• Should be aimed at modeling and documenting risks qualitatively.
• Should be able to use both ratio and ordinal scale risk rankings to
prioritize risks reliably.
• Should use the concept of utility loss to rank the loss associated with
a risk.
• Should have operational guidance and training support and a tutorial
available, along with templates and examples.
11. So, which approach will we use?
• The Microsoft Security Risk Management process uses
a Hybrid approach that joins the best of both traditional
approaches.
– Uses a Qualitative approach to assess over-all risk.
– Uses a Quantitative approach (if desired) to assess the High
Impact assets within the Organization.
• Faster than traditional Quantitative approach.
• Yields the more detailed and justifiable results that executives
want, compared with a traditional Qualitative approach.
• Meets most, if not all, of the desired qualities of an
effective Risk Assessment methodology.
• The MSRM Guide was written, developed and tested with review by
participants from major corporations (Siemens, BofA); NIST also
provided comments that were incorporated into the guide.
14. The Risk Assessment Process (High Level)
The 5 Step process for the Risk Assessment:
1. Determine Scope of Assessment
- Budget, Boundaries, Objectives, etc.
- What assets are we trying to protect?
2. Gather Information
- Questionnaires directed at specific groups/project members
- Acquiring information from specific areas
Administrative (policies, training, organization, etc)
Technical (controls, configurations, pen tests, etc.)
Physical (procedures, observations, etc.)
3. Assess Risk
- Asset valuation/criticality
- Threat/Vulnerability mapping
- Calculating risk
- Obtaining consensus
4. Recommend Controls
- What’s the cost?
- What’s the effectiveness (preventative, detective, corrective)?
- Are there unintended consequences of the proposed solution?
5. Determine Residual Risk
- Is it at an acceptable level?
- What are the trade-offs, if any, and are they acceptable to implement?
15. The Risk Assessment Process (Lower Level)
Step 1 – Determine Scope of Assessment
• Enterprise vs. project/system
• Budget and/or deadlines to consider
• Identify Stakeholders to the Assessment
• Identify the Assets that are relevant to the Assessment
• Develop a step by step plan to address these concerns
16. The Risk Assessment Process (Lower Level)
Step 2 – Gathering Information
• Use of questionnaires can help speed up the process
• Data gathering involves three main areas:
1. Administrative areas
a. Policies
b. Procedures
c. Staff interviews
2. Technical areas
a. Configurations (Architecture/Design)
b. Current controls (e.g. Hardening, Patching, etc.)
c. Targeted Vulnerability/Penetration testing
3. Physical areas
a. Procedures and Safeguards (HA, Fault Tolerance, etc.)
b. Access control (physical)
c. Documentation (BCP and DR processes)
17. The Risk Assessment Process (Lower Level)
Step 3 – Assessing Risk
The objective is to arrive at a well-formed Risk Statement. We do this as follows:
Ex: A Hacker (Threat Agent) may exploit known vulnerabilities (Vulnerability) in the remote authentication
protocol (Vulnerability Target) to disrupt (Policy violated) remote authentication (Asset exposed).
18. The Risk Assessment Process (Lower Level)
Step 3 – Assessing Risk
The specific steps to arrive at a well-formed Risk Statement:
• Classify Assets
• Low Business Impact (LBI) - public information, high-level information
• Medium Business Impact (MBI) - Network designs, employee lists, purchase order info.
• High Business Impact (HBI) - Financial data, PII, SSNs, medical record info.
• Define Threats and Vulnerabilities
• Threat Agents
• Identify current Vulnerabilities
• Calculate Asset Exposure (Impact)
• Low exposure (minor or no loss)
• Medium exposure (limited or moderate loss)
• High exposure (severe or complete loss)
• Estimate the Threat Probability
• Low (Not probable - not expected to occur within 3 years)
• Medium (Probable - expected to occur within 2-3 years)
• High (Likely - one or more occurrences within 1 year)
19. The Risk Assessment Process (Lower Level)
Step 3 – Assessing Risk (cont.)
We can do a finer-grained analysis on High Value Assets:
20. The Risk Assessment Process (Lower Level)
Step 3 – Assessing Risk (cont.)
Which results in a finer-grained result:
21. The Risk Assessment Process (Lower Level)
Step 4 – Recommend Controls
1. Identify Functional Requirements
• Need to define objectives of control
2. Identify Control Solutions
• Organizational controls (separation of duties, etc.)
• Operational controls (physical protections, etc.)
• Technological controls (Authentication, Access control, etc.)
3. Review Solution vs. Requirements
• Does it meet the Functional requirements?
• Are there unintended consequences of the proposed solution?
4. Estimate the Degree of Risk Reduction
• Will it stop the Threat Agent, or detect an Exploit?
5. Estimate the Solution Cost
• Acquisition, Implementation, On-going, Training, Productivity, etc.
6. Select the Risk Mitigation Solution
22. The Risk Assessment Process (Lower Level)
Step 5 – Determine Residual Risk
• Does the proposed Solution reduce Risk to an acceptable
level?
• Are there trade-offs to the proposed Solution, and if so, are
they acceptable to implement?
• Would Management rather Transfer or Assign the Residual
Risk?
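To make steps 3 to 5 concrete, here is an added example (not from the slides or the MSRM Guide) that rates the slide 17 risk statement on the slide 18 scales, re-rates it for each candidate control, and keeps the cheapest control whose residual risk is acceptable. The numeric weights, the score bands, and the control names and costs are assumptions constructed for the example.

```python
from dataclasses import dataclass, replace

# Ordinal weights for the slide 18 scales (asset class; Low/Medium/High exposure and
# probability). The weights and the score bands are an assumption made for this example.
SCALE = {"LBI": 1, "MBI": 2, "HBI": 3, "Low": 1, "Medium": 2, "High": 3}
LEVELS = ["Low", "Medium", "High"]


@dataclass(frozen=True)
class RiskStatement:
    threat_agent: str      # e.g. "Hacker"
    vulnerability: str     # the weakness that may be exploited
    target: str            # where that weakness lives (Vulnerability Target)
    policy_violated: str   # e.g. "disrupt"
    asset: str             # the asset exposed
    asset_class: str       # LBI / MBI / HBI
    exposure: str          # Low / Medium / High
    probability: str       # Low / Medium / High

    def score(self) -> int:
        # Impact = asset class x exposure; Risk = probability x impact (slide 2).
        impact = SCALE[self.asset_class] * SCALE[self.exposure]
        return SCALE[self.probability] * impact


def risk_level(score: int) -> str:
    # Assumed banding of the 1..27 product into the three levels used on the slides.
    return "High" if score >= 12 else "Medium" if score >= 6 else "Low"


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: int       # acquisition + implementation + on-going (step 4, item 5)
    new_probability: str   # threat probability once the control is in place
    new_exposure: str      # asset exposure once the control is in place


def residual(stmt, ctrl):
    # Step 5: re-rate the same statement with the control's effect applied.
    return replace(stmt, probability=ctrl.new_probability, exposure=ctrl.new_exposure)


def select_control(stmt, controls, acceptable="Medium"):
    # Cheapest control whose residual risk is at or below the acceptable level; None if none qualifies.
    ok = [c for c in controls
          if LEVELS.index(risk_level(residual(stmt, c).score())) <= LEVELS.index(acceptable)]
    return min(ok, key=lambda c: c.annual_cost) if ok else None


# Constructed sample: the slide 17 statement with assumed ratings, and candidate controls.
EXAMPLE = RiskStatement("Hacker", "known vulnerabilities", "remote authentication protocol",
                        "disrupt", "remote authentication", "HBI", "High", "High")
CANDIDATES = [Control("Patching cadence for the authentication service", 20_000, "Medium", "High"),
              Control("Stronger authentication plus patching", 50_000, "Low", "Medium"),
              Control("Replace the remote authentication protocol", 200_000, "Low", "Low")]
```

With these inputs the untreated statement rates High (score 27); the patching-only control leaves it High, so the second control is selected at the Medium threshold, and only the third qualifies if management requires Low.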
23. The Risk Assessment Process, cont.
• Final recommendations
– Risk mitigation, transfer or acceptance
– Document final decisions on Risk treatment
• Report to Upper Management
– Communicate Risk decisions
– Align with Security Risk Scorecard
24. The Risk Assessment Process, cont.
• Measure Control Effectiveness
– Use of audit / verification tools
– Review of logs
• Reassess New and Changed Assets for Risks
– Review and update previous assessments
– Review any Architectural changes for overall impact to
the Organization Risk posture
25. Steps going forward
• Solidify the Risk Management Framework.
• Build out the processes, guidance, templates and
training to make the process real.
• Identify an RM application to assist in the process.
• Identify further steps, timeline, etc.