Risk Based Security Management (RBSM) may be defined as the application of rigorous and systematic analytical techniques to the evaluation of the risks that impact an organizations information assets and IT infrastructure.
Agenda• THE PROBLEM• STEPS TO RBSM• GLINTT’S APPROACH• CONCLUSIONS• Q&A
.: Many of the true assets of value are items that are intangibleand are typically not considered in technical approaches toinformation security .:THE PROBLEM
FRIGHT INDEXThreats to information security faced by organizations Ponemon Institute 2012
FRIGHT INDEX IIThe greatest rise of potential security risk within today’s IT environment Ponemon Institute 2012
FRIGHT INDEX IIISecurity technology categories used to thwart internal and external threats Ponemon Institute 2012
IDENTIFYING RISKSteps taken to identify security risks Ponemon Institute 2012
ADDRESSING RISKPerceived security risk by layer in the security infrastructure and the allocated level of spending Ponemon Institute 2012
.: The goal is not perfection but to improve our decision makingability by reducing our uncertainty .:STEPS TO RBSM
IDENTIFY WHAT MATTERS• How can this be achieved? »» Survey the organization and its management. »» Engage those who are responsible for business. »» Gather relevant information about the organization.
COLLECT DATA ON WHAT MATTERS• What kind of data can be useful to gather? »» Asset valuation »» Impact »» Threat landscapes »» Frequency and likelihood »» Vulnerabilities
PERFORM A RISK ASSESSMENT• Risk Assessment should: »»Create meaningful analysis of probabilities and information on the magnitude of an event and its impact; »»Rank risk based on a normalized scale that is explicitly defined, relevant and re-usable across risk analyses of all sizes and types.
PRESENT TO THE ORGANIZATION• The presentation of any risk analysis should: »» State the assets that were considered; »» The key threats to those assets; »» Assumptions that were made in the analysis »» The identified risks.
IDENTIFY CONTROL OBJECTIVES• A control objective will identify the risk being addressed, and will identify ways that minimize an element of that risk. »» In simple terms, control objectives are “what is it that needs to be achieved”.
IDENTIFY AND SELECT CONTROLS• The process of selecting controls should consider: »»What is the total cost of ownership of the control? »»How flexible is the control to changes in the organization or the elements that make up the risk?
IMPLEMENT CONTROLS• If the control is implemented in a way that does not support the control objectives, the risk will likely not be reduced.
OPERATE CONTROLS• RBSM takes an additional step that measures the effectiveness of the control itself and its operation.
MONITOR AND MEASURE• The measures must focus on clearly identifying changes in risks. »» Bear in mind that not all of these elements are precisely measurable. »» Attempting to measure the number of threats is problematic, but some qualitative or combination of measures can provide insight.
ADJUST & REPEAT»»Are there changes in the environment that canalso affect the metrics?»»Are there changes in the threats as time changes?»» Is the control being operated as intended and/orare the measures acting as indicators of controldesign and its operation?
.: If the risk assessment is based on relevant data then thediscourse should be rewarding, collaborative, and highlyinteractive. :.GLINTT’S APPROACH
RBSM Managed Services»» Creates an environment of informed choice.»» Strives to reduce uncertainty and eliminate conjecture.»» Is best achieved through a surplus of relevant data.
RBSM Managed Services»» Based on analysis of frequency of threats and vulnerabilities.»» Cyclical and provide an opportunity for continuous learning.»» Involve feedback loops and challenging assumptions.
RBSM Managed Services»» Minimize the threats, reduce frequency and/or likelihood, and reduce the vulnerabilities that make the threats viable.
.: A vulnerability lacks significant meaning if it is associated witha worthless asset, just as a vulnerability is highly significant if it isassociated with a highly valuable asset .:CONCLUSIONS
CONCLUSIONS»» Anyone undertaking this process (RBSM) should be prepared to suspend their presuppositions and not to be shocked if ideas long held as truth are refuted by the data collected and analyses performed.»» We challenge you to try our Services!