File000170

EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Taxpayer Data at IRS Remains
Vulnerable, GAO Warns
January 13, 2009 (Computerworld) Less than three months after the Treasury Inspector General for Tax
Administration reported that there were major security vulnerabilities in two crucial Internal Revenue
Service systems, the IRS's security practices have been panned by another government entity.
This time, the criticism comes from the Government Accountability Office, which last week released a
report highlighting several problems with how the IRS protects taxpayer data. The 24-page assessment
examined existing policies and controls as well as IRS efforts to fix security issues reported in a previous
GAO audit.
The report shows that taxpayer and other sensitive data continues to remain dangerously underprotected
at the IRS. According to the GAO, while the IRS has addressed 49 of 115 previously reported security
issues, several critical areas remain vulnerable.
For example, the IRS still does not always enforce strong password management rules for identifying and
authenticating users of its systems, nor does it encrypt certain types of sensitive data, the GAO said. It also
noted that the IRS has a tendency to allow sensitive information such as user IDs and passwords to be
"readily available" to any user on its networks. Weak passwords and excessive access on the network for
authenticated users were also cited as potential threats to taxpayer data.
Source: http://www.computerworld.com/

EC-Council
Module Objective
• Risk
• Security Planning
• Risk Management
• Risk Analysis
• Risk Policy
• Risk Assessment
• Approval to Operate (ATO) and Interim Approval to Operate (IATO)
• Risk Assessment Process
• Analyze Threats and Vulnerabilities of an Information System
• Residual Risk
• Cost/benefit Analysis
• Risk Acceptance
• Risk Analysts
• Risk Mitigation
• Role of Documentation in Reducing Risk
This module will familiarize you with:

EC-Council
Module Flow
Risk Assessment Process
Cost/benefit Analysis Risk Acceptance
Risk MitigationRisk Analysts
Residual Risk
Analyze Threats and
Vulnerabilities of an
Information System
Role of Documentation
in Reducing Risk
Security PlanningRisk
ATO and IATO
Risk Management
Risk Analysis Risk AssessmentRisk Policy

EC-Council
Risk
Risk is a measure of possible inability to achieve a goal, objective, or
target within defined security, cost, plan, and technical limitations
It refers to a possibility of loss resulting from a hazard, security incident,
or event
It adversely affects the organization’s operations and revenues
Risk=(Probability of event occurring) X (Impact of event occurring)

EC-Council
Security Planning
• Risk Analysis
• Roles and responsibilities of the team/personnel
• Configuration of the system
• Antivirus controls and Intrusion Detection
• Physical Security
• Network Security
• Data access
• Outsourcing
• Policies and Procedures
• Planning a Team
Security planning involves:
Security planning helps in managing and reducing the probability of risk

EC-Council
Risk Management
Risk Management is the process of identifying risk, addressing risk, and
taking steps to eliminate or reduce risk at an acceptable level
Risk management involves:
• Identifying risks
• Analyzing risks
• Developing strategies to manage identified risks
• Implementing risk mitigation plans
• Managing efforts accordingly

EC-Council
Importance of Risk Management
Protects an organization’s information assets
Protects the organization and enables to accomplish its task
Minimizes the effect of risk on an organization’s assets and earning
Creates a new corporation value
Helps organizations to control IT security system related mission risks
Allows organizations to balance the operational and financial costs of the
protective measures
Helps the organization’s management to identify the suitable controls for
security capabilities essential for any task

EC-Council
Principle of Risk Management
• It is a practice of coming up with other options so that the risk in question
is not realized
Risk Avoidance:
• It is a practice of transferring the risk in question to another entity
Risk Transfer:
• It includes all the procedures and practices to eliminate or considerably
decrease the level of risk
Risk Mitigation:
• In some cases, it is vital for an organization to accept the risk present in
some entities
• Risk acceptance is a practice of accepting some risks
Risk Acceptance:

EC-Council
IT Security Risk Management
• Provides information regarding “how to reduce exposure to identified risks”
Risk mitigation process:
• Detects the source of primary and secondary attacks
Risk domains:
• Provides an analysis of risk exposure to threats or vulnerabilities
Risk exposure:
• Provides an end-to-end method for risk mitigation
Risk analysis:
IT security risk management comprises:

EC-Council
Risk Analysis
• Assets (resources of an organization)
• Disruptive events (disaster or threat to an organization)
• Vulnerabilities (weakness of an organization)
• Losses (due to the occurrence of the disaster)
• Safeguards (preventive measures against vulnerabilities)
It helps in analyzing five elements:
Risk analysis is the method that defines procedures through which an
organization can survive or reduce the probability of risks

EC-Council
Business Impact Analysis (BIA)
Step-by-step approach to conduct successful Business Impact Analysis (BIA):
Define potential system threats and the probability at which they may occur
Discover the Maximum Acceptable Outage (MAO) for each system
Estimate the cost to identify and recover operations for each system
Approximate the impacts such as financial, revenue, and non-revenue impacts related to each system
Define the systems which are having cross dependencies
Categorize each important or non-critical system as business critical system
Define critical business systems operated by your organization
Define gross profit and net profit generated by your organization in the year

EC-Council
Roles and Responsibilities of All the
Players in the Risk Analysis Process
Organization divides its targets by distributing the responsibilities within the team
The team involves superior personnel who undertake the responsibility of
considering even minute details of the project
The roles and responsibilities of team members or the employees are as follows:
• Checks the level of security to manage the risks
• Establishes the risk management process
• Ensures that the information resources meet the audit requirements and
participates in all levels of employees to implement policies and procedures
• Prepares disaster recovery plan for information resources to maintain it
Chief Administrative Officer/Information Resources Manager:

EC-Council
Roles and Responsibilities of All the Players
in the Risk Analysis Process (cont’d)
• Identifies threats and vulnerabilities
• Identifies restricted, sensitive, and unrestricted information resources
• Develops and maintains risk management processes, disaster recovery/
contingency planning for information, and updated security procedures
Information Resources Security Officer:
• Assess information and identifies the risk
• Classify the information
• Approve access to information for the restricted employees
• Plan contingencies to recover data
Owners of Information Resources:
• Implements security controls determined by the owner
• Provides administrative access and preventive measures to information
resources
Custodian:

EC-Council
Roles and Responsibilities of All the Players
in the Risk Analysis Process (cont’d)
• Ensures technical support is provided by using cost effective controls
• Develops and maintains contingency plans
• Develops procedures to report on monitored controls
Technical Management:
• Assist the other personnel to implement the security plan
• Assist to update the software or hardware and brief them with the
vulnerabilities
• Maintain user accounts, passwords, keys, etc.
Security Administrators:
• Calculation of effective security control
• Provides security policies, standards, and guidelines
• Examines security controls that are planned and participates in risk
analysis process
Internal Auditor:

EC-Council
Risk Analysis and/or Vulnerability
Assessment Components
Vulnerability assessment is the evaluation of the current
security features (personnel involvement and policies
and procedures) of the organization
Vulnerability assessment report provides a clear idea of
the current weaknesses of an organization
The questionnaires and surveys of the computer users
are the important part of a vulnerability assessment
Questioning the users should be based on the standards,
policies, and guidelines

EC-Council
Risk Policy
Risk policy is a set of ideas of what to do in particular conditions that have been
approved authoritatively by a group of people, a business organization, or
government
• Rules of behavior for the computer system and the end results
for violating those rules
• Personnel and technical controls for the computer system
• Methods for identifying, properly limiting, and controlling
interconnections with other systems and particular methods to
monitor and manage such limits
• Procedures for the ongoing training of employees who are
authorized access to the system
• Procedures for the ongoing monitoring of the efficiency of the
security controls
• Provisions for continuing support if there is an interruption in
the system or the system crashes
Risk policy includes:

EC-Council
Risk Assessment
Risk assessment is the process of identifying and accessing
resources that pose a threat to the business or project
environment
It is a qualitative and/or quantitative evaluation of the likelihood
and consequences of a risk
It is the first step in a risk management methodology
The output of the risk assessment process helps to identify
suitable controls for reducing or eliminating risk during the risk
mitigation process

EC-Council
Importance of Risk Assessment
Identifies and prioritizes security risk to critical information
assets and key business processes
Determines the extent of the possible threat, vulnerability,
and risk related with an IT system
Determines the probability of adverse events and threats to
an IT system
Identifies appropriate controls for reducing or eliminating
risk throughout the risk mitigation process

EC-Council
Approval to Operate (ATO) and
Interim Approval to Operate (IATO)
• It is a formal declaration by the Designated Approving
Authority (DAA) that an IT system is approved to operate in a
particular security mode using a prescribed set of safeguards
at an acceptable level of risk
Approval to Operate (ATO)
• It is a provisional approval for a system to operate if a set of
mitigating conditions require that the system be turned on
even though the risk is unacceptable
Interim Approval to Operate (IATO)

EC-Council
Importance of Risk Assessment
to Obtain an IATO and ATO
DAA’s decision to grant IATO/ATO is based on the perception of an efficient and
effective allocation of risk assessment resources at the subsystem level during
development and implementation of information systems
A proper risk assessment helps in assessing and evaluating level of risk, residual
risks, and remedies for risks that are essential prerequisites for obtaining
IATO/ATO
A comprehensive risk assessment policy and infrastructure implemented in
organizations ensure designated approving authorities that information systems
of the organization will operate within an accepted risk level

EC-Council
Risk Assessment Methodology
• Develop the risk assessment team
• Set the scope of the project
• Identify assets covered by the assessment
• Classify potential losses
• Identify threats and vulnerabilities
• Identify existing controls
• Analyze the data
• Determine cost-effective safeguards
• Generate the report
Risk assessment methodology provides the
following guidelines:

EC-Council
Information Sources for Risk
Assessments
While assessing risk, it is important to make a decision based on the
information sources, which include:
• Any written information
• Interviews and discussion
• Direct observation
• Work study techniques
• Personal experience
• Acts and regulations
• Manufacturers’ instructions
• Accident statistics
• Task analysis

EC-Council
Risk Assessment Process
Characterize IT-system
Identify the threats
Identify the vulnerabilities
Analyze the controls
Determine the likelihood
Analyze the impact of threats
Determine the level of risk to the IT-system
Recommend the control to mitigate the identified risks
Document the results

EC-Council
Risk Assessment Process (cont’d)
Characterize IT-system
Identify the threats
Identify the vulnerabilities
Analyze the controls
Risk Assessment ProcessInput Output
•Hardware and software
•System interfaces
•Data and information people
•System mission
•History of system attack
•Data from intelligence
agencies, NIPC, OIG,
FedCIRC, mass media
•Reports from prior risk
assessments
•Any audit comments
•Security requirements
•Security test results
•Current controls
•Planned controls
•System boundary
•System functions
•System and data
sensitivity
•Threat statement
•List of potential
vulnerabilities
•List of current and
planned controls

EC-Council
Risk Assessment Process (cont’d)
•Threat-source motivation
•Threat capacity
•Nature of vulnerability
•Current controls
Risk Assessment ProcessInput Output
•Mission impact analysis
•Asset criticality assessment
•Data criticality
•Data sensitivity
•Likelihood of threat
exploitation
•Magnitude of impact
•Adequacy of planned or
current controls
•Likelihood rating
•Impact rating
•Risks and associated
risk levels
•Recommended controls
•Risk assessment
report
Determine the likelihood
Analyze the impact of threats
Determine the risk
Recommend the control
Document the results

EC-Council
Develop Policy and Procedures for
Conducting a Risk Assessment
Senior management in the organization develop the policies and procedures to safeguard the
IT system for their long term assignment according to their business objective
They implement some controls to reduce the expected losses from attackers, intruders, and
hackers:
• Preventive control:
• Use only certified copies of software files or data
• Implement read-only access over software
• Check new software with anti-virus before it is installed
• Educate the users about the dangerous viruses and Trojans
• Detective control:
• Frequently run anti-virus software to detect infections
• Implement and regulate date and time stamps of updation, modification, and user access to the
operating system, server, network, Internet etc.
• Corrective control:
• Ensure that clean backup is maintained
• Maintain a good documentation plan for backup and recovery
• Run anti-virus software to eliminate infection on the IT-system

EC-Council
Write Risk Assessment Reports
Once the risk assessment process is completed, the result
should be documented briefly in an official report
Risk assessment report is a complete report of assessment
process which helps the organization’s management in
making decisions on policy, procedural, budget, system
operational, and management changes
The report should be presented in a proper manner so that
the organization’s management can easily understand the
risks and assign resources to reduce or avoid potential losses

EC-Council
Write Risk Assessment Reports
(cont’d)
• Observation number and brief description of the observation
• A conversation of the threat-source and vulnerability pair
• Identification of the existing mitigating security controls
• Likelihood discussion and evaluation
• Impact analysis discussion and evaluation
• Risk rating based on the risk-level matrix
• Recommended controls or substitute options for reducing the risk
The risk assessment report should include:

EC-Council
Coordinate Resources to Perform
a Risk Assessment
Senior Management:
• Responsible for mission accomplishment and apply necessary resources to develop the capabilities
needed to accomplish the mission
Chief Information Officer:
• Responsible for the organization’s IT planning, budgeting, and performance of information security
elements
System and Information Owners:
• Responsible for ensuring that appropriate controls are in place to address integrity, confidentiality,
and availability of the IT systems
Business and Functional Managers:
• Responsible for business operations and IT procurement process and also take part in risk
management process
IT security program managers:
• Responsible for organization’s security programs such as risk management
IT Security Practitioners:
• Responsible for suitable implementation of security requirements in their IT systems

EC-Council
Risk Assessment Plan
A risk assessment plan is a document prepared by senior
management to predict risks, to estimate the effectiveness, and to
create response plans to mitigate them
It also consists of the risk assessment matrix that is used in risk
assessment process
Senior management assesses the risks continually and develops
plans to address them
It contains an analysis of the expected risks with both high and
low impact, as well as mitigation strategies to avoid the project
from derailing

EC-Council
Analyze Threats and Vulnerabilities
of an Information System
• Any incident or event with the potential to cause harm to an IT system
Threat-source:
• It is the potential for a specific threat-source to effectively exercise a
particular vulnerability
• Common threat sources:
• Natural threats:
• Floods, earthquakes, tornadoes, landslides, etc.
• Human threats:
• Unintentional acts or deliberate actions
• Environmental Threats:
• Long-term power failure, pollution, chemicals, etc.
Threat:
• It is a weakness that can be accidentally triggered or intentionally exploited
Vulnerability:

EC-Council
of an Information System (cont’d)
• Identify and develop a list of potential threat-sources
• Develop a practical estimation of the resources and potentials that
may be needed to carry out an attack
• Obtain known threats from the government and private sector
organizations
Threat Analysis:

EC-Council
of an Information System (cont’d)
• Develop a list of system flaws and weaknesses through site
investigations, conducting interviews with employees accountable
for the system, and network scanning tools
• Some practical methods to gather vulnerability information:
• Automated vulnerability scanning
• Network mapping
• Security testing and evaluation
• Penetration testing
Vulnerability Analysis:

EC-Council
Residual Risk
The residual risk is the risk or danger still remaining even after the implementation
of new or enhanced control
Residual Risk = (Inherent Risk) X (Control Risk)
• Where inherent risk = (threats x vulnerability)
Reduce number of
flaws or errors
Add a targeted
control
Reduce magnitude
of impact
New or enhanced
controls
Residual risk

EC-Council
Residual Risk
Residual risk means the risk remaining after the
implementation of risk control process
Risk with a higher strategic impact should be effectively
controlled in order to maintain the residual risk acceptable
Risk with a lower strategic impact needs less risk control
The level of acceptable residual risk depends on the senior
management’s risk appetite and it differs for each
organization

EC-Council
Residual Risk (cont’d)
Impact of
Risk
Level of Risk Control
(Quality level)
Start Low Medium High
Risk

EC-Council
Residual Risk Policy
Residual risk policy considers the economic, social, political factors in addition to
risk
This policy may have an effect on all sources within the category of the applicability
criteria
• Control equipment
• Performance such as ambient concentrations, emission rates,
and percent reduction
• Work practices
This policy may specify:

EC-Council
Residual Risk Standard: ISO/IEC
27005:2008
ISO/IEC 27005:2008 standard provides security guidelines for information security risk
management
It supports the general perceptions specified in ISO/IEC 27001
It helps to successfully implement an information security based on the risk management
process
This standard is relevant for all types of organizations to manage accidental threats caused by
the use of applications of IT systems
Knowledge of concepts, procedures, models, and terminologies specified ISO/IEC 27001 and
ISO/IEC 27002 is fundamental for understanding of ISO/IEC 27005:2008

EC-Council
Cost/Benefit Analysis
Cost/benefit analysis is conducted for each proposed control after
identifying all possible controls to find out which controls are required
and suitable for their conditions
It can be qualitative or quantitative
It helps the organization in making a decision on what risk mitigation
option to use
The main aim of cost/benefit analysis is to show that the costs of
implementing the controls can be justified by the reduction in the level of
risk
For example, the organization does not want to waste $1,000 on a control
to reduce a $200 risk

EC-Council
Cost/Benefit Analysis (cont’d)
• Determining the impact of implementing and not
implementing the new or enhanced controls
• Estimating the costs of the implementation such as:
• Hardware and software purchases
• Reduced operational effectiveness
• Cost of implementing added policies and procedures
• Cost of hiring extra personnel to implement planned
policies and procedures
• Training and maintenance cost
• Evaluating the implementation costs and profits
against system and data criticality
A cost-benefit analysis for enhanced
controls includes:

EC-Council
Cost/Benefit Analysis for Information
Assurance
According to the U.S. Government's National Information Assurance
Glossary, information assurance is defined as:
• “Measures that protect and defend information and information systems by
ensuring their availability, integrity, authentication, confidentiality, and non-
repudiation”

EC-Council
Cost/Benefit Analysis for Information
Assurance (cont’d)
Benefits of Information Assurance:
• Net Benefits = (Expected Collaboration benefits – Degraded benefits without
Assurance) – Total Costs of Information Assurance
Level of
Collaboration
Information
Assets
Assurance
Policy (Tools,
Processes,
Practices)
Security
Risks
Threats and
Vulnerabilities
Cost of
Information
Assurance
Model
Net
Benefits
Benefits

EC-Council
Importance of Cost/Benefit
Analysis for Information Assurance
Helps to identify critical information assets and finds out the upper limit of total
costs of information assurance
Establishes the collaboration objectives with the security of information assets as
a high priority
Verifies information assurance requirements
Provides a roadmap for upcoming collaborative information assurance
requirements
Helps to find out the cost spent on information security to deliver desired
information assurance

EC-Council
Cost/Benefit Analysis Procedure
Define objectives and project scope
Identify project options
Identify costs and benefits
• Identify quantitative costs
• Identify quantitative benefits
• External costs and benefits
• Equity and broader distributional considerations
• Presenting incremental costs and benefits
Discount future costs and benefits
Calculate the decision criteria
Sensitivity analysis
Identify preferred option
Prepare report
• Full evaluation report
• Summary reporting

EC-Council
Cost/Benefit Analysis Procedure
(cont’d)
Define objectives
and project scope
Identify
project option
Identify
unqualified
costs and
benefits
Identify
quantified
benefits
Identify
quantified
costs
Discount
future
costs and
benefits
Criteria
calculate
the
decision
criteria
Undertake
sensitivity
tests
Identify
preferred
option
Prepare
the report

EC-Council
Risk Acceptance
In some cases, it is vital for the organization to accept the risk
present in some entities
Risk acceptance is a practice of accepting some risks based on
the business decision
It is a part of the risk treatment decision making process in
which the organization has to decide that the system can
continue with a particular risk
The decision about risk acceptance is made by the
organization’s committee

EC-Council
Risk Acceptance (cont’d)
• Financial capacity of the organization to absorb the
consequences of risk
• Level of conservatism of the decision maker
• Quantity of the risk inherent in the business activity
normally carried out by the organization
• Diversity of the business
• Extent to which risk can be transferred or reduced
Risk acceptability depends on:

EC-Council
Risk Acceptance Process
Develop risk acceptance statement for remaining exposures:
• Responsible manager prepares a statement about the acceptable risks and sends it to
the higher management
• The statement includes detailed information of the associated risk, loss potential, and
review procedures
Approve the risk acceptance statement:
• After completing the risk acceptance statement, it is submitted to the corporate
information risk group for review and approval and other interested parties
• Corporate information risk group approved the risk acceptance after reviewing the risk
acceptance statement
Document results:
• All the outcomes of the risk acceptance process are documented and paper copies of
the risk acceptance statements are maintained

EC-Council
Management’s Risk Acceptance
Posture
The management’s decision of risk acceptance is based on the selection from a range of
alternatives
Businesses take risks in the hope of resulting profits
The role of the security manager is to help the management in controlling risks which are
considered unacceptable by the management
• Adopting alternative procedures and processes that may reduce
the need for security
• Buying insurance is also a way to prevent the failure of security
efforts
• Installing security schemes is one of the best ways to minimize
risks and effects of the threats
• Accepting the risks as a cost of doing business is an alternate way
to manage potential losses
Business risks can be dealt with by:

EC-Council
Risk Assessment and Countermeasures
Various controls are implemented in risk assessment process to
reduce the mission risk such as:
• Technical security controls:
• This control is used to protect against given types of threats
• Management security controls:
• This control is used in combination with technical and operational controls and is
implemented to manage and reduce the risk of loss and to protect an
organization’s mission
• Operational security controls:
• This control is implemented by the organization in accordance with a available set
of requirements and good organization practices

EC-Council
Risk Analysts
Risk analysts identify and quantify the risks faced by an organization or business
unit
Estimate the financial and other impacts of adverse circumstances
A risk analyst’s report contains the following points:
• Summary and conclusions
• Objectives and scope
• Limitations, assumptions and justification of hypotheses
• Description of relevant parts of the system
• Analysis methodology
• Hazard identification results
• Models used, including assumptions and validation
• Data and their sources
• Risk estimation results
• Sensitivity and uncertainty analysis
• Discussion of results (including discussion of analytic difficulties)
• References

EC-Council
Risk Mitigation
Risk mitigation encompasses all methodologies and efforts taken
to reduce either the probability or consequences of a threat
These may range from physical measures to financial measures
Risk managers start with risk analysis, then seek to take actions
to mitigate the risks
Risk mitigation efforts may involve direct costs such as increased
capital expenditure on incident handling and response

EC-Council
Risk and Certification/Accredition of
Information Systems
Certification and accreditations ensure that the information
systems are operating under an acceptable risk level which in
turn helps in planning risk mitigation strategies
It helps in building the trust of stakeholders on the
organization and helps in mitigating intangible risks such as
loss of customers and reputation
Motivates organizations to deliver quality products and
services

EC-Council
Role of Documentation in Reducing
Risk
Proper documentation of the risk analysis reduces the
risk and enables people to handle the awkward
situations
Documentation of risk analysis is a direct input to the
risk management process
It helps in reviewing potential threats and vulnerabilities
promptly
It is a reminder about the anticipated errors that may
occur while setting up the critical information systems

EC-Council
Summary
Risk is a measure of possible inability to achieve a goal, objective, or target
within defined security, cost, plan, and technical limitations
Risk management is the process of identifying risk, addressing risk, and taking
steps to eliminate or reduce risk at an acceptable level
Risk assessment is the process of identifying and accessing resources that pose a
threat to the business or project environment
The residual risk is the risk or danger remaining after the implementation of new
or enhanced control
Risk mitigation encompasses all methodologies and efforts taken to reduce
either the probability or consequences of a threat

EC-Council

File000170

More Related Content

What's hot

Similar to File000170

More from Desmond Devendran

Recently uploaded

File000170