Organizations that manage sensitive data face a high risk of cyber threats and therefore need a robust security and compliance program. Such a program protects information system resources from a wide range of threats and brings the company into compliance with regulatory requirements.
Because meeting industry standards does not guarantee protection from data breaches, the security and compliance program should start by identifying and analyzing the organization's security needs rather than solely meeting compliance requirements. Following a risk management approach is therefore a best practice, instead of relying on checklists. By following this method, organizations avoid unnecessary compliance effort and cost on insignificant threats and will have a sustainable security and compliance program.
Accordingly, the program should identify, analyze and prioritize risks, and then select a comprehensive set of appropriate security controls by referencing established frameworks such as the National Institute of Standards and Technology (NIST) risk assessment framework. NIST provides prescriptive guidelines for implementing security controls. However, an organization should first develop a risk assessment methodology/framework that is tailored to its environment.
When following a risk-based approach, the security and compliance program has to align with the business objectives of the organization. Risk needs to be identified and prioritized not only from an information system perspective but also from a business perspective. By doing so, the program ensures that information security risk is identified, analyzed and prioritized from input across the organization. This provides clear justification and assurance for information security investments. It also increases the sense of ownership for information security efforts among all stakeholders.
IT Risk Management for XXX
By
Etsegenet F. Gebreabe
University of Dallas
This Paper Submitted in Partial Fulfillment of the Requirements for
CYBS 7351 - Strategic Cyber Security Management
Summer 2016
Presented to XXX
2. XXX July 5, 2016
Revision Number | Summary of Revision | Revision Author | Date | Accepted by
V1.0 | Initial document | Etsegenet Gebreabe | 07-05-2016 |
Table of Contents
IT Risk Management Completion (p. 3)
IT Risk Management Acceptance (p. 3)
System Categorization and Risk Management (p. 4)
IT Risk Mitigation Strategy (p. 14)
General IT Risk Management Information (p. 16)
Acronym (p. 17)
Reference (p. 17)
IT Risk Management Completion
This document describes the initial IT Risk Management for XXX.
Submitted by (printed name): Etsegenet Gebreabe    Title:
Signature: Etsegenet F.    Date: June 05, 2016
Contracting Company:    Contract Number:
IT Risk Management Acceptance
Approval
Printed name Title
Signature Date
Approval
Printed name Title
Signature Date
Approval
Printed name Title
Signature Date
System Categorization and Risk Management
The following asset identification and categorization is based on the level of impact to the organization should there be a breach of security (confidentiality, integrity and availability), as per the FIPS 199 and FIPS 200 standards. The risk analysis is based on qualitative measurement. The impact level values are high, medium and critical. The categorization of these assets follows the potential impact values assigned to the respective security objectives (confidentiality, integrity, availability), in which the resulting value is the highest of the three values (i.e., the high water mark) (NIST, 2004). Five assets are identified that have a high impact value, which indicates that the assets are very sensitive for the profitability of the organization.
System Name/ID: Application Development Systems
Description/purpose: The application development systems perform software and website development. They consist of information related to front-end and back-end applications.
System Type: Major Application
System operation status: Operational
System Owner: Michael Cave, Department Manager for System Development; Mark Clark, Chief Information Officer
Vulnerability: The system lacks a change control process that ensures alterations to the application are implemented according to approved procedures. Hence, there is no control mechanism to track changes in the code. This can be a security hole that an attacker can exploit. In addition, it makes troubleshooting difficult. Issues in the system may remain undiscovered until a major failure occurs in the application. Consequently, an alteration of the application will disrupt its normal operation and adversely impact the business. The outcome ranges from poor customer service to disruption of service and huge financial loss.
Minimum Security controls: Develops, disseminates, and reviews/updates documented policy and procedure that explains the process for application change management.
Impact Rating:
High (H): a critical concern
Medium (M): an important concern, but not necessarily paramount in the organization's priorities
Low (L): some minimal level of security is required, but not to the same degree as the previous two categories
Category | Need | Impact level | Reason
Confidentiality | Protect the data contained within the application development system from disclosure at all times; allow only authorized individuals access to data on an "as-needed" basis. | H / M / L | Loss of confidentiality of information could be expected to have a limited adverse effect on operations and assets. It requires that attackers be knowledgeable about the in-house system operation to exploit the system if they get hold of the application development data.
Integrity | Protect data contained within the Application Development system from unauthorized changes; the system must (a) allow only authorized individuals the ability to alter records, and (b) track to the specific individual who made and/or authorized each change to system records. | H / M / L | The unauthorized modification or destruction of information could be expected to have a serious adverse effect on operations and assets.
Availability | The Application Development system is expected to be available during work hours. | H / M / L | The disruption of access to or use of Application Development information systems could be expected to have a limited adverse effect on operations, assets, or employees.
Overall System Categorization:
Low / Moderate / High
Based on the high water mark for the protection requirements of confidentiality, integrity and availability, the overall system sensitivity is MODERATE. The effect of the loss, misuse or unauthorized access to Application Development data could have a serious adverse effect on operations and assets.
System Name/ID: Desktop Support System
Description/purpose: The Desktop Support system is an IT asset which includes Active Directory, the mail server and the DNS server. The information residing in the desktop support system is sensitive network information that an attacker can use to exploit the network.
System Type: General Support System
System Operation Status: Operational
System Owner: Brendan Liddick, Department Manager for System Administration and Desktop Support; Mark Clark, Chief Information Officer
Vulnerability: Risk associated with access control, where too many people may have access to devices and data that they have no need to access. Exposure of desktop support information such as DNS information could lead to theft of the company's sensitive information, which is expected to have a serious adverse effect on normal operations.
Minimum Security controls: Develops, disseminates, and reviews/updates documented policy and procedure for implementing robust IT access control.
High (H): a critical concern
Medium (M): an important concern, but not necessarily paramount in the organization's priorities
Low (L): some minimal level of security is required, but not to the same degree as the previous two categories
Category | Need | Impact level | Reason
Confidentiality | Protect the data contained within the desktop support system from disclosure at all times; allow only authorized individuals access to data on an "as-needed" basis. | H / M / L | Loss of confidentiality of the desktop support system is expected to have a serious adverse effect on operations, assets, or employees, as the information can be used to exploit the company's assets and therefore impact the profitability of the company. Security requirements for assuring information confidentiality are therefore an important concern.
Integrity | Protect data contained within the desktop support system from unauthorized changes; the system must allow only authorized individuals the ability to alter system parameters. | H / M / L | The unauthorized modification or destruction of information could be expected to have a severe adverse effect on operations, assets, or employees, and therefore impact the profitability of the company. Security requirements for assuring information integrity are therefore an important concern.
Availability | The desktop support system is expected to be available during work hours. | H / M / L | The disruption of access to or use of the desktop support system could be expected to have a severe adverse effect on operations, assets, or employees, and therefore impact the profitability of the company. Security requirements for assuring information availability are therefore an important concern.
Overall System Categorization
Low / Moderate / High
Based on the high water mark for the protection requirements of confidentiality, integrity and availability, the overall system sensitivity is HIGH. The effect of the loss, misuse or unauthorized access to desktop support data could have a severe adverse effect on operations and assets.
System Name/ID: Network and Infrastructure
Description/purpose: Network and Infrastructure includes the private and public network, such as servers, routers and firewalls. It is designed to manage communication between systems and manage bandwidth.
System Type: Major Application
System operation status: Operational
System owner: Sean Laur, Department Manager for Network Infrastructure and Telecommunication; Mark Clark, Chief Information Officer; Herbig Chris, Server Manager
Vulnerability: XXX has a flat network, which is a major security weakness. A flat network avoids the need for layer 3 routing and firewalls and therefore lacks adequate security.
Minimum Security controls: Revision of the network topology to segment networks and provide multi-layer protection for more sensitive assets.
High (H): a critical concern
Medium (M): an important concern, but not necessarily paramount in the organization's priorities
Low (L): some minimal level of security is required, but not to the same degree as the previous two categories
Category | Need | Impact level | Reason
Confidentiality | Protect the data contained within the network and infrastructure from disclosure at all times; allow only authorized individuals access to data on an "as-needed" basis. | H / M / L | Loss of confidentiality of network and infrastructure information can be expected to have a serious adverse effect on operations and assets. Security requirements for assuring information confidentiality are therefore an important concern.
Integrity | Protect data contained within the network and infrastructure from unauthorized changes; the system must (a) allow only authorized individuals the ability to alter records, and (b) track to the specific individual who made and/or authorized each change to system records. | H / M / L | The unauthorized modification or destruction of network and infrastructure information could be expected to have a serious adverse effect on operations and assets. Assurance of information integrity is required to the extent that destruction of information would require a major investment of time and effort to restore to an operational state once it was determined that the integrity of the information was compromised.
Availability | The network and infrastructure system is expected to be available during work hours. | H / M / L | The disruption of access to or use of the network and infrastructure could be expected to have a severe effect on operations, assets, or employees.
Overall System Categorization
Low / Moderate / High
Based on the high water mark for the impact on confidentiality, integrity and availability, the overall system sensitivity is HIGH. The effect of the loss, misuse or unauthorized access to network and infrastructure data could have a severe adverse effect on operations and assets.
System Name/ID: Data Base System
Description/purpose: The database system is a centralized database system for XXX that consists of storage servers and database software. The information contained in the database system includes sensitive product design information and customers' health-related and credit card information, which are very sensitive.
System Type: Major Application
System operation status: Operational
System Owner: Ahmed Asrar, Department Manager for Data Administration; Mark Clark, Chief Information Officer
Vulnerability: Information stored in the XXX database is sensitive, as it consists of product design information and customers' health and payment information. XXX has weak protection on the database system. If the database system is compromised, it can expose XXX to serious legal issues due to the violation of compliance standards such as HIPAA and PCI-DSS.
Minimum Security controls: Implement strong database encryption for all databases containing the company's design information and customer payment and health information.
High (H): a critical concern
Medium (M): an important concern, but not necessarily paramount in the organization's priorities
Low (L): some minimal level of security is required, but not to the same degree as the previous two categories
Category | Need | Impact level | Reason
Confidentiality | Protect the data contained within the Database System from disclosure at all times; allow only authorized individuals access to data on an "as-needed" basis. | H / M / L | Loss of confidentiality of the company's product design information and customer information such as health-related and payment card information could lead to severe legal consequences and loss of sensitive company information. Security requirements for assuring information confidentiality are therefore a very important concern.
Integrity | Protect data contained within the database system from unauthorized changes; the system must (a) allow only authorized individuals the ability to alter records, and (b) track to the specific individual who made and/or authorized each change to system records. | H / M / L | The unauthorized modification or destruction of sensitive customer information could be expected to have a severe adverse effect on operations and assets. Information integrity is required to the extent that destruction of information would require a major investment of time and effort to restore to an operational state once it was determined that the integrity of the information was compromised.
Availability | The database system is expected to be available during work hours. | H / M / L | The disruption of access to or use of information or information systems could be expected to have a severe effect on operations, assets, or employees.
Overall System Categorization
Low / Moderate / High
Based on the high water mark for the impact on confidentiality, integrity and availability, the overall system sensitivity is HIGH. The effect of the loss, misuse or unauthorized access to the database system could have a severe adverse effect on operations and assets.
System Name/ID: Human Resource
Description/purpose: Human resources are one of the major assets of XXX. Human resources include employees and third parties (customers and vendors).
System Type: Major Application
System operation status: Operational
System Owner: Krabacher Jon, VP for Human Resource; Angelin Andreen, Department Manager for Training; Paul Lee, Department Manager for Personal Security and Safety
Vulnerability: Not having adequate cyber security awareness is a major weakness that jeopardizes the security of XXX.
Minimum Security controls: Plan, develop and implement an employee and third-party (customer and vendor) training and awareness program.
High (H): a critical concern
Medium (M): an important concern, but not necessarily paramount in the organization's priorities
Low (L): some minimal level of security is required, but not to the same degree as the previous two categories
Category | Need | Impact level | Reason
Confidentiality | Protect the data contained within the Web Server from disclosure at all times; allow only authorized individuals access to data on an "as-needed" basis. | H / M / L | Loss of confidentiality of the company's sales transaction and customer information, such as payment card information, could lead to severe legal consequences and loss of sensitive company information. Security requirements for assuring information confidentiality are therefore a very important concern.
Integrity | Protect data contained within the Web Server from unauthorized changes; the system must (a) allow only authorized individuals the ability to alter records, and (b) track to the specific individual who made and/or authorized each change to system records. | H / M / L | The unauthorized modification or destruction of sensitive customer information could be expected to have a severe adverse effect on operations and assets. Information integrity is required to the extent that destruction of information would require a major investment of time and effort to restore to an operational state once it was determined that the integrity of the information was compromised.
Availability | The Web Server is expected to be available during work hours. | H / M / L | The disruption of access to or use of information or information systems could be expected to have a severe effect on operations, assets, or employees.
Overall System Categorization
Low / Moderate / High
Based on the high water mark for the impact on confidentiality, integrity and availability, the overall system sensitivity is HIGH. The effect of the loss, misuse or unauthorized access to the Web Server could have a severe adverse effect on operations and assets.
E = Extreme Risk: immediate action required
H = High Risk: senior management attention required
M = Moderate Risk: management responsibility must be specified
L = Low Risk: management by routine procedure required
IT Risk Mitigation Strategy
A risk mitigation strategy is needed to define the overall approach used for reducing risk. The risk mitigation strategy for XXX is developed not only from a system perspective but also from a business perspective. By doing so, the risk mitigation strategy aims to prioritize risks that are major from both the business and the technical perspective. An appropriate risk management methodology is selected to ensure that results are repeatable and comparable for future use. The NIST SP 800-39 Risk Management Model is chosen as it is flexible and can easily be integrated into the broader risk management process. Therefore, the risk assessment will be conducted according to the risk assessment hierarchy, which has a three-tiered approach.
Risk matrix (rows: impact/consequence; columns: likelihood)
Impact \ Likelihood | Rare (1) | Unlikely (2) | Possibly (3) | Likely (4) | Almost Certain (5)
High (3) | H | E | E | E | E
Moderate (2) | M | M | H | H | E
Low (1) | L | L | L | M | H
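The two computations this document relies on, the FIPS 199 high water mark used in the system categorization sheets above and the impact-by-likelihood matrix just given, carried through in code. This is an added worked example, not part of the original paper: the CIA impact levels are read from the wording of each asset's Reason column (limited, serious, severe), while the likelihood names are assumptions, since the paper assigns no likelihood scores.

```python
"""FIPS 199 high-water-mark categorization and the paper's 3x5 risk matrix."""
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() yields the high-water mark."""
    LOW = 1        # limited adverse effect
    MODERATE = 2   # serious adverse effect
    HIGH = 3       # severe or catastrophic adverse effect


# Likelihood scale used by the paper's matrix: rare (1) .. almost certain (5).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possibly": 3, "likely": 4, "almost certain": 5}

# Risk matrix exactly as given in the paper: rows = impact, columns = likelihood 1..5.
# E = Extreme, H = High, M = Moderate, L = Low.
RISK_MATRIX = {
    Impact.HIGH:     ["H", "E", "E", "E", "E"],
    Impact.MODERATE: ["M", "M", "H", "H", "E"],
    Impact.LOW:      ["L", "L", "L", "M", "H"],
}

# Mitigation order from the paper: Extreme first, then High, Moderate, Low.
PRIORITY = {"E": 0, "H": 1, "M": 2, "L": 3}


def high_water_mark(confidentiality: Impact, integrity: Impact, availability: Impact) -> Impact:
    """FIPS 199 system categorization: the highest impact among the three objectives."""
    return max(confidentiality, integrity, availability)


def risk_rating(impact: Impact, likelihood: int) -> str:
    """Look up the E/H/M/L rating for an impact level and a 1..5 likelihood score."""
    if not 1 <= likelihood <= 5:
        raise ValueError(f"likelihood must be 1..5, got {likelihood}")
    return RISK_MATRIX[impact][likelihood - 1]


def prioritize(assets: dict) -> list:
    """Categorize each asset, rate its risk and order the result Extreme -> Low.

    assets maps asset name -> (C, I, A, likelihood name).
    Returns a list of (asset name, category name, rating) tuples.
    """
    rows = []
    for name, (c, i, a, likelihood) in assets.items():
        category = high_water_mark(c, i, a)
        rows.append((name, category.name, risk_rating(category, LIKELIHOOD[likelihood])))
    return sorted(rows, key=lambda row: PRIORITY[row[2]])  # stable: ties keep input order


# CIA levels reconstructed from the wording of each asset's "Reason" column
# (limited -> LOW, serious -> MODERATE, severe -> HIGH); the likelihood names are
# constructed assumptions, since the paper assigns no likelihood scores.
XXX_ASSETS = {
    "Application Development Systems": (Impact.LOW, Impact.MODERATE, Impact.LOW, "possibly"),
    "Desktop Support System": (Impact.MODERATE, Impact.HIGH, Impact.HIGH, "likely"),
    "Network and Infrastructure": (Impact.MODERATE, Impact.MODERATE, Impact.HIGH, "likely"),
    "Data Base System": (Impact.HIGH, Impact.HIGH, Impact.HIGH, "unlikely"),
    "Human Resource": (Impact.HIGH, Impact.HIGH, Impact.HIGH, "almost certain"),
}

if __name__ == "__main__":
    for name, category, rating in prioritize(XXX_ASSETS):
        print(f"{rating}  {category:<8}  {name}")
```

Running it reproduces the MODERATE categorization of the application development system and HIGH for the other four assets; the E/H ordering depends on the assumed likelihoods and changes as those are revised.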
The risk assessment conducted at Tier 1 focuses on organizational operations, assets and individuals. It will assess whether threats are directed at the corporate level that may affect policy decisions. The Tier 2 risk assessment will focus on mission/business processes, which include the multiple information system risks identified at the lower-level risk assessment. It will evaluate the varying degree of criticality of the different information systems with regard to core organizational mission/business functions. The Tier 3 risk assessment is conducted in the initial phase by using the Risk Management Framework. It is a system-level assessment that will evaluate the anticipated vulnerabilities affecting confidentiality, integrity and availability of the information system and implement corrective action to mitigate risk. The result of the risk assessment at a lower level will be an input for the risk assessment at a higher level (NIST, 2011).
Figure 1: NIST Risk Management Approach (NIST, 2011)
The three-tier risk assessment methodology will be integrated with the system-level risk assessment methodology, namely the Risk Management Framework as defined in NIST SP 800-39. Therefore, risk assessment will be done throughout the SDLC (NIST, 2011).
Figure 2: Risk Management Framework (NIST, 2011)
Five security controls have been proposed based on system-level problems identified in an initial risk analysis. The security controls proposed for the identified risks are minimum security controls, and the risk mitigation is not a comprehensive set.
Finally, based on the risk matrix, risk is prioritized. Extreme-level risk needs immediate implementation of security controls for mitigating risk, followed by high-level, moderate-level and low-level risks.
General IT Risk Management Information
Chief Information Officer (CIO) Name and Contact Information:
Name:
Title:
Telephone Number:
Email address:
Information Security Officer Name and Contact Information:
Name: Etsegenet Gebreabe
Title: CISO
Telephone Number: 4696840429
Email address: egebreabe@udallas.edu
IT Risk Management Approved by:
Name
Title
Telephone Number
Email address
Date: July 5, 2016
Acronym
CIO: Chief Information Officer
HIPAA: Health Insurance Portability and Accountability Act
PCI-DSS: Payment Card Industry Data Security Standard
Reference
Whitman & Mattord (2014). Management of Information Security (pp. 313-341).
"FIPS 199: Standards for Security Categorization of Federal Information and Information Systems." National Institute of Standards and Technology, February 2004. Accessed July 4, 2016 at http://csrc.nist.gov
"FIPS 200: Standards for Security Categorization of Federal Information and Information Systems." National Institute of Standards and Technology, March 2006. Accessed July 4, 2016 at http://csrc.nist.gov
"SP 800-39: Managing Information Security Risk: Organization, Mission, and Information System View." National Institute of Standards and Technology, March 2011. Accessed July 5, 2016 at http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf