Presentation about risk management and security compliance, governance and certification

1. Risk Management
Key to Security Certifications
Risk Management Summit
jorge.sebastiao@its.ws

2. Standards
ISO 27000 – principles and vocabulary
ISO 27001 – ISMS requirements (BS7799 – Part 2)
ISO 27002 – (ISO/ IEC 17799:2005)
ISO 27003 – ISMS Implementation guidelines
ISO 27004 – ISMS Metrics and measurement
ISO 27005 – ISMS Risk Management
ISO 27031 - ICT readiness for business continuity
BS25999 – Business Continuity Management

3. Certification Objective

4. British Standard BS25999
The BCM Lifecycle: BS 25999-1 2006
BCM
Programme
Management
Understanding
the organization
Determining
BCM
strategy
Developing &
implementing
BCM response
Exercising,
maintaining
& reviewing

5. High level BC &
Security policy
management
technical risk
assets
threats
vulnerability
influence
Possibility of
occurence
Non-technical
Risk
management
Implement of
plan
Policy Driven Process

6. ISO 27004 : Metrics & Measurement
ISO/IEC has a new project to develop an
ISMS Metrics and Measurements Standard
This development is aimed at addressing
how to measure the effectiveness of ISMS
implementations (processes and controls)
Performance targets
What to measure
How to measure
When to measure

7. ISO 27005: ISMS Risk Management
A new standard on ‘Information Security Risk
Management’
This standard is being drawn up by the DTI/Cabinet
Office – with significant input from CSIA (central
Sponsor for Information Assurance)
Will be linked to MITS-2 - a new management standard
for ICT risk management
Leverages ISO13335-4

8. Organizational
Operational
1. Security
policy
2. Organizating
security
3. Asset
Management
7. Access
control
4. HR security
5. Physical and
environmental
security
8. Systems
development
and
maintenance
6.
Communicati
ons and
operations
management
9. Business
continuity
management
10.
Compliance
11.
Incidence
Managment
11 Key contexts ISO27001

9. Asset Identification
and Valuation
Identification of
Vulnerabilities Identification of
Threats
Evaluation of Impacts
Business Risks
Review of existing
security controls
Risk Assessment
Rating/ranking of Risks
Risk Management
Identification of
new security
controls
Policy and
Procedures
Implementation and
Risk Reduction
Risk Acceptance
(Residual risk)
Gap analysis
Degree of Assurance
Risk Assessment & Mgmt Process

10. Quantitative Risk Analysis
2 fundamental elements
probability of event
likely loss
Annual Loss Expectancy, ALE’ or ‘Estimated Annual
Cost, EAC’
ALE or EAC calculated by multiplying the potential
loss by the probability
Rank events in order of risk & make priorities
Problem with risk analysis:
associated with the unreliability & inaccuracy of the data
Probability not precise
Controls and countermeasures often tackle interrelated events

11. Qualitative Risk Analysis
Most widely used approach to risk analysis
Probability data NOT required
Make use of the following interrelated elements:
Threats: things that can go wrong or can ‘attack’ the system.
E.g. fire or fraud
Vulnerabilities: make a system more prone to attack
E.g. a vulnerability for fire would be the presence of inflammable
materials (e.g. paper)
Impact: loss as a result of threats.
E.g. loss of reputation and interruption of business activity.

12. Process
Asset
Register
Project
evaluation
Process
Mapping
Evaluating
System
Risk
Assessment
Applying
Controls
Writing
Statement
Initial
Assessment
Pre-
Assessment
Awareness
Client timeline
Implementation Process
Gap Analyses

13. Threats
Environmental
Natural
Disasters
Unexpected
(“OOPS” factor)
Cyber terrorism Viruses
Threats
Industrial
Espionage

14. Business Risks
Employee &
customer
privacy
Legislative
violations
Financial
loss
Intellectual
capital
Litigation
Public
Image/Trust
Business
Risks

15. Threats and Risk

16. 16
Complexity: Increased Risk
“The Future of digital systems is
complexity, and complexity is the
worst enemy of security.”
Bruce Schneier
Crypto-Gram Newsletter, March 2000

17. 17
More complexity more Security Flaws
Complexity & Reliability Risk
1 – 10 Simple procedure, little risk
11- 20 More Complex, moderate risk
21 – 50 Complex , high risk
>50 Untestable, VERY HIGH RISK
Complexity & Bad Fix Probability
Essential Complexity (Un-structuredness) &
Maintainability (future Reliability) Risk
1 – 4 Structured, little risk
> 4 Unstructured, High Risk
Structural Analysis … Providing Actionable Metrics
Complexity and Risk

18. Examples - 1

19. Examples - 2

20. Can you afford it?
eBay
12 June 1999 outage: 22 hrs.
Operating System failure
Cost: $3 million to $5 million
revenue hit
26% decline in stock price
AT&T
13 April 1998 outage: 6 to 26 hrs.
Software Upgrade
Cost: $40 million in rebates
Forced to file SLAs with the FCC
(frame relay)
MCI
August 1999 frame relay outage:
10 days
Software Upgrade
Cost: Up to 20 days free service
to 3,000 enterprises
Hershey Foods
September 1999 system failures
Application Rollout
Cost: delayed shipments; 12%
decrease in 3Q99 sales; 19%
drop in net income from 3Q98
Dev. Bank of Singapore
1 July 1999 to August 1999:
Processing Errors
Incorrect debiting of POS due
to a system overload
Cost: Embarrassment/loss of
integrity; interest charges
Charles Schwab & Co.
24 February 1999 through 21 April
1999: 4 outages of at least 4 hrs.
Upgrades/Operator Errors
Cost: ???; Announced that it had
made a $70 million new
infrastructure investment.
Causes of Unplanned
Application Downtime
Operator
Errors
40%
Application
Failures
40%
Technology
Failures
20%

21. Sources of Disaster
Survey of Disasters

22. Impact of Disaster
22
Productivity:
Number of employees x
impacted x hours out x
burdened hours = ?
productivity/
employees
$millions
minutes daystime
$impact$billions
Revenue:
Direct loss, compensatory
payment, lost future
revenues, billing losses and
investment losses
direct financial/
customer
Damaged reputation:
Customers, competitors gain
advantage, suppliers,
financial markets, business
partners
damaged
reputation
Governance &
performance:
Revenue recognition, cash
flow, credit rating, stock
price, regulatory fines
Governance
Performance
constant
increase
Indirect impact of downtime can be
far more severe and unpredictable
exponential
increase

23. Importance of Critical Infrastructures

24. Business Continuity Management
Business Impact Analysis
Risk Analysis
Recovery Strategy
Group Plans
and Procedures
Business Continuity Planning Initiation
Risk
Reduction
Implement
Standby Facilities
Create Planning Organization
Testing
PROCESS
Change Management Education Testing Review
Policy ScopeResourcesOrganization
BCM
Ongoing
Process
BCM
Project

25. Business Continuity timeline
Active
Business
A successful
recovery

26. Processes - Business Continuity Mgmt
Business Continuity
Assessments / Audits
Risk Analysis
Business Impact
Analysis
Continuity Strategies
Business Continuity
Testing
Awareness and
Training

27. Processes - Workflow

28. Risk and PDCA Model
Plan
Act
Check
Do
Test BCP
BCP
Residual Risks
Implement
Training
Plan
Risk Assessment

29. Risk Analysis provides focus
High
Medium
Low
Low Medium High
Area of
Major
Concern

30. Risk = Application Prioritization
Application
Priority
Rating
Recovery RequirementsRecovery Time Objective
AAA 0–6 Hours
Disaster Recovery needed: Restoration
at a geographically remote data center.
Local Fail over should also be considered
AA 6–12 Hours
Disaster Recovery needed: Restoration
at a geographically remote data center.
Local Fail over should also be considered.
A 12–24 Hours
Disaster Recovery needed: Restoration
at a geographically remote data center.
Local Fail over should also be considered.
B 24-48 Hours
Fail over Local,
Disaster Recovery
C 48–96 Hours Scheduled/Delayed Recovery
D Recovery in 1 Week Scheduled/Delayed Recovery
E
Recovery when
Resources Permit
Scheduled/Delayed Recovery

31. Metrics and Risk

32. Risk Management
Elimination
Reduction/Controls
Transfer/Outsource
Insurance
Residual
Not all risk can be
eliminated via
controls

33. DR Strategies Options
Immediate,
High-Impact
Strategies
Weekly Backup and
Off-site Storage
Daily Backup and
Off-site Storage
Weekly Mirroring &
Electronic Vaulting
Daily Mirroring &
Electronic Vaulting
Real-time Mirroring &
Electronic Vaulting
Vendor
Agreements
Quick Ship
Agreements
Owned
Cold Site
Owned
Hot Site
External
Cold Site
External
Hot Site
Decision Tree contains
5 x 2 x 4 = 40 strategic options

34. Strategy Optimization
Recovery strategy must be optimized to business requirements
Time
CostofStrategy
Mitigation
LostRevenue
Optimum Mitigation
Strategy

35. Response and Risk approach
Risk Management and Business Controls
Events
Incidents
Crises
Impact Monitor & resolve the
“critical few” with crisis
management team
Assess impact of events &
implement appropriate controls
Monitor & resolve at
appropriate level using
processesIncident Management
Process
Crisis Management
Process

36. New Technologies, New Risks
Laptops
Mobiles
Bluetooth
PDA
Smart Card

37. Social Engineering Risk
… 70 percent of those asked said they would
reveal their computer passwords for a …
Schrage, Michael. 2005. Retrieved from
http://www.technologyreview.com/articles/05/03/issue/review_password.asp?p=1
Bar of chocolate

38. Framework must address Risk
Threats Vulnerabilities
Controls Risks Assets
Security
Requirements
Business
Impact
exploit
exposeincreaseincrease
increase have
protect against
met by indicate
reduce

39. 39
0 5 10 15 20 25 30
Number of Responses (n=35)
Unauthorized manipulation of components, switches,
breakers, etc. from the SCADA system
Denial of service to SCADA system
Disaster Recovery
Software / patch management
Operating system vulnerabilities
Vandalism or sabotage (electronic)
Computer viruses, worms, Trojan horses, zero day attacks
Remote access/VPN
SCADA Security Survey – May 2005
Example: Top SCADA Risks

40. Integration of Logical and Physical
Business Security Management
Physical
Security
Management
ICT
Security
Management

41. Leveraging Standards
ICT & Business Continuity
Risk Key Performance Indicators
CoBiT, Metrics
ITIL
ISO20000
( & BS15000)
ISO27001
ISO27031
BS25999

42. Risk Provides Focus
High Medium Low
High
A B C
Medium
B B C
Low
C C D
Business Impact
Vulnerability

43. Part of Defense in depth

44. Risk Trade Offs
Secure Low Risk
Fast/EasyCheap
In Risk Management there are
trade-offs

45. Risk
Management
ISO27001
SOA
Risk
Assessment
Risk Mitigation
Controls
ISO27031
BS25999
Risk Analysis
Risk Management/Security Certifications

46. Questions