Risk Management Insight
FAIR
(FACTOR ANALYSIS OF INFORMATION RISK)
Basic Risk Assessment Guide
FAIR™ Basic Risk Assessment Guide
All Content Copyright Risk Management Insight, LLC
NOTE: Before using this assessment guide…
Using this guide effectively requires a solid understanding of FAIR concepts
‣ As with any high-level analysis method, results can depend upon variables that may not be accounted for at
this level of abstraction
‣ The loss magnitude scale described in this section is adjusted for a specific organizational size and risk
capacity. Labels used in the scale (e.g., “Severe”, “Low”, etc.) may need to be adjusted when analyzing
organizations of different sizes
‣ This process is a simplified, introductory version that may not be appropriate for some analyses
Basic FAIR analysis is comprised of ten steps in four stages:
Stage 1 – Identify scenario components
1. Identify the asset at risk
2. Identify the threat community under consideration
Stage 2 – Evaluate Loss Event Frequency (LEF)
3. Estimate the probable Threat Event Frequency (TEF)
4. Estimate the Threat Capability (TCap)
5. Estimate Control strength (CS)
6. Derive Vulnerability (Vuln)
7. Derive Loss Event Frequency (LEF)
Stage 3 – Evaluate Probable Loss Magnitude (PLM)
8. Estimate worst-case loss
9. Estimate probable loss
Stage 4 – Derive and articulate Risk
10. Derive and articulate Risk
Risk
Loss Event
Frequency
Probable Loss
Magnitude
Threat Event
Frequency
Vulnerability
Contact Action
Control
Strength
Threat
Capability
Primary Loss
Factors
Secondary
Loss Factors
Asset Loss
Factors
Threat Loss
Factors
Organizational
Loss Factors
External Loss
Factors
FAIR™ Basic Risk Assessment Guide
All Content Copyright Risk Management Insight, LLC
Stage 1 – Identify Scenario Components
Step 1 – Identify the Asset(s) at risk
In order to estimate the control and value characteristics within a risk analysis, the analyst must first identify the asset
(object) under evaluation. If a multilevel analysis is being performed, the analyst will need to identify and evaluate the
primary asset (object) at risk and all meta-objects that exist between the primary asset and the threat community. This
guide is intended for use in simple, single level risk analysis, and does not describe the additional steps required for a
multilevel analysis.
Asset(s) at risk: ______________________________________________________
Step 2 – Identify the Threat Community
In order to estimate Threat Event Frequency (TEF) and Threat Capability (TCap), a specific threat community must first be
identified. At minimum, when evaluating the risk associated with malicious acts, the analyst has to decide whether the
threat community is human or malware, and internal or external. In most circumstances, it’s appropriate to define the
threat community more specifically – e.g., network engineers, cleaning crew, etc., and characterize the e.
1. Risk Management Insight
FAIR
(FACTOR ANALYSIS OF INFORMATION RISK)
Basic Risk Assessment Guide
FAIR™ Basic Risk Assessment Guide
All Content Copyright Risk Management Insight, LLC
NOTE: Before using this assessment guide…
Using this guide effectively requires a solid understanding of
FAIR concepts
‣ As with any high-level analysis method, results can depend
upon variables that may not be accounted for at
this level of abstraction
‣ The loss magnitude scale described in this section is adjusted
for a specific organizational size and risk
capacity. Labels used in the scale (e.g., “Severe”, “Low”, etc.)
may need to be adjusted when analyzing
organizations of different sizes
‣ This process is a simplified, introductory version that may not
be appropriate for some analyses
2. Basic FAIR analysis is comprised of ten steps in four stages:
Stage 1 – Identify scenario components
1. Identify the asset at risk
2. Identify the threat community under consideration
Stage 2 – Evaluate Loss Event Frequency (LEF)
3. Estimate the probable Threat Event Frequency (TEF)
4. Estimate the Threat Capability (TCap)
5. Estimate Control strength (CS)
6. Derive Vulnerability (Vuln)
7. Derive Loss Event Frequency (LEF)
Stage 3 – Evaluate Probable Loss Magnitude (PLM)
8. Estimate worst-case loss
9. Estimate probable loss
Stage 4 – Derive and articulate Risk
10. Derive and articulate Risk
Risk
Loss Event
Frequency
Probable Loss
4. Stage 1 – Identify Scenario Components
Step 1 – Identify the Asset(s) at risk
In order to estimate the control and value characteristics within
a risk analysis, the analyst must first identify the asset
(object) under evaluation. If a multilevel analysis is being
performed, the analyst will need to identify and evaluate the
primary asset (object) at risk and all meta-objects that exist
between the primary asset and the threat community. This
guide is intended for use in simple, single level risk analysis,
and does not describe the additional steps required for a
multilevel analysis.
Asset(s) at risk:
_____________________________________________________
_
Step 2 – Identify the Threat Community
In order to estimate Threat Event Frequency (TEF) and Threat
Capability (TCap), a specific threat community must first be
identified. At minimum, when evaluating the risk associated
with malicious acts, the analyst has to decide whether the
threat community is human or malware, and internal or external.
In most circumstances, it’s appropriate to define the
5. threat community more specifically – e.g., network engineers,
cleaning crew, etc., and characterize the expected nature
of the community. This document does not include guidance in
how to perform broad-spectrum (i.e., multi-threat
community) analyses.
Threat community:
_____________________________________________________
_
Characterization
FAIR™ Basic Risk Assessment Guide
All Content Copyright Risk Management Insight, LLC
Stage 2 – Evaluate Loss Event Frequency
Step 3 – Threat Event Frequency (TEF)
The probable frequency, within a given timeframe, that a threat
agent will act against an asset
Contributing factors: Contact Frequency, Probability of Action
Very High (VH) > 100 times per year
High (H) Between 10 and 100 times per year
Moderate (M) Between 1 and 10 times per year
6. Low (L) Between .1 and 1 times per year
Very Low (VL) < .1 times per year (less than once every ten
years)
Rationale
FAIR™ Basic Risk Assessment Guide
All Content Copyright Risk Management Insight, LLC
Step 4 – Threat Capability (Tcap)
The probable level of force that a threat agent is capable of
applying against an asset
Contributing factors: Skill, Resources
Very High (VH) Top 2% when compared against the overall
threat population
High (H) Top 16% when compared against the overall threat
population
Moderate (M) Average skill and resources (between bottom 16%
and top 16%)
Low (L) Bottom 16% when compared against the overall threat
population
Very Low (VL) Bottom 2% when compared against the overall
7. threat population
Rationale
FAIR™ Basic Risk Assessment Guide
All Content Copyright Risk Management Insight, LLC
Step 5 – Control strength (CS)
The expected effectiveness of controls, over a given timeframe,
as measured against a baseline
level of force
Contributing factors: Strength, Assurance
Very High (VH) Protects against all but the top 2% of an avg.
threat population
High (H) Protects against all but the top 16% of an avg. threat
population
Moderate (M) Protects against the average threat agent
Low (L) Only protects against bottom 16% of an avg. threat
population
Very Low (VL) Only protects against bottom 2% of an avg.
threat population
Rationale
8. FAIR™ Basic Risk Assessment Guide
All Content Copyright Risk Management Insight, LLC
Step 6 – Vulnerability (Vuln)
The probability that an asset will be unable to resist the actions
of a threat agent
Tcap (from step 4):
CS (from step 5):
Vulnerability
VH VH VH VH H M
H VH VH H M L
Tcap M VH H M L VL
L H M L VL VL
VL M L VL VL VL
VL L M H VH
Control Strength
Vuln (from matrix above):
FAIR™ Basic Risk Assessment Guide
9. All Content Copyright Risk Management Insight, LLC
Step 7 – Loss Event Frequency (LEF)
The probable frequency, within a given timeframe, that a threat
agent will inflict harm upon an
asset
TEF (from step 3):
Vuln (from step 6):
Loss Event Frequency
VH M H VH VH VH
H L M H H H
TEF M VL L M M M
L VL VL L L L
VL VL VL VL VL VL
VL L M H VH
Vulnerability
LEF (from matrix above):
FAIR™ Basic Risk Assessment Guide
10. All Content Copyright Risk Management Insight, LLC
Stage 3 – Evaluate Probable Loss Magnitude
Step 8 – Estimate worst-case loss
Estimate worst-case magnitude using the following three steps:
‣ Determine the threat action that would most likely result in a
worst-case outcome
‣ Estimate the magnitude for each loss form associated with that
threat action
‣ “Sum” the loss form magnitudes
Loss Forms
Threat Actions Productivity Response Replacement
Fine/Judgments Comp. Adv. Reputation
Access
Misuse
Disclosure
Modification
Deny Access
Magnitude Range Low End Range High End
Severe (SV) $10,000,000 --
High (H) $1,000,000 $9,999,999
11. Significant (Sg) $100,000 $999,999
Moderate (M) $10,000 $99,999
Low (L) $1,000 $9,999
Very Low (VL) $0 $999
FAIR™ Basic Risk Assessment Guide
All Content Copyright Risk Management Insight, LLC
Step 9 – Estimate probable loss
Estimate probable loss magnitude using the following three
steps:
‣ Identify the most likely threat community action(s)
‣ Evaluate the probable loss magnitude for each loss form
‣ “Sum” the magnitudes
Loss Forms
Threat Actions Productivity Response Replacement
Fine/Judgments Comp. Adv. Reputation
Access
Misuse
Disclosure
Modification
12. Deny Access
Magnitude Range Low End Range High End
Severe (SV) $10,000,000 --
High (H) $1,000,000 $9,999,999
Significant (Sg) $100,000 $999,999
Moderate (M) $10,000 $99,999
Low (L) $1,000 $9,999
Very Low (VL) $0 $999
FAIR™ Basic Risk Assessment Guide
All Content Copyright Risk Management Insight, LLC
Stage 4 – Derive and Articulate Risk
Step 10 – Derive and Articulate Risk
The probable frequency and probable magnitude of future loss
Well-articulated risk analyses provide decision-makers with at
least two key pieces of information:
‣ The estimated loss event frequency (LEF), and
‣ The estimated probable loss magnitude (PLM)
This information can be conveyed through text, charts, or both.
13. In most circumstances, it’s advisable to also provide the
estimated high-end loss potential so that the decision-maker is
aware of what the worst-case scenario might look like.
Depending upon the scenario, additional specific information
may be warranted if, for example:
‣ Significant due diligence exposure exists
‣ Significant reputation, legal, or regulatory considerations exist
Risk
Severe H H C C C
High M H H C C
PLM Significant M M H H C
Moderate L M M H H
Low L L M M M
Very Low L L M M M
VL L M H VH
LEF
LEF (from step 7):
PLM (from step 9):
WCLM (from step 8):
Key Risk Level
14. C Critical
H High
M Medium
L Low
FAIR™ Basic Risk Assessment Guide
All Content Copyright Risk Management Insight, LLC
Course Name:Information Security and Risk Management
Topic: https://www.hipaajournal.com/oig-2017-fisma-
compliance-review-hhs/
Rules to Follow:
APA format
Total pages 22
References
1. Introduction: (2 paragraphs, half page)
Introduce the topic you are going to brief to the board of
directors (senior management). In this case, it will be me.
1.1 Purpose : (1 paragraph, half page))
What is the purpose of this report? (Summarize the reason
why you are performing this analysis? Why did you perform this
analysis? (This is your personal summary explaining the reason
for this analysis was to meet the requirements for this class).
1.2 Scope of this analysis: (1 paragraph, half page))
Articulate the scope of the analysis you performed. Add
limitations you encountered when performing this analysis.
(This section will be completed when you have completed your
analysis).
2. Analysis Approach: (2 paragraph, 1 page)
15. Articulate the steps you took to complete this analysis. What
method did you use? (Be specific here. You will complete this
section after the report is completed, therefore, you will have
all the information needed).
2.2 Risk Model Used
Identify the model you used for this analysis (e.g. your risk
assessment table). Discuss your table in detail in this section
and how it was used. Preliminary information is found in your
instructions for this assignment, to include other tables!
3. System Characterization
Discuss the system or organization you analyzed. Be
detailed. Include (if possible) charts, etc.
3.1 Technology components
Identify and discuss the technology in use by the
organization you analyzed, to include how it is used. Identify
and discuss non-technical processes relating to the technical
controls as well (e.g. access controls). Be as detailed as
possible.
3.2 Physical Location
Identify and discuss the location of the system and/or
organization that was reported on, and why (if possible) the
report was done. Basically, why did the auditors assess the
organization; routine review?
3.3 Data Used/Produced by the System/s identified in the report
you analyzed
Discuss the type of data (or information) being processed by
the system/organization. This to itself will help to characterize
the threat statement (para. 3.7 below).
3.4 Users
After you review the report, identify who the users were of
the system/organization. For instance, their specializations. Or,
were they customers?
3.5 Flow Diagram
Draw a flow diagram (if possible) of the system/organization
you analyzed. I will discuss this during my lecture at residency.
16. 3.6 Vulnerability Statement
Create a table of the ‘top’ five vulnerabilities found from
your analysis of the reported findings, and their description.
This section will be completed towards the end.
3.7 Threat Statement
Create a table of the threats that exist to the organization
being analyzed, and their description. This section will be
completed towards the end.
3.8 Risk Assessment
Cut and paste your risk assessment table here (see residency
instructions). You will then update this table as you proceed to
complete your analysis.
4. Written Component (minimum 12pages)
Note: This is what you would brief to the board of directors
about the findings from your analysis of the report. Remember,
senior management is more likely not familiar with technical
terms, so you need to articulate the findings in words they can
understand. This is the challenge we face when briefing
executives.
The following is an example of information to include in your
narrative:
4.1 A discussion on the importance of why the risk assessment
was performed.
4.2 Discuss each threat the organization is facing, and why
these threats are relevant. Use internet sources where applicable
to augment your points. Include sources and cite them! Use in-
text citation at all times!
4.3 Discuss the top five findings and tie them (if possible) to
the identified threats.
4.4 Discuss how the found vulnerabilities/risks can impact the
organization’s business objectives or any other objectives of the
organization/system.
4.5 Include a discussion on information that ‘you’ feel needs to
be addressed. This is the portion of your narrative I will pay
very close attention to!
4.6 Discuss the recommendations that were made in the report
17. you analyzed, and include the ‘why’ these recommendations
should be implemented. More importantly, what are your
thoughts about these recommendations?
4.7 Discuss your team’s recommendations to be considered, to
include the ‘why’ it should be implemented.
4.8 Use APA format for this portion of the assignment. It must
be at the very least 12 pages long, with in-text citations in each
paragraph.
Note: Follow the below mentioned table as reference or example
Template to use for your qualitative risk assessment
You will read through the report and look for findings and
recommendations from the FISMA audit of the agency’s
security practices. Your team’s job will be to develop a
qualitative risk assessment from these findings to assess the
likelihood and impact. A listing of threats has been
prepopulated for you. These threats have been categorized by
type as shown below:
Threat Origination Category
Type Identifier
Threats launched purposefully
P
Threats created by unintentional human or machine errors
U
Threats caused by environmental agents or disruptions
E
Purposeful threats are launched by threat actors for a variety of
reasons and the reasons may never be fully known. Threat
actors could be motivated by curiosity, monetary gain, political
gain, social activism, revenge or many other driving forces. It is
possible that some threats could have more than one threat
origination category.
Some threat types are more likely to occur than others. The
following table takes threat types into consideration to help
18. determine the likelihood that vulnerability could be exploited.
The threat table below is designed to offer typical threats to
information systems and these threats have been considered for
the organization.
Not all of these will be relevant to the findings in your risk
assessment, however you will need to identify those that are or
potentially may not be.
ID
Threat Name
Type ID
Description
Typical Impact to Data or System
Confidentiality
Integrity
Availability
T-1
Alteration
U, P, E
Alteration of data, files, or records.
Modification
T-2
Audit Compromise
P
An unauthorized user gains access to the audit trail and could
cause audit records to be deleted or modified, or prevents future
audit records from being recorded, thus masking a security
relevant event. Also applies to a purposeful act by an
Administrator to mask unauthorized activity.
19. Modification or Destruction
Unavailable Accurate Records
T-3
Bomb
P
An intentional explosion.
Modification or Destruction
Denial of Service
T-4
Communications Failure
U, E
Cut of fiber optic lines, trees falling on telephone lines.
Denial of Service
T-5
Compromising Emanations
P
Eavesdropping can occur via electronic media directed against
large scale electronic facilities that do not process classified
National Security Information.
Disclosure
T-6
Cyber Brute Force
P
Unauthorized user could gain access to the information systems
by random or systematic guessing of passwords, possibly
supported by password cracking utilities.
Disclosure
Modification or Destruction
Denial of Service
T-7
20. Data Disclosure
P, U
An attacker uses techniques that could result in the disclosure
of sensitive information by exploiting weaknesses in the design
or configuration. Also used in instances where misconfiguration
or the lack of a security control can lead to the unintentional
disclosure of data.
Disclosure
T-8
Data Entry Error
U
Human inattention, lack of knowledge, and failure to cross-
check system activities could contribute to errors becoming
integrated and ingrained in automated systems.
Modification
Sheet1Risk eventProbabilityprobability ArticlesProbability
JustificationImpactOverall Risk RatingOverall Risk Rating
ArticlesOverall Risk Rating Justificationpros/cons of
changeReferences50 words2-3 articlesLaptop or mobile device
with proprietary data lost or stolenAdd refernecs used to
analyse risk eventexample: must atleast 50 wordsAdd 2-3
refernences for overall risk ratingTransfer the risk,Accept
risk,Avoid the risk and Militigatio plan . Choose either of these
values and example why it is consideredInternal netwrok break-
In from outsideAdd refernecs used to analyse risk
eventexample: must atleast 50 wordsAdd 2-3 refernences for
overall risk ratingTransfer the risk,Accept risk,Avoid the risk
and Militigatio plan . Choose either of these values and example
why it is consideredVirus, worm or trojan InfectionsAdd
refernecs used to analyse risk eventexample: must atleast 50
21. wordsTransfer the risk,Accept risk,Avoid the risk and
Militigatio plan . Choose either of these values and example
why it is consideredSource code stolen by external attacker or
InsiderAdd refernecs used to analyse risk eventexample: must
atleast 50 wordsAdd 2-3 refernences for overall risk
ratingTransfer the risk,Accept risk,Avoid the risk and
Militigatio plan . Choose either of these values and example
why it is consideredDenial of Service attacker(s)Add refernecs
used to analyse risk eventexample: must atleast 50 wordsAdd 2-
3 refernences for overall risk ratingTransfer the risk,Accept
risk,Avoid the risk and Militigatio plan . Choose either of these
values and example why it is consideredData security breach for
personal, Finicial and/or customer dataAdd refernecs used to
analyse risk eventexample: must atleast 50 wordsAdd 2-3
refernences for overall risk ratingTransfer the risk,Accept
risk,Avoid the risk and Militigatio plan . Choose either of these
values and example why it is consideredProlonged IT
outageAdd refernecs used to analyse risk eventexample: must
atleast 50 wordsAdd 2-3 refernences for overall risk
ratingTransfer the risk,Accept risk,Avoid the risk and
Militigatio plan . Choose either of these values and example
why it is consideredPirated software, Music or movies issued
within code GaloreAdd refernecs used to analyse risk
eventexample: must atleast 50 wordsAdd 2-3 refernences for
overall risk ratingTransfer the risk,Accept risk,Avoid the risk
and Militigatio plan . Choose either of these values and example
why it is consideredAttack against others initated by code
galore employeeAdd refernecs used to analyse risk
eventexample: must atleast 50 wordsAdd 2-3 refernences for
overall risk ratingTransfer the risk,Accept risk,Avoid the risk
and Militigatio plan . Choose either of these values and example
why it is consideredData extrusion through interception of
wireless signalsAdd refernecs used to analyse risk
eventexample: must atleast 50 wordsAdd 2-3 refernences for
overall risk ratingTransfer the risk,Accept risk,Avoid the risk
and Militigatio plan . Choose either of these values and example
23. 4
What we do
Org. Structure
Operational
Industry
Products
Sales
Financials
Background Information
Building a comprehensive business function automation
software that performs many functions (decision making in
approaching new initiatives, goal setting and tracking, financial
accounting, a payment system, and much more).
The software is largely the joint brainchild of the Chief
Technology Officer (CTO) and a highly visionary Marketing
Manager who left the company a year ago
5
What we do
Org. Structure
Operational
Industry
Products
Sales
Financials
Background Information – What We Do
Financed 100% by investors who are extremely anxious to make
a profit.
Investors have invested more than US $35 million since
inception and have not received any returns.
The organization expected a small profit in the last two
24. quarters. However, the weak economy led to the cancellation of
several large orders. As a result, the organization was in the red
each quarter by approximately US $250,000.
6
Background Information – Financials
What we do
Org. Structure
Operational
Industry
Products
Sales
Financials
Code Galore is a privately held company with a budget of US
$15 million per year. Sales last year totaled US $13.5 million
(as mentioned earlier, the company came within US $250,000 of
being profitable each of the last two quarters).
The investors hold the preponderance of the company’s stock;
share options are given to employees in the form of stock
options that can be purchased for US $1 per share if the
company ever goes public.
Code Galore spends about five percent of its annual budget on
marketing. Its marketing efforts focus on portraying other
financial function automation applications as ‘point solutions’
in contrast to Code Galore’s product.
7
Background Information – Financials
What we do
Org. Structure
Operational
Industry
Products
Sales
Financials
25. 8
Background Information – Org. Structure
Figure 1—Code Galore Organisational Chart
CEO
CSO
VP, Finance
VP, Business
CTO
VP, Human Resources
Security
Administrator
Sales Mgr
Accounting
Dir.
Sr. Financial
Analyst
Infrastructure
Mgr.
Sys. Dev. Mgr.
HR Manager
What we do
Org. Structure
Operational
Industry
26. Products
Sales
Financials
The board of directors:
Consists of seasoned professionals with many years of
experience in the software industry
Is scattered all over the world and seldom meets, except by
teleconference
Is uneasy with Code Galore being stretched so thin financially,
and a few members have tendered their resignations within the
last few months
9
Background Information – Org. Structure
What we do
Org. Structure
Operational
Industry
Products
Sales
Financials
The CEO:
Is the former chief financial officer (CFO) of Code Galore that
replaced the original CEO who resigned to pursue another
opportunity two years ago
Has a good deal of business knowledge, a moderate amount of
experience as a C-level officer, but no prior experience as a
CEO
As a former CFO, tends to focus more on cost cutting than on
creating a vision for developing more business and getting
better at what Code Galore does best
Background Information – Org. Structure
27. 10
What we do
Org. Structure
Operational
Industry
Products
Sales
Financials
Engineers perform code installations. The time to get the
product completely installed and customized to the customer’s
environment can exceed one month with costs higher than US
$60,000 to the customer.
Labour and purchase costs are too high for small and medium-
sized businesses. So far, only large companies in the US and
Canada have bought the product.
C-level officers and board members know that they have
developed a highly functional, unique product for which there is
really no competition. They believe that, in time, more
companies will become interested in this product, but the
proverbial time bomb is ticking. Investors have stretched
themselves to invest US $35 million in the company, and are
unwilling to invest much more.
11
Background Information – Operational
What we do
Org. Structure
Operational
Industry
Products
Sales
Financials
28. Business function automation software is a profitable area for
many software vendors because it automates tasks that
previously had to be performed manually or that software did
not adequately support.
The business function automation software arena has many
products developed by many vendors. However, Code Galore is
a unique niche player that does not really compete (at least on
an individual basis) with other business automation software
companies.
Background Information – Industry
12
What we do
Org. Structure
Operational
Industry
Products
Sales
Financials
The product is comprehensive—at least four other software
products would have to be purchased and implemented to cover
the range of functions that Code Galore’s product covers.
Additionally, the product integrates information and statistics
throughout all functions—each function is aware of what is
occurring in the other functions and can adjust what it does
accordingly, leading to better decision aiding.
Background Information – Products
13
What we do
Org. Structure
Operational
Industry
Products
Sales
29. Financials
Sales have been slower than expected, mainly due to a
combination of the economic recession and the high price and
complexity of the product.
The price is not just due to the cost of software development; it
also is due to the configuration labour required to get the
product running suitably for its customers.
Background Information – Sales
14
What we do
Org. Structure
Operational
Industry
Products
Sales
Financials
Acquisition
Code Galore is in many ways fighting for its life, and the fact
that, four months ago, the board of directors made the decision
to acquire a small software start-up company, Skyhaven
Software, has not helped the cash situation.
Skyhaven consists of approximately 15 people, mostly
programmers who work at the company’s small office in
Phoenix, Arizona, USA. Originally, the only connection
between your network and Skyhaven’s was an archaic public
switched telephone network (PSTN).
Setting up a WAN
Two months ago, your company’s IT director was tasked with
setting up a dedicated wide area network (WAN) connection to
allow the former Skyhaven staff to remotely access Code
Galore’s internal network and vice versa.
30. You requested that this implementation be delayed until the
security implications of having this new access route into your
network were better understood, but the CEO denied your
request on the grounds that it would delay a critical business
initiative, namely getting Skyhaven’s code integrated into Code
Galore’s.
15
The Problems
Information Security
More recently, you have discovered that the connection does not
require a password for access and that, once a connection to the
internal network is established from outside the network, it is
possible to connect to every server within the network,
including the server that holds Code Galore’s source code and
software library and the server that houses employee payroll,
benefits and medical insurance information.
Fortunately, access control lists (ACLs) limit the ability of
anyone to access these sensitive files, but a recent vulnerability
scan showed that both servers have vulnerabilities that could
allow an attacker to gain unauthorised remote privileged access.
You have told the IT director that these vulnerabilities need to
be patched, but because of the concern that patching them may
cause them to crash or behave unreliably and because Code
Galore must soon become profitable or else, you have granted
the IT director a delay of one month in patching the servers.
16
The Problems – Overview
31. Bots
What now really worries you is that, earlier today, monitoring
by one of the security engineers who does some work for you
has shown that several hosts in Skyhaven’s network were found
to have bots installed in them.
Source Code
Furthermore, one of the Skyhaven programmers has told you
that Skyhaven source code (which is to be integrated into Code
Galore’s source code as soon as the Skyhaven programmers are
through with the release on which they are currently working) is
on just about every Skyhaven machine, regardless of whether it
is a workstation or server.
17
The Problems – Overview
Code Galore vs. Skyhaven Employee knowledge
Code Galore employees are, in general, above average in their
knowledge and awareness of information security, due in large
part to an effective security awareness programme that you set
up two months after you started working at Code Galore and
have managed ever since.
You offer monthly brown bag lunch events in a large conference
room, display posters reminding employees not to engage in
actions such as opening attachments that they are not expecting,
and send a short monthly newsletter informing employees of the
direction in which the company is going in terms of security and
how they can help.
Very few incidents due to bad user security practices occurred
until Skyhaven Software was acquired. Skyhaven’s employees
appear to have almost no knowledge of information security.
You also have discovered that the Skyhaven employee who
informally provides technical assistance does not make backups
and has done little in terms of security configuration and patch
32. management.
18
The Problems – Overview
19
Your Role
Hired two years ago as the only Chief Security Officer (CSO)
this company has ever had.
Report directly to the Chief Executive Officer (CEO).
Attend the weekly senior management meeting in which goals
are set, progress reports are given and issues to be resolved are
discussed.
The Information Security Department consists of just you; two
members of the security engineering team from software are
available eight hours each week.
10 years of experience as an information security manager, five
of which as a CSO, but you have no previous experience in the
software arena.
Four years of experience as a junior IT auditor.
Undergraduate degree in managing information systems and
have earned many continuing professional education credits in
information security, management and audit areas.
Five years ago, you earned your CISM certification.
The focus here is not on a business unit, but rather on Code
Galore as a whole, particularly on security risk that could
cripple the business.
Due primarily to cost-cutting measures the CEO has put in
place, your annual budget has been substantially less than you
requested each year.
33. Frankly, you have been lucky that no serious incident has
occurred so far. You know that in many ways your company has
been tempting fate.
You do the best you can with what you have, but levels of
unmitigated risk in some critical areas are fairly high.
Your Role and the Business Units
20
Mr. Wingate’s focus on cost cutting is a major reason that you
have not been able to obtain more resources for security risk
mitigation measures.
He is calm and fairly personable, but only a fair communicator,
something that results in your having to devote extra effort in
trying to learn his expectations of your company’s information
security risk mitigation effort and keeping him advised of risk
vectors and major developments and successes of this effort.
21
Your Role and the CEO, Ernest Wingate
Code Galore’s IT director is Carmela Duarte. She has put a
system of change control into effect for all IT activities
involving hardware and software.
This system is almost perfect for Code Galore—it is neither
draconian nor too lax and very few employees have any
complaints against it.
34. You have an excellent working relationship with her, and
although she is under considerable pressure from her boss, the
CTO, and the rest of C-level management to take shortcuts, she
usually tries to do what is right from a security control
perspective.
She is working hard to integrate the Skyhaven Software network
into Code Galore’s, but currently, there are few resources
available to do a very thorough job. She would also do more for
the sake of security risk mitigation if she had the resources.
Carmela has worked with Code Galore since 2006, and she is
very much liked and respected by senior management and the
employees who work for her.
22
Your Role and the IT Director, Carmela Duarte
You believe that Code Galore’s (but not Skyhaven Software’s)
security risk is well within the risk appetite of the CEO and the
board of directors.
You have a good security policy (including acceptable use
provisions) and standards in place, and you keep both of them
up to date.
You have established a yearly risk management cycle that
includes asset valuation, threat and vulnerability assessment,
risk analysis, controls evaluation and selection, and controls
effectiveness assessment, and you are just about ready to start a
controls evaluation when you suddenly realise that something
more important needs to be done right away (outlined in The
Problem section).
23