
Risk Management Process Based on recommendations of the National Institute of Standards and Technology in “Risk Management Guide for Information Technology Systems” special publication 800 30

					Risk Management Process

Based on recommendations of the National
Institute of Standards and Technology in
“Risk Management Guide for Information
Technology Systems” (special publication
800-30)

                                  Lianne Stevens
                          Nebraska Health System
                                   April 16, 2003
Goal of Risk Management Process

   Protect the organization’s ability to
    perform its mission
   An essential management function
Definitions

   Risk - “…a function of the likelihood
    of a given threat-source’s exercising
    a particular potential vulnerability,
    and the resulting impact of that
    adverse event on the organization.”
   Risk management – process of
    identifying, assessing and reducing
    risk
Definitions
   Threat – “The potential for a threat-
    source to exercise (accidentally trigger or
    intentionally exploit) a specific
    vulnerability.”
   Threat-Source – “Either (1) intent and
    method targeted at the intentional
    exploitation of a vulnerability or (2) a
    situation and method that may
    accidentally trigger a vulnerability.”
NIST Guide Purpose

   Provide a foundation for risk
    management program development
   Provide information on cost-
    effective security controls
Guide Structure

   Risk Management Overview
   Risk Assessment Methodology
   Risk Mitigation Process
   Ongoing Risk Evaluation
Risk Management Overview

   Encompasses 3 processes
       Risk Assessment
       Risk Mitigation
       Ongoing Risk Evaluation
   Integrated into System
    Development Life Cycle (SDLC)
Risk Management Overview

   Key roles
       Senior Management
       Chief Information Officer
       System & Information Owners
       Business & Functional Managers
       Information System Security Officers
       IT Security Practitioners
       Security Awareness Trainers
Risk Assessment

   1st process in risk management
    methodology
   Used to determine potential threats
    and associated risk
   Output of this process helps to
    identify appropriate controls to
    reduce or eliminate risk
Risk Assessment Methodology

   Step 1: System Characterization
       Collect system-related information
        including:
          Hardware
          Software
          Criticality
          Users
          Technical controls
          Environment
Risk Assessment Methodology

   Step 2: Threat Identification
       Identify potential threat-sources that
        could cause harm to the IT system and
        its environment
       Can be natural, human or
        environmental
Risk Assessment Methodology
   Step 3: Vulnerability Identification
       Develop list of system vulnerabilities
        (flaws or weaknesses) that could be
        exploited
            Proactive System Security Testing
             methods include:
                 Automated vulnerability scanning tool
                 Security test and evaluation
                 Penetration testing
       Develop Security Requirements
        Checklist
Risk Assessment Methodology

   Step 4: Control Analysis
       Control Methods – may be technical or
        non-technical
       Control Categories – preventative or
        detective
       Control Analysis Technique – use of
        security requirements checklist
Risk Assessment Methodology

   Step 5: Likelihood Determination
       Governing factors
          Threat-source motivation & capability
          Nature of the vulnerability
          Existence & effectiveness of current
           controls
       Levels – High, Medium or Low
Risk Assessment Methodology

   Step 6: Impact Analysis
       Prerequisite information
          System mission
          System and data criticality
          System and data sensitivity
       Adverse impact described in terms of
        loss or degradation of integrity,
        confidentiality, availability
       Quantitative vs. qualitative assessment
Risk Assessment Methodology

   Step 7: Risk Determination
       Develop Risk-Level Matrix
            Risk Level = Threat Likelihood x Threat
             Impact
       Develop Risk Scale
            Risk Levels with associated Descriptions
             and Necessary Actions
Risk Assessment Methodology

   Step 8: Control Recommendations
       Factors to consider
          Effectiveness of recommended option
          Legislation and regulation
          Organizational policy
          Operational impact
          Safety and reliability
Risk Assessment Methodology

   Step 9: Results Documentation
       Risk Assessment Report
         Presented to senior management and
          mission owners
         Describes threats & vulnerabilities,
          measures risk and provides
          recommendations on controls to
          implement
Risk Mitigation
   2nd process of risk management
   Involves prioritizing, evaluating and
    implementing controls
   Options
       Risk assumption
       Risk avoidance
       Risk limitation
       Risk planning
       Research and acknowledgment
       Risk transference
Risk Mitigation
   Strategy
Risk Mitigation

   Control Implementation Approach
       Step 1 – Prioritize actions
       Step 2 – Evaluate recommended
        control options
       Step 3 – Conduct cost-benefit analysis
       Step 4 – Select control
       Step 5 – Assign responsibility to
        implement control
Risk Mitigation

   Control Implementation Approach
       Step 6 – Develop Safeguard
        Implementation Plan (action plan)
          Prioritizes implementation actions
          Projects start & target completion dates
       Step 7 – Implement selected control(s)
            Identify any residual risk
Risk Mitigation

   Control Categories
       Technical Security Controls
            Supporting
                 Identification (of users, processes)
                 Cryptographic key management
                 Security administration
                 System protections
Risk Mitigation

   Control Categories
       Technical Security Controls
            Preventive
                 Authentication (e.g. passwords, tokens)
                 Authorization (e.g. update vs. view)
                 Access control enforcement
                 Non-repudiation (e.g. digital certificate)
                 Protected communications (encryption)
                 Transaction privacy (e.g. SSL)
Risk Mitigation

   Control Categories
       Technical Security Controls
            Detection and Recovery
                 Audit
                 Intrusion detection and containment
                 Proof of wholeness (e.g. system integrity
                  tool)
                 Restore secure state
                 Virus detection and eradication
Risk Mitigation

   Control Categories
       Management Security Controls
           Preventive
                Assign security responsibility
                Develop & maintain system security plans
                Implement personnel security controls
                Conduct security awareness & training
Risk Mitigation

   Control Categories
       Management Security Controls
           Detection
                Implement personnel security controls
                Conduct periodic review of controls
                Perform periodic system audits
                Conduct ongoing risk management
                Authorize IT systems to address/accept
                 residual risk
Risk Mitigation

   Control Categories
       Management Security Controls
           Recovery
                Develop, test and maintain continuity of
                 operations plan
                Establish incident response capability
Risk Mitigation
   Control Categories
       Operational Security Controls
          Preventive
               Control data media access and disposal
               Limit external data distribution
               Control software viruses
               Safeguard computing facility
               Secure wiring closets
               Provide backup capability
               Establish off-site storage
               Protect laptops, PCs, workstation
               Protect IT resources from fire damage
               Provide emergency power
               Control computing facility environment (HVAC)
Risk Mitigation

   Control Categories
       Operational Security Controls
            Detection
                 Provide physical security (e.g. motion
                  detectors, closed-circuit TV monitors)
                 Ensure environmental security (e.g. smoke
                  and fire detectors)
Risk Mitigation

   Cost-Benefit Analysis
       Can be qualitative or quantitative
       Purpose: demonstrate that costs of
        implementing controls can be justified
        by reduction in level of risk
Risk Mitigation

   Residual Risk
       Risk remaining after implementation of
        controls
       If not reduced to acceptable level, risk
        management cycle must be repeated
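Worked example for Step 7 (Risk Determination) and for the residual-risk check above, added here and not part of the original slides or of the NIST guide's text. It builds the risk-level matrix from Risk Level = Threat Likelihood x Threat Impact, maps scores onto a High/Medium/Low risk scale, ranks findings for the "prioritize actions" step of mitigation, and re-scores each finding after its selected control to decide whether the cycle must repeat. The likelihood weights (1.0/0.5/0.1), impact weights (100/50/10) and scale thresholds are the sample values SP 800-30 uses to illustrate the matrix; the findings, control descriptions and the "acceptable level" are constructed assumptions for illustration.

```python
# Added example: SP 800-30 Step 7 risk-level matrix, risk scale, mitigation
# prioritization and residual-risk check. Not code from the slides or NIST.

# Sample weights the guide uses to illustrate the matrix (assumed here as-is).
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}
LEVEL_ORDER = {"Low": 0, "Medium": 1, "High": 2}

# Risk scale: level, description and necessary action (paraphrased from the guide).
RISK_SCALE = {
    "High": "Strong need for corrective measures; a plan must be put in place soon",
    "Medium": "Corrective actions are needed; develop a plan within a reasonable period",
    "Low": "Authorizing official decides whether to accept the risk or correct it",
}


def risk_score(likelihood, impact):
    """Risk Level = Threat Likelihood x Threat Impact (numeric score 1..100)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score):
    """Map a numeric score onto the risk scale: >50 High, >10 Medium, else Low."""
    score = round(score, 6)  # guard against float noise at the 10 / 50 boundaries
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def risk_matrix():
    """The 3x3 risk-level matrix: rows are likelihood, columns are impact."""
    return {l: {i: risk_level(risk_score(l, i)) for i in IMPACT} for l in LIKELIHOOD}


# Constructed sample findings (hypothetical; IDs, descriptions and ratings assumed).
# *_after_control are the analyst's re-ratings once the selected control is in place.
FINDINGS = [
    {"id": "V-1", "desc": "Unpatched internet-facing web server",
     "likelihood": "High", "impact": "High",
     "control": "Apply vendor patch; restrict inbound access at the firewall",
     "likelihood_after_control": "Low", "impact_after_control": "High"},
    {"id": "V-2", "desc": "Shared admin account on database host",
     "likelihood": "Medium", "impact": "High",
     "control": "Log all use of the shared account",  # detective only
     "likelihood_after_control": "Medium", "impact_after_control": "High"},
    {"id": "V-3", "desc": "Backup tapes stored unlocked on site",
     "likelihood": "Low", "impact": "Medium",
     "control": "Move tapes to locked off-site storage",
     "likelihood_after_control": "Low", "impact_after_control": "Low"},
]


def prioritize(findings):
    """Mitigation Step 1: order findings by risk score, highest first."""
    ranked = sorted(findings,
                    key=lambda f: risk_score(f["likelihood"], f["impact"]),
                    reverse=True)
    return [f["id"] for f in ranked]


def residual_risk(finding, acceptable_level="Low"):
    """Mitigation Step 7: identify residual risk after the control and say whether
    the risk management cycle must be repeated for this finding."""
    before = risk_level(risk_score(finding["likelihood"], finding["impact"]))
    after = risk_level(risk_score(finding["likelihood_after_control"],
                                  finding["impact_after_control"]))
    return {
        "id": finding["id"],
        "before": before,
        "after": after,
        "action": RISK_SCALE[after],
        "repeat_cycle": LEVEL_ORDER[after] > LEVEL_ORDER[acceptable_level],
    }


if __name__ == "__main__":
    for l, row in risk_matrix().items():
        print(f"Likelihood {l:6}: " + ", ".join(f"{i}->{v}" for i, v in row.items()))
    print("Priority order:", prioritize(FINDINGS))
    for f in FINDINGS:
        r = residual_risk(f)
        print(f"{r['id']}: {r['before']} -> {r['after']} "
              f"({'repeat cycle' if r['repeat_cycle'] else 'accept'})")
```

The matrix shows why the weights matter: a High-likelihood, Low-impact finding scores 10 and lands in Low, the same cell as Low likelihood against High impact, so the scale alone does not distinguish "will happen but is harmless" from "unlikely but catastrophic"; the Step 9 report should say which it is. V-2 illustrates the residual-risk rule: a purely detective control leaves likelihood and impact unchanged, the residual level stays Medium, and the cycle must be repeated with a stronger control or an explicit acceptance by the authorizing official.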
Evaluation and Assessment
   Good Security Practice
       Should have a specific schedule for repeating
        risk assessment process
       Should be flexible to allow for major system
        and processing changes
   Keys for success
       Senior management commitment
       Support & participation of IT team
       Competence of risk assessment team
       Awareness and cooperation of user community
       Ongoing evaluation & assessment
Appendices
   Sample IT system assessment questions
   Sample risk assessment report outline
   Sample safeguard implementation plan
    (action plan) summary table
   Acronyms
   Glossary
   References
