INFORMATION SECURITY RISK ASSESSMENT PROGRAM HANDBOOK
Jesse Torres
jstorres@ix.netcom.com
CISA, CISSP, CIA
2008-06

TABLE OF CONTENTS

OVERVIEW (page 1)
RISKS, THREATS AND VULNERABILITIES (page 4)
INTERNAL CONTROLS (page 6)
RISK ASSESSMENT PROCESS (page 7)
EVALUATION OF PROTECTION STRATEGY PRACTICES (page 10)
INFORMATION ASSET DOCUMENTATION PHASE (page 11)
  DOCUMENT INFORMATION ASSETS (page 11)
  DOCUMENT ASSET PURPOSE AND DESCRIPTION (page 11)
  DOCUMENT ASSET ENVIRONMENT AND OTHER CONSIDERATIONS (page 11)
  DOCUMENT ASSET INTERCONNECTION/INFORMATION SHARING (page 11)
  DOCUMENT ASSET SECURITY LEVEL (page 12)
RISK DETERMINATION (page 14)
  THREAT DESCRIPTION (page 15)
  VULNERABILITY DESCRIPTION (page 15)
  EXISTING CONTROLS (page 16)
  LIKELIHOOD OF OCCURRENCE (page 16)
  IMPACT SEVERITY (page 17)
  RISK LEVEL (page 18)
  EFFECT ON CONFIDENTIALITY, INTEGRITY AND/OR AVAILABILITY (page 19)
CONTROLS DETERMINATION (page 20)
  THREAT/VULNERABILITY PAIR (page 20)
  RECOMMENDED CONTROLS (page 20)
  RESIDUAL LIKELIHOOD OF OCCURRENCE (page 21)
  RESIDUAL SEVERITY OF IMPACT (page 21)
  RESIDUAL RISK LEVEL (page 21)
PRAS WORKSHEET – SECTION 1: PROCESS TECHNOLOGIES (page 22)
  Process Technology Asset* (page 22)
PRAS WORKSHEET – SECTION 2: TRANSMITTING TECHNOLOGIES (page 23)
  Transmitting Technology Asset* (page 23)
PRAS WORKSHEET – SECTION 3: STORAGE TECHNOLOGIES (page 24)
  Storage Technology Asset* (page 24)
PRAS WORKSHEET – SECTION 5: VENDORS (page 26)
INFORMATION ASSETS (page 27)
  PROCESS TECHNOLOGIES (page 27)
  TRANSMITTING TECHNOLOGIES (page 27)
  STORAGE TECHNOLOGIES - PAPER BASED (page 27)
  STORAGE TECHNOLOGIES - FILM AND FICHE (page 27)
  STORAGE TECHNOLOGIES - ELECTRONIC BASED (page 28)
COMMON INFORMATION SECURITY VULNERABILITIES (page 29)
INFORMATION SECURITY RISK ASSESSMENT SURVEY – PART I (page 34)
INFORMATION ASSET DOCUMENTATION WORKSHEET (page 34)
INFORMATION SECURITY RISK ASSESSMENT SURVEY – PART II (page 35)
INFORMATION SECURITY RISK ASSESSMENT SURVEY – PART III (page 36)
SECURITY PRACTICES (page 37)
  STRATEGIC PRACTICES - SECURITY AWARENESS AND TRAINING (page 37)
  STRATEGIC PRACTICES - SECURITY STRATEGY (page 38)
  STRATEGIC PRACTICES - SECURITY MANAGEMENT (page 39)
  STRATEGIC PRACTICES - SECURITY POLICIES AND REGULATIONS (page 40)
  STRATEGIC PRACTICES - COLLABORATIVE SECURITY MANAGEMENT (page 42)
  STRATEGIC PRACTICES - CONTINGENCY PLANNING/DISASTER RECOVERY (page 43)
  OPERATIONAL PRACTICES - PHYSICAL SECURITY PLANS AND PROCEDURES (page 44)
  OPERATIONAL PRACTICES - PHYSICAL ACCESS CONTROL (page 45)
  OPERATIONAL PRACTICES - MONITORING AND AUDITING PHYSICAL SECURITY (page 46)
  OPERATIONAL PRACTICES - SYSTEM AND NETWORK MANAGEMENT (page 47)
  OPERATIONAL PRACTICES - SYSTEM ADMINISTRATION TOOLS (page 48)
  OPERATIONAL PRACTICES - MONITORING AND AUDITING IT SECURITY (page 49)
  OPERATIONAL PRACTICES - AUTHENTICATION AND AUTHORIZATION (page 50)
  OPERATIONAL PRACTICES - AUTHENTICATION AND AUTHORIZATION (page 51)
  OPERATIONAL PRACTICES - VULNERABILITY MANAGEMENT (page 52)
  OPERATIONAL PRACTICES - ENCRYPTION (page 53)
  OPERATIONAL PRACTICES - SECURITY ARCHITECTURE AND DESIGN (page 54)
  OPERATIONAL PRACTICES - INCIDENT MANAGEMENT (page 55)
  OPERATIONAL PRACTICES - GENERAL STAFF PRACTICES (page 56)
  OPERATIONAL PRACTICES - GENERAL STAFF PRACTICES (page 57)
COMMON INFORMATION SECURITY THREATS (page 58)

OVERVIEW

The Bank’s Information Security Risk Assessment Program (“ISRAP”) provides a systematic approach for evaluating the Bank’s exposure to information-related risks. The ISRAP focuses on four components: assets, vulnerabilities, threats and controls. The Bank’s information security efforts are intended to achieve one basic goal: the protection of the Confidentiality, Integrity and Availability of Bank information assets.
Bank management is responsible for ensuring that systems and data are adequately protected. One of the Bank’s business objectives is to maintain a secure environment with respect to the security of customer and Bank information. Additional pressure to protect information is placed upon the Bank through compliance requirements imposed by information security regulations including the federal Gramm-Leach-Bliley Act. These regulatory requirements hold Bank management accountable for the protection of private information and require risk assessments as one component of an effective information security program.

The ISRAP is used to identify, evaluate, document, monitor and manage the risks related to critical Bank operations. It is the first step and the key component of the Bank’s risk management process. Through the ISRAP the Bank is able to identify and prioritize information-related risks and develop appropriate risk management strategies. Such strategies include the establishment of appropriate policies and the selection of cost-effective controls that implement the policies.

The first step in the risk assessment process is to identify the information-related assets that support business operations. These assets include physical, logical and human assets such as data center systems, employee computers, network communications devices and channels, remote work areas such as employees’ home computers, customer and Bank data, employee data, and intellectual property and trade secrets. Particular attention is paid to processes or systems that manipulate, store, manage or transmit customer information. Such systems include electronic and non-electronic processes such as file cabinets, shred bins, fax machines, printers, etc.
Increased reliance on the Internet and computer networks as well as the risk of identity theft and related crimes exposes the Bank to various types of risks that could result in a number of consequences including:
- Breached confidentiality, failed integrity or unavailability of information or services;
- Unforeseen costs from physical destruction, loss, theft, extortion, etc.;
- Costs to resolve incidents such as internal productivity loss or outside consultant fees;
- Decreased quality of services;
- Failure to meet regulatory requirements;
- Failure to meet contractual agreements;
- Legal liability;
- Delayed delivery of services; and,
- Negative publicity/reputational harm/loss of consumer confidence.

The ISRAP considers information security risks from both within the Information Technology Department as well as the user community. The ISRAP in and of itself does not assure adequate protection against information-related risks. Rather, the ISRAP is part of the Bank’s overall Information Security Program that includes the Bank’s written information security policy, information security guidelines, system design, physical security, employee awareness and an independent review of the Bank’s information security practices including but not limited to internal and external penetration testing.

The ISRAP concludes with a determination of the adequacy of existing controls relative to existing threats and vulnerabilities. The ISRAP allows management to determine the need for additional controls to reduce the Bank’s risk exposure. The ISRAP is comprised of three parts:
- Information Asset Documentation;
- Risk Determination; and,
- Controls Determination.

The ISRAP takes into account the business impact of a loss of data confidentiality, integrity and availability. It also considers the sensitivity of information stored in or processed by the system.
Finally, and as previously stated, the ISRAP considers the vulnerability of the asset to particular threats. Since risks and threats change over time, the ISRAP is updated and reviewed on a regular basis to ensure the appropriateness and effectiveness of the controls in place.

Updates are minor changes to the existing risk profile. These include changes resulting from the implementation and/or removal of a control(s), or when the effectiveness of a control changes. Updates occur when the following events take place:
- New control is implemented;
- An incident highlights a minor discrepancy in the current risk profile (i.e., the likelihood or severity of a threat requires minor adjusting or the effectiveness of a control requires adjustment);
- A risk is no longer applicable; and,
- A new risk emerges.

Reviews are the formal process of recreating the risk assessment. Reviews generally occur on an annual basis through the use of the Information Security Risk Assessment Survey (“ISRAS”). Reviews may also result from:
- Infrastructure changes such as new system/application/building;
- Major system modification;
- Increase in security risks/exposures due to an event or series of events (i.e., changes in technology, changes in business operations, etc.);
- Cumulative updates indicate the need for a review;
- Changes in regulatory requirements;
- Increase of overall system security level; and,
- Serious information security incident.

The results of the ISRAP are reviewed by the IT Steering Committee and reported to the Board of Directors as updates and reviews are completed and no less frequently than annually. The Bank’s Information Security Officer (“ISO”) maintains ISRAP documentation.

RISKS, THREATS AND VULNERABILITIES

Risk is the possibility of an act or event occurring that would have an adverse effect on the Bank and its information assets.
Risk can also be the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss of, or damage to, the assets. Risk is generally measured by a combination of severity and likelihood of occurrence.

A threat is an action or event that might jeopardize security. It is a sequence of circumstances and events that allow a human (intruder, criminal, disgruntled employee, terrorist, etc.) or other agent (virus, Trojan horse, natural disaster, etc.) to cause an information-related misfortune by exploiting vulnerabilities.

A vulnerability is a weakness related to an information asset that allows a threat to manifest itself within the system. Threats cannot affect assets unless the assets are vulnerable to the specific threats.

Considerations to keep in mind when determining threats:
- Assessing the importance and sensitivity of information and the likelihood of outside break-ins (e.g., by hackers) as well as through insider misuse of information. For example, if a large depositor list were made public, that disclosure could expose the Bank to reputational risk and the potential loss of deposits. Further, the Bank could be harmed if human resource data (e.g., salaries and personnel files) were made public.
- Determining the legal implications and contingent liability concerns associated with any identified risks. For example, if hackers successfully access the Bank’s system and use it to subsequently attack others, the Bank may be liable for damages incurred by the party that is attacked.
- Assessing the risks posed by electronic connections with business partners. The other entity may have poor access controls that could potentially lead to an indirect compromise of the Bank’s system. Another example involves vendors that may be allowed to access the Bank’s system without proper security safeguards. This could result in open access to critical information that the vendor may have “no need to know.”
- Identifying mission-critical information systems, and determining the effectiveness of current information security practices. For example, a vulnerability might involve critical systems that are not reasonably isolated from the Internet, are accessible via modem, or are not physically secured.

Capability and motivation are important attributes of threats. Threats need both attributes (capability and motivation) to be credible. For example, a skilled hacker seeking entry into a customer database accessible through the Internet is considered a credible threat because the hacker has the capability (skills) and motivation (financial gain from sale/use of customer information).

- Interested parties. Serious hackers, interested computer novices, dishonest vendors or competitors, disgruntled current or former employees, organized crime rings or even agents of espionage pose a potential threat to the Bank’s information security.
- Poor security program. Many break-ins or insider misuses of information occur due to poor security programs. Hackers often exploit well-known weaknesses and security defects in operating systems that have not been appropriately addressed by the Bank.
- Poor employee security awareness. Misuse or theft of passwords allows hackers to use password-cracking programs to figure out poorly selected passwords. The passwords may then be used to access other parts of the system. Hackers may use “social engineering,” a scheme using social techniques to obtain technical information required to access a system.
- Inadequate network protection. Trojan horses are programs that contain additional hidden functions that usually allow malicious activities. A Trojan horse program generally performs unintended functions that may include replacing programs, or collecting, falsifying or destroying data. Viruses are computer programs that may be embedded in other programs or files and can self-replicate. Once active, they may take unwanted and unexpected actions that can result in either non-destructive or destructive outcomes in the host computer programs.

INTERNAL CONTROLS

Internal controls are mechanisms that enable the Bank to achieve its business objectives. With appropriate controls in place the Bank is able to effectively mitigate the risk posed by a threat. With respect to information security, internal controls are designed to meet three main objectives:
1. Confidentiality: preventing the disclosure of sensitive information;
2. Integrity: preventing unauthorized modifications to information and maintaining internal and external consistency; and,
3. Availability: ensuring that the systems are working and that the data is accessible to users as required.

In addition to requiring the documentation of assets, threats and vulnerabilities, the ISRAP also requires managers to document associated controls. To maintain an effective information security program, managers must ensure that every asset generally has protective measures in the following areas:

Preventative Controls: These controls are established to avoid occurrences of unwanted events. This type of control may include passwords, locks, security policies and procedures, security awareness program, etc. These controls are considered “proactive.”

Detective Controls: These controls alert and identify violations after the fact. These controls can include exception reports and other information that provides notification after the event has occurred. These controls are considered “reactive.”

Corrective Controls: These controls are intended to remedy unauthorized events and to restore the original controls. For example, the ability to re-set an account that has been locked out after three unsuccessful login attempts is considered a corrective control.
Deterrent Controls: These controls discourage violations. For example, a policy that states that violators may be terminated for non-compliance with the information security program is considered a deterrent control.

RISK ASSESSMENT PROCESS

The ISRAP is a component of the Bank’s overall risk management strategy. The need for a risk assessment within each department is based on:
- The criticality of systems to the Bank’s operations;
- The sensitivity of its information; and,
- The time and changes within the department since the last assessment.

Generally, a risk assessment will be conducted within each department on an annual basis. The ISRAP focuses on existing systems. New systems must undergo a formal risk assessment during the due diligence process and prior to implementation. As such, managers must ensure that a risk assessment is completed and approved by the IT Steering Committee prior to the implementation of a new system, application or other information-related asset.

The fundamental basis of the risk assessment program is to balance the Bank’s information security requirements with other factors associated with doing business. Management and the Board recognize that some risk must be accepted to conduct business. As such, the risk assessment program provides a practical approach to efficiently and cost-effectively identifying risks associated with the Bank’s systems, whether they are physical, logical or human. Risk assessments also help ensure that line managers comply with mandatory bankwide security requirements as outlined in the Bank’s information security policy, code of conduct policy and other related policies. The program also raises employee awareness regarding the risks associated with their business unit’s reliance on automated systems and electronic information as well as information leakage that can result from low/no technology practices (i.e., file storage, faxes, etc.).
Additionally, the risk assessment program assists managers in making informed decisions about the need for additional risk mitigation controls.

The ISRAP requires each department manager to identify all department information assets. Assets can include information (data), systems, software, hardware and people. This process takes place during pre-risk assessment sessions (“PRAS”) between department managers and the ISO as well as members of the Information Technology Department and Compliance Department. This information is gathered on the “PRAS Worksheet” contained as Appendix “A.” Additional information gathering occurs during IT Steering Committee discussions and meetings with Information Technology Department staff. Appendix “B” contains the list of critical information assets included with the prior year’s ISRAS. Managers, IT Steering Committee members and Information Technology Department staff must review the list of information assets for the purpose of updating the PRAS Worksheet.

In addition to identification of information assets, the PRAS is intended to provide information relative to:
- Security practices;
- Current protection strategy practices; and,
- Current organizational vulnerabilities.

After the assets are identified, managers must determine each asset’s security threats and associated vulnerabilities. For each vulnerability the manager must determine the severity of impact upon the system’s confidentiality, integrity and availability, and determine the likelihood of the vulnerability exploit occurring given existing security controls. The product of the likelihood of occurrence and the impact severity results in the risk level. Managers are required to document the risk assessment process on the ISRAS. The ISRAS process must be completed for all information assets with a “Moderate” or “High” Risk Level in Sections 1, 2 and 3 of the PRAS Worksheet.
A copy of the ISRAS is found at Appendix “D.” Once the risk level is determined for each vulnerability, additional controls are identified for moderate- and high-risk levels. The risk is re-evaluated to determine what the remaining risk (residual risk) would be after the recommended control is implemented.

The outcome of the ISRAP process is the mitigation of risk to acceptable levels, thereby providing adequate protection to the Bank’s information assets. As such, to the extent that moderate- and high-risk levels exist after the implementation of mitigating controls, responsible managers must submit a Written Statement of Risk Acceptance (“WSRA”) to the IT Steering Committee. The IT Steering Committee will review and accept or reject the WSRA. If the WSRA is rejected, the IT Steering Committee will request the evaluation of additional controls. In all circumstances (acceptance or denial) department managers are accountable for the day-to-day management of all departmental information security risks.

In all cases in which additional controls must be implemented to mitigate moderate and high risks, the department manager must develop an action plan that documents the controls. The action plan must include the steps to be taken, the time frame for completion and the individual responsible for implementation of the controls. Within 90 days of implementation, the ISO will conduct a cursory review of the controls to ensure that they have been properly implemented and that the moderate- and high-risk exposures have been mitigated through reduction or elimination of the risk.

Throughout the ISRAP process the ISO collects information asset information from each department as well as from documentation, including policies and procedures, audits, etc. The process also identifies changes made to the systems since the last assessment.
Both quantitative and qualitative aspects of the systems are documented, including descriptions of each asset’s purpose, functionality and location, as well as other relevant information that affects information confidentiality, integrity and availability.

Department managers must designate an individual within the department to act as the Risk Assessment Liaison (“RAL”) or the manager may assume the RAL responsibilities. RALs are charged with continuing responsibility for facilitating, coordinating and executing the department’s risk assessment activities – both information security and general. During the ISRAP process the ISO meets with the RAL to reach a consensus regarding the level of risk associated with selected systems and to identify existing controls that mitigate such risks. RALs are also required to meet at regularly scheduled RAL Forums, where risk-related information is disseminated and crosscutting departmental risk issues are discussed.

The ISO oversees the information security risk assessment process. The ISO leads the discussions with department managers or RALs relative to the discovery of important information-based systems. The ISO also provides guidance throughout the assessment and coordinates with the Information Technology, Compliance and other departments, to the extent that their expertise is required to successfully complete the risk assessment process.

The results of the ISRAP process are presented to the IT Steering Committee on at least a quarterly basis. The IT Steering Committee is responsible for evaluating the reports and providing additional direction to the ISO with respect to the results of the ISRAP.

EVALUATION OF PROTECTION STRATEGY PRACTICES

Security practices are actions that help initiate, implement and maintain security within the Bank.
The ISRAP’s evaluation of security practices focuses on strategic and operational issues. The evaluation includes managers, end users and information technology staff. In addition to revealing what the Bank is doing to protect its assets, the evaluation will also reveal organizational vulnerabilities. Organizational vulnerabilities are weaknesses related to the Bank’s policies or practices that can result in the occurrence of unauthorized access or modification.

Appendix “E” contains a series of questions that address the Bank’s practices. Participants in the ISRAP process must thoughtfully complete all relevant questions during the PRAS stage. Each department is not required to complete every item contained within the Security Practices Questionnaire (Appendix “E”). Instead, the ISO will provide each department manager with a list of specific questions that must be addressed by each department. The responses are evaluated by the ISO to determine the strengths and weaknesses of the Bank’s overall information security policies, procedures and practices. Identified organizational vulnerabilities are addressed with department management. The intent of this evaluation process is to identify the vulnerabilities that are unique to each department as well as to identify changes in the risk profile of each department.

INFORMATION ASSET DOCUMENTATION PHASE

The Information Asset Documentation Phase provides background information to describe the asset and the related information. This phase establishes a framework for subsequent ISRAS phases. The department manager must provide an asset description, business function and asset security level determination.

DOCUMENT INFORMATION ASSETS

The ISRAS requires the documentation of the information asset’s name, other related information, and the responsible department. The asset must be classified as:
- Process technology;
- Transmitting technology; or,
- Storage technology.
DOCUMENT ASSET PURPOSE AND DESCRIPTION

To identify the assets covered by the ISRAS, the department manager is required to provide a brief description of the function and purpose of the asset.

DOCUMENT ASSET ENVIRONMENT AND OTHER CONSIDERATIONS

The department manager must provide a brief general technical description of any environmental factors that raise special security concerns and document the physical location of the asset.

DOCUMENT ASSET INTERCONNECTION/INFORMATION SHARING

For networked assets (i.e., those where the application and/or the system/application data reside on the Bank’s network), show how the various components and subnetworks are connected and/or interconnected to any other Local Area Network (“LAN”) or Wide Area Network (“WAN”). If the Information Technology Department maintains the asset on a day-to-day basis (i.e., FPS Gold) any non-IT department manager should indicate “NA” in this section of the ISRAS.

DOCUMENT ASSET SECURITY LEVEL

The department manager must describe and document the information handled by the system and identify the overall security level as “LOW,” “MODERATE” or “HIGH.” This section of the ISRAS requires a general description of the information, the information sensitivity, and system criticality, which includes requirements for confidentiality, integrity and availability. The table below defines the security levels to be used in this section of the ISRAS:

Asset Security Level Table

Security Level: Low
Description: Information asset whose corruption, misuse, exposure or unavailability would:
1. Be unlikely and would not be a target of unauthorized attempts to gain access, OR
2. Have little, if any, benefit to any party accessing it, OR
3. Require minimal investment of resources (financial and manpower) to restore, OR
4. Have little or no impact on the Bank or its customers.

Security Level: Moderate
Description: Information asset whose corruption, misuse, disclosure or unavailability would:
1. Not be a primary target of unauthorized attempts to gain access, OR
2. Could have a modicum of benefit to any party accessing it, OR
3. Require moderate investment of resources (financial and manpower) to restore, OR
4. Have a moderate adverse impact on both the Bank and/or its customers (e.g., could cause interruption of service to customers, result in monetary loss to the Bank or its customers, or would be undesirable, but not significantly damaging, to the Bank’s reputation).

Security Level: High
Description: Information asset that is critical, confidential and whose corruption, misuse, disclosure or unavailability:
1. Would be a primary target of unauthorized attempts to gain access, OR
2. Could significantly benefit any party accessing it, OR
3. Would require a significant investment of resources (financial and manpower) to restore, OR
4. Could have a significant adverse impact on both the Bank and/or its customers (e.g., could expose the Bank to litigation, regulatory sanction or fines, extended interruption of service to customers, monetary loss to the Bank or its customers, or significantly damage the Bank’s reputation).

RISK DETERMINATION

The objective of the Risk Determination section of the ISRAS is to determine the level of risk for each vulnerability based on:
- The likelihood of a threat exploiting a vulnerability; and,
- The severity of impact that the exploited vulnerability would have on the asset, its data and its business function in terms of loss of data confidentiality, integrity and availability.

The Risk Determination section is comprised of seven steps:
1. Identification of potential threats to information assets.
2. Identification of vulnerabilities that could be exploited.
3. Identification of existing controls that reduce the risk of the threat exploiting the vulnerability.
4. Determination of the likelihood of a threat exploiting a related vulnerability, given the existing controls.
5. Determination of the severity of impact on the information asset by an exploited vulnerability.
6. Determination of the risk level associated with a threat/vulnerability pair, given the existing controls.
7. Determination of the effect of the threat upon the asset’s confidentiality, integrity and/or availability.

This seven-step process for risk assessment is conducted for each identified threat. This information is documented on the Risk Determination Table that is the core component of the ISRAS. The Risk Determination Table records details of all the threats identified, their grading in terms of likelihood of occurring and severity of impact on business operations with respect to confidentiality, integrity and availability.

RISK DETERMINATION TABLE (column headings)

Item No. | Threat | Vulnerability | Existing Controls | Likelihood of Occurrence | Impact Severity | Risk Level | Effect on C / I / A

The Item Number designated in the left-most column is for reference purposes only. It is assigned in numerical order as rows are added to the table for different threat/vulnerability pairs. The Item Number is also used in the Controls Determination section, to correlate the analysis completed in both sections.

THREAT DESCRIPTION

This section of the ISRAS is used to identify threats that could have the ability to exploit existing information asset vulnerabilities. As previously stated, a threat is an indication of a potential undesirable event. It refers to a situation in which a person could do something undesirable (i.e., a hacker initiating an attack against the Bank) or a natural occurrence that could cause an undesirable outcome (i.e., a fire damaging the Bank’s information technology hardware).
The department manager must consider the interconnections and interdependencies among the various assets in use within the department, since these may introduce new threats to the assets under review. For example, using the same system for both e-mail retrieval and storage of customer information places the customer data at risk if a virus or Trojan horse is installed while viewing e-mail. An understanding of the asset’s interconnections and subordinate processes, if any, therefore provides significant information about inherited and new risks and controls that may affect the asset. Refer to Appendix “F” for a list of common information security threats.

VULNERABILITY DESCRIPTION

The vulnerability evaluation performed under this section of the ISRAS provides a systematic examination of the Bank’s information assets in an effort to:
- Determine the adequacy of the Bank’s security measures;
- Identify security deficiencies;
- Provide data from which to predict the effectiveness of proposed security measures; and,
- Confirm the adequacy of security measures after implementation.

As previously described, a vulnerability is a weakness that can be exploited to gain unauthorized access to information or to disrupt information processing. This section of the ISRAS records each vulnerability against the related threat. Each information asset can be subject to multiple vulnerabilities; in other words, a single threat may exploit more than one vulnerability. Appendix “C” contains a list of the common vulnerabilities that information assets should be evaluated against when conducting the vulnerability analysis. Previous ISRAS documentation, audit reports, security advisories and bulletins, technical security evaluations and other similar information should be used to identify threats and vulnerabilities.
EXISTING CONTROLS

This section of the ISRAS identifies existing controls that reduce the likelihood or probability of a threat exploiting an identified vulnerability, and/or the magnitude of impact of the exploited vulnerability. Existing controls may include management, operational and/or technical controls, depending on the identified threat.

LIKELIHOOD OF OCCURRENCE

This section requires the department manager to determine the likelihood that a threat will exploit a known vulnerability. The likelihood is an estimate of the frequency or the probability of such an event. Likelihood of occurrence is a subjective value based on the manager’s familiarity with the asset as well as a number of factors that include:
- Architecture;
- Environment;
- Access;
- Existing Controls;
- Presence, Motivation, Tenacity, Strength and Nature of the Threat;
- Presence of Vulnerabilities; and,
- Effectiveness of Existing Controls.

The following table contains guidelines for determining the likelihood that a threat will be realized and exploit the asset’s vulnerability.

Likelihood of Occurrence Table

Likelihood | Description
Negligible | Unlikely to occur.
Very Low   | Likely to occur two or three times every five years.
Low        | Likely to occur once every year or less.
Moderate   | Likely to occur once every six months or less.
High       | Likely to occur once per month or less.
Very High  | Likely to occur multiple times per month.
Extreme    | Likely to occur multiple times per day.

IMPACT SEVERITY

This section requires the department manager to determine the magnitude or severity of impact on the asset’s operational capabilities and data if the threat is realized and exploits the related vulnerability. The manager must determine the severity of impact for each vulnerability by considering the potential loss in each security category (confidentiality, integrity and availability).
The impact can be determined by:
- Loss of Functionality;
- Degradation of Response Time;
- Inability to Meet Business Mission;
- Dollar Losses;
- Loss of Public Confidence; or,
- Unauthorized Disclosure of Data.

Refer to the following table for guidelines on impact severity levels.

Impact Severity Levels

Impact Severity | Description
Insignificant   | Almost no impact if the threat is realized and the vulnerability is exploited.
Minor           | Minor effect on the system/application that will require minimal effort to repair or reconfigure the system/application.
Significant     | Some negligible yet tangible harm that will require some expenditure of resources to repair.
Damaging        | Damage to the reputation of system/application management, and/or notable loss of confidence in the system’s/application’s resources or services. Will require expenditure of significant resources to repair.
Serious         | Considerable system outage and/or loss of customer/business partner confidence. May result in the compromise of services or a large amount of customer/Bank information.
Critical        | Extended system outage or permanent closure, causing operations to resume in a hot site environment. May result in complete compromise of services or confidential information.

RISK LEVEL

The risk level is expressed in terms of the likelihood of the threat exploiting the vulnerability and the impact severity of that exploitation on the confidentiality, integrity and availability of the asset. Conceptually the Risk Level is the product of the Likelihood of Occurrence and the Severity of Impact; because both grades are ordinal rather than numeric, the Risk Levels table below, not arithmetic, defines the result for each combination. The department manager may raise the risk to a higher level depending on the system’s information security level and the degree of compromise if the threat is realized.
Risk Levels (rows: Likelihood of Occurrence; columns: Impact Severity)

Likelihood \ Impact | Insignificant | Minor    | Significant | Damaging | Serious  | Critical
Negligible          | Low           | Low      | Low         | Low      | Low      | Low
Very Low            | Low           | Low      | Low         | Low      | Moderate | Moderate
Low                 | Low           | Low      | Moderate    | Moderate | High     | High
Moderate            | Low           | Low      | Moderate    | High     | High     | High
High                | Low           | Moderate | High        | High     | High     | High
Very High           | Low           | Moderate | High        | High     | High     | High
Extreme             | Low           | Moderate | High        | High     | High     | High

EFFECT ON CONFIDENTIALITY, INTEGRITY AND/OR AVAILABILITY

The ISRAS summarizes whether a threat affects confidentiality, integrity and/or availability. A threat to an information asset may affect one or more of these factors. For example, hardware theft affects both confidentiality and availability. Knowing which aspects of the information are affected assists the Bank in determining how to adequately protect the information. Appendix “F” provides assistance in determining which aspects are affected for the common information threats. Completion of this section requires the department manager to indicate which aspects are affected by checking the appropriate box(es).

CONTROLS DETERMINATION

The Controls Determination section involves identification of additional controls, safeguards or corrective actions to minimize the potential threat exposure related to each vulnerability identified in the Risk Determination section that resulted in a moderate or high risk level. The new security measures should address the level of risk already assessed for the vulnerability and should reduce that risk level. The residual risk level is determined by assuming full implementation of the recommended controls/safeguards. The selected controls should be based on (1) the effectiveness of the control in reducing either the probability or the severity of a potential threat and (2) the cost to implement the control.

The Controls Determination section is comprised of four steps:
1. Identify the controls/safeguards to reduce the risk level of an identified threat/vulnerability pair, if the risk level is moderate or high.
2. Determine the residual likelihood of occurrence of the threat if the recommended safeguard is implemented.
3. Determine the residual impact severity of the exploited vulnerability once the recommended safeguard is implemented.
4. Determine the residual risk level for the asset.

The table below is used to summarize the analysis performed during the Controls Determination section of the ISRAS.

Controls Determination Table (columns):
Item No. | Threat/Vulnerability Pair | Recommended Control | Residual Likelihood of Occurrence | Residual Impact Severity | Residual Risk Level

THREAT/VULNERABILITY PAIR

List all threat/vulnerability pairs that resulted in a “Moderate” or “High” Risk Level in Part II (Risk Determination) of the ISRAS.

RECOMMENDED CONTROLS

Identify controls for each vulnerability with a moderate or high risk level as identified in the Risk Determination Table. The purpose of the recommended control(s) is to reduce or minimize the level of risk. When identifying a control, consider the:
1. Type of control (i.e., management, operational, technical);
2. Method the control employs to reduce the likelihood that the threat will be able to exploit the vulnerability;
3. Effectiveness of the proposed control in mitigating the risk level; and,
4. Policy and architectural parameters required for implementation (i.e., technical or political feasibility).

If more than one control is identified for the same vulnerability, list them in separate rows.

RESIDUAL LIKELIHOOD OF OCCURRENCE

Follow the directions under the section entitled “Likelihood of Occurrence” in the “Risk Determination” portion of this handbook and assume full implementation of the recommended control.
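The Risk Determination and Controls Determination procedures described above, worked through in code as an added example. This is not part of the handbook: the grade names and the Risk Levels matrix are the handbook’s, but the `Pair` record, the three threat/vulnerability rows and the “residual risk may not exceed current risk” validation are this example’s own constructions.

```python
"""Added worked example (not from the ISRAP handbook): the Risk Determination
table (Part II) and the Controls Determination table (Part III) as code.
The grade names and the Risk Levels matrix are transcribed from the handbook;
the sample threat/vulnerability rows are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

LIKELIHOOD = ["Negligible", "Very Low", "Low", "Moderate", "High", "Very High", "Extreme"]
IMPACT = ["Insignificant", "Minor", "Significant", "Damaging", "Serious", "Critical"]
RISK_ORDER = ["Low", "Moderate", "High"]

# Risk Levels table: one row per likelihood grade, one column per impact grade.
RISK_MATRIX = [
    ["Low", "Low", "Low", "Low", "Low", "Low"],                # Negligible
    ["Low", "Low", "Low", "Low", "Moderate", "Moderate"],      # Very Low
    ["Low", "Low", "Moderate", "Moderate", "High", "High"],    # Low
    ["Low", "Low", "Moderate", "High", "High", "High"],        # Moderate
    ["Low", "Moderate", "High", "High", "High", "High"],       # High
    ["Low", "Moderate", "High", "High", "High", "High"],       # Very High
    ["Low", "Moderate", "High", "High", "High", "High"],       # Extreme
]


def risk_level(likelihood: str, impact: str) -> str:
    """Risk Level for one threat/vulnerability pair.  Unknown grades raise
    ValueError, so a typo such as 'Medium' is caught before it reaches the table."""
    if likelihood not in LIKELIHOOD:
        raise ValueError(f"unknown likelihood grade: {likelihood!r}")
    if impact not in IMPACT:
        raise ValueError(f"unknown impact grade: {impact!r}")
    return RISK_MATRIX[LIKELIHOOD.index(likelihood)][IMPACT.index(impact)]


def matrix_is_monotone() -> bool:
    """Transcription check: risk must never fall as likelihood or impact rises."""
    rank = RISK_ORDER.index
    for r, row in enumerate(RISK_MATRIX):
        for c, cell in enumerate(row):
            if c and rank(cell) < rank(row[c - 1]):
                return False
            if r and rank(cell) < rank(RISK_MATRIX[r - 1][c]):
                return False
    return True


@dataclass
class Pair:
    """One row of the Risk Determination table, plus the Controls Determination
    fields the manager fills in when the pair grades as moderate or high risk."""
    item: int
    threat: str
    vulnerability: str          # Appendix C ID and text
    existing_controls: str
    likelihood: str
    impact: str
    effect: str                 # any combination of "C", "I", "A"
    recommended_control: Optional[str] = None
    residual_likelihood: Optional[str] = None
    residual_impact: Optional[str] = None

    def __post_init__(self):
        if not self.effect or set(self.effect) - set("CIA"):
            raise ValueError(f"item {self.item}: effect must be drawn from C, I, A")


def risk_determination(pairs):
    """Part II: item number -> Risk Level, given the existing controls."""
    return {p.item: risk_level(p.likelihood, p.impact) for p in pairs}


def controls_determination(pairs):
    """Part III: carry every moderate/high pair forward, require a recommended
    control, and regrade the risk assuming that control is fully implemented."""
    rows = []
    for p in pairs:
        current = risk_level(p.likelihood, p.impact)
        if current == "Low":
            continue
        if not p.recommended_control:
            raise ValueError(f"item {p.item} is {current} risk but has no recommended control")
        # A residual grade left blank means the control does not change that factor.
        residual = risk_level(p.residual_likelihood or p.likelihood,
                              p.residual_impact or p.impact)
        if RISK_ORDER.index(residual) > RISK_ORDER.index(current):
            raise ValueError(f"item {p.item}: residual risk exceeds current risk")
        rows.append({"item": p.item, "current": current, "residual": residual,
                     "control": p.recommended_control})
    return rows


# Constructed sample rows (illustrative, not from any real assessment).
SAMPLE_PAIRS = [
    Pair(1, "Virus or Trojan horse delivered by e-mail",
         "145 Network allows the introduction of malicious software",
         "Desktop anti-virus with weekly signature updates",
         "Moderate", "Damaging", "CIA",
         recommended_control="Retrieve e-mail on a workstation separate from the customer "
                             "data store; update signatures daily",
         residual_likelihood="Low", residual_impact="Significant"),
    Pair(2, "Theft of laptop", "105 Hardware is portable or easy to carry",
         "None", "Low", "Serious", "CA",
         recommended_control="Full-disk encryption and cable lock",
         residual_impact="Minor"),
    Pair(3, "Power blackout", "212 No device against blackouts",
         "UPS on all servers", "Very Low", "Minor", "A"),
]

if __name__ == "__main__":
    print(risk_determination(SAMPLE_PAIRS))
    for row in controls_determination(SAMPLE_PAIRS):
        print(row)
```

Item 3 grades Low and is therefore never carried into Part III; items 1 and 2 grade High and must carry a recommended control before a residual level is produced. Because the grades are ordinal, `matrix_is_monotone()` is the cheap sanity check worth running whenever the table is retyped into a spreadsheet or tool.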
RESIDUAL SEVERITY OF IMPACT

Follow the directions under the section entitled “Impact Severity” in the “Risk Determination” portion of this handbook and assume full implementation of the recommended control.

RESIDUAL RISK LEVEL

Determine the residual risk level for the vulnerability by assuming that the control is implemented. The residual risk level is determined from the residual likelihood of occurrence of the threat exploiting the vulnerability and the residual impact severity. Follow the directions under the section entitled “Risk Level” in the “Risk Determination” portion of this handbook, using the Risk Levels table, to determine the residual risk level assuming the control is fully implemented.

APPENDIX “A” PRAS WORKSHEET – SECTION 1: PROCESS TECHNOLOGIES

SECTION 1: In the space below list ALL process technologies that the department utilizes. Refer to the ISRAP Handbook, Appendix “B” for a list of previously reported process technologies.

Process Technology Asset* | Risk Level** (Low/Moderate/High)
(fifteen numbered blank rows)

* Process Technology refers to information assets that process data, requests, etc. One example is the FPS Gold client screens, which process requests for certain information and produce screen or other types of output. Another example is a Microsoft Excel spreadsheet, which processes information through the use of formulas.
** Risk Level is determined by applying the definitions contained in the Asset Security Level Table within the Information Asset Documentation Phase section of the ISRAP Handbook.

APPENDIX “A” PRAS WORKSHEET – SECTION 2: TRANSMITTING TECHNOLOGIES

SECTION 2: In the space below list ALL transmitting technologies that the department utilizes. Refer to the ISRAP Handbook, Appendix “B” for a list of previously reported transmitting technologies.

Transmitting Technology Asset* | Risk Level** (Low/Moderate/High)
(fifteen numbered blank rows)

* Transmitting Technology refers to information assets that transmit or transfer data/information from one location to another, either physically or electronically. One example is a printer, which transmits information from a computer to a printing device. Another example is FedEx, which transmits physical information from the Bank’s premises to another location.
** Risk Level is determined by applying the definitions contained in the Asset Security Level Table within the Information Asset Documentation Phase section of the ISRAP Handbook.

APPENDIX “A” PRAS WORKSHEET – SECTION 3: STORAGE TECHNOLOGIES

SECTION 3: In the space below list ALL storage technologies that the department utilizes. Refer to the ISRAP Handbook, Appendix “B” for a list of previously reported storage technologies.

Storage Technology Asset* | Risk Level** (Low/Moderate/High)
(fifteen numbered blank rows)

* Storage Technology refers to information assets that store data/information, either physically or electronically. One example is a file cabinet where paper-based materials containing customer/Bank information are kept. Another example is a desktop computer, which stores information electronically.
** Risk Level is determined by applying the definitions contained in the Asset Security Level Table within the Information Asset Documentation Phase section of the ISRAP Handbook.

APPENDIX “A” PRAS WORKSHEET – SECTION 4: COMPUTER APPLICATIONS

SECTION 4: In the space below list ALL computer applications that the department utilizes that are installed on a department computer.

(twenty-five numbered blank rows)
APPENDIX “A” PRAS WORKSHEET – SECTION 5: VENDORS

SECTION 5: In the space below list ALL vendors that the department utilizes, regardless of the service provided. ATTACH COPIES OF SIGNED AGREEMENTS WITH SUCH VENDORS.

(twenty-five numbered blank rows)

APPENDIX “B” INFORMATION ASSETS

The following are examples of common information assets. This list should not be considered complete. Each manager must evaluate the information assets accessed within the department. At the conclusion of each annual ISRAP, this list will be updated.

PROCESS TECHNOLOGIES
- FPS Gold applications
- Servers and back-up tapes
- Gateways
- Check scanner
- Encoders
- Cameras
- Other applications (list below)

TRANSMITTING TECHNOLOGIES
- US Mail
- Printers
- FedEx
- Telephone system
- Interoffice mail
- FAX machines
- Email
- Internet
- Modem connections to third parties
- Couriers

STORAGE TECHNOLOGIES - PAPER BASED
- Computer reports
- Files at desk
- Files in file cabinets
- Files in file rooms
- Files in vaults
- Files at Iron Mountain
- Miscellaneous paper/notes
- Policies and procedures
- Business Resumption Plan

STORAGE TECHNOLOGIES - FILM AND FICHE
- Microfiche
- Microfilm processor
- Microfilm in house
- Microfiche in house

STORAGE TECHNOLOGIES - ELECTRONIC BASED
- Desktop files
- Hardware/software inventory control
- Password security
- Unique software (list below)

APPENDIX “C” COMMON INFORMATION SECURITY VULNERABILITIES

HARDWARE AND SOFTWARE-RELATED VULNERABILITIES

ID   Description
100  Hardware is sensitive to electro-magnetic radiation.
101  Hardware is sensitive to thermal radiation.
102  Hardware is sensitive to electro-magnetic pulse.
103  Hardware might generate compromising emanations.
104  Hardware is valuable (financial, technological or strategic value).
105  Hardware is portable or easy to carry (laptops, etc.).
106  System allows easy information exchange (floppy, messaging system, fax, telephone, etc.).
107  Information asset reliability is poor.
108  Probability of poor configuration, installation or modification of the information asset.
109  Hardware is worn or is likely to malfunction due to age/use.
110  Proper use/operation of the information asset is insufficiently documented.
111  Information asset is subject to incompatibility when combined with other assets.
112  Poorly configured asset.
113  Bad development or installation of software.
114  Bad management of software versions and setup.
115  Fragility of the asset.
116  Obsolete equipment.
117  Equipment setup impossible to enhance/upgrade.
118  The system is connected to external networks.
119  By design/configuration, the system is accessible and usable by everyone.
120  The hardware can be used for purposes other than those it is intended to serve (e.g., software development for non-organizational purposes).
121  Possibility of the use of a trap door in a program.
122  Possibility of a modification to the executable.
123  Possibility of erasing or modifying program files.
124  Possibility of being infected by a virus.
125  Possibility of exploiting the asynchronous function of some parts or commands of the operating system.
126  Possibility of creating or modifying system commands.
127  Possibility of installing illegal software.
128  Use of non-evaluated hardware.
129  Possibility of easily copying “off the shelf” or valuable software.
130  Possibility of the system using illegally copied or forged software.
131  By design, the system allows access to data (database).
132  Hardware is not “user friendly.”
133  Processing requires human action.
134  Misappropriation of some functions performed by the system allows a party to gain benefits (money, promotion, etc.) or to harm a third party.
135  Possibility that parts of the equipment are harmful to personnel (screens, etc.).
136  Network can face serious disturbances.
137  Network can be destroyed.
138  Hardware enables passive eavesdropping (wires, plugs, etc.).
139  By design, the network facilitates the internal disclosure of information (telephone, fax, messaging system, etc.).
140  Network can generate system overloads.
141  Network can submit the system to request overloads or intensive interference.
142  Characteristics of the network generate software dysfunction (protocol compatibility, etc.).
143  Maintenance or operation of the network is performed via a network.
144  Network allows the use of external resources.
145  Network allows the introduction of malicious software (worms, viruses, logic bombs, etc.).
146  Network allows software downloads.
147  Network allows non-accredited individuals to try to benefit from rights they do not have.
148  Network allows use of services from outside without identification/authentication (fax, telephone, etc.).

SITE-RELATED VULNERABILITIES

ID   Description
200  Inconsistent measures against fire.
201  Water pipes next to Information Technology Department/server rooms.
202  Information Technology Department/server rooms in the vicinity of a source of pollution (smoke, gas, etc.).
203  Information Technology Department/server rooms in the vicinity of hazardous areas (explosions, etc.).
204  Probability of destruction caused by a crash (plane, railway, etc.).
205  No on-site protection against weather conditions.
206  Not an anti-seismic building.
207  Information Technology Department/server rooms in the vicinity of an active volcano.
208  No protection against lightning.
209  No protection against meteorological phenomena (storm, hurricane, etc.).
210  No protection against floods.
211  Poor reliability of air conditioning equipment.
212  No device against blackouts.
213  Poor characteristics of the emergency network.
214  Poor characteristics of the internal power plant.
215  Ability to access the internal switch.
216  External network dysfunction.
217  Bad operation of the internal telephone network.
218  Information Technology Department/server rooms in the vicinity of a source of electro-magnetic radiation.
219  Information Technology Department/server rooms in the vicinity of a source of thermal radiation.
220  Probability for the system to experience an electro-magnetic pulse.
221  Environment facilitates interception of compromising emanations.
222  Ability to plug in interception devices (electrical wires, pipes, etc.).
223  Ability to observe by optical means.
224  Ability to watch over the activities.
225  Ability to penetrate the site.
226  Ability to intercept external transmissions.
227  Ability to penetrate the facilities.
228  Ability to get past the access controls.
229  Ability to penetrate via indirect access routes.

PERSONNEL-RELATED VULNERABILITIES

ID   Description
300  Lack of watchfulness.
301  Lack of moral rules or ethics.
302  No awareness of security issues.
303  No “duty of reserve.”
304  Gain of a profit.
305  Personnel subject to manipulation.
306  No knowledge about insurance.
307  Heedless personnel.
308  No awareness of the role of the IS in the organization.
309  No knowledge of the laws.
310  Negligence, no concerns.
311  Lack of rigor.
312  Potential conflicts between persons.
313  No awareness of security issues.
314  No enforcement of the rules.
315  Unfavorable working conditions.
316  No motivation for data entry.
317  Personnel not accustomed to data entry.
318  Poorly trained personnel.
319  Lack of professionalism.
320  The notion of law is not defined for personnel.
321  Lack of trust in the organization.
322  Importance of the categories of personnel.
323  Responsibility issues.
324  No availability due to absenteeism.
325  No availability due to illness.
326  Intended unavailability due to social issues.

ORGANIZATION-RELATED VULNERABILITIES

ID   Description
400  No security organization.
401  No awareness of security issues.
402  No awareness of confidentiality issues.
403  No awareness of the hardware by the personnel.
404  No control procedures for the use of communication tools.
405  No “duty of reserve.”
406  Absence of a service or a maintenance officer.
407  Absence of instructions on the use of the equipment.
408  Absence of instructions on the use of the IS equipment.
409  Absence of a service or an IS officer.
410  No training plan on IS management.
411  Exaggerated trust of third parties in the services provided.
412  Poor organization of the services managing orders and budgets.
413  No protocol on the choice of information.
414  No working order.
415  No protection plan against the failure of maintenance companies.
416  No awareness of IS security issues.
417  No accreditation of the personnel.
418  No control plan on equipment.
419  Equipment may be used without control.
420  No control over floppies from outside.
421  No security measures during the analysis, development and implementation stages.
422  No awareness or information about copyrights.
423  No training on the software/hardware used.
424  Users’ attributions not clearly defined.
425  No regulation defining the rights.
426  No definition of the “need to know.”
427  No definition of the responsibilities.
428  No control over actions performed by the personnel.

APPENDIX “D” INFORMATION SECURITY RISK ASSESSMENT SURVEY – PART I
INFORMATION ASSET DOCUMENTATION WORKSHEET

DEPARTMENT/MANAGER NAME: [INSERT HERE]
ASSET NAME: [INSERT HERE]
ASSET TYPE (PROCESSING, TRANSMITTING, STORAGE): [INSERT HERE]
ASSET PURPOSE AND DESCRIPTION (BELOW): [INSERT HERE]
ASSET ENVIRONMENT/OTHER CONSIDERATIONS (BELOW): [INSERT HERE]
ASSET INTERCONNECTION/INFORMATION SHARING (BELOW): [INSERT HERE]
ASSET SECURITY LEVEL (LOW, MODERATE, HIGH): [INSERT HERE]

NOTE: Parts I, II and III (if applicable) must be completed for every information asset listed in Sections 1, 2 and 3 of the PRAS Worksheet IF the noted Risk Level on the PRAS Worksheet was “Moderate” or “High.”

APPENDIX “D” INFORMATION SECURITY RISK ASSESSMENT SURVEY – PART II

RISK DETERMINATION (table columns):
Item No. | Threat | Vulnerability | Existing Controls | Likelihood of Occurrence | Impact Severity | Risk Level | Effect on C / I / A

APPENDIX “D” INFORMATION SECURITY RISK ASSESSMENT SURVEY – PART III

CONTROLS DETERMINATION (table columns):
Item No. | Threat/Vulnerability Pair | Recommended Control | Residual Likelihood of Occurrence | Residual Impact Severity | Residual Risk Level

APPENDIX “E” SECURITY PRACTICES

STRATEGIC PRACTICES - SECURITY AWARENESS AND TRAINING

100  Staff members understand their security roles and responsibilities. This is documented and verified.
101  There is adequate in-house expertise for all supported services, mechanisms, and technologies (e.g., logging, monitoring, or encryption), including their secure operation. This is documented and verified.
102  Security awareness, training, and periodic reminders are provided for all personnel. Staff understanding is documented and conformance is periodically verified.
     Training includes these topics:
     - security strategies, goals, and objectives
     - security regulations, policies, and procedures
     - policies and procedures for working with third parties
     - contingency and disaster recovery plans
     - physical security requirements
     - users’ perspective on:
       - system and network management
       - system administration tools
       - monitoring and auditing for physical and information technology security
       - authentication and authorization
       - vulnerability management
       - encryption
       - architecture and design
     - incident management
     - general staff practices
     - enforcement, sanctions, and disciplinary actions for security violations
     - how to properly access sensitive information or work in areas where sensitive information is accessible
     - termination policies and procedures relative to security

STRATEGIC PRACTICES - SECURITY STRATEGY

103  The organization’s business strategies routinely incorporate security considerations.
104  Security strategies and policies take into consideration the organization’s business strategies and goals.
105  Security strategies, goals, and objectives are documented and are routinely reviewed, updated, and communicated to the organization.

STRATEGIC PRACTICES - SECURITY MANAGEMENT

106  Management allocates sufficient funds and resources to information security activities.
107  Security roles and responsibilities are defined for all staff in the organization.
108  The organization’s hiring and termination practices for staff take information security issues into account.
109  The required levels of information security and how they are applied to individuals and groups are documented and enforced.
110  The organization manages information security risks, including:
     - assessing risks to information security both periodically and in response to major changes in technology, internal/external threats, or the organization’s systems and operations
     - taking steps to mitigate risks to an acceptable level
     - maintaining an acceptable level of risk
     - using information security risk assessments to help select cost-effective security/control measures, balancing implementation costs against potential losses
111  Management receives and acts upon routine reports summarizing the results of:
     - review of system logs
     - review of audit trails
     - technology vulnerability assessments
     - security incidents and the responses to them
     - risk assessments
     - physical security reviews
     - security improvement plans and recommendations

STRATEGIC PRACTICES - SECURITY POLICIES AND REGULATIONS

112  The organization has a comprehensive set of documented, current policies that are periodically reviewed and updated. These policies address key security topic areas, including:
     - security strategy and management
     - security risk management
     - physical security
     - system and network management
     - system administration tools
     - monitoring and auditing
     - authentication and authorization
     - vulnerability management
     - encryption
     - security architecture and design
     - incident management
     - staff security practices
     - applicable laws and regulations
     - awareness and training
     - collaborative information security
     - contingency planning and disaster recovery
113  There is a documented process for management of security policies, including:
     - creation
     - administration (including periodic reviews and updates)
     - communication
114  The organization has a documented process for periodic evaluation (technical and non-technical) of compliance with information security policies, applicable laws and regulations, and insurance requirements.
115. The organization has a documented process to ensure compliance with information security policies, applicable laws and regulations, and insurance requirements.

116. The organization uniformly enforces its security policies.

117. Testing and revision of security policies and procedures is restricted to authorized personnel.

APPENDIX “E” STRATEGIC PRACTICES - COLLABORATIVE SECURITY MANAGEMENT

118. The organization has documented, monitored, and enforced procedures for protecting its information when working with external organizations (e.g., third parties, collaborators, subcontractors, or partners).

119. The organization has verified that outsourced security services, mechanisms, and technologies meet its needs and requirements.

120. The organization documents, monitors, and enforces protection strategies for information belonging to external organizations that is accessed from its own infrastructure components or is used by its own personnel.

121. The organization provides and verifies awareness and training on applicable external organizations’ security policies and procedures for personnel who are involved with those external organizations.

122. There are documented procedures for terminated external personnel specifying appropriate security measures for ending their access. These procedures are communicated and coordinated with the external organization.

APPENDIX “E” STRATEGIC PRACTICES - CONTINGENCY PLANNING/DISASTER RECOVERY

123. An analysis of operations, applications, and data criticality has been performed.

124. The organization has documented:
   - business continuity or emergency operation plans
   - disaster recovery plan(s)
   - contingency plan(s) for responding to emergencies

125. The contingency, disaster recovery, and business continuity plans consider physical and electronic access requirements and controls.

126. The contingency, disaster recovery, and business continuity plans are periodically reviewed, tested, and revised.

127. All staff:
   - are aware of the contingency, disaster recovery, and business continuity plans
   - understand and are able to carry out their responsibilities

APPENDIX “E” OPERATIONAL PRACTICES - PHYSICAL SECURITY PLANS AND PROCEDURES

128. There are documented facility security plan(s) for safeguarding the premises, buildings, and any restricted areas.

129. These plans are periodically reviewed, tested, and updated.

130. Physical security procedures and mechanisms are routinely tested and revised.

131. There are documented policies and procedures for managing visitors, including:
   - sign in
   - escort
   - access logs
   - reception and hosting

132. There are documented policies and procedures for physical control of hardware and software, including:
   - workstations, laptops, modems, wireless components, and all other components used to access information
   - access, storage, and retrieval of data backups
   - storage of sensitive information on physical and electronic media
   - disposal of sensitive information or the media on which it is stored
   - reuse and recycling of paper and electronic media

APPENDIX “E” OPERATIONAL PRACTICES - PHYSICAL ACCESS CONTROL

133. There are documented policies and procedures for individual and group access covering:
   - the rules for granting the appropriate level of physical access
   - the rules for setting an initial right of access
   - modifying the right of access
   - terminating the right of access
   - periodically reviewing and verifying the rights of access

134. There are documented policies, procedures, and mechanisms for controlling physical access to defined entities. This includes:
   - work areas
   - hardware (computers, communication devices, etc.) and software
   - media

135. There are documented procedures for verifying access authorization prior to granting physical access.

136. Workstations and other components that allow access to sensitive information are physically safeguarded to prevent unauthorized access.

APPENDIX “E” OPERATIONAL PRACTICES - MONITORING AND AUDITING PHYSICAL SECURITY

137. Maintenance records are kept to document the repairs and modifications of a facility’s physical components.

138. An individual’s or group’s actions, with respect to all physically controlled media, can be accounted for.

139. Audit and monitoring records are routinely examined for anomalies, and corrective action is taken as needed.

APPENDIX “E” OPERATIONAL PRACTICES - SYSTEM AND NETWORK MANAGEMENT

140. There are documented security plan(s) for safeguarding the systems and networks.

141. Security plan(s) are periodically reviewed, tested, and updated.

142. Sensitive information is protected by secure storage, such as:
   - defined chains of custody
   - backups stored off site
   - removable storage media
   - discard process for sensitive information or its storage media

143. The integrity of installed software is regularly verified.

144. All systems are up to date with respect to revisions, patches, and recommendations in security advisories.

145. There is a documented data backup plan that:
   - is routinely updated
   - is periodically tested
   - calls for regularly scheduled backups of both software and data
   - requires periodic testing and verification of the ability to restore from backups

146. All staff understand and are able to carry out their responsibilities under the backup plans.
147. Changes to IT hardware and software are planned, controlled, and documented.

148. IT staff members follow procedures when issuing, changing, and terminating users’ passwords, accounts, and privileges.
   - Unique user identification is required for all information system users, including third-party users.
   - Default accounts and default passwords have been removed from systems.

149. Only necessary services are running on systems; all unnecessary services have been removed.

APPENDIX “E” OPERATIONAL PRACTICES - SYSTEM ADMINISTRATION TOOLS

150. New security tools, procedures, and mechanisms are routinely reviewed for applicability in meeting the organization’s security strategies.

151. Tools and mechanisms for secure system and network administration are used, and are routinely reviewed and updated or replaced. Examples are:
   - data integrity checkers
   - cryptographic tools
   - vulnerability scanners
   - password quality-checking tools
   - virus scanners
   - process management tools
   - intrusion detection systems
   - secure remote administration
   - network service tools
   - traffic analyzers
   - incident response tools
   - forensic tools for data analysis

APPENDIX “E” OPERATIONAL PRACTICES - MONITORING AND AUDITING IT SECURITY

152. System and network monitoring and auditing tools are routinely used by the organization.
   - Activity is monitored by the IT staff.
   - System and network activity is logged/recorded.
   - Logs are reviewed on a regular basis.
   - Unusual activity is dealt with according to the appropriate policy or procedure.
   - Tools are periodically reviewed and updated.

153. Firewall and other security components are periodically audited for compliance with policy.
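Item 143 asks that the integrity of installed software be regularly verified, and item 151 lists data integrity checkers among the tools expected to be in use. The Python script below is an added example, not part of the handbook: it records a SHA-256 baseline for every file under a directory and later reports files that were modified, removed or added. The directory layout and file contents in demo() are constructed for illustration, and the location chosen for the baseline copy is an assumption.

```python
"""File-integrity baseline and verification (added example, not from the handbook).

Build a SHA-256 digest of every regular file under a directory, store it as a
baseline, and later compare the live tree against that baseline. The sample
tree created in demo() is constructed purely for illustration.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each regular file under root (POSIX path relative to root) to its digest."""
    root_path = Path(root)
    return {
        path.relative_to(root_path).as_posix(): sha256_of(path)
        for path in sorted(root_path.rglob("*"))
        if path.is_file()
    }


def save_baseline(baseline: dict, dest: str) -> None:
    """Persist the baseline as JSON.

    Keep this copy somewhere the monitored host cannot rewrite (read-only media
    or a separate server); an intruder who alters a binary on a host that also
    holds the baseline can simply update the recorded digest as well.
    """
    Path(dest).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: str) -> dict:
    return json.loads(Path(src).read_text())


def verify(root: str, baseline: dict) -> dict:
    """Compare the live tree with the baseline.

    Returns sorted lists of files whose digest changed, files recorded in the
    baseline that no longer exist, and files present now but never recorded.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, then verify."""
    with tempfile.TemporaryDirectory() as tmp, tempfile.TemporaryDirectory() as store:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"original binary\n")
        (root / "app.conf").write_text("debug=off\n")
        (root / "README").write_text("docs\n")

        # The baseline is written to a separate directory, standing in for
        # off-host storage.
        baseline_path = f"{store}/baseline.json"
        save_baseline(build_baseline(tmp), baseline_path)

        # Simulated changes made after the baseline was taken.
        (root / "bin" / "app").write_bytes(b"replaced binary\n")
        (root / "README").unlink()
        (root / "bin" / "extra.so").write_bytes(b"unexpected library\n")

        return verify(tmp, load_baseline(baseline_path))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The verify() output is what a scheduled job would hand to the reviewer of item 152: a modified binary, a missing file and an unexpected new library each warrant a ticket unless a documented change (item 147) explains them, after which the baseline is regenerated.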
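Item 152 expects logs to be reviewed regularly and unusual activity handled by procedure, and item 148 expects default accounts to be gone. As an added example, not part of the handbook, the Python script below runs three review rules over a constructed syslog-style sample: a burst of failed logins from one source, a successful login to an account that policy reserves or forbids, and interactive or privileged activity outside business hours. The log lines, the account list, the thresholds and the business-hours window are all assumptions.

```python
"""Routine log review with a few anomaly rules (added example, not from the handbook).

The log lines below are constructed to resemble sshd/sudo syslog output. Each
rule's thresholds are assumptions to be tuned to the organization's policy.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one event per line.
SAMPLE_LOG = """\
2008-06-12T09:05:10 srv1 sshd: Accepted password for jsmith from 10.1.2.3
2008-06-12T02:14:03 srv1 sshd: Failed password for root from 10.0.0.5
2008-06-12T02:14:05 srv1 sshd: Failed password for root from 10.0.0.5
2008-06-12T02:14:07 srv1 sshd: Failed password for invalid user admin from 10.0.0.5
2008-06-12T02:14:09 srv1 sshd: Failed password for invalid user oracle from 10.0.0.5
2008-06-12T02:14:11 srv1 sshd: Failed password for guest from 10.0.0.5
2008-06-12T02:14:20 srv1 sshd: Accepted password for guest from 10.0.0.5
2008-06-12T10:30:00 srv2 sshd: Accepted publickey for ops from 10.1.2.9
2008-06-12T23:45:12 srv2 sudo: jdoe : TTY=pts/0 ; COMMAND=/bin/su -
"""

# Vendor defaults and shared privileged accounts that policy says must not be
# used for interactive login (assumed list); any successful login is a finding.
RESTRICTED_ACCOUNTS = {"guest", "admin", "root", "oracle"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_line(line: str):
    """Turn one log line into an event dict, or None if it is not in the expected shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "prog": m["prog"],
             "result": None, "user": None, "src": None}
    auth = AUTH_RE.match(m["msg"])
    if auth:
        event.update(result=auth["result"], user=auth["user"], src=auth["src"])
    elif m["prog"] == "sudo":
        event["user"] = m["msg"].split(" :", 1)[0]   # "jdoe : TTY=..." -> "jdoe"
    return event


def review(log_text: str, fail_threshold: int = 5, window_s: int = 60,
           business_hours=(7, 19)) -> list:
    """Return (rule, detail) findings for the anomalies the rules recognise."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    findings = []

    # Rule 1: repeated authentication failures from one source inside a short
    # window (sliding window over the sorted timestamps of each source).
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["src"]].append(e["ts"])
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= fail_threshold:
                findings.append(("failed-login-burst",
                                 f"{end - start + 1} failures from {src} within {window_s}s"))
                break

    # Rule 2: successful login to an account that should not be usable at all.
    for e in events:
        if e["result"] == "Accepted" and e["user"] in RESTRICTED_ACCOUNTS:
            findings.append(("default-account-login",
                             f"{e['user']} from {e['src']} on {e['host']}"))

    # Rule 3: interactive or privileged activity outside business hours.
    for e in events:
        privileged = e["result"] == "Accepted" or e["prog"] == "sudo"
        if privileged and not business_hours[0] <= e["ts"].hour < business_hours[1]:
            findings.append(("off-hours-access",
                             f"{e['user']} on {e['host']} at {e['ts'].isoformat()}"))
    return findings


if __name__ == "__main__":
    for rule, detail in review(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```

On the sample the script reports one failed-login burst, one login to a restricted account and two off-hours events; each finding names the rule so that the handling procedure of item 152 can be chosen from it.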
APPENDIX “E” OPERATIONAL PRACTICES - AUTHENTICATION AND AUTHORIZATION

154. Appropriate access controls and user authentication (e.g., file permissions, network configuration) consistent with policy are used to restrict user access to:
   - information
   - systems utilities
   - program source code
   - sensitive systems
   - specific applications and services
   - network connections within the organization
   - network connections from outside the organization

155. There are documented information-use policies and procedures for individual and group access to:
   - establish the rules for granting the appropriate level of access
   - establish an initial right of access
   - modify the right of access
   - terminate the right of access
   - periodically review and verify the rights of access

156. Access control methods/mechanisms restrict access to resources according to the access rights determined by policies and procedures.

157. Access control methods/mechanisms are periodically reviewed and verified.

158. Methods or mechanisms are provided to ensure that sensitive information has not been accessed, altered, or destroyed in an unauthorized manner.

159. Authentication mechanisms are used to protect availability, integrity, and confidentiality of sensitive information. Examples are:
   - digital signatures
   - biometrics

APPENDIX “E” OPERATIONAL PRACTICES - VULNERABILITY MANAGEMENT

160. There is a documented set of procedures for managing vulnerabilities, including:
   - selecting vulnerability evaluation tools, checklists, and scripts
   - keeping up to date with known vulnerability types and attack methods
   - reviewing sources of information on vulnerability announcements, security alerts, and notices
   - identifying infrastructure components to be evaluated
   - scheduling of vulnerability evaluations
   - interpreting and responding to the results
   - maintaining secure storage and disposition of vulnerability data

161. Vulnerability management procedures are followed and are periodically reviewed and updated.

162. Technology vulnerability assessments are performed on a periodic basis, and vulnerabilities are addressed when they are identified.

APPENDIX “E” OPERATIONAL PRACTICES - ENCRYPTION

163. Appropriate security controls are used to protect sensitive information while in storage and during transmission, including:
   - data encryption during transmission
   - data encryption when writing to disk
   - use of public key infrastructure
   - virtual private network technology
   - encryption for all Internet-based transmission

164. Encrypted protocols are used when remotely managing systems, routers, and firewalls.

165. Encryption controls and protocols are routinely reviewed, verified, and revised.

APPENDIX “E” OPERATIONAL PRACTICES - SECURITY ARCHITECTURE AND DESIGN

166. System architecture and design for new and revised systems include considerations for:
   - security strategies, policies, and procedures
   - history of security compromises
   - results of security risk assessments

167. The organization has up-to-date diagrams that show the enterprise-wide security architecture and network topology.
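Items 155 through 157 above expect access rights to be granted, modified and terminated by documented rules and to be periodically reviewed and verified; the general staff practices that follow expect employee access levels to stay commensurate with responsibilities. The Python script below is an added example, not part of the handbook, of the comparison such a review comes down to: the approved roles in the HR roster against what the access control system actually grants. The roles, entitlement names, toxic pair and user data are all constructed for illustration.

```python
"""Periodic access-rights review (added example, not from the handbook).

Compares what the access control system actually grants with what each
person's approved roles entitle them to, and reports excess rights, missing
rights, accounts with no active owner, and toxic combinations. All data below
is constructed for illustration.
"""

# Approved entitlements per role: the kind of rule set item 155 calls for (assumed).
ROLE_ENTITLEMENTS = {
    "teller": {"core-banking:read", "core-banking:post"},
    "auditor": {"core-banking:read", "audit-logs:read"},
    "sysadmin": {"core-banking:admin", "audit-logs:read", "source-code:read"},
}

# Pairs of rights that one person must never hold at the same time (assumed).
TOXIC_PAIRS = [("core-banking:post", "core-banking:admin")]

# HR roster of active staff and their approved roles (constructed).
ROSTER = {"alice": {"teller"}, "bob": {"auditor"}, "carol": {"sysadmin"}}

# Export of what the access control system currently grants (constructed).
ACTUAL_GRANTS = {
    "alice": {"core-banking:read", "core-banking:post", "source-code:read"},
    "bob": {"core-banking:read"},
    "carol": {"core-banking:admin", "audit-logs:read", "source-code:read", "core-banking:post"},
    "dave": {"core-banking:admin"},   # no roster entry: left the organization
}


def expected_rights(roles, role_entitlements) -> set:
    """Union of the entitlements of every role held; unknown roles grant nothing."""
    rights = set()
    for role in roles:
        rights |= role_entitlements.get(role, set())
    return rights


def review_access(roster, actual, role_entitlements=ROLE_ENTITLEMENTS,
                  toxic_pairs=TOXIC_PAIRS) -> dict:
    """Return the discrepancies a reviewer has to act on."""
    report = {"excess": {}, "missing": {}, "orphans": [], "toxic": []}
    for user in sorted(set(roster) | set(actual)):
        rights = actual.get(user, set())
        if user not in roster:
            # Account outlived the person: termination of access was missed.
            report["orphans"].append(user)
            continue
        expected = expected_rights(roster[user], role_entitlements)
        if rights - expected:
            report["excess"][user] = sorted(rights - expected)
        if expected - rights:
            report["missing"][user] = sorted(expected - rights)
    for user in sorted(actual):
        for a, b in toxic_pairs:
            if a in actual[user] and b in actual[user]:
                report["toxic"].append((user, a, b))
    return report


if __name__ == "__main__":
    for section, content in review_access(ROSTER, ACTUAL_GRANTS).items():
        print(f"{section}: {content}")
```

Excess rights and orphan accounts are the findings that matter most for items 156 and 157, since they are access the policy never granted; missing rights are a service issue, and a toxic pair is a separation-of-duties failure to escalate rather than simply revoke.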
APPENDIX “E” OPERATIONAL PRACTICES - INCIDENT MANAGEMENT

168. Documented procedures exist for identifying, reporting, and responding to suspected security incidents and violations, including:
   - network-based incidents
   - physical access incidents
   - social engineering incidents

169. Incident management procedures are periodically tested, verified, and updated.

170. There are documented policies and procedures for working with law enforcement agencies.

APPENDIX “E” OPERATIONAL PRACTICES - GENERAL STAFF PRACTICES

171. There are documented procedures for authorizing and overseeing those who work with sensitive information or who work in locations where the information resides. This includes:
   - employees
   - contractors, partners, collaborators, and personnel from third-party organizations
   - systems maintenance personnel
   - facilities maintenance personnel

172. Employees only have access to information needed to carry out their assignments.

173. Employee access levels are periodically reviewed to ensure they are commensurate with employee responsibilities.

174. Employees understand the importance of reporting security glitches or other problems relating to the confidentiality and integrity of customer information.

175. Employees are provided with training/guidance regarding proper system login and logoff procedures.

176. Employees are required to maintain a separate, unique and secure user ID and password for access.

177. Employees are trained not to share their login passwords with other individuals, including management.

178. Employees are trained not to write down their password.

179. Employees are trained to log off their workstations before leaving them.

180. Employees are required to regularly change their system login passwords.

181. Employees are only allowed to add/change/delete records in accordance with their responsibilities.
182. Routine inspection of the department occurs to ensure that confidential customer information is properly safeguarded. The review covers counters, desks and unlocked drawers accessible by unauthorized individuals, as well as workstations, etc.

183. Documents and reports containing customer information are only accessible by authorized personnel, and documents/reports are stored in a secure location.

184. Discarded documents/reports are placed in locked shred bins or disposed of in another secure manner.

185. Appropriate physical security measures are implemented with respect to the physical perimeter of the department and all documents containing confidential bank and/or customer information.

186. Employees receive training regarding the importance of protecting confidential customer information. This does not refer to privacy training but rather to training related to the safeguarding of customer information such as signature cards, applications, internal reports, etc.

187. Every employee receives privacy training.

188. Employees are trained to positively identify customers before releasing confidential customer information such as account balances, etc.

189. Employees are trained to positively identify customers before permitting customers to change information.

190. Employees are trained to provide customers with a copy of the Bank’s privacy policy upon request by the customer.

191. Employees are aware of the instances under which customer information may be released to governmental entities such as the IRS, etc.

APPENDIX “F” COMMON INFORMATION SECURITY THREATS

THREAT CATEGORY: PHYSICAL ACCIDENTS

FIRE
   UNINTENTIONAL: Total or partial destruction by fire of a site or facilities.
   INTENTIONAL: Fire caused by an incendiary device or any other mechanism.
   EFFECT UPON: Availability.
WATER DAMAGE
   UNINTENTIONAL: Total or partial destruction of facilities due to leakage in a water supply, sewage or air conditioning pipe, or any running water.
   INTENTIONAL: Deliberate pipe puncture, triggering of fire extinguishing equipment, water hose or other similar act.
   EFFECT UPON: Availability.

POLLUTION
   UNINTENTIONAL: Dust, steam, corrosive or toxic gas in the surrounding atmosphere.
   INTENTIONAL: Pollution introduced through ventilation, heating or air conditioning shafts.
   EFFECT UPON: Availability.

MAJOR ACCIDENTS
   UNINTENTIONAL: Site damaged or destroyed by the explosion of industrial sites nearby, landslides, avalanches, tidal waves, aircraft crashes, etc.
   EFFECT UPON: Availability.

THREAT CATEGORY: ACTS OF GOD

CLIMATIC PHENOMENON
   Information systems are located in an area subject to extreme weather conditions (high or low temperatures, humidity, wind).
   EFFECT UPON: Availability.

SEISMIC PHENOMENON
   UNINTENTIONAL: Information systems are located in an area subject to seismic activity. Whether the site lies in a seismic area must be established before building the facility, so that anti-seismic norms can be applied.
   EFFECT UPON: Availability.

VOLCANIC PHENOMENON
   UNINTENTIONAL: Information systems are located in a volcanic area.
   EFFECT UPON: Availability.

METEOROLOGICAL PHENOMENON
   Information systems can be damaged or destroyed by storms, hurricanes, typhoons, ice showers or lightning.
   UNINTENTIONAL: Lightning and other meteorological events can cause damage if equipment is not properly protected.
   INTENTIONAL: Sabotage of protection devices against lightning (e.g., surge protectors).
   EFFECT UPON: Availability.

FLOOD
   UNINTENTIONAL: The site is located within an area subject to frequent flooding.
   EFFECT UPON: Availability.
THREAT CATEGORY: LOSS OF ESSENTIAL SERVICES

AIR CONDITIONING DEFAULT
   UNINTENTIONAL: Air conditioning not turned off when required, resulting in the halting, disturbance or damage of hardware.
   INTENTIONAL: Sabotage of the facility.
   EFFECT UPON: Availability.

LOSS OF POWER SUPPLY
   UNINTENTIONAL: No service from the electric company (strike, dysfunction, work underway, network error, etc.), or fortuitous internal or external cable failure. In addition, any failure of the corporate power facility or of the emergency electric network, if any.
   INTENTIONAL: Sabotage of the electric facility.
   EFFECT UPON: Availability.

LOSS OF TELECOMMUNICATION SERVICES
   UNINTENTIONAL: No service from the telephone company (strike, dysfunction, etc.).
   INTENTIONAL: Sabotage of the lines or exchange facility.
   EFFECT UPON: Availability.

THREAT CATEGORY: DISRUPTIONS DUE TO RADIATIONS

ELECTRO-MAGNETIC RADIATIONS
   UNINTENTIONAL: Disturbances of hardware located next to an electro-magnetic source (e.g., radar, radio antenna, power plant, electrical equipment).
   INTENTIONAL: Scrambling by means of compromising emanations with the intent to disable communication systems, etc.
   EFFECT UPON: Availability.

THERMAL RADIATIONS
   UNINTENTIONAL / INTENTIONAL: Thermal effects cause dysfunction or destruction of the equipment (e.g., thermo-nuclear explosion).
   EFFECT UPON: Availability.

ELECTRO-MAGNETIC PULSE (EMP)
   UNINTENTIONAL / INTENTIONAL: EMP from a nuclear explosion can destroy the equipment.
   EFFECT UPON: Availability.

THREAT CATEGORY: INFORMATION CORRUPTION

COMPROMISING EMANATION INTERCEPTION
   INTENTIONAL: Compromising emanations come from electro-magnetic radiation or electrical conduction through electrical or ground wires. Capturing these emanations depends on the distance to the site or on the ability to connect to the wires or other devices.
   EFFECT UPON: Confidentiality.

REMOTE EAVESDROPPING
   INTENTIONAL: Eavesdropping can be performed from outside, by observing the activity, using powerful optical devices or by collecting materials due to be destroyed. Theft of documents or equipment (laptops, etc.) out of the site must be considered.
   EFFECT UPON: Confidentiality.

PASSIVE EAVESDROPPING
   INTENTIONAL: Passive eavesdropping consists of connecting to a network (including wireless) and analyzing and storing the information circulating on it.
   EFFECT UPON: Confidentiality.

MATERIAL OR DOCUMENT THEFT
   INTENTIONAL: Theft of magnetic devices (floppies, cartridges, tapes, etc.) or paper documents (files, notes, maps, reports, etc.) by the staff or outsiders in order to analyze the stolen data.
   EFFECT UPON: Confidentiality.

HARDWARE THEFT
   INTENTIONAL: Theft of "interesting" hardware (PCs, printers, modems, etc.) by the staff or outsiders.
   EFFECT UPON: Confidentiality and Availability.

INTERNAL DISCLOSURE
   UNINTENTIONAL: Disclosure by any talkative or careless person to another person within the Bank. Also includes disclosure through use of a telecommunication device (telephone, fax, email, etc.).
   INTENTIONAL: Disclosure intended to harm the Bank.
   EFFECT UPON: Confidentiality.

EXTERNAL DISCLOSURE
   UNINTENTIONAL: Disclosure by any talkative or careless person to an external party through the use of a telecommunication device.
   INTENTIONAL: Disclosure intended to harm, to gain profit from or to blackmail the Bank.
   EFFECT UPON: Confidentiality.

INFORMATION WITHOUT GUARANTEE OF ORIGIN
   UNINTENTIONAL / INTENTIONAL: Use of data from a third party without assurance of the source, accuracy and/or integrity of the data.
   EFFECT UPON: Integrity and Availability.
HARDWARE ENTRAPMENT
   INTENTIONAL: Installation or unauthorized modification of hardware enabling interception or information transmission (e.g., inserting a card in a computer, circuit bypass, etc.).
   EFFECT UPON: Confidentiality.

UNAUTHORIZED USE OF HARDWARE THROUGH MALICIOUS CONNECTION
   INTENTIONAL: Attackers illegally benefit from services offered by the Bank through a malicious connection that provides unauthorized access.
   EFFECT UPON: Confidentiality, Integrity and Availability.

UNAUTHORIZED USE OF HARDWARE THROUGH SECURITY LEVEL VIOLATION
   INTENTIONAL: Attackers illegally benefit from services offered by the Bank through the use of a less restrictive security policy, backdoor, etc.
   EFFECT UPON: Confidentiality, Integrity and Availability.

UNAUTHORIZED USE OF HARDWARE THROUGH SCAVENGING
   INTENTIONAL: Attackers illegally benefit from services offered by the Bank through thorough analysis of all the files and variables of an information system in order to retrieve valuable data.
   EFFECT UPON: Confidentiality.

UNAUTHORIZED USE OF HARDWARE THROUGH HOAX
   INTENTIONAL: Attackers illegally benefit from services offered by the Bank through the simulation of the behavior of a machine in order to deceive a legitimate user and obtain his/her name and password.
   EFFECT UPON: Confidentiality, Integrity and Availability.

SOFTWARE ENTRAPMENT THROUGH USE OF TROJAN HORSE
   INTENTIONAL: Attacker introduces hidden functions, usually during the development, implementation, transport or maintenance stage. A Trojan horse is a program with an apparent or actual useful function that contains additional, hidden functions that surreptitiously exploit the legitimate authorizations of the invoking process to the detriment of security.
   EFFECT UPON: Confidentiality and Integrity.
SOFTWARE ENTRAPMENT THROUGH USE OF TRAP DOOR
   INTENTIONAL: Attacker introduces hidden functions, usually during the development, implementation, transport or maintenance stage. A trap door is a hidden software or hardware mechanism that permits system protection mechanisms to be circumvented.
   EFFECT UPON: Confidentiality, Integrity and Availability.

SOFTWARE ENTRAPMENT THROUGH USE OF A COVERT CHANNEL
   INTENTIONAL: Attacker introduces hidden functions, usually during the development, implementation, transport or maintenance stage. A covert channel is a communication channel that allows a process to transfer information in a manner that violates the system's security policy.
   EFFECT UPON: Confidentiality.

RIGHTS ABUSE
   UNINTENTIONAL: An individual who has specific rights (network administrator, maintenance staff, etc.) can modify the setup parameters of the resources without notice.
   INTENTIONAL: Rights abuse by an individual who has privileges over the system.
   EFFECT UPON: Confidentiality, Integrity and Availability.

UNAUTHORIZED RIGHTS THROUGH MASQUERADE
   INTENTIONAL: An attack on the system in which an unauthorized entity pretends to be an authorized one for the purpose of gaining access to system assets.
   EFFECT UPON: Confidentiality, Integrity and Availability.

UNAUTHORIZED RIGHTS THROUGH SUBSTITUTION
   INTENTIONAL: An attack on the system in which an attacker performs eavesdropping and intercepts the interruption request of a user working on a remote machine. He/she can then replace the user and go on working in the legitimate user's session without the system noticing it.
   EFFECT UPON: Confidentiality, Integrity and Availability.

FRAUD
   Unauthorized use of resources by a non-authorized individual, which leads to financial losses for the Bank (misappropriation of funds, assets, services).
   INTENTIONAL: Sometimes, linking non-sensitive data together makes it possible to obtain sensitive information.
   EFFECT UPON: Confidentiality.

THREAT CATEGORY: TECHNICAL BREAKDOWN

HARDWARE BREAKDOWN
   UNINTENTIONAL: Breakdown due to wear, obsolescence, poor maintenance or misuse of the resource.
   EFFECT UPON: Availability.

HARDWARE DEFAULT
   UNINTENTIONAL: Damage, normal wear of the equipment; software bugs, misuse, etc.
   EFFECT UPON: Availability.

HARDWARE SATURATION
   UNINTENTIONAL: Jamming, insufficient capacity of storage, processing, querying, etc.
   INTENTIONAL: Intensive or continuous interference with the resource.
   EFFECT UPON: Availability.

SOFTWARE DEFAULT
   UNINTENTIONAL: Programs may not run the right way (e.g., infinite loop) due to a poor design, a poor implementation or fortuitous changes.
   EFFECT UPON: Availability and Integrity.

DAMAGE TO THE INFORMATION SYSTEM’S MAINTAINABILITY
   UNINTENTIONAL / INTENTIONAL: The information systems cannot be maintained any longer due to lack of suppliers, lack of maintenance suppliers, or faulty administrative organization (lack of specialized staff, lack of credits, lack of assurance contracts, lack of source code, etc.).
   EFFECT UPON: Availability.

THREAT CATEGORY: PHYSICAL ATTACK

HARDWARE DESTRUCTION
   UNINTENTIONAL: Hardware can be destroyed or damaged because of an act of god, a major accident, etc.
   INTENTIONAL: Physical attacks against the information systems hardware (computers, communication media, transmission equipment, data storage, etc.).
   EFFECT UPON: Availability.
THREAT CATEGORY: UNAUTHORIZED ACTIONS

HARDWARE ENTRAPMENT
   INTENTIONAL: Installation or unauthorized modification of hardware enabling interception or information transmission (e.g., inserting a card in a computer, circuit bypass, etc.).
   EFFECT UPON: Confidentiality.

SOFTWARE ENTRAPMENT THROUGH USE OF TROJAN HORSE
   INTENTIONAL: Attacker introduces hidden functions, usually during the development, implementation, transport or maintenance stage. A Trojan horse is a program with an apparent or actual useful function that contains additional, hidden functions that surreptitiously exploit the legitimate authorizations of the invoking process to the detriment of security.
   EFFECT UPON: Confidentiality and Integrity.

SOFTWARE ENTRAPMENT THROUGH USE OF TRAP DOOR
   INTENTIONAL: Attacker introduces hidden functions, usually during the development, implementation, transport or maintenance stage. A trap door is a hidden software or hardware mechanism that permits system protection mechanisms to be circumvented.
   EFFECT UPON: Confidentiality, Integrity and Availability.

SOFTWARE ENTRAPMENT THROUGH USE OF A COVERT CHANNEL
   INTENTIONAL: Attacker introduces hidden functions, usually during the development, implementation, transport or maintenance stage. A covert channel is a communication channel that allows a process to transfer information in a manner that violates the system's security policy.
   EFFECT UPON: Confidentiality.

RIGHTS ABUSE
   UNINTENTIONAL: An individual who has specific rights (network administrator, maintenance staff, etc.) can modify the setup parameters of the resources without notice.
   INTENTIONAL: Rights abuse by an individual who has privileges over the system.
   EFFECT UPON: Confidentiality, Integrity and Availability.
UNAUTHORIZED RIGHTS THROUGH MASQUERADE
   INTENTIONAL: An attack on the system in which an unauthorized entity pretends to be an authorized one for the purpose of gaining access to system assets.
   EFFECT UPON: Confidentiality, Integrity and Availability.

UNAUTHORIZED RIGHTS THROUGH SUBSTITUTION
   INTENTIONAL: An attack on the system in which an attacker performs eavesdropping and intercepts the interruption request of a user working on a remote machine. He/she can then replace the user and go on working in the legitimate user's session without the system noticing it.
   EFFECT UPON: Confidentiality, Integrity and Availability.

REPUDIATION
   INTENTIONAL: Repudiation consists of the denial by one of the entities involved in a communication of having participated in all or part of the communication.
   EFFECT UPON: Integrity.

FRAUD
   Unauthorized use of resources by a non-authorized individual, which leads to financial losses for the Bank (misappropriation of funds, assets, services).
   INTENTIONAL: Sometimes, linking non-sensitive data together makes it possible to obtain sensitive information.
   EFFECT UPON: Confidentiality.

THREAT CATEGORY: FUNCTION CORRUPTION

HARDWARE THEFT
   INTENTIONAL: Theft of "interesting" hardware (PCs, printers, modems, etc.) by the staff or third parties.
   EFFECT UPON: Confidentiality and Availability.

HARDWARE SATURATION
   UNINTENTIONAL: Jamming, insufficient capacity of storage, processing, querying, etc.
   INTENTIONAL: Intensive or continuous interference with the resource.
   EFFECT UPON: Availability.

DAMAGE TO THE INFORMATION SYSTEM’S MAINTAINABILITY
   UNINTENTIONAL / INTENTIONAL: The information systems cannot be maintained any longer due to lack of suppliers, lack of maintenance suppliers, or faulty administrative organization (lack of specialized staff, lack of credits, lack of assurance contracts, lack of source code, etc.).
   EFFECT UPON: Availability.
INFORMATION WITHOUT GUARANTEE OF ORIGIN
   UNINTENTIONAL / INTENTIONAL: Use of data from a third party without assurance of the source, accuracy and/or integrity of the data.
   EFFECT UPON: Integrity and Availability.

HARDWARE ENTRAPMENT
   INTENTIONAL: Installation or unauthorized modification of hardware enabling interception or information transmission (e.g., inserting a card in a computer, circuit bypass, etc.).
   EFFECT UPON: Confidentiality.

UNAUTHORIZED USE OF HARDWARE THROUGH MALICIOUS CONNECTION
   INTENTIONAL: Attackers illegally benefit from services offered by the Bank through a malicious connection that provides unauthorized access.
   EFFECT UPON: Confidentiality, Integrity and Availability.

UNAUTHORIZED USE OF HARDWARE THROUGH SECURITY LEVEL VIOLATION
   INTENTIONAL: Attackers illegally benefit from services offered by the Bank through the use of a less restrictive security policy, backdoor, etc.
   EFFECT UPON: Confidentiality, Integrity and Availability.

UNAUTHORIZED USE OF HARDWARE THROUGH SCAVENGING
   INTENTIONAL: Attackers illegally benefit from services offered by the Bank through thorough analysis of all the files and variables of an information system in order to retrieve valuable data.
   EFFECT UPON: Confidentiality.

UNAUTHORIZED USE OF HARDWARE THROUGH HOAX
   INTENTIONAL: Attackers illegally benefit from services offered by the Bank through the simulation of the behavior of a machine in order to deceive a legitimate user and obtain his/her name and password.
   EFFECT UPON: Confidentiality, Integrity and Availability.

SOFTWARE CORRUPTION THROUGH LOGIC BOMB
   INTENTIONAL: Any action using software to damage or destroy programs or even alter the resource. A logic bomb is a resident computer program that triggers the perpetration of an unauthorized act when particular states of the system are realized.
   EFFECT UPON: Integrity and Availability.
SOFTWARE CORRUPTION THROUGH VIRUS
   INTENTIONAL: Any action using software to damage or destroy programs or even alter the resource. A virus is a piece of code that adds itself to other programs, including operating systems, but cannot run independently, requiring its host program to run in order to activate it.
   EFFECT UPON: Integrity and Availability.

SOFTWARE CORRUPTION THROUGH WORM
   INTENTIONAL: Any action using software to damage or destroy programs or even alter the resource. A worm is a program that can run by itself and can propagate a fully working version of itself to other machines.
   EFFECT UPON: Integrity and Availability.

SOFTWARE ENTRAPMENT THROUGH USE OF TROJAN HORSE
   INTENTIONAL: Attacker introduces hidden functions, usually during the development, implementation, transport or maintenance stage. A Trojan horse is a program with an apparent or actual useful function that contains additional, hidden functions that surreptitiously exploit the legitimate authorizations of the invoking process to the detriment of security.
   EFFECT UPON: Confidentiality and Integrity.

SOFTWARE ENTRAPMENT THROUGH USE OF TRAP DOOR
   INTENTIONAL: Attacker introduces hidden functions, usually during the development, implementation, transport or maintenance stage. A trap door is a hidden software or hardware mechanism that permits system protection mechanisms to be circumvented.
   EFFECT UPON: Confidentiality, Integrity and Availability.

SOFTWARE ENTRAPMENT THROUGH USE OF A COVERT CHANNEL
   INTENTIONAL: Attacker introduces hidden functions, usually during the development, implementation, transport or maintenance stage. A covert channel is a communication channel that allows a process to transfer information in a manner that violates the system's security policy.
   EFFECT UPON: Confidentiality.

USE OF COPIED OR FORGED SOFTWARE
   UNINTENTIONAL / INTENTIONAL: Use of software that has not been certified but which seems genuine.
   EFFECT UPON: Integrity.

DATA CORRUPTION INTERCEPTION
   INTENTIONAL: Interception is access to data in transit over communication paths, together with alteration of that data. The four types of interception are 1) message destruction; 2) message modification; 3) message insertion; 4) service denial.
   EFFECT UPON: Integrity.

DATA CORRUPTION SCANNING
   INTENTIONAL: Scanning consists of sending information of different types in order to determine what type of information triggers a positive response.
   EFFECT UPON: Confidentiality.

RIGHTS ABUSE
   UNINTENTIONAL: An individual who has specific rights (network administrator, maintenance staff, etc.) can modify the setup parameters of the resources without notice.
   INTENTIONAL: Rights abuse by an individual who has privileges over the system.
   EFFECT UPON: Confidentiality, Integrity and Availability.

UNAUTHORIZED RIGHTS THROUGH MASQUERADE
   INTENTIONAL: An attack on the system in which an unauthorized entity pretends to be an authorized one for the purpose of gaining access to system assets.
   EFFECT UPON: Confidentiality, Integrity and Availability.

UNAUTHORIZED RIGHTS THROUGH SUBSTITUTION
   INTENTIONAL: An attack on the system in which an attacker performs eavesdropping and intercepts the interruption request of a user working on a remote machine. He/she can then replace the user and go on working in the legitimate user's session without the system noticing it.
   EFFECT UPON: Confidentiality, Integrity and Availability.

REPUDIATION
   INTENTIONAL: Repudiation consists of the denial by one of the entities involved in a communication of having participated in all or part of the communication.
   EFFECT UPON: Integrity.

FRAUD
   Unauthorized use of resources by a non-authorized individual, which leads to financial losses for the Bank (misappropriation of funds, assets, services).
   INTENTIONAL: Sometimes, linking non-sensitive data together makes it possible to obtain sensitive information.
   EFFECT UPON: Confidentiality.

ATTACK ON PERSONNEL AVAILABILITY
   UNINTENTIONAL: Unavailability can be caused by illness or any unintentional cause that results in the absence of personnel.
   INTENTIONAL: Absenteeism, strikes or any absence intended to harm the Bank.
   EFFECT UPON: Availability.

THREAT CATEGORY: ERROR

DATA ENTRY ERROR
   UNINTENTIONAL: Data entry error, using a keyboard or any other device, made accidentally by members of the Bank.
   EFFECT UPON: Availability and Integrity.

MISUSE
   UNINTENTIONAL: Incorrect manipulation, use of equipment or damage caused to hardware or software due to the intentional acts of employees of the Bank.
   EFFECT UPON: Availability and Integrity.