Post on 21-Dec-2015
23 January 2003 © All Rights Reserved, 2002
Understanding Facilitated Risk Analysis Process (FRAP) and Security Policies for Organizations
Infocomm Security and Computer Security Institute
ABSTRACT
Facilitated Risk Analysis Process (FRAP)
The dictionary defines RISK as "someone or something that creates or suggests a hazard". In today's environment, it is one of the many costs of doing business or providing a service. Information security professionals know and understand that nothing ever runs smoothly for very long. Any manner of internal or external hazard or risk can cause a well-running organization to lose competitive advantage, miss deadlines and/or suffer embarrassment. Management looks to us, as security professionals, to provide a process that allows for the systematic review of risks, threats, hazards and concerns and that provides cost-effective measures to lower risk to an acceptable level. This session will review the current practical application of cost-effective risk analysis.
AGENDA
Risk Analysis Basics
Difficulties and Pitfalls
Making the FRAP a Business Process
Key FRAP Issues
Effective Risk Analysis
Frequently Asked Questions
Why should a risk analysis be conducted?
When should a risk analysis be conducted?
Who should conduct the risk analysis?
How long should a risk analysis take?
What can a risk analysis analyze?
What can the results of a risk analysis tell an organization?
Who should review the results of a risk analysis?
How is the success of the risk analysis measured?
ISO 17799 Information Security Standard 1. Scope
This standard gives recommendations for information security management for use by those who are responsible for initiating, implementing or maintaining security in their organization.
It is intended to provide a common basis for developing organizational security standards and effective security management practice and to provide confidence in inter-organizational dealings.
Recommendations from this standard should be selected and used in accordance with applicable laws and regulations.
ISO 17799 Information Security Standard 2. Terms and definitions
2.1 Information Security: Confidentiality, Integrity, Availability
2.2 Risk Assessment: assessment of threats to, impacts on and vulnerabilities of information and information processing facilities and the likelihood of their occurrence
2.3 Risk Management: process of identifying, controlling and minimizing or eliminating risks that may affect information systems, for an acceptable cost.
ISO 17799 Information Security Standard 3. Security Policy
provide management direction and support
4. Asset Classification and Control
maintain appropriate protection of corporate assets
5. Computer and Network Management
ensure the correct and secure operation of information processing facilities
minimize risk of system failures
protect integrity of software and information
ISO 17799 Information Security Standard 5. Communications and Network Management
maintain integrity and availability of information processing and communications
ensure the safeguarding of information networks and protection of the supporting infrastructure
prevent damage to assets and interruptions to business activities
prevent loss, modification or misuse of information exchanged between organizations
ISO 17799 Information Security Standard 6. Security Organization
manage information security within the enterprise
maintain security of enterprise information processing facilities and information assets accessed by third parties
maintain the security of information when the responsibility for information processing has been outsourced to another organization
ISO 17799 Information Security Standard 7. Personnel Security
reduce risks of human error, theft, fraud or misuse of facilities
ensure users are aware of information security threats and concerns and are equipped to support the enterprise security policy
minimize the damage from security incidents and malfunctions
ISO 17799 Information Security Standard 8. Compliance
avoid breaches of any criminal or civil law, statutory, regulatory or contractual obligations and of any security requirements
ensure compliance of systems with enterprise security policy and standards
maximize the effectiveness of, and minimize interference to/from, the system audit process
ISO 17799 Information Security Standard 9. Physical and Environmental Security
prevent unauthorized access, damage and interference to business premises and information
prevent loss, damage or compromise of assets and interruption to business activities
prevent compromise or theft of information and information processing facilities
ISO 17799 Information Security Standard 10. System Development and Maintenance
ensure security is built into operational systems
prevent loss, modification or misuse of user data in application systems
protect the confidentiality, authenticity and integrity of information
ensure IT projects and support activities are conducted in a secure manner
maintain the security of application system software and data
ISO 17799 Information Security Standard 11. System Access Control
control access to information
prevent unauthorized access to information systems
ensure the protection of networked services
prevent unauthorized system access
detect unauthorized activities
ensure information security when using mobile computing and networking facilities
ISO 17799 Information Security Standard 12. Business Continuity Planning
counteract interruptions to business activities and to critical business processes from the effects of major failures or disasters
The United States National Institute of Standards and Technology (NIST) has published valuable information security documents that can be obtained by accessing their web site at csrc.nist.gov/publications/nistpubs/.
SP 800-12 An Introduction to Computer Security: The NIST Handbook
SP 800-18 Guide for Developing Security Plans for Information Technology Systems
SP 800-26 Security Self-Assessment Guide for Information Technology Systems
SP 800-30 Risk Management Guide for Information Technology Systems
SP 800-47 Security Guide for Interconnecting Information Technology Systems
Information protection in quality assurance works with three key elements:
Integrity - the information is as intended, without inappropriate modification or corruption
Confidentiality - the information is protected from unauthorized or accidental disclosure
Availability - authorized users can access applications and systems when required to do their job
No matter what risk analysis process is used, the method is always the same:
Identify the asset
Ascertain the risk
Determine the probability
Identify the corrective action
Remember - sometimes accepting the risk is the appropriate corrective action.
Definitions
Threat - an undesirable event
Impact - effect on the business objectives or mission of the enterprise
Probability - likelihood that the risk may occur
Losses - these include direct and indirect loss: disclosure, integrity, denial of service
Accreditation - formal acceptance of a system's overall security by management
Certification - process of assessing security mechanisms and controls and evaluating their effectiveness
Vulnerability - a condition of a missing or ineffectively administered safeguard or control that allows a threat to occur with a greater impact or frequency or both
Safeguard/Control - a countermeasure that acts to prevent, detect, or minimize the consequences of threat occurrence
Exposure Factor - how much impact or loss of asset value is incurred, from 0% to 100%
Single-time Loss Algorithm (SLA) - when a threat occurs, how much the loss of asset value is expected to be in monetary terms
Annualized Rate of Occurrence (ARO) - how often a threat might be expected to happen in a one year period
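The three quantitative definitions above (Exposure Factor, the per-occurrence loss the slide calls "Single-time Loss Algorithm (SLA)", which is the quantity usually called single loss expectancy, and Annualized Rate of Occurrence) combine into an annualized loss figure that can be set against the yearly cost of a safeguard. The following is a worked example added here, not code from the original slides or from any FRAP tool; the loss-per-occurrence and annualized-loss formulas are the standard quantitative method, and every asset value, rate and control cost in it is constructed for illustration.

```python
"""Quantitative loss definitions from the slide, carried through to a
cost-benefit check on candidate safeguards (added example, constructed data)."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float       # monetary value of the asset at risk (constructed)
    exposure_factor: float   # fraction of asset value lost per occurrence, 0.0 .. 1.0
    aro: float               # annualized rate of occurrence: expected events per year


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float          # yearly cost of operating the control (constructed)
    new_exposure_factor: float  # exposure factor once the control is in place
    new_aro: float              # rate of occurrence once the control is in place


def single_loss(asset_value: float, exposure_factor: float) -> float:
    """Loss of asset value per occurrence: asset value x exposure factor.
    The slide bounds the exposure factor to 0%..100%, so reject anything else."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must lie between 0% and 100%")
    return asset_value * exposure_factor


def annualized_loss(threat: Threat) -> float:
    """Annualized loss expectancy: loss per occurrence x occurrences per year."""
    return single_loss(threat.asset_value, threat.exposure_factor) * threat.aro


def net_benefit(threat: Threat, safeguard: Safeguard) -> float:
    """Yearly saving a safeguard delivers: annualized loss before it minus
    annualized loss after it, minus the safeguard's own annual cost.
    A negative result means the control costs more than it saves."""
    after = Threat(threat.name, threat.asset_value,
                   safeguard.new_exposure_factor, safeguard.new_aro)
    return annualized_loss(threat) - annualized_loss(after) - safeguard.annual_cost


def recommend(threat: Threat, candidates: list[Safeguard]) -> str:
    """Choose the safeguard with the largest positive net benefit. If none pays
    for itself, accepting the risk is the appropriate corrective action, as the
    slides note."""
    best = max(candidates, key=lambda s: net_benefit(threat, s), default=None)
    if best is None or net_benefit(threat, best) <= 0:
        return "accept the risk"
    return best.name


# Constructed scenario: an order-processing server and two candidate controls.
ORDER_SERVER_OUTAGE = Threat("order server outage", asset_value=200_000.0,
                             exposure_factor=0.25, aro=2.0)
CANDIDATES = [
    Safeguard("daily backups", annual_cost=8_000.0,
              new_exposure_factor=0.05, new_aro=2.0),
    Safeguard("hot standby site", annual_cost=120_000.0,
              new_exposure_factor=0.01, new_aro=2.0),
]

if __name__ == "__main__":
    print(f"annualized loss before controls: {annualized_loss(ORDER_SERVER_OUTAGE):,.0f}")
    for s in CANDIDATES:
        print(f"{s.name}: net benefit {net_benefit(ORDER_SERVER_OUTAGE, s):,.0f}")
    print("recommendation:", recommend(ORDER_SERVER_OUTAGE, CANDIDATES))
```

With the constructed numbers the outage costs 100,000 a year uncontrolled; daily backups cut that to 20,000 for 8,000 a year, while the standby site saves less than it costs, so the cheaper control is recommended. The point the slides make next is that FRAP teams deliberately avoid producing these estimates, because obtaining defensible values for each asset, factor and rate is the expensive part.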
Risk Analysis Objectives
Identify potential undesirable or unauthorized events, "RISKS", that could have a negative impact on the business objectives or mission of the enterprise.
Identify potential "CONTROLS" to reduce or eliminate the impact of RISK events determined to be of MAJOR concern.
Threats and Potential Damage to Systems/Applications Supporting Enterprise Operations
Threats:
Attempts to access private information
Fraud
Malicious attacks
Pranks
Natural disasters
Sabotage
User error
Potential Damage:
Customer loss of confidence
Critical operations halted
Sensitive information disclosed
Services and benefits interrupted
Failure to meet contractual obligations
Assets lost
Integrity of data and reports compromised
Information Security Objectives
Maintain customer, constituent, stockholder, or taxpayer confidence in the organization
Protect confidentiality of sensitive information (personal, financial, trade secret, etc.)
Protect sensitive operational data from inappropriate disclosure
Avoid third-party liability for illegal or malicious acts committed with the organization's systems
Ensure that organization computers, networks, and data are not misused or wasted
Avoid fraud
Avoid expensive and disruptive incidents
Comply with pertinent laws and regulations
Avoid a hostile workplace atmosphere
Source GAO/AIMD 98-68
Risk Management Principles
Assess risk and determine needs
Establish a central management focal point
Implement appropriate policies and related controls
Promote awareness
Monitor and evaluate policy and control effectiveness
Source GAO/AIMD 98-68
Risk Management Cycle (figure): a Central Focal Point at the centre, with Assess Risk & Determine Needs, Implement Policies & Controls, Promote Awareness, and Monitor & Evaluate arranged around it as a cycle
Source GAO/AIMD 98-68
Sixteen Practices Employed by Leading Organizations to Implement the Risk Management Cycle
Principle 1. Assess Risk and Determine Needs
Practices:
1. Recognize information resources as essential organizational assets
2. Develop practical risk assessment procedures that link security to business needs
3. Hold program and business managers accountable
4. Manage risk on a continuing basis
Principle 2. Establish a Central Management Focal Point
Practices:
5. Designate a central group to carry out key activities
6. Provide the central group ready and independent access to senior executives
7. Designate dedicated funding and staff
8. Enhance staff professionalism and technical skills
Principle 3. Implement Appropriate Policies and Related Controls
Practices:
9. Link policies to business risks
10. Distinguish between policies and guidelines
11. Support policies through central security group
Principle 4. Promote Awareness
Practices:
12. Continually educate users and others on the risks and related policies
13. Use attention-getting and user-friendly techniques
Principle 5. Monitor and Evaluate Policy and Control Effectiveness
Practices:
14. Monitor factors that affect risk and indicate security effectiveness
15. Use results to direct future efforts and hold managers accountable
16. Be alert to new monitoring tools and techniques
Assess Risk and Determine Needs
Risk considerations and the related cost-benefit trade-off are the primary focus of a security program.
Security is not an end in itself
Controls and safeguards are identified and implemented to address specific business risks
Understanding the business risks associated with information security is the starting point of an effective risk analysis and management program
Organizations that are most satisfied with their risk analysis procedures are those that have defined a relatively simple process that can be adapted to various organizational units and involved a mix of individuals with knowledge of business operations and technical aspects of the enterprise’s systems and security controls.*
*Source GAO/AIMD 98-68
Facilitated Risk Analysis Process (FRAP)
FRAP analyzes one system, application or segment of a business process at a time
A team of individuals that includes business managers and support groups is convened
The team brainstorms potential threats, vulnerabilities and resultant negative impacts to data integrity, confidentiality and availability
Impacts on business operations are analyzed
Threats and risks are prioritized
Facilitated Risk Analysis Process (FRAP)
FRAP users believe that the additional effort to develop precisely quantified risks is not cost effective because:
such estimates are time consuming
risk documentation becomes too voluminous for practical use
specific loss estimates are generally not needed to determine if controls are needed
Facilitated Risk Analysis Process (FRAP)
After identifying and categorizing risks, the team identifies controls that could mitigate the risk
A common group of controls is used as a starting point
The decision on what controls are needed lies with the business manager
The team's conclusions as to what risks exist and what controls are needed are documented along with a related action plan for control implementation
Facilitated Risk Analysis Process (FRAP)
Each risk analysis session takes approximately 4 hours
Includes 7 to 15 people
Additional time is required to develop the action plan
Results remain on file for the same time as audit papers
Facilitated Risk Analysis Process (FRAP)
The team does not attempt to obtain or develop specific numbers for threat likelihood or annual loss estimates
It is the team's experience that sets priorities
After identifying and categorizing risks, the group identifies controls that can be implemented to reduce the risk, focusing on cost-effectiveness
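The FRAP slides above describe a qualitative procedure: brainstorm threats to one system, let the team's experience rate and prioritize them without loss figures, match the major concerns against a common starting list of controls, and record the result as an action plan for the business manager to decide on. The following is a worked example added here, not code from the original slides or from any FRAP tool; the High/Medium/Low rating scale, the A/B/C priority matrix and the control list are assumptions of this example (the slides do not specify them), and the session entries are constructed.

```python
"""FRAP-style qualitative prioritization and action plan (added example;
scale, matrix, control list and session data are all assumptions)."""

from dataclasses import dataclass, field
from typing import Iterable

LEVELS = ("Low", "Medium", "High")

# Assumed priority matrix: outer key = team's impact rating,
# inner key = team's likelihood rating, value = priority class.
PRIORITY_MATRIX = {
    "High":   {"High": "A", "Medium": "A", "Low": "B"},
    "Medium": {"High": "A", "Medium": "B", "Low": "C"},
    "Low":    {"High": "B", "Medium": "C", "Low": "C"},
}

# Assumed "common group of controls" used as a starting point, keyed by the
# property (integrity, confidentiality, availability) the threat endangers.
COMMON_CONTROLS = {
    "confidentiality": ["access control review", "encryption of stored data"],
    "integrity": ["input validation", "change management"],
    "availability": ["tested backups", "redundant hardware"],
}


@dataclass
class Threat:
    description: str
    affects: str        # confidentiality / integrity / availability
    impact: str         # team's word rating, no monetary figure
    likelihood: str     # team's word rating, no annual rate
    priority: str = field(default="", init=False)


def prioritize(threat: Threat) -> str:
    """Look the two word ratings up in the matrix. Ratings outside the agreed
    scale are rejected rather than defaulted, so a typo in the session notes
    cannot quietly demote a threat."""
    if threat.impact not in LEVELS or threat.likelihood not in LEVELS:
        raise ValueError(f"rating outside scale for {threat.description!r}")
    threat.priority = PRIORITY_MATRIX[threat.impact][threat.likelihood]
    return threat.priority


def action_plan(threats: Iterable[Threat], major: str = "A") -> list[dict]:
    """One action-plan row per major-concern threat, paired with the candidate
    controls from the common list. Choosing among the candidates is left to
    the business manager, as the slides state."""
    plan = []
    for t in threats:
        if prioritize(t) == major:
            plan.append({"threat": t.description,
                         "priority": t.priority,
                         "candidate_controls": COMMON_CONTROLS[t.affects]})
    return plan


# Constructed output of one brainstorming session for an order application,
# drawn from the threat categories listed earlier in the deck.
SESSION = [
    Threat("user error corrupts customer orders", "integrity", "High", "Medium"),
    Threat("natural disaster takes the data centre offline", "availability", "High", "Low"),
    Threat("prank changes the intranet banner", "integrity", "Low", "Medium"),
    Threat("attempt to access private customer records", "confidentiality", "High", "High"),
]

if __name__ == "__main__":
    for row in action_plan(SESSION):
        print(row["priority"], row["threat"], "->", ", ".join(row["candidate_controls"]))
```

Only the two A-priority threats reach the action plan; the B and C items stay in the session record so the documented conclusions cover every risk the team raised, not just the ones acted on. Keeping the ratings as words and the matrix as an explicit table is what keeps a four-hour session on schedule: the team argues about High versus Medium, not about whether an outage costs 40,000 or 60,000.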
Business managers bear the primary responsibility for determining the level of protection needed for information resources that support business operations.
Security professionals must play a strong role in educating and advising management on exposures and possible controls.