Complying with Mandates and Managing Risk

Upload: danang-faisal

Post on 06-Feb-2016

Description: ArSITI

Page 1: Ch06 Complying With Mandates
Complying with Mandates and Managing Risk

Page 2: In This Chapter
• Recognizing the importance of compliance
• Reviewing the risk management process
• Developing risk management strategies

Page 3: Keeping Your Company Compliant
• Legal mandates that affect the organization
• Discovery and retention
• Additional requirements

Page 4: Legal mandates that affect the organization
• Sarbanes-Oxley Act (SOX): applies to publicly traded U.S. companies
• Gramm-Leach-Bliley Act (GLBA): privacy and protection of personally identifying information (PII) are required by privacy laws
• Health Insurance Portability and Accountability Act (HIPAA): requirements for segregation of electronic personal health information from other organizational data, for example, may complicate data storage, backup, and archival planning
• Federal Educational Rights Protection Act (FERPA)
• Children’s Online Privacy Protection Act (COPPA)

Page 5: Discovery and retention
• Because so many legal investigations and compliance reviews require access to electronic records, you should include provisions for information archival and reporting in your long-term planning.
• Subpoena-management practices should be firmly in place before requests for data are received, to ensure continuity of operations and minimal impact on operations.
• An enterprise architect can provide great value to your organization by including data archival, storage, and handling options in your long-term enterprise strategy. Mapping data resources together with details on backup and archival practices for each can identify data held beyond a desirable discovery window. This map also provides a ready reference for organizations presented with a to avoid accidental destruction of data due to normal backup media and archival procedures.

Page 6: Additional requirements
• Beyond information technology–specific directives, legal requirements can include generalized mandates.
• You must consider accessibility requirements under Section 508 of the Rehabilitation Act of 1973 (amended), for example, in authentication and data access planning.
• Complex multi-factor or biometric authentication systems may prove difficult to operate for individuals with physically disabling conditions.
• Public-facing applications that don’t support assistive screen reading technologies such as JAWS and Window-Eyes may be unusable by some consumers.
• You also need to consider legal requirements that are likely to be enacted in the near future. Following recent large-scale accidental data exposure events, particularly in the retail and financial industries, it is likely that new laws will deal with backup media and other responsibilities in the management.

Page 7: Additional requirements (continued)
• In addition, legislation under consideration could impose mandatory data retention for Internet service providers and other agencies responsible for the storage, processing, and transmission of information that could be useful in law enforcement investigations.
• In the United States, multiple states recently passed privacy laws that require encryption in storage and use whenever personally identifying data is collected on citizens living in that location.
• Many of these laws require not only protective measures, but also a mechanism for registration of the data storage with affected citizens’ home state and mandates for reporting security breaches of databases containing personal information. These laws can suddenly affect an organization merely because a person living in one of these states becomes a client, member, or consumer of services that involve entering data classified by their home state’s legislature as protected.

Page 8: Planning to Manage Risk
• Identifying threats
• Identifying vulnerabilities
• Assessing risk

Page 9: Identifying threats
Threats typically fall into three categories:
• Natural or environmental threats
• Electronic threats
• Human threats

Page 10: Natural or environmental threats
• Natural threats include weather events such as floods, storms, tornadoes, and hurricanes.
• Environmental threats include events such as fire, extended power failures, and water leaks.
• Natural/environmental threats can cause a significant amount of direct physical damage, as well as a general disruption of business.
• Unlike natural threats, however, environmental threats may be caused by human elements with various motivations.

Page 11: Electronic threats
• Malware such as viruses, Trojan horses, and spyware
• Bugs and weaknesses in software applications and operating systems
• Bots and botnets, which are computers infected by malware and controlled by malicious individuals
• Phishing e-mails, which attempt to trick individuals into providing passwords, bank account numbers, credit card numbers, or other sensitive data to fraudulent Web sites

Page 12: Human threats
• Human threats can be deliberate attacks by malicious individuals for purposes such as causing damage to an organization’s assets, data, or reputation, or stealing its physical or electronic assets. Sources include:
  • Criminals
  • Disgruntled employees
  • The organization’s competition (industrial espionage: the theft of trade secrets)
• Not all attempts to circumvent security controls involve malicious intent. Examples of such benign events include:
  • Propping open a secure door while moving equipment
  • Software developers leaving “back doors” in applications for testing or administrative purposes
  • Employees sharing login credentials instead of waiting for access requests to be approved

Page 13: Human threats (continued)
• Human threats aren’t limited only to physical actions taken by individuals. Electronic threats often originate with, or persist because of, a human element.
• Consider motivation when people are involved, because it can help determine the methods they’ll use.
  • If industrial espionage is the motivation, attackers may be likely to use social engineering techniques to trick employees into giving them access.
  • A disgruntled employee with revenge in mind may destroy or corrupt data or provide his or her login credentials to unauthorized persons.
  • Other motivations include curiosity, monetary gain, blackmail, and destruction, and other methods include hacking, theft, bribery, denial of service attacks, and system intrusion.

Page 14: Identifying vulnerabilities
• You will continually spend time reviewing emerging and returning vulnerabilities, exploits, and threats that must be dealt with through updates, patches, or changes to protocol and service settings.
• There’s no such thing as “secure forever”: attack and vulnerability options are always evolving into new forms and mechanisms that must be included in enterprise defensive planning.
• Some online sources for review include:
  • The SANS Institute’s Top Cyber Security Risks (www.sans.org/topcyber-security-risks/?ref=top20)
  • United States Computer Emergency Readiness Team (www.uscert.gov)
  • National Vulnerability Database (http://nvd.nist.gov)
  • SecurityFocus (www.securityfocus.com)
  • Vendor Web sites for software in use in the enterprise

Page 15: Assessing risk
• In assessing risk, each threat is analyzed to determine its probability and impact.
  • Probability is the likelihood that the threat will materialize into an actual event.
  • Impact refers to the loss that would occur from a successful threat event. This loss can be tangible, such as loss of funds, equipment, or personnel, or intangible, such as a loss of reputation.
• IT risk assessment typically involves qualitative analysis. Instead of numbers, values such as Low, Medium, or High are assigned to probability and impact, and a risk matrix determines the level of risk. You define Low, Medium, and High based on what is appropriate to your organization’s business.
• For more granularity, add ratings such as Very Low or Negligible on the low end or Very High, Severe, or Critical on the high end.

Page 16: Assessing risk (continued)
• Determining probability
• Determining impact
• Calculating risk rating

Page 17: Determining probability
• Probability can be determined by looking at how often threat events (both successful and unsuccessful) occur in your organization and in general, and also by whether or not appropriate countermeasures are in place to protect against exploitation of vulnerabilities. For example, if your organization’s antivirus software is blocking hundreds of viruses per day, then a probability rating of High could be assigned for any threats involving malware.
• For countermeasures:
  • High might be assigned if no countermeasures are in place
  • Medium if inadequate countermeasures exist
  • Low if the countermeasures in place are sufficient
• For example, the probability of unauthorized access if a confidential data file is stored in:
  • an open file share: High
  • a file share with appropriate access control but weak passwords: Medium
  • an encrypted file share with appropriate access control and strong passwords: Low

Page 18: Determining impact
• Impact can be determined by the nature and severity of the consequences of a successful threat event.
• In some cases the impact is simple to establish:
  • cost of repairing or replacing stolen or damaged equipment
  • cost of penalties or credit monitoring service in the event of unauthorized access to customer personally identifiable information
  • sales lost due to a denial of service attack on your organization’s Web site
• Deciding the impact rating for loss of reputation or other intangible consequences may be more difficult. However, in a qualitative assessment there is quite a bit of wiggle room.
• In all cases, the impact rating depends upon the organization. One company may consider $10,000 in lost sales deserving of a High impact rating, while another might consider that Low. Regardless, these ratings must be defined and used consistently to accurately compare risk between threats.
• In circumstances where threat events could lead to loss of life, the impact should always be considered High and may need to be rated even at Very High or Critical, depending upon the potential for harm. Examples of this include threats against network-enabled medical equipment, control software for industrial facilities, or traffic control systems.

Page 19: Calculating risk rating
• Use a risk matrix to determine the risk rating.
• A simple risk matrix uses ratings of Low, Medium, and High.
• Note that if probability and impact are both rated as High, the matrix lists the risk rating as Critical.
• You can also use more granular ratings, which results in a more complex matrix.
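A worked version of the probability, impact and risk-matrix steps from the preceding slides, added here as an illustration and not taken from the slides: the five-step scale, every matrix cell other than the stated "High + High = Critical" rule, the way the loss-of-life floor is coded, and the sample register are assumptions.

```python
"""Qualitative risk rating from the probability / impact / risk-matrix slides.
Added illustration: the five-step scale, the sample register and every matrix
cell other than "High + High = Critical" are assumptions, not from the slides."""
from dataclasses import dataclass

SCALE = ["Very Low", "Low", "Medium", "High", "Very High"]  # ordinal, low to high
CRITICAL = "Critical"                                        # reserved for the matrix override
HIGH = SCALE.index("High")
COUNTERMEASURE_PROBABILITY = {"none": "High", "inadequate": "Medium", "sufficient": "Low"}  # slide rule

@dataclass
class Threat:
    name: str
    countermeasures: str        # "none", "inadequate" or "sufficient"
    impact: str                 # a value from SCALE
    life_safety: bool = False   # could a successful event lead to loss of life?

def rank(rating: str) -> int:
    """Position on the ordinal scale; Critical sits above the top of SCALE."""
    return len(SCALE) if rating == CRITICAL else SCALE.index(rating)

def effective_impact(t: Threat) -> str:
    """Slide rule: impact is never below High when loss of life is possible."""
    return "High" if t.life_safety and rank(t.impact) < HIGH else t.impact

def risk_rating(probability: str, impact: str) -> str:
    """Stated rule: High (or above) on both axes is Critical. Assumed rule for every
    other cell: round the average position up (Medium/High -> High, Low/High -> Medium)."""
    p, i = rank(probability), rank(impact)
    if p >= HIGH and i >= HIGH:
        return CRITICAL
    return SCALE[(p + i + 1) // 2]

def assess(t: Threat) -> dict:
    prob = COUNTERMEASURE_PROBABILITY[t.countermeasures]   # probability from countermeasures
    imp = effective_impact(t)                               # impact with the loss-of-life floor
    return {"name": t.name, "probability": prob, "impact": imp, "risk": risk_rating(prob, imp)}

def prioritize(threats: list) -> list:
    """Register ordered highest risk first: the order in which risks are addressed."""
    return sorted((assess(t) for t in threats), key=lambda r: rank(r["risk"]), reverse=True)

# Constructed sample register; the first three mirror the file-share example.
SAMPLE = [
    Threat("Confidential file on an open share", "none", "High"),
    Threat("Share with access control but weak passwords", "inadequate", "Medium"),
    Threat("Encrypted share, access control, strong passwords", "sufficient", "High"),
    Threat("Tampering with network-enabled medical equipment", "inadequate", "Low", True),
]
```

Running `prioritize(SAMPLE)` places the open share (Critical) first and the medical-equipment threat (High, because the Low impact is floored by the loss-of-life rule) second, ahead of the two Medium entries.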

Page 20: Addressing Risk
• Prioritizing threats
• Reducing probability
• Reducing impact
• Choosing appropriate mitigations

Page 21: Prioritizing threats
Generally, risks are addressed in order of priority, highest to lowest. There are four possible strategies that may be used to address an identified threat:
• Acceptance: The risk may be identified, examined, and accepted, provided that the impact is fully understood and recognized.
• Avoidance: The risk may be avoided by selecting an alternative option that does not include the same level of risk or by simply not engaging in the risky behavior.
• Mitigation: The risk may be reduced to an acceptable level by including additional protections or by altering the parameters producing the risk.
• Transference: The risk may be transferred to another responsible party, often through outsourcing or insurance protections.

Page 22: Reducing probability

Page 23: Reducing impact
• The most effective strategy for reducing impact is to have a comprehensive contingency plan. Contingency plans include actions to take in the event of a specific occurrence.
• Other strategies include:
  • Implementing redundant solutions such as clusters, load balancing, and alternative sites.
  • Ensuring that copies of critical data are stored in a secure, off-site facility for use in the event that on-site data is corrupted or deleted.
  • Training users to report suspected security incidents to appropriate personnel.
  • Configuring intrusion detection applications, integrity verification solutions, data loss prevention software, and other security solutions to notify appropriate personnel of threat events such as denial of service, attempted theft of data, or unauthorized altering of system files so that the threat may be contained in a timely manner.

Page 24: Choosing appropriate mitigations
The goal of risk mitigation is to reduce risk. Because all risk mitigation requires expenditure of resources (money), personnel, or equipment, your organization must obtain the best value from those resources. A cost-benefit analysis may assist with decision making, particularly in the following scenarios:
• If the cost of a mitigation strategy exceeds the expected loss, you should investigate other, less-expensive strategies.
• A mitigation strategy that isn’t cost effective for one asset may become so when spread across multiple assets.
• The cost of a mitigation strategy may be minimal, but it can significantly impact business productivity due to an increase in the time it takes to perform certain tasks.
• A mitigation strategy that calls for security measures so burdensome to users that they actively try to circumvent it is a clear waste of resources.
• If no mitigation strategies are cost effective and acceptance isn’t possible due to regulatory or legal mandates, evaluate the possibility of transferring the risk through outsourcing.

Page 25: Watching out for risk homeostasis
• Sometimes a change made to reduce risk can cause people to act in a more risky manner, which offsets the intended reduction. This is known as risk homeostasis.
• For example, users may be more likely to open unexpected e-mail attachments if they know antivirus software is installed on their workstations.