Information Risk Management: Fighting for control of critical systems. Rick Dakin, [email protected]. February 19, 2009


Page 1: Information Risk Management: Fighting for control of critical systems

Rick Dakin, [email protected]

February 19, 2009

Page 2: Agenda

• Vulnerability versus Risks
• Why Maintain a Risk Management Program?
• Risk Management Process
  o Risk Analysis
  o Control Selection
  o Control Operations
  o Risk Measurement
• Reporting Risk

Page 3: Why Manage RISK?

• Increasing Cyber Threats
• Reduced Tolerance for Service Disruption
• More Demanding Compliance Requirements
• Need for more Efficient Data Sharing Across Agencies
• Justification to establish Risk Mitigation Priorities and Allocation of Resources

Page 4: Elements of RISK

[Diagram. Labels: Malicious Threats and Non-Malicious Threats, each with Motives and Goals and Methods and Tools; Natural Disasters; Vulnerabilities; Security Controls & Policies; ASSETS]

• Good security controls can stop certain attacks
• Poor security policies could let an attack through
• NO security policies or controls could be disastrous

Threat + Motive + Method + Vulnerability = RISK

Page 5: Risk Management Perspective

Risk Management on the Battlefield:

• See It
• Shoot It
• Kill It

Page 6: Risk Management Process

[Process diagram; the individual steps are detailed on the following slides]

Page 7: Step 1: Categorize Assets

Goal: Identify critical assets and inventory supporting systems

Inventory Critical Services and Information
  Processes: Medicaid Disbursements, Patient Enrollment…
  Information: Patient Records, Patient Contact Info, Prescription Records…

Inventory supporting information systems
  Applications: MedCore, PharmTrack
  Systems: WEB01, SYS01, PHSYS12, WEB01_DR, SYS01_DR
  Networks: 172.29.50.1/24, 10.1.52.1/16

Define Security Categorization Value System
  Confidentiality (High, Medium, Low)
  Integrity (High, Medium, Low)
  Availability (High, Medium, Low)

Assign Values to Information, Services, and Information Systems
  Medicaid Disbursements (C:High, I:High, A:High)
  Patient Enrollment (C:High, I:Medium, A:Medium)

Page 8: Sample Data Flow

[Data-flow diagram of a payment-card environment. Labels: Customer Production Environment; Admin Environment; Acquiring Bank (Wells Fargo, BoA, Chase); Portal Access to Reconciliation Data (Charge Back / Sales Audit); Transaction Servers or Payment Gateway; Transaction Record & Archive; Data Warehouse (Payment Gateway and Transaction Database); Batch Settlement; Authorization; Application Servers; Web Server (card not present); POS Terminals (card present in stores and parking facilities); Phone, Fax, Email; Document Vaults (paper records); Back Office & Customer Svc: Marketing, Customer Service, Ecommerce, Phone / Fax, Gift Cards, Fraud, Accounting / Administration]

Page 9: Step 2: Assess Risk

Goal: Determine the reasonable level of risk that exists to organizational assets.

Identify relevant threats
  Human Threats: Theft, Vandalism, Error, Interception, Tampering…
  Environmental Threats: Earthquake, Power Disruptions, Water Damage…

Link threats to specific assets / asset groups
  Service Threats: Power Outages, Earthquakes…
  Information Threats: Theft, Tampering, Interception…
  System Threats: Theft, Power Outages, Tampering, Water Damage…
  Network Threats: Power Outages, Water Damage, Tampering…

Test assets for vulnerabilities that could amplify risk
  Vulnerability Scans, Pen Tests, Social Engineering…

Create risk statements (Threat + Asset)

Evaluate each risk statement against impact and likelihood of occurrence

Risk ID | Threat + Asset
Risk 1  | An outsider could tamper with SYS01 in order to gain system access.
Risk 2  | A burst pipe above the MPOE could disrupt external communications.
Risk 3  | An outsider could use the SSLv2 vulnerability to intercept patient records.

Risk ID | Likelihood | Impact
Risk 1  | Low        | High
Risk 2  | Low        | High
Risk 3  | High       | High

Page 10: Risk Analysis

Each risk should be reviewed based upon a combination of severity and likelihood.

[Risk matrix: LIKELIHOOD (LOW to HIGH) on one axis, SEVERITY (LOW to HIGH) on the other]

                  SEVERITY LOW   SEVERITY HIGH
LIKELIHOOD LOW    LOW RISK       MEDIUM RISK
LIKELIHOOD HIGH   MEDIUM RISK    HIGH RISK

Page 11: Step 3: Select Controls

Goal: Select controls to protect data and systems, justified by risk levels

Identify compliance requirements
• Determine by service/process inventories, line-of-business, and information
• Consult with Legal Counsel
• Obtain source legal/contractual requirements

Identify best-practices requirements
• Commercial sector best-practices (ISO)
• Government best-practices (NIST)

Group requirements into control activities
• Construct a control framework
• Eliminate and/or reduce redundancies in requirements

Review risks and apply controls to assets as necessary

Select justified controls

Risk ID | Likelihood | Impact | Mitigating Controls
Risk 1  | Low        | High   | 2.2.1, 2.2.2, 2.2.3
Risk 2  | Low        | High   | 4.3.4
Risk 3  | High       | High   | 3.1.2

Page 12: Step 4: Operate Controls

Goal: Observe strict adherence to organizational control activities in order to ensure that risks are managed to appropriate levels.

Establish Policies and Procedures from selected Control Activities
• Ensure clear direction for control standards
• Establish organizational risk position and risk expectations
• Set firm tone for risk management

Communicate control responsibilities
• Communicate responsibilities to all staff, contractors, and 3rd parties
• Ensure that all service providers adhere to control standards
• Keep employees up-to-date with controls and responsibilities through awareness programs

Establish Process to Verify Ongoing Control Effectiveness
• Generate an audit trail of control activities
• Keep activity and event logs
• Prepare for audit

Page 13: Step 5: Measure Controls

Report and Measure

Goal: Ensure that “bottom-up” information emerges from control operation to keep decision-makers informed of the changing risk landscape.

Report and Measure Against Existing Controls
• Statewide or entity-level control frameworks should be homogeneous
• Control frameworks produce easily understood reports and reporting frameworks
• Measuring against control frameworks allows the state to measure real “residual risks” (the amount of risk left over after controls)

Highlight “Residual Risks” from Control Deficiencies and Immaturity
• Immaturity and poor operation of a control reveal residual risks; these risks can be mitigated through remediation
• Other residual risks may occur due to a lack of, or unawareness of the need for, a control

Stay Consistent
• Keep risk reporting processes aligned to the control framework
• The framework should be highly organized, yet flexible for year-over-year changes
• Consistency allows for better analysis of risk patterns and year-over-year trends

Provide Report Data to Executive Decision-Makers
• Develop consistent reports for both state entities and state executives
• Report against key framework objectives (e.g., “Logical Access Controls”, “Personnel Security”, “Physical Access Controls”, “Malicious Code Prevention”, etc.)

Page 14: Measure Progress

Level | Name       | Description
5     | Optimized  | Management reviews reports and makes consistent program adjustments
4     | Managed    | Documented processes and policies have accountability to specific metrics that are routinely measured and reported
3     | Documented | The repeatable processes are defined, documented and staff trained
2     | Repeatable | Processes are routinely performed in a similar fashion by multiple staff members
1     | Ad Hoc     | Processes are performed on an individual basis and risks are dependent on the dedication and insight of specific staff
0     | Unaware    |

[Chart: maturity scale 0 Unaware, 1 Ad Hoc, 2 Repeatable, 3 Documented, 4 Managed, 5 Optimized, with the Current State marked on it]

The COBIT model will help guide IT staff to design, deploy and operate a sustainable security program that is not dependent on any single individual.
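As an added worked example (not from the deck, and not Coalfire's code), the following Python risk register carries the slide 9 risks through the slide 10 matrix, attaches the slide 11 mitigating controls, and derives a residual rating from the slide 14 maturity scale. The Medium level in the matrix, the maturity-to-residual rule and the MATURITY scores are assumptions constructed here for illustration.

```python
from dataclasses import dataclass, field

LEVEL = {"Low": 1, "Medium": 2, "High": 3}
ORDER = ["LOW", "MEDIUM", "HIGH"]

def risk_rating(likelihood: str, impact: str) -> str:
    """Slide 10 matrix (Low/Low -> LOW, one High -> MEDIUM, High/High -> HIGH),
    generalized here to a Medium level by scoring likelihood x impact."""
    score = LEVEL[likelihood] * LEVEL[impact]
    return "HIGH" if score >= 6 else "MEDIUM" if score >= 3 else "LOW"

@dataclass
class Risk:
    risk_id: str
    statement: str          # Step 2: risk statement = Threat + Asset
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)  # Step 3: mitigating control IDs

def residual_rating(risk: Risk, maturity: dict) -> str:
    """Inherent rating lowered by how well its controls are operated (Steps 4-5).
    Assumed rule, not from the deck: the weakest control sets the credit;
    Documented/Managed (3-4) drops one level, Optimized (5) two, else none."""
    inherent = risk_rating(risk.likelihood, risk.impact)
    lowest = min((maturity.get(c, 0) for c in risk.controls), default=0)
    drop = 2 if lowest >= 5 else 1 if lowest >= 3 else 0
    return ORDER[max(0, ORDER.index(inherent) - drop)]

def remediation_report(register: list, maturity: dict) -> list:
    """Rows ordered for the remediation plan: highest residual first, then inherent."""
    rows = [{"id": r.risk_id, "inherent": risk_rating(r.likelihood, r.impact),
             "residual": residual_rating(r, maturity), "controls": r.controls}
            for r in register]
    rows.sort(key=lambda x: (-ORDER.index(x["residual"]), -ORDER.index(x["inherent"])))
    return rows

# Register taken from the slide 9 / slide 11 tables.
REGISTER = [
    Risk("Risk 1", "An outsider could tamper with SYS01 in order to gain system access.",
         "Low", "High", ["2.2.1", "2.2.2", "2.2.3"]),
    Risk("Risk 2", "A burst pipe above the MPOE could disrupt external communications.",
         "Low", "High", ["4.3.4"]),
    Risk("Risk 3", "An outsider could use the SSLv2 vulnerability to intercept patient records.",
         "High", "High", ["3.1.2"]),
]
# Constructed maturity score per control (0 Unaware .. 5 Optimized, slide 14); not in the deck.
MATURITY = {"2.2.1": 4, "2.2.2": 5, "2.2.3": 4, "4.3.4": 1, "3.1.2": 3}

if __name__ == "__main__":
    print(*remediation_report(REGISTER, MATURITY), sep="\n")
```

With these scores Risk 3 stays MEDIUM despite its controls because the single control is only Documented, while Risk 1 drops to LOW; that difference between inherent and residual rating is what the Step 5 reporting is meant to surface.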

Page 15: Challenges for Statewide Risk Management

1. Oversight for Processes and Standards
  o Where is the locus of control? Within a Centralized Authority or Decentralized Authority?
  o Have standards for information security across all state entities been established or codified into state law?
  o Do agencies/state entities have sufficient internal security leadership to implement programs?
  o Are resources allocated to remediate the most vulnerable systems with the highest impact?
  o Does the state have sufficient processes in place to enforce security controls and standards?

Page 16: Challenges for Statewide Risk Management

2. Coordinating Risk Assessment Plans
  o Are regular risk assessments executed across all state entities?
  o Are standards for risk assessment methodology established, so risk information can be compared across state entities?
  o Are there sufficient tools and staff available to adequately assess risk?
  o Can agencies share data with the expectation of uniform protection?

Page 17: Challenges for Statewide Risk Management

3. Measuring Risk
  o How does the state measure risk?
  o At the executive level, controls and risks are not “black and white”. Findings must not be based on prescribed control frameworks, since some level of control will always be “not in place”. Issue: provide a credible report to justify action.
  o Need to assess maturity of risk management and reporting processes in such a way as to test comfort with risk, rather than prescribed controls.

Page 18: Challenges for Statewide Risk Management

4. Reporting
  o How are risk assessment and audit results communicated to executives?
  o Are state executives and legislators sufficiently informed of risk?
  o Have reporting expectations been established for state entities?
  o Is there a repeatable reporting process in place across the state entities, so results are centrally coordinated, organized, and managed?

Page 19: Overcoming the Challenges

MS-ISAC and State of Oklahoma

State Challenges
- Need to coordinate risk assessment planning and implement a consistent risk methodology
- Need to ensure risk is accurately captured (and not prescribed) from smaller entities to large agencies
- Need to efficiently collect risk data from across hundreds of state entities

MS-ISAC Challenges
- Need to generate consistent standards for cyber security risk reporting and measurement from the 50 participating states
- Need to implement a risk-based measurement system that could reflect disparity in control from state to state
- Need to overcome the disparity in security leadership and security standards that exists from state to state (need a common yardstick)

Page 20: Overcoming the Challenges

Coalfire Navis Risk Management Platform

• Relational control requirements link different security programs together
• Common measurement system (Control Maturity Ranking Index, CMRI) allows for flexible risk measurement, even at state executive level
• Flexible organizational structures permit hierarchical risk reporting
• System automatically implements centralized intrastate and interstate risk reporting structures

Platform components:
• Common Control Framework
• Extensive Control Library
• Hierarchical Risk Reporting
• Coordinated Control & Risk Data
• Centralized Reporting Processes
• Coordinated Risk Measurement

Page 21: Common Risk Measurement: CMRI

Level | Control Performance & Implementation Indicators
Ad-Hoc | Activities for this control are either not in place or are performed through undocumented, unstructured activities. The implementation of the control is unstructured at best.
Documented State Policy | The state has adopted a state-wide policy on this control, but the exact standards and specifications for its implementation are undefined.
Documented Standard and/or Procedures | Statewide or agency-specific standards and specifications have been documented and communicated to all state agencies/departments/functions.
Risk Awareness | The State is aware that there is risk that may drive the selection of this control, but the control may not be in place within all risk areas. The State measures the implementation and adoption of the control, but only partial results may be available.
Risk Treated | The state makes formal risk-based decisions on when to implement the control based on the outcomes of risk assessment. These assessments cover all areas of state operations deemed appropriate.
Risk Validated | The control has been formally audited and/or tested by an independent entity. The control has been validated as sufficiently meeting risk mitigation/treatment requirements.

[Maturity scale beside the table, from Immature (Ad-Hoc) through Mature to Very Mature (Risk Validated)]

Page 22: Risk Determination

[Diagram labels: Risk Determination; Remediation Plan; Priority; Resources; Funding; Joint Responsibility]

Page 23: Residual Risk

Page 24: Comparative Analysis

Page 25: Questions

Rick Dakin, [email protected]

303.554.6333 ext. 7001

Knowledge – Action = Risk Acceptance