Risk Assessment - Where Security Meets Compliance Caroline R. Hamilton, CEO RiskWatch, Inc.


Post on 25-Dec-2015


TRANSCRIPT

Page 1: Risk Assessment - Where Security Meets Compliance Caroline R. Hamilton, CEO RiskWatch, Inc

Risk Assessment - Where Security Meets Compliance

Caroline R. Hamilton, CEO, RiskWatch, Inc.

Page 2:

3 New Watchwords

1. Governance

2. Risk

3. Compliance

Page 3:

Page 4:

TJ Maxx

• TJX discovered the intrusion in December and reported it to authorities in the U.S. and Canada as well as the major credit card companies and its payment processors. At the request of law enforcement, the breach was kept quiet until Wednesday, TJX said.

• The breach appears broad. In Massachusetts, 28 banks have been contacted by credit card companies indicating that some of their customers have had personal information that may have been exposed, the Massachusetts Bankers Association said in a statement Thursday. That number is likely to grow as more banks report into the association, it said.

Page 5:

Governance, Risk & Compliance

Compliance

Sarbanes-Oxley has increased the accountability of management

New regulations for financial institutions require every institution to complete a risk analysis by December 2006

Risk - Physical Security

Increase in terrorism around the world has hit multinationals

Cargo security now requires risk analysis

Workplace violence continues to affect U.S. companies

Concept of Integrated, Holistic Security

Governance - Information Technology

IT has become a critical part of most organizations

New international standards require more IT risk analysis

Page 6:

New Requirements for Security Risk Assessments

Based on Published Standards

Governments are instituting requirements, or expecting, that companies perform security risk assessments. An assessment can include identification of threats and vulnerabilities and, based on both, an analysis of security gaps and mitigation strategies. Some of the assessment requirements also require that companies identify their most critical assets and propose plans to protect core business functions and human assets.

Page 7:

Compliance Regulations, Standards and Guidelines

Financial & Regulatory Compliance

• GLBA (Gramm-Leach-Bliley Act)
• FFIEC Audit Framework for Information Security and for Risk Analysis
• California SB 1386 (Identity Theft)
• Bank Secrecy Act (BSA)
• PCI Data Security Standard
• Sarbanes-Oxley Act

HIPAA

• Health Insurance Portability and Accountability Act of 1996

Utilities

• NERC CIP-002 through CIP-009 (North American Electric Reliability Council) Critical Infrastructure Protection
• Nuclear Power Generators: NRC (Nuclear Regulatory Commission) & NEI (Nuclear Energy Institute)

PHYSICAL SECURITY

• Army Field Manual Best Practices
• FEMA 426 – Protecting Buildings Against Terrorism
• C-TPAT (Customs-Trade Partnership Against Terrorism)
• FEMA 428 – School Security Guidelines
• NFPA
• Maritime & Port Security – ISPS, MTSA

Information Security

• ISO 17799 / ISO/IEC 17799:2005
• ISO/IEC 27001
• NIST SP 800-26, NIST SP 800-53
• Office of Management and Budget (OMB) Circulars A-123, A-124, A-127, and A-130
• COBIT 4

Page 8:

Mapping to Audit

• Must map to audit guidelines – ISACA (ASIS partner organization)

• Every vulnerability or risk assessment ends up with corporate management – CFO or IG

• Executives are being held PERSONALLY ACCOUNTABLE and need the assessments to demonstrate due care

Page 9:

APPROACH TO GOOD SECURITY

“The approach to good security is fundamentally similar regardless of the assets being protected. As GAO has previously reported for homeland security and information systems security, applying risk management principles can provide a sound foundation for effective security whether the assets are information, operations, people, or facilities. These principles, which have been followed by members of the intelligence and defense community for many years, can be reduced to five basic steps:

GAO-02-687T National Security

Page 10:

ELEMENTS OF RISK ASSESSMENT VS. COMPLIANCE ASSESSMENT

ASSETS

THREATS

VULNERABILITIES

LOSSES

SAFEGUARDS

Page 11:

What Is Risk Assessment compared to a Site Survey?

A process used to determine what controls are needed to protect critical or sensitive assets adequately and cost-effectively.

The process examines five variable functions:

1. Specific Assets to be protected (value)

2. Potential Threats to the various assets

3. Vulnerabilities that would allow the threats to materialize

4. Kinds of Losses that the threats could cause

5. Safeguards that would reduce the loss or eliminate the threats

Page 12:

The Risk Assessment Process

Diagram (components as labelled on the slide): Respondents; Automated Survey; Management; Analyst; Process Management; Data Aggregation & Analysis; Content (Rules & Data); Risk Analysis; Customization; Reporting.

Page 13:

Estimating Asset Values

Page 14:

FINDING THREAT DATA, OR INPUT YOUR OWN ORGANIZATIONAL DATA SUCH AS INCIDENT REPORT DATA

• Quantified threat data is hard to find.

• Categories of threats: natural disasters, criminal activity, terrorism, theft, systems failures

• Collect data from web sources, government data, weather data, crime forecasts, global information services, access control systems, incident logs.

• Use data from internally collected sources

Page 15:

Standard Threat Data or Enter your own Site Specific Incident Data

Page 16:

Discovering Vulnerabilities

• Vulnerabilities are specific to each organization

• The vulnerability survey can be completed by the analyst alone, or include key individuals

• Web-based surveys increase the accuracy and speed of survey collection & aggregation

Page 17:

Question answers map up to over forty customizable vulnerability areas

Page 18:

• Questions Follow Audit Format

• Control Standard matches Question

• Analyst Sets Threshold for Compliance

• Questions Validate Compliance with Standards

• Analyst can Add, Delete or Modify Questions

Analysts Can Customize Questions or Add New Questions

Page 19:

SAMPLE QUESTION CREATION ELEMENTS

Page 20:

Use of Server-Based Questionnaires Makes it Easy to Collect Information

Page 21:

Page 22:

Including all Relevant Safeguards and Controls

• Alarm Systems
• Background Checks
• Barriers
• Biometric Controls
• Bomb Threat Procedures
• Bomb Detection & Identification
• CCTV Cameras
• Disaster Recovery Planning
• Emergency Response Planning
• Entry Controls
• Fire Controls
• Guard Services
• Incident Reporting
• Incident Response
• Intrusion Detection
• Lock & Key Controls
• Monitoring Systems
• Risk Assessment
• Security Planning
• Security Policies
• Security Staff
• Technical Surveillance
• Training Programs
• Visitor Controls

Page 23:

Controls with default values for implementation and life cycles

Page 24:

Diagram: how the model's variables link (the slide shows them as four linked columns)

Assets: Equipment, Generators, Facility, Staff, Patients, Security Personnel, Reputation

Losses: Related Loss, Direct Loss, Disruption, Injury, Intangibles, Loss of Life

Threats: Accident, Fire, Vandalism, Power Loss, Theft, Workplace Violence, Homicide

Vulnerabilities: Personnel Screening, Controlled Areas, Personnel ID, Key Controls, No Security Plan, Observation, Doors, Construction

Data Aggregation & Analysis: Incident Class → Incident → Conditioned Incident → Degree of Seriousness

Risk = Asset × Loss × Threat × Vulnerability

Page 25:

WRITING REPORTS

• Data which can be benchmarked

• Making sure you include audit trails

• Use of recognized statistical probability models

• Includes both current and new directives

• Creating management level reports

Page 26:

MITIGATION STRATEGIES

1. Accept Risk

2. Transfer Risk

3. Mitigate Risk

4. Better Risk Reactions

5. Dealing with Residual Risk

Page 27:

EASY TO UNDERSTAND GRAPHS ILLUSTRATE OVERALL COMPLIANCE VS. NON-COMPLIANCE

Pie chart: two slices, 46% and 54%; legend: Compliant, Non-Compliant.

Page 28:

VULNERABILITY DISTRIBUTION CHART SHOWS THE WEAKNESSES IN THE CURRENT SECURITY PROFILE

Pie chart: Non-Compliant Answers by Question Category (slices from 4% to 18%; the per-category percentages are not recoverable from the extracted text). Categories: Entry Control, Internal Bldg Security, General, Integrated Systems, Bldg Security, Parking Structures, Security Guards, Loading Dock, Lobby Control, Perimeter/Intrusion Detection, Remaining.

Page 29:

Survey Answers Can be Shown by Job Title, or by Individual Name

Pie chart: Non-Compliant Answers by Respondent (slices from 0% to 25%; the per-respondent percentages are not recoverable from the extracted text). Respondents: internal1, guard, internal2, badging, external, delivery, personnel, safety, recovery, Remaining.

Page 30:

Shows the Annual Loss Expectancy By Threat

Pie chart: ALE by Threat (slices from 3% to 33%; the per-threat percentages are not recoverable from the extracted text). Threats: Communications Loss, Arson, Explosions Major, Theft - Company Property, Vandalism, Assault, Simple, Sabotage/Terrorist, Explosions Minor/Mail-Bomb, Cold/Frost/Snow, Flooding/Water Damage, Sabotage/Disgruntled Employee, Remaining.

Page 31:

Loss Expectancy is Also Shown by Asset Category Impact

Pie chart: slices of 50%, 25%, 18%, 4%, 3% and several at 0% (the per-category percentages are not recoverable from the extracted text). Asset categories: Facilities/Buildings, Personnel, Communications Equipment, Office Equipment, Computer Hardware, Electronic Equipment, Remaining.

Page 32:

Reports Can Include Loss Protection by Threat Category

Horizontal bar chart, Loss Protection by Threat (x-axis 0% to 80%). Threats: Assault, Simple; Activist; Assault, Aggravated; Assault, Sexual; Kidnapping; Vandalism; Homicide; Stalking; Burglary/Break In; Robbery; Remaining.

Page 33:

How to Calculate Return on Investment to Support Proper Budgeting for Security

In this example, finishing and updating the Disaster Recovery Plan had a 2000:1 ROI. That means that for every dollar spent on updating the plan, the organization avoids $2,000 of expected loss (the ratio is the reduction in annual loss expectancy divided by the annualized cost of the control).

1. Finish Disaster Recovery Plan 2000:1

2. Finish the Security Plan 1200:1

3. Complete Security Training 943:1

Page 34:

Recommended Security Controls are Listed by Return On Investment

Horizontal bar chart, Return on Investment (10% Discount), x-axis 0.0 to 2.5. Controls, in chart order (the two-letter prefix is the control category code used by the tool): ID Infrared Motion Detectors; GD Policy/Procedure; GD Patrol/Tour Reporting; CN Steel Bars/Grills; BR Policy/Procedure; LK Policy/Procedure; FR Marshal/Brigade; ID Magnetic/Contact Switches; ID UPS Dedicated; EC Biometric Access.

Page 35:

Single vs. Cumulative Loss Reductions

Horizontal bar chart, x-axis 0.0% to 6.0%. Controls, in chart order: CN Steel Bars/Grills; ID Infrared Motion Detectors; GD Policy/Procedure; GD Patrol/Tour Reporting; ID Magnetic/Contact Switches; BR Policy/Procedure; LK Policy/Procedure; FR Marshal/Brigade; ID UPS Dedicated; BR Jersey Walls; EC Biometric Access; PR Personnel Termination; VC Removal; VC Vehicle Barriers; ID Microwave Motion Detectors; SC Security Manual; SC Security Policy; CN Steel Mesh Walls; OV CCTV Cameras.

This graph illustrates how implementing the top 20 controls contributes to a cumulative reduction in loss potential.

Page 36:

The Bottom Line

• Security risk management requirements will continue to increase and need to be standardized.

• Measuring and managing security by return on investment gives you the 'best bang for the buck'.

• Conducting risk assessments is the best way to meet security requirements, quantify areas of weakness, justify security controls, and manage and validate the security budget.

Page 37:

Caroline Hamilton, 410-224-4773, x105

[email protected]