Risk Analysis - Nine Steps to Follow
1
Effectively Completing and Documenting a Risk Analysis
Tom Walsh, CISSP, Tom Walsh Consulting, LLC
Overland Park, KS
Copyright © 2014, Tom Walsh Consulting, LLC
Session Objectives
• Identify the difference between risk analysis and risk assessment
• Define the basic steps used in completing a risk analysis: how to identify threats, evaluate current security controls, determine vulnerabilities, and prioritize risks
• Demonstrate how to perform and document a risk analysis through “hands-on” exercises
• Describe how to present a risk analysis report and manage risks through a remediation plan
Introduction – Tom Walsh
• Certified Information Systems Security Professional (CISSP)
• 11 years – Tom Walsh Consulting (tw-Security)
• Co-authored four books on security
• Former information security manager for large healthcare system in Kansas City, MO
• A little nerdy, but overall, a nice guy
Risk Analysis
Risk Analysis vs. Risk Assessment
• Assessment – A judgment about something based on an understanding of the situation; a method of evaluating performance
• Analysis – The close examination of something in detail in order to understand it better or draw conclusions from it; the separation of something into its constituents in order to find out what it contains, to examine individual parts, or to study the structure of the whole (Source: Encarta Dictionary)
• Risk Analysis – A systematic and ongoing process of identifying threats, controls, vulnerabilities, likelihood, impact, and an overall rating of risk
• Risk Analysis – A systematic and ongoing process of
identifying threats, controls, vulnerabilities, likelihood,
impact, and an overall rating of risk
NIST Risk Assessment Process
Note: NIST SP 800-30 Guide for Conducting Risk Assessments, Revision 1, is the source for this diagram. NIST often refers to the term “assessment” to imply the “risk analysis process.”
PCI DSS Requirement 12.2
Key words:
“…performed at least annually and upon significant changes…”
Threats, controls, vulnerabilities, likelihood, and impact
A closer look at the requirement…
PCI DSS Risk Assessment Guidelines
HIPAA – Risk Analysis
§164.308(a)(1)(ii)(A) Risk analysis (Required)
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity [or business associate].
Risk Assessment / Analysis
Each organization has to:
• Assess its own security risks
• Determine its risk tolerance or risk aversion
• Devise, implement, and maintain appropriate security to address its business requirements
• Document its security decisions
Risk Analysis – Two types:
• Qualitative – (Easiest and most common) Rating risks on a scale such as High, Medium, or Low
• Quantitative – (Most difficult to determine) Placing a dollar value on the risk based upon some formulas or calculations
Risk Analysis
The nine steps in the risk analysis process:
1. System characterization
2. Threat identification
3. Control assessment
4. Vulnerability identification
5. Likelihood determination
6. Impact analysis
7. Risk determination
8. Control recommendations
9. Results documentation
Based upon the original National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30, Risk Management Guide for Information Technology Systems
1. System Characterization
• Create an inventory of applications and systems
– Major applications
– General support systems
• Computer workstations
• Laptops and tablets
• Smartphones
• Network (LAN, wireless, extranet, etc.)
• Data Center
Threats are based upon information assets.
2. Threat Identification
• Identify reasonably anticipated threats
– Acts of nature
• Natural disaster that is beyond our control
• Threats affecting the organization as a whole
– Acts of man
• Unintentional or accidental
• Intentional
– Environmental threats
• Generally, threats affecting Data Center operations
Risk Analysis – Exercise
Identify reasonably anticipated threats for each threat category (as they pertain to applications and information systems):
– Acts of nature (for the Midwest)
– Human actions
– Environmental threats affecting Data Center operations
Common mistake: Listing an impact as a threat.
#2 Unreasonable Threats
• Chemical spills
• Biological contamination
• Nuclear mishaps
• Aircraft accident
• Civil unrest / Rioting
• Bomb threats
• Sinking ground
• Tsunami
• Volcano eruption
• Blackmail
• Substance abuse
• Inflation
Thorough does not mean unreasonable.
3. Control Assessment
• Assess current controls
– Technical (tools)
• Existing security features not in use
• Purchase software and/or hardware
– Non-technical
• Policies, procedures, plans, etc.
• Training (Practices and behavior)
Checklists are usually used to assess existing controls.
Purpose of Controls and Examples
• Prevention (proactive) – Access controls
• Detection (reactive) – Audit logs
• Assurance (proactive) – Evaluation or assessment
• Recovery (reactive) – Disaster recovery plan
4. Vulnerability Identification
• Hardware
– Improperly configured equipment
• Software
– Operating systems needing patching
– Poorly written applications
• Environmental
– Lack of physical or environmental controls
• Operational practices
– Lack of policies and procedures
– Untrained personnel
Checklist – SAMPLE
“Yes” = Control; “No” = Vulnerability
Control Assessment – Checklists
• How many questions do you really need to ask?
• “Critical few versus the trivial many”
• Diminishing returns (chart: value of answers vs. number of questions)
Risk Analysis – Exercise
Developing checklist questions
State one or two checklist questions for assessing controls to address each threat below:
– Authorized user misusing their access privileges (snooping)
– Unauthorized user or inappropriate access (internal)
– Hacking or tampering (external)
– Program error, application bug, and/or system failure
Bonus: How do you rank the importance of one question from another?
5. Likelihood Determination
What is the likelihood or probability of each threat circumventing the existing controls?
• Likelihood can be rated as being:
– High, Medium, or Low
• To maintain consistency, your organization should include definitions of those ratings
6. Impact Determination
Evaluate what it would do to your organization if a threat were realized.
• Impact can be rated as being
– High, Medium, or Low
• To maintain consistency, your organization should include some definitions of those ratings
It can be difficult to precisely quantify the impacts if a threat was realized.
6. Impact – Possible Consequences
• Confidentiality
• Integrity
• Availability
• Opportunity (financial)
• Reputation
• Litigation
7. Risk Determination
“Risk is a measure of the extent to which an entity is threatened by a potential circumstance or event, and is typically a function of:
(i) the adverse impacts that would arise if the circumstance or event occurs; and
(ii) the likelihood of occurrence.”
Source: National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30 Guide for Conducting Risk Assessments
7. Risk Determination
The OCTAVE approach to calculate a risk score:
Risk Score – SAMPLE #1
Likelihood   Impact   Risk Score   Color Rating
H            H        9            Red
H            M        6            Red
M            H        6            Red
M            M        4            Yellow
H            L        3            Yellow
L            H        3            Yellow
M            L        2            Green
L            M        2            Green
L            L        1            Green
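The scoring in the table above, carried through as an added Python example (it is not tooling from the presentation): checklist answers are turned into vulnerabilities (step 4, “Yes” = control, “No” = vulnerability), each vulnerability carries a likelihood and impact rating (steps 5 and 6), and the score and color band from SAMPLE #1 are applied (step 7) to produce a ranked risk profile. The scale values H = 3, M = 2, L = 1 are inferred from the table (3 × 3 = 9, 3 × 2 = 6, and so on); the checklist questions, threats and ratings are constructed sample data built around the four threats from the checklist exercise.

```python
"""Checklist answers -> vulnerabilities -> OCTAVE-style risk scores (added example).

Not tooling from the presentation. Scale values (H=3, M=2, L=1) and the color
bands (6-9 Red, 3-4 Yellow, 1-2 Green) follow the "Risk Score - SAMPLE #1" table;
the checklist content below is constructed sample data.
"""
from dataclasses import dataclass

SCALE = {"H": 3, "M": 2, "L": 1}   # inferred from the sample table: 3x3=9, 3x2=6, ...


def risk_score(likelihood: str, impact: str) -> tuple[int, str]:
    """Return (score, color) where score = likelihood x impact."""
    score = SCALE[likelihood.strip().upper()] * SCALE[impact.strip().upper()]
    if score >= 6:
        color = "Red"        # H/H, H/M, M/H
    elif score >= 3:
        color = "Yellow"     # M/M, H/L, L/H
    else:
        color = "Green"      # M/L, L/M, L/L
    return score, color


@dataclass(frozen=True)
class ChecklistItem:
    question: str      # the control being checked
    threat: str        # the threat the control addresses (step 2)
    answer: str        # "Yes" = control in place, "No" = vulnerability (step 4)
    likelihood: str    # rating of the threat circumventing controls (step 5)
    impact: str        # rating of the impact if the threat is realized (step 6)


def vulnerabilities(items: list[ChecklistItem]) -> list[ChecklistItem]:
    """Step 4: every 'No' answer on the checklist is a vulnerability."""
    return [i for i in items if i.answer.strip().lower() == "no"]


def risk_profile(items: list[ChecklistItem]) -> list[dict]:
    """Step 7: score each vulnerability and rank highest risk first."""
    rows = []
    for item in vulnerabilities(items):
        score, color = risk_score(item.likelihood, item.impact)
        rows.append({
            "threat": item.threat,
            "vulnerability": "Missing control: " + item.question,
            "likelihood": item.likelihood,
            "impact": item.impact,
            "score": score,
            "color": color,
        })
    # sort() is stable, so equal scores keep their checklist order
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


def summary(profile: list[dict]) -> dict:
    """Count of findings per color band, for the report's executive summary."""
    counts = {"Red": 0, "Yellow": 0, "Green": 0}
    for row in profile:
        counts[row["color"]] += 1
    return counts


# Constructed sample checklist covering the four threats from the checklist exercise.
SAMPLE_CHECKLIST = [
    ChecklistItem("Are audit logs of user access to ePHI reviewed on a schedule?",
                  "Authorized user misusing their access privileges (snooping)", "No", "H", "M"),
    ChecklistItem("Are user accounts disabled when workforce members leave?",
                  "Unauthorized user or inappropriate access (internal)", "Yes", "M", "H"),
    ChecklistItem("Are operating system patches applied within a defined timeframe?",
                  "Hacking or tampering (external)", "No", "M", "H"),
    ChecklistItem("Is there a tested backup and restore procedure?",
                  "Program error, application bug, and/or system failure", "No", "L", "H"),
    ChecklistItem("Is the Data Center protected against water leaks?",
                  "Environmental threats affecting Data Center operations", "Yes", "L", "H"),
]

if __name__ == "__main__":
    profile = risk_profile(SAMPLE_CHECKLIST)
    for row in profile:
        print(f'{row["color"]:6} {row["score"]}  {row["threat"]}')
    print(summary(profile))
```

Only the “No” answers reach the scoring step, which is the point of the “Yes = Control, No = Vulnerability” convention: the checklist is the control assessment, and the vulnerability list falls out of it. The ranked output is the raw material for the Findings section of the report and for the remediation plan.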
Risk Score – SAMPLE #2
Source: PCI DSS Risk Assessment Guidelines (November 2012) created by the Risk Assessment Special Interest Group (SIG)
Risk Score – SAMPLE #3
Risk Analysis – Exercise
8. Recommended Controls
• Provide recommendations to address each vulnerability (if possible) to reduce or manage risks appropriately
9. Results Documentation
• Create a summary of key findings, recommendations and estimates to implement
• Document management's decisions:
– Avoid the risk (Many times – not an option)
– Mitigated/Reduced (Applying controls)
– Transferred/Shared (Insuring against a loss) or
– Accepted (Doing nothing, but recognizing risk)
• Risk should be handled in a cost-effective manner relative to the value of the asset
Management Decisions
Risk Analysis Reports
Risk Profile – SAMPLE #1
Risk Profile – SAMPLE #2
Source: PCI DSS Risk Assessment Guidelines (November 2012) created by the Risk Assessment Special Interest Group (SIG)
Risk Profile – SAMPLE #3-1
Source: National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30 Guide for Conducting Risk Assessments
Risk Profile – SAMPLE #3-2
Source: National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30 Guide for Conducting Risk Assessments
Risk Profile Approach
A hierarchical approach to assessing controls and risks: a risk profile is built for each major application (e.g., Major App 1 and Major App 2) by assessing controls at each layer:
• Data
• Application
• Network
• Hardware & Operating System
• Physical/Environment
• Operational Practices
Risk Analysis Picture
(Diagram of the layers in scope: Application, Workstation, Network, Data Center)
Risk Analysis Report – SAMPLE #1
Topics to address in a report:
– Overview (Report date, Information/Data Owner, author of report)
– Scope (Application(s) and General Support System(s): business functions, data sensitivity, criticality of system)
– Description of Risk Analysis Approach
– Risk Analysis Team Members
– Findings (Vulnerabilities / unacceptable risks)
– Recommendations
– Information/System Owner Comments
– Statement of Understanding
Risk Analysis Report – SAMPLE #2
Topics to address in a report:
– Scope of Risk Assessment
– Asset Inventory
– Threats
– Vulnerabilities
– Risk Evaluation
– Risk Treatment
– Version History
– Executive Summary
Source: PCI DSS Risk Assessment Guidelines (November 2012) created by the Risk Assessment Special Interest Group (SIG)
Risk Management Process
Goal: To meet business objectives while managing risks to an acceptable level
Risk Analysis – Output:
• Risk Profiles
• Risk Analysis Reports (Communicate risks to “Owners”)
• Internal Audit or Evaluation
• Vulnerability Scans
• Penetration Testing
Risk Management – Output:
• Risk Remediation Plan
• Audit Trails
• Change Control
• Configuration Management / Patch Management
• Incident Reports
• Security Plans
• Contingency Plans
• Disaster Recovery Plans
Validation: “Are safeguards and controls functioning as stated? Prove it!” – “Trust but verify”
Remediation Plan – SAMPLE
Conclusion
Connect the Dots (diagram): Risk as a function of Likelihood and Impact
References
• NIST Computer Security Resource Center, SP 800-30 Guide for Conducting Risk Assessments:
– http://csrc.nist.gov/publications/PubsSPs.html
• PCI DSS Risk Assessment Guidelines:
– https://www.pcisecuritystandards.org/documents/PCI_DSS_Risk_Assmt_Guidelines_v2.pdf
• Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE):
– http://www.cert.org/octave/
• Risk Analysis Myths:
– http://www.healthit.gov/providers-professionals/top-10-myths-security-risk-analysis
Just released…
Risk Tool – Physician Practices
• SRA Tool Content – Administrative Safeguards (192 pages)
• SRA Tool Content – Physical Safeguards (104 pages)
• SRA Tool Content – Technical Safeguards (140 pages)
SRA Tool Content – Technical Safeguards (What is missing in the 140 pages?)
• Hacker
• Scan, intrusion, penetration
• Firewall (only one question, and it pertains to audit logs; not whether you have one or how it is configured)
• Network interruptions
• Wireless (appears once, but not as an assessment question)
• Bandwidth
• System administrator
• Mobile, mobile devices, mobile device management, BYOD
• Data loss prevention / Data loss protection
• Change control, change management
• Configuration management
• Leakage, data leakage
• Text, texting, text messaging
• Protocol, VPN, https
• Portal
• Telecommute, telemedicine, teleradiology
• Remote access (no questions; mentioned once in a comment on “Things to consider”)
• Biomed, biomedical
Questions?
Thanks for Attending!
Tom Walsh, CISSP
Tom Walsh Consulting, LLC
Overland Park, KS
www.tw-Security.com
913-696-1573