
Information Risk Management Fighting for control of critical systems Rick Dakin



Presentation Transcript


  1. Information Risk Management Fighting for control of critical systems Rick Dakin Rick.dakin@coalfiresystems.com February 19, 2009

  2. Agenda
  • Vulnerability versus Risks
  • Why Maintain a Risk Management Program?
  • Risk Management Process
  • Risk Analysis
  • Control Selection
  • Control Operations
  • Risk Measurement
  • Reporting Risk

  3. Why Manage RISK?
  • Increasing Cyber Threats
  • Reduced Tolerance for Service Disruption
  • More Demanding Compliance Requirements
  • Need for more Efficient Data Sharing Across Agencies
  • Justification to establish Risk Mitigation Priorities and Allocation of Resources

  4. Elements of RISK: Threat + Motive + Method + Vulnerability = RISK
  (Diagram: malicious threats, non-malicious threats and natural disasters bring motives and goals plus methods and tools against the vulnerabilities of ASSETS. Good security controls can stop certain attacks; poor security policies could let an attack through; no security policies or controls could be disastrous.)

  5. Risk Management Perspective. Risk Management on the Battlefield: See It, Shoot It, Kill It.

  6. Risk Management Process

  7. Step 1: Categorize Assets. Goal: Identify critical assets and inventory supporting systems
  • Inventory Critical Services and Information
    • Processes: Medicaid Disbursements, Patient Enrollment…
    • Information: Patient Records, Patient Contact Info, Prescription Records…
  • Inventory supporting information systems
    • Applications: MedCore, PharmTrack
    • Systems: WEB01, SYS01, PHSYS12, WEB01_DR, SYS01_DR
    • Networks: 172.29.50.1/24, 10.1.52.1/16
  • Define Security Categorization Value System
    • Confidentiality (High, Medium, Low)
    • Integrity (High, Medium, Low)
    • Availability (High, Medium, Low)
  • Assign Values to Information, Services, and Information Systems
    • Medicaid Disbursements (C:High, I:High, A:High)
    • Patient Enrollment (C:High, I:Medium, A:Medium)

  8. Sample Data Flow (diagram; labels as shown)
  • Zones: Customer, Production Environment, Admin Environment, Acquiring Bank (Wells Fargo, BoA, Chase)
  • Customer channels: POS Terminals (card present in stores and parking facilities), Web Server (card not present), Phone, Fax, Email
  • Production components: Authorization Transaction Servers or Payment Gateway, Transaction Record & Archive, Batch Settlement, Application Servers, Payment Gateway and Transaction Database, Data Warehouse, Portal Access to Reconciliation Data (Charge Back / Sales Audit)
  • Admin Environment: Marketing, Customer Service, Ecommerce, Phone / Fax, Gift Cards, Fraud, Accounting / Administration, Back Office & Customer Svc, Document Vaults (paper records)

  9. Step 2: Assess Risk. Goal: Determine the reasonable level of risk that exists to organizational assets.
  • Identify relevant threats
    • Human Threats: Theft, Vandalism, Error, Interception, Tampering…
    • Environmental Threats: Earthquake, Power Disruptions, Water Damage…
  • Link threats to specific assets / asset groups
    • Service Threats: Power Outages, Earthquakes…
    • Information Threats: Theft, Tampering, Interception…
    • System Threats: Theft, Power Outages, Tampering, Water Damage…
    • Network Threats: Power Outages, Water Damage, Tampering…
  • Test assets for vulnerabilities that could amplify risk
    • Vulnerability Scans, Pen Tests, Social Engineering…
  • Create risk statements (Threat + Asset)
  • Evaluate each risk statement against impact and likelihood of occurrence

  10. Risk Analysis. Each risk should be reviewed based upon a combination of severity and likelihood.
  (Matrix: LIKELIHOOD on one axis and SEVERITY on the other, each running from LOW to HIGH; cells are graded HIGH RISK, MEDIUM RISK or LOW RISK.)
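The following is an added worked example, not code from the presentation or from Coalfire: a small risk register that carries out Step 1 (C/I/A categorization), Step 2 (linking threats to assets and writing "Threat + Asset" risk statements) and the severity x likelihood ranking of slide 10. The severity rule (highest categorization among the properties a threat degrades), the numeric matrix cut-offs and the per-threat likelihood ratings are assumptions; asset and threat values are constructed samples that follow the pattern on slide 7.

```python
from dataclasses import dataclass
# Numeric weight of each categorization / likelihood rating
LEVEL = {"Low": 1, "Medium": 2, "High": 3}

@dataclass(frozen=True)
class Asset:                 # Step 1: an inventoried service with its C/I/A values
    name: str
    confidentiality: str
    integrity: str
    availability: str

@dataclass(frozen=True)
class Threat:                # Step 2: a relevant threat, linked to the CIA properties it degrades
    name: str
    impacts: tuple           # subset of ("C", "I", "A")
    likelihood: str          # "Low" / "Medium" / "High" (assumed to be rated per threat)

def severity(asset, threat):
    """Severity of a threat against an asset: the highest categorization among the
    properties the threat degrades. Assumption; the slides do not define this rule."""
    rating = {"C": asset.confidentiality, "I": asset.integrity, "A": asset.availability}
    return max((rating[p] for p in threat.impacts), key=LEVEL.__getitem__)

def risk_level(severity, likelihood):
    """Severity x likelihood matrix from slide 10. Numeric cut-offs are an assumption:
    a 3x3 product grid where 6-9 is High, 3-5 is Medium and 1-2 is Low."""
    score = LEVEL[severity] * LEVEL[likelihood]
    return "High" if score >= 6 else "Medium" if score >= 3 else "Low"

def risk_register(assets, threats):
    """One 'Threat + Asset' risk statement per pair, ranked highest risk first."""
    rows = []
    for asset in assets:
        for threat in threats:
            sev = severity(asset, threat)
            rows.append({"statement": f"{threat.name} of {asset.name}", "severity": sev,
                         "likelihood": threat.likelihood, "risk": risk_level(sev, threat.likelihood)})
    return sorted(rows, key=lambda r: (-LEVEL[r["risk"]], -LEVEL[r["severity"]], r["statement"]))

# Constructed sample inventory, following the categorization pattern on slide 7
ASSETS = [Asset("Medicaid Disbursements", "High", "High", "High"),
          Asset("Patient Enrollment", "High", "Medium", "Medium")]
THREATS = [Threat("Theft", ("C",), "Medium"),
           Threat("Tampering", ("I",), "Low"),
           Threat("Power Outage", ("A",), "High")]

if __name__ == "__main__":
    for row in risk_register(ASSETS, THREATS):
        print(f'{row["risk"]:6} {row["statement"]} (severity {row["severity"]}, likelihood {row["likelihood"]})')
```

The ranked output is the prioritized list that Step 3 (control selection) consumes; changing a threat's likelihood or an asset's categorization re-ranks the register without touching the matrix rule.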

  11. Step 3: Select Controls. Goal: Select controls to protect data and systems, justified by risk levels
  • Identify compliance requirements
    • Determine by service/process inventories, line-of-business, and information
    • Consult with Legal Counsel
    • Obtain source legal/contractual requirements
  • Identify best-practices requirements
    • Commercial sector best-practices (ISO)
    • Government best-practices (NIST)
  • Group requirements into control activities
    • Construct a control framework
    • Eliminate and/or reduce redundancies in requirements
  • Review risks and implement to assets as necessary
  • Select justified controls

  12. Step 4: Operate Controls. Goal: Observe strict adherence to organizational control activities in order to ensure that risks are managed to appropriate levels.
  • Establish Policies and Procedures from selected Control Activities
    • Ensure clear direction for control standards
    • Establish organizational risk position and risk expectations
    • Set firm tone for risk management
  • Communicate control responsibilities
    • Communicate responsibilities to all staff, contractors, and 3rd parties
    • Ensure that all service providers adhere to control standards
    • Keep employees up-to-date with controls and responsibilities through awareness programs
  • Establish Process to Verify Ongoing Control Effectiveness
    • Generate an audit trail of control activities
    • Keep activity and event logs
    • Prepare for audit

  13. Step 5: Measure Controls (Report and Measure). Goal: Ensure that “bottoms-up” information emerges from control operation to keep decision-makers informed of the changing risk landscape.
  • Report and Measure Against Existing Controls
    • Statewide or entity-level control frameworks should be homogenous
    • Control frameworks produce easily understood reports and reporting frameworks
    • Measuring against control frameworks allows the state to measure real “residual risks” (the amount of risk left over after controls)
  • Highlight “Residual Risks” from Control Deficiencies and Immaturity
    • Immaturity and poor operation of a control reveal residual risks. These risks can be mitigated through remediation
    • Other residual risks may occur due to a lack of, or unawareness of the need for, a control
  • Stay Consistent
    • Keep risk reporting processes aligned to the control framework
    • The framework should be highly organized, yet flexible for year-over-year changes
    • Consistency allows for better analysis of risk patterns and year-over-year trends
  • Provide Report Data to Executive Decision-Makers
    • Develop consistent reports for both state entities and state executives
    • Report against key framework objectives (e.g., “Logical Access Controls”, “Personnel Security”, “Physical Access Controls”, “Malicious Code Prevention”, etc.)

  14. Measure Progress. The COBIT model will help guide IT staff to design, deploy and operate a sustainable security program that is not dependent on any single individual. (Chart: maturity scale 0 to 5 with a “Current State” marker.)
  • 0 Unaware
  • 1 Ad Hoc: Processes are performed on an individual basis and risks are dependent on the dedication and insight of specific staff
  • 2 Repeatable: Processes are routinely performed in a similar fashion by multiple staff members
  • 3 Documented: The repeatable processes are defined, documented and staff trained
  • 4 Managed: Documented processes and policies have accountability to specific metrics that are routinely measured and reported
  • 5 Optimized: Management reviews reports and makes consistent program adjustments

  15. Challenges for Statewide Risk Management. 1. Oversight for Processes and Standards
  • Where is the locus of control? Within a Centralized Authority or Decentralized Authority?
  • Have standards for information security across all state entities been established or codified into state law?
  • Do agencies/state entities have sufficient internal security leadership to implement programs?
  • Are resources allocated to remediate the most vulnerable systems with the highest impact?
  • Does the state have sufficient processes in place to enforce security controls and standards?

  16. Challenges for Statewide Risk Management. 2. Coordinating Risk Assessment Plans
  • Are regular risk assessments executed across all state entities?
  • Are standards for risk assessment methodology established, so risk information can be compared across state entities?
  • Are there sufficient tools and staff available to adequately assess risk?
  • Can agencies share data with the expectation of uniform protection?

  17. Challenges for Statewide Risk Management. 3. Measuring Risk
  • How does the state measure risk?
  • At the executive level, controls and risks are not “black and white”. Findings must not be based on prescribed control frameworks, since some level of control will always be “not in place”. Issue: provide a credible report to justify action.
  • Need to assess maturity of risk management and reporting processes in such a way as to test comfort with risk, rather than prescribed controls.

  18. Challenges for Statewide Risk Management. 4. Reporting
  • How are risk assessment and audit results communicated to executives?
  • Are state executives and legislators sufficiently informed of risk?
  • Have reporting expectations been established for state entities?
  • Is there a repeatable reporting process in place across the state entities, so results are centrally coordinated, organized, and managed?

  19. Overcoming the Challenges: MS-ISAC and State of Oklahoma
  State Challenges
  • Need to coordinate risk assessment planning and implement a consistent risk methodology
  • Need to ensure risk is accurately captured (and not prescribed) from smaller entities to large agencies
  • Need to efficiently collect risk data from across hundreds of state entities
  MS-ISAC Challenges
  • Need to generate consistent standards for cyber security risk reporting and measurement from the 50 participating states
  • Need to implement a risk-based measurement system that could reflect disparity in control from state to state
  • Need to overcome disparity in security leadership and security standards that exist from state to state (need a common yardstick)

  20. Overcoming the Challenges: Coalfire Navis Risk Management Platform
  • Common Control Framework
  • Extensive Control Library
  • Hierarchical Risk Reporting
  • Coordinated Control & Risk Data
  • Centralized Reporting Processes
  • Coordinated Risk Measurement
  • Relational control requirements link different security programs together
  • Common measurement system (Control Maturity Ranking Index, CMRI) allows for flexible risk measurement, even at state executive level
  • Flexible organizational structures permit hierarchical risk reporting
  • System automatically implements centralized intrastate and interstate risk reporting structures

  21. Common Risk Measurement: CMRI (chart with a scale of Immature, Mature, Very Mature)

  22. Risk Determination: Remediation Plan
  • Priority
  • Resources
  • Funding
  • Joint Responsibility

  23. Residual Risk

  24. Comparative Analysis

  25. Questions. Knowledge – Action = Risk Acceptance. Rick Dakin, Rick.dakin@coalfiresystems.com, 303.554.6333 ext. 7001