IT Risk and Controls

What is Risk?

• Risk is a measure of the extent to which an entity is threatened by a potential circumstance or event, and is typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.
• Information security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (i.e., mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.

http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf

Multi-tiered Risk Management

The Risk Management Process

Risk management processes include: (i) framing risk

• assessing risk
• responding to risk and
• monitoring risk

http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf

Risk Assessment

• Risk assessment is the process of identifying, estimating, and prioritizing information security risks
• Risk Assessment/Risk Analysis evaluates:
• Threats to assets
• Vulnerabilities present (Vulnerability Assessment)
• Likelihood that a threat will be realized by taking advantage of an exposure
• The impact of the exposure on the organization
• Countermeasures available
• Residual risk
• Risk Assessment can be qualitative or Quantitative

Implemented Controls and Residual Risk

Source: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

NIST risk assessment methodology flowchart

Risk Factors

• A vulnerability is “a flaw or weakness in system security procedures, design, implementation or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or violation of the systems security policy” (from NIST)
• A threat is “a potential for a particular threat-source to exercise a particular vulnerability” (from NIST)
• The likelihood of occurrence is a weighted risk factor based on an analysis of the probability that a given threat is capable of exploiting a given vulnerability (or set of vulnerabilities)
• The level of impact from a threat event is the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.
• Risk Management reduces risks by defining and controlling threats and vulnerabilities

(ISC2)

http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf

Likelihood

• A weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability or a set of vulnerabilities.
• Likelihood is measured by the capabilities of the threat and the presence or absence of countermeasures (from NIST)
• Likelihood along with impact determines risk

Impact

• Impact Level: The magnitude of harm that can be expected to result from the consequences of risk
• Impact Value: The assessed potential impact resulting from a compromise of the confidentiality, integrity, or availability of an information type, expressed as a value of low, moderate, or high.
• Define terms (i.e. definitions of impact to the organization – loss of life, loss of prestige, loss of money, loss of market share etc)
• Loss of life is the highest priority and is always given the highest impact rating

Rating Likelihood and Impact/Consequences

Likelihood and Consequences rating

Likelihood Qualification – how to arrive at a likelihood rating

Source: CISSP CBK

Rating likelihood and consequences

Risk Levels

CISSP CBK: ANZ 4360 risk levels

Risk Responses

• Risk Avoidance Risk Transfer
• Risk Mitigation
• Risk Acceptance
• Risk Ownership

NIST Risk Mitigation action points

NIST Risk Mitigation methodology flowchart

Due Care and Due Diligence

• Due care describes the care that a “reasonable person” would exercise under given circumstances.
• Lack of due care is often considered negligence and can be prosecuted.
• In other words, neglecting to follow legally mandated requirements may lead to legal exposure.
• Due diligence is a pre-emptive measure made to avoid harm. Due diligence leads to due care.
• Due diligence should be adopted as a core principle by security professionals.

Security Policies

• The security policy defines what the organization needs to accomplish at a high level and serves as management’s intentions to control the operation of the organization to meet business objectives
• Policy summary statement – says why the policy exists

Security Policy Best Practices

• Clearly defined process for policy initiation, creation, review, approval, distribution and communication
• Use forceful, directive wording
• Avoid technology references, technical jargon, specificity and implementation details
• Provide links to supporting documentation
• Conduct management review and signoff
• Employees should explicitly acknowledge policies
• Define policy exception rules
• Review incidents and adjust policies as needed
• Periodic review
• Sanctions for non-compliance

Types of Security Policies

• Organizational or security program policy
• g. protection of PII
• Functional, Issue specific policies
• g. internet usage
• System specific policies
• g. Modifying fields in a check printing application

Lower level/specific policies require frequent updates

Standards

• Standards define the specific requirements for all systems in an organization
• Selected hardware and software mechanisms for controlling security risks.
• Standards ensure consistence and interoperability
• Security standards are the hardware and software security mechanisms selected as the organization’s method of controlling security risks

Security Baselines

• Baselines are descriptions of how to implement the security configuration of hardware and software such that these implementations are consistent across the enterprise
• Baselines are the specific rules necessary to implement the security policy and related organizational standards
• Must be reviewed and tested periodically

Procedures

• Procedures are step by step instructions in support of the policies, standards, guidelines and baselines
• The procedures indicate how the policy will be implemented as well as the responsibilities of the individuals concerned
• Procedures must be documented in a consistent fashion

Guidelines

• Guidelines are optional or discretionary controls used to give individuals a basis to make judgments with respect to security actions
• Anything that is required should not be a guideline. It should be part of the policy or the baseline
• Industry practice documents
• COBIT, CMM, ISO 17799, security guidelines from NSA, NIST

Security Policies, Procedures, Standards, Guidelines and Baselines

Source: CISSP CBK Step-by-Step Consistent Recommendations

Hardware & Instructions Level of

Software Security

Figure 3.3 Relationships among policies, standards, procedures, baselines, and guidelines

IT CONTROLS

Based on:

Official (ISC)² Guide to the CISSP CBK

NIST Special Publication 800-53 Revision 4

©Bipin Prabhakar. All rights reserved.

Tier 3 Risk Management Framework

Addressing Tier 3 Risk

• Categorize the information system based on a impact analysis
• Select an initial set of baseline security controls for the information system based on system impact level
• Implement the security controls and document the design, development, and implementation details for the controls
• Assess the security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system
• Authorize information system operation based on a determination of risk resulting from the operation and use of the information system and the decision that this risk is acceptable
• Monitor the security controls in the information system and environment of operation on an ongoing basis to determine control effectiveness, changes to the system/environment, and compliance to legislation, policies, regulations, and standards.

http://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf

Security Control Structure

• Security controls have a well-defined organization and structure. They are classified into management, operational, and technical controls, and are organized into 18 families
• They may involve aspects of policy, oversight, supervision, manual processes, actions by individuals, or automated mechanisms implemented by information systems

Security Control Identifiers and Classes

http://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf

Security Control Structure (contd.)

• Consists of the following components:

1. Control section: Prescribes specific security-related activities or actions to be carried out by organizations or by information systems
2. Supplemental guidance section: Provides non-prescriptive, additional information for a specific security control

• Control enhancements section: provides statements of security capability to add functionality/specificity to a control and/or increase the strength of a control

1. References section: Includes a list of applicable federal laws, policies, regulations, standards, and guidelines relevant to a particular security control
2. Priority and baseline allocation section: Provides the recommended priority codes used for sequencing decisions during security control implementation, and the initial allocation of security controls and control enhancements to the baselines

Security Control Baselines

• Baseline controls are the starting point for the security control selection process and are chosen based on the security category and associated impact level of information systems
• NIST 800-53 Rev 4
• Appendix D provides a listing of baseline security controls.
• Appendix F provides a comprehensive catalog of security controls for information systems and organizations, arranged by control families.

Tailoring Security Control Baselines

• Tailoring guidance helps organizations to customize the security control baselines selected using the results from organizational assessments of risk
• Baseline tailoring actions include:
  • identifying and designating common controls
  • applying scoping considerations
  • selecting compensating controls
  • assigning specific values to security control parameters
  • supplementing initial baselines with additional security controls or control enhancements
  • providing additional information for control implementation

Security Control Designations

• Security Control Designations define

1. The scope of applicability for the control ii. The shared nature of the control

iii. The responsibility for control development, implementation, assessment, and authorization

• Security Control Designations include
• Common controls
• System specific controls
• Hybrid controls

Common Controls

• Security controls that are inheritable by one or more organizational information systems
• Security controls are inheritable when the systems / components receive protection from controls but the controls are developed, implemented, assessed, authorized, and monitored by entities other than those responsible for the systems/components
• Controls needed to protect organizational information systems (e.g., security awareness training, incident response plans, physical access to facilities, rules of behaviour) are excellent candidates for common control status

System Specific and Hybrid Controls

• Security controls not designated as common controls are considered system-specific or hybrid controls
• Organizations assign a hybrid status to security controls when one part of the control is common and another part of the control is system-specific
• For example, an organization may choose to implement the Incident Response Policy as a hybrid control, with the policy portion designated as common and the procedures portion designated as system-specific

Controls Types

Controls can be categorized by method of implementation

• Directive or administrative controls
• Physical or operational controls
• Technical or logical controls

Directive Controls

• Provide guidance to personnel as to the expected behavior with respect to security within the organization
• Also known as administrative controls
• The most common examples of directive controls are the organization’s security policies and procedures, personnel security, monitoring, user management, and privilege management

Physical Controls

• Protect the organization’s people and physical environment, such as locks, fire management, gates, and guards
• Physical controls may be called “operational controls” in some contexts
• Physical security is based on the notion of establishing security zones or concentric areas within a facility that require increased security as you get closer to the valuable assets inside the facility

Technical Controls

• Electronic hardware and software solutions implemented to control access to information and information networks.
• Also referred to as logical controls
• Examples are user controls, network access, remote access, system access, application access, malware control, and encryption

Primary technical controls

• Support - Supporting controls are generic and underlie most IT security capabilities. These controls must be in place in order to implement other controls.
• Prevent - Preventive controls focus on preventing security breaches from occurring in the first place.
• Detect and Recover - These controls focus on detecting and recovering from a security breach

Source: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

Control Categories

• Deterrent
• Preventive
• Compensating
• Detective
• Corrective
• Recovery

Deterrent Controls

• Controls that act as a deterrent to threats and attacks because the existence of the control is enough to keep some potential attackers from attempting to circumvent the control
• The effort required to circumvent the control is far greater than the potential reward if the attacker is successful, or, conversely, the negative implications of a failed attack (or getting caught) outweigh the benefits of success
• For example, by forcing identification and authentication, the potential for unwanted incidents can be reduced

Preventative Controls

• Controls that keep a user from performing some activity or function
• Differ from deterrent controls in that the control is not optional and cannot be bypassed
• The only way to bypass the control is to find a flaw in the control’s implementation

Compensating Controls

• Introduced when the existing capabilities of a system do not support the requirement of a policy or when a primary control does not mitigate the risk to a level lower than the acceptable risk
• When an existing system does not support the required controls, compensating controls are introduced to supplement the existing environment, closing the gap in controls, meeting policy requirements, and thus reducing overall risk

Detective Controls

• Detective controls warn when something has happened, and are the earliest point in the post-incident timeline
• Detection aspects of access control can range from evidentiary, such as post incident investigations, to real-time alerting of inappropriate activities
• Examples are intrusion detection systems, virus controls, web filtering, network operations administration, and logs and audit trails

Corrective Controls

• When a security incident occurs, corrective controls are applied that alter the security posture of an environment to correct any deficiencies and return the environment to a secure state
• They can range from “quick fix” changes like new firewall rules, router access control list updates, and access policy changes, to more longterm infrastructure changes like the introduction of encryption, movement from single-factor to multifactor authentication for remote access, or the introduction of smart cards for authentication

Recovery Controls

• Recovery controls are applied to ensure that any changes to the control environment get accurately reinstated and returned to normal operations after an incident occurs
• Events can include system outages, attacks, project changes, technical demands, administrative gaps, and full-blown disaster situations

Security Control Selection Process

Trustworthiness

• Trust is the belief that a security-relevant entity will behave in a predictable manner when satisfying a defined set of security requirements under specified conditions/circumstances and while subjected to disruptions, human errors, component faults and failures, and purposeful attacks that may occur
• Trust is usually determined relative to a specific security capability and can be decided relative to an individual system component or the entire information system
• Trustworthiness expresses the degree to which the systems can be expected to preserve the confidentiality, integrity, and availability of the information systems

Security Functionality and Assurance

• Two fundamental components affecting the trustworthiness of information systems are security functionality and security assurance
• Security functionality is typically defined in terms of the security features, functions, mechanisms, services, procedures, and architectures implemented within organizational information systems or the environments in which those systems operate
• Security assurance is the measure of confidence that the security functionality is implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system

Trustworthiness

Questions?

ERM frameworks

• COSO’s ERM – Integrated Framework
• Australia/New Zealand Standard – Risk Management
• ISO Risk Management - Draft Standard
• The Combined Code and Turnbull Guidance
• A Risk Management Standard by the Federation of European Risk Management Associations (FERMA)

Appendix - Sources

• Official (ISC)² Guide to the CISSP CBK
• NIST Special Publication 800-53 Revision 4