Risk Management

Introduction to Risk

  • What is an Information Security Risk?
    • Risk: The likelihood that a threat actor exploits a vulnerability in an IT asset, weighed against the impact of that event on the asset.
    • Assets: Resources with economic value owned to provide future benefits; can be tangible (e.g., routers, servers) or intangible (e.g., customer trust, reputation).
    • Probability: Likelihood of occurrence, ranging from 0 (the event cannot occur) to 1 (the event is certain to occur).
    • Threat Actor: A malicious person, group, or automated program capable of carrying out a threat.
    • Vulnerability: A weakness in an asset (software flaw, misconfiguration, missing control) that allows exploitation.
    • Threat: A potential action or event that exploits a vulnerability to produce a negative effect (loss of confidentiality, integrity, or availability).
    • For more on vulnerabilities, refer to the National Vulnerability Database: NVD

Types of Threat Actors

  • Hacktivists: Hackers with social or political agendas.
  • Script Kiddies: Individuals with limited skills using pre-made tools for attacks.
  • Insiders: Employees within an organization who pose risks.
  • Competitors: Rival organizations seeking the target company's proprietary information, such as customer lists or intellectual property.
  • Organized Crime: Well-funded criminal groups using illegal methods (fraud, extortion, ransomware) for financial gain.
  • Nation State/APT: Government-sponsored attacks, often well-funded and involving advanced persistent threats.

Calculating Risk

  • Formulas (two equivalent ways of expressing the same idea):
    • Risk = Threat x Vulnerability x Impact. A threat with no exploitable vulnerability, or an exploit that causes no impact, produces no risk.
    • Risk = Probability x Impact. The threat and vulnerability factors together determine the probability of a loss event.

Risk Management Framework

  • Defines the structured process for selecting, applying, and monitoring security controls within an organization (the steps below follow the NIST RMF described in SP 800-37).
  • Concepts:
    • Security Controls: Safeguards or countermeasures that reduce the likelihood or impact of a vulnerability being exploited.
    • Compliance with applicable laws, standards, and best practices is a baseline requirement, not a substitute for managing risk.

Risk Management Framework Steps

  1. Categorize Information System: Identify the assets and information it handles and the impact (low, moderate, high) of their loss.
  2. Select Security Controls: Establish a baseline set of controls based on the categorization, then tailor it to the system.
  3. Implement Security Controls: Apply the selected controls and document how they are deployed.
  4. Assess Security Controls: Verify through testing and review that the controls are implemented correctly and operate as intended.
  5. Authorize Information System: A senior official reviews the remaining (residual) risk and formally accepts it, granting the system permission to operate.
  6. Monitor Security Controls: Ongoing checks for new vulnerabilities, configuration changes, and overall control effectiveness.

Types of Security Controls

  • Deterrent Control: Aims to discourage an attacker from attempting an attack (e.g., lighting, fake cameras, warning banners).
  • Preventative Control: Stops attacks before they succeed (e.g., long passwords, firewalls, access control lists).
  • Detective Control: Identifies an ongoing or past attack (e.g., intrusion detection alerts, log review).
  • Corrective Control: Rectifies the effects of an incident after it occurs (e.g., restoring from backup).
  • Compensating Control: An alternative control that satisfies the intent of a required control that cannot be implemented as specified; often temporary until the intended control is in place.
  • Controls are also grouped by how they are implemented: Technical (hardware/software), Administrative (policies and procedures), and Physical (locks, guards, barriers).

Security Control Strategies

  • Layered Security (defense in depth): Employ multiple defensive layers so that a single control failure does not lead directly to compromise.
  • Vendor Diversity: Avoid relying on one vendor for all security solutions, so that one vendor's vulnerability does not affect every layer.
  • Control Diversity: Implement a mix of administrative, technical, and physical controls so that risks are addressed from more than one angle.
  • User Training: Ongoing education on security practices and on recognizing threats such as phishing and social engineering.

Risk Assessment Methods

  • NIST Special Publication 800-30 provides guidance on conducting risk assessments.
  • Process:
    1. Prepare for assessment
    2. Conduct assessment (identify threats and vulnerabilities)
    3. Communicate results
    4. Maintain assessments

Quantitative Risk Assessment Framework

  • Key Metrics:
    • Asset Value (AV) - Monetary value of the asset.
    • Exposure Factor (EF) - Fraction of the asset's value lost in a single loss event, expressed as a value from 0 to 1 (it is a proportion of loss, not a probability).
    • Single Loss Expectancy (SLE) = AV x EF, the expected cost of one loss event.
    • Annualized Rate of Occurrence (ARO) - Expected number of loss events per year (may be less than 1, e.g., 0.1 for an event expected once a decade).
    • Annualized Loss Expectancy (ALE) = SLE x ARO, the expected yearly cost of the risk.
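The metrics above applied to a small risk register, as an added example that is not part of the original notes. Beyond the formulas on the page, it also computes the annual net benefit of a proposed control (ALE before the control, minus ALE after, minus the control's yearly cost), which is how a quantitative assessment supports a mitigate-versus-accept decision. All asset values, exposure factors, and occurrence rates are constructed for illustration.

```python
"""Quantitative risk assessment: SLE = AV x EF, ALE = SLE x ARO, plus the
cost/benefit of a control. Added example; every figure below is constructed."""

from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class RiskScenario:
    name: str
    asset_value: float      # AV: monetary value of the asset
    exposure_factor: float  # EF: fraction of AV lost in one event, 0.0 to 1.0
    aro: float              # ARO: expected loss events per year

    def __post_init__(self) -> None:
        # EF is a proportion, not a probability, but it is still bounded by [0, 1].
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO must be non-negative")

    def sle(self) -> float:
        """Single Loss Expectancy: cost of one loss event."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected cost per year."""
        return self.sle() * self.aro


def control_value(before: RiskScenario, after: RiskScenario,
                  annual_control_cost: float) -> float:
    """Annual net benefit of a control: ALE reduction minus the control's yearly cost.

    A positive result means the control pays for itself; a negative result
    suggests the risk is cheaper to accept (or to transfer) than to mitigate.
    """
    return before.ale() - after.ale() - annual_control_cost


def risk_register(scenarios: Iterable[RiskScenario]) -> List[Tuple[str, float]]:
    """Rank scenarios by ALE, highest first, to prioritise treatment."""
    return sorted(((s.name, s.ale()) for s in scenarios),
                  key=lambda entry: entry[1], reverse=True)


if __name__ == "__main__":
    # Constructed scenarios (hypothetical organisation, hypothetical figures).
    web = RiskScenario("web server defacement", asset_value=50_000,
                       exposure_factor=0.4, aro=2.0)          # twice a year
    fire = RiskScenario("data centre fire", asset_value=2_000_000,
                        exposure_factor=0.6, aro=0.01)        # once per century
    # Same web server after a hypothetical WAF that is assumed to cut ARO to 0.25.
    web_with_waf = RiskScenario("web server defacement (with WAF)",
                                asset_value=50_000, exposure_factor=0.4, aro=0.25)

    for name, ale in risk_register([web, fire]):
        print(f"{name:35s} ALE = {ale:,.0f}")
    print(f"web SLE = {web.sle():,.0f}, ALE = {web.ale():,.0f}")
    print(f"net value of WAF at 15,000/yr = {control_value(web, web_with_waf, 15_000):,.0f}")
```

The register ranks the frequent, moderate-cost defacement above the rare, catastrophic fire, which is the point of ALE: it puts a once-a-century event and a twice-a-year event on the same scale so they can be compared and prioritised.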

Qualitative Risk Assessment

  • Relies on subjective judgment (expert opinion, interviews, scenario and trend analysis) rather than monetary values; used where reliable figures for AV, EF, or ARO are unavailable.
  • Rates likelihood and impact on descriptive scales (low, medium, high) and combines them, typically in a risk matrix, to rank risks instead of quantifying them.

Risk Response Strategies

  • Mitigate: Reduce the likelihood or the impact of the risk by implementing controls.
  • Transfer: Shift part of the financial burden of the risk to another party (e.g., cyber insurance, outsourcing).
  • Accept: Acknowledge and tolerate the risk, either because it is the residual risk left after controls or because the cost of mitigation would exceed the expected loss.
  • Avoid: Stop or refuse to engage in the activity that introduces undue risk.

Business Impact Analysis (BIA)

  • Analyzes business processes, the information systems they depend on, and their interdependencies, so that recovery efforts can be prioritized during a disruption.
  • Phases of BIA:
    1. Identify mission processes and impacts.
    2. Identify resource requirements for recovery.
    3. Establish recovery priorities.

Types of Impact

  • Financial: Loss from sales delays or increased operational costs.
  • Reputation: Damage to organization's public perception due to breaches or outages.
  • Property: Physical damage to organizational assets.
  • Safety/Life: Potential risks to individual safety.
  • Privacy: Assessing impacts on individual privacy from data handling practices.

Data Security and Privacy Policies

  • Data Classification: Cataloging data by sensitivity (e.g., public, internal, confidential) so that controls appropriate to each level can be applied.
  • Data Roles: Clear assignment of data management responsibilities (e.g., data owner, custodian, steward, privacy officer).
  • Legal Compliance: Adherence to laws and regulations such as HIPAA and SOX that govern data handling, protection, and retention.

Personnel Risks Management

  • Hiring: Background checks and non-disclosure agreements (NDAs) before access is granted.
  • Onboarding: Training new hires on the organization's security culture, policies, and expectations.
  • Policies: Maintaining security through standard operating procedures, job rotation, and mandatory vacations; rotation and mandatory time away make it harder for one person to conceal fraud or misuse.

Third-Party Risk Management

  • Agreement Types: Establish expectations through SPAs, SLAs (service level agreements), BPAs (business partnership agreements), MOUs (memoranda of understanding), and ISAs (interconnection security agreements).
  • Risk Awareness and Data Ownership: Confirm that third parties have risk management programs of their own, and define data ownership and data sensitivity in the agreement.
  • Supply Chain Assessment: Evaluate suppliers, and their suppliers in turn, so that hardware, software, and services arrive untampered and remain available.