AB

Risk Management Notes

Risk Management

Assessing Risk - Chapter 6

This chapter covers risk management, its role in organizations, risk management techniques, risk assessment (likelihood of adverse events, effects on information assets), and results of the risk identification process.

Knowing Yourself and Knowing the Enemy

Organizational operations inherently involve risk. Effective risk management requires understanding how information is collected, processed, stored, and transmitted.

Managers need to:

  • Identify valuable information assets.
  • Categorize and classify these assets.
  • Understand current protection measures.
  • Identify, examine, and understand threats to information assets.

The Information Security Risk Management Framework

Risk management is the process of discovering and assessing risks to organizational operations and determining how to control or mitigate them.

Key Questions:

  • Where and what is the risk (risk identification)?
  • How severe is the current level of risk (risk analysis)?
  • Is the current level of risk acceptable (risk evaluation)?
  • What actions are needed to bring the risk to an acceptable level (risk treatment)?

Risk management is complex, requiring a formal methodology including:

  • RM framework: Overall structure for strategic planning and design.
  • RM process: Implementation of risk management as specified in the framework.

Both the RM framework and RM process should be continuous improvement activities, assessing current performance to improve future results.

Risk Management Framework and Process

The framework includes:

  • Executive governance & support
  • Framework design
  • Framework implementation
  • Framework monitoring & review
  • Continuous improvement
  • Process communication

The risk management process involves:

  • Process preparation
  • Risk assessment (identification, analysis, evaluation)
  • Risk treatment
  • Process monitoring & review

Executive Governance and Support

Prior to framework design, the governance group must demonstrate commitment by:

  • Notifying the entire organization of the major RM project underway.
  • Emphasizing the project's importance to the strategic future of the organization.
  • Mandating participation and cooperation from all aspects of the organization.

Additional governance group tasks:

  • Ensuring compliance with legal and regulatory statutes and mandates.
  • Guiding the development and formally approving the RM policy.
  • Recommending performance measures for the RM effort.
  • Assigning roles and responsibilities.
  • Ensuring goals and objectives align with the organization’s strategic goals.
  • Providing needed resources.

Assigning Key Responsibilities

The governance group specifies key responsibilities:

  • Who will be the project manager of the RM framework team?
  • Who will be assigned to the framework team?
  • Who will be assigned to the process team?
  • Who will manage each of these teams?

Typically, the CIO, CISO, or equivalent leads the RM effort, with the CIO often serving as the champion and the CISO as the project manager.

The RM Policy

The project leader, in cooperation with the governance group, drafts a risk management policy. Common elements include:

  • Purpose and scope
  • RM intent and objectives
  • Roles and responsibilities of subordinate groups
  • Resource requirements
  • Risk appetite and tolerances
  • RM program development guidelines
  • Special instructions and revision information
  • References to other key policies, plans, standards, and guidelines

Framework Design

The framework team designs the RM process to:

  • Understand current levels of risk.
  • Determine necessary actions to reduce risk to an acceptable level.

Organizations may select an existing methodology or develop their own. The framework team must also formally document the organization’s risk appetite and draft the RM plan.

Defining Risk Tolerance and Risk Appetite

The governance group communicates:

  • Acceptable risk levels
  • Risks that must be reduced or resolved.

Residual risk is the risk remaining after all current controls are implemented.

Defining what the organization "can live with" is the risk appetite.

The Risk Management Plan

Risk Management Plan: A document that contains specifications for the implementation and conduct of RM efforts.

The RM plan includes specifications of the RM process and framework.

  • The RM policy focuses on the "who and why" of RM.
  • The RM plan focuses on the "who and how".

Framework Implementation

Implementation of the RM plan and RM process can be based on traditional IT implementation methods:

  • Desk Check: Distribute the plan to mid- to upper-level managers prior to deployment.
  • Pilot Test: Implement Risk Management in a small area to gauge initial issues and success before organization-wide deployment.
  • Phased Approach: Implement a portion of the RM program initially, such as initial meetings with key managers or initial inventory of information assets.
  • Direct Cutover: Launch the new RM project in totality across the entire organization.

The Risk Management Process

The RM process draws on the team's knowledge and perspective to evaluate the risk to key assets and how to remediate it. Its steps are to:

  • Establish the context
  • Identify risk
  • Analyze risk
  • Evaluate the risk
  • Treat the unacceptable risk
  • Summarize the findings

RM Process Preparation—Establishing the Context

Ensuring all members of the RM process team:

  • Understand the organization’s risk appetite statement
  • Are able to translate the statement into appropriate risk treatment

Risk Assessment: Risk Identification

The first operational phase of RM is risk identification, starting with self-examination. Managers must:

  • Identify the organization’s information assets
  • Classify them
  • Categorize them into useful groups
  • Prioritize them by overall importance

The RM process team confirms or defines the categories and classifications for information assets.

Identification of Information Assets

The risk identification process begins with identifying and cataloging information assets, including:

  • People
  • Procedures
  • Data
  • Software
  • Hardware
  • Networking elements

An information asset is any asset that collects, stores, processes, or transmits information, or any collection/set/database of information valuable to the organization.

Some commercial RM applications simplify decisions by separating information assets from media.

  • Media: Hardware, integral operating systems, and utilities that collect, store, process, and transmit information.
  • Information assets: Only the data and applications designed to directly interface with the data.

Separating easily replaceable components (hardware and OS) from information assets streamlines RM efforts.

Organizational Assets Used in Systems

Components include:

  • People (Internal & External personnel)
  • Procedures (IT and Business standard and sensitive procedures)
  • Data (Transmission, Processing, Storage)
  • Software (Applications, Operating systems, Utilities, Security components)
  • Hardware (Systems and peripherals, security devices, Internet of Things)
  • Networking (LAN, Intranet, Internet/Extranet, Cloud-based components)

Identifying Hardware, Software, and Network Assets

Organizations use asset inventory systems to track hardware, network, and software components. The inventory process (automated or manual) requires planning to determine which attributes of each information asset should be tracked, based on the organization's needs and risk management efforts.

Potential Attributes

Consider the following attributes:

  • Name
  • Asset tag
  • IP address
  • MAC address
  • Asset type
  • Serial number
  • Manufacturer name
  • Manufacturer's model or part number
  • Software version, update revision, or FCO number
  • Physical location
  • Logical location
  • Controlling entity

Identifying People, Procedures, and Data Assets

Assign this task to managers with the necessary knowledge, experience, and judgment to identify, describe, and evaluate information assets. Record the identified information assets and use reliable data-handling processes (like those used for hardware/software).

Attributes for People:

  • Position name/number/ID
  • Supervisor name/number/ID
  • Security clearance level
  • Special skills

Attributes for Procedures:

  • Description
  • Intended purpose
  • Software/hardware/networking elements to which it is tied
  • Location where procedure documents are stored for reference and update

Attributes for Data:

  • Classification
  • Owner/creator/manager
  • Size of data structure
  • Data organization used
  • Online or offline status
  • Physical location
  • Media access method
  • Backup procedures

Classifying and Categorizing Information Assets

Once an initial inventory is assembled:

  • Determine if asset categories are meaningful to the RM program
  • Determine the sensitivity and security priority assigned to each information asset
  • Categorize assets based on sensitivity and security needs, using a data classification scheme.
  • Designate the level of protection needed for assets in classified categories

Classification categories must be comprehensive and mutually exclusive.

Assessing Values in Information Assets

As each information asset is identified, categorized, and classified, a relative value must be assigned.

Relative values are assigned based on criteria such as:

  • Criticality to organizational success
  • Revenue generation
  • Profitability
  • Replacement cost
  • Protection cost
  • Potential for embarrassment or liability from loss/compromise

Importance of Asset

Consider what might happen if there were a loss of confidentiality, integrity, or availability. Would the organization experience any of the following results?

  • Violation of legislation and/or regulation
  • Impairment of business performance
  • Loss of goodwill/negative effect on reputation
  • Breach associated with personal information
  • Endangerment of personal safety
  • Adverse effects on law enforcement
  • Breach of confidentiality
  • Breach of public order
  • Financial loss
  • Disruption to business activities
  • Endangerment of environmental safety

Prioritizing (Rank Ordering) Information Assets

The final step in risk identification is to prioritize, or rank order, the assets using methods like weighted table analysis. This values information assets by ranking them based on criteria specified by the organization.

Example of a Weighted Factor Analysis Worksheet

Criteria to consider:

  • Impact on Revenue (weighted score)
  • Impact on Profitability (weighted score)
  • Impact on Public Image (weighted score)
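The weighted factor analysis described above, carried through in code as an added example (it is not from the notes or the textbook they summarize). The three criteria are the ones listed in the notes; the weights, the asset names and the per-criterion scores are constructed sample values, and the convention that weights sum to 100 and scores lie between 0.0 and 1.0 is an assumption.

```python
"""Weighted factor analysis worksheet for ranking information assets.

Added example (not from the notes or the textbook they summarize). The
criteria names come from the notes; the weights, asset names and
per-criterion scores below are constructed sample values.
"""
from typing import Dict, List, Tuple

# Each criterion carries a weight; the weights are assumed to sum to 100.
CRITERIA_WEIGHTS: Dict[str, int] = {
    "impact_on_revenue": 30,
    "impact_on_profitability": 40,
    "impact_on_public_image": 30,
}

# Constructed sample inventory: each asset is scored 0.0..1.0 per criterion,
# where 1.0 means the criterion applies to the asset in full.
SAMPLE_ASSETS: Dict[str, Dict[str, float]] = {
    "Customer order database": {"impact_on_revenue": 1.0, "impact_on_profitability": 1.0, "impact_on_public_image": 0.9},
    "Public web server": {"impact_on_revenue": 0.8, "impact_on_profitability": 0.7, "impact_on_public_image": 1.0},
    "Internal HR wiki": {"impact_on_revenue": 0.2, "impact_on_profitability": 0.3, "impact_on_public_image": 0.6},
    "Test lab workstation": {"impact_on_revenue": 0.1, "impact_on_profitability": 0.1, "impact_on_public_image": 0.1},
}


def validate_weights(weights: Dict[str, int]) -> None:
    """Reject a worksheet whose criterion weights do not sum to 100."""
    total = sum(weights.values())
    if total != 100:
        raise ValueError(f"criterion weights sum to {total}, expected 100")


def weighted_score(scores: Dict[str, float], weights: Dict[str, int]) -> float:
    """Sum of (criterion score x criterion weight) for one asset.

    Every criterion in the worksheet must be scored, and scores must lie in
    0.0..1.0, so a missing or out-of-range cell cannot silently skew the ranking.
    """
    total = 0.0
    for criterion, weight in weights.items():
        if criterion not in scores:
            raise ValueError(f"asset is missing a score for {criterion!r}")
        score = scores[criterion]
        if not 0.0 <= score <= 1.0:
            raise ValueError(f"score {score} for {criterion!r} is outside 0.0..1.0")
        total += score * weight
    return round(total, 2)


def rank_assets(assets: Dict[str, Dict[str, float]],
                weights: Dict[str, int]) -> List[Tuple[str, float]]:
    """Return (asset, weighted score) pairs, highest score first."""
    validate_weights(weights)
    ranked = [(name, weighted_score(scores, weights)) for name, scores in assets.items()]
    ranked.sort(key=lambda pair: pair[1], reverse=True)
    return ranked


if __name__ == "__main__":
    for position, (name, score) in enumerate(rank_assets(SAMPLE_ASSETS, CRITERIA_WEIGHTS), start=1):
        print(f"{position}. {name}: {score}")
```

The validation steps matter more than the arithmetic: a worksheet whose weights do not add up, or whose cells are left blank, produces a ranking that looks authoritative but is not comparable across assets.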

Threat Assessment

Threat Assessment: Assessing potential weaknesses in each information asset after proper classification.

Organizations face a wide variety of threats. Project scope becomes too complex if you assume every threat attacks every information asset.

Examples of Threats to Information Security

  • Compromises to intellectual property (e.g., software piracy)
  • Deviations in quality of service (e.g., power fluctuations)
  • Espionage or trespass (e.g., unauthorized access)
  • Forces of nature (e.g., fire, flood)
  • Human error or failure (e.g., employee mistakes)
  • Information extortion (e.g., blackmail)
  • Sabotage or vandalism (e.g., damage to systems)
  • Software attacks (e.g., malware)
  • Technical hardware failures or errors
  • Technical software failures or errors (e.g., bugs)
  • Technological obsolescence
  • Theft

Assessing Threats

Questions to understand threats and their potential effects:

  • Which threats represent an actual danger to our organization’s information?
  • Which are internal and which are external?
  • Which have the highest probability of occurrence and success?
  • Which could result in the greatest loss if successful?
  • Which is the organization least prepared to handle?
  • Which cost the most to protect against or recover from?

Prioritizing Threats

Conduct a weighted table analysis with threats, listing categories and selecting those that correspond to questions of interest. In extreme cases, assess each threat by asset if the severity differs depending on the nature of the information asset.

Vulnerability Assessment

After identifying and prioritizing information assets and threats, compare assets to threats to create a list of vulnerabilities that remain potential risks. Vulnerabilities are specific avenues that threat agents can exploit to attack an asset. Create a list for each information asset to document its vulnerability to each possible or likely attack.

Threat and Vulnerability Assessment of a DMZ Router (Example)

Possible vulnerabilities stem from:

  • Compromises to intellectual property
  • Espionage or trespass
  • Forces of nature
  • Human error or failure
  • Information extortion
  • Quality-of-service deviations from service providers
  • Sabotage or vandalism
  • Software attacks
  • Technical hardware failures or errors
  • Technical software failures or errors
  • Technological obsolescence
  • Theft

The TVA Worksheet

At the end of risk identification, the team has a prioritized list of assets and threats. Combine these into a Threats-Vulnerabilities-Assets (TVA) worksheet to prepare for adding vulnerability and control information during risk assessment. This provides a starting point, along with other documents and forms.

Risk Assessment: Risk Analysis

Risk Analysis: Assessing the relative risk for each vulnerability, assigning a risk rating or score to gauge the relative risk associated with each vulnerable information asset. It facilitates comparative ratings later in the risk treatment process.

NIST Generic Risk Model

Considers:

  • Threat source
  • Threat event (initiates and exploits vulnerability)
  • Vulnerability
  • Impact
  • Likelihood
    • Of initiation
    • Of success
  • Severity
  • Risk
  • Influencing and Potentially Modifying Key Risk Factors
    • Degree (Capability, Intent, and Targeting for Adversarial Threats)
    • Sequence of actions, activities, or scenarios
    • Predisposing Conditions
      • Pervasiveness
  • Security Controls (Planned / Implemented, Effectiveness)
  • Organizational Risk: to organizational operations (mission, functions, image, reputation), organizational assets, individuals, other organizations, and the nation.

Mitigation of Applicable Controls

If a vulnerability is fully managed by an existing control, it can be set aside. If partially controlled, estimate the percentage of the vulnerability that has been controlled.

Determining the Likelihood of a Threat Event

Likelihood is the overall rating (numerical value on a defined scale) of the probability that a specific vulnerability will be exploited.

Assessing Potential Impact on Asset Value

Next, the organization typically looks at the possible impact or consequences of a successful attack. The impact is of great concern in determining where to focus protection efforts using a "worst case/most likely outcome" approach. Most organizations create multiple scenarios to better understand the potential loss.

Defining Risk Impact

The level of impact from a threat event is the magnitude of harm that can be expected to result from the unauthorized disclosure, modification, disruption, destruction, or loss of information and/or denial of service. Such adverse impact, and hence harm, can be experienced by a variety of organizational and non-organizational stakeholders including, for example, heads of agencies, mission and business owners, information owners/stewards, mission/business process owners, information system owners, or individuals/groups in the public or private sectors relying on the organization; in essence, anyone with a vested interest in the organization's operations, assets, or individuals, including other organizations in partnership with the organization, or the Nation (for critical infrastructure-related considerations).

Uncertainty

It is not possible to know everything about every vulnerability, such as the likelihood of an attack or the impact of a successful attack. The degree to which a current control can reduce risk is also subject to estimation error. Uncertainty is an estimate made by the manager using judgment and experience.

Risk Determination

Risk determination can use a formula: risk = likelihood × impact ± uncertainty.

Most organizations simplify this to: risk = likelihood × impact

Example

Information asset 1 faced with threat 1 is at risk with general vulnerability 1. The risk rating for A1V1T1 (or T1V1A1 if you prefer) has been assigned a Likelihood value of 3 and an Impact value of 5. You estimate that assumptions and data are 90 percent accurate (uncertainty of ± 10%). The resulting risk rating is 15 ± 1.5, so your risk rating range is 13.5–16.5 on a 25-point scale.
The same calculation is applied to the other information assets with their respective values.

Risk Evaluation

After calculating risk ratings for all TVA triples, the organization decides whether it can live with the analyzed level of risk (risk appetite). The organization translates its risk appetite from a general statement to a numerical value for comparison to each analyzed risk.
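The risk determination example above (3 × 5 = 15, ± 10%, range 13.5–16.5) and the evaluation step just described, carried through together as an added example (not code from the notes or the textbook they summarize). The TVA triples, their values and the numeric risk appetite are constructed sample data; the decision rule used here, treating a triple when the high end of its range exceeds the appetite, is an assumption made for the example rather than a rule stated in the notes.

```python
"""Risk determination and evaluation for TVA triples.

Added example (not from the notes or the textbook they summarize). It applies
the notes' formula risk = likelihood x impact +/- uncertainty on the 5 x 5
(25-point) scale of the worked example, then compares each result with a
numeric risk appetite. The triples, their values and the appetite are
constructed sample data; the decision rule (treat when the high end of the
range exceeds the appetite) is an assumption, not taken from the notes.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class TvaTriple:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int      # 1..5, probability the vulnerability is exploited
    impact: int          # 1..5, magnitude of harm if the attack succeeds
    uncertainty: float   # 0.0..1.0; 0.10 means "assumptions 90 percent accurate"


def risk_range(triple: TvaTriple) -> Tuple[float, float, float]:
    """Return (rating, low, high) for one triple.

    rating = likelihood x impact; the +/- uncertainty term widens the rating
    into a range, as in the notes' example (3 x 5 = 15, +/- 10% -> 13.5..16.5).
    Out-of-scale inputs are rejected so a typo cannot produce a rating off
    the 25-point scale.
    """
    if not 1 <= triple.likelihood <= 5 or not 1 <= triple.impact <= 5:
        raise ValueError("likelihood and impact must be on the 1..5 scale")
    if not 0.0 <= triple.uncertainty <= 1.0:
        raise ValueError("uncertainty must be a fraction between 0.0 and 1.0")
    rating = float(triple.likelihood * triple.impact)
    margin = rating * triple.uncertainty
    return rating, rating - margin, rating + margin


def evaluate_risks(triples: List[TvaTriple],
                   appetite: float) -> List[Tuple[str, float, float, float, str]]:
    """Rank triples by rating and label each one against the appetite.

    Assumed rule: a triple goes to risk treatment when the high end of its
    range exceeds the appetite (worst case); otherwise it proceeds to
    monitoring and review.
    """
    rows = []
    for t in triples:
        rating, low, high = risk_range(t)
        label = f"{t.asset}/{t.vulnerability}/{t.threat}"
        decision = "treat" if high > appetite else "monitor"
        rows.append((label, rating, low, high, decision))
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows


# Constructed sample triples; the first reproduces the notes' A1V1T1 example.
SAMPLE_TRIPLES = [
    TvaTriple("A1", "T1", "V1", likelihood=3, impact=5, uncertainty=0.10),
    TvaTriple("A2", "T4", "V2", likelihood=2, impact=4, uncertainty=0.25),
    TvaTriple("A3", "T2", "V1", likelihood=5, impact=5, uncertainty=0.0),
    TvaTriple("A4", "T9", "V3", likelihood=1, impact=2, uncertainty=0.50),
]
SAMPLE_APPETITE = 12.0   # constructed numeric risk appetite on the 25-point scale

if __name__ == "__main__":
    for label, rating, low, high, decision in evaluate_risks(SAMPLE_TRIPLES, SAMPLE_APPETITE):
        print(f"{label}: {rating:g} ({low:g}..{high:g}) -> {decision}")
```

Comparing the high end of the range rather than the bare rating is the conservative reading of the ± uncertainty term: a rating of 11 with 20% uncertainty reaches 13.2 and would be sent to treatment against an appetite of 12, which the simplified likelihood × impact formula alone would not flag.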

Documenting the Results of Risk Assessment

Compiling risks into a comprehensive list allows the organization to make informed choices based on the best available information.

Deliverables of Risk Assessment

  • Information asset and classification worksheet: Assembles information about information assets, their sensitivity levels, and their value.
  • Information asset value weighted table analysis: Rank-orders information assets according to criteria.
  • Threat severity weighted table analysis: Rank-orders threats to information assets according to criteria.
  • TVA controls worksheet: Combines output from asset and threat identification and prioritization, identifies potential vulnerabilities, and incorporates extant and planned controls.
  • Risk ranking worksheet: Assigns a risk-rating ranked value to each TVA triple, incorporating likelihood, impact, and possibly uncertainty.

Evaluating Risk

The organization must decide whether the current level of risk is acceptable or if action is required. If the team is comfortable with the risk, the process moves to monitoring and review. If not, the process proceeds to risk treatment.

Risk Treatment/Risk Control

Risk treatment involves addressing risk once it has been identified, assessed, and evaluated as unacceptable. Options include:

  • Removing the information asset from harm’s way
  • Modifying current protection measures
  • Passing responsibility to third parties