Architecting to Auditing Risk Based Controls
Dan Seider, Information Security Architect
Nitin Salvi, Information Security Architect
Disclaimer
The views, thoughts, claims or opinions in this presentation are solely those of the presenter. Nothing in this presentation represents the views, thoughts, claims or opinions of GM Financial Corporation, General Motors Corporation or any other organization or entity.
Recommendations For:
- Architecting risk based security controls
- Baseline and monitoring risk based controls
- Developing a risk based control audit plan
A Risk Focus?
A risk point of view is a different sort of “Beastie”.
Source: © Maurice Sendak
Risk Definitions
There is no standard definition.
- Oxford dictionary: 1. a situation involving exposure to danger; 2. the possibility that something unpleasant will happen; 3. a person or thing causing a risk or regarded in relation to risk: a fire risk.
- ISO Guide 73, Risk Management: the combination of the probability of an event and its consequence.
- ISO 13335, Information Technology Security Techniques: the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization.
Conclusion: differences exist between the dictionary, government, industry, and information security definitions of well used terms. There is also considerable disagreement around the definitions of “threat,” “impact,” “probability” and “risk”, though the use of “threat” as a circumstance, and of “risk” as something made up of elements, is largely agreed.
Risk Elements
Risk is the product of 3 primary parts:
Threat × Vulnerability × Consequences = Risk
- Threat: what are we concerned about?
- Vulnerability, with probabilities
- Consequences: do they cascade?
“Risk” contains the controllable elements of vulnerability, probability and business impact. It also contains the uncontrollable element of a threatening circumstance (actor, motivation).
Cyber Threat Actors
Source: John C. Mallery, Massachusetts Institute of Technology
Current Control Environment
Existing Controls Environment
- Historically, controls have been driven by regulatory and compliance requirements and by folklore (i.e. “we’ve always done it this way”).
- Perceived vulnerability.
- Synchronization with real threats.
- Different levels of the technology stack.
Risk vs. Spending
2013 Ponemon Institute study on risk-based security management
Why the Imbalances?
- A dynamic business environment coupled with dynamic risk, but static controls,
- Multiple risk scenarios – a single control assumed adequate,
- Multiple national and international requirements.
A Risk Based Architecture Is…
- Managing risk, not transferring / ignoring it,
- Business aligned and customer focused,
- Proactively seeking process improvement based on risk assessments,
- Supporting continual risk reassessment.
Risk and Opportunity Model
Source: SABSA Institute
Risk and Opportunity
Source: SABSA Institute
Protection Using Risk Based Controls
- Balancing threat, impact and vulnerability
- Flexible and agile selection / deployment of safeguards and countermeasures
Why Risk Based Controls?
- Improves ROI,
- Driver for business performance and assurance,
- Manages risk and enables the creation and preservation of business value,
- Risk-based decisions,
- Enables consistent controls tailored to the risk level,
- Supports continuous monitoring and reporting for risk, compliance and security.
Risk Based Control Selection
1. Process Risk: Identify Process Risk
2. Control Design: Identify Security Services and Controls; Develop Assurance/Audit plan (KPI – KRI and Key Enablers)
3. Control Implementation: Mechanisms to Support Controls
4. Baseline & Monitor: Create Process Baseline; Creating Metrics; Reporting
5. Assure / Audit: Assurance Matrix; Reporting
Risk Based Controls Tracing
Layers, top to bottom, each tracing to the layer below:
- BUSINESS (Enterprise): Process/Business Risk
- INFORMATION SECURITY (Strategic & Enterprise): Controls & Security Services
- IT SECURITY (Operational): Solutions & Security Programs & Implementation Guidelines
- IT OPERATIONS (Service Delivery): Implementation Mechanisms
ASSURANCE runs across all layers: Matrix Creations → Metrics Results Periodic Reporting → Aggregated ScoreCard.
Defense in Depth
Source: SABSA Institute
Defense In Depth
Defense in depth across the technology stack:
- Application
- Middleware
- Platform
- Network
Identify Process Risk
- Review risk assessments
- Perform process risk assessment
- Other risk processes within your organization
Example: Identify Process Risk

Question 2 (A): What is the business impact if information owned/generated/used by this business process is inappropriately or inadvertently modified? Inappropriate or inadvertent modifications:
- None / Information would be re-entered or revised with little or no further impact
- would result in minor Company losses; not visible to customers
- would cause moderate Company losses
- would seriously/adversely impact business or Company objectives; risk of financial loss/legal liability exists

Question 3 (A): What is the business impact if information owned/generated/used by this business process is unavailable for use for one day?
- No impact to the organization
- Information is important; unavailable information would have moderate impact to the organization
- Information is vital; organization/business partners and/or customers may be adversely impacted
- Information is critical; unavailable information would seriously impact the organization; financial penalties possible

Question 4 (I,C): Is this business process governed by or affected by International/US laws, regulations, or other mandatory business requirements?
- No
- Mandatory business non-regulatory compliance rules (e.g., PCI)
- Legal jurisdiction, Federal laws and agencies (e.g., HIPAA-GLBA/Sarbanes-Oxley/SEC)
- International jurisdiction
- Don’t know

Process Risk: MEDIUM
Identify security services related to the process,
Identify controls related to the services,
Assurance Profiles,
KPI, KRI, Key Enabler.
Controls Design
Process Relationships
The Business Process sits at the centre, with:
- External Entities: Regulators, Suppliers, Partners, External Customers, Technology Providers
- Internal Entities: Business Units, Internal Users, Technology Providers
Identify Security Services and Controls
Network Control Map
Assurance Profile
Controls Selection/Audit Plan

| Process | Control Number | Security Service/Requirement | Required/Recommended/Optional | Controls Register Reference number | Audit Plan/Guideline |
|---|---|---|---|---|---|
| System Hardening | 1 | Harden Windows Server | Required | Standard 13 | CIS hardening benchmark |
| System Hardening | 2 | Harden IIS Server | Required | Standard 13 | CIS hardening benchmark |
| Authentication and Identity Management | 3 | Users are identified with a unique user ID, and avoid the use of shared or group accounts, dependent on data classification. | Required | Standard 94 | User naming convention follows security standards |
| Authentication and Identity Management | 4 | Users are provided with a mechanism for selecting their own passwords. | Required | Standard 95 | Password mechanism supports security standards |
| Authentication and Identity Management | 5 | Password length and complexity requirements are enforced for new passwords and password resets as stipulated in applicable agency Password Standards. | Required | Standard 95 | |
| Authentication and Identity Management | 6 | Authentication controls are enforced on a trusted system (i.e. server-side instead of client-side). | Required | Standard 96 | |
| Authentication and Identity Management | 7 | High value transactions utilise message integrity checks to ensure that data has not been modified by an unauthorised party. | Recommended | Standard 97 | |
| Authentication and Identity Management | 8 | Passwords are stored using cryptographically strong one-way hashes (e.g. ASP.NET hash setting). | Required | Standard 95 | |
| Authentication and Identity Management | 9 | Existing password and authentication mechanisms (e.g. ASP.NET membership providers) are used instead of custom-developed authentication mechanisms. | Required | Standard 95 | |
| Authentication and Identity Management | 10 | Generic responses are returned for all authentication failures such that they do not indicate which part of the authentication data was incorrect. | Required | Standard 95 | |
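Controls 8 and 10 in the plan above are the two that an auditor can test directly in code, so here is an added example of what "pass" and "fail" look like for each: a password store that keeps only salted one-way hashes, and a login routine that returns one generic failure message, shown beside the verbose form the control forbids. This is illustrative code, not from the presentation or from any product the plan names (the plan's own guidance points at ASP.NET's built-in mechanisms); the in-memory user store, the PBKDF2 parameters, the message strings and the `audit_control_10` check are assumptions.

```python
"""Added example for controls 8 and 10 of the audit plan above: passwords
stored as salted one-way hashes, and authentication failures that return
one generic response. Illustrative code, not from the presentation or any
product it names; the in-memory user store, the PBKDF2 parameters and the
message strings are assumptions.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumption: iteration count chosen so the demo runs quickly; production
# deployments tune it upward to their hardware.
ITERATIONS = 200_000
GENERIC_FAILURE = "Invalid username or password."   # control 10: one message


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Control 8: derive a one-way hash with a per-user random salt.
    Returns (salt, digest); only these two values are ever stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


# Constructed user store: username -> (salt, digest). No cleartext anywhere.
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": hash_password("correct horse battery staple"),
}
# Dummy record so that an unknown username costs the same hashing work as a
# known one; otherwise response time would reveal which usernames exist.
_DUMMY_RECORD = hash_password(os.urandom(16).hex())


def login_verbose(username: str, password: str) -> Tuple[bool, str]:
    """The form control 10 forbids: two different failure messages let a
    caller tell a valid username from an invalid one. Kept only as the
    'before' picture for the audit comparison."""
    if username not in USERS:
        return False, "No such user."
    salt, stored = USERS[username]
    if not hmac.compare_digest(hash_password(password, salt)[1], stored):
        return False, "Incorrect password."
    return True, "Welcome."


def login(username: str, password: str) -> Tuple[bool, str]:
    """Hardened form: the same message and the same hash work on every
    failure, whichever part of the credential was wrong."""
    salt, stored = USERS.get(username, _DUMMY_RECORD)
    candidate = hash_password(password, salt)[1]
    # Constant-time comparison; the membership check guards the dummy path.
    ok = hmac.compare_digest(candidate, stored) and username in USERS
    return (True, "Welcome.") if ok else (False, GENERIC_FAILURE)


def audit_control_10(auth_fn) -> bool:
    """Audit check for control 10: the failure for an unknown user and the
    failure for a known user with a wrong password must be identical."""
    unknown = auth_fn("nobody", "whatever")
    wrong_pw = auth_fn("alice", "not the password")
    return unknown == wrong_pw and not unknown[0]


if __name__ == "__main__":
    print("hardened login passes control 10:", audit_control_10(login))
    print("verbose login passes control 10:", audit_control_10(login_verbose))
```

`audit_control_10` is the kind of repeatable check the "Audit Plan/Guideline" column can point at: it needs no knowledge of the implementation, only two failed logins and a comparison of the responses.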
Control Mechanisms
Monitoring
- Monitor the business process to develop a baseline (3 to 6 months),
- Document any anomalies,
- Create alerts based on anomalies,
- Create alerts for any activity outside the baseline,
- Create metrics (KPIs, KRIs and Key Enablers).
Reporting
- Based on the business risk, controls effectiveness is monitored and measured,
- Reports are generated and forwarded to the business to assure that business risk is properly managed,
- Reporting metrics (KPIs, KRIs and Key Enablers).
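The Monitoring and Reporting steps above, carried through in code as an added example (not the presenters' tooling): a baseline is built from a window of process activity with documented anomalies excluded, any observation outside the baseline raises an alert, and the alerts are summarised into a KRI for the business report. The daily counts, the 3-sigma alert rule and the KRI definition are constructed assumptions; a real baseline window is the 3 to 6 months the slide calls for, not two weeks.

```python
"""Added example for the Monitoring and Reporting slides: build a baseline
from a window of process activity, alert on activity outside it, and turn
the alerts into a KRI for the business report. Illustrative code, not the
presenters' tooling; the constructed counts, the 3-sigma rule and the KRI
definition are assumptions.
"""
import statistics
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed daily counts of one business-process event (say, payment
# batches released). A real baseline window is 3 to 6 months, not 15 days.
BASELINE_WINDOW: List[Tuple[str, int]] = [
    ("2024-06-01", 98), ("2024-06-02", 102), ("2024-06-03", 100),
    ("2024-06-04", 97), ("2024-06-05", 103), ("2024-06-06", 99),
    ("2024-06-07", 101), ("2024-06-08", 100), ("2024-06-09", 98),
    ("2024-06-10", 102), ("2024-06-11", 100), ("2024-06-12", 99),
    ("2024-06-13", 101), ("2024-06-14", 100), ("2024-06-15", 240),
]
# "Document any anomalies": a known one-off is recorded with its reason and
# excluded from the baseline so that it does not widen the normal band.
DOCUMENTED_ANOMALIES: Dict[str, str] = {"2024-06-15": "month-end catch-up run"}


@dataclass
class Baseline:
    mean: float
    stdev: float
    k: float = 3.0           # assumption: alert beyond 3 standard deviations

    def bounds(self) -> Tuple[float, float]:
        return self.mean - self.k * self.stdev, self.mean + self.k * self.stdev

    def is_outside(self, value: float) -> bool:
        lo, hi = self.bounds()
        return value < lo or value > hi


def build_baseline(window, documented, k: float = 3.0) -> Baseline:
    """Baseline from the window minus documented anomalies."""
    samples = [v for day, v in window if day not in documented]
    if len(samples) < 2:
        raise ValueError("need at least two undocumented samples")
    return Baseline(statistics.mean(samples), statistics.stdev(samples), k)


def monitor(baseline: Baseline, observations) -> List[Dict[str, object]]:
    """Alert on any day outside the baseline ("create alerts for any
    activity outside the baseline"); each alert carries the bounds so the
    analyst can see how far out the value is."""
    lo, hi = baseline.bounds()
    alerts = []
    for day, value in observations:
        if baseline.is_outside(value):
            alerts.append({"day": day, "value": value,
                           "low": round(lo, 2), "high": round(hi, 2),
                           "direction": "above" if value > hi else "below"})
    return alerts


def key_risk_indicator(alerts, observations) -> float:
    """KRI for the report: share of monitored days with out-of-baseline
    activity (assumed definition)."""
    return len(alerts) / len(observations) if observations else 0.0


# Constructed observations for the monitored period.
OBSERVED: List[Tuple[str, int]] = [
    ("2024-07-01", 101), ("2024-07-02", 99), ("2024-07-03", 130),
    ("2024-07-04", 100), ("2024-07-05", 60), ("2024-07-06", 102),
]

if __name__ == "__main__":
    base = build_baseline(BASELINE_WINDOW, DOCUMENTED_ANOMALIES)
    for alert in monitor(base, OBSERVED):
        print(alert)
    print("KRI (share of days outside baseline):",
          key_risk_indicator(monitor(base, OBSERVED), OBSERVED))
```

The point of excluding documented anomalies shows up immediately: with the 240-event day left in, the standard deviation grows so much that neither the 130 nor the 60 day is flagged, and the "alert on anything outside baseline" rule silently stops working.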
Questions ?