IT Risk Management, Planning and Mitigation TCOM 5253 / MSIS 4253 Detailed Risk Analysis

18 October 2007, Charles G. Gray. Transcript of a 31-slide PowerPoint presentation.

Page 1: IT Risk Management, Planning and Mitigation TCOM 5253 / MSIS 4253 Detailed Risk Analysis

(c) 2007 Charles G. Gray 1

IT Risk Management, Planning and Mitigation

TCOM 5253 / MSIS 4253

Detailed Risk Analysis

18 October 2007

Charles G. Gray

Page 2: Review of Summary Level Risk Analysis

• Communicating a well-documented risk may trigger stakeholder (business owner) action
– Must have enough detail to determine an appropriate mitigation solution
– The Risk Management Team must remain involved

Page 3: Summary Level Risk Rating

Rows give the probability value; columns give the impact (from the Impact Table on slide 30 of last week's slides).

Probability | Impact: Low | Impact: Medium     | Impact: High
High        | Moderate    | High               | High
Medium      | Low         | Moderate (or High) | High
Low         | Low         | Low                | Moderate

Definition of “moderate” or “high” depends on each organization’s needs.

Page 4: Summary Risk Level List

• Develop a “summary” level list, including ALL identified assets (slide 13, last week)
– Based on the slide 29 matrix (from last class)
• Extra columns for supporting information can be added
• Tailor the process to meet the organization’s individual needs
• Every organization must define “high risk” for its own enterprise
– “Medium” impact and “medium” probability may be rated “moderate” or “high” risk (slide 30)

Page 5: Summary Level Risk Rating (worksheet columns)

Asset name | Asset exposure class (HBI, MBI, LBI) | Defense-in-depth layer | Threat description | Vulnerability | Exposure (H, M, L) | Impact (H, M, L) | Probability (H, M, L) | Summary risk level

Page 6: Preparing for Detail Level Analysis

• Become familiar with the entire detailed risk analysis process before beginning
• Leverage the inputs used in the summary level analysis, but include considerably more detail
– Well organized documentation is essential
– The Microsoft spreadsheets (from the Microsoft Security Risk Management Guide) are ideal

Page 7: Sample Risk Statements

• Summary level – “Within one year, high value servers may be moderately impacted by a worm due to unpatched configurations”
• Detail level (1) – “Within one year, high value servers may be unavailable for three days due to worm propagation caused by unpatched configurations”
• Detail level (2) – “Within one year, high value servers may be compromised, affecting the integrity of data, due to worm propagation caused by unpatched configurations”

Page 8: Tasks to Produce the Detailed Level List of Risks

• Task one – Determine impact and exposure
• Task two – Identify current controls
• Task three – Determine probability of impact
• Task four – Determine detailed risk level

Page 9: Confidentiality or Integrity Exposure Ratings

Exposure rating | Confidentiality or integrity of asset
5 | Severe or complete damage to asset, e.g. externally visible and affects business profitability or success
4 | Serious but not complete damage to asset, e.g. affects business profitability or success, may be externally visible
3 | Moderate damage or loss, e.g. affects internal business practices, causes increase in operating costs or reduction of revenue
2 | Low damage or loss, e.g. affects internal business practices, cannot measure increase in costs
1 | Minor or no change in asset

Page 10: Availability Exposure Rating

Exposure rating | Availability | Description
5 | Work stoppage | Substantial support costs or business commitments canceled
4 | Work interruption | Quantifiable increase in support costs or business commitments delayed
3 | Work delays | Noticeable impact on support costs and productivity; no measurable business impact
2 | Work distraction | No measurable impact, minor increase in support or infrastructure costs
1 | Absorbed by normal operations | No measurable impact to support costs, productivity, or business commitments

Page 11: Composite Exposure Rating

• Collect exposure ratings for each potential impact
• Choose the highest value from slide 9 or 10 as the “exposure rating”
– E.g., if the “confidentiality” rating is 3 and the “availability” rating is 4, then choose 4 as the “exposure rating”

Page 12: Impact Values

• Typical impact values for each impact class
• May be adjusted to “fit” each organization

Impact class | Impact class value (V)
HBI (High business impact) | 10
MBI (Medium) | 5
LBI (Low) | 2

Page 13: Exposure Factor

• Microsoft recommends a linear scale
• Must be tailored to each organization

Exposure rating (from slide 9 or 10) | Exposure factor (EF)
5 | 100%
4 | 80%
3 | 60%
2 | 40%
1 | 20%

Page 14: Impact Rating

• Impact = impact class value (V) (from slide 12) times the exposure factor (EF) (from slide 13)
• Impact = V * EF

Page 15: Impact Rating (Example)

Columns: (1) Asset name; (2) Impact class rating (2–10); (3) Defense layer; (4) Threat description; (5) Vulnerability description; (6) Exposure rating (1–5); (7) Impact rating

Example row:
(1) Asset name: Customer financial data
(2) Impact class rating: 10 (HBI)
(3) Defense layer: Host
(4) Threat description: Unauthorized access to customer data by theft of financial advisor credentials
(5) Vulnerability description: Theft of credentials due to outdated anti-virus signatures or outdated security patches
(6) Exposure rating: 4 (80%, or 0.80)
(7) Impact rating: 8 (column 2 * column 6 = 10 * 0.80)

Page 16: Review – Output from Task One

• Choose the highest exposure rating between:
– Confidentiality or integrity of an asset
– Availability of an asset
• Assign an exposure factor (EF) for each exposure rating (slide 13)
• Determine the “impact rating” (slide 14)
• Result is an asset list sorted by impact

Page 17: Identify Current Controls

• Business owners/stakeholders should identify the various controls
– “Directed questioning” by the Risk Management Team may be needed
• The controls themselves may be “objective”, that is, written down (de jure), or may be only “de facto” (word-of-mouth)
– “Effectiveness”, however, will probably be subjective (see slides 18 and 19)

Page 18: Evaluating Effectiveness of Current Controls

• Effectiveness is subjective and will rely on the experience of the Security Risk Management Team to understand the control environment
• Answer each question (next slide) and total the values
• A lower total means the controls are effective and MAY reduce the probability of an exploit occurring

Page 19: How Effective are Current Controls?

Yes = 0, No = 1

Is accountability defined and enforced effectively? | 0 or 1
Is awareness communicated and followed effectively? | 0 or 1
Are processes defined and practiced effectively? | 0 or 1
Do existing technology or controls reduce the threat effectively? | 0 or 1
Are audit practices sufficient to detect abuse or control deficiencies? | 0 or 1

Sum of control attributes (0–5) =

Page 20: Control Effectiveness – Example

Question | Value | Description
Is accountability defined and enforced? | 0 (yes) | Policy creation and host compliance accountability are well defined
Is awareness communicated and followed effectively? | 0 (yes) | Regular notifications are sent to users, general awareness training
Are processes defined and practiced effectively? | 0 (yes) | Compliance measurement and enforcement is documented
Do existing technology or controls reduce the threat effectively? | 1 (no) | Existing controls still allow a length of time between vulnerability and patch
Are current audit practices sufficient to detect abuse or control deficiencies? | 0 (yes) | Measurement and compliance auditing are effective given current tools
Sum of all control attributes | 1

Page 21: Review – Output from Task Two

• A list of controls and their effectiveness, agreed between the stakeholders and the Risk Management Team

Page 22: Determining Probability of Impact

• Probability rating depends on:
– Probability of the vulnerability existing in the environment, based on attributes of the vulnerability and possible exploit (1, 3, or 5; slides 23–26)
– Probability of the vulnerability being exploited, given the effectiveness of current controls (0–5; slide 19)
• Relative risk rating = probability rating * impact rating

Page 23: Vulnerability Attributes (H)

• High (assign value of 5 if ANY apply)
– Large attacker population – script kiddie/hobbyist
– Remotely executable
– Anonymous privileges needed
– Externally-published exploitation method
– Automated attack possible

Page 24: Vulnerability Attributes (M)

• Medium (assign value of 3 if ANY apply)
– Medium-sized attacker population – expert/specialist
– Not remotely executable
– User level privileges required
– Exploitation method not publicly published
– Non-automated

Page 25: Vulnerability Attributes (L)

• Low (assign value of 1 if ALL apply)
– Small attacker population – insider knowledge
– Not remotely executable
– Administrator privileges required
– Exploitation method not publicly published
– Non-automated

Page 26: Vulnerability Sum

Vulnerability attributes (from slide 23, 24, or 25) | Probability value (1, 3, or 5)
High | 5
Medium | 3
Low | 1

Page 27: Review – Output of Task Three

• Probability rating taking into account the current controls in place
• Sum of vulnerability rating (slide 26) and control effectiveness (slide 19)
– Column 9 on slide 28

Page 28: Baseline Risk – Current Controls

Columns: (1) Asset name; (2) Impact rating class (HBI, MBI, LBI); (3) Defense in depth layer; (4) Threat description; (5) Vulnerability description; (6) Exposure rating (1–5); (7) Impact rating (1–10); (8) Current control description; (9) Probability rating with controls (1–10); (10) Risk rating with controls (0–100)

Row 1: (1) XYZ; (2) 10 (HBI); (3) Host; (4) Enter details; (5) Be specific; (6) 4 (80%); (7) 8; (8) List every control; (9) Vulnerability = 5, Control = 1, Total = 6; (10) Col 7 * Col 9 = 48
Row 2: (1) ABC; (2) 10 (HBI); (3) Host; (4) Enter details; (5) Be specific; (6) 4 (80%); (7) 8; (8) List every control; (9) Vulnerability = 5, Control = 5, Total = 10; (10) Col 7 * Col 9 = 80
Row 3: (1) YourCompany; (2) 5 (MBI); (3) Perimeter; (4) Enter details; (5) Be specific; (6) 2 (40%); (7) 2 (5 * 0.40); (8) List every control; (9) Vulnerability = 3, Control = 2, Total = 5; (10) Col 7 * Col 9 = 10
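The four tasks carried through in code, as an added example (Python, not code from the slides or from the Microsoft guide). The lookup tables are the slides' own values (impact class values, slide 12; exposure factors, slide 13; the five control questions, slide 19; vulnerability values, slide 26). The VulnAttributes record, the High-before-Medium-before-Low precedence used to turn the attribute lists of slides 23 to 25 into a single value, and the three worksheet rows (constructed to reproduce the slide 28 totals of 6, 10 and 5, with the third row's impact rated with the slide 14 formula as 5 * 0.40 = 2) are this example's assumptions.

```python
"""Detailed risk rating for the slides' four tasks (added worked example).

Constants are the slides' values; the High -> Medium -> Low precedence for
slides 23-25 and the sample rows are this example's assumptions.
"""
from dataclasses import dataclass

IMPACT_CLASS_VALUE = {"HBI": 10, "MBI": 5, "LBI": 2}             # slide 12, V
EXPOSURE_FACTOR = {1: 0.20, 2: 0.40, 3: 0.60, 4: 0.80, 5: 1.00}  # slide 13, EF
VULNERABILITY_VALUE = {"high": 5, "medium": 3, "low": 1}         # slide 26


@dataclass(frozen=True)
class VulnAttributes:
    """The attribute set that slides 23-25 rate (record layout is assumed)."""
    attacker_population: str   # "large", "medium" or "small"
    remotely_executable: bool
    privileges_needed: str     # "anonymous", "user" or "administrator"
    exploit_published: bool
    automated: bool


def vulnerability_level(a: VulnAttributes) -> str:
    """High if ANY high attribute applies (slide 23); Low only if ALL low
    attributes apply (slide 25); anything else is Medium (slide 24).
    Testing High first is the assumed precedence."""
    if (a.attacker_population == "large" or a.remotely_executable
            or a.privileges_needed == "anonymous" or a.exploit_published
            or a.automated):
        return "high"
    if (a.attacker_population == "small"
            and a.privileges_needed == "administrator"
            and not a.remotely_executable and not a.exploit_published
            and not a.automated):
        return "low"
    return "medium"


def exposure_rating(conf_integ: int, availability: int) -> int:
    """Task one, slide 11: the higher of the two 1-5 exposure ratings."""
    for r in (conf_integ, availability):
        if r not in EXPOSURE_FACTOR:
            raise ValueError(f"exposure rating must be 1-5, got {r}")
    return max(conf_integ, availability)


def impact_rating(impact_class: str, exposure: int) -> float:
    """Slide 14: Impact = V * EF."""
    return IMPACT_CLASS_VALUE[impact_class] * EXPOSURE_FACTOR[exposure]


def control_score(answers: tuple) -> int:
    """Slide 19: five yes/no answers, yes = 0 and no = 1, summed (0-5)."""
    if len(answers) != 5:
        raise ValueError("the slide 19 questionnaire has exactly five questions")
    return sum(0 if yes else 1 for yes in answers)


def probability_rating(attrs: VulnAttributes, answers: tuple) -> int:
    """Task three, slide 27: vulnerability value (1/3/5) + control score (0-5)."""
    return VULNERABILITY_VALUE[vulnerability_level(attrs)] + control_score(answers)


def risk_rating(impact_class, conf_integ, availability, attrs, answers) -> float:
    """Task four, slide 28 column 10: impact (column 7) * probability (column 9)."""
    exposure = exposure_rating(conf_integ, availability)
    return impact_rating(impact_class, exposure) * probability_rating(attrs, answers)


# Constructed worksheet rows in the shape of slides 15, 20 and 28 (assumed data).
WORM = VulnAttributes("large", True, "anonymous", True, True)          # high, 5
INSIDER_TOOL = VulnAttributes("medium", False, "user", False, False)   # medium, 3
SLIDE_20_ANSWERS = (True, True, True, False, True)   # only patch latency fails: 1
ALL_NO = (False,) * 5                                # every question fails: 5

ROWS = [
    # (asset, impact class, conf/integ exposure, availability exposure, attrs, answers)
    ("XYZ (customer financial data)", "HBI", 4, 3, WORM, SLIDE_20_ANSWERS),
    ("ABC", "HBI", 2, 4, WORM, ALL_NO),
    ("YourCompany perimeter", "MBI", 2, 1, INSIDER_TOOL, (True, False, True, False, True)),
]


def prioritized_list(rows=ROWS):
    """Slide 30: the detailed risk list sorted by risk rating, highest first."""
    scored = [(asset, risk_rating(cls, ci, av, attrs, ans))
              for asset, cls, ci, av, attrs, ans in rows]
    return sorted(scored, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for asset, risk in prioritized_list():
        print(f"{risk:6.1f}  {asset}")
```

Running it prints ABC (80), XYZ (48) and the perimeter row (10) in that order. The two validation checks matter in practice: an exposure rating outside 1 to 5 or a questionnaire with a missing answer silently shifts the result otherwise, and the ranking is only as trustworthy as the inputs agreed with the stakeholders in task two.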

Page 29: Summary Qualitative Ranking

Risk rating = impact rating (rows, 1 to 10) * probability rating (columns, 0 to 10). Impact: L = 1, M = 5, H = 10. Probability runs from L at the left to H at the right.

Impact | Prob: 0   1   2   3   4   5   6   7   8   9  10
H  10  |       0  10  20  30  40  50  60  70  80  90 100
    9  |       0   9  18  27  36  45  54  63  72  81  90
    8  |       0   8  16  24  32  40  48  56  64  72  80
    7  |       0   7  14  21  28  35  42  49  56  63  70
    6  |       0   6  12  18  24  30  36  42  48  54  60
M   5  |       0   5  10  15  20  25  30  35  40  45  50
    4  |       0   4   8  12  16  20  24  28  32  36  40
    3  |       0   3   6   9  12  15  18  21  24  27  30
    2  |       0   2   4   6   8  10  12  14  16  18  20
L   1  |       0   1   2   3   4   5   6   7   8   9  10
       |       L               M               H

Page 30: Review – Output of Task Four

• Detailed prioritized risk list with an objective (mostly) “risk rating” in the range 0 to 100
• A risk analysis chart to assist stakeholders in visualizing the relative risk ratings
• Risk levels should be used only as a guide for decision makers, and some adjustments are allowed by stakeholders
– However, everybody must recognize that every asset cannot be “number one” on the priority list

Page 31: Next Week

• Quantifying Risk
• The hard work starts
– Putting numbers ($$$) to the assets and the loss expectancy