Paradigm Shift! - Customer Information Centric IT Risk Assessments

The CICRAM™ Paradigm Shift! Customer Information Centric IT Risk Assessments
CICRAM™ IT Risk Assessment Methodology © Copyright 2004-2009 Fernando Reiser, All Rights Reserved
The CICRAM IT Risk Assessment Methodology for GLBA & HIPAA Compliance
May 7th 2009

Description

Readers will be exposed to a methodology for the evaluation of information security risks based on the “Value” of customer/employee information rather than on the “Economic Value” of the information to the organization.

Transcript of Paradigm Shift! - Customer Information Centric IT Risk Assessments

Page 1: Paradigm Shift! - Customer Information Centric IT Risk Assessments

The CICRAM™ Paradigm Shift! Customer Information Centric IT Risk Assessments

The CICRAM™ IT Risk Assessment Methodology for GLBA & HIPAA Compliance

May 7th 2009

Page 2: Paradigm Shift! - Customer Information Centric IT Risk Assessments

Why Perform IT Risk Assessments?

• Management Request
• Regulatory Requirement
• IT Best Practice

Page 3: Paradigm Shift! - Customer Information Centric IT Risk Assessments

What is “RISK”?

• First and most obvious, “Risk” is a probability issue.
• “Risk” has both a frequency and a magnitude component.
• The fundamental nature of “Risk” is universal, regardless of its context.

An Introduction to Factor Analysis of Information Risk (FAIR) – A framework for understanding, analyzing, and measuring information risk – Jack A. Jones, CISSP, CISM, CISA

“Risk is the association of the probability/frequency of a negative event occurrence, with the projected magnitude of a future loss.”
Fernando A. Reiser CISSP, CISM, CISA, CIPP – April 2009

Page 4: Paradigm Shift! - Customer Information Centric IT Risk Assessments

It’s All About IT Risk

The Basic “IT Risk” Formula

Information Security Professionals generally can agree that:

IT Controls mitigate Risk by lowering the Probability of a Threat acting on a Vulnerability to harm an organization’s Asset.

Page 5: Paradigm Shift! - Customer Information Centric IT Risk Assessments

Assessing “IT Risk”

High Level Goals & Objectives
• Assess current threats & vulnerabilities
• Identify and assess “Risk Factors” to the Organization
• Present information in a way that management can use to make informed business decisions based on risk.

Processes
• Identify assets – information stores & IT systems.
• Quantify the probability of a negative event occurrence.
• Determine the value of information & IT assets.
• Assess the business impact of negative events.

Page 6: Paradigm Shift! - Customer Information Centric IT Risk Assessments

Assessing “IT Risk”

It’s a simple concept, but a difficult and complex analytical problem to solve.

Most IT Risk Assessment Methodologies Attempt to Determine the Threats, Vulnerabilities, Negative Event Likelihood and Information Security Impacts to Specific IT Assets.

Page 7: Paradigm Shift! - Customer Information Centric IT Risk Assessments

What IT Risk Assessment Methodology Should I Use?

Quantitative Risk Analysis – Two basic elements are assessed: the probability of a negative event – “ARO” (annual rate of occurrence) – and the likely financial loss – the “SLE” (single loss expectancy). The Annual Loss Expectancy – “ALE” – is then calculated as ARO × SLE.

Qualitative Risk Analysis – This is by far the most widely used approach to risk analysis. Probability data is not required and only the estimated financial loss is used.

Page 8: Paradigm Shift! - Customer Information Centric IT Risk Assessments

“Published” IT Risk Assessment Methodologies

What IT Risk Assessment Methodology Should I Use?

Quantitative Methodologies:
• CRAMM
• BITS (Kalculator)
• FAIR
• FMEA

Qualitative Methodologies:
• FRAP
• COBRA
• OCTAVE

Page 9: Paradigm Shift! - Customer Information Centric IT Risk Assessments

Assessing IT Risk:

“The Problem in the security world is we often lack the data to do risk management well. Technological risks are complicated and subtle.”

“We don’t know how well our network security will keep the bad guys out, and we don’t know the cost to the company if we don’t keep them out.”

Does risk management make sense? – Bruce Schneier – Oct 2008

Page 10: Paradigm Shift! - Customer Information Centric IT Risk Assessments

I Stipulate That The IT Security Profession Has A Dirty Little Secret ...

In Addition, Traditional IT Risk Assessment Methodologies Do Not Assess IT Risks To Customer Information:
• Storage
• Transmission
• Access & Processing

Page 11: Paradigm Shift! - Customer Information Centric IT Risk Assessments

Randy Pausch Said In His Now Famous “Last Lecture” …

“When There Is An Elephant In The Room, Introduce Him” – Randy Pausch

Graphic – www.thelastlecture.com

“Most IT Security Professionals Can Not Accurately Assess IT Risks.”
Fernando A. Reiser CISSP, CISM, CISA, CIPP – April 2009

Page 12: Paradigm Shift! - Customer Information Centric IT Risk Assessments

In fact, many Information Security professionals cannot even agree on a definition of IT Risk!

“Ask a dozen information security professionals to define risk and you’re certain to get several different answers.”
An Introduction to Factor Analysis of Information Risk (FAIR) – Jack A. Jones, CISSP, CISM, CISA

“Technically speaking, risk is the probability of a threat agent exploiting a vulnerability and the resulting business impact.”
Understanding Risk – Shon Harris CISSP – 2006

If security professionals cannot agree on what the risks are, how can we accurately assess “IT Risks”?

Page 13: Paradigm Shift! - Customer Information Centric IT Risk Assessments

What Are Leading Information Security Professionals Saying About Current IT Risk Assessment Processes & Models?

• Why Johnny Can’t Evaluate Security Risk – George Cybenko, Editor in Chief
• Number-driven risk metrics ‘fundamentally broken’ – Amit Yoran, former National Cyber Security Division director
• Taking the risk out of IT risk management – Jim Hietala – October 16, 2008
• It’s time to think differently about protecting data – Bill Ledingham – September 10, 2008
• Why you shouldn’t wager the house on risk management models – Bruce Schneier and Marcus Ranum – Oct 2008

Page 14: Paradigm Shift! - Customer Information Centric IT Risk Assessments

There Is A Problem With Many IT Risk Assessment Processes.

Traditional IT Risk Assessment Methodologies are Primarily Focused on the Risks and Impacts to the Organization that is Being Assessed.

The Impact to the Confidentiality or Integrity of Customer and Employee Information is not Assessed!

Graphic – Microsoft

Page 15: Paradigm Shift! - Customer Information Centric IT Risk Assessments

Why Are Risks to Customer Information Important?

• Regulatory Requirements
  Financial Industry – GLBA
  Health Care – HIPAA
  Higher Education – FERPA
  State Data Breach
• Industry Standards
  Retail – PCI
• Organizational Reputation

Graphic – Microsoft

Page 16: Paradigm Shift! - Customer Information Centric IT Risk Assessments

The CICRAM™ IT Risk Assessment Methodology for GLBA & HIPAA Compliance

A Paradigm Shift In IT Risk Assessment Methodologies!

Assess Risks To Customer & Employee Information, Rather Than Operational IT Risks To The Organization.

Page 17: Paradigm Shift! - Customer Information Centric IT Risk Assessments

CICRAM™ IT Risk Assessment Methodology

Core Concepts: A Simplified View of IT Risks

Risk = (Threat × Vulnerability × Asset Value) / Countermeasures

An IT Risk is defined within CICRAM™ as the likelihood of a Threat acting on a Vulnerability to harm an asset, which causes a negative impact.

Page 18: Paradigm Shift! - Customer Information Centric IT Risk Assessments

CICRAM™ IT Risk Assessment Methodology

Core Concepts:

• There are an infinite number of “Latent” vulnerabilities in software systems that allow attackers to breach computer systems.
• There is a sufficiently high number of “Threats” that, given enough time, the likelihood of a vulnerability being exploited is 100%.
• “Customer Information” has an inherently high value.
• Assess “Risks” by following the movement of Customer Information.
• Assess the effects of an IT control failure. The “Worst Case Scenario” becomes the “Baseline” for the IT Risk Assessment.
• Effective IT controls reduce risks.
• IT Risks are almost never reduced to zero by the implementation of IT controls; there is usually some “Residual Risk”.

Page 19: Paradigm Shift! - Customer Information Centric IT Risk Assessments

CICRAM™ IT Risk Assessment Methodology

Core Concepts:

There are only a few actions that can be performed with an Organization’s Customer Information:

ACTION                 INFORMATION SECURITY RISK FACTOR
View / Access / Use    Confidentiality
Copy                   Confidentiality
Modify                 Integrity
Loss                   Confidentiality
Delete / Destroy       Integrity and Availability

Page 20: Paradigm Shift! - Customer Information Centric IT Risk Assessments

CICRAM™ IT Risk Assessment Methodology

“A Hybrid IT Risk Assessment Process”

• Use Qualitative Analysis methods to determine current IT “Threats”.
• Utilize “Data Flow” concepts to analyze risks to Customer Information as it moves across various environments.
• Use Interrogative & RIIOT methods to document the IT environment used to transmit, manipulate and store customer data.
• Use Qualitative Analysis methods to develop a “Baseline” of IT Risks for an IT environment that does not have any IT controls.
• Use Control Maturity Modeling and Quantitative Analysis methods to assess the effectiveness of current IT controls.
• Use Quantitative Analysis methods to determine the risk reduction impact of current IT controls.

Page 21: Paradigm Shift! - Customer Information Centric IT Risk Assessments

CICRAM™ IT Risk Assessment Step #1 – Assess The Current IT Threat Environment

Attack Motivational Factors

External Threats
i. Criminal Cyber Gangs
ii. Former Employees
iii. Consultants & Contractors
iv. Casual Hackers & Script Kiddies

Insider Threats
i. Malicious Insiders: Corporate Spies & Disgruntled Employees
ii. Careless Staff: Policy Breakers and the Uninformed

Technical Attacks
Malware Applications
i. Viruses, Worms, Trojans
ii. Spyware
iii. Adware
Botnets
DNS
Denial of Service

Human Attacks
Social Engineering
Identity Theft
Email Spam

Page 22: Paradigm Shift! - Customer Information Centric IT Risk Assessments

CICRAM™ IT Risk Assessment Step #2 – Determine Where Customer Information Is Located

Data Flow Regions:
• Application Systems
• Infrastructure
• Business Partners

IT Risks

Page 23: Paradigm Shift! - Customer Information Centric IT Risk Assessments

CICRAM™ IT Risk Assessment Step #3 – Document The IT Operational Environment: IT Systems & Applications

Use IT auditing tools and methods like questionnaires, interviews and diagrams to document the IT systems and applications.

Page 24: Paradigm Shift! - Customer Information Centric IT Risk Assessments

CICRAM™ IT Risk Assessment Step #4 – Select an Information Security Controls Framework

Candidate frameworks (diagram):
• FFIEC & FTC Standards for safeguarding customer information
• ISO 17799 Security Program
• NIST SP 800, SANS, PCI Controls
• COBIT & ITGI Controls

+ Use current information from: SANS Institute, Analysts, Industry Best Practices

= Your Organization’s IT Security Control Framework

• Each “Standard” may contain similar information security controls.
• Resolve circular references and overlapping IT controls across the multiple frameworks.
• Use hierarchical clustering to group IT Controls into categories.

Page 25: Paradigm Shift! - Customer Information Centric IT Risk Assessments

CICRAM™ IT Risk Assessment Step #5: Select Key IT Risk Assessment Factors

IT Risk Assessment “Factors”:
• Customer Information Security (Confidentiality)
• Improper/Incorrect Transaction Data (Integrity)
• Infrastructure Stability/Change Control (Availability)
• Customer Confidence / Stewardship (Reputation)
• Regulatory Compliance (Legal)
• Fraud / Data Breach (Financial Loss)

Page 26: Paradigm Shift! - Customer Information Centric IT Risk Assessments

CICRAM™ IT Risk Assessment Step #6: Determine an IT Risks Numerical Rating Scale

NUMERICAL IT RISK RATING DEFINITIONS
Level 0 – Functional control area is not relevant.
Level 1 – Functional control area poses an insignificant risk: the significance of a control failure is low or not relevant.
Level 2 – Functional control area poses a minimal risk potential: the significance of a control failure is minor.
Level 3 – Functional control area poses a moderate risk potential: the significance of a control failure is considerable.
Level 4 – Functional control area poses an elevated risk potential: the significance of a control failure is extensive.
Level 5 – Functional control area poses a significant risk potential: the implications of a control failure are severe.

COLOR    RANGE    RISK
White    0        N/A
Green    1-2      Low
Yellow   3-4      Medium
Red      5        High

Page 27: Paradigm Shift! - Customer Information Centric IT Risk Assessments

CICRAM™ IT Risk Assessment Step #7: Assess “Baseline” High Level Risks

Use Control Matrix and Apply Threat Analysis to Develop a Heat Map of Baseline IT Risks

Heat Map of Baseline IT Risks – Information Security Technical Controls
External Network Security - Perimeter Defense Systems                  5 4 4 3 5 3
Internal Network Security - Back Office User Authentication Systems    4 4 3 3 5 4
Virus and Malware Protection                                           4 4 4 4 3 4
Backup / Recovery                                                      2 0 5 2 5 3
Monitoring and Logging                                                 3 3 2 2 2 1

Page 28: Paradigm Shift! - Customer Information Centric IT Risk Assessments

CICRAM™ IT Risk Assessment Step #8: Determine an IT Control Numerical Rating Scale

IT CONTROL MATURITY RATING – Information Security Control Maturity Model
Stage 0 – Nonexistent
Stage 1 – Initial/Ad Hoc
Stage 2 – Repeatable but Intuitive
Stage 3 – Defined Process
Stage 4 – Managed and Measurable
Stage 5 – Optimized

Control Maturity Model (CMM) Ratings are Based on Carnegie Mellon’s Process Improvement Model Ratings Scale – CMMI.
www.sei.cmu.edu/cmmi/general/index.html

Page 29: Paradigm Shift! - Customer Information Centric IT Risk Assessments

CICRAM™ IT Risk Assessment Step #9: Assess IT Control Effectiveness

Control matrix columns: PROCESS FUNCTION | HIGH LEVEL OBJECTIVE | Control Objectives | Ref # | Control Maturity | GAP Exists | Impl. | Comments

PROCESS FUNCTION: External Network Security - Perimeter Defense Systems

HIGH LEVEL OBJECTIVE | Control Objectives | Ref #
Deployment of DMZ | Where network connectivity is used, appropriate controls, including firewalls, intrusion detection and vulnerability assessments, exist and are used to prevent unauthorized access. | IT.B.3.1
Deployment of Network FIREWALL | Where network connectivity is used, appropriate controls, including firewalls, intrusion detection and vulnerability assessments, exist and are used to prevent unauthorized access. | IT.B.3.1
Deployment of Network IDS/IPS | Where network connectivity is used, appropriate controls, including firewalls, intrusion detection and vulnerability assessments, exist and are used to prevent unauthorized access. | IT.B.3.1
Deployment of Wireless Encryption - Authentication | Where network connectivity is used, appropriate controls, including firewalls, intrusion detection and vulnerability assessments, exist and are used to prevent unauthorized access. | IT.B.3.1

Page 30: Paradigm Shift! - Customer Information Centric IT Risk Assessments

CICRAM™ IT Risk Assessment Step #10: Adjust Baseline Risks for Control Effectiveness

Use Control Effectiveness Ratings to Adjust Baseline IT Risks

Heat Map of IT Risks Adjusted for Control Effectiveness – Information Security Technical Controls
External Network Security - Perimeter Defense Systems                  3 3 3 2 2 2
Internal Network Security - Back Office User Authentication Systems    4 4 3 3 2 3
Virus and Malware Protection                                           4 3 3 3 2 3
Backup / Recovery                                                      1 0 3 3 2 2
Physical Security / Environmental                                      3 2 3 2 2 1
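Steps 6 through 10 carried out in code, as an added example that is not part of the deck: the Step 7 baseline rows, the Step 6 colour banding, and an adjustment of each row for its Step 8 maturity stage, ending with the residual High cells a report would have to explain. The six column labels (the Step 5 factors), the maturity stages assigned to each control area, and the adjustment rule itself (one risk level removed per maturity stage above Stage 1, floored at 1 so residual risk never reaches zero) are assumptions; the deck does not state its own formula.

```python
"""Baseline heat map -> colour bands -> adjustment for control maturity.
Added example: column labels, MATURITY values and the adjust() rule are
assumptions, not the deck's own formula."""

# Assumed column order: the six Step 5 risk factors.
FACTORS = ["Confidentiality", "Integrity", "Availability",
           "Reputation", "Legal", "Financial Loss"]

# Baseline heat map rows exactly as shown in Step 7 of the deck.
BASELINE = {
    "External Network Security - Perimeter Defense Systems": [5, 4, 4, 3, 5, 3],
    "Internal Network Security - Back Office User Authentication Systems": [4, 4, 3, 3, 5, 4],
    "Virus and Malware Protection": [4, 4, 4, 4, 3, 4],
    "Backup / Recovery": [2, 0, 5, 2, 5, 3],
    "Monitoring and Logging": [3, 3, 2, 2, 2, 1],
}

# Constructed CMMI stages (0-5) per control area, chosen for this example.
MATURITY = {
    "External Network Security - Perimeter Defense Systems": 3,
    "Internal Network Security - Back Office User Authentication Systems": 1,
    "Virus and Malware Protection": 3,
    "Backup / Recovery": 4,
    "Monitoring and Logging": 1,
}

def band(level):
    """Step 6 scale: 0 White/N/A, 1-2 Green/Low, 3-4 Yellow/Medium, 5 Red/High."""
    if not 0 <= level <= 5:
        raise ValueError("risk level must be 0-5")
    if level == 0:
        return ("White", "N/A")
    if level <= 2:
        return ("Green", "Low")
    if level <= 4:
        return ("Yellow", "Medium")
    return ("Red", "High")

def adjust(level, maturity):
    """Assumed rule: each stage above Stage 1 (Initial/Ad Hoc) removes one risk
    level; a rated risk never drops below 1 (residual risk), a 0 stays 0."""
    if not 0 <= maturity <= 5:
        raise ValueError("maturity must be a CMMI stage 0-5")
    if level == 0:
        return 0
    return max(1, level - max(0, maturity - 1))

def adjusted_heat_map(baseline, maturity):
    """Apply each control area's maturity stage to its baseline row."""
    return {area: [adjust(v, maturity[area]) for v in row]
            for area, row in baseline.items()}

def high_cells(heat_map):
    """(area, factor) cells rated Red/High; on the adjusted map these are
    the residual high risks the narrative report must explain."""
    return [(area, FACTORS[i]) for area, row in heat_map.items()
            for i, v in enumerate(row) if band(v)[1] == "High"]

def render(heat_map):
    """Plain-text heat map with the colour band beside each rating."""
    return "\n".join(area + ": " + ", ".join(f"{f}={v} ({band(v)[0]})"
                     for f, v in zip(FACTORS, row)) for area, row in heat_map.items())

if __name__ == "__main__":
    print("Baseline High cells:", high_cells(BASELINE))
    adjusted = adjusted_heat_map(BASELINE, MATURITY)
    print(render(adjusted))
    print("Residual High cells:", high_cells(adjusted))
```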

Page 31: Paradigm Shift! - Customer Information Centric IT Risk Assessments

CICRAM™ IT Risk Assessment Step #11: Generate Narrative IT Risk Report Document

Develop a Written Report

Page 32: Paradigm Shift! - Customer Information Centric IT Risk Assessments

CICRAM™ IT Risk Assessment Step #12: Present Risk Report and Findings to Management

Congratulations, You Get To Do This Again Next Year!

Page 33: Paradigm Shift! - Customer Information Centric IT Risk Assessments

CICRAM™ IT Risk Assessment Methodology

Paradigm Shift! Customer Information Centric IT Risk Assessments

Questions? Fernando A. Reiser
[email protected]