
Risk Analysis - Nine Steps to Follow

1

Effectively Completing and Documenting a Risk Analysis

Tom Walsh, CISSP

Tom Walsh Consulting, LLC

Overland Park, KS

Copyright © 2014, Tom Walsh Consulting, LLC

Session Objectives

• Identify the difference between risk analysis and risk assessment

• Define the basic steps used in completing a risk analysis: how to identify threats, evaluate current security controls, determine vulnerabilities, and prioritize risks

• Demonstrate how to perform and document a risk analysis through “hands-on” exercises

• Describe how to present a risk analysis report and manage risks through a remediation plan


Introduction – Tom Walsh

• Certified Information Systems Security Professional (CISSP)

• 11 years – Tom Walsh Consulting (tw-Security)

• Co-authored four books on security

• Former information security manager for large healthcare system in Kansas City, MO

• A little nerdy, but overall, a nice guy


Risk Analysis

Risk Analysis vs. Risk Assessment

• Assessment – A judgment about something based on an understanding of the situation; a method of evaluating performance

• Analysis – The close examination of something in detail in order to understand it better or draw conclusions from it; the separation of something into its constituents in order to find out what it contains, to examine individual parts, or to study the structure of the whole (Source: Encarta Dictionary)

• Risk Analysis – A systematic and ongoing process of identifying threats, controls, vulnerabilities, likelihood, impact, and an overall rating of risk

NIST Risk Assessment Process


Note: NIST SP 800-30 Guide for Conducting Risk Assessments, Revision 1, is the source for this diagram. NIST often refers to the term “assessment” to imply the “risk analysis process.”


PCI DSS Requirement 12.2


Key words:

“…performed at least annually and upon significant changes…”

Threats, controls, vulnerabilities, likelihood, and impact

A closer look at the requirement…

PCI DSS Risk Assessment Guidelines


HIPAA – Risk Analysis

§164.308(a)(1)(ii)(A) Risk analysis (Required)

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity [or business associate].


Risk Assessment / Analysis

Each organization has to:

• Assess its own security risks

• Determine its risk tolerance or risk aversion

• Devise, implement, and maintain appropriate security to address its business requirements

• Document its security decisions

Risk Analysis

Two types:

• Qualitative – (Easiest and most common) Rating risks on a scale such as High, Medium, or Low

• Quantitative – (Most difficult to determine) Placing a dollar value on the risk based upon formulas or calculations

Risk Analysis

The nine steps in the risk analysis process:

1. System characterization

2. Threat identification

3. Control assessment

4. Vulnerability identification

5. Likelihood determination

6. Impact analysis

7. Risk determination

8. Control recommendations

9. Results documentation

Based upon the original National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30, Risk Management Guide for Information Technology Systems

1. System Characterization

• Create an inventory of applications and systems

  – Major applications

  – General support systems

    • Computer workstations

    • Laptops and tablets

    • Smartphones

    • Network (LAN, wireless, extranet, etc.)

    • Data Center

Threats are based upon information assets.


2. Threat Identification

• Identify reasonably anticipated threats

  – Acts of nature

    • Natural disasters that are beyond our control

    • Threats affecting the organization as a whole

  – Acts of man

    • Unintentional or accidental

    • Intentional

  – Environmental threats

    • Generally, threats affecting Data Center operations

Risk Analysis – Exercise

Identify reasonably anticipated threats for each threat category (as they pertain to applications and information systems):

– Acts of nature (for the Midwest)

– Human actions

– Environmental threats affecting Data Center operations


Common mistake: Listing an impact as a threat.

#2 Unreasonable Threats

• Chemical spills

• Biological contamination

• Nuclear mishaps

• Aircraft accident

• Civil unrest / Rioting

• Bomb threats

• Sinking ground

• Tsunami

• Volcano eruption

• Blackmail

• Substance abuse

• Inflation


Thorough does not mean unreasonable.


3. Control Assessment

• Assess current controls

  – Technical (tools)

    • Existing security features not in use

    • Purchased software and/or hardware

  – Non-technical

    • Policies, procedures, plans, etc.

    • Training (practices and behavior)

Checklists are usually used to assess existing controls.

Purpose of Controls and Examples

• Prevention (proactive) – Access controls

• Detection (reactive) – Audit logs

• Assurance (proactive) – Evaluation or assessment

• Recovery (reactive) – Disaster recovery plan


4. Vulnerability Identification

• Hardware

  – Improperly configured equipment

• Software

  – Operating systems needing patching

  – Poorly written applications

• Environmental

  – Lack of physical or environmental controls

• Operational practices

  – Lack of policies and procedures

  – Untrained personnel

Checklist – SAMPLE

“Yes” = Control; “No” = Vulnerability

Control Assessment – Checklists

• How many questions do you really need to ask?

• “Critical few versus the trivial many”

• Diminishing returns – (chart: value of answers versus number of questions)

Risk Analysis – Exercise

Developing checklist questions

State one or two checklist questions for assessing controls to address each threat below:

– Authorized user misusing their access privileges (snooping)

– Unauthorized user or inappropriate access (internal)

– Hacking or tampering (external)

– Program error, application bug, and/or system failure


Bonus: How do you rank the importance of one question from another?


5. Likelihood Determination

What is the likelihood or probability of each threat circumventing the existing controls?

• Likelihood can be rated as being:

– High, Medium, or Low

• To maintain consistency, your organization should include definitions of those ratings

6. Impact Determination

Evaluate what it would do to your organization if a threat were realized.

• Impact can be rated as being

– High, Medium, or Low

• To maintain consistency, your organization should include some definitions of those ratings

It can be difficult to precisely quantify the impacts if a threat were realized.

6. Impact – Possible Consequences

• Confidentiality

• Integrity

• Availability

• Opportunity (financial)

• Reputation

• Litigation


7. Risk Determination

“Risk is a measure of the extent to which an entity is threatened by a potential circumstance or event, and is typically a function of:

(i) the adverse impacts that would arise if the circumstance or event occurs; and

(ii) the likelihood of occurrence.”


Source: National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30 Guide for Conducting Risk Assessments

7. Risk Determination

The OCTAVE approach to calculate a risk score:

Risk Score – SAMPLE #1

Likelihood | Impact | Risk Score | Color Rating
-----------|--------|------------|-------------
H          | H      | 9          | Red
H          | M      | 6          | Red
M          | H      | 6          | Red
M          | M      | 4          | Yellow
H          | L      | 3          | Yellow
L          | H      | 3          | Yellow
M          | L      | 2          | Green
L          | M      | 2          | Green
L          | L      | 1          | Green
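An added example (not from the presentation or Tom Walsh Consulting) that ties the checklist rule in step 3 ("Yes" = control, "No" = vulnerability) to the SAMPLE #1 scoring table above: with H = 3, M = 2, L = 1, every score in the table is Likelihood × Impact, and 9/6 fall in Red, 4/3 in Yellow, 2/1 in Green. The threats, checklist questions and ratings are constructed sample data.

```python
from dataclasses import dataclass

# Ordinal values behind the H/M/L ratings; the sample table's scores
# (9, 6, 4, 3, 2, 1) are all products of these values.
RATING = {"H": 3, "M": 2, "L": 1}

def risk_score(likelihood: str, impact: str) -> int:
    """Risk score = likelihood x impact, as in the OCTAVE-style sample table."""
    return RATING[likelihood.upper()] * RATING[impact.upper()]

def color_rating(score: int) -> str:
    """Color band from the sample table: 9 and 6 Red, 4 and 3 Yellow, 2 and 1 Green."""
    if score >= 6:
        return "Red"
    if score >= 3:
        return "Yellow"
    return "Green"

@dataclass
class ChecklistItem:
    threat: str
    question: str
    answer: str      # "Yes" = control in place, "No" = vulnerability
    likelihood: str  # likelihood the threat circumvents current controls
    impact: str      # impact on the organization if the threat is realized

# Constructed sample answers (hypothetical, not the presenter's data).
SAMPLE = [
    ChecklistItem("Authorized user snooping", "Are access audit logs reviewed?", "No", "H", "H"),
    ChecklistItem("Unauthorized internal access", "Is access removed at termination?", "Yes", "L", "H"),
    ChecklistItem("External hacking", "Are internet-facing systems patched monthly?", "No", "M", "H"),
    ChecklistItem("System failure", "Is a tested disaster recovery plan in place?", "No", "M", "M"),
    ChecklistItem("Power loss", "Does the data center have a UPS and generator?", "Yes", "L", "L"),
]

def prioritized_findings(items):
    """Return (threat, score, color) for every 'No' answer, highest risk first."""
    findings = []
    for item in items:
        if item.answer.strip().lower() != "no":
            continue  # "Yes" means a control exists; nothing to recommend
        score = risk_score(item.likelihood, item.impact)
        findings.append((item.threat, score, color_rating(score)))
    # Stable sort keeps ties in checklist order, so results are reproducible.
    return sorted(findings, key=lambda f: f[1], reverse=True)

if __name__ == "__main__":
    for threat, score, color in prioritized_findings(SAMPLE):
        print(f"{color:<6} {score}  {threat}")
```

The sorted output is the order in which step 8 (recommended controls) and the remediation plan would address the vulnerabilities.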


Risk Score – SAMPLE #2

Source: PCI DSS Risk Assessment Guidelines (November 2012) created by the Risk Assessment Special Interest Group (SIG)

Risk Score – SAMPLE #3


Risk Analysis – Exercise


8. Recommended Controls

• Provide recommendations to address each vulnerability (if possible) to reduce or manage risks appropriately


9. Results Documentation

• Create a summary of key findings, recommendations, and estimates to implement them

• Document management's decisions for each risk:

  – Avoided (many times not an option)

  – Mitigated/Reduced (applying controls)

  – Transferred/Shared (insuring against a loss), or

  – Accepted (doing nothing, but recognizing the risk)

• Risk should be handled in a cost-effective manner relative to the value of the asset


Management Decisions


Risk Analysis Reports


Risk Profile – SAMPLE #1


Risk Profile – SAMPLE #2

Source: PCI DSS Risk Assessment Guidelines (November 2012) created by the Risk Assessment Special Interest Group (SIG)

Risk Profile – SAMPLE #3-1

Source: National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30 Guide for Conducting Risk Assessments

Risk Profile – SAMPLE #3-2

Source: National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30 Guide for Conducting Risk Assessments

Risk Profile Approach

(Diagram: a hierarchical approach to assessing controls and risks. For each major application (Major App 1, Major App 2), controls are assessed at each layer – Data, Application, Network, Hardware & Operating System, Physical/Environment, and Operational Practices – and the results roll up into that application's Risk Profile.)

Risk Analysis Picture

(Diagram: Application, Workstation, Network, Data Center)

Risk Analysis Report – SAMPLE #1

Topics to address in a report:

– Overview (report date, Information/Data Owner, author of report)

– Scope: application(s) and general support system(s) (business functions, data sensitivity, criticality of system)

– Description of risk analysis approach

– Risk analysis team members

– Findings (vulnerabilities and unacceptable risks)

– Recommendations

– Information/System Owner comments

– Statement of Understanding

Risk Analysis Report – SAMPLE #2

Topics to address in a report:

– Scope of Risk Assessment

– Asset Inventory

– Threats

– Vulnerabilities

– Risk Evaluation

– Risk Treatment

– Version History

– Executive Summary

Source: PCI DSS Risk Assessment Guidelines (November 2012) created by the Risk Assessment Special Interest Group (SIG)

Risk Management Process

Goal: To meet business objectives while managing risks to an acceptable level

Risk Analysis – Output:

• Risk Profiles

• Risk Analysis Reports (communicate risks to “Owners”)

• Internal Audit or Evaluation

• Vulnerability Scans

• Penetration Testing

Risk Management – Output:

• Risk Remediation Plan

• Audit Trails

• Change Control

• Configuration Management / Patch Management

• Incident Reports

• Security Plans

• Contingency Plans

• Disaster Recovery Plans

Validation: “Are safeguards and controls functioning as stated? Prove it!” – “Trust but verify”

Remediation Plan – SAMPLE


Conclusion

Connect the Dots (diagram: Risk as a function of Likelihood and Impact)

References

• NIST Computer Security Resource Center, SP 800-30 Guide for Conducting Risk Assessments:

– http://csrc.nist.gov/publications/PubsSPs.html

• PCI DSS Risk Assessment Guidelines:

– https://www.pcisecuritystandards.org/documents/PCI_DSS_Risk_Assmt_Guidelines_v2.pdf

• Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE):

– http://www.cert.org/octave/

• Risk Analysis Myths:

– http://www.healthit.gov/providers-professionals/top-10-myths-security-risk-analysis

Just released…


Risk Tool – Physician Practices

• SRA Tool Content – Administrative Safeguards (192 pages)

• SRA Tool Content – Physical Safeguards (104 pages)

• SRA Tool Content – Technical Safeguards (140 pages)


SRA Tool Content – Technical Safeguards (What is missing in the 140 pages?)

• Hacker

• Scan, intrusion, penetration

• Firewall (only one question, and it pertains to audit logs; not whether you have one or how it is configured)

• Network interruptions

• Wireless (appears once, but not as an assessment question)

• Bandwidth

• System administrator

• Mobile, mobile devices, mobile device management, BYOD

• Data loss prevention / Data loss protection

• Change control, change management

• Configuration management

• Leakage, data leakage

• Text, texting, text messaging

• Protocol, VPN, https

• Portal

• Telecommute, telemedicine, teleradiology

• Remote access (no questions; appears once in a comment on “Things to consider”)

• Biomed, biomedical

Questions?


Thanks for Attending!

Tom Walsh, CISSP

Tom Walsh Consulting, LLC

Overland Park, KS

www.tw-Security.com

[email protected]

913-696-1573