
MSIS 4253 Systems Certification and Accreditation Exam #1: Lecture Notes- Chapters 1-5

Chapter #1 Information Security Risk Management Imperatives and Opportunities

IT Risk Management
- Information loss is always rated in the top 5 of concerns for CEOs/CIOs
  o Loss of information
  o Loss of productivity
  o Loss of revenue
- Vulnerabilities, threats, exploits, and controls
- Risk: the expected loss. The aggregation of the possibilities, their probabilities, and the loss associated with each possibility

Information Security
- Confidentiality: can we keep communications private?
- Integrity: keeping the information from being manipulated
- Availability: ex. Amazon
- Authentication and non-repudiation (IA)

RM Process
- Risk identification
  o Asset identification. Ex. an expensive car, a 2014 Mustang?
  o Risk identification
- Risk assessment. Driving ex. weather, texting and driving
- Risk mitigation planning. Ex. driving in Oklahoma: if you can, you should park under cover; what insurance should I get to cover my car?
- Risk mitigation implementation: following through with the mitigation
- Evaluation of RM effectiveness: did it work? (car being restored by insurance)

Risk Identification
- Process of identifying threats, threat sources, vulnerabilities, and events
  o Malicious: someone coming to try to harm us; take down our server, steal our data, mess up our data
  o Environmental: weather; building's power taken out by a storm
  o Planned: things we know are risks (driving out on the road)
  o Random: hitting a deer

Risk Assessment
- Calculating quantitatively the potential damage and/or monetary cost. Entails:
  o Quantifying the potential damage
  o Quantifying the probability the damage will occur
- Based on previous events, subject matter experts, and audits

Risk Mitigation Planning
- Controlling and mitigating IT risks
- Cost-benefit analysis: what is the cost/benefit of you mitigating the risk? Sargent ex. Sometimes you have to figure out something else
- Selection, implementation, test, and evaluation of security safeguards
- Prioritizing: look at all risks and threats, and decide where you should spend your money to help your infrastructure
  o Considers effectiveness and efficiency
  o Mission impact
  o Constraints due to policy, regulation and laws (certain controls you can't put into place because of laws)
  o Impact on other systems (Biros added)

Risk Mitigation Implementation
- Deploying the risk mitigation techniques that were determined in risk mitigation planning
- Deployment decisions
  o Direct cutover: turn off the old control and cut the other on
  o Parallel operation: keep both in place for a time and eventually cut over
- Prioritizing: where certain controls go

Evaluation of Mitigation Effectiveness
- Monitoring environment
- Pre/post measurement: is your intrusion detection system good?
- Measuring effectiveness against the previous set of threats, vulnerabilities, and events: test the effectiveness against the system
- Determining new threats, vulnerabilities or events due to the modifications

Risk Management Models
- Author's model
- ISO 27002
- NIST SP 800-30
- Draft ISO/IEC 31000
- AS/NZS 4360:2004
- Microsoft approach
- Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) by CERT

Top Business Liabilities
1. Loss or theft of customer data
2. Business disruptions from IT failures and disruptions
3. Loss of integrity for critical IT assets and information: you don't know if the right info is being pushed out
  o Biros dissertation: manipulated military data
4. E-discovery issues
  o Hacking 101: finding all data about your target

Orgs That Need an RM Program? Characteristics
- Has IT assets
  o Data
  o Proprietary information
- Keeps financial data, health data or PII (personally identifying information)
- Requires formal documentation and policies
- Required to adhere to SOX, HIPAA, FERPA, FISMA and others
- Fiduciary responsibility to stockholders

Points to Ponder
- IS security spending was $30 bil in 2005; reported losses were at $15 bil
- Systems don't configure themselves; tools don't run themselves
  - Remember there's a huge human factor in this
- Technological and procedural IS RM capabilities
- Ready-to-go human resources
  - People who know what's expected of them
- 90% of all successful IS incidents could have been avoided had RM been accomplished
  - If we had known the risks
  - Example: hospital back access door, keycard

RM Team Member Skills
- IT knowledge
  o What it does, what it's capable of
- IS/IA knowledge
  o What kinds of threats and vulnerabilities are out there
- Basic quantitative skills
  o Cost-benefit analysis, single loss expectancy
- Understanding of the operational needs of the organization
  o Security can either enhance or inhibit operational needs
- Good presentation skills
  o Oral
  o Written

Some Perspectives
- IS is 1/3 technical, 2/3 policy and procedures
- Security depends more on people than tech
- Employees are a greater threat than outsiders: not malicious, just ignorant
- Only as strong as the weakest link
- Degree of security depends on:
  o The risk one is willing to tolerate
  o Functionality of the system: some systems are so old people don't know how to hack them
  o Cost one is prepared to pay
- Security is not a snapshot, but an on-going process; this should never end

Other thoughts:
- Security techniques have been around since the 1970s
- According to the Open Security Foundation's DataLossDB, in 2008 there were 246 reported incidents that could most likely have been avoided with encryption
- The majority of companies spend relatively little time on information security
- Yet according to the Information Security Forum's biennial status survey, on average a business-critical information resource will:
  o Suffer an IS incident almost every working day (someone in the company; 225 incidents a year)
  o Have a 58% chance of experiencing a major incident over the course of a year
- So what's the problem?

RM Problems
- Low awareness of RM activities in both the public and private sector: most people don't know what it is
- Absence of a common language: a lot of people don't understand the risk management language
- Lack of surveys on existing methods, tools, and good practices: we don't know what works well or not so well
- Limited or non-existent interoperability of methods and integration with corporate governance

Critical Components for Successful RM
- Top leadership support
- Well-defined list of RM stakeholders: understand who they are
- Org maturity in terms of RM: the guy is just trying to make sure companies don't get hacked
- Open communication
- Spirit of teamwork
- Holistic view of the organization
- Authority throughout the process

In the End
- It's really about the protection of information in all forms:
  o Printed or written on paper: dumpster diving, shred it
  o Stored electronically
    - Traditional storage: HD
    - Removable storage: multi-terabyte drives are more difficult to deal with
    - Remnant security
  o In transit: Target, from the point of sale to the database
  o Shown on film
  o Spoken: EEFI
  o Etc.
- It's about the information, stupid

Chapter 2: Information Security Risk Management Defined

Basic Definitions
- Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy.
- Threat: The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.
- Threat-Source: Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.

Common Threat-Sources
- Natural threats: floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and other such events.
- Human threats: events that are either enabled by or caused by human beings, such as unintentional acts (inadvertent data entry) or deliberate actions (network-based attacks, malicious software upload, unauthorized access to confidential information).
- Environmental threats: long-term power failure, pollution, chemicals, liquid leakage.

Basic Definitions (cont'd)
- Controls: Means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which could be administrative, management, technical, or legal in nature.
- Control techniques
  o Preventive controls inhibit attempts to violate security policy and include such controls as access control enforcement, encryption, and authentication.
  o Detective controls warn of violations or attempted violations of security policy and include such controls as audit trails, intrusion detection methods, and checksums.
- Risk: The mathematical combination of the likelihood of an event and the impact (expected value of the loss).

Risk Management: The on-going process whereby the threats, vulnerabilities, and potential impacts from the security incident are evaluated against the cost of safeguard implementation

Risk Management Sub-Processes
- Risk assessment
- Risk analysis
- Risk mitigation
- Uncertainty analysis
- Threat assessment
- Vulnerability assessment
- Probability estimation
- Internal control reviews
- Audits
- Rate of occurrence estimation
- Asset valuation
- Adequate and appropriate protection of assets
- Cost-benefit analysis
- Application security reviews/audits
- Verification reviews

Mathematical Definition of Risk
- Risk = (probability of an event occurring) x (impact of the event)
- Often difficult to exactly calculate risk
- Many orgs establish 3-5 levels of probability, low to high, and establish p via historical data, fiat, SMEs, or other means
- Timeframes and other data may also be added

Financial Metrics
- To adequately establish a risk value, financial metrics must be used:
  o Monetary value of assets
  o List of significant threats
  o P of each threat occurring
  o Recommended safeguards, controls (and costs) and remediation/implementation actions

Calculating Damage
- Overall value of the asset to the organization
- Immediate financial impact of losing the asset
- Indirect business impact of losing the asset
- Exposure factor: percentage of loss that a single threat could have on a certain asset
- Single Loss Expectancy (SLE): total amount of loss from a single occurrence of the risk
- Annual Rate of Occurrence (ARO): normalized rate at which the risk exposure resulting in actual damage occurs during one year
- Annual Loss Expectancy (ALE): total amount of money that an organization will lose in one year if nothing is done to mitigate the risk

ROSI
- Return On Security Investment (ROSI) is computed from:
  o ALE before control
  o ALE after control
  o Annual cost of control
- Simply put, the task is to 1) identify and prioritize assets to be protected, 2) identify relevant threats and the probability of their occurrence and 3) compare the expected losses with the cost of appropriate countermeasures.
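The EF/SLE/ARO/ALE chain and the ROSI comparison above, carried through for one asset and three candidate controls. This is an added example, not code from the lecture notes or the textbook; the asset value, exposure factors, rates and control costs are constructed sample figures, and ROSI is taken as (ALE before - ALE after - annual cost) / annual cost, the usual reading of the three inputs the notes list.

```python
"""Quantitative risk metrics from the chapter: EF, SLE, ARO, ALE and ROSI.

Added example; all monetary values, rates and control effects are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One asset/threat pairing with the metrics needed for an ALE."""
    asset: str
    asset_value: float      # monetary value of the asset to the organization
    exposure_factor: float  # fraction (0..1) of asset value lost per occurrence
    aro: float              # annual rate of occurrence (0.5 = once every 2 years)


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and its assumed effect on the exposure it targets."""
    name: str
    annual_cost: float
    new_exposure_factor: float  # EF once the control is in place
    new_aro: float              # ARO once the control is in place


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: loss from a single occurrence = asset value x exposure factor."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(exp: Exposure) -> float:
    """ALE: expected yearly loss if nothing is done = SLE x ARO."""
    return single_loss_expectancy(exp.asset_value, exp.exposure_factor) * exp.aro


def rosi(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """ROSI as a ratio of the control's annual cost.

    2.75 means each dollar spent is expected to avoid $3.75 of loss;
    a negative value means the control costs more than the loss it avoids.
    """
    if annual_cost <= 0:
        raise ValueError("annual control cost must be positive")
    return (ale_before - ale_after - annual_cost) / annual_cost


def evaluate_controls(exp: Exposure, controls: list[Control]) -> list[dict]:
    """The chapter's cost-benefit step: rank candidate controls, best ROSI first."""
    before = annual_loss_expectancy(exp)
    rows = []
    for c in controls:
        after = annual_loss_expectancy(
            Exposure(exp.asset, exp.asset_value, c.new_exposure_factor, c.new_aro))
        rows.append({
            "control": c.name,
            "ale_before": before,
            "ale_after": after,
            "annual_cost": c.annual_cost,
            "rosi": rosi(before, after, c.annual_cost),
        })
    return sorted(rows, key=lambda r: r["rosi"], reverse=True)


# Constructed sample: a customer database worth $500,000 to the business.
# A breach is assumed to destroy 40% of that value about once every two years.
CUSTOMER_DB = Exposure("customer database", 500_000.0, 0.40, 0.5)

# Constructed candidate safeguards with assumed effects on EF and ARO.
CANDIDATES = [
    Control("encryption at rest", annual_cost=20_000.0,
            new_exposure_factor=0.10, new_aro=0.5),
    Control("intrusion detection", annual_cost=45_000.0,
            new_exposure_factor=0.40, new_aro=0.2),
    Control("gold-plated appliance", annual_cost=120_000.0,
            new_exposure_factor=0.05, new_aro=0.1),
]

if __name__ == "__main__":
    for row in evaluate_controls(CUSTOMER_DB, CANDIDATES):
        print(f"{row['control']:<22} ALE {row['ale_before']:>9,.0f} -> "
              f"{row['ale_after']:>9,.0f}  cost {row['annual_cost']:>9,.0f}  "
              f"ROSI {row['rosi']:+.2f}")
```

The expensive appliance reduces loss the most yet ranks last, which is the point of the ROSI step: the cheapest control that brings ALE down enough wins.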
Minimum IT RM
- ID software vulnerabilities and patching
- Data confidentiality controls
- Data integrity controls
- System integrity controls (availability)

Basic Threat Checklist
- See Table 2.4, pages 59-60 of the text
- What are the likelihood and impacts of each?
- Note the broad range of threats
- See Table 2.5, page 61 for a partial list of tools to mitigate some of the threats

Enterprise Architecture (EA)
- Creates a map for the IT assets and business processes, along with a set of governance principles that drive an on-going discussion about business strategy and how it can be expressed through IT.
- The EA seeks to create a unified IT environment (standardize hardware and software) across a firm or all of the firm's business units, with tight symbiotic links to the business side of the organization and its strategy.
- Productivity paradox / RM paradox

Chapter 2 Appendices
- Read and review the Chapter 2 Appendices 2A.1 thru 2A.5 for a more complete list of:
  o IS threats
  o IS vulnerabilities
  o IS impacts
  o IS risk events
  o IS controls
- You will be responsible for those appendices

Chapter 3: Information Security Risk Management Standards

What's a Standard
- Something set up and established by an authority as a rule for the measure of quantity, weight, extent, value, or quality
- A commonly accepted way of performing a task or doing something

Why Have Standards
- Provides for a common language
- Reduces costs
- Assures quality and integrity
- Demonstrates accomplishment of legal, regulatory, or policy obligations
- Demonstrates a level of performance

Common Standard-Making Bodies (International and US)
- International Standards Organization (ISO)
- Internet Engineering Task Force (IETF)
- American National Standards Institute (ANSI)
- National Institute of Standards and Technology (NIST)

Legal Requirements
- Federal Information Security Management Act of 2002 (FISMA)
- Family Education Rights and Privacy Act (FERPA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Sarbanes-Oxley (SOX)

Recall the Risk Management Processes
- Ongoing ID of threats, vulnerabilities, and events
- Risk assessment (probability of the event happening x impact)
- Risk mitigation planning (i.e., ROSI)
- Risk mitigation implementation
- Evaluation of mitigation effectiveness

ISO/IEC Standards
- ISO/IEC 13335-1:2004: IT security techniques
- ISO/IEC 27000 series: family of standards; all things information security
- ISO/IEC 27001:2005: IS management system requirements
- ISO/IEC 18028:2006: network security
- ISO/IEC 18044:2004: incident management
- ISO/IEC 31000: risk management series

ISO/IEC 13335-3:1998
- Identification of assets
- Valuation of assets and establishment of dependencies between assets
- Threat and vulnerability assessment
- ID of existing or planned safeguards
- Assessment of risk exposure

ISO/IEC 27000 Series
- Provides generally accepted best practices and guidance on establishing, operating, monitoring, reviewing, maintaining and improving a documented ISMS
- The ISMS is a security governance/management process that is or can be used by an organization to handle information security and risk management
- Describes the fundamentals and vocabulary

ISO/IEC 27001:2005
- Defines the requirements for an ISMS
- An ISMS is a management system for dealing with information security risk exposures
  o Provides a framework for policies; procedures; and physical, legal, and technical security controls forming the organization's overall risk management process
  o Incorporates the Deming Plan, Do, Check, Act cycle

PDCA
- Plan: define requirements, assess risks, decide controls
- Do: implement and operate the ISMS
- Check: monitor and review the ISMS
- Act: maintain and continuously improve the ISMS

Why 27000?
- Certification against an accepted standard is increasingly being demanded by business partners
- Engenders rigor and formality in the process
- Certification bodies around the world recognize the standard
- Still growing as a recognized standard (50 million corporations/institutions in the world)

ISO/IEC 27001:2005 Specifications for an ISMS
- Formulate security requirements and objectives
- Ensure security risks are effectively managed
- Ensure compliance with laws and regulations
- Framework for implementing controls
- Incorporate new security processes
- Identify and clarify existing security processes
- Status of the information security process
- Used by auditors to demonstrate IS policy
- Provides information security information to customers

ISO 27002:2005 Security Controls
- Identifies a set of 133 controls, under 33 security objectives, to address IS risk exposure
- Controls not mandatory; organizations can choose those that are applicable
- Code of practice, not a formal specification
- Provides a listing of best practices

Overarching 27002 Security Tenets: Security Policy
- A high-level policy statement defining key directives and mandates of the organization
- A comprehensive apparatus of specific organizational security policies and instructions
- Provides a clear statement of the organization's posture on issues such as:
  o Computer and network security
  o Acceptable use
  o Training
  o Incident response
  o Certification and accreditation

27002 Tenet: Organization of Information Security
- Considers security controls for internal and external parties
  o Internal: roles and responsibilities, confidentiality agreements, contracts and special interest groups
  o External: deals with 3rd-party risk exposures such as contractors, service providers, suppliers, and customers

27002 Tenet: Asset Management
- Inventory of information assets
- Inventory of IT assets
  o Hardware
  o Software
  o Data
  o Systems
  o Storage media
  o Supporting systems (HVAC, UPS)
- Should include security priority classification and acceptable use policies

27002 Tenet: Human Resource Security
- Controls for joiners, movers, and leavers
- Recruiting best practices
- IS education and training of employees
- Disciplinary process for breaches in security
- Return of corporate assets, removal of access rights
- Changes in rights and data access privileges for those who move within the organization

27002 Tenet: Physical and Environmental Security
- Physical protection from malicious or accidental damage
  o Overheating
  o Loss of power
  o Emanations
  o Cabling
- Fires, floods, storms, sabotage

27002 Tenet: Communications and Operations Management
- Operational and procedural responsibilities (separation of operational and development systems)
- Third-party service delivery management
- System planning and acceptance
- Protection against malicious code and mobile code
- Backup
- Network management
- Media handling
- Exchange of information
- Electronic commerce services
- Network monitoring

27002 Tenet: Access Control
- Codified in the access control policy
- User access management
  o Authentication
  o Rights and privileges
  o Periodic review of rights
- User responsibilities
- Network access controls
- Operating system controls
- Application and information access controls
- Mobile computing and telework

27002 Tenet: Information Systems Acquisition, Development and Maintenance
- Security requirements for IT systems
- Correct processing in application systems
- Cryptographic controls
- Security of system files
- Security in development and support processes
- Technical vulnerability management

27002 Tenet: IS Incident Management
- Responsibilities
- Procedures
- CERT
- Handling of evidence
- Reporting to the public
- Reconstitution of systems and information

27002 Tenets: Others
- Business continuity management
  o Disaster recovery
  o Continuity management
  o Contingency planning
- Compliance
  o Legal requirements
  o Security policy and standards
  o Information system audit considerations

ISO/IEC 27003
- Provides implementation guidance for the ISMS
- Sections
  o Obtain management approval for the ISMS
  o Defining scope and policy
  o Conducting business analysis
  o Conducting risk assessments
  o Designing the ISMS
  o Implementation

ISO/IEC 27004: Security Techniques and Measurements
- In second final committee draft
  o Provides guidance toward selecting measurements for evaluating the effectiveness of the ISMS
  o Usually related to controls
  o Measurements can take years to adequately develop

ISO/IEC 31000
- Provides the first international standard for risk management
- The 27000 series focuses on the ISMS; part of the ISMS is risk management
- Note that it is for all RM in all domains, not just information systems

ISO/IEC 31000: Principles
- RM should create value
- RM should be an integral part of organizational processes
- RM should be a part of decision making
- RM should explicitly express uncertainty
- RM should be systematic and structured
- RM should be based on the best available information
- RM should be tailored (to the org's risk tolerance)
- RM should take into account human factors
- RM should be transparent and inclusive
- RM should be dynamic, iterative, and responsive to change
- RM should be capable of continuous improvement and enhancement

NIST Standards
- Provides a series of special publications (SPs) to support information security and risk management
- Covers vulnerabilities, threats, exploits, controls and measurement
- For this class, the focus is on specific information systems
- Will be covered in detail during the latter half of the class

AS/NZS 4360
- Will not be covered in this class
- Students are not responsible for its content

Chapter 4 Information Security Risk Management Methods and Tools

RM Method
- Well-defined process (a series of activities) based on a published standard (Chapter 3)
- RM phases
  o ID threats, vulnerabilities and events
  o Risk assessment
  o Risk mitigation planning
  o Risk mitigation implementation
  o Evaluation of mitigation effectiveness

RM Tools
- A plethora of tools (Table 4.1)
- Can be based on standards
  o National
  o International (ISO 27000)
  o De facto (OCTAVE)
  o Sector based [industry]
  o Individual organization
  o Adoption of a similar system standard

Which tool to use?
- Varies from organization to organization
- An industry-based approach
  o Allows for certification against a methodology
  o Gives stakeholders and trading partners some assurance
  o Due diligence
- Each tool has trade-offs
- Many tools are now automated

Review of Selected RM Methods
- Large number of tools
- Often country based
- Many follow ISO standards and follow the same basic steps
- Use both quantitative and qualitative methods
- Our focus will be limited to US methods
- However, knowledge of the existence of other countries' methods could be helpful
  o Mergers
  o Trading partners
  o Global/international expectations

FAIR: Factor Analysis of Information Risk
- Framework for understanding, analyzing, and measuring information risk
- Can work with other tools such as COBIT and OCTAVE (Chapter 5)
- Provides a
  o Taxonomy of the factors that make up risk
  o Method for measuring risk
  o Computational engine to understand relationships between measured factors
  o Simulation model for building risk scenarios

An Example: Terrorist Threat
- Motive: ideology
- Primary intent: damage/destroy
- Sponsorship: unofficial
- Preferred general target characteristics: entities or people who clearly represent a conflicting ideology
- Preferred specific target characteristics: high profile, high visibility
- Preferred targets: human, infrastructure
- Capability: varies by attack vector
- Personal risk tolerance: high
- Concern for collateral damage: low

Points to Ponder
- If the previous example were a record in a database, what could be derived:
  o Other threats with like characteristics
  o Mitigation strategies targeted to those characteristics
  o Effectiveness of mitigation strategies and controls against multiple threats
  o Prioritization of mitigation strategies and controls
  o Comparison to other organizations

FIRM: Fundamental Information Risk Management
- Developed by the Information Security Forum (ISF)
- Scalable to organizations of all sizes
- Has supporting products and modules for risk identification, analysis, and evaluation
  o Standard of Good Practice for Information Security
  o FIRM and the revised FIRM scorecard
  o Information Security Status Survey
  o Information Risk Analysis Methodologies (IRAM) project
  o Simple to Apply Risk Analysis (SARA)
  o Simplified Process of Risk Evaluation (SPRINT)

SPRINT
- Can help identify the vulnerabilities of existing systems and the safeguards needed to protect them
- Can define the security requirements for systems under development and define the controls needed to satisfy them
  o Secure SA&D
  o Baked-in vs. bolted-on

FMEA: Failure Modes and Effects Analysis
- Examines potential ways a system might fail and cause adverse effects
  o Lists assets under consideration and their intended use
  o Collects security-related requirements for assets
  o Elaborates threats and applies them to systems to determine vulnerabilities
  o Scores the risks
  o Proposes and implements mitigation strategies
- Helps prioritize requirements by analyzing likelihood levels against severity levels (sound familiar?)
- Uses high, medium, low scores for both axes of the matrix
- Acceptable risk scores are decided by the organization
- Goal is to develop measures that will best reduce risk to acceptable levels
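The likelihood-by-severity scoring step of FMEA, as an added example rather than code from the notes or any FMEA tool. The 1..3 numeric mapping of low/medium/high, the tie-break rule and the acceptable-score threshold are assumptions: the notes say both axes use high/medium/low and that the organization decides which scores are acceptable, but give no numbers.

```python
"""FMEA-style likelihood x severity scoring and prioritization.

Added example; the scale, threshold and worksheet rows are constructed.
"""
from dataclasses import dataclass

# Assumed ordinal scale shared by both axes of the 3x3 matrix.
LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class FailureMode:
    """One row of an FMEA worksheet: asset, what fails, and its effect."""
    asset: str
    threat: str        # how the asset could fail or be made to fail
    effect: str        # adverse effect on the asset's intended use
    likelihood: str    # low / medium / high
    severity: str      # low / medium / high


def _level(name: str) -> int:
    try:
        return LEVEL[name.lower()]
    except KeyError:
        raise ValueError(f"level must be low/medium/high, got {name!r}") from None


def risk_score(likelihood: str, severity: str) -> int:
    """Cell of the matrix: likelihood level x severity level, 1..9."""
    return _level(likelihood) * _level(severity)


def prioritize(modes: list[FailureMode], acceptable_max: int) -> list[dict]:
    """Rank failure modes by score and flag those above the org's threshold.

    Ties on the product are broken by severity, so a rare-but-catastrophic
    failure sorts ahead of a common-but-minor one with the same score.
    """
    ranked = sorted(
        modes,
        key=lambda m: (risk_score(m.likelihood, m.severity), _level(m.severity)),
        reverse=True,
    )
    return [
        {
            "asset": m.asset,
            "threat": m.threat,
            "score": risk_score(m.likelihood, m.severity),
            "needs_mitigation": risk_score(m.likelihood, m.severity) > acceptable_max,
        }
        for m in ranked
    ]


# Constructed sample worksheet for a small web shop.
SAMPLE = [
    FailureMode("order database", "ransomware on DB host",
                "orders unavailable", "medium", "high"),
    FailureMode("public website", "volumetric DoS",
                "site unreachable for hours", "high", "medium"),
    FailureMode("backup tapes", "tape lost in transit",
                "customer data exposed", "low", "high"),
    FailureMode("office printer", "paper jam",
                "delayed printing", "high", "low"),
]

# Assumed organizational decision: scores of 3 or below are accepted as is.
ACCEPTABLE_MAX = 3

if __name__ == "__main__":
    for row in prioritize(SAMPLE, ACCEPTABLE_MAX):
        flag = "MITIGATE" if row["needs_mitigation"] else "accept"
        print(f"{row['score']}  {flag:<8} {row['asset']}: {row['threat']}")
```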

FRAP: Facilitated Risk Analysis Process
- A qualitative approach to RA
  o Identifies threats
  o Establishes the probability that a threat will occur
  o Determines the impact of the threat
  o Can adjust risk levels
  o Identifies mitigating controls and safeguards
  o Helps to develop an implementation action plan
- Facilitator-led process
- Establishes the:
  o Assessment scope
  o Assessment definitions
  o Process for prioritizing threats
- Business-driven process
- Helps an organization to select the appropriate methodology for assessing risk

ISAMM: Information Security Assessment Monitoring Method
- Helps an organization define the ISMS for obtaining ISO 27001 certification
- Quantitative approach using the formula:
  o Annual loss expectancy = probability x average impact
- The planner can show and simulate the effect on the risk ALE of each improvement measure and compare it to the cost of the investment
- Can show this in a number of visual formats
- Like most other tools, ISAMM helps with
  o ID of assets and threats
  o Vulnerability level and threat probability and impact
  o Representation of risks and probability and impact
  o DS for acceptability of risks
  o DS for selection of safeguards
  o Graphic representations and reports
- ISAMM RM has 4 parts
  o Scoping
  o Assessment of compliance and threats
  o Validation of compliance and threats
  o Result calculation and reporting

ISO 31000 Methodology
- Step 1: Understanding the organization and the environment
- Step 2: Define the RM policy
- Step 3: Achieve integration in organizational policy
- Step 4: Define accountability
- Step 5: Identify resources
- Step 6: Establish internal communications and reporting measures
- Step 8: Develop a plan for implementation
- Step 9: Implementing the framework for managing risk
- Step 10: Implementing the process
  o 10.1: Communication and consultation
  o 10.2: Establishing the context
  o 10.3: Developing risk criteria
  o 10.4: Risk assessment
  o 10.5: Preparing and implementing treatment plans
  o 10.6: Recording the RM process
  o 10.7: Monitoring and review
- Step 11: Monitoring and review of the framework
- Step 12: Continual improvement of the framework
- Ultimate goal is to achieve ISO 31000 certification

Other tools include
- IT-Grundschutz (IT Baseline Protection Manual)
- MAGERIT (Methodology for IS Risk Analysis and Management)
- MEHARI (Harmonized Risk Analysis Method)
- Microsoft's Security Risk Management Guide
- MIGRA
- NIST
- NSA IAM/IEM/IA-CMM
- Open source approach

Commonality among approaches
- Follow a similar structure: identify, analyze risk, prioritize, select and implement controls
- Provides documentation to prove an RM was accomplished
- Many tools now offer a database of risks and controls to conduct "what-if?" analysis
- Tool vendors will help, for a price

Selecting a tool
- Standards-based or not
- Quantitative or qualitative
- Cost and value of the tool (ROI)
- Maintainability and support
- Usability
- Scalability

Chapter 5: COBIT and OCTAVE

COBIT: Control Objectives for Information and Related Technology
- Links IT to business requirements
- Organizes IT into a generally accepted process model
- Identifies the major IT resources to be leveraged
- Defines management control objectives
- RM is a part of COBIT

Information Criteria
- Effectiveness
- Efficiency
- Confidentiality
- Integrity
- Availability
- Compliance
- Reliability

IT Resources Considered
- Applications
- Information
- Infrastructure
- People

Process-Oriented Approach
- Plan and Organize
- Acquire and Implement
- Deliver and Support
- Monitor and Evaluate

IT and Application Controls
- IT controls
  o Systems development
  o Change management
  o Security
  o Computer operations
- Application controls
  o Completeness
  o Accuracy
  o Validity
  o Authorization
  o Segregation of duties

Support Maturity Models
- What are our industry peers doing, and how are we placed in relation to them?
- What is acceptable industry good practice, and how are we placed with regard to these practices?
- Based on these comparisons, can we be said to be doing enough?
- How do we identify what is required to be done to reach an adequate level of management and control over our IT processes?

COBIT Points to Ponder
- RM and security are subsets of COBIT
- However, if using COBIT for other purposes, it can do a lot to help prepare a risk analysis or C&A
  o Can help avoid redundancies of effort
  o Can help when new systems are developed
  o Can help with configuration control

OCTAVE: Operationally Critical Threat, Asset and Vulnerability Evaluation
- Series of workshops by teams of the organization's personnel
  o ID critical assets
  o ID vulnerabilities and threats
  o Develop protection strategy and risk mitigation plans

OCTAVE Method
- Keys to success
  o Senior management sponsorship
  o Select analysis team
  o Scope OCTAVE
  o Select participants
- Phases
  o Build asset-based threat profiles
  o Identify infrastructure vulnerabilities
  o Develop security strategy and plans

Build Asset-Based Threat Profiles
- Process 1: Identify Senior Management Team
- Process 2: Identify Operational Area Management Knowledge
- Process 3: Identify Staff Knowledge
- Process 4: Create Threat Profiles

Identify Infrastructure Vulnerabilities
- Process 5: Identify Key Components
- Process 6: Evaluate Selected Components

Develop Security Strategy and Plans
- Process 7: Conduct Risk Analysis
- Process 8: Develop Protection Strategy

OCTAVE Points to Ponder
- Assumes much of this hasn't already been done
  o Not necessarily a blank slate
- Assumes the top management team is available for support
- Somewhat of a precursor for true risk management and C&A
