
Information Security Risk Management in HEIs:

From Processes to Operationalization


Wolfgang Hommel, Stefan Metzger, Michael Steinke
EUNIS 2015 Dundee, June 11th, 2015
Leibniz Supercomputing Centre (LRZ)

Photo: Ernst A. Graf, 2012

• Data center for all Munich HEIs
o 130,000+ users (~180,000+ systems)
o Communication network spans 550+ buildings
o 100+ PB file servers/backup/archive

• National HPC center
o Flagship: SuperMUC, 3 PetaFlops
o Large Linux cluster (~10k cores)
o Gauss Computing Centre member
June 11th, 2015 Information Security Risk Management in HEIs: From Processes to Operationalization 2
Doing information risk management together

• Cooperative approach: risk management can't be done by one person or
by the HEI's higher-level management alone

• A template supports this cooperative approach and can be adapted to
every HEI's infrastructure (available at: https://git.lrz.de/?p=riskdoc.git)

• Goal: discussion and feedback for further improvement of the template
Overview

• Motivation
o Risk management in HEIs – an analyst's perspective
o Gap between reading about risk management and doing it

• Template-based risk management
o Objectives and benefits
o Design process
o Selected content

• Next steps
SANS Analyst survey (June 2014):
"Higher education: Open and secure?"

• 55% of organisations lack formal risk assessment and remediation policies
• 46% of organisations don't encrypt PII in transit
• Data at risk: personally identifiable information (PII) receives special attention
• Security teams are understaffed and under budget

https://www.sans.org/reading-room/whitepapers/analyst/higher-education-open-secure-35240
Decentral organisation, but cooperative

[Diagram: the HEI's central risk management (CRM) at the top, faculty RM (Team / IO) per faculty, technicians and service administrators below; business processes cut across all levels]
Decentral information flows, but also cooperative

[Diagram: the same levels, HEI's CRM, faculty RM (Team / IO) and service administrators, with risk information flowing between them]
Continuous risk management process

Roles involved: higher-level management, RM team, administrators

Cycle:
o Define your risk appetite
o Establish the RM context
o Identify threats
o Likelihood & impact
o Implemented safeguards
o Remediation
Where do I start and what do I do in there?

• Establish the RM context
o Higher-level management focuses on (business) processes
o Technicians and system administrators focus on information,
hard-/software and operational details

• Stakeholders acquire identical data (RM tools on the market lack
the required import functions)

• Administrators cover identical threats → delegate to special groups
(e.g. facility management, ...)

• Remediation through mapping of safeguards to threats
Template-based risk management

Desired benefits

• Enables involved stakeholders to contribute to the HEI's overall risk management

• Current overall HEI's or faculty-/service-specific risk levels

• For technical staff:
o Is the service's risk level acceptable? → nothing to do!
o If the risk level is not acceptable → who has to respond?
How we created the risk management template

Inputs:
o Interviews with the LRZ security team
o Interviews with LRZ administrators
o Existing LRZ security concepts
o Standards/frameworks (ISO/IEC 27005, BSI IT baseline protection)
o Literature: scientific papers, various web sources

→ Template's content and structure
→ Management approval and commitment
→ LRZ risk management template, with continual improvement
Template content overview

Document's structure:

• Metadata / introduction
• Risk acceptance
• Risk management context
• Threat identification + risk assessment
• Remediation / measures
Metadata and introduction

• Metadata
o Author and version information
o Storage location
o Last modification / next update due

• Introduction
o Objectives (HEI's overall risk level vs. staff's perspective)
o Cooperative risk management process
o How to complete the template
HEI's risk appetite / acceptance

• A curve through the risk assessment matrix divides risks into
acceptable and not acceptable

• Criteria for risk acceptance
o (Financial impact)
o (Legal, contractual liability)
o How many users are affected?
o What is an acceptable MTTR?
o Is PII processed or not?
o Position/group of affected users
HEI's risk management context
Systems / asset prioritization

[Figure: system/asset prioritization, from: SANS Analyst Survey "Higher Education: Open and secure" (June 2014)]
Technicians' risk management context

• Based on the HEI's primary asset definition

• (Technical) secondary assets
o Hardware
o Installed software / base services
o Processed information and its flows
o (Operational details)
Threat identification

• Threat catalogues (ISO/IEC 27005, BSI IT baseline protection, ...)

• How to find further threat events

• Structured, scenario-based description of threat events
o Actor (trigger or cause of a threat)
o Threat type (e.g. malicious intent, failure, ...)
o Event description
o Asset / asset group affected
o (Time)
Risk assessment & remediation

• Each administrator / faculty RM staff member can do it, but it also
has to be done by the HEI's RM

• Structured, also template-based description of measures

• "Start easy, become complex!"
o Try simple (technical) solutions first
o Share your information/knowledge and solutions with others
o Generate HEI-wide synergies, esp. for cost-intensive measures
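The following is an added worked example, not code from the LRZ template or the authors: it models the assessment step the slides describe (risk appetite as an acceptance curve through the likelihood/impact matrix, scenario-based threat events with actor, threat type, event, asset and time, safeguards mapped to threats, and the per-service decision "acceptable → nothing to do / not acceptable → who has to respond"). The 1..5 scales, the shape of the acceptance curve, the safeguard reductions and the two sample services are assumptions for illustration only.

```python
"""Added example (not the LRZ template's own code): scenario-based threat events,
a likelihood x impact matrix with an acceptance curve (the HEI's risk appetite),
safeguards mapped to threats, and the per-service remediation decision.
All scales, names and sample data are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Optional

SCALE = range(1, 6)  # assumed ordinal scale: 1 = rare/negligible .. 5 = almost certain/severe


@dataclass(frozen=True)
class ThreatEvent:
    """Scenario-based threat description: actor, threat type, event, asset, (time)."""
    actor: str            # trigger or cause (external attacker, hardware, staff, ...)
    threat_type: str      # malicious intent, failure, natural event, ...
    event: str            # what happens
    asset: str            # asset or asset group affected
    likelihood: int       # 1..5, before safeguards
    impact: int           # 1..5, before safeguards
    time: Optional[str] = None  # optional time window, e.g. "exam period"


@dataclass
class Service:
    """A service in a faculty's RM context, with the group that responds."""
    name: str
    owner: str
    threats: list = field(default_factory=list)
    # implemented safeguards mapped to threat events:
    # event -> (likelihood reduction, impact reduction) on the 1..5 scale
    safeguards: dict = field(default_factory=dict)


# Acceptance curve (assumed): for each likelihood, the highest impact the HEI
# still accepts. Every matrix cell above the curve needs remediation.
ACCEPTANCE_CURVE = {1: 4, 2: 3, 3: 2, 4: 1, 5: 0}


def risk_score(likelihood: int, impact: int) -> int:
    """Cell value of the risk matrix; rejects values off the scale."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be on the 1..5 scale")
    return likelihood * impact


def is_acceptable(likelihood: int, impact: int, curve=ACCEPTANCE_CURVE) -> bool:
    """True if the (likelihood, impact) cell lies on or below the acceptance curve."""
    return impact <= curve[likelihood]


def residual(service: Service, threat: ThreatEvent):
    """Likelihood/impact after the safeguards mapped to this threat, clamped to the scale."""
    dl, di = service.safeguards.get(threat.event, (0, 0))
    return max(1, threat.likelihood - dl), max(1, threat.impact - di)


def assess_service(service: Service, curve=ACCEPTANCE_CURVE):
    """Service risk level (highest residual score) and the items that need a response."""
    level, open_items = 0, []
    for t in service.threats:
        lik, imp = residual(service, t)
        level = max(level, risk_score(lik, imp))
        if not is_acceptable(lik, imp, curve):
            open_items.append({"threat": t.event, "asset": t.asset,
                               "likelihood": lik, "impact": imp,
                               "responder": service.owner})
    return level, open_items


def hei_risk_level(services, curve=ACCEPTANCE_CURVE):
    """Overall level = worst service level, plus the services with open items."""
    per_service = {s.name: assess_service(s, curve) for s in services}
    overall = max((lvl for lvl, _ in per_service.values()), default=0)
    todo = {name: items for name, (_, items) in per_service.items() if items}
    return overall, todo


# Constructed sample data (not real LRZ services or assessments).
SAMPLE_SERVICES = [
    Service(
        name="mail", owner="mail-admins",
        threats=[
            ThreatEvent("external attacker", "malicious intent",
                        "credential theft via phishing", "user accounts", 4, 3),
            ThreatEvent("hardware", "failure",
                        "disk failure in mail store", "mail store", 3, 4),
        ],
        safeguards={
            "credential theft via phishing": (2, 0),  # second factor on login
            "disk failure in mail store": (1, 2),     # RAID plus nightly backup
        },
    ),
    Service(
        name="hpc-login", owner="hpc-team",
        threats=[
            ThreatEvent("external attacker", "malicious intent",
                        "SSH brute force on login nodes", "login nodes", 4, 3),
        ],
    ),
]

if __name__ == "__main__":
    overall, todo = hei_risk_level(SAMPLE_SERVICES)
    print("overall HEI risk level:", overall)
    for name, items in todo.items():
        for item in items:
            print(f"{name}: '{item['threat']}' on {item['asset']} "
                  f"-> {item['responder']} must respond")
```

With the sample data the mail service ends up below the curve once its safeguards are applied (level 6, nothing to do), while the unmitigated brute-force scenario on the HPC login nodes sits above it (score 12), so the HEI-wide level is 12 and the report names the hpc-team as responder. The aggregation uses the worst service level; a faculty- or group-wide report is the same function over a subset of services.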

Next steps

• Continuously improve the LRZ risk management template

• Discussions in regional and national groups

• Web application (released as open source)
o Support for importing existing data
o Central storage
o Reporting of service-, group- or HEI-wide risk level
o Statistics and export functions
Conclusion

• Our template-based risk management approach
o ... helps doing (technical) risk management
o ... helps service owners to decide if further action is required
o ... provides an estimation of the overall risk level for HEIs
o ... is not finalized yet, but a good starting point

• PDF of the current version at https://git.lrz.de/?p=riskdoc.git

• We welcome any feedback! riskmgmtdoc@lrz.de
o How to make the template more intuitive to use?
o Which topics should be covered additionally?
o Another/better risk management approach? Let's talk about it
