Security Risk Management Overview

Abstract

Introduction

1. Introduction
   • most organisations have information assets that should be protected from improper access or manipulation
   • likelihood and severity of compromise depends primarily on effectiveness and consistency of risk management strategy used
   • historically has been done on an ad hoc basis
   • primarily using physical security mechanisms. with no distinction between information and property
   • in a wired world need to consider a broader perspective
   • and to implement a more rigourous processes?

     Quote HB321 Preface piii: "The vulnerability of today's information society is still not sufficiently realised: Businesses, administrations and society depend to a high degree on the efficiency and security of modern information technology. In the business community, for example, most of the monetary transactions are administered by computers in the form of deposit money. Electronic commerce depends on safe systems for money transactions in computer networks. A company's entire production frequently depends on the functioning of its data-processing system. Many businesses store their most valuable company secrets electronically. Marine, air, and space control systems, as well as medical supervision, rely to a great extent on modern computer systems. Computers and the Internet also play an increasing role in the education and leisure of minors. International computer networks are the nerves of the economy, the public sector and society. The security of these computer and communication systems is therefore of essential importance. European Commission 1998"

2. Risk Management
   • management of risk integral part of management process
   • is multifaceted, needing multi-disciplinary teams
   • can applied at many level in an organisation (strategic & operational)
   • is an iterative process
   • information security risks are special in that considered to only have negative outcomes

     Quote - ACSI33 Ch3 301: "Risk management is a methodology for comprehensively and systematically managing risks in an organisation. Risk management provides a framework to help keep obstacles, opportunities and ultimate goals clearly in sight."
     Hence the purpose of "Risk Management" is to reduce likelihood of asset compromise.
     Points noted are taken from SA HB321 section 3 Intro p7.

3. Risk Analysis
   • key step in risk management process
   • determine what it is you are protecting
   • what you are protecting against
   • how much the protection is worth to you
   • goal: "provide some assurance that cost of security countermeasures is commensurate with risk"
   • without it could spend too little or too much

     Quote above from OLD ACSI33 HB3 301.

4. Risk Analysis Scope
   • Risk Analysis is part of a "harm minimisation" strategy
   • some risk is part of the cost of "doing business"
   • controls/countermeasures can reduce the seriousness of a threat
   • these could be applied to a huge range of assets & threats
   • need to limit to key assets / threats to IT systems
   • will result in a security plan used to manage risk
   • should be brief, to point, <1 to few pages
5. Risk Analysis IS Necessary
   • there are good reasons to do a risk analysis
   • to determine exactly what is protected against whom
   • to provide sufficient information to make considered decisions
   • without it all you have is guesswork and ad hoc decisions
   • which will likely waste money and resources
   • and not provide sufficient protection against all significant threats
   • may well be a requirement to undertake (by auditors, govt, law)
6. AusCERT Crime 2003 - Security Standards
   • AusCERT 2003 Australian Computer Crime and Security Survey identified standards used
   • only 37% of orgs used standards
   • ISO 17799:2001 by 63%
   • AS/NZS 7799.2:2003 by 55%
   • DSD ACSI33 by 33%
   • SA HB231:2000 by 22%
   • RFC 2196 by 9%

     Standards exist to provide guidance as to best practice. But Information Security standards use is still not high. The most cited standards were the International standard 17799 and AS/NZS 7799.2:2003. Also cited were the DSD standard ACSI33, Standards Australia supplement HB 231 to AS/NZS 4444, and the Internet RFC 2196. These are all good sources which organisation should use. Note - the various Australian & International standards are ONLY available for purchase, and are not free online.

7. AS/NZS ISO/IEC 17799:2001 Information technology - Code of practice for information security management
   • recently introduced international standard
   • based on BS7799 (and hence AS4444)
   • defines best practise for information security
   • provides a comprehensive framework
   • which can be externally audited
   • 12 main body sections
   • 65 pages + foreword/introduction/index
   • robust, commercially available, auditable, high level framework standard
   • good guide for "what to address next" in policy or risk analysis
   • nb. AS/NZS 17799 replaces earlier AS/NZS 4444/7799.1 to shadow ISO 17799

     This is the new(ish) International standard for IT security management, subsuming the earlier national standards. cf to ISO9000. Originally created by British govt, publ in Feb 1995, but other concerns (eg Millenium bug) meant not much attention initially. Revised May99, incl formal accreditation scheme and support tools, led to greater interest. Hence is now a key resource for anyone concerned with information security. To quote from its section 1 - Scope:
     "This standard gives recommendations for information security management for use by those who are responsible for initiating, implementing or maintaining security in their organization. It is intended to provide a common basis for developing organizational security standards and effective security management practice and to provide confidence in inter-organizational dealings. Recommendations from this standard should be selected and used in accordance with applicable laws and regulations." nb. this standard like most official standard publications is not freely available, but must be purchased (follow links in refs below). Any organisation serious about IT security ought to buy this standard and associated handbooks such as HB231.

8. AS/NZS ISO/IEC 17799:2001 Major Sections
   1. Scope
   2. Terms and Definitions
   3. Security Policy
   4. Organizational Security
   5. Asset Classification and Control
   6. Personnel Security
   7. Physical and Environmental Security
   8. Communications and Operations Management
   9. Access Control
   10. Systems Development and Maintenance
   11. Business Continuity Management
   12. Compliance

       Here is the list of major sections in 17799, taken from its Contents table.

9. AS/NZS 7799.2:2002 - Information security management - Part 2: Specification for information security management systems
   • companion standard to 17799 (formerly 7799.1 or 4444.1)
   • based on BS7799.2
   • defines a model for an effective Information Security Management System (ISMS)
   • based on Plan-Do-Check-Act process model
   • control objectives aligned with 17799
   • Plan phase requires selecting & implementing a systematic approach to risk assessment

     Quote AS7799.2 1. Scope: "This standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organizations overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof (see Annex B which provides informative guidance on the use of this standard). The ISMS is designed to ensure adequate and proportionate security controls that adequately protect information assets and give confidence to customers and other interested parties."

10. AS/NZS 4360:1999 - Risk management
    • Australian/NZ standard defining elements of the risk management process
    • defines risk management as an iterative process, of well-defined steps, support better decision-making by contributing a greater insight into risks and their impacts
    • specifies general method: establish context, identify, analyze, evaluate, treat, monitor and communicate risks

      Quote: 1 - Scope: "This Standard provides a generic guide for the establishment and implementation of the risk management process involving establishing the context and the identification, analysis, evaluation, treatment, communication and ongoing monitoring of risks."
      Quote: 2 - Application: "Risk management is the term applied to a logical and systematic method of establishing the context, identifying, analyzing, evaluating, treating, monitoring and communicating risks associated with any activity, function or process in a way that will enable organizations to minimize losses and maximize opportunities."

11. HB 231:2000 - Information Security Risk Management Guidelines
    • Standards Australia supplement to AS/NZS 17799/7799.2
    • complements other standards with additional guidance concerning management of information security risks
    • contents include sections on:
      1. Scope, Applications & Definitions
      2. Risk Management Framework
      3. Risk Management Overview
      4. Risk Management Process
      5. Documentation

      HB231 contains some more specific guidance about the information security risk management process for the majority of organisations. It is referenced by ACSI33 which we'll be using, as well as providing a more general form of guidance for non-govt/defence organisations. Was originally a supplement to AS/NZS 4444.1/2, recent errata has changed all references to the replacement AS/NZS ISO/IEC 17799 and AS/NZS 7799.2.

12. ACSI33 - Australian Communications-Electronic Security Instruction 33 - Government IT Security Manual
    • developed by the Information Security section of Defence Signals Directorate (DSD)
    • provide guidance to Australian Govt agencies on protecting IT systems
    • currently undergoing major revision - due out Mar 2004
    • based on various existing govt, national & international standards
    • major sections:
      • Part 1 The High-Level Process of IT Security
      • Part 2 IT Security Administration
      • Part 3 IT Security Standards
    • specifically we're interested in: "Part 2 - Chapter 2 - Risk Management & Threat & Risk Assessments (TRA)"

      ACSI33 is a key standard on Government IT Security. Compliance with it is mandatory for many government activities, and for everyone else it provides a useful guide of issues to consider. Note that ACSI33 is undergoing a major revision, due for release at the Security In Government (SIG) Conference in Mar 2004, which aligns it more closely with the standards listed above, as well as AG's Protective Security Manual.

13. Risk Management Process - AS4360 vs AS7799.2
    • AS/NZS 4360:1999 - Risk management - defines a general framework
      1. Establish Context
         strategic context
         organisational context
         risk management context
         develop criteria
         decide structure
      2. Identify Risks
         what can happen?
         how can it happen?
      3. Analyse Risks
         determine existing controls
         determine likelihood of threats
         determine consequences if threats realised
         estimate level of risk
      4. Evaluated Risks
         compare against criteria
         set risk priorities
      5. Accept Risks??
         if Yes monitor and review
         if No proceed to treat
      6. Treat Risks
         identify treatment options
         evaluate treatment options
         select treatment options
         prepare treatment plans
         implement plans
    • whilst AS7799.2 defines
      1. Define Policy, Define Scope of ISMS
         maps to 1 in AS4360
      2. Identify & Analyse Risks
         maps to 2-3 in AS4360
      3. Manage Risks, Select Controls, Prepare Statement of Applicability
         maps to 4-6 in AS4360

      Here compare the risk assessment frameworks from AS4360 and AS7799.2. The above points for AS4360 are taken from HB321 Fig 3.2 p9. This is the general framework which is then refined and specialised in IT specific risk management, as detailed in ISO17799 et al. Contrast with the framework in AS7799.2 (cf HB231 Table 3.1).

14. The Risk Assessment Process in more Detail
    • will now walk through the steps listed above in more detail
    • following guidance provided in Final Draft of ACSI33 Part 3 Ch 3
    • consistent with and using AG PSM, AS4360, HB231
    • specifies steps as:
      • Stage 1: Establishing the Context
      • Stage 2: Identifying the Risks
      • Stage 3: Analysing the Risks
      • Stage 4: Assessing & Prioritising Risks
      • Stage 5: Determining Appropriate Controls

      Now consider the risk assessment process as detailed in the Final Draft of ACSI 33 Part 3 Ch 3 (nb. section numbers may change between this and final released version).

15. Stage 1: Establishing the Context
    • define basic parameters within which risks managed
    • provide guidance for decisions within more detailed risk management studies
    • critically includes defining the assets being protected (structure)
    • based on HB321 Ch 4.1 Establish the Context
    • includes the following steps:
      1. strategic context
      2. organisational context
      3. risk management context
      4. develop criteria
      5. decide structure
16. Asset Identification (in step 5 above)
    • assets = "what needs to be protected"
    • could be: tangible thing, suitable level of service, staff, information
    • and who is responsible for them
    • important that key assets for the information system be identified
    • need to be determined in conjunction with owners
    • who should help determine a suitable level of granularity
    • dont confuse a container with the information in it
    • see HB231 4.1.6.1 Structured identification of information assets

      Determining assets, both tangible and intangible, for an organisation is the first critical step in the risk analysis process. An asset is anything an organisation can attach a value to, and hence requires protection. Determining what constitutes an asset, assigning a value to it, and determining who "owns" it, is something that has to be done with the people in the organisation.

      Examples from HB321 section 3.4.1 p12: info assets, paper docs, software assets, physical assets (incl h/w), marketing assets, services. Note that HB231 4.1.6.1 Structured identification of information assets provides a longer list of possible asset categories.

17. Stage 2: Identifying the Threats / Risks
    • then need to identify all threats/risks to assets listed above
    • a threat has potential to harm some assets
    • a vulnerability is a weakness associated with an asset
    • a security risk is the potential that a given threat will exploit vulnerabilities to cause loss or damage to an asset or group of assets
    • see HB321 Ch 4.2 Risk Identification
    • for each asset must identify all possible risks - cause & consequence

      Here discuss the process of identifying risks/threats (note both terms used in different places). Definitions from HB231 3.4.

18. Identifying Threats / Risks
    • sometimes risks are similar to other systems or organizations and can use generic lists
    • othertimes specific analysis of risks on case by case basis needed
    • a threat may be accidental or deliberate
    • may have more than one threat per asset
    • likely external threats can be identified from CERT reports, news, previous experience, legal requirements, etc
    • internal threats harder, need to evaluate organisation, use experience
    • should document sources for threats

      HB231 4.2 provides lists of tools and techniques which can help. Information on likelihood of these various types of threats is something a good IT risk analyst needs to bring in. Would use published sources of information, such as the AusCERT Computer crime surveys, (Aus)CERT advisories and lists of known problems, SANS Top 20 lists, plus interviews with people in org/industry on their experiences, esp wrt insider problems. See also HB231 App B which has a list of vulnerabilities to consider.

19. Stage 3: Analysing the Risks
    • here separate minor acceptable risks from major risks
    • and provide data to assist in evaluation and treatment of risks
    • by:
      1. determining the consequence of the risk
      2. determining the likelihood of the risk and documenting the source of information used to determine the likelihood
      3. determining the overall level of risk using a risk matrix table

      This list taken from ACSI33 P3-323.

20. Consequence Determination

    If the consequences would	Then an appropriate consequence rating is
    threaten the survival of not only the program but also the agency, possibly causing major problems for clients and for a large part of the Australian Public Service	extreme
    threaten the survival or continued effective function of the program or project and require top level management or ministerial intervention	very high
    not threaten the program but would mean that the program could be subject to significant review or changed ways of operating	medium
    threaten the efficiency or effectiveness of some aspect of the program but would be dealt with internally	low

    This table from ACSI33 P3-325 is based on ratings in AG PSM.
    Harm estimation needs to be done in conjunction with the asset owners. Need to emphasise that are considering the harm to the organisation as a whole, as a consequence of the threat to an asset being realised. Historically there seems to be a tendency to overestimate harm values in the context of the wider organisation and the effect on it, so care is needed to assume realistic values!

21. Likelihood Determination

    If a risk	Then an appropriate likelihood rating is
    is expected to occur in most circumstances	almost certain
    will probably occur in most circumstances	likely
    might occur at some time and may be difficult to control due to some external influences	possible
    could occur some time	unlikely
    may occur only in exceptional circumstances	rare

    This table from ACSI33 P3-327 is based on ratings in AG PSM.
    Note that the threat likelihood estimation is a measure of the likelihood of a real exploit of an identified vulnerability (being the specific threat in this row of the table), which causes actual harm to the specific asset identified. Emphasise that historically there seems to be a tendency to overestimate, and care is needed to assume realistic values!

22. Risk Matrix

    Likelihood	Consequences
    	Extreme	Very high	Medium	Low	Negligible
    Almost certain	H	H	H	S	M
    Likely	H	H	S	S	M
    Possible	H	H	S	M	L
    Unlikely	H	S	M	L	L
    Rare	S	S	M	L	L

    This table from ACSI33 P3-331 combines the threat likelihood and consequence to determine the overall risk rating of a specific threat.

23. Overall Level of Risk

    High	requiring detailed research and management planning at an executive level
    Significant	requiring senior management attention
    Moderate	manageable by specific monitoring or response procedures
    Low	manageable through routine procedures

    This detail the values in the table above, taken from ACSI33 P3-330

24. Stage 4: Assessing & Prioritising Risks
    • now determine risk management priorities by comparing level of risk against:
      1. predetermined standards,
      2. target risk levels, and/or
      3. other criteria.
    • document these in a risk register, assess each risk against them
    • use criteria to classify risk as acceptable or unacceptable
    • see HB321 Ch 4.4 Risk Evaluation

      Now determine risk management priorities in order to determine where effort needs to be focused.

25. Stage 5: Determining Appropriate Controls
    • a control is a measure that is taken to eliminate or minimise risks
    • aim is to identify controls that reduce residual risk of unacceptable risks by:
      • risk avoidance - by not proceeding with some risky aspect of system
      • reduction of likelihood - by reducing threats or vulnerabilities by changing security controls implemented
      • reduction of consequences - by changing way system is engineered
      • risk transference - to another party by insurance, outsourcing etc
      • risk retention - accept risk and plan to manage it
    • based on HB321 Ch 4.5 Risk Treatment
    • process results in a Control Register identifying response

      Now need to determine an appropriate cost-effective response to unacceptable risks. This may mean redirecting resources to where most needed, changing aspects of system, or even accepting a higher level of risk because its not worth paying more to reduce it.

26. Possible Controls
    • physical security - eg. secure areas, locks, fire control, guards
    • personnel security - eg. recruitment checks, staff monitoring, training
    • procedural security - eg. operating procedures doc, incident handling doc, contingency doc
    • technical security - eg. h/w & s/w security mechanisms
    • evaluated products - as part of system

      Above points are taken from HB321 section 4.5.3.1.

27. Determining Appropriate Controls
    1. Write the unacceptable identified risks from the risk register in priority order in a control register.
    2. Record one or more appropriate controls for each risk on the risk worksheet.
    3. Perform a cost/benefit analysis and write accept or reject against each control in the risk worksheet.
    4. Calculate the residual risk rating taking into consideration the effect of the accepted control/s.
    5. Assess the residual risk rating according to the criteria recorded on the risk register and update the risk register.
    6. Record the accepted controls in the control register.
28. TRA Executive Summary Example
    • Structural context - ACHILLES system and all peripherals, email, office software applications, standalone PCs located in the blue room, implementation of the peach operating system.
    • Risk - Physical damage to equipment
    • Causes and consequences - Malicious damage and industrial sabotage. The system may be totally inoperable until repairs can be made
    • Assets involved - All physical assets identified in the structural context
    • Risk likelihood without controls - Insurance statistics show that the likelihood of physical damage or theft to equipment is high. Personal experience suggests that without controls this risk is likely to occur frequently
    • Risk Rating - Consequence=Low, Likelihood=Likely, Overall Risk Rating=Significant
    • Management Priorities - target risk should be moderate
    • Controls - Perimeter security in accordance with T4 recommendations. Accept

      Here excerpt from the example provided inline in the ACSI33 Part 3 Ch 3 TRA Template - early draft, final version not yet on DSD web site. nb. provided own Risk Rating values since none were supplied ;-)

Conclusion

1. Conclusion
   • have looked at what risk assessment is and why its needed
   • reviewed some relevant standards
   • provided an overview of the DSD ACSI33 TRA process

   • any questions ?????
2. References

   Talk Outline:

   http://lpb.canb.auug.org.au/adfa/seminars/riskanal04/riskanal04.html

   ACSI33 (2000)

   DSD, ACSI33, "Government IT Security Manual", www.dsd.gov.au/library/acsi33/acsi33.html (2000)

   Draft ACSI33 (2004)

   DSD, ACSI33, "Government IT Security Manual Draft", www.dsd.gov.au/library/acsi33/acsi33_draft_information.html (2004)

   DSD Library

   DSD Library, www.dsd.gov.au/library/

   AS/NZS ISO/IEC 17799:2001

   ISO/IEC, "AS/NZS ISO/IEC 17799:2001 - Information technology - Code of practice for information security management"

   AS/NZS 7799.2:2003

   Standards Australia, "AS/NZS 7799.2:2003 - Information security management - Specification for information security management systems"

   AS/NZS 4360:1999

   Standards Australia, "AS/NZS 4360:1999 : Risk management".

   SA HB 231:2000

   Standards Australia, "HB 231:2000 - Information Security Risk Management Guidelines".

   AUSCERT

   AusCERT - www.auscert.org.au/

   AUSCERT Crime03

   AusCERT - 2003 Australian Computer Crime and Security Survey

   SANS

   SANS (System Administration, Networking, and Security) Institute - www.sans.org