Paradigm Shift!
Customer Information Centric IT Risk Assessments

The CICRAM™ IT Risk Assessment Methodology for GLBA & HIPAA Compliance
May 7th 2009
CICRAM™ IT Risk Assessment Methodology
© Copyright 2004-2009 Fernando Reiser, All Rights Reserved

Why Perform IT Risk Assessments?
• Management Request
• Regulatory Requirement
• IT Best Practice

What is “RISK”?
• First and most obvious, “Risk” is a probability issue.
• “Risk” has both a frequency and a magnitude component.
• The fundamental nature of “Risk” is universal, regardless of its context.
  An Introduction to Factor Analysis of Information Risk (FAIR): A framework for understanding, analyzing, and measuring information risk. Jack A. Jones, CISSP, CISM, CISA

“Risk is the association of the probability/frequency of a negative event occurrence, with the projected magnitude of a future loss.”
  Fernando A. Reiser CISSP, CISM, CISA, CIPP – April 2009


The Basic “IT Risk” Formula
It’s All About IT Risk

Information Security Professionals generally can agree that:
IT Controls mitigate Risk by lowering the Probability of a Threat acting on a Vulnerability to harm an organization’s Asset.


Assessing “IT Risk”
High Level Goals & Objectives
• Assess current threats & vulnerabilities
• Identify and assess “Risk Factors” to the Organization
• Present information in a way that management can use to make informed business decisions based on risk.

Processes
• Identify assets – information stores & IT systems.
• Quantify the probability of a negative event occurrence.
• Determine the value of information & IT assets.
• Assess the business impact of negative events.


Assessing “IT Risk”
It’s a simple concept, but a difficult and complex analytical problem to solve.

Most IT Risk Assessment Methodologies Attempt to Determine the Threats, Vulnerabilities, Negative Event Likelihood and Information Security Impacts to Specific IT Assets.


What IT Risk Assessment Methodology Should I Use?
Quantitative Risk Analysis
Two basic elements are assessed: the probability of a negative event – the “ARO” (annual rate of occurrence) – and the likely financial loss – the “SLE” (single loss expectancy). The Annual Loss Expectancy (“ALE”) is then calculated from the two.

Qualitative Risk Analysis
This is by far the most widely used approach to risk analysis. Probability data is not required and only the estimated financial loss is used.
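The quantitative path above comes down to ALE = SLE × ARO, and the same arithmetic is what later lets a control's risk reduction be expressed in dollars. The following is an added Python example, not code from the deck or from CICRAM: the Scenario class and function names are my own, and every dollar figure and rate in it is constructed for illustration.

```python
"""Quantitative risk analysis: SLE, ARO and ALE, plus the ALE reduction a
control delivers. Added example; the scenarios and figures are constructed."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One negative-event scenario against an asset holding customer data."""
    name: str
    sle: float  # Single Loss Expectancy: cost of one occurrence, in dollars
    aro: float  # Annual Rate of Occurrence: expected occurrences per year

    def __post_init__(self) -> None:
        if self.sle < 0 or self.aro < 0:
            raise ValueError("SLE and ARO must be non-negative")


def ale(sle: float, aro: float) -> float:
    """Annual Loss Expectancy: ALE = SLE x ARO."""
    return sle * aro


def rank_by_ale(scenarios: list[Scenario]) -> list[tuple[str, float]]:
    """Order scenarios so management sees the largest expected annual loss first."""
    scored = [(s.name, ale(s.sle, s.aro)) for s in scenarios]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def risk_reduction(s: Scenario, *, sle_after: float | None = None,
                   aro_after: float | None = None) -> float:
    """ALE removed by a control that lowers SLE (encryption shrinks the loss
    per incident), ARO (patching makes incidents rarer), or both.
    Whatever ALE remains after the control is the residual risk."""
    before = ale(s.sle, s.aro)
    after = ale(s.sle if sle_after is None else sle_after,
                s.aro if aro_after is None else aro_after)
    if after > before:
        raise ValueError("a control cannot raise the expected loss")
    return before - after


# Constructed scenarios: illustrative numbers, not figures from any real assessment.
SCENARIOS = [
    Scenario("Lost laptop holding customer records", sle=50_000, aro=0.5),
    Scenario("Phishing-led credential compromise", sle=120_000, aro=0.25),
    Scenario("Backup tape lost in transit", sle=200_000, aro=0.1),
]


if __name__ == "__main__":
    for name, expected_loss in rank_by_ale(SCENARIOS):
        print(f"{name:40} ALE ${expected_loss:>10,.0f}")
    laptop = SCENARIOS[0]
    # Full-disk encryption: a lost laptop no longer exposes the records, so
    # the SLE drops to roughly the hardware cost while the ARO is unchanged.
    print("Encryption removes", risk_reduction(laptop, sle_after=5_000), "per year")
```

The weak input is the ARO: the loss side can usually be estimated from record counts and notification costs, but occurrence rates are exactly the data the Schneier quote later in the deck says the profession lacks, so the ranking is only as good as the rate estimates fed in.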

What IT Risk Assessment Methodology Should I Use?
“Published” IT Risk Assessment Methodologies
Quantitative Methodologies: CRAMM, BITS (Kalculator), FAIR, FMEA
Qualitative Methodologies: FRAP, COBRA, OCTAVE

Assessing IT Risk:
“The Problem in the security world is we often lack the data to do risk management well. Technological risks are complicated and subtle.”
“We don’t know how well our network security will keep the bad guys out, and we don’t know the cost to the company if we don’t keep them out.”
  Does risk management make sense? Bruce Schneier – Oct 2008

In Addition, Traditional IT Risk Assessment Methodologies Do Not Assess IT Risks To Customer Information
• Storage
• Transmission
• Access & Processing

I Stipulate That The IT Security Profession Has A Dirty Little Secret ...

Randy Pausch Said In His Now Famous “Last Lecture” …
“When There Is An Elephant In The Room Introduce Him”
  Randy Pausch (Graphic – www.thelastlecture.com)

“Most IT Security Professionals Can Not Accurately Assess IT Risks.”
  Fernando A. Reiser CISSP, CISM, CISA, CIPP – April 2009

In fact, many Information Security professionals cannot even agree on a definition of IT Risk!
“Ask a dozen information security professionals to define risk and you’re certain to get several different answers.”
  An Introduction to Factor Analysis of Information Risk (FAIR), Jack A. Jones, CISSP, CISM, CISA

“Technically speaking, risk is the probability of a threat agent exploiting a vulnerability and the resulting business impact.”
  Understanding Risk, Shon Harris CISSP - 2006

If security professionals cannot agree on what the risks are, how can we accurately assess “IT Risks”?

What Are Leading Information Security Professionals Saying About Current IT Risk Assessment Processes & Models?
• Number-driven risk metrics 'fundamentally broken' – Amit Yoran, former National Cyber Security Division director
• Why Johnny Can’t Evaluate Security Risk – George Cybenko, Editor in Chief
• Taking the risk out of IT risk management – Jim Hietala – October 16, 2008
• Why you shouldn’t wager the house on risk management models – Bruce Schneier and Marcus Ranum – Oct 2008
• It’s time to think differently about protecting data – Bill Ledingham – September 10, 2008

There Is A Problem With Many IT Risk Assessment Processes.
Traditional IT Risk Assessment Methodologies are Primarily Focused on the Risks and Impacts to the Organization that is Being Assessed.
The Impact to the Confidentiality or Integrity of Customer and Employee Information is not Assessed!
  (Graphic - Microsoft)

Why Are Risks to Customer Information Important?
• Regulatory Requirements
  Financial Industry – GLBA
  Health Care – HIPAA
  Higher Education – FERPA
  State Data Breach
• Organizational Reputation
• Industry Standards
  Retail - PCI
  (Graphic - Microsoft)

The CICRAM™ IT Risk Assessment Methodology for GLBA & HIPAA Compliance

A Paradigm Shift In IT Risk Assessment Methodologies!
Assess Risks To Customer & Employee Information, Rather Than Operational IT Risks To The Organization.

CICRAM™ IT Risk Assessment Methodology
Core Concepts: A Simplified View of IT Risks

  Risk = (Threat × Vulnerability × Asset Value) / Countermeasures

An IT Risk is defined within CICRAM™ as the likelihood of a Threat acting on a Vulnerability to harm an asset which causes a negative impact.

CICRAM™ IT Risk Assessment Methodology
Core Concepts:
• There are an infinite number of “Latent” vulnerabilities in software systems that allow attackers to breach computer systems.
• There is a sufficiently high number of “Threats” that, given enough time, the likelihood of a vulnerability being exploited is 100%.
• “Customer Information” has an inherently high value.
• Assess “Risks” by following the movement of Customer Information.
• Assess the effects of an IT control failure. The “Worst Case Scenario” becomes the “Baseline” for the IT Risk Assessment.
• Effective IT controls reduce risks.
• IT Risks are almost never reduced to zero by the implementation of IT controls; there is usually some “Residual Risk”.

CICRAM™ IT Risk Assessment Methodology
Core Concepts:
There are only a few actions that can be performed with an Organization’s Customer Information:

ACTION                   INFORMATION SECURITY RISK FACTOR
View / Access / Use      Confidentiality
Copy                     Confidentiality
Modify                   Integrity
Loss                     Confidentiality
Delete / Destroy         Integrity and Availability

CICRAM™ IT Risk Assessment Methodology
“A Hybrid IT Risk Assessment Process”

• Use Qualitative Analysis methods to determine current IT “Threats”.
• Utilize “Data Flow” concepts to analyze risks to Customer Information as it moves across various environments.
• Use Interrogative & RIIOT methods to document the IT environment used to transmit, manipulate and store customer data.
• Use Qualitative Analysis methods to develop a “Baseline” of IT Risks for an IT environment that does not have any IT controls.
• Use Control Maturity Modeling and Quantitative Analysis methods to assess the effectiveness of current IT controls.
• Use Quantitative Analysis methods to determine the risk reduction impact of current IT controls.

CICRAM™ IT Risk Assessment
Step#1 – Assess The Current IT Threat Environment

Attack Motivational Factors
  External Threats
    i.   Criminal Cyber Gangs
    ii.  Former Employees
    iii. Consultants & Contractors
    iv.  Casual Hackers & Script Kiddies
  Insider Threats
    i.   Malicious Insiders: Corporate Spies & Disgruntled Employees
    ii.  Careless Staff: Policy Breakers and the Uninformed
Technical Attacks
  Malware Applications
    i.   Viruses, Worms, Trojans
    ii.  Spyware
    iii. Adware
  Botnets
  DNS
  Denial of Service
Human Attacks
  Social Engineering
  Identity Theft
  Email Spam

CICRAM™ IT Risk Assessment
Step#2 – Determine Where Customer Information Is Located

Data Flow Regions (diagram): IT Risks traced across Business Partners, Infrastructure and Application Systems.

CICRAM™ IT Risk Assessment
Step#3 – Document The IT Operational Environment: IT Systems & Applications
Use IT auditing tools and methods like questionnaires, interviews and diagrams to document the IT systems and applications.

CICRAM™ IT Risk Assessment
Step#4 - Select an Information Security Controls Framework

Source frameworks: ISO 17799 Security Program; FFIEC & FTC Standards for safeguarding customer information; COBIT & ITGI Controls; NIST SP 800, SANS and PCI Controls; plus current information from the SANS Institute, Analysts and Industry Best Practices. Combined, these become Your Organization’s IT Security Control Framework.

• Each “Standard” may contain similar information security controls.
• Resolve circular references and overlapping IT controls across the multiple frameworks.
• Use hierarchical clustering to group IT Controls into categories.
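Resolving overlapping controls across frameworks decides what the control matrix of the later steps looks like, so here is an added Python example (not the deck's or CICRAM's own tooling) of the clustering the last bullet describes. It assumes single-linkage agglomerative clustering over Jaccard word overlap, because the deck does not say which hierarchical method it uses; the eight control statements and their reference tags (ISO-17799-A, FFIEC-B and so on) are constructed placeholders, not real clause numbers from those standards.

```python
"""Grouping overlapping controls from several frameworks into categories.
Added example; the control statements and reference tags are constructed,
and single-linkage clustering over Jaccard similarity is an assumed method."""
from __future__ import annotations

import re
from collections import Counter

# Function words that carry no control meaning; a real corpus would use a
# fuller stop list and a proper stemmer.
STOPWORDS = {"a", "an", "and", "the", "of", "by", "on", "all", "with",
             "using", "are", "is", "for", "each", "has", "them"}

# Constructed control statements keyed by a placeholder framework reference.
CONTROLS = {
    "ISO-17799-A": "Network perimeter protected by firewalls and intrusion detection",
    "FFIEC-B": "Firewalls and intrusion detection systems protect the network perimeter",
    "NIST-800-C": "Boundary protection using firewalls and intrusion detection sensors",
    "ISO-17799-D": "Backups of information are taken and tested regularly",
    "COBIT-E": "Backups of critical data tested regularly by restoring them",
    "ISO-17799-F": "Users authenticated with unique identifiers and strong passwords",
    "NIST-800-G": "Each user has a unique identifier and a strong password for authentication",
    "PCI-H": "Antimalware software deployed on all workstations and servers",
}


def tokens(text: str) -> set[str]:
    """Lower-case word set with a crude plural strip so that 'firewalls'
    and 'firewall' count as the same term."""
    words = set()
    for word in re.findall(r"[a-z]+", text.lower()):
        if word in STOPWORDS:
            continue
        if len(word) > 3 and word.endswith("s"):
            word = word[:-1]
        words.add(word)
    return words


def jaccard(a: set[str], b: set[str]) -> float:
    """Similarity of two term sets: |A and B| / |A or B|."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster_controls(controls: dict[str, str], threshold: float = 0.3) -> list[list[str]]:
    """Single-linkage agglomerative clustering: repeatedly merge the two
    clusters whose closest members are most similar, until no pair reaches
    the threshold. Returns the reference tags grouped by cluster."""
    refs = list(controls)
    toks = [tokens(controls[r]) for r in refs]
    clusters = [[i] for i in range(len(refs))]
    while True:
        best_sim, best_pair = threshold, None
        for x in range(len(clusters)):
            for y in range(x + 1, len(clusters)):
                sim = max(jaccard(toks[i], toks[j])
                          for i in clusters[x] for j in clusters[y])
                if sim >= best_sim:
                    best_sim, best_pair = sim, (x, y)
        if best_pair is None:
            break
        x, y = best_pair
        clusters[x].extend(clusters.pop(y))
    return [[refs[i] for i in c] for c in clusters]


def category_label(controls: dict[str, str], refs: list[str], top: int = 3) -> str:
    """Name a cluster by the terms its members share most often; ties are
    broken alphabetically so the label is stable between runs."""
    counts: Counter[str] = Counter()
    for ref in refs:
        counts.update(tokens(controls[ref]))
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return " / ".join(word for word, _ in ranked[:top])


if __name__ == "__main__":
    for group in cluster_controls(CONTROLS):
        print(f"{category_label(CONTROLS, group):35} <- {', '.join(group)}")
```

Each resulting cluster becomes one row of the control matrix, and the member tags are the cross-references back to each framework, which is what removes the duplicate and circular entries. The threshold is the knob to watch: too low and unrelated controls collapse into one category, too high and the same requirement stays listed once per framework.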

CICRAM™ IT Risk Assessment
Step#5: Select Key IT Risk Assessment Factors

IT Risk Assessment “Factors”:
Customer Information Security               (Confidentiality)
Improper/Incorrect Transaction Data         (Integrity)
Infrastructure Stability/Change Control     (Availability)
Customer Confidence / Stewardship           (Reputation)
Regulatory Compliance                       (Legal)
Fraud / Data Breach                         (Financial Loss)

CICRAM™ IT Risk Assessment
Step#6: Determine an IT Risks Numerical Rating Scale

NUMERICAL IT RISK RATING DEFINITIONS
Level 0 - Functional control area is not relevant
Level 1 - Functional control area poses an insignificant risk: the significance of a control failure is low or not relevant
Level 2 - Functional control area poses a minimal risk potential: the significance of a control failure is minor
Level 3 - Functional control area poses a moderate risk potential: the significance of a control failure is considerable
Level 4 - Functional control area poses an elevated risk potential: the significance of a control failure is extensive
Level 5 - Functional control area poses a significant risk potential: the implications of a control failure are severe

Color    Range    Risk
White    0        N/A
Green    1-2      Low
Yellow   3-4      Medium
Red      5        High

CICRAM™ IT Risk Assessment
Step #7: Assess “Baseline” High Level Risks

Use Control Matrix and Apply Threat Analysis to Develop a Heat Map of Baseline IT Risks

Heat Map of Baseline IT Risks (Information Security Technical Controls; six rating columns per control area)
External Network Security - Perimeter Defense Systems                 5  4  4  3  5  3
Internal Network Security - Back Office User Authentication Systems   4  4  3  3  5  4
Virus and Malware Protection                                          4  4  4  4  3  4
Backup / Recovery                                                     2  0  5  2  5  3
Monitoring and Logging                                                3  3  2  2  2  1

CICRAM™ IT Risk Assessment
Step#8: Determine an IT Control Numerical Rating Scale

IT CONTROL MATURITY RATING
Stage 0 – Nonexistent
Stage 1 - Initial/Ad Hoc
Stage 2 - Repeatable but Intuitive
Stage 3 - Defined Process
Stage 4 - Managed and Measurable
Stage 5 - Optimized

Information Security Control Maturity Model: CMM Ratings are Based on Carnegie Mellon’s Process Improvement Model Ratings Scale – CMMI. www.sei.cmu.edu/cmmi/general/index.html

CICRAM™ IT Risk Assessment
Step #9: Assess IT Control Effectiveness

Control matrix columns: PROCESS | FUNCTION | HIGH LEVEL OBJECTIVE | Control Objectives | Ref # | Control Maturity | GAP Exists | Comments

Process: External Network Security - Perimeter Defense Systems
Function: Impl.
High Level Objectives (each mapped to control objective Ref # IT.B.3.1: “Where network connectivity is used, appropriate controls, including firewalls, intrusion detection and vulnerability assessments, exist and are used to prevent unauthorized access.”):
• Deployment of DMZ
• Deployment of Network FIREWALL
• Deployment of Network IDS/IPS
• Deployment of Wireless Encryption - Authentication
(The Control Maturity, GAP Exists and Comments columns are empty in the template.)

CICRAM™ IT Risk Assessment
Step#10: Adjust Baseline Risks for Control Effectiveness

Use Control Effectiveness Ratings to Adjust Baseline IT Risks

Heat Map of IT Risks Adjusted for Control Effectiveness (Information Security Technical Controls; six rating columns per control area)
External Network Security - Perimeter Defense Systems                 3  3  3  2  2  2
Internal Network Security - Back Office User Authentication Systems   4  4  3  3  2  3
Virus and Malware Protection                                          4  3  3  3  2  3
Backup / Recovery                                                     1  0  3  3  2  2
Physical Security / Environmental                                     3  2  3  2  2  1
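Steps 6 to 10 fit together as one small calculation: a rating scale, a baseline row per control area, a maturity stage per area, a gap flag, and an adjustment. The Python below is an added example, not the CICRAM tooling. It copies the Step#6 scale and the Step#7 baseline values from the slides; the maturity stages, the 12% per stage reduction rule, the residual floor of 1, the target stage of 3 used for the Step#9 gap flag and the mapping of the six columns onto the Step#5 factors are all assumptions, since the deck does not publish how its adjusted map is derived.

```python
"""Steps 6 to 10 carried through in code: the Step#6 rating scale, the
Step#7 baseline heat map, Step#8 maturity stages, the Step#9 gap flag and
the Step#10 adjustment. Added example; the maturity values and the
adjustment rule are constructed assumptions, not the deck's formula."""
from __future__ import annotations

# The six Step#5 factors; treating them as the six heat-map columns is an
# assumption, the slides leave the columns unlabelled.
FACTORS = ["Confidentiality", "Integrity", "Availability",
           "Reputation", "Legal", "Financial Loss"]


def risk_rating(level: int) -> tuple[str, str]:
    """Step#6 scale: numeric level to (color, risk)."""
    if level == 0:
        return ("White", "N/A")
    if 1 <= level <= 2:
        return ("Green", "Low")
    if 3 <= level <= 4:
        return ("Yellow", "Medium")
    if level == 5:
        return ("Red", "High")
    raise ValueError(f"rating level must be 0-5, got {level}")


# Step#7 baseline heat map, values as shown on the slide.
BASELINE = {
    "External Network Security - Perimeter Defense Systems": [5, 4, 4, 3, 5, 3],
    "Internal Network Security - Back Office User Authentication Systems": [4, 4, 3, 3, 5, 4],
    "Virus and Malware Protection": [4, 4, 4, 4, 3, 4],
    "Backup / Recovery": [2, 0, 5, 2, 5, 3],
    "Monitoring and Logging": [3, 3, 2, 2, 2, 1],
}

# Constructed Step#8 maturity stages (0 Nonexistent ... 5 Optimized) per area.
MATURITY = {
    "External Network Security - Perimeter Defense Systems": 3,
    "Internal Network Security - Back Office User Authentication Systems": 2,
    "Virus and Malware Protection": 4,
    "Backup / Recovery": 1,
    "Monitoring and Logging": 5,
}

# Assumed adjustment rule: every maturity stage earns a 12% reduction, so a
# Stage 5 control removes at most 60% of the baseline; results round up and
# never drop below 1, which preserves the "Residual Risk" of the core concepts.
REDUCTION_PER_STAGE = 12
TARGET_STAGE = 3  # assumed minimum acceptable stage: "Defined Process"


def adjusted_level(baseline: int, maturity: int) -> int:
    """Residual rating after crediting control maturity; integer arithmetic
    keeps the ceiling exact."""
    if not 0 <= baseline <= 5 or not 0 <= maturity <= 5:
        raise ValueError("baseline level and maturity stage must both be 0-5")
    if baseline == 0:  # a 'not relevant' area stays not relevant
        return 0
    residual_pct = baseline * (100 - REDUCTION_PER_STAGE * maturity)
    return max(1, (residual_pct + 99) // 100)


def adjust_heat_map(baseline: dict[str, list[int]],
                    maturity: dict[str, int]) -> dict[str, list[int]]:
    """Step#10: apply each area's control maturity to its baseline row."""
    return {area: [adjusted_level(lvl, maturity[area]) for lvl in row]
            for area, row in baseline.items()}


def control_gaps(maturity: dict[str, int], target: int = TARGET_STAGE) -> list[str]:
    """Step#9 'GAP Exists' flag: areas whose maturity is below the target stage."""
    return sorted(area for area, stage in maturity.items() if stage < target)


def render(heat_map: dict[str, list[int]]) -> str:
    """Text heat map: each cell shows the level and the Step#6 color initial."""
    header = f"{'Control area':45} " + " ".join(f"{f[:6]:>6}" for f in FACTORS)
    lines = [header]
    for area, row in heat_map.items():
        cells = " ".join(f"{lvl}({risk_rating(lvl)[0][0]})".rjust(6) for lvl in row)
        lines.append(f"{area[:45]:45} {cells}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("Baseline\n" + render(BASELINE))
    print("\nAdjusted\n" + render(adjust_heat_map(BASELINE, MATURITY)))
    print("\nGaps:", control_gaps(MATURITY))
```

Two properties of the rule matter more than its exact percentages: a Stage 5 control still leaves a rating of at least 1, so the adjusted map never claims a risk has gone away, and a Level 0 cell is never changed, so "not relevant" is not silently turned into "Low". Any replacement rule an assessor prefers should keep both.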

CICRAM™ IT Risk Assessment
Step#11: Generate Narrative IT Risk Report Document
Develop a Written Report

CICRAM™ IT Risk Assessment
Step#12: Present Risk Report and Findings to Management
Congratulations, You Get To Do This Again Next Year!

CICRAM™ IT Risk Assessment Methodology
Paradigm Shift! Customer Information Centric IT Risk Assessments

Questions ?
Fernando A. Reiser
freiser@bankitsecurity.com
Hindu Circuler Economy - Model (Concept)
Laughter Yoga Basic Learning Workshop Manual
Lecture 3344;;,,(,(((((((((((((((((((((((
Business Management - unit 1 and 2
340036916-American-Literature-Literary-Period-Overview.ppt
Digital Marketing & E-commerce Certificate Glossary.pdf.................
Family Law: The Role of Communication in Mediation (www.kiu.ac.ug)
Module 2 - Modern Supervison Challenges - Student Resource.pdf

Paradigm Shift! - Customer Information Centric IT Risk Assessments

  • 1. Paradigm Shift! Customer Information Centric IT Risk Assessments. The CICRAM™ IT Risk Assessment Methodology for GLBA & HIPAA Compliance. May 7th 2009. CICRAM™ IT Risk Assessment Methodology © Copyright 2004-2009 Fernando Reiser, All Rights Reserved

  • 2. Why Perform IT Risk Assessments?
    • Management Request
    • Regulatory Requirement
    • IT Best Practice

  • 3. What is “RISK”?
    • First and most obvious, “Risk” is a probability issue.
    • “Risk” has both a frequency and a magnitude component.
    • The fundamental nature of “Risk” is universal, regardless of its context.
    Source: An Introduction to Factor Analysis of Information Risk (FAIR): A framework for understanding, analyzing, and measuring information risk. Jack A. Jones, CISSP, CISM, CISA.
    “Risk is the association of the probability/frequency of a negative event occurrence, with the projected magnitude of a future loss.” Fernando A. Reiser CISSP, CISM, CISA, CIPP – April 2009

  • 4. The Basic “IT Risk” Formula: It’s All About IT Risk. Information Security Professionals generally can agree that IT Controls mitigate Risk by lowering the Probability of a Threat acting on a Vulnerability to harm an organization’s Asset.

  • 5. Assessing “IT Risk”
    High Level Goals & Objectives:
    • Assess current threats & vulnerabilities.
    • Identify and assess “Risk Factors” to the Organization.
    • Present information in a way that management can use to make informed business decisions based on risk.
    Processes:
    • Identify assets – information stores & IT systems.
    • Quantify the probability of a negative event occurrence.
    • Determine the value of information & IT assets.
    • Assess the business impact of negative events.

  • 6. Assessing “IT Risk”: It’s a simple concept, but a difficult and complex analytical problem to solve. Most IT Risk Assessment Methodologies attempt to determine the Threats, Vulnerabilities, Negative Event Likelihood and Information Security Impacts to specific IT Assets.

  • 7. What IT Risk Assessment Methodology Should I Use?
    Quantitative Risk Analysis: Two basic elements are assessed: the probability of a negative event – “ARO” (annual rate of occurrence) – and the likely financial loss – “SLE” (single loss expectancy). The Annualized Loss Expectancy – “ALE” – is then calculated from them.
    Qualitative Risk Analysis: This is by far the most widely used approach to risk analysis. Probability data is not required and only the estimated financial loss is used.

  • 8. What IT Risk Assessment Methodology Should I Use? “Published” IT Risk Assessment Methodologies:
    Quantitative Methodologies: CRAMM, BITS (Kalculator), FAIR, FMEA
    Qualitative Methodologies: FRAP, COBRA, OCTAVE

  • 9. Assessing IT Risk: “The Problem in the security world is we often lack the data to do risk management well. Technological risks are complicated and subtle.” “We don’t know how well our network security will keep the bad guys out, and we don’t know the cost to the company if we don’t keep them out.” Does risk management make sense? Bruce Schneier – Oct 2008

  • 10. In Addition, Traditional IT Risk Assessment Methodologies Do Not Assess IT Risks To Customer Information:
    • Storage
    • Transmission
    • Access & Processing
    I Stipulate That The IT Security Profession Has A Dirty Little Secret ...

  • 11. Randy Pausch Said In His Now Famous “Last Lecture” … “When There Is An Elephant In The Room Introduce Him” (Randy Pausch graphic – www.thelastlecture.com). “Most IT Security Professionals Can Not Accurately Assess IT Risks.” Fernando A. Reiser CISSP, CISM, CISA, CIPP – April 2009

  • 12. In fact, many Information Security professionals cannot even agree on a definition of IT Risk! “Ask a dozen information security professionals to define risk and you’re certain to get several different answers.” An Introduction to Factor Analysis of Information Risk (FAIR), Jack A. Jones, CISSP, CISM, CISA. “Technically speaking, risk is the probability of a threat agent exploiting a vulnerability and the resulting business impact.” Understanding Risk, Shon Harris CISSP – 2006. If security professionals cannot agree on what the risks are, how can we accurately assess “IT Risks”?

  • 13. What Are Leading Information Security Professionals Saying About Current IT Risk Assessment Processes & Models?
    • Number-driven risk metrics ‘fundamentally broken’ – Amit Yoran, former National Cyber Security Division director
    • Why Johnny Can’t Evaluate Security Risk – George Cybenko, Editor in Chief
    • Taking the risk out of IT risk management – Jim Hietala – October 16, 2008
    • Why you shouldn’t wager the house on risk management models – Bruce Schneier and Marcus Ranum – Oct 2008
    • It’s time to think differently about protecting data – Bill Ledingham – September 10, 2008

  • 14. There Is A Problem With Many IT Risk Assessment Processes. Traditional IT Risk Assessment Methodologies are Primarily Focused on the Risks and Impacts to the Organization that is Being Assessed. The Impact to the Confidentiality or Integrity of Customer and Employee Information is not Assessed! (Graphic – Microsoft)

  • 15. Why Are Risks to Customer Information Important?
    • Regulatory Requirements
      - Financial Industry – GLBA
      - Health Care – HIPAA
      - Higher Education – FERPA
      - State Data Breach
    • Organizational Reputation
    • Industry Standards
      - Retail – PCI
    (Graphic – Microsoft)

  • 16. The CICRAM™ IT Risk Assessment Methodology for GLBA & HIPAA Compliance: A Paradigm Shift In IT Risk Assessment Methodologies! Assess Risks To Customer & Employee Information, Rather Than Operational IT Risks To The Organization.

  • 17. CICRAM™ IT Risk Assessment Methodology Core Concepts: A Simplified View of IT Risks
    Risk = (Threat × Vulnerability × Asset Value) / Countermeasures
    An IT Risk is defined within CICRAM™ as the likelihood of a Threat acting on a Vulnerability to harm an asset, which causes a negative impact.

  • 18. CICRAM™ IT Risk Assessment Methodology Core Concepts:
    • There are an infinite number of “Latent” vulnerabilities in software systems that allow attackers to breach computer systems.
    • There is a sufficiently high number of “Threats” that, given enough time, the likelihood of a vulnerability being exploited is 100%.
    • “Customer Information” has an inherently high value.
    • Assess “Risks” by following the movement of Customer Information.
    • Assess the effects of an IT control failure. The “Worst Case Scenario” becomes the “Baseline” for the IT Risk Assessment.
    • Effective IT controls reduce risks.
    • IT Risks are almost never reduced to zero by the implementation of IT controls; there is usually some “Residual Risk”.

  • 19. CICRAM™ IT Risk Assessment Methodology Core Concepts: There are only a few actions that can be performed with an Organization’s Customer Information:
    Information Action      | Security Risk Factor
    View / Access / Use     | Confidentiality
    Copy                    | Confidentiality
    Modify                  | Integrity
    Loss                    | Confidentiality
    Delete / Destroy        | Integrity and Availability

  • 20. CICRAM™ IT Risk Assessment Methodology: “A Hybrid IT Risk Assessment Process”
    • Use Qualitative Analysis methods to determine current IT “Threats”.
    • Utilize “Data Flow” concepts to analyze risks to Customer Information as it moves across various environments.
    • Use Interrogative & RIIOT methods to document the IT environment used to transmit, manipulate and store customer data.
    • Use Qualitative Analysis methods to develop a “Baseline” of IT Risks for an IT environment that does not have any IT controls.
    • Use Control Maturity Modeling and Quantitative Analysis methods to assess the effectiveness of current IT controls.
    • Use Quantitative Analysis methods to determine the risk reduction impact of current IT controls.

  • 21. CICRAM™ IT Risk Assessment Step#1 – Assess The Current IT Threat Environment
    Attack Motivational Factors
      - External Threats: i. Criminal Cyber Gangs; ii. Former Employees; iii. Consultants & Contractors; iv. Casual Hackers & Script Kiddies
      - Insider Threats: i. Malicious Insiders: Corporate Spies & Disgruntled Employees; ii. Careless Staff: Policy Breakers and the Uninformed
    Technical Attacks
      - Malware Applications: i. Viruses, Worms, Trojans; ii. Spyware; iii. Adware
      - Botnets
      - DNS
      - Denial of Service
    Human Attacks
      - Social Engineering
      - Identity Theft
      - Email Spam

  • 22. CICRAM™ IT Risk Assessment Step#2 – Determine Where Customer Information Is Located. Data Flow Regions, each carrying IT Risks: Business Partners, Infrastructure, Application Systems.

  • 23. CICRAM™ IT Risk Assessment Step#3 – Document The IT Operational Environment: IT Systems & Applications. Use IT auditing tools and methods like questionnaires, interviews and diagrams to document the IT systems and applications.

  • 24. CICRAM™ IT Risk Assessment Step#4 – Select an Information Security Controls Framework
    • Each “Standard” may contain similar information security controls.
    • Resolve circular references and overlapping IT controls across the multiple frameworks.
    • Use hierarchical clustering to group IT Controls into categories.
    Source frameworks: ISO 17799; FFIEC & FTC Security Program Standards for safeguarding customer information; COBIT; NIST SP 800; SANS & ITGI Controls; PCI Controls. Add current information from the SANS Institute, Analysts and IT Security Industry Best Practices. The result is Your Organization’s Control Framework.

  • 25. CICRAM™ IT Risk Assessment Step#5: Select Key IT Risk Assessment Factors. IT Risk Assessment “Factors”:
    • Customer Information Security (Confidentiality)
    • Improper/Incorrect Transaction Data (Integrity)
    • Infrastructure Stability/Change Control (Availability)
    • Customer Confidence / Stewardship (Reputation)
    • Regulatory Compliance (Legal)
    • Fraud / Data Breach (Financial Loss)

  • 26. CICRAM™ IT Risk Assessment Step#6: Determine an IT Risk Numerical Rating Scale
    Numerical IT Risk Rating Definitions:
    • Level 0 – Functional control area is not relevant.
    • Level 1 – Functional control area poses an insignificant risk: the significance of a control failure is low or not relevant.
    • Level 2 – Functional control area poses a minimal risk potential: the significance of a control failure is minor.
    • Level 3 – Functional control area poses a moderate risk potential: the significance of a control failure is considerable.
    • Level 4 – Functional control area poses an elevated risk potential: the significance of a control failure is extensive.
    • Level 5 – Functional control area poses a significant risk potential: the implications of a control failure are severe.
    Color  | Range | Risk
    White  | 0     | N/A
    Green  | 1-2   | Low
    Yellow | 3-4   | Medium
    Red    | 5     | High

  • 27. CICRAM™ IT Risk Assessment Step #7: Assess “Baseline” High Level Risks. Use the Control Matrix and apply Threat Analysis to develop a Heat Map of Baseline IT Risks.
    Heat Map of Baseline IT Risks (Information Security Technical Controls; each row lists six ratings):
    External Network Security - Perimeter Defense Systems               | 5 4 4 3 5 3
    Internal Network Security - Back Office User Authentication Systems | 4 4 3 3 5 4
    Virus and Malware Protection                                        | 4 4 4 4 3 4
    Backup / Recovery                                                   | 2 0 5 2 5 3
    Monitoring and Logging                                              | 3 3 2 2 2 1

  • 28. CICRAM™ IT Risk Assessment Step#8: Determine an IT Control Numerical Rating Scale
    IT Control Maturity Rating:
    • Stage 0 – Nonexistent
    • Stage 1 – Initial/Ad Hoc
    • Stage 2 – Repeatable but Intuitive
    • Stage 3 – Defined Process
    • Stage 4 – Managed and Measurable
    • Stage 5 – Optimized
    Information Security Control Maturity Model: CMM ratings are based on Carnegie Mellon’s Process Improvement Model ratings scale – CMMI. www.sei.cmu.edu/cmmi/general/index.html

  • 29. CICRAM™ IT Risk Assessment Step #9: Assess IT Control Effectiveness
    Control matrix columns: Process Function | High Level Objective | Control Objectives | Ref # | Control Maturity | GAP Exists | Comments
    Example rows for the Process Function “External Network Security - Perimeter Defense Systems (Impl.)”, High Level Objectives:
    • Deployment of DMZ
    • Deployment of Network FIREWALL
    • Deployment of Network IDS/IPS
    • Deployment of Wireless Encryption - Authentication
    Each maps to Control Objective Ref # IT.B.3.1: “Where network connectivity is used, appropriate controls, including firewalls, intrusion detection and vulnerability assessments, exist and are used to prevent unauthorized access.”

  • 30. CICRAM™ IT Risk Assessment Step#10: Adjust Baseline Risks for Control Effectiveness. Use Control Effectiveness Ratings to Adjust Baseline IT Risks.
    Heat Map of IT Risks Adjusted for Control Effectiveness (Information Security Technical Controls):
    External Network Security - Perimeter Defense Systems               | 3 3 3 2 2 2
    Internal Network Security - Back Office User Authentication Systems | 4 4 3 3 2 3
    Virus and Malware Protection                                        | 4 3 3 3 2 3
    Backup / Recovery                                                   | 1 0 3 3 2 2
    Physical Security / Environmental                                   | 3 2 3 2 2 1

  • 31. CICRAM™ IT Risk Assessment Step#11: Generate Narrative IT Risk Report Document. Develop a Written Report.

  • 32. CICRAM™ IT Risk Assessment Step#12: Present Risk Report and Findings to Management. Congratulations, You Get To Do This Again Next Year!

  • 33. CICRAM™ IT Risk Assessment Methodology. Paradigm Shift! Customer Information Centric IT Risk Assessments. Questions? Fernando A. Reiser, freiser@bankitsecurity.com
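The quantitative analysis on slide 7 (ARO, SLE, ALE) and the last bullet of the hybrid process on slide 20 (quantify the risk reduction of current controls) can be worked through in a few lines. The following is an added example, not code from the deck or from CICRAM; it uses the standard ALE = SLE × ARO relationship, and the control cost/benefit comparison, the scenario names and every dollar figure are constructed for illustration.

```python
"""Quantitative risk analysis as described on slide 7: ARO, SLE and ALE,
plus the control cost/benefit comparison slide 20 calls for.
Added example; scenario figures are constructed, not from the deck."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Scenario:
    """One loss scenario for a customer-information asset."""
    name: str
    sle: float  # single loss expectancy: dollars lost per occurrence
    aro: float  # annual rate of occurrence: 0.5 means once every two years


def ale(scenario: Scenario) -> float:
    """Annualized loss expectancy: ALE = SLE x ARO (standard quantitative formula)."""
    if scenario.sle < 0 or scenario.aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return scenario.sle * scenario.aro


def control_net_value(before: Scenario, after: Scenario, annual_control_cost: float) -> float:
    """Net annual benefit of a control: the ALE it removes minus what it costs to run.
    A negative result means the control costs more per year than the loss it prevents."""
    return ale(before) - ale(after) - annual_control_cost


def rank_by_ale(scenarios: List[Scenario]) -> List[str]:
    """Scenario names ordered from highest to lowest ALE, for a management summary."""
    return [s.name for s in sorted(scenarios, key=ale, reverse=True)]


# Constructed scenarios for a customer-information store (illustrative figures only)
LAPTOP_LOSS = Scenario("Lost laptop holding customer records, no encryption", sle=250_000.0, aro=0.5)
LAPTOP_LOSS_ENCRYPTED = Scenario("Lost laptop, full-disk encryption in place", sle=25_000.0, aro=0.5)
PHISHED_CREDENTIALS = Scenario("Back-office credentials phished", sle=80_000.0, aro=1.0)
BACKUP_TAPE_LOSS = Scenario("Backup tape lost in transit", sle=400_000.0, aro=0.1)

ENCRYPTION_ANNUAL_COST = 20_000.0  # constructed licence and support figure


if __name__ == "__main__":
    for s in (LAPTOP_LOSS, PHISHED_CREDENTIALS, BACKUP_TAPE_LOSS):
        print(f"{s.name}: ALE = ${ale(s):,.0f}")
    print("Ranking:", rank_by_ale([LAPTOP_LOSS, PHISHED_CREDENTIALS, BACKUP_TAPE_LOSS]))
    value = control_net_value(LAPTOP_LOSS, LAPTOP_LOSS_ENCRYPTED, ENCRYPTION_ANNUAL_COST)
    print(f"Net annual value of laptop encryption: ${value:,.0f}")
```

Note that encryption here lowers the SLE (the records are unreadable once the device is gone) but not the ARO (laptops are lost just as often); separating the two factors is exactly what the qualitative approach on the same slide gives up when it drops the probability data.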
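Steps #6 to #10 (slides 26 to 30) chain together: a 0-5 risk rating with colour bands, a baseline heat map, a 0-5 control maturity rating, and an adjusted heat map. The following is an added example, not code from the deck or from CICRAM. The rating bands, maturity stages and the two baseline rows come from the slides; the deck gives no formula for the adjustment, so the levels-removed-per-maturity-stage rule, the maturity ratings for the two rows, and the assumption that the six heat-map columns are the six risk factors of Step#5 are all this example's own.

```python
"""Steps #6 to #10: risk rating bands (slide 26), control maturity stages (slide 28)
and adjusting a baseline heat map (slide 27) for control effectiveness (slide 30).
Added example; the reduction rule is an assumption, the deck gives no formula."""
from typing import Dict, List, Tuple

# Colour bands from slide 26: (lowest level, highest level, colour, risk label)
RISK_BANDS = [
    (0, 0, "White", "N/A"),
    (1, 2, "Green", "Low"),
    (3, 4, "Yellow", "Medium"),
    (5, 5, "Red", "High"),
]

# Control maturity stages from slide 28 (CMMI-derived)
MATURITY_STAGES = {
    0: "Nonexistent",
    1: "Initial/Ad Hoc",
    2: "Repeatable but Intuitive",
    3: "Defined Process",
    4: "Managed and Measurable",
    5: "Optimized",
}

# Assumption (not from the deck): how many risk levels each maturity stage removes.
# Ad hoc controls remove nothing; an optimized control removes three levels.
LEVELS_REMOVED = {0: 0, 1: 0, 2: 1, 3: 1, 4: 2, 5: 3}

# Six risk factors from slide 25, assumed here to be the six heat-map columns
FACTORS = ["Confidentiality", "Integrity", "Availability", "Reputation", "Legal", "Financial Loss"]

HeatMap = Dict[str, List[int]]


def risk_band(level: int) -> Tuple[str, str]:
    """Map a 0-5 risk level to its (colour, label) band."""
    for low, high, colour, label in RISK_BANDS:
        if low <= level <= high:
            return colour, label
    raise ValueError(f"risk level out of range: {level}")


def adjust_level(baseline: int, maturity: int) -> int:
    """Lower one baseline cell by the maturity of the control covering it.
    Level 0 (not relevant) stays 0; anything else never drops below 1,
    because residual risk is never zero (slide 18)."""
    if maturity not in MATURITY_STAGES:
        raise ValueError(f"maturity stage out of range: {maturity}")
    risk_band(baseline)  # validates the baseline level
    if baseline == 0:
        return 0
    return max(1, baseline - LEVELS_REMOVED[maturity])


def adjust_heat_map(baseline: HeatMap, maturity: Dict[str, int]) -> HeatMap:
    """Apply adjust_level to every cell, using each control area's maturity rating."""
    return {area: [adjust_level(v, maturity[area]) for v in levels]
            for area, levels in baseline.items()}


def gaps(heat_map: HeatMap) -> List[Tuple[str, str, int]]:
    """Cells still in the Red/High band: the 'GAP Exists' entries for the control matrix."""
    return [(area, FACTORS[i], lvl)
            for area, levels in heat_map.items()
            for i, lvl in enumerate(levels)
            if risk_band(lvl)[1] == "High"]


def render(heat_map: HeatMap) -> str:
    """Plain-text heat map with the colour band's initial beside every rating."""
    lines = []
    for area, levels in heat_map.items():
        cells = " ".join(f"{lvl}({risk_band(lvl)[0][0]})" for lvl in levels)
        lines.append(f"{area:<48} {cells}")
    return "\n".join(lines)


# Two baseline rows taken from the slide 27 heat map; maturity ratings are constructed
BASELINE: HeatMap = {
    "External Network Security - Perimeter Defense": [5, 4, 4, 3, 5, 3],
    "Backup / Recovery": [2, 0, 5, 2, 5, 3],
}
MATURITY_RATING = {
    "External Network Security - Perimeter Defense": 3,  # Defined Process
    "Backup / Recovery": 5,                              # Optimized
}

if __name__ == "__main__":
    print("Baseline:\n" + render(BASELINE))
    adjusted = adjust_heat_map(BASELINE, MATURITY_RATING)
    print("Adjusted:\n" + render(adjusted))
    print("Remaining gaps:", gaps(adjusted))
```

Whatever reduction rule an assessor settles on, two properties of this one are worth keeping: a cell rated 0 (not relevant) is never touched, and no other cell can be driven to 0, which is the "Residual Risk" point from slide 18 built into the arithmetic rather than left to the narrative report.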