1. Paradigm Shift!
Customer Information Centric
IT Risk Assessments
The CICRAM™ IT Risk Assessment Methodology for GLBA & HIPAA Compliance
May 7th 2009
CICRAMTM IT Risk Assessment Methodology
1
© Copyright 2004-2009 Fernando Reiser, All Rights Reserved
2. Why Perform IT Risk Assessments?
• Management Request
• Regulatory Requirement
• IT Best Practice
3. What is “RISK”?
• First and most obvious, “Risk” is a probability issue.
• “Risk” has both a frequency and a magnitude component.
• The fundamental nature of “Risk” is universal, regardless of its context.
An Introduction to Factor Analysis of Information Risk (FAIR)
A framework for understanding, analyzing, and measuring information risk
Jack A. Jones, CISSP, CISM, CISA
“Risk is the association of the probability/frequency of a negative event occurrence, with the projected magnitude of a future loss.”
Fernando A. Reiser CISSP, CISM, CISA, CIPP – April 2009
4. The Basic “IT Risk” Formula
It’s All About IT Risk
Information Security Professionals generally can agree that:
IT Controls mitigate Risk by lowering the Probability of a Threat acting on a Vulnerability to harm an organization’s Asset.
5. Assessing “IT Risk”
High Level Goals & Objectives
• Assess current threats & vulnerabilities
• Identify and assess “Risk Factors” to the Organization
• Present information in a way that management can use to make informed business decisions based on risk.
Processes
• Identify assets – information stores & IT systems.
• Quantify the probability of a negative event occurrence.
• Determine the value of information & IT assets.
• Assess the business impact of negative events.
6. Assessing “IT Risk”
It’s a simple concept, but a difficult and complex analytical problem to solve.
Most IT Risk Assessment Methodologies attempt to determine the Threats, Vulnerabilities, Negative Event Likelihood and Information Security Impacts to Specific IT Assets.
7. What IT Risk Assessment Methodology Should I Use?
Quantitative Risk Analysis
Two basic elements are assessed: the probability of a negative event, the “ARO” (annual rate of occurrence), and the likely financial loss, the “SLE” (single loss expectancy). The Annual Loss Expectancy (“ALE”) is then calculated.
Qualitative Risk Analysis
This is by far the most widely used approach to risk analysis. Probability data is not required and only the estimated financial loss is used.
8. What IT Risk Assessment Methodology Should I Use?
“Published” IT Risk Assessment Methodologies
Quantitative Methodologies: CRAMM, BITS (Kalculator), FAIR, FMEA
Qualitative Methodologies: FRAP, COBRA, OCTAVE
9. Assessing IT Risk:
“The Problem in the security world is we often lack the data to do risk management well. Technological risks are complicated and subtle.”
“We don’t know how well our network security will keep the bad guys out, and we don’t know the cost to the company if we don’t keep them out.”
Does risk management make sense?
Bruce Schneier – Oct 2008
10. In Addition, Traditional IT Risk Assessment Methodologies Do Not Assess IT Risks To Customer Information
• Storage
• Transmission
• Access & Processing
I Stipulate That The IT Security Profession Has A Dirty Little Secret ...
11. Randy Pausch Said In His Now Famous “Last Lecture” …
“When There Is An Elephant In The Room, Introduce Him”
Randy Pausch Graphic – www.thelastlecture.com
“Most IT Security Professionals Can Not Accurately Assess IT Risks.”
Fernando A. Reiser CISSP, CISM, CISA, CIPP – April 2009
12. In fact, many Information Security professionals cannot even agree on a definition of IT Risk!
“Ask a dozen information security professionals to define risk and you’re certain to get several different answers.”
An Introduction to Factor Analysis of Information Risk (FAIR)
Jack A. Jones, CISSP, CISM, CISA
“Technically speaking, risk is the probability of a threat agent exploiting a vulnerability and the resulting business impact.”
Understanding Risk
Shon Harris CISSP - 2006
If security professionals cannot agree on what the risks are, how can we accurately assess “IT Risks”?
13. What Are Leading Information Security Professionals Saying About Current IT Risk Assessment Processes & Models?
Number-driven risk metrics ‘fundamentally broken’
Amit Yoran, former National Cyber Security Division director
Why Johnny Can’t Evaluate Security Risk
George Cybenko, Editor in Chief
Taking the risk out of IT risk management
Jim Hietala – October 16, 2008
Why you shouldn’t wager the house on risk management models
Bruce Schneier and Marcus Ranum – Oct 2008
It’s time to think differently about protecting data
Bill Ledingham – September 10, 2008
14. There Is A Problem With Many IT Risk Assessment Processes.
Traditional IT Risk Assessment Methodologies are Primarily Focused on the Risks and Impacts to the Organization that is Being Assessed.
The Impact to the Confidentiality or Integrity of Customer and Employee Information is not Assessed!
Graphic - Microsoft
15. Why Are Risks to Customer Information Important?
• Regulatory Requirements
  Financial Industry – GLBA
  Health Care – HIPAA
  Higher Education – FERPA
  State Data Breach
• Organizational Reputation
• Industry Standards
  Retail - PCI
Graphic - Microsoft
16. The CICRAM™ IT Risk Assessment Methodology for GLBA & HIPAA Compliance
A Paradigm Shift In IT Risk Assessment Methodologies!
Assess Risks To Customer & Employee Information, Rather Than Operational IT Risks To The Organization.
17. CICRAM™ IT Risk Assessment Methodology
Core Concepts: A Simplified View of IT Risks
Risk = (Threat × Vulnerability × Asset Value) / Countermeasures
An IT Risk is defined within CICRAM™ as the likelihood of a Threat acting on a Vulnerability to harm an asset, which causes a negative impact.
18. CICRAM™ IT Risk Assessment Methodology
Core Concepts:
• There are an infinite number of “Latent” vulnerabilities in software systems that allow attackers to breach computer systems.
• There is a sufficiently high number of “Threats” that, given enough time, the likelihood of a vulnerability being exploited is 100%.
• “Customer Information” has an inherently high value.
• Assess “Risks” by following the movement of Customer Information.
• Assess the effects of an IT control failure. The “Worst Case Scenario” becomes the “Baseline” for the IT Risk Assessment.
• Effective IT controls reduce risks.
• IT Risks are almost never reduced to zero by the implementation of IT controls; there is usually some “Residual Risk”.
19. CICRAM™ IT Risk Assessment Methodology
Core Concepts:
There are only a few actions that can be performed with an Organization’s Customer Information:
INFORMATION ACTION      SECURITY RISK FACTOR
View / Access / Use     Confidentiality
Copy                    Confidentiality
Modify                  Integrity
Loss                    Confidentiality
Delete / Destroy        Integrity and Availability
20. CICRAM™ IT Risk Assessment Methodology
“A Hybrid IT Risk Assessment Process”
• Use Qualitative Analysis methods to determine current IT “Threats”.
• Utilize “Data Flow” concepts to analyze risks to Customer Information as it moves across various environments.
• Use Interrogative & RIIOT methods to document the IT environment used to transmit, manipulate and store customer data.
• Use Qualitative Analysis methods to develop a “Baseline” of IT Risks for an IT environment that does not have any IT controls.
• Use Control Maturity Modeling and Quantitative Analysis methods to assess the effectiveness of current IT controls.
• Use Quantitative Analysis methods to determine the risk reduction impact of current IT controls.
21. CICRAM™ IT Risk Assessment
Step#1 – Assess The Current IT Threat Environment
Attack Motivational Factors
External Threats
i. Criminal Cyber Gangs
ii. Former Employees
iii. Consultants & Contractors
iv. Casual Hackers & Script Kiddies
Insider Threats
i. Malicious Insiders: Corporate Spies & Disgruntled Employees
ii. Careless Staff: Policy Breakers and the Uninformed
Technical Attacks
Malware Applications
i. Viruses, Worms, Trojans
ii. Spyware
iii. Adware
Botnets
DNS
Denial of Service
Human Attacks
Social Engineering
Identity Theft
Email Spam
22. CICRAM™ IT Risk Assessment
Step#2 – Determine Where Customer Information Is Located
Data Flow Regions (where the IT Risks lie): Business Partners, Infrastructure, Application Systems
23. CICRAM™ IT Risk Assessment
Step#3 – Document The IT Operational Environment: IT Systems & Applications
Use IT auditing tools and methods like questionnaires, interviews and diagrams to document the IT systems and applications.
24. CICRAM™ IT Risk Assessment
Step#4 - Select an Information Security Controls Framework
Security Standards: ISO 17799, FFIEC & FTC Security Program Standards for safeguarding customer information, COBIT, NIST SP 800, SANS Controls, ITGI, PCI Controls
+ Use current information from: SANS Institute, Analysts, Industry Best Practices
= Your Organization’s IT Security Control Framework
• Each “Standard” may contain similar information security controls.
• Resolve circular references and overlapping IT controls across the multiple frameworks.
• Use hierarchical clustering to group IT Controls into categories.
25. CICRAM™ IT Risk Assessment
Step#5: Select Key IT Risk Assessment Factors
IT Risk Assessment “Factors”:
Customer Information Security (Confidentiality)
Improper/Incorrect Transaction Data (Integrity)
Infrastructure Stability/Change Control (Availability)
Customer Confidence / Stewardship (Reputation)
Regulatory Compliance (Legal)
Fraud / Data Breach (Financial Loss)
26. CICRAM™ IT Risk Assessment
Step#6: Determine an IT Risks Numerical Rating Scale
NUMERICAL IT RISK RATING DEFINITIONS
Level 0 - Functional control area is not relevant
Level 1 - Functional control area poses an insignificant risk: the significance of a control failure is low or not relevant
Level 2 - Functional control area poses a minimal risk potential: the significance of a control failure is minor
Level 3 - Functional control area poses a moderate risk potential: the significance of a control failure is considerable
Level 4 - Functional control area poses an elevated risk potential: the significance of a control failure is extensive
Level 5 - Functional control area poses a significant risk potential: the implications of a control failure are severe
Color    Range   Risk
White    0       N/A
Green    1-2     Low
Yellow   3-4     Medium
Red      5       High
27. CICRAM™ IT Risk Assessment
Step #7: Assess “Baseline” High Level Risks
Use Control Matrix and Apply Threat Analysis to Develop a Heat Map of Baseline IT Risks
Heat Map of Baseline IT Risks (Information Security Technical Controls)
External Network Security - Perimeter Defense Systems                 5 4 4 3 5 3
Internal Network Security - Back Office User Authentication Systems   4 4 3 3 5 4
Virus and Malware Protection                                          4 4 4 4 3 4
Backup / Recovery                                                     2 0 5 2 5 3
Monitoring and Logging                                                3 3 2 2 2 1
28. CICRAM™ IT Risk Assessment
Step#8: Determine an IT Control Numerical Rating Scale
IT CONTROL MATURITY RATING
Stage 0 – Nonexistent
Stage 1 - Initial/Ad Hoc
Stage 2 - Repeatable but Intuitive
Stage 3 - Defined Process
Stage 4 - Managed and Measurable
Stage 5 - Optimized
Information Security Control Maturity Model: CMM Ratings are Based on Carnegie Mellon’s Process Improvement Model Ratings Scale – CMMI. www.sei.cmu.edu/cmmi/general/index.html
29. CICRAM™ IT Risk Assessment
Step #9: Assess IT Control Effectiveness
Control matrix columns: PROCESS | FUNCTION | HIGH LEVEL OBJECTIVE | Control Objectives | Ref # | Control Maturity | GAP Exists | Comments
PROCESS: External Network Security - Perimeter Defense Systems
FUNCTION / HIGH LEVEL OBJECTIVE:
- Deployment of DMZ
- Deployment of Network FIREWALL Impl.
- Deployment of Network IDS/IPS
- Deployment of Wireless Encryption - Authentication
Control Objective for each of the four functions (Ref # IT.B.3.1): Where network connectivity is used, appropriate controls, including firewalls, intrusion detection and vulnerability assessments, exist and are used to prevent unauthorized access.
Control Maturity, GAP Exists and Comments: blank in the slide’s template.
30. CICRAM™ IT Risk Assessment
Step#10: Adjust Baseline Risks for Control Effectiveness
Use Control Effectiveness Ratings to Adjust Baseline IT Risks
Heat Map of IT Risks Adjusted for Control Effectiveness (Information Security Technical Controls)
External Network Security - Perimeter Defense Systems                 3 3 3 2 2 2
Internal Network Security - Back Office User Authentication Systems   4 4 3 3 2 3
Virus and Malware Protection                                          4 3 3 3 2 3
Backup / Recovery                                                     1 0 3 3 2 2
Physical Security / Environmental                                     3 2 3 2 2 1
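Added example, not from the CICRAM deck: it takes the Step #7 baseline ratings, bands each one with the Step #6 colour scale, and lowers them by Step #8 control-maturity stages to get residual risk. The maturity-adjustment rule, the mapping of the six columns to the Step #5 factors, and the CMM stages used are all assumptions, since the slides give no formula for Step #10.

```python
# Assumption: the six heat-map columns are the six Step #5 factors, in slide order.
FACTORS = ["Confidentiality", "Integrity", "Availability",
           "Reputation", "Legal", "Financial Loss"]

# Baseline (no IT controls) ratings copied from the Step #7 heat map.
BASELINE = {
    "External Network Security - Perimeter Defense Systems": [5, 4, 4, 3, 5, 3],
    "Internal Network Security - Back Office User Authentication": [4, 4, 3, 3, 5, 4],
    "Virus and Malware Protection": [4, 4, 4, 4, 3, 4],
    "Backup / Recovery": [2, 0, 5, 2, 5, 3],
    "Monitoring and Logging": [3, 3, 2, 2, 2, 1],
}

# Constructed Step #8 CMM stages (0-5) per control area; not from the deck.
EXAMPLE_MATURITIES = {
    "External Network Security - Perimeter Defense Systems": 4,
    "Internal Network Security - Back Office User Authentication": 3,
    "Virus and Malware Protection": 5,
    "Backup / Recovery": 1,
    "Monitoring and Logging": 2,
}

def colour(level):
    """Step #6 bands: 0 White (N/A), 1-2 Green (Low), 3-4 Yellow (Medium), 5 Red (High)."""
    if level not in range(6):
        raise ValueError("risk level must be 0-5")
    return "White" if level == 0 else "Green" if level <= 2 else "Yellow" if level <= 4 else "Red"

def adjust_row(baseline_row, maturity):
    """Assumed Step #10 rule: every two CMM stages remove one risk level, and a rated
    area never drops below 1 because controls leave residual risk (slide 18)."""
    if maturity not in range(6):
        raise ValueError("CMM stage must be 0-5")
    reduction = maturity // 2
    return [0 if b == 0 else max(1, b - reduction) for b in baseline_row]

def adjusted_heat_map(maturities):
    """Return area -> (residual levels, colours); an unrated area counts as stage 0."""
    out = {}
    for area, row in BASELINE.items():
        levels = adjust_row(row, maturities.get(area, 0))
        out[area] = (levels, [colour(l) for l in levels])
    return out

def still_high(adjusted):
    """Factors still Red (5) in any area after adjustment: lead the Step #11 report with these."""
    return sorted({FACTORS[i] for levels, _ in adjusted.values()
                   for i, l in enumerate(levels) if l == 5})
```

Call adjusted_heat_map(EXAMPLE_MATURITIES) and still_high on the result to see which factors a stage-1 Backup / Recovery area leaves at High.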
31. CICRAM™ IT Risk Assessment
Step#11: Generate Narrative IT Risk Report Document
Develop a Written Report
32. CICRAM™ IT Risk Assessment
Step#12: Present Risk Report and Findings to Management
Congratulations, You Get To Do This Again Next Year!
33. CICRAM™ IT Risk Assessment Methodology
Paradigm Shift! Customer Information Centric IT Risk Assessments
Questions?
Fernando A. Reiser
freiser@bankitsecurity.com