Paradigm Shift! Customer Information Centric IT Risk Assessments

Slide 1: The CICRAM™ IT Risk Assessment Methodology for GLBA & HIPAA Compliance
May 7th 2009

CICRAM™ IT Risk Assessment Methodology
© Copyright 2004-2009 Fernando Reiser, All Rights Reserved
Slide 2: Why Perform IT Risk Assessments?
• Management Request
• Regulatory Requirement
• IT Best Practice
Slide 3: What is “RISK”?
• First and most obvious, “Risk” is a probability issue.
• “Risk” has both a frequency and a magnitude component.
• The fundamental nature of “Risk” is universal, regardless of its context.
(An Introduction to Factor Analysis of Information Risk (FAIR): A framework for understanding, analyzing, and measuring information risk. Jack A. Jones, CISSP, CISM, CISA)

“Risk is the association of the probability/frequency of a negative event occurrence, with the projected magnitude of a future loss.”
Fernando A. Reiser CISSP, CISM, CISA, CIPP, April 2009
Slide 4: The Basic “IT Risk” Formula
It’s All About IT Risk

Information Security Professionals generally can agree that:
IT Controls mitigate Risk by lowering the Probability of a Threat acting on a Vulnerability to harm an organization’s Asset.
Slide 5: Assessing “IT Risk”
High Level Goals & Objectives
• Assess current threats & vulnerabilities
• Identify and assess “Risk Factors” to the Organization
• Present information in a way that management can use to make informed business decisions based on risk.

Processes
• Identify assets: information stores & IT systems.
• Quantify the probability of a negative event occurrence.
• Determine the value of information & IT assets.
• Assess the business impact of negative events.
Slide 6: Assessing “IT Risk”
It’s a simple concept, but a difficult and complex analytical problem to solve.

Most IT Risk Assessment Methodologies attempt to determine the Threats, Vulnerabilities, Negative Event Likelihood and Information Security Impacts to specific IT Assets.
Slide 7: What IT Risk Assessment Methodology Should I Use?
Quantitative Risk Analysis
Two basic elements are assessed: the probability of a negative event, the “ARO” (annual rate of occurrence), and the likely financial loss, the “SLE” (single loss expectancy). The Annual Loss (“ALE”) is then calculated from these two.

Qualitative Risk Analysis
This is by far the most widely used approach to risk analysis. Probability data is not required and only the estimated financial loss is used.
Slide 8: What IT Risk Assessment Methodology Should I Use?
“Published” IT Risk Assessment Methodologies

Quantitative Methodologies:
• CRAMM
• BITS (Kalculator)
• FAIR
• FMEA

Qualitative Methodologies:
• FRAP
• COBRA
• OCTAVE
Slide 9: Assessing IT Risk
“The Problem in the security world is we often lack the data to do risk management well. Technological risks are complicated and subtle.”

“We don’t know how well our network security will keep the bad guys out, and we don’t know the cost to the company if we don’t keep them out.”
Does risk management make sense? Bruce Schneier, Oct 2008
Slide 10: In Addition, Traditional IT Risk Assessment Methodologies Do Not Assess IT Risks To Customer Information
• Storage
• Transmission
• Access & Processing

I Stipulate That The IT Security Profession Has A Dirty Little Secret ...
Slide 11: Randy Pausch Said In His Now Famous “Last Lecture” …
“When There Is An Elephant In The Room Introduce Him”
Randy Pausch (Graphic: www.thelastlecture.com)

“Most IT Security Professionals Can Not Accurately Assess IT Risks.”
Fernando A. Reiser CISSP, CISM, CISA, CIPP, April 2009
Slide 12: In fact, many Information Security professionals cannot even agree on a definition of IT Risk!
“Ask a dozen information security professionals to define risk and you’re certain to get several different answers.”
An Introduction to Factor Analysis of Information Risk (FAIR), Jack A. Jones, CISSP, CISM, CISA

“Technically speaking, risk is the probability of a threat agent exploiting a vulnerability and the resulting business impact.”
Understanding Risk, Shon Harris CISSP, 2006

If security professionals cannot agree on what the risks are, how can we accurately assess “IT Risks”?
Slide 13: What Are Leading Information Security Professionals Saying About Current IT Risk Assessment Processes & Models?
• Number-driven risk metrics ‘fundamentally broken’ (Amit Yoran, former National Cyber Security Division director)
• Why Johnny Can’t Evaluate Security Risk (George Cybenko, Editor in Chief)
• Taking the risk out of IT risk management (Jim Hietala, October 16, 2008)
• Why you shouldn’t wager the house on risk management models (Bruce Schneier and Marcus Ranum, Oct 2008)
• It’s time to think differently about protecting data (Bill Ledingham, September 10, 2008)
Slide 14: There Is A Problem With Many IT Risk Assessment Processes.
Traditional IT Risk Assessment Methodologies are Primarily Focused on the Risks and Impacts to the Organization that is Being Assessed.

The Impact to the Confidentiality or Integrity of Customer and Employee Information is not Assessed!
(Graphic: Microsoft)
Slide 15: Why Are Risks to Customer Information Important?
• Regulatory Requirements
    Financial Industry: GLBA
    Health Care: HIPAA
    Higher Education: FERPA
    State Data Breach
• Organizational Reputation
• Industry Standards
    Retail: PCI
(Graphic: Microsoft)
Slide 16: The CICRAM™ IT Risk Assessment Methodology for GLBA & HIPAA Compliance
A Paradigm Shift In IT Risk Assessment Methodologies!
Assess Risks To Customer & Employee Information, Rather Than Operational IT Risks To The Organization.
Slide 17: CICRAM™ IT Risk Assessment Methodology, Core Concepts: A Simplified View of IT Risks

Risk = (Threat × Vulnerability × Asset Value) / Countermeasures

An IT Risk is defined within CICRAM™ as the likelihood of a Threat acting on a Vulnerability to harm an asset which causes a negative impact.
Slide 18: CICRAM™ IT Risk Assessment Methodology, Core Concepts
• There are an infinite number of “Latent” vulnerabilities in software systems that allow attackers to breach computer systems.
• There is a sufficiently high number of “Threats” that, given enough time, the likelihood of a vulnerability being exploited is 100%.
• “Customer Information” has an inherently high value.
• Assess “Risks” by following the movement of Customer Information.
• Assess the effects of an IT control failure. The “Worst Case Scenario” becomes the “Baseline” for the IT Risk Assessment.
• Effective IT controls reduce risks.
• IT Risks are almost never reduced to zero by the implementation of IT controls; there is usually some “Residual Risk”.
Slide 19: CICRAM™ IT Risk Assessment Methodology, Core Concepts
There are only a few actions that can be performed with an Organization’s Customer Information:

ACTION                   INFORMATION SECURITY RISK FACTOR
View / Access / Use      Confidentiality
Copy                     Confidentiality
Modify                   Integrity
Loss                     Confidentiality
Delete / Destroy         Integrity and Availability
Slide 20: CICRAM™ IT Risk Assessment Methodology: “A Hybrid IT Risk Assessment Process”
• Use Qualitative Analysis methods to determine current IT “Threats”.
• Utilize “Data Flow” concepts to analyze risks to Customer Information as it moves across various environments.
• Use Interrogative & RIIOT methods to document the IT environment used to transmit, manipulate and store customer data.
• Use Qualitative Analysis methods to develop a “Baseline” of IT Risks for an IT environment that does not have any IT controls.
• Use Control Maturity Modeling and Quantitative Analysis methods to assess the effectiveness of current IT controls.
• Use Quantitative Analysis methods to determine the risk reduction impact of current IT controls.
Slide 21: CICRAM™ IT Risk Assessment, Step #1: Assess The Current IT Threat Environment
Attack Motivational Factors
  External Threats
    i.   Criminal Cyber Gangs
    ii.  Former Employees
    iii. Consultants & Contractors
    iv.  Casual Hackers & Script Kiddies
  Insider Threats
    i.   Malicious Insiders: Corporate Spies & Disgruntled Employees
    ii.  Careless Staff: Policy Breakers and the Uninformed
Technical Attacks
  Malware Applications
    i.   Viruses, Worms, Trojans
    ii.  Spyware
    iii. Adware
  Botnets
  DNS
  Denial of Service
Human Attacks
  Social Engineering
  Identity Theft
  Email Spam
Slide 22: CICRAM™ IT Risk Assessment, Step #2: Determine Where Customer Information Is Located
(Diagram: Data Flow Regions; labels on the slide: IT Risks, Infrastructure, Application Systems, Business Partners)
Slide 23: CICRAM™ IT Risk Assessment, Step #3: Document The IT Operational Environment: IT Systems & Applications
Use IT auditing tools and methods like questionnaires, interviews and diagrams to document the IT systems and applications.
Slide 24: CICRAM™ IT Risk Assessment, Step #4: Select an Information Security Controls Framework
(Diagram: ISO 17799 Security Program + FFIEC & FTC Standards for safeguarding customer information + COBIT & ITGI Controls + NIST SP 800, SANS and PCI Controls, combined with current information from the SANS Institute, Analysts and Industry Best Practices = Your Organization’s IT Security Control Framework)
• Each “Standard” may contain similar information security controls.
• Resolve circular references and overlapping IT controls across the multiple frameworks.
• Use hierarchical clustering to group IT Controls into categories.
Slide 25: CICRAM™ IT Risk Assessment, Step #5: Select Key IT Risk Assessment Factors
IT Risk Assessment “Factors”:
  Customer Information Security               (Confidentiality)
  Improper/Incorrect Transaction Data         (Integrity)
  Infrastructure Stability/Change Control     (Availability)
  Customer Confidence / Stewardship           (Reputation)
  Regulatory Compliance                       (Legal)
  Fraud / Data Breach                         (Financial Loss)
Slide 26: CICRAM™ IT Risk Assessment, Step #6: Determine an IT Risk Numerical Rating Scale
NUMERICAL IT RISK RATING DEFINITIONS
Level 0: Functional control area is not relevant
Level 1: Functional control area poses an insignificant risk: the significance of a control failure is low or not relevant
Level 2: Functional control area poses a minimal risk potential: the significance of a control failure is minor
Level 3: Functional control area poses a moderate risk potential: the significance of a control failure is considerable
Level 4: Functional control area poses an elevated risk potential: the significance of a control failure is extensive
Level 5: Functional control area poses a significant risk potential: the implications of a control failure are severe

Color    Range    Risk
White    0        N/A
Green    1-2      Low
Yellow   3-4      Medium
Red      5        High
Slide 27: CICRAM™ IT Risk Assessment, Step #7: Assess “Baseline” High Level Risks
Use Control Matrix and Apply Threat Analysis to Develop a Heat Map of Baseline IT Risks

Heat Map of Baseline IT Risks (Information Security Technical Controls; six rating columns, whose headers are not in the extracted slide)
External Network Security - Perimeter Defense Systems                5  4  4  3  5  3
Internal Network Security - Back Office User Authentication Systems  4  4  3  3  5  4
Virus and Malware Protection                                         4  4  4  4  3  4
Backup / Recovery                                                    2  0  5  2  5  3
Monitoring and Logging                                               3  3  2  2  2  1
Slide 28: CICRAM™ IT Risk Assessment, Step #8: Determine an IT Control Numerical Rating Scale
IT CONTROL MATURITY RATING
Stage 0: Nonexistent
Stage 1: Initial/Ad Hoc
Stage 2: Repeatable but Intuitive
Stage 3: Defined Process
Stage 4: Managed and Measurable
Stage 5: Optimized

Information Security Control Maturity Model: CMM ratings are based on Carnegie Mellon’s Process Improvement Model Ratings Scale, CMMI. www.sei.cmu.edu/cmmi/general/index.html
Slide 29: CICRAM™ IT Risk Assessment, Step #9: Assess IT Control Effectiveness
(Control matrix excerpt; columns: PROCESS | FUNCTION | HIGH LEVEL OBJECTIVE | Control Objectives | Ref # | Control Maturity | GAP Exists | Comments)

PROCESS: External Network Security - Perimeter Defense Systems
FUNCTION: Impl.
  HIGH LEVEL OBJECTIVE: Deployment of DMZ
  HIGH LEVEL OBJECTIVE: Deployment of Network FIREWALL
  HIGH LEVEL OBJECTIVE: Deployment of Network IDS/IPS
  HIGH LEVEL OBJECTIVE: Deployment of Wireless Encryption - Authentication
  Control Objective for all four rows (Ref # IT.B.3.1): Where network connectivity is used, appropriate controls, including firewalls, intrusion detection and vulnerability assessments, exist and are used to prevent unauthorized access.
  Control Maturity, GAP Exists and Comments are blank on the slide.
Slide 30: CICRAM™ IT Risk Assessment, Step #10: Adjust Baseline Risks for Control Effectiveness
Use Control Effectiveness Ratings to Adjust Baseline IT Risks

Heat Map of IT Risks Adjusted for Control Effectiveness (Information Security Technical Controls; same six rating columns as the baseline heat map)
External Network Security - Perimeter Defense Systems                3  3  3  2  2  2
Internal Network Security - Back Office User Authentication Systems  4  4  3  3  2  3
Virus and Malware Protection                                         4  3  3  3  2  3
Backup / Recovery                                                    1  0  3  3  2  2
Physical Security / Environmental                                    3  2  3  2  2  1
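As an added illustration (not the deck’s own tooling) of the rating scale on slide 26, the maturity stages on slide 28 and the baseline and adjusted heat maps on slides 27 and 30: the colour-band lookup and both matrices are copied from the slides, while the baseline-to-adjusted arithmetic in adjust_row() is an assumed placeholder, since the deck does not publish it. The check at the end flags any adjusted cell rated higher than its worst-case baseline, which the residual-risk model on slide 18 would not predict.

```python
"""Helpers for the CICRAM rating scales and heat maps (slides 26 to 30).

Added example for this page; it is not the author's tooling. The colour
bands, maturity stages and the two heat maps are copied from the slides.
The baseline-to-adjusted arithmetic is NOT given in the deck, so the rule
used in adjust_row() is an assumption chosen for illustration only.
"""

# Slide 26: numerical IT risk rating -> (colour, risk label).
RISK_BANDS = (
    (0, 0, "White", "N/A"),
    (1, 2, "Green", "Low"),
    (3, 4, "Yellow", "Medium"),
    (5, 5, "Red", "High"),
)

# Slide 28: IT control maturity stages (CMMI-style, 0..5).
MATURITY_STAGES = ("Nonexistent", "Initial/Ad Hoc", "Repeatable but Intuitive",
                   "Defined Process", "Managed and Measurable", "Optimized")

# ASSUMPTION: how many risk levels a control at a given maturity stage removes.
# The deck does not publish this table; it is a placeholder for illustration.
REDUCTION_BY_STAGE = (0, 0, 1, 1, 2, 3)

# Slide 27 baseline heat map (worst case: environment with no IT controls).
# Six rating columns; the slide does not print the column headers.
BASELINE = {
    "External Network Security - Perimeter Defense Systems": (5, 4, 4, 3, 5, 3),
    "Internal Network Security - Back Office User Authentication Systems": (4, 4, 3, 3, 5, 4),
    "Virus and Malware Protection": (4, 4, 4, 4, 3, 4),
    "Backup / Recovery": (2, 0, 5, 2, 5, 3),
    "Monitoring and Logging": (3, 3, 2, 2, 2, 1),
}

# Slide 30 heat map after adjusting for control effectiveness.
ADJUSTED_ON_SLIDE = {
    "External Network Security - Perimeter Defense Systems": (3, 3, 3, 2, 2, 2),
    "Internal Network Security - Back Office User Authentication Systems": (4, 4, 3, 3, 2, 3),
    "Virus and Malware Protection": (4, 3, 3, 3, 2, 3),
    "Backup / Recovery": (1, 0, 3, 3, 2, 2),
    "Physical Security / Environmental": (3, 2, 3, 2, 2, 1),
}


def risk_band(level):
    """Map a 0..5 rating to the slide-26 colour band; reject anything else."""
    if not isinstance(level, int) or isinstance(level, bool) or not 0 <= level <= 5:
        raise ValueError(f"rating must be an integer 0..5, got {level!r}")
    for low, high, colour, label in RISK_BANDS:
        if low <= level <= high:
            return colour, label
    raise AssertionError("unreachable: bands cover 0..5")


def adjust_row(baseline_row, maturity):
    """ASSUMED adjustment: subtract REDUCTION_BY_STAGE[maturity] from every
    cell, but never drive a non-zero baseline below 1 (slide 18: controls
    leave residual risk). A 0 cell (control area not relevant) stays 0."""
    if not 0 <= maturity < len(MATURITY_STAGES):
        raise ValueError(f"maturity stage must be 0..5, got {maturity!r}")
    cut = REDUCTION_BY_STAGE[maturity]
    return tuple(0 if cell == 0 else max(1, cell - cut) for cell in baseline_row)


def adjusted_heat_map(baseline, maturity_by_control):
    """Apply adjust_row() to each baseline row using that control's maturity.
    Rows with no maturity rating are treated as stage 0 (no reduction)."""
    return {name: adjust_row(row, maturity_by_control.get(name, 0))
            for name, row in baseline.items()}


def render(heat_map):
    """Plain-text heat map: each cell shown as 'level/Colour'."""
    width = max(len(name) for name in heat_map)
    lines = []
    for name, row in heat_map.items():
        cells = "  ".join(f"{level}/{risk_band(level)[0]}" for level in row)
        lines.append(f"{name:<{width}}  {cells}")
    return "\n".join(lines)


def cells_above_baseline(baseline, adjusted):
    """Sanity check for an assessment: list (control, column, before, after)
    wherever the adjusted rating exceeds the worst-case baseline. Controls
    can only lower risk in this model, so any hit needs an explanation.
    Rows that appear in only one map are skipped."""
    hits = []
    for name, before_row in baseline.items():
        after_row = adjusted.get(name)
        if after_row is None:
            continue
        for col, (before, after) in enumerate(zip(before_row, after_row)):
            if after > before:
                hits.append((name, col, before, after))
    return hits


if __name__ == "__main__":
    # Constructed maturity ratings for the demo; not from the deck.
    demo_maturity = {
        "External Network Security - Perimeter Defense Systems": 4,
        "Internal Network Security - Back Office User Authentication Systems": 2,
        "Virus and Malware Protection": 3,
        "Backup / Recovery": 5,
        "Monitoring and Logging": 1,
    }
    print("Baseline:\n" + render(BASELINE))
    print("\nAdjusted (assumed rule):\n" + render(adjusted_heat_map(BASELINE, demo_maturity)))
    print("\nSlide-30 cells above baseline:", cells_above_baseline(BASELINE, ADJUSTED_ON_SLIDE))
```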
Slide 31: CICRAM™ IT Risk Assessment, Step #11: Generate Narrative IT Risk Report Document
Develop a Written Report
Slide 32: CICRAM™ IT Risk Assessment, Step #12: Present Risk Report and Findings to Management
Congratulations, You Get To Do This Again Next Year!
Slide 33: CICRAM™ IT Risk Assessment Methodology
Paradigm Shift! Customer Information Centric IT Risk Assessments

Questions?
Fernando A. Reiser
freiser@bankitsecurity.com

Agam Profile
 
Gartner Information Security Summit Brochure
Gartner Information Security Summit BrochureGartner Information Security Summit Brochure
Gartner Information Security Summit Brochure
 
TrustCheck from Unisys
TrustCheck from UnisysTrustCheck from Unisys
TrustCheck from Unisys
 
NYAI #24: Developing Trust in Artificial Intelligence and Machine Learning fo...
NYAI #24: Developing Trust in Artificial Intelligence and Machine Learning fo...NYAI #24: Developing Trust in Artificial Intelligence and Machine Learning fo...
NYAI #24: Developing Trust in Artificial Intelligence and Machine Learning fo...
 
2020 FRSecure CISSP Mentor Program - Class 2
2020 FRSecure CISSP Mentor Program - Class 22020 FRSecure CISSP Mentor Program - Class 2
2020 FRSecure CISSP Mentor Program - Class 2
 
Segurinfo2014 Santiago Cavanna
Segurinfo2014 Santiago CavannaSegurinfo2014 Santiago Cavanna
Segurinfo2014 Santiago Cavanna
 
Helicopter Assessments - Improve your Customer Data Security!
Helicopter Assessments - Improve your Customer Data Security!Helicopter Assessments - Improve your Customer Data Security!
Helicopter Assessments - Improve your Customer Data Security!
 
Information Systems Policy
Information Systems PolicyInformation Systems Policy
Information Systems Policy
 
Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with T...
Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with T...Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with T...
Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with T...
 
Analisis de Riesgos O-ISM3
Analisis de Riesgos O-ISM3Analisis de Riesgos O-ISM3
Analisis de Riesgos O-ISM3
 
CRI-Exec-Cyber-Briefings (1)
CRI-Exec-Cyber-Briefings (1)CRI-Exec-Cyber-Briefings (1)
CRI-Exec-Cyber-Briefings (1)
 
"Thinking diffrent" about your information security strategy
"Thinking diffrent" about your information security strategy"Thinking diffrent" about your information security strategy
"Thinking diffrent" about your information security strategy
 

Recently uploaded

The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai KuwaitThe Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
daisycvs
 
Mifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in Oman
Mifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in OmanMifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in Oman
Mifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in Oman
instagramfab782445
 
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al MizharAl Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
allensay1
 
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabiunwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
Abortion pills in Kuwait Cytotec pills in Kuwait
 
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pillsMifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Abortion pills in Kuwait Cytotec pills in Kuwait
 
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
daisycvs
 

Recently uploaded (20)

HomeRoots Pitch Deck | Investor Insights | April 2024
HomeRoots Pitch Deck | Investor Insights | April 2024HomeRoots Pitch Deck | Investor Insights | April 2024
HomeRoots Pitch Deck | Investor Insights | April 2024
 
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai KuwaitThe Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
 
Phases of Negotiation .pptx
 Phases of Negotiation .pptx Phases of Negotiation .pptx
Phases of Negotiation .pptx
 
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDINGParadip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
 
Mifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in Oman
Mifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in OmanMifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in Oman
Mifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in Oman
 
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
 
Putting the SPARK into Virtual Training.pptx
Putting the SPARK into Virtual Training.pptxPutting the SPARK into Virtual Training.pptx
Putting the SPARK into Virtual Training.pptx
 
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al MizharAl Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
 
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabiunwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
 
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pillsMifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
 
TVB_The Vietnam Believer Newsletter_May 6th, 2024_ENVol. 006.pdf
TVB_The Vietnam Believer Newsletter_May 6th, 2024_ENVol. 006.pdfTVB_The Vietnam Believer Newsletter_May 6th, 2024_ENVol. 006.pdf
TVB_The Vietnam Believer Newsletter_May 6th, 2024_ENVol. 006.pdf
 
Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...
Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...
Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...
 
PHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation FinalPHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation Final
 
Rice Manufacturers in India | Shree Krishna Exports
Rice Manufacturers in India | Shree Krishna ExportsRice Manufacturers in India | Shree Krishna Exports
Rice Manufacturers in India | Shree Krishna Exports
 
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60%  in 6 MonthsSEO Case Study: How I Increased SEO Traffic & Ranking by 50-60%  in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
 
New 2024 Cannabis Edibles Investor Pitch Deck Template
New 2024 Cannabis Edibles Investor Pitch Deck TemplateNew 2024 Cannabis Edibles Investor Pitch Deck Template
New 2024 Cannabis Edibles Investor Pitch Deck Template
 
Buy Verified TransferWise Accounts From Seosmmearth
Buy Verified TransferWise Accounts From SeosmmearthBuy Verified TransferWise Accounts From Seosmmearth
Buy Verified TransferWise Accounts From Seosmmearth
 
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
 
BeMetals Investor Presentation_May 3, 2024.pdf
BeMetals Investor Presentation_May 3, 2024.pdfBeMetals Investor Presentation_May 3, 2024.pdf
BeMetals Investor Presentation_May 3, 2024.pdf
 
Organizational Transformation Lead with Culture
Organizational Transformation Lead with CultureOrganizational Transformation Lead with Culture
Organizational Transformation Lead with Culture
 

Paradigm Shift! - Customer Information Centric IT Risk Assessments

  • 1. Paradigm Shift! Customer Information Centric IT Risk Assessments
    The CICRAM™ IT Risk Assessment Methodology for GLBA & HIPAA Compliance
    May 7th 2009
    CICRAM™ IT Risk Assessment Methodology 1 © Copyright 2004-2009 Fernando Reiser, All Rights Reserved
  • 2. Why Perform IT Risk Assessments?
    • Management Request
    • Regulatory Requirement
    • IT Best Practice
  • 3. What is “RISK”?
    • First and most obvious, “Risk” is a probability issue.
    • “Risk” has both a frequency and a magnitude component.
    • The fundamental nature of “Risk” is universal, regardless of its context.
    (Source: An Introduction to Factor Analysis of Information Risk (FAIR), A framework for understanding, analyzing, and measuring information risk, Jack A. Jones, CISSP, CISM, CISA)
    “Risk is the association of the probability/frequency of a negative event occurrence, with the projected magnitude of a future loss.” Fernando A. Reiser CISSP, CISM, CISA, CIPP – April 2009
  • 4. The Basic “IT Risk” Formula
    It’s All About IT Risk.
    Information Security Professionals generally can agree that: IT Controls mitigate Risk by lowering the Probability of a Threat acting on a Vulnerability to harm an organization’s Asset.
  • 5. Assessing “IT Risk”
    High Level Goals & Objectives
    • Assess current threats & vulnerabilities.
    • Identify and assess “Risk Factors” to the Organization.
    • Present information in a way that management can use to make informed business decisions based on risk.
    Processes
    • Identify assets: information stores & IT systems.
    • Quantify the probability of a negative event occurrence.
    • Determine the value of information & IT assets.
    • Assess the business impact of negative events.
  • 6. Assessing “IT Risk”
    It’s a simple concept, but a difficult and complex analytical problem to solve.
    Most IT Risk Assessment Methodologies attempt to determine the Threats, Vulnerabilities, Negative Event Likelihood and Information Security Impacts to specific IT Assets.
  • 7. What IT Risk Assessment Methodology Should I Use?
    Quantitative Risk Analysis: Two basic elements are assessed: the probability of a negative event, the “ARO” (annual rate of occurrence), and the likely financial loss, the “SLE” (single loss expectancy). The Annual Loss Expectancy, the “ALE”, is then calculated.
    Qualitative Risk Analysis: This is by far the most widely used approach to risk analysis. Probability data is not required and only the estimated financial loss is used.
  • 8. What IT Risk Assessment Methodology Should I Use?
    “Published” IT Risk Assessment Methodologies
    Quantitative Methodologies: CRAMM, BITS (Kalculator), FAIR, FMEA
    Qualitative Methodologies: FRAP, COBRA, OCTAVE
  • 9. Assessing IT Risk
    “The Problem in the security world is we often lack the data to do risk management well. Technological risks are complicated and subtle.”
    “We don’t know how well our network security will keep the bad guys out, and we don’t know the cost to the company if we don’t keep them out.”
    Does risk management make sense? Bruce Schneier – Oct 2008
  • 10. In Addition, Traditional IT Risk Assessment Methodologies Do Not Assess IT Risks To Customer Information
    • Storage
    • Transmission
    • Access & Processing
    I Stipulate That The IT Security Profession Has A Dirty Little Secret ...
  • 11. Randy Pausch Said In His Now Famous “Last Lecture” … “When There Is An Elephant In The Room Introduce Him”
    (Randy Pausch Graphic – www.thelastlecture.com)
    “Most IT Security Professionals Can Not Accurately Assess IT Risks.” Fernando A. Reiser CISSP, CISM, CISA, CIPP – April 2009
  • 12. In fact, many Information Security professionals cannot even agree on a definition of IT Risk!
    “Ask a dozen information security professionals to define risk and you’re certain to get several different answers.” An Introduction to Factor Analysis of Information Risk (FAIR), Jack A. Jones, CISSP, CISM, CISA
    “Technically speaking, risk is the probability of a threat agent exploiting a vulnerability and the resulting business impact.” Understanding Risk, Shon Harris CISSP - 2006
    If security professionals cannot agree on what the risks are, how can we accurately assess “IT Risks”?
  • 13. What Are Leading Information Security Professionals Saying About Current IT Risk Assessment Processes & Models?
    • Number-driven risk metrics ‘fundamentally broken’ – Amit Yoran, former National Cyber Security Division director
    • Why Johnny Can’t Evaluate Security Risk – George Cybenko, Editor in Chief
    • Taking the risk out of IT risk management – Jim Hietala, October 16, 2008
    • Why you shouldn’t wager the house on risk management models – Bruce Schneier and Marcus Ranum, Oct 2008
    • It’s time to think differently about protecting data – Bill Ledingham, September 10, 2008
  • 14. There Is A Problem With Many IT Risk Assessment Processes.
    Traditional IT Risk Assessment Methodologies are primarily focused on the Risks and Impacts to the Organization that is being assessed.
    The Impact to the Confidentiality or Integrity of Customer and Employee Information is not Assessed!
    (Graphic - Microsoft)
  • 15. Why Are Risks to Customer Information Important?
    • Regulatory Requirements
      - Financial Industry – GLBA
      - Health Care – HIPAA
      - Higher Education – FERPA
      - State Data Breach
    • Organizational Reputation
    • Industry Standards
      - Retail - PCI
    (Graphic - Microsoft)
  • 16. TM The CICRAM IT Risk Assessment Methodology for GLBA & HIPAA Compliance A Paradigm Shift In IT Risk Assessment Methodologies! Assess Risks To Customer & Employee Information, Rather Than Operational IT Risks To The Organization. CICRAMTM IT Risk Assessment Methodology 16 © Copyright 2004-2009 Fernando Reiser, All Rights Reserved
  • 17. TM CICRAM IT Risk Assessment Methodology Core Concepts: A Simplified View of IT Risks Threat Vulnerability Asset Value X X Risk = __________ Countermeasures An IT Risk is defined within CICRAMTM, as the likelihood of a Threat acting on a Vulnerability to harm an asset which causes a negative impact. CICRAMTM IT Risk Assessment Methodology 17 © Copyright 2004-2009 Fernando Reiser, All Rights Reserved
  • 18. TM CICRAM IT Risk Assessment Methodology Core Concepts: • There are an infinite number of “Latent” vulnerabilities in software systems that allow attackers to breach computer systems. • There is a sufficiently high number of “Threats”, that given enough time, the likelihood of a vulnerability being exploited is 100%. • “Customer Information” has an inherently high value. • Assess “Risks” by following the movement of Customer Information. • Assess the effects of an IT control failure. The “Worst Case Scenario” becomes the “Baseline” for the IT Risk Assessment. • Effective IT controls reduce risks • IT Risks are almost never reduced to zero by the implementation of IT controls, there is usually some “Residual Risk”. CICRAMTM IT Risk Assessment Methodology 18 © Copyright 2004-2009 Fernando Reiser, All Rights Reserved
  • 19. TM CICRAM IT Risk Assessment Methodology Core Concepts: There are a only a few actions that can be performed with an Organization’s Customer Information: INFORMATION ACTION SECURITY RISK FACTOR View / Access / Use Confidentiality Copy Confidentiality Modify Integrity Loss Confidentiality Delete / Destroy Integrity and Availability CICRAMTM IT Risk Assessment Methodology 19 © Copyright 2004-2009 Fernando Reiser, All Rights Reserved
  • 20. TM CICRAM IT Risk Assessment Methodology “A Hybrid IT Risk Assessment Process” • Use Qualitative Analysis methods to determine current IT “Threats”. • Utilize “Data Flow” concepts to analyze risks to Customer Information as it moves across various environments. • Use Interogative & RIIOT methods to document the IT environment used to transmit, manipulate and store customer data. • Use Qualitative Analysis methods to develop a “Baseline” of IT Risks for an IT environment that does not have any IT controls. • Use Control Maturity Modeling and Quantitative Analysis – methods to assess the effectiveness of current IT controls. • Use Quantitative Analysis methods to determine the risk reduction impact of current IT controls. CICRAMTM IT Risk Assessment Methodology 20 © Copyright 2004-2009 Fernando Reiser, All Rights Reserved
  • 21. CICRAM™ IT Risk Assessment Step #1 – Assess The Current IT Threat Environment
    Attack Motivational Factors
    • External Threats
      i. Criminal Cyber Gangs
      ii. Former Employees
      iii. Consultants & Contractors
      iv. Casual Hackers & Script Kiddies
    • Insider Threats
      i. Malicious Insiders: Corporate Spies & Disgruntled Employees
      ii. Careless Staff: Policy Breakers and the Uninformed
    Technical Attacks
    • Malware Applications
      i. Viruses, Worms, Trojans
      ii. Spyware
      iii. Adware
    • Botnets
    • DNS
    • Denial of Service
    Human Attacks
    • Social Engineering
    • Identity Theft
    • Email Spam
  • 22. CICRAM™ IT Risk Assessment Step #2 – Determine Where Customer Information Is Located
    (Diagram: Data Flow Regions and their IT Risks: Business Partners, Infrastructure, Application Systems)
  • 23. CICRAM™ IT Risk Assessment Step #3 – Document The IT Operational Environment: IT Systems & Applications
    Use IT auditing tools and methods like questionnaires, interviews and diagrams to document the IT systems and applications.
  • 24. CICRAM™ IT Risk Assessment Step #4 – Select an Information Security Controls Framework
    • Each “Standard” may contain similar information security controls.
    • Resolve circular references and overlapping IT controls across the multiple frameworks.
    • Use hierarchical clustering to group IT Controls into categories.
    (Diagram: ISO 17799 + FFIEC & FTC Security Standards for safeguarding customer information + COBIT + NIST SP 800 + SANS & ITGI Controls + PCI Controls = Your Organization’s IT Security Control Framework)
    Use current information from: SANS Institute, Analysts, Industry Best Practices.
  • 25. CICRAM™ IT Risk Assessment Step #5: Select Key IT Risk Assessment Factors
    IT Risk Assessment “Factors”:
    • Customer Information Security (Confidentiality)
    • Improper/Incorrect Transaction Data (Integrity)
    • Infrastructure Stability/Change Control (Availability)
    • Customer Confidence / Stewardship (Reputation)
    • Regulatory Compliance (Legal)
    • Fraud / Data Breach (Financial Loss)
  • 26. CICRAM™ IT Risk Assessment Step #6: Determine an IT Risk Numerical Rating Scale
    NUMERICAL IT RISK RATING DEFINITIONS
    Level 0 - Functional control area is not relevant.
    Level 1 - Functional control area poses an insignificant risk: the significance of a control failure is low or not relevant.
    Level 2 - Functional control area poses a minimal risk potential: the significance of a control failure is minor.
    Level 3 - Functional control area poses a moderate risk potential: the significance of a control failure is considerable.
    Level 4 - Functional control area poses an elevated risk potential: the significance of a control failure is extensive.
    Level 5 - Functional control area poses a significant risk potential: the implications of a control failure are severe.
    Color  | Range | Risk
    White  | 0     | N/A
    Green  | 1-2   | Low
    Yellow | 3-4   | Medium
    Red    | 5     | High
  • 27. CICRAM™ IT Risk Assessment Step #7: Assess “Baseline” High Level Risks
    Use Control Matrix and Apply Threat Analysis to Develop a Heat Map of Baseline IT Risks
    Heat Map of Baseline IT Risks (Information Security Technical Controls)
    External Network Security - Perimeter Defense Systems              | 5 4 4 3 5 3
    Internal Network Security - Back Office User Authentication Systems | 4 4 3 3 5 4
    Virus and Malware Protection                                       | 4 4 4 4 3 4
    Backup / Recovery                                                  | 2 0 5 2 5 3
    Monitoring and Logging                                             | 3 3 2 2 2 1
  • 28. CICRAM™ IT Risk Assessment Step #8: Determine an IT Control Numerical Rating Scale
    IT CONTROL MATURITY RATING
    Stage 0 - Nonexistent
    Stage 1 - Initial/Ad Hoc
    Stage 2 - Repeatable but Intuitive
    Stage 3 - Defined Process
    Stage 4 - Managed and Measurable
    Stage 5 - Optimized
    Information Security Control Maturity Model: CMM Ratings are based on Carnegie Mellon’s Process Improvement Model Ratings Scale, CMMI. www.sei.cmu.edu/cmmi/general/index.html
  • 29. CICRAM™ IT Risk Assessment Step #9: Assess IT Control Effectiveness
    Columns: Process Function | High Level Objective | Control Objectives | Ref # | Control Maturity | GAP Exists | Comments
    Process Function: External Network Security - Perimeter Defense Systems
    High Level Objectives:
    • Deployment of DMZ
    • Deployment of Network FIREWALL
    • Deployment of Network IDS/IPS
    • Deployment of Wireless Encryption - Authentication Impl.
    Control Objective for each (Ref # IT.B.3.1): Where network connectivity is used, appropriate controls, including firewalls, intrusion detection and vulnerability assessments, exist and are used to prevent unauthorized access.
    (Control Maturity, GAP Exists and Comments columns are filled in during the assessment.)
  • 30. CICRAM™ IT Risk Assessment Step #10: Adjust Baseline Risks for Control Effectiveness
    Use Control Effectiveness Ratings to Adjust Baseline IT Risks
    Heat Map of IT Risks Adjusted for Control Effectiveness (Information Security Technical Controls)
    External Network Security - Perimeter Defense Systems              | 3 3 3 2 2 2
    Internal Network Security - Back Office User Authentication Systems | 4 4 3 3 2 3
    Virus and Malware Protection                                       | 4 3 3 3 2 3
    Backup / Recovery                                                  | 1 0 3 3 2 2
    Physical Security / Environmental                                  | 3 2 3 2 2 1
  • 31. CICRAM™ IT Risk Assessment Step #11: Generate Narrative IT Risk Report Document
    Develop a Written Report
  • 32. CICRAM™ IT Risk Assessment Step #12: Present Risk Report and Findings to Management
    Congratulations, You Get To Do This Again Next Year!
  • 33. CICRAM™ IT Risk Assessment Methodology: Paradigm Shift! Customer Information Centric IT Risk Assessments
    Questions? Fernando A. Reiser freiser@bankitsecurity.com
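The following is an added worked example, not code from the CICRAM deck: it encodes the risk rating scale of slide 26 and the control maturity stages of slide 28, loads the baseline heat map of slide 27 as sample input, and applies a control-effectiveness adjustment in the spirit of step 10. The deck does not publish the rule it uses to get from slide 27 to slide 30, so the adjustment formula, the assumption that the six columns are the six risk factors of slide 25, and the sample maturity ratings are all assumptions made here.

```python
"""Added example (not part of the CICRAM deck): rating scales from slides 26
and 28 plus a hypothetical control-effectiveness adjustment (step 10)."""
import math
from typing import Dict, List, Tuple

# Slide 26: numerical IT risk rating scale, 0 (not relevant) to 5 (severe).
RISK_LEVELS: Dict[int, str] = {
    0: "not relevant",
    1: "insignificant: control failure significance is low or not relevant",
    2: "minimal: control failure significance is minor",
    3: "moderate: control failure significance is considerable",
    4: "elevated: control failure significance is extensive",
    5: "significant: control failure implications are severe",
}
# Slide 26: colour bands as (low, high, colour, risk label).
COLOR_BANDS: List[Tuple[int, int, str, str]] = [
    (0, 0, "White", "N/A"),
    (1, 2, "Green", "Low"),
    (3, 4, "Yellow", "Medium"),
    (5, 5, "Red", "High"),
]
# Slide 28: IT control maturity stages (CMM/CMMI style), 0 to 5.
MATURITY_STAGES: Dict[int, str] = {
    0: "Nonexistent", 1: "Initial/Ad Hoc", 2: "Repeatable but Intuitive",
    3: "Defined Process", 4: "Managed and Measurable", 5: "Optimized",
}
# Assumption: the six heat-map columns are the six risk factors of slide 25.
RISK_FACTORS = ["Confidentiality", "Integrity", "Availability",
                "Reputation", "Legal", "Financial Loss"]
# Baseline heat map copied from slide 27: control area -> six ratings.
BASELINE_HEAT_MAP: Dict[str, List[int]] = {
    "External Network Security - Perimeter Defense Systems": [5, 4, 4, 3, 5, 3],
    "Internal Network Security - Back Office User Authentication Systems": [4, 4, 3, 3, 5, 4],
    "Virus and Malware Protection": [4, 4, 4, 4, 3, 4],
    "Backup / Recovery": [2, 0, 5, 2, 5, 3],
    "Monitoring and Logging": [3, 3, 2, 2, 2, 1],
}
# Constructed sample maturity ratings (the output of step 9); not from the deck.
SAMPLE_MATURITY: Dict[str, int] = {
    "External Network Security - Perimeter Defense Systems": 3,
    "Internal Network Security - Back Office User Authentication Systems": 1,
    "Virus and Malware Protection": 2,
    "Backup / Recovery": 4,
    "Monitoring and Logging": 5,
}


def color_for(level: int) -> Tuple[str, str]:
    """Map a 0-5 risk level to its slide 26 colour band and risk label."""
    if level not in RISK_LEVELS:
        raise ValueError(f"risk level must be 0-5, got {level}")
    for low, high, color, label in COLOR_BANDS:
        if low <= level <= high:
            return color, label
    raise AssertionError("unreachable: bands cover 0-5")


def adjust(baseline: int, maturity: int) -> int:
    """Hypothetical adjustment rule (an assumption, not the deck's formula):
    scale the baseline by the share of maturity still missing, round up, and
    never take a relevant area (baseline > 0) below 1, because slide 18 says
    controls almost never reduce a risk to zero (residual risk)."""
    if baseline not in RISK_LEVELS or maturity not in MATURITY_STAGES:
        raise ValueError("baseline and maturity must both be 0-5")
    if baseline == 0:
        return 0  # a control area that is not relevant stays not relevant
    residual = math.ceil(baseline * (5 - maturity) / 5)
    return max(1, residual)


def adjust_heat_map(baseline_map: Dict[str, List[int]],
                    maturity_by_area: Dict[str, int]) -> Dict[str, List[int]]:
    """Apply adjust() row by row; every row needs a step 9 maturity rating."""
    missing = set(baseline_map) - set(maturity_by_area)
    if missing:
        raise KeyError(f"no control maturity rating for: {sorted(missing)}")
    return {area: [adjust(b, maturity_by_area[area]) for b in row]
            for area, row in baseline_map.items()}


def render_heat_map(heat_map: Dict[str, List[int]]) -> str:
    """Text rendering: level and first letter of its colour band per cell."""
    lines = []
    for area, row in heat_map.items():
        cells = " ".join(f"{lvl}:{color_for(lvl)[0][0]}" for lvl in row)
        lines.append(f"{area:<68} {cells}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("Baseline (slide 27):")
    print(render_heat_map(BASELINE_HEAT_MAP))
    print("\nAdjusted for sample control maturity (hypothetical rule):")
    print(render_heat_map(adjust_heat_map(BASELINE_HEAT_MAP, SAMPLE_MATURITY)))
```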