Risk Assessment

InfoSec and Legal Aspects

• Risk assessment• Laws governing InfoSec• Privacy

Risk Assessment

• Assigns a risk rating for each asset• Likelihood refers to the probability of a

known vulnerability being attacked– Likelihood of fire forecast from actuarial data– Likelihood of virus estimated from volume of

email handled and number of servers in use– Likelihood of a network attack estimated from

the number of network addresses in use

Risk Assessment• How to assign value to information assets?

– NIST SP 800-30 contains parameters to check– Critical assets are assigned the value 100– Non-critical but essential asset gets the value 50– Least critical assets get the value 1

• What factors to look for in valuation?– Which threats present a danger?– Which threats present a significant danger?– Cost to recover from an attack– Threats that require maximum cost to prevent

Risk Assessment

• Risk determination:Risk = likelihood * value – risk percentage +

uncertaintyExample:

Asset A has vulnerability score 50Number of vulnerabilities 1Likelihood value 1 with no controlsData are 90% accurateHence, Risk = 1 * 50 – 0% + 10%

= 50 + 10% of (1 * 50) = 50 + 5 = 55

Risk AssessmentExample:

Asset B has vulnerability score 100Number of vulnerabilities 2Likelihood value 0.5 for 1st vulnerability which

addresses 50% of riskData are 80% accurateHence, Risk = 0.5 * 100 – 50% + 20%

= 50 – (50% of 50) + (20% of 50)= 50 – 25 + 10= 35

Risk AssessmentExample:

Asset B has vulnerability score 100Number of vulnerabilities 2Likelihood value 0.1 for 2nd vulnerability with no

controlsData are 80% accurateHence, Risk = 0.1 * 100 – 0% + 20%

= 10 – 0 + (20% of 10)= 10 + 2= 12

Risk Assessment

• The generic risks to the business are: – Loss of key assets

• Information• the network• skilled people

– Disruption of key processes• Revenue• regulatory reporting

Risk Factors

• Assess risk based on these factors:– Impact Size – Rate of Change – Business Impact – Complexity – Recoverability – Value – Management Team Focus

Definitions• Civil law addresses violations of rules that result in

monetary loss as well as other forms of damage caused to individuals or organizations

• Criminal law addresses violations that are harmful to society

• Tort law addresses violations by individuals that result in personal, physical, or financial injury to an individual

• Private law regulates relationships between an individual and an organization

• Public law regulates relationships between citizens

Definitions

• Ethics is defined as socially acceptable behavior

• Code of conduct is a set of rules that an organization defines as acceptable

Laws governing Information Security

• Computer Security Act• Communications Assistance to Law

Enforcement Act• Computer Fraud and Abuse Act• USA PATRIOT Act

Computer Security Act

• Passed in 1987. Official designation PL100-235• Law gave NIST the authority over unclassified

non-military government computer systems• NSA originally had this power• Main goals:

– Develop policies for federal agencies concerning computer security

– Develop procedures to identify vulnerabilities in computer security

Computer Security Act

• Provide mandatory security awareness training to all federal employees dealing with sensitive information

• Identify all computer systems that contain sensitive information

CALEA

• Passed in 1994• Works in conjunction with FCC regulations• Telephone companies to include hardware to

their switches that will facilitate tapping of conversations by law enforcement agencies

• Telcos are not responsible for decrypting any intercepted communication

• Telcos will be provided reasonable compensation for the addition of interception hardware to switches

Computer Fraud and Abuse Act

• Originally passed in 1994 and amended in 1996• PATRIOT Act amends this act further• CFAA’s main provisions relate to the following:

– having knowingly accessed a computer without authorization

– intentionally accesses a computer without authorization

– knowingly and with intent to defraud, accesses a protected computer without authorization

– Prison time of up to 10 years is possible for any violation

• If damage caused is below $5,000 then only criminal penalties apply and no civil penalties apply

USA PATRIOT Act• Uniting and Strengthening America by Providing

Appropriate Tools Required to Intercept and Obstruct Terrorism

• Passed in October 2001• Gives extensive powers to the federal

government to suspend notification provisions of existing laws

• Provides authorization for information search without knowledge of the individual

• Law expires in December 2004, unless renewed by Congress

Privacy and Ethics• Information privacy• Information privacy laws

– Federal Privacy Act of 1974– Electronic Communications Privacy Act of 1986– Communications Act of 1996– HIPAA of 1996– Computer Security Act of 1987– USA PATRIOT Act of 2001

• Ethical aspects of information handling

Information Privacy• Privacy refers to personally identifiable

information about an individual or an organization• Privacy does not mean absolute freedom from

observation• Privacy means “state of being free from

unsanctioned intrusion”• Financial and medical institutions treat privacy as

part of their compliance requirements• Information is collected by cookies and points of

sale

Information Privacy• Privacy is a risk management issue• Ability to collect information from

multiple sources and combine them in different ways have resulted in powerful databases that can shed more light than previously possible

Information Privacy Laws• Federal Privacy Act of 1974

– Requires all government agencies from protecting the privacy information of individuals and businesses

– Certain agencies have exemption to release aggregate data

• Census Bureau• National Archives• Congress• Comptroller General• Credit agencies

Information Privacy Laws• Electronic Communications Privacy Act

of 1986– Regulates interception of wire, electronic,

and oral communications– Works in conjunction with the Fourth

Amendment providing protection against unlawful search and seizure

Information Privacy Laws• Communications Act of 1996

– Regulates interstate and international communications

– Communications decency was part of this Act

Information Privacy Laws• Health Insurance Portability and

Accountability Act (HIPAA) of 1996– Protect confidentiality and security of

health care data– Electronic signatures are allowed– Patients have a right to know who have

access to their information and who accessed it

References

• NIST Risk Assessment Guide for Information Technology Systems, SP 800-30

• Mike Godwin, “When copying isn’t theft,” www.eff.org/IP/phrack_riggs_neidorf_godwin.article

• Michael Whitman, “Enemy at the Gates: Threats to Information Security,” Communications of ACM, 2003

References• Financial institutions:

http://www.fdic.gov/news/news/financial/1999/FIL9968a.HTML

• Risk Assessment Process: http://www.mc2consulting.com/riskart1.htm

• ISACA http://www.isaca.org/• Risk Assessment Guidelines

http://www.gao.gov/special.pubs/ai99139.pdf• Risk Assessment:

http://www.ffiec.gov/ffiecinfobase/booklets/information_security/02_info_security_%20risk_asst.htm