
ISACA Charlotte Chapter September Event Information Security, IT Governance & Risk Management

Risk Assessment, Acceptance and

Exception with a Process View

Shawn Swartout

Leviathan Security Group

2 Shawn Swartout

Agenda

Assessment

• Risk assessment drivers

• Developing an assessment framework that fits your size & complexity

• Integrating your risk assessment

Response

• Acceptance

• Ownership and accountability

Monitoring

• Exception handling


Risk Assessment External Drivers

HIPAA Security Rule (45 CFR §164.308(a)): A covered entity must, in accordance with §164.306:

(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

(ii) Implementation specifications: (A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

Federal Financial Institutions Examination Council (FFIEC), Risk Management of Remote Deposit Capture (RDC):

Risk Management: Risk Assessment. Prior to implementing RDC, senior management should identify and assess the legal, compliance, reputation, and operational risks associated with the new system.

EXAMPLES


Risk Assessment Internal Drivers

How Risk Management Can Turn into Competitive Advantage http://scholarworks.umb.edu/cgi/viewcontent.cgi?article=1006&context=management_wp

EXAMPLES


Assessment

Source: http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf

NIST SP 800-30 Rev. 1 (Guide for Conducting Risk Assessments) includes a taxonomy of threat sources, threat events, vulnerabilities and predisposing conditions, and the inputs your assessment needs for its likelihood and impact determinations.


Food for Thought

Alex Hutton RVAsec 2013: KEYNOTE: Towards A Modern Approach To Risk Management http://www.youtube.com/watch?v=icN40I3JJLY

Jet engine x peanut butter = shiny!

How awesome is your bridge?

– Wind has no motivation

– Rain does not evade defenses

– If system is faulty by design… reinforcement addresses only symptoms

“What our standards bodies typically do is enable us to justify our perspective by manipulating the inputs into a completely false model” –Alex Hutton http://newschoolsecurity.com/2011/04/what-is-risk-again/


Assessment

Inherent risk – controls = residual risk

Let's at least agree on this for the moment.


Assessment

Develop an assessment framework that fits your size & complexity


Factor Analysis of Information Risk (FAIR)

Complexity Level: Moderate

FAIR provides:

• A taxonomy of the factors that make up information risk and a set of standard definitions for our terms.

• A method for measuring the factors that drive information risk, including threat event frequency, vulnerability, and loss.

• A computational engine that derives risk by mathematically simulating the relationships between the measured factors.

• A simulation model that allows us to apply the taxonomy, measurement

http://riskmanagementinsight.com/media/documents/FAIR_Introduction.pdf


Factor Analysis of Information Risk (FAIR)

Assumptions about key aspects of the risk environment can seriously weaken the overall analysis.

Example: Bald Tire Scenario

As you proceed through each of the steps within the scenario below, ask yourself how much risk is associated with what’s being described.

• Picture in your mind a bald car tire. How much risk is there?

• Next, imagine that the bald tire is tied to a rope hanging from a tree branch. How much risk is there?

• Next, imagine that the rope is frayed about halfway through. How much risk is there?

• Finally, imagine that the tire swing is suspended over an 80-foot cliff. How much risk is there?


Factor Analysis of Information Risk (FAIR)

Example: Bald Tire Scenario

Risk Level – Low. Most people believe the risk is ‘High’ at the last stage of the Bald Tire scenario. The answer, however, is that there is very little probability of significant loss given the scenario exactly as described: nothing of value is exposed and no threat agent is acting on it, so both the frequency of a loss event and its magnitude are negligible. Put a person on the swing and the answer changes, which is exactly why unstated assumptions undermine an analysis.

Who cares if an empty, old bald tire falls to the rocks below?


Binary Risk Analysis

Complexity Level: Easy

Binary Risk Analysis (BRA) provides:

• A tool that performs risk analysis based exclusively on yes or no responses to ten questions. By forcing the user to choose one of two mutually exclusive answers, the tool trades precision for speed and simplicity.

https://binary.protect.io/BRA_draft1.1.pdf


Binary Risk Analysis

The central tenet of this tool: risk analysis is based exclusively on yes or no responses to ten questions, a binary response. https://binary.protect.io/BRA_draft1.1.pdf


Integrating your Assessment

• Organizational changes

• Product selection

• New service offering

• System development life cycle (SDLC)

– Requirements definition stage

– Development/Acquisition stage

Others?


Risk Response


Risk Response

In risk response, as described in NIST Special Publication 800-39, organizations:

– analyze different courses of action

– conduct cost-benefit analyses

– examine the interactions/dependencies among risk mitigation approaches

– address schedule and performance issues


Risk Response

• The options available for responding to a risk (NIST SP 800-39):

– mitigation: application of appropriate controls

– acceptance of that risk (by an owner with the authority to accept it)

– transference or sharing of that risk (e.g. insurance)

– avoidance (e.g. product selection)


Risk Treatment Plan

A Risk Treatment Plan (RTP) identifies each information asset flagged in the Risk Assessment report as carrying an unacceptable level of risk and states the method of treatment intended to bring that risk to an acceptable level, with an owner, a completion date and a status.

SAMPLE (one row of an RTP table):

Asset(s): Customer non-public personal data

Container(s): Backup tapes for file server data; file server

Vulnerability: Data unencrypted at rest

Risk: Medium

Risk Treatment: Encrypt file server files and back-up tapes. Completion: MM/DD/YY. Owner: CISO

Status: Pending / On-hold / Complete


Risk Response

• Ownership and accountability

– Application owners/custodians

– Business owners

– Compliance

– Legal

– Audit

– Audit Committee

– Board of Directors

Show me the Risk!


Monitoring Risk


Monitoring Risk

Risk exception handling

• An exception usually means non-compliance with policies and standards, but sanctioned non-compliance: the deviation is known, approved, and the resulting risk is formally accepted (BUT THEY'RE OK!)

– Easily identified if policy requirements are clearly articulated

• Ownership and accountability

– Who owns the policy? Does materiality change who must own, and accept, the exception?

• Review cycle

– Consider aligning with policy reviews; give every exception an expiry date so it is re-justified on review rather than quietly becoming permanent


Take away

• Risk is not a thing. We can’t see it, touch it, or measure it directly.

• It’s derived from the combination of threat event frequency, vulnerability, and asset value and liability characteristics.

Your organization's ability to “manage risk” may be exploited as a market differentiator.

Risk – The probable frequency and probable magnitude of future loss
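The definition of risk above, and the FAIR “computational engine that derives risk by mathematically simulating the relationships between the measured factors” from the FAIR slide, as an added worked example. This is not code from the deck, from Leviathan Security Group, or from the FAIR standard; it is a small Monte Carlo that turns calibrated (low, most likely, high) estimates of threat event frequency, threat capability, resistance strength and loss magnitude into an annualized loss distribution, and then compares the inherent scenario with the residual one after a control (the deck's inherent risk – controls = residual risk). The modelling choices (PERT-distributed inputs, Poisson loss-event counts, a 0–100 capability scale) and every number in the scenario are my assumptions, constructed to mirror the unencrypted-backup-tape row of the sample treatment plan.

```python
"""FAIR-style Monte Carlo risk estimate.

Added example: not code from the deck, from Leviathan Security Group, or from
the FAIR standard. It implements the deck's definition of risk, the probable
frequency and probable magnitude of future loss, as:

    Vulnerability          = P(threat capability > resistance strength)
    Loss Event Frequency   = Threat Event Frequency x Vulnerability
    Annualized loss        = sum of Loss Magnitude over the loss events in a year

Modelling assumptions (mine, not FAIR's): each calibrated (low, most likely,
high) estimate is sampled from a modified-PERT distribution, and the number of
loss events in a year is Poisson with the sampled loss event frequency.
The scenario figures are constructed for illustration, not measurements.
"""
import math
import random
import statistics


def pert_sample(rng, low, mode, high, lam=4.0):
    """One draw from a modified-PERT (scaled beta) distribution on [low, high]."""
    if high <= low:
        return low
    alpha = 1.0 + lam * (mode - low) / (high - low)
    beta = 1.0 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def poisson_sample(rng, lam):
    """Knuth's sampler: number of events in a year for a Poisson rate lam."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def vulnerability(rng, tcap, rs, trials):
    """Estimate P(threat capability exceeds resistance strength); both 0-100 scales."""
    hits = sum(1 for _ in range(trials)
               if pert_sample(rng, *tcap) > pert_sample(rng, *rs))
    return hits / trials


def simulate(scenario, trials=20000, seed=7):
    """Monte Carlo over one scenario; returns a summary of the annualized-loss distribution."""
    rng = random.Random(seed)
    vuln = vulnerability(rng, scenario["tcap"], scenario["rs"], trials)
    annual = []
    for _ in range(trials):
        lef = pert_sample(rng, *scenario["tef"]) * vuln     # loss events / year
        events = poisson_sample(rng, lef)
        annual.append(sum(pert_sample(rng, *scenario["lm"]) for _ in range(events)))
    annual.sort()
    return {
        "vulnerability": vuln,
        "p_any_loss": sum(1 for x in annual if x > 0) / trials,
        "mean": statistics.fmean(annual),
        "p50": annual[trials // 2],
        "p90": annual[int(0.9 * trials)],
        "max": annual[-1],
    }


# Constructed scenario matching the deck's sample treatment-plan row: customer
# non-public personal data on backup tapes that leave the building.
INHERENT = {
    "tef": (0.5, 2.0, 6.0),              # tape shipments lost or mishandled per year
    "tcap": (70.0, 85.0, 95.0),          # whoever finds a tape can mount and read it
    "rs": (10.0, 25.0, 60.0),            # unencrypted tapes offer little resistance
    "lm": (50_000, 250_000, 2_000_000),  # notification, legal, regulatory, reputation ($)
}
# Residual: same threat, but tapes encrypted with keys held elsewhere.
RESIDUAL = dict(INHERENT, rs=(85.0, 95.0, 99.0))


if __name__ == "__main__":
    for label, scenario in (("inherent", INHERENT), ("residual", RESIDUAL)):
        r = simulate(scenario)
        print(f"{label:9s} vuln={r['vulnerability']:.2f} "
              f"P(loss)={r['p_any_loss']:.2f} mean=${r['mean']:,.0f} "
              f"p50=${r['p50']:,.0f} p90=${r['p90']:,.0f} max=${r['max']:,.0f}")
```

The point of reporting a distribution (p50, p90, max, probability of any loss) rather than a single “Medium” is that it shows what the control buys: encryption leaves threat event frequency untouched and only moves resistance strength, so the inherent scenario's vulnerability of 1.0 collapses to a few percent and the expected annual loss falls with it. Change any input range and re-run; if the ranking of treatments flips, the assessment depends on an assumption worth arguing about.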


Questions & Comments

Contact information: Shawn Swartout, CISSP, CISM, CAMS

Sr. Security Risk Management Consultant

Leviathan Security Group

[email protected]

Mobile: (509) 995-1083

http://www.leviathansecurity.com

Changing the face of information security and risk management.

Leviathan Security Group provides integrated Risk Management and Information Security solutions for our clients rather than patches, point fixes, or checking off little boxes with red ink pens. Our fortune one-hundred clients and governments rely on us to understand and mitigate their risks. We help them take the next steps in their evolution and help them maintain their stellar reputations.