Information Assurance for the Enterprise, Instructor's Manual, Chapter 2 (p. 2-1)

Chapter 2: Assessing Risks

Learning Objectives

In this chapter, students come to understand risk elements as they relate to information assurance. At the end of this chapter, the student should be able to explain:
- The elements of risk assessment
- The role and purpose of risk assessment in information assurance
- The fundamentals of how to perform a risk assessment
- How the audit process serves to identify and track risks

Preparing for Class

Instructors should have a good understanding and knowledge of information assurance and security in general. Instructors can bring in real-world examples of risk management policies in different industries. Also, guest speakers from the risk management offices of large enterprises can bring a real-world perspective to the students.

Prerequisites for Class

Ensure that the students are:
- In a computer lab, if possible, for access to the Internet
- Arranged in the classroom advantageously to ensure maximum participation
- Fundamentally sound with information security basics

Class Preparation Notes

For this class the students will need:
- Access to a working computer with Internet access
- A highlighter (it's not mandatory if they can take good notes)

Key Terms

Acceptability: Risk assessment level of acceptability in dollars
Audit: It assures the integrity of the security solution
Audit Conclusion: When the audit report is reviewed with the auditee's upper management prior to release
Audit Criteria: A set of predefined controls to be audited
Audit Documentation: Audit activities at each stage are documented
Audit Reporting: The audit manager assumes the responsibility for audit reporting
Auditee: The organization being audited
Checklist: Checklist for performing the audit against different factors
Client Organization: The organization that mandates the audit
Compliance: Meeting the standards
Confidentiality: Keeping practices and procedures between the company and client private
Contracts: Agreements between the company and customer
Control Objective: Control objectives are focused behaviors with observable outcomes
Corrective Action: Documented action against a perceived risk/threat
Cost/Benefit: Analyzes the pros and cons of an action
Countermeasures: The steps that will be taken to mitigate a given risk
Estimate of the Consequences: The harm that a threat would cause
Evidence: Obtained by conducting interviews
Event Logs: Audit records are kept in event logs that are automatically maintained by the system
Follow-up: A follow-up is another audit to confirm compliance
Gaps: Identified risks between ideal practice and the current operation
Impartiality: Objective, non-biased opinion
Internal Audit: The organization performs the audit within its own organization with its own people
Interviews: They are conducted to gather evidence
Latent Threat: A possible threat that only becomes active at a later time if one of the conditions changes
Laws and Regulations: The structure with which a company must be in compliance
Lead Auditor: The person who has the sole authority for the auditing process
Likelihood: The certainty of risk
Noncompliances: Areas where a plan is not fulfilling a law or regulation
Nonconformances: Another term for noncompliances
Operational Security Analysis: It leads to the deployment of a concrete security solution
Preventive Measures: The strategy to reduce the likelihood of a risk occurrence
Process Entropy: The natural tendency for any organized system to degrade over time due to changing conditions
Probability of Occurrence: A percentage indicating the likelihood of occurrence
Proof of Compliance: The audit evidence document
Quantitative Factors: Numerically measurable risk factors
Reactive Measures: The strategy to respond effectively if a risk becomes a direct threat
Risk: The possibility of a threat
Risk Analysis: The process by which the risk is understood
Risk Analysis Report: An operational response that identifies those threats that have to be managed
Risk Assessment: An operational process by which risks are identified and characterized
Risk Estimation: Determines the probability and impact of threats
Risk Evaluation: A function used to decide about the nature of emerging threats
Risk Identification: Documenting the characteristics of vulnerabilities
Risk Management: It ensures effective and up-to-date alignment between identified threats and the countermeasures deployed to mitigate them
Risk Mitigation: It determines how the risk will be handled
Risk Mitigation Report: The mechanism for communicating information about how risk is handled
Risk Tolerance: The minimum level of protection that management can reasonably afford in its day-to-day operations
Risk Transfer: It specifies how any foreseen impact can be reallocated so that the loss is not permanent or catastrophic
Scope of the Assessment: It should include the entire set of organizational and technical issues
Standards: Gap analysis must be based on universal standards such as ISO 27000, NIST, GASSP or COBIT
Third Party Work: The risk management plan must include work performed by entities outside the organization
Threat: A way of exploiting a known weakness in an organization
Threat Picture: A comprehensive understanding of all threats
Vulnerability: A perceived weakness in an organization that can be exploited
Weakness: A part of a system that can be exploited

Lecture Outline

I. Risks: An Overview
   A. A risk is the possibility that a threat is capable of exploiting a known weakness
   B. Risk Assessment
      1. It is an operational process by which risks are identified and characterized
      2. It focuses on understanding the nature of all feasible risks
      3. It identifies and evaluates each relevant threat, determines its impact, and itemizes the safeguards that will be needed
      4. It determines the preventive measures as well as the reactive measures relevant to a threat
      5. It provides specific information on the probability of occurrence and the estimate of the consequences
      6. It maximizes operational deployment and resource use
      7. It should reflect a commonly accepted and repeatable methodology, which will produce independently verifiable concrete evidence
      8. To ensure the effectiveness and accuracy of risk assessment, the scope of the inquiry has to be defined precisely and be limited to a particular problem
      9. The risk assessment should be an ongoing process that considers the following factors:
         i. The existence of, and interrelationships among, all of the organization's information assets
         ii. The specific threats to each asset
         iii. The precise business, financial, and technological issues associated with each threat
   C. Making Threats Visible
      1. Gap Analysis
         i. Identification of gaps between ideal practice and the current operation
         ii. Gaps are assumed to represent vulnerabilities that must be addressed by the security system
         iii. Refer to Figure 2-2 (Page 29) for the gap analysis illustration
         iv. Gap analysis drives the decisions about the actions that must be taken to alleviate that specific area of weakness
         v. Four major universal standards are used to perform a gap analysis: the ISO 27000 series, NIST 800-18, the GASSP model and the COBIT model
      2. Risk Classification
         i. Risk Identification
            a. It identifies potentially harmful risks
            b. It documents the characteristics of every vulnerability
            c. Latent threats do not have immediate consequences and are ignored in developing the security strategy
         ii. Risk Estimation
            a. It is a data-driven process
            b. It measures and quantitatively describes each potential risk
            c. It determines the probability and impact of all threats that have been identified through risk identification
            d. It includes quantitative factors such as the assets affected, the potential duration of the threat, and the severity of the adverse impact
   D. Strategy Formulation
      1. ROI: a countermeasure should not cost more than the harm that the threat could cause
      2. Trade-Offs
         i. Cost/benefit and likelihood of occurrence have to be balanced when formulating a security response
         ii. There must be a trade-off between the frequency of occurrence and the unit cost of each occurrence
      3. Practical Decision
         i. The decision can be based on annualized loss exposure (ALE)
         ii. If the expense is greater than any possible harm, then the countermeasure is not included in the security response
         iii. ALE = Annual Cost of Deployment (Annual Rate of Occurrence × Cost per Occurrence)
      4. Certainty Factors
         i. The degree of certainty of the estimate should be expressed as a level of confidence from 0 to 100%
         ii. Knowing the probability of events will be beneficial in the security response
      5. Risk Mitigation Report
         i. The mechanism for communicating information about risk is the risk mitigation report
         ii. It specifies the steps selected for each risk and itemizes the countermeasures that will be implemented as well as the parties in the organization who will be responsible for accomplishing each task
         iii. It sets the security process in motion
   E. Security Solution
      1. Operational Security Analysis
         i. It analyzes precisely the implications of the threat picture developed in the risk identification and estimation stage
         ii. Minimum levels of protection must be specified for the risk-tolerance decision by management
         iii. It provides the information needed to assign operational priorities
         iv. It allows for the risk-mitigation decision about how to reduce the severity or effect of a known risk
         v. Risk-mitigation decisions also specify ways to recover from the risk, including risk transfer
         vi. It must contain the needs, issues, and concerns of the various organizational stakeholders
         vii. The organizational value of an asset can be obtained by the following methods:
            a. Applied Information Economics
            b. The Balanced Scorecard
            c. Economic Value Added
            d. Economic Value Sourced
            e. Portfolio Management
            f. Real Option Valuation
   F. Operational Risk Assessment
      1. Operational risk assessments are conducted as a part of the risk management process
      2. It uses risk identification and estimation as the primary data-gathering mechanism
      3. It uses the risk evaluation function to decide the nature of emerging threats
      4. Operational risk assessments are used to fine-tune the security response over time
      5. It should provide explicit implementation advice about changes that must be made to countermeasures
      6. Planning for Operational Risk Assessment
         i. Planning involves establishing a standard schedule for the performance of each assessment as well as defined processes for problem reporting and corrective action
         ii. It must have a defined set of performance criteria
         iii. Each countermeasure must have a set of observable criteria built into its specification
      7. Implementing the Operational Risk Assessment Process
         i. Risk assessment must be flexible to meet the demands of a changing security environment
         ii. It should specify roles and responsibilities
         iii. It should ensure that a responsible party will always be in place to address any contingency
         iv. It ensures that adequate resources are available to support the assessment activities
      8. Standard Measurement
         i. It should ensure that each assessment produces consistent data
         ii. Consistency is critical for understanding the precise nature of the threats
   G. Audit
      1. It assures the integrity of the security solution against the pervasive influence of process entropy
      2. It verifies that the necessary knowledge and accountability are in place to guarantee continuous performance
      3. It confirms that the implemented security procedures are working as intended within the normal business setting
      4. Refer to Figure 2-5 (Page 38) for the audit process illustration
      5. Audits are done to determine something about the four Cs:
         i. Contract
         ii. Capability
         iii. Compliance
         iv. Certification
      6. Aims of Audit
         i. Internal or external audit
         ii. To identify non-compliances or non-conformances against specified audit criteria
         iii. To determine whether the auditee has achieved its stated objectives
      7. Audit Framework
         i. The audit process maintains accountability for performance
         ii. Each element is termed a control objective; control objectives are focused behaviors with observable outcomes
         iii. Audit maintains the status of all designated security procedures on an ongoing basis
         iv. Audits are always carried out based on a specific set of audit criteria, as they involve legal considerations
      8. Managing the Audit Process
         i. The audit process should be managed separately from, and independently of, the organization being audited
         ii. The audit manager supervises, monitors and evaluates the activities of the audit team
         iii. Audit Planning
            a. There are four types of participants in an audit process
            b. Auditee: the part or parts of the organization being audited
            c. Lead Auditor: the chief auditor
            d. Auditor: the audit team
            e. Client: the organization that engaged the auditors
         iv. Performing the Audit
            a. The preparation, validation, and distribution of the audit forms and checklists is an important activity in the audit process
            b. Establishing a good checklist is a factor in successful information assurance audits
            c. Event logs, which maintain records in information assurance, must be identified and accounted for at the beginning of the process
            d. Electronic records must be audited using the same methodology and level of rigor that is applied to the traditional body of audit evidence
            e. Outcomes and conclusions from electronic records must be fully integrated into the body of audit findings
         v. Authenticating Audit Evidence
            a. Evidence obtained must be authenticated
            b. All objective data and conclusions must be authenticated by means of a suitable analysis
            c. Refer to Figure 2-7 (Page 45) for the Developing Audit Evidence illustration
            d. Ensuring confidentiality is important
            e. The audit should be terminated if confidentiality is breached
            f. The audit must be impartial, which is ensured by making sure that all findings are supported by unambiguous evidence
         vi. Preparing the Audit Report
            a. Auditors report preliminary conclusions, including problems encountered
            b. The final report contains observations, major and minor findings, and the timing of follow-up activities
         vii. Importance of Validation
            a. Members of the organization must assist in validating the findings

II. Certification and Accreditation (C&A)
   A. It is a federal government audit process
   B. It uses a product-oriented approach
   C. It generates a document that management can use to identify and accept the residual risk in any system
   D. It is a comprehensive evaluation of the technical and non-technical security features of the entity being tested
   E. Certification of a system is the outcome of an information assurance analysis in the following areas:
      1. Physical
      2. Personnel
      3. Administrative
      4. Information
      5. Information Systems
      6. Communications
   F. Accreditation establishes the risk tolerance levels of the system and allows the system administrator to prescribe the appropriate set of access controls
   G. DITSCAP
      1. It is the Federal Government's DoD Information Technology Security Certification and Accreditation Process (DITSCAP)
      2. It ensures that prospective customers know what all of the risks associated with a given system are
      3. The following are the phases of DITSCAP evaluation:
         i. Definition: key players agree on the intended system's mission, the attendant security requirements, the scope of the C&A boundary, the audit schedule, the level of effort, and the resource commitment
         ii. Verification: certifiers determine the system's compliance with the System Security Authorization Agreement (SSAA) requirements
         iii. Validation: it validates compliance with the SSAA requirements
         iv. Post Accreditation: review of configuration and security management

Teaching Tip

This chapter is about assessing risks. You may want to ask students about life-cycle risks and how they are protecting themselves and their families. For example, why do you take out life insurance? Ask students to itemize the risks involved in their daily commute to the college. Which one is more probable and which one is not? Why?

If you have access to the college/university risk management office, then tell students to analyze the current policies of information risk.

Discussion Point

The essay questions at the end of the chapter are a good starting point for bringing discussion questions into the classroom. Ask students how the information assets are secured in their own industry (depending on where they work).

Key Terms Quiz

Use the terms from the Key Terms list to complete the sentences that follow. Don't use the same term more than once. Not all terms will be used.

1. _____ provides probabilities that a risk will occur as well as the cost/benefit impacts if it does.
2. The least quantitative type of risk assessment is called a risk _____.
3. Decisions about the deployment of the security response are based on _____.
4. One mechanism for assessing whether to deploy countermeasures is the Balanced _____.
5. The only way to ensure accountability is through _____ of risk performance.
6. Measurement requires established _____.
7. The process that ensures that control objectives are being met is called _____.
8. There are essentially two types of risk assessments: _____ and _____.
9. The document that ensures that nonconformities are brought to management's attention is called a _____.
10. Audit conclusions are only based on _____.

Answers

1. Risk Analysis provides probabilities that a risk will occur as well as the cost/benefit impacts if it does.
2. The least quantitative type of risk assessment is called a risk identification.
3. Decisions about the deployment of the security response are based on countermeasures.
4. One mechanism for assessing whether to deploy countermeasures is the Balanced Scorecard.
5. The only way to ensure accountability is through audit of risk performance.
6. Measurement requires established standards.
7. The process that ensures that control objectives are being met is called gaps.
8. There are essentially two types of risk assessments: identification and estimation.
9. The document that ensures that nonconformities are brought to management's attention is called a risk mitigation report.
10. Audit conclusions are only based on impartiality.

Multiple Choice Quiz

1. A control framework ensures that:
   A. defects are prevented
   B. vulnerabilities don't happen
   C. procedures are followed
   D. no risk is ignored
2. Confidentiality is important in all types of assessments because:
   A. it ensures cooperation
   B. it prevents leaks
   C. it identifies threats
   D. it reduces cost
3. Continuous risk management is underwritten by:
   A. plans
   B. project management
   C. risk assessment
   D. procedures
4. Most risk assessments are conducted against:
   A. reference models of best practice
   B. gaps
   C. specified criteria
   D. the technology
5. Besides the effectiveness of security controls, audit can assure:
   A. security technologies
   B. security processes
   C. safety
   D. security work
6. A gap analysis looks at:
   A. the best practices
   B. the difference between current and ideal practice
   C. the presence of non-conformities
   D. the audit evidence
7. A likelihood estimate is important because:
   A. people like estimates
   B. knowledge of probability of occurrence supports decision making
   C. investment in security is easy to make
   D. likelihood drives cost
8. A risk estimation is different from an operational security analysis in that:
   A. risk estimations are quantitative and security analyses are not
   B. risk estimations deal with probability
   C. the aim of the security analysis is to determine whether the strategy is correct
   D. the aim of the security analysis is to determine ROI
9. Scope is essential to risk assessment because:
   A. it defines the range of things that will be examined
   B. it sets the security perimeter
   C. it establishes the types of analyses that will be needed
   D. it is a component of the risk mitigation strategy
10. Risk assessments are:
   A. basic countermeasures
   B. unnecessary because threats are always evolving
   C. features that are found in the security of operations function
   D. an essential precondition to planning the response

Answers

1. C
2. B
3. C
4. A
5. B
6. B
7. B
8. A
9. A
10. D

Essay Quiz

1. It is important to validate audit interviews by other means. Why is that the case and what can happen if this is not done?
2. Risk assessments always embody some form of probability estimate. Why is that necessary and what does it prevent?
3. What is the role of Annualized Loss Exposure in security system formulation? What may happen if the ALE is ignored?
4. Forms and checklists are important in all types of assessments. Why is that the case and what do they essentially provide for the process?
5. Security audits are different from risk assessments in that they are regular and ongoing. What is the primary benefit of a continuous process?
6. Gap analyses are most easily accomplished if they are based on standards. Explain why.
7. Certification is a very useful aspect of the risk process. Explain how certification can assure against risks.
8. One of the most important aspects of the practical security process is the risk mitigation report. Explain what purpose it serves and why it is a key element of security.
9. How does risk assessment relate to the information identification process?
10. What is the role of risk identification in the overall process? Why is risk identification a necessary step?

Answers

1. It is important to validate audit interviews by other means. Why is that the case and what can happen if this is not done?
   Evidence obtained through interviews during the audit process must be authenticated to ensure consistent interpretation. The audit process must be confidential and impartial to validate all the findings. If confidentiality is breached, then the audit must be terminated, as the findings will not be impartial.

2. Risk assessments always embody some form of probability estimate. Why is that necessary and what does it prevent?
   Risk assessment identifies the potential threats against the organization. Probability estimation allows the organization to assess the level of acceptability of the risk in dollars and cents. Organizations can determine the Return on Investment (ROI) for a possible threat.

3. What is the role of Annualized Loss Exposure in security system formulation? What may happen if the ALE is ignored?
   Annualized Loss Exposure (ALE) allows the organization to estimate the expense of maintaining a countermeasure over one year. If the expense is greater than any possible harm, then there is no ROI to the organization. Thus, if organizations ignore ALE, then they will not be able to perform a cost/benefit analysis.

4. Forms and checklists are important in all types of assessments. Why is that the case and what do they essentially provide for the process?
   Checklists allow an organization to determine whether it is in compliance with all the standards and audit criteria. Thus, they are essential in the auditing process.

5. Security audits are different from risk assessments in that they are regular and ongoing. What is the primary benefit of a continuous process?
   A continuous security audit process will detect any latent threats that might arise from changing conditions.

6. Gap analyses are most easily accomplished if they are based on standards. Explain why.
   Standards define the ideal practice; thus, identification of gaps between ideal practice and the current operation determines the risks for an organization. Measuring the organization's operation against standards will assist in identifying potential risk.

7. Certification is a very useful aspect of the risk process. Explain how certification can assure against risks.
   Certification assures compliance against standards and audit criteria. Thus, certification of an organization that meets the standards shows that organization to be at a lesser risk.

8. One of the most important aspects of the practical security process is the risk mitigation report. Explain what purpose it serves and why it is a key element of security.
   The risk mitigation report is the mechanism for communicating information about risk. This document specifies the steps selected for each risk and itemizes the countermeasures that will be implemented as well as the parties in the organization who will be responsible for accomplishing each task. Thus, it is a very important element of the security process.

9. How does risk assessment relate to the information identification process?
   The identification process determines the precise area of threat and identifies the information assets affected during the risk assessment. Since identification documents the characteristics of every vulnerability, it is an important risk assessment tool.

10. What is the role of risk identification in the overall process? Why is risk identification a necessary step?
   Risk identification is the simplest form of risk classification. It identifies potentially harmful risks. It documents the characteristics of every vulnerability, including itemizing a list of all the threats that would be able to exploit it. It is a necessary step, as it identifies every risk item through extensive interviews and detailed technical analysis.

Case Exercise

Complete the following case exercise as directed by your instructor:

Heavy Metal Technologies (HMT) is a defense contractor headquartered in Huntsville, Alabama. HMT was recently contracted by the Army to upgrade the fire control system for the MH64-D Apache Longbow attack helicopter. Because the contracted enhancement is so important to the continuing success of the main ground attack helicopter program, and thus because of its importance to national defense, the Army wants a total commitment from HMT that the integrity, confidentiality, and availability of project information will be assured. Therefore the Army would like HMT to address the following five organizational control concerns. Please provide a written solution for each of these.

- The Army requires a procedure to assure that all security concerns will be identified and addressed.
- The Army requires a procedure to assure that performance of the security process will be continuous.
- The Army requires a procedure to assure that the control processes will be cost efficient.
- The Army requires a procedure to assure that the company will be able to satisfy its contractual and legal obligations.
- The Army requires a procedure to assure that all third-party work will meet security criteria.
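The cost/benefit rule from the Strategy Formulation part of the lecture outline (a countermeasure is dropped when its annual expense exceeds the harm it prevents, with the certainty of each estimate recorded as a confidence level), carried through in Python as an added worked example. This code is not from the instructor's manual; it uses the standard definition ALE = annual rate of occurrence × cost per occurrence, and the threats, countermeasures and dollar figures are constructed for illustration.

```python
"""Annualized loss exposure (ALE) decision rule for countermeasures.

Added example, not from the instructor's manual.  All threat and
countermeasure figures below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    aro: float                  # annual rate of occurrence (expected events per year)
    cost_per_occurrence: float  # single-loss cost in dollars
    confidence: int             # certainty of the estimate, 0-100 percent


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float    # yearly cost of deployment in dollars
    residual_aro: float   # expected ARO once the countermeasure is in place
    residual_cost: float  # expected cost per occurrence once in place


def ale(aro: float, cost_per_occurrence: float) -> float:
    """Standard definition: ALE = annual rate of occurrence x cost per occurrence."""
    return aro * cost_per_occurrence


def evaluate(threat: Threat, cm: Countermeasure, min_confidence: int = 70) -> dict:
    """Apply the outline's rule: a countermeasure whose annual cost exceeds the
    harm it prevents is not included in the security response.  The harm it
    prevents is the reduction in ALE it buys."""
    before = ale(threat.aro, threat.cost_per_occurrence)
    after = ale(cm.residual_aro, cm.residual_cost)
    prevented = before - after
    return {
        "threat": threat.name,
        "countermeasure": cm.name,
        "ale_before": before,
        "ale_after": after,
        "harm_prevented": prevented,
        "annual_cost": cm.annual_cost,
        "net_benefit": prevented - cm.annual_cost,
        "deploy": cm.annual_cost <= prevented,
        # Certainty factor: a low-confidence estimate is flagged so the decision
        # is revisited after re-estimation rather than taken as final.
        "provisional": threat.confidence < min_confidence,
    }


# Constructed scenario data (hypothetical figures, not from the manual).
FILE_SERVER_RANSOMWARE = Threat("Ransomware on file server", aro=0.5,
                                cost_per_occurrence=80_000, confidence=80)
OFFLINE_BACKUPS = Countermeasure("Offline backups", annual_cost=12_000,
                                 residual_aro=0.5, residual_cost=20_000)

CREDENTIAL_PHISHING = Threat("Credential phishing", aro=4.0,
                             cost_per_occurrence=2_500, confidence=60)
MAIL_GATEWAY = Countermeasure("Mail gateway filtering", annual_cost=15_000,
                              residual_aro=0.8, residual_cost=2_500)

PAIRS = [(FILE_SERVER_RANSOMWARE, OFFLINE_BACKUPS),
         (CREDENTIAL_PHISHING, MAIL_GATEWAY)]


def decide_all(pairs=PAIRS) -> list:
    """Evaluate every threat/countermeasure pair; the result feeds the
    risk mitigation report (what is deployed, what was declined and why)."""
    return [evaluate(threat, cm) for threat, cm in pairs]


if __name__ == "__main__":
    for d in decide_all():
        verdict = "deploy" if d["deploy"] else "decline"
        if d["provisional"]:
            verdict += " (provisional: low-confidence estimate)"
        print(f"{d['countermeasure']:<24} ALE {d['ale_before']:>9,.0f} -> "
              f"{d['ale_after']:>9,.0f}  cost {d['annual_cost']:>8,.0f}  "
              f"net {d['net_benefit']:>+9,.0f}  {verdict}")
```

In the constructed data the backup control prevents 30,000 dollars of annual loss for 12,000 dollars and is kept, while the gateway filter prevents 8,000 dollars of loss for 15,000 dollars and is declined; the second estimate also carries only 60% confidence, so the decision is marked provisional for re-estimation.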
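The gap analysis and "Performing the Audit" parts of the lecture outline describe one procedure: state each control objective as an observable outcome, identify the event logs that hold the evidence, run the checklist over those records with the same rigor as paper evidence, and report each finding with the evidence that supports it. The Python below is an added example of that procedure and is not from the instructor's manual or from any of the named standards; the control objectives, the key=value log format and the log lines are all constructed for illustration.

```python
"""Audit checklist evaluated against event-log evidence.

Added example, not from the instructor's manual.  The control objectives,
log format and log lines are constructed and are not taken from ISO 27000,
NIST 800-18, GASSP or COBIT.
"""
from collections import Counter

# Constructed event-log sample (key=value per line).  Record seq=7 is
# deliberately absent so the log-continuity check has something to find.
SAMPLE_LOG = """\
seq=1 ts=2024-03-01T08:00:01 event=login user=alice role=admin mfa=yes result=ok
seq=2 ts=2024-03-01T08:02:14 event=login user=bob role=user mfa=no result=ok
seq=3 ts=2024-03-01T08:05:09 event=login user=root role=admin mfa=no result=ok
seq=4 ts=2024-03-01T08:06:00 event=login user=carol role=user mfa=no result=fail
seq=5 ts=2024-03-01T08:06:02 event=login user=carol role=user mfa=no result=fail
seq=6 ts=2024-03-01T08:06:04 event=login user=carol role=user mfa=no result=fail
seq=8 ts=2024-03-01T08:10:00 event=backup target=fileserver result=ok
"""


def parse_log(text: str) -> list:
    """Turn each non-empty line into a dict of its key=value fields."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = dict(tok.split("=", 1) for tok in line.split())
        fields["seq"] = int(fields["seq"])
        records.append(fields)
    return records


# Each check returns (conforms, evidence).  The evidence string is what the
# finding cites, so every conclusion is traceable to the records examined.
def co_admin_mfa(records):
    """Every successful privileged login must carry mfa=yes (missing counts as no)."""
    offenders = sorted({r["user"] for r in records
                        if r.get("event") == "login" and r.get("role") == "admin"
                        and r.get("result") == "ok" and r.get("mfa") != "yes"})
    return (not offenders, f"admin logins without MFA: {offenders or 'none'}")


def co_failed_login_alert(records, threshold: int = 3):
    """A burst of failed logins for one account must have a matching alert record."""
    fails = Counter(r["user"] for r in records
                    if r.get("event") == "login" and r.get("result") == "fail")
    alerted = {r.get("user") for r in records if r.get("event") == "alert"}
    unalerted = sorted(u for u, n in fails.items() if n >= threshold and u not in alerted)
    return (not unalerted, f"failed-login bursts with no alert record: {unalerted or 'none'}")


def co_log_continuity(records):
    """Sequence numbers must be unbroken; a gap means records are missing or removed."""
    seqs = sorted(r["seq"] for r in records)
    missing = sorted(set(range(seqs[0], seqs[-1] + 1)) - set(seqs)) if seqs else []
    return (not missing, f"missing sequence numbers: {missing or 'none'}")


def co_backup_recorded(records):
    """At least one successful backup must be evidenced in the period."""
    ok = any(r.get("event") == "backup" and r.get("result") == "ok" for r in records)
    return (ok, "successful backup recorded" if ok else "no successful backup recorded")


# Constructed checklist: (id, control objective, observable check, severity if unmet).
CHECKLIST = [
    ("CO-1", "Privileged logins require multi-factor authentication", co_admin_mfa, "major"),
    ("CO-2", "Repeated failed logins raise an alert", co_failed_login_alert, "major"),
    ("CO-3", "The event log is continuous (no missing records)", co_log_continuity, "minor"),
    ("CO-4", "A successful backup is recorded in the period", co_backup_recorded, "minor"),
]


def run_checklist(records, checklist=CHECKLIST) -> list:
    """Evaluate every control objective; each finding carries its evidence."""
    findings = []
    for cid, statement, check, severity in checklist:
        conforms, evidence = check(records)
        findings.append({"id": cid, "objective": statement,
                         "status": "conformance" if conforms else f"{severity} nonconformance",
                         "evidence": evidence})
    return findings


def gaps(findings) -> list:
    """Gap analysis: the control objectives whose observable outcome is not met."""
    return [f["id"] for f in findings if f["status"] != "conformance"]


if __name__ == "__main__":
    results = run_checklist(parse_log(SAMPLE_LOG))
    for f in results:
        print(f"{f['id']}  {f['status']:<22} {f['objective']}\n       evidence: {f['evidence']}")
    print("gaps:", gaps(results))
```

Run against the constructed log, CO-1 and CO-2 come back as major nonconformances (a privileged login without MFA; a failed-login burst with no alert record), CO-3 as a minor nonconformance (record 7 is missing), and CO-4 as conformance, so the gap list is CO-1, CO-2 and CO-3. Each status is paired with the evidence string that produced it, which is what lets a second auditor re-derive the finding from the same records.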