CONTENTS
Introduction
/ Goal: Adopt an Attacker’s View
The Current State
/ Practical Challenges
/ Regulatory Requirements
Data Threat Modeling
/ Identify Subcomponents, Dependencies and Interaction Points
/ Discover, Inventory and Evaluate Threats
/ Mitigate the Risk Brought About by Threats
Extending to Data Life Cycle Management
/ Scope Definition
/ Mapping
/ Extension of Analysis
/ Adaptation for the Supply Chain
/ Implementation Guidance
Continuous Assurance
Specific Goals
/ Putting Into Practice: Questions to Evaluate
Conclusion
Acknowledgments
ABSTRACT

Data are an extremely important commodity for enterprises. They are a factor in enterprise competitiveness, in regulatory considerations, and they are reflected in capability planning, for example, maturity and resiliency. In addition, data are a key consideration in how enterprises monitor and manage their risk over time. Some changes that happen over time—for example, changes in context, environmental factors or the threat landscape—impact the level of risk to which data are subject. These changes should be monitored and evaluated to continuously assure that the risk is kept within parameters that are acceptable to management.

The challenge is to move the process of accounting for data in a structured, systematic way higher on the list of an enterprise’s priorities. One option to accomplish this challenge is by applying application threat modeling principles to data (“data threat modeling”). Application threat modeling provides value by allowing application security specialists to systematically evaluate an application from an attacker’s viewpoint. By doing this, an analyst can methodically analyze an application to identify and map the threats that the application is likely to encounter in post-deployment conditions. This, in turn, allows application specialists to establish mechanisms to address those threats and to monitor conditions that can impact the application over time.

By looking at data in this way and following a formalized methodology, enterprises can establish a model—and baseline—for monitoring their ongoing data risk over time. By having a model and baseline, enterprises can understand the risk in context, allowing them to better track changes in data that impact risk. Likewise, this type of approach helps to develop increasing focus on problem areas with respect to data.
Introduction

If security, risk, governance or assurance practitioners are asked to name the most important consideration for their […] “the data.” Data are the lifeblood of modern enterprises. They are a factor in enterprise competitiveness—data […] pursuit of new markets; they are a factor in regulatory […] regulation; and they are reflected in capability planning, for example, maturity and resiliency. In fact, data are a factor in almost anything of significance that an enterprise seeks to accomplish.

Although it is a truism that data are critical, they are critical in a few very specific ways. First, they are critical as a key consideration in how professionals assess and evaluate the controls they deploy to keep their enterprises protected. From an end-user point of view, one needs only to look at the headlines to see the many negative consequences that can occur as a result of a data breach. Second, from an attacker’s point of view, data can be rapidly converted into profit, for example, by selling stolen data or gating access to the data via ransomware.

Therefore, data should be considered and analyzed as professionals select, plan and deploy controls, and should also be part of enterprise evaluation of the performance of those controls, relative to risk that impacts the data.

While those considerations are important, there are additional dimensions to how data play a role in the security posture and risk management profile of the enterprise as a whole. For example, data are a key consideration in how enterprises monitor and manage their risk over time. Changes in context, environmental factors or the threat landscape may impact the level of risk to which data are subject. These changes should be monitored and evaluated to continuously assure that the risk is kept within parameters that are acceptable to management. Examples of changes that should be monitored include:

• How the data are used—New business processes, better analytics and any change in how the data are understood and processed
• […] the operation/effectiveness/performance of existing controls and removal of controls
• […] to existing threats, etc.
• […] they do not change how data are used, change the significance or impact if a compromise or other undesired event occurs

Not only is it important to consider data as defense strategies are rolled out today—and put measures in place to address specific risk at this point—but it is also important to become proactive in how that risk is monitored, measured and evaluated over time. This is important because all factors previously discussed can impact an enterprise’s risk equation (potentially requiring it to implement new controls to keep risk within defined thresholds), cause the enterprise to question or re-evaluate business decisions, or impact how the enterprise does things in a myriad of different ways.

Goal: Adopt an Attacker’s View

Although it is fairly easy to understand why it is valuable to adopt an attacker’s view, enterprises want to know how to realize that vision. One way is to take an “attacker’s-eye view” of the data, that is, looking at the data the same way an attacker does: as a target to acquire that is accessible through a number of potential pathways. A formalized threat modeling exercise can accomplish this by using a methodology that is similar to the method used by application security specialists to systematically evaluate an application from an attacker’s point of view.

Application threat modeling is a discipline that has developed as an application security strategy that is in fairly broad use within enterprises that want to ensure that the applications they develop and field are robust, resilient and hardened against attack. Application threat modeling provides value by allowing application security specialists to systematically evaluate an application from an attacker’s viewpoint. By doing this, an analyst can methodically analyze an application to identify and map the threats that the application is likely to encounter in post-deployment conditions. This, in turn, allows application specialists to establish mechanisms to address those threats and to monitor conditions that can impact the application over time.

By looking at data in this way and following a formalized methodology, enterprises can establish a model—and baseline—for monitoring their ongoing data risk over time. By having a model and baseline, enterprises can understand the risk in context, allowing them to better track changes in data that impact risk. Likewise, this type of approach helps to develop increasing focus on problem areas with respect to data. One such problem area is data that intersect with the supply chain—for example, data that are held in trust by a service provider or that are shared with business partners or customers. Adopting an attacker’s point of view helps to highlight potential areas of concern in the supply chain and can help to focus resources on areas that need it most.

Enterprises can also use the information gained from this model to understand contextual factors that apply to data based on where they are stored, processed or transmitted. ISACA has partnered with SecurityScorecard to produce this guidance; the scoring model, described in the document “Scoring Methodology,”[1] outlines a way to systematically understand the security profile of an entity in the supply chain. Modeling threat scenarios as they apply to data allows analysis of that type to have more value and more contextual relevance, which, in turn, enables concrete understanding of the potential threats to which data could be subject when in another’s custody or under another’s stewardship.

This white paper discusses how to adapt threat modeling to data in transit and data at rest as a strategy to put forth a more holistic, comprehensive and continuous model for understanding data risk and for analyzing potential risk in the supply chain. It is not exactly a one-to-one mapping between the process for creating an application threat model and performing the same exercise with data, but—with a few tweaks—it is achievable and useful. After the model is in place, it can be directly incorporated into an ongoing continuous assurance program that ensures that data are optimally protected against changing threat conditions, changes in how data are used, changes in business process and any other future changes.
[1] SecurityScorecard, “Scoring Methodology,” August 2017, https://explore.securityscorecard.com/rs/797-BFK-857/images/Scoring%20Methodology.pdf

The Current State

Practical Challenges

[…] they consume and share data. The second transformation […] data processing methods and increased analytics capability are causing data stores to consolidate and data to become more concentrated. For example, data lakes and other large-scale big data and business intelligence techniques are increasing the amount of data stored in certain locations.

• Data ubiquity—Data are becoming more pervasive, more ubiquitous in their spread throughout the enterprise. Data may be present (whether transiently or otherwise) throughout the entirety of the on-premise technology substrate and increasingly at service providers and business partners.
• Data expansion—Data are becoming more plentiful. Increasing amounts of data are being generated from an increasingly diverse array of systems, processes, platforms and environments.
• Processing parallelization—Data are increasingly being processed in parallel as multiple systems subscribe to and process information in an increasingly complex web of application, system and process interdependency.

Note that these are not the only changes occurring; individual enterprises may be seeing other, related or unrelated, transformations, depending on business activities, industry, regulatory constraints or any other number of factors unique to them. The listed changes are highlighted because they impact the complexity of ensuring robust data protection and are also near-universal to most enterprises in their applicability.

Although this is a natural consequence of the fact that data are so omnipresent, this problem tends to compound over time in difficult-to-anticipate ways. For example, an enterprise invests in enhanced analytics capabilities to derive more and better insights from existing data. As it starts to realize value from its analytics capability, the enterprise might, for example, investigate data lake strategies or other methods of consolidating and collecting existing data. Although these methods of consolidating and collecting existing data can, in theory, offer an opportunity to better manage the data, as a practical exercise, they are often compounding factors to already existing challenges in managing data. Likewise, as enterprises become more externalized, that is, as they incorporate external services, such as cloud providers and other participants in the supply chain, the management challenges also compound as new participants (some of which might be outside the enterprise) are now included in the mix and need to be taken into account. This means that multiple, potentially overlapping responsible parties each play a role in the overall data protection picture, which serves to make the already-complicated picture more complex.
Regulatory Requirements

[…] geographically bounded, such as the GDPR, enterprises also must consider regulations based on the industry in which they operate or the type of activities they perform. For example, the Payment Card Industry Data Security Standard (PCI DSS) governs cardholder data that enterprises have or retain about customers, which is more applicable to a merchant or in a retail context. The US Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act apply to health information, and govern the data stored by a health insurance or healthcare provider.

As noted with the practical challenges of managing data, these regulatory requirements combine to form multiple, potentially overlapping requirements that affect specific types of data based on what they are, how they are used, the region to which they pertain, etc. Thus, the ability to understand the data is more important—and more difficult—than ever.
Data Threat Modeling

Threat modeling is a systematic process to decompose an application into its various parts so that each can be analyzed from an attacker’s point of view. As a quick summary, this is accomplished by enumerating the various supporting elements that comprise the application, systematically mapping the exchange of data between those elements and conducting a thorough analysis of any threats that they can encounter at each interaction point between those elements or components. In brief, the threat modeling process involves the following high-level steps:

1 Identify subcomponents, dependencies and interaction points.
2 Discover, inventory and evaluate threats.
3 Mitigate the risk brought about by threats.

There are multiple sources of information about the threat […]

Identify Subcomponents, Dependencies and Interaction Points

To evaluate the threats that an application will encounter in the field, one first needs to understand how the application operates. Typically, to threat model an application, one starts by decomposing the application into its component elements and mapping out how those components interact with each other. During this process, any supporting elements are included, such as external elements (e.g., supporting libraries), entry points, interaction points that might be accessible to an attacker, dependencies or any other element of the application to be modeled in further detail. During this process, one typically creates an artifact, such as a data flow diagram, that illustrates graphically how data are exchanged between elements. Figure 1 shows an example data flow diagram for a small, shopping-cart style application.
FIGURE 1: Data Flow Diagram for a Small, Shopping-Cart Style Application
[Figure: four components, CUSTOMER, WEB SHOP, PAYMENT PROCESSING and FULFILLMENT. The labelled flows are Order (Customer to Web Shop), Payment information (Web Shop to Payment Processing) and Order details (Web Shop to Fulfillment).]
The data flow diagram outlines the interaction points between the major components, including how and where data are transmitted between those entities. Additional information can be added to the data flow diagram, including, for example, supported business processes, storage of information at rest and any other information that is pertinent to analyze.

Discover, Inventory and Evaluate Threats

After the flow is mapped, the next step is to systematically analyze the map from an attacker’s point of view. To do this, each of the interaction points identified during phase one is examined, and potential avenues of attack or exposure are evaluated for each. Typically, a defined, known taxonomy of threats is used to ensure that the complete set of possible threats is analyzed; for example, the STRIDE or DREAD models are often used to accomplish this.

STRIDE is an acronym that stands for:[2]
• Spoofing identity
• Tampering with data
• Repudiation
• Information disclosure
• Denial of service
• Elevation of privilege

[…] technique that an attacker might employ to misuse that application.

DREAD is an acronym for:[3]
• Damage
• Reproducibility
• Exploitability
• Affected users
• Discoverability

Similar in nature to STRIDE, DREAD categorizes the vulnerability according to its characteristics rather than specific technique.

These models can be used either together on the same threat model or in parallel (one using STRIDE and one using DREAD) to provide a set of possible threat types or characteristics that an application may encounter. Typically, during an application threat modeling exercise, each item in the taxonomy is evaluated for its applicability, impact, feasibility, etc. STRIDE and DREAD are the most popular approaches used in systematic application threat modeling, but they are not the only approaches. Any taxonomy or categorization system can be employed as long as it is comprehensive and can be applied to the task.

Mitigate the Risk Brought About by Threats

After the specific threats are identified, the next step is to put in place mechanisms to address the specific areas that are identified during the modeling process. Specific measures can be built into the application logic itself, mitigated through some other means (e.g., an operating system or network control), accepted, or addressed through normative risk management activities. The strategy employed for the application threat modeling mitigation or resolution activity is the same as putting in place specific mitigation countermeasures during any other risk management exercise.

[2] Microsoft™, “The STRIDE Threat Model,” 12 November 2009, https://docs.microsoft.com/en-us/previous-versions/commerce-server/ee823878(v=cs.20)
[3] Openstack, “Security/OSSA-Metrics,” https://wiki.openstack.org/wiki/Security/OSSA-Metrics#DREAD
Extending to Data Life Cycle Management

Scope Definition

[…] enterprise’s data at once is seldom practicable; however, by restricting the scope of the analysis to a subset of the environment, the feasibility becomes much more realistic. This can be done in several ways, but the goal is to select a narrowly defined, bounded and manageable subset to which to apply this exercise. This can be a subset based on a geographic or logical location (for example, a data center or specific physical location); it can be a specific business process and the components and systems that support it; or it can be any other criteria that make sense for the enterprise environment.

Mapping

After a subset to which to apply the process is selected, the next step is to adapt the modeling process to allow the enterprise to discover where the data are stored, processed or transmitted within that scope. There are many ways to accomplish this, but a straightforward way is to use the data flow diagram (DFD) as per the application threat model.

Adaptations are required to do this. Unlike an application in which the DFD addresses specific components within the application scope, the focus is, instead, on anywhere the data are stored, processed or transmitted. Instead of looking at individual objects or subcomponents of an application, another, alternative unit is selected and used for examination, for example, physical or virtual hosts. Depending on the specific environment, this can also be application containers, components, processes, etc. It is important to select the most granular unit for systematic examination of threats and ensure that it is granular enough to allow rigorous and thorough examination, but not so granular that mapping is unmanageable.

Next, the mapping process is adapted to include other data beyond just those that are exchanged between the atomic units selected; for example, data that are stored and their locations. Where and how data are exchanged between entities are mapped; where data are stored is included in the mapping. An example of this adaptation, using the application DFD from figure 1 as an example, is illustrated in figure 2.[4]

[4] Note that this example is a simplified version for illustration purposes only. There are more contextual applications on the market to show data flows; see, for instance, https://www.ibm.com/support/knowledgecenter/en/SS6RBX_11.4.2/com.ibm.sa.process.doc/topics/c_DFDYourdonDeMarco.htm.
FIGURE 2: Adapted Mapping
[Figure: the figure 1 diagram redrawn with hosts as the unit of examination and stored data added. CUSTOMER sends Order to WEB SERVER (Stored: cached session data, order manifest). WEB SERVER sends Payment information to PAYMENT SERVER/S (Stored: PAN, name, expiry) and Order details to FULFILLMENT (REST API) (Stored: name, UID, shipping address, shipping date/status).]
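The three steps of the threat modeling process described above (identify interaction points, discover and evaluate threats against a taxonomy, feed the result into mitigation) and the adapted, data-centric mapping of figure 2 can be carried out on a small model in code. The following Python is an added example written for this page, not code from the ISACA white paper or from SecurityScorecard: it encodes the figure 2 units and flows, checks every flow and every store against STRIDE, scores each resulting threat with DREAD, supports the subset restriction described under Scope Definition, and answers the data-centric question of where a given element (PAN, for instance) is exposed. The STRIDE applicability rule, the sensitivity ratings, the DREAD values and the choice to treat the payment server as a third-party custodian are all constructed assumptions for the example, not anything the paper states.

```python
"""Data-centric threat model over the adapted mapping of figure 2 (added example,
not code from the ISACA white paper). Hosts/services are the unit of examination;
each unit records the data it STORES, each flow the data it CARRIES. Every
interaction point is checked against STRIDE and ranked with DREAD. The rules,
sensitivity ratings and scores are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege")
# Constructed sensitivity ratings (0-10); they drive the DREAD "Damage" term.
SENSITIVITY = {"PAN": 10, "expiry": 8, "name": 5, "UID": 4, "shipping address": 5,
               "shipping date/status": 2, "cached session data": 6,
               "order manifest": 3, "order": 3}

@dataclass
class Unit:
    name: str
    stores: Set[str] = field(default_factory=set)  # data at rest on this unit
    custodian: str = "internal"                    # "internal" or "third party"

@dataclass
class Flow:
    src: str
    dst: str
    carries: Set[str]                              # data in transit

@dataclass
class Threat:
    location: str          # "Web Server->Payment Server" or "store:Payment Server"
    category: str          # STRIDE item
    data: Set[str]
    dread: Dict[str, int]  # Damage, Reproducibility, Exploitability, Affected users, Discoverability
    mitigation: str = "open"

    @property
    def score(self) -> float:
        return sum(self.dread.values()) / len(self.dread)  # mean of the five DREAD terms

# Figure 2 encoded. Treating the payment server as a third-party custodian is an
# assumption made for this example; the figure itself does not say.
UNITS = {u.name: u for u in (
    Unit("Customer"),
    Unit("Web Server", {"cached session data", "order manifest"}),
    Unit("Payment Server", {"PAN", "name", "expiry"}, custodian="third party"),
    Unit("Fulfillment", {"name", "UID", "shipping address", "shipping date/status"}),
)}
FLOWS = [
    Flow("Customer", "Web Server", {"order"}),
    Flow("Web Server", "Payment Server", {"PAN", "name", "expiry"}),
    Flow("Web Server", "Fulfillment", {"name", "shipping address", "order manifest"}),
]

def applies(category: str, kind: str) -> bool:
    """Constructed rule: which STRIDE items a flow or a store is checked against."""
    if kind == "flow":
        return category != "Elevation of privilege"
    return category not in ("Spoofing", "Repudiation")

def dread_for(data: Set[str], kind: str, third_party: bool) -> Dict[str, int]:
    """Constructed DREAD scoring driven by the data involved and the custodian."""
    return {"Damage": max(SENSITIVITY.get(d, 1) for d in data),
            "Reproducibility": 8 if kind == "flow" else 6,
            "Exploitability": 7 if third_party else 4,
            "Affected users": 9 if data & {"PAN", "name", "shipping address"} else 3,
            "Discoverability": 6}

def enumerate_threats(units: Dict[str, Unit], flows: List[Flow],
                      scope: Optional[Set[str]] = None) -> List[Threat]:
    """Step 2: one Threat per applicable STRIDE item per interaction point, highest
    DREAD score first. `scope` limits the exercise to a subset of units."""
    in_scope = lambda name: scope is None or name in scope
    threats: List[Threat] = []
    for f in flows:
        if in_scope(f.src) and in_scope(f.dst):
            third = "third party" in (units[f.src].custodian, units[f.dst].custodian)
            for cat in STRIDE:
                if applies(cat, "flow"):
                    threats.append(Threat(f"{f.src}->{f.dst}", cat, set(f.carries),
                                          dread_for(f.carries, "flow", third)))
    for u in units.values():
        if u.stores and in_scope(u.name):
            for cat in STRIDE:
                if applies(cat, "store"):
                    threats.append(Threat(f"store:{u.name}", cat, set(u.stores),
                                          dread_for(u.stores, "store", u.custodian == "third party")))
    return sorted(threats, key=lambda t: t.score, reverse=True)

def exposure(threats: List[Threat], element: str) -> List[str]:
    """Data-centric query: every interaction point at which a data element is exposed."""
    return sorted({t.location for t in threats if element in t.data})

def open_above(threats: List[Threat], threshold: float) -> List[Threat]:
    """Step 3 input: unmitigated threats whose DREAD score exceeds a threshold."""
    return [t for t in threats if t.mitigation == "open" and t.score > threshold]

if __name__ == "__main__":
    model = enumerate_threats(UNITS, FLOWS)
    for t in model[:5]:
        print(f"{t.score:4.1f}  {t.category:<22} {t.location}")
    print("PAN exposed at:", exposure(model, "PAN"))
```

The ranking is only as meaningful as the constructed scoring behind it; what the example is meant to show is the structure of the exercise: the same taxonomy is applied to every interaction point so that nothing goes unexamined, the scope argument is what keeps the exercise bounded, and the result can be queried per data element rather than per application component, which is the point of the adapted mapping.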
Adaptation for the Supply Chain

[…] with a mechanism to assess the specific controls, posture and performance (from a security perspective) of the partner or service provider in question.

A few additional pieces of information are required to support this for analysis of the supply chain. Specifically, assessing the supply chain in this way requires:

• A working understanding of the suppliers, service providers, vendors or other third parties that have access to data
• A mechanism to identify, document and ultimately evaluate the security measures and controls employed by the vendors as they apply to the enterprise data
• If the enterprise intends to monitor the risk status of those parties over time, a mechanism to periodically re-evaluate and monitor, in an ongoing way, the items noted in the preceding bullet

Each of these items should be evaluated as part of the initial round of threat analysis. This evaluation can be combined with a commercial evaluation of supply chain risk. For example, SecurityScorecard, ISACA’s partner in this white paper, outlines an objective methodology[5] for evaluating vendors and/or suppliers. By understanding how data traverse these other parties, an enterprise can build a much more complete picture and supplement the value derived from these services.

Implementation Guidance

[…] Also, the specific way the enterprise adapts the technique should be decided ahead of time. For example, if an enterprise decides to adapt something like STRIDE or DREAD, it should formalize the adaptation so that it is following the same (or a similar) process across areas. Given the time investment involved, the enterprise will likely want to do analysis piecemeal across the environment. As scope is selected based on priority, following a consistent process as each area is evaluated means that, over time, a complete picture will develop. If, however, the process deviates from scope to scope, the resulting picture of that analysis will be less easily integrated into a single, consistent whole that can be easily applied and utilized.

Last, as with any project, an enterprise should plan out optimal use of resources to ensure it is not pulling staff […] productively, has a mechanism in place to maximize the efficiency of the work done and applies rigor to areas that need it most. These items are best addressed from a process standpoint: where and how the enterprise integrates the technique into its planning, how it incorporates the results, and how it prioritizes the areas on which it focuses. Higher-impact or higher-risk areas should be targeted first.

[5] Op cit SecurityScorecard
Continuous Assurance

As can be seen from the preceding information, a threat model can be used to analyze data, but, although it can successfully analyze data for a defined subset of the environment, ideally, the goal is to move to a continuous assurance understanding of the threats. This technique can be a vital tool in helping to realize that goal, but it does not automatically happen after a few threat models are completed for data in an enterprise environment. Instead, additional planning is needed to make continuous assurance understanding of the threats a reality.

Continuous auditing, or continuous monitoring, is a term familiar to most audit and security practitioners. In this context, “continuous assurance” is being used along similar lines, but it is important to differentiate how the definition of the term “continuous auditing” differs from other related terms.

Perhaps the best way to explain is to start by differentiating a continuous view from a point-in-time view. A point-in-time view is exactly as it sounds: It is a one-time assessment or validation that gives a snapshot of what is being evaluated at the exact moment that it is evaluated. If something should happen subsequently, the conditions will have changed and the point-in-time measurement is no longer valid.

In a continuous view, the measurement is updated, either in an ongoing way or at an interval that is frequent enough to have negligible impact. It is a continuous evaluation of the data, rather than one that changes (or has the potential to change) after measuring stops.

When applied to an audit context, continuous audit is an ongoing verification and validation of something as it occurs. For example, if an enterprise wants to extend continuous auditing to financial reporting, it might employ a method to check and validate transactions as they occur. For its general ledger, billing system or other financial reporting system, the enterprise has integrity checks as each transaction is entered that validate that the transactions are within defined policy boundaries, are approved, operate within business rules, etc.

The same is true of continuous monitoring in a security context. Continuous monitoring refers to mechanisms that allow the enterprise to have real-time (or nearly so) information about the status of particular security controls and the security status of entities in its environment. Instead of evaluating the patch status of a host at a given point in time, the enterprise monitors the patch status so that, if that host drifts out of compliance with expected norms, the enterprise is alerted and can take (automated or manual) action to address the drift.

With continuous assurance, an enterprise can be notified as changes happen that impact its understanding of the threats (and, consequently, risk) to which its data are subjected.
Specific Goals

Threat modeling data can support an enterprise’s goal of continuous assurance understanding of the threats. Threat modeling can also help an enterprise establish—and track—key risk indicators (KRIs)[6] related to its data.

To support a continuous view of anything, two things are needed:
• Something to measure
• A way to perform that measurement frequently or in an ongoing way

Modeling the threats to which data may be subject helps to establish the KRIs that are important to the enterprise. The specifics of those KRIs vary from enterprise to enterprise. A retailer in Europe, for example, may be interested in measuring different potential risks than a Japanese bank; however, having a way to model the threats is the first step to determining specifically what to measure. To help the enterprise establish this continuous view, mapping out the threats can identify the threats that are of greatest risk impact and likelihood. Then, the […]

The specific areas to include in the measurements also need to be determined. Depending on the measurements the enterprise wants to include in its continuous assurance view, it may need to develop specific approaches to include them. For example, regarding entities in a supply chain, an enterprise may have data that are shared with business partners, suppliers or other third parties. Depending on the specific context and circumstances, the enterprise may want to ensure that it is obtaining KRIs or other information about the data while they are held by those partners. A completely […] employed compared to how that same data may be collected internally. For example, internally, an enterprise may use a data loss prevention tool to mitigate against exfiltration, but that option may not be available at a business partner. Instead, the enterprise may employ a contractual strategy to provide analogous information. Likewise, depending on the operational scope of the KRIs being established, an enterprise may need to have different personnel involved, monitor different tools or adapt the method by which it is gathering data.

Putting Into Practice: Questions to Evaluate

[…] information to the right people so they can take action?
• What valuable information can be repurposed from other sources? What is being collected and measured now that could contribute to a more continuous view of the threat environment or risk profile?
• How can the enterprise future-proof itself to ensure that it is building on past efforts in the measurements collected instead of re-creating those efforts?
• Who is responsible for maintaining and monitoring the view that is put together? Who is accountable to make sure it gets done and for taking the right actions as needed to ensure it stays relevant?
• What is the amount the enterprise is prepared to invest in […]

[6] Key risk indicators (KRIs) are a subset of risk indicators that are highly relevant and possess a high probability of predicting or indicating important risk.
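As an added example (not the white paper’s or SecurityScorecard’s code) of the two things the text says a continuous view needs, something to measure and a way to measure it repeatedly, the following Python turns the figure 2 mapping into a baseline and defines four KRIs against it: a data element found on a unit the model does not place it on, a control that a mitigation relies on and that is no longer enabled, a third-party custodian scoring below an agreed floor (the periodic re-evaluation called for under Adaptation for the Supply Chain), and patch-status drift on units that hold data. The baseline contents, the control names, the scores and both observations are constructed for the example; the third-party score field is a placeholder for whatever vendor rating the enterprise actually uses.

```python
"""Continuous assurance over a data threat model: KRIs measured repeatedly.

Added example, not code from the ISACA white paper. The baseline is what the
data threat model established (which units are modelled to hold which data,
which controls the mitigations rely on, which third parties hold data). Each
observation is a snapshot of what monitoring reports now; the KRIs compare it
with the baseline and raise alerts on drift. All data are constructed, and the
third-party score is a placeholder for whatever vendor rating the enterprise
uses (it is not SecurityScorecard's methodology)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass
class Baseline:
    allowed_locations: Dict[str, Set[str]]  # data element -> units modelled to hold it
    relied_on_controls: Dict[str, str]      # control id -> threat it mitigates
    third_parties: Set[str]                 # custodians outside the enterprise
    min_third_party_score: int

@dataclass
class Observation:
    taken_at: str
    found_locations: Dict[str, Set[str]]    # data element -> units where monitoring found it
    control_state: Dict[str, str]           # control id -> "enabled" / "disabled"
    third_party_scores: Dict[str, Optional[int]]
    hosts_out_of_patch_policy: Set[str]

@dataclass
class Alert:
    kri: str
    detail: str
    severity: str

def measure(baseline: Baseline, obs: Observation) -> List[Alert]:
    """One measurement of the four KRIs against a single observation."""
    alerts: List[Alert] = []
    # KRI 1: data found somewhere the model does not place it (sprawl, or a stale model)
    for element, allowed in baseline.allowed_locations.items():
        for unit in sorted(obs.found_locations.get(element, set()) - allowed):
            alerts.append(Alert("data-outside-model", f"{element} found on {unit}", "high"))
    # KRI 2: a control a mitigation relies on is no longer enabled, so the threat is open again
    for control, threat in baseline.relied_on_controls.items():
        if obs.control_state.get(control) != "enabled":
            alerts.append(Alert("control-drift", f"{control} not enabled; {threat} unmitigated", "high"))
    # KRI 3: a third-party custodian scores below the agreed floor, or reports no score at all
    for party in sorted(baseline.third_parties):
        score = obs.third_party_scores.get(party)
        if score is None or score < baseline.min_third_party_score:
            alerts.append(Alert("third-party-posture", f"{party}: score {score}", "medium"))
    # KRI 4: patch-status drift, counted only on units that hold modelled data
    data_units = set().union(*baseline.allowed_locations.values())
    for host in sorted(obs.hosts_out_of_patch_policy & data_units):
        alerts.append(Alert("patch-drift", f"{host} out of patch policy", "medium"))
    return alerts

def kri_summary(alerts: List[Alert]) -> Dict[str, int]:
    """Alert counts per KRI, i.e. the values a dashboard would plot over time."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.kri] = counts.get(a.kri, 0) + 1
    return counts

def trend(baseline: Baseline, observations: List[Observation]) -> List[Dict[str, int]]:
    """The continuous view: the same measurement applied to every observation in turn."""
    return [kri_summary(measure(baseline, o)) for o in observations]

# Baseline taken from the figure 2 mapping; the control ids are constructed names.
BASELINE = Baseline(
    allowed_locations={"PAN": {"Payment Server"}, "shipping address": {"Fulfillment"},
                       "cached session data": {"Web Server"}},
    relied_on_controls={"tls-web-to-payment": "Information disclosure on Web Server->Payment Server",
                        "dlp-web-server": "Information disclosure from store:Web Server"},
    third_parties={"Payment Server"},
    min_third_party_score=80,
)
# Two constructed observations: a clean one, then one where several things have drifted.
OBSERVATIONS = [
    Observation("day 1", {"PAN": {"Payment Server"}, "shipping address": {"Fulfillment"},
                          "cached session data": {"Web Server"}},
                {"tls-web-to-payment": "enabled", "dlp-web-server": "enabled"},
                {"Payment Server": 91}, set()),
    Observation("day 2", {"PAN": {"Payment Server", "Web Server"}, "shipping address": {"Fulfillment"},
                          "cached session data": {"Web Server"}},
                {"tls-web-to-payment": "disabled", "dlp-web-server": "enabled"},
                {"Payment Server": 72}, {"Fulfillment", "Build Server"}),
]

if __name__ == "__main__":
    for obs in OBSERVATIONS:
        for a in measure(BASELINE, obs):
            print(f"{obs.taken_at}: [{a.severity}] {a.kri}: {a.detail}")
    print(trend(BASELINE, OBSERVATIONS))
```

The design point is that every KRI is defined in terms of the threat model’s own vocabulary (units, data elements, relied-on controls, custodians), so an alert says which part of the model is now stale or which mitigation is no longer in effect, rather than just that a host is unpatched. Running `measure` on each new observation, whether on a schedule or on every change event, is what turns the point-in-time model into the continuous view the section describes.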
Conclusion

One of the goals of continuous assurance of data threats is to make the job of the individuals making risk decisions for the enterprise easier. The temptation to be overly aggressive in implementation at the outset can, over the long term, undermine efforts. It may be better to start small with a narrowly defined scope and build from there. This allows practitioners to get a feel for the approach and decide if it is right for them. For enterprises that struggle with data protection that feels out of control, an approach like this one can help bring clarity to the chaos:

• Because it is systematic, practitioners can know that there are no hidden problems that have gone unexamined.
• Because this model allows a continuous and more real-time view, practitioners can have confidence that their risk profile accounts for changing conditions and evolutions of what they do—and evolutions in what attackers do.
• Because continuous assurance data threat modeling is customizable, it is flexible enough to work in almost any environment that stores, processes or transmits data.

Continuous assurance leverages a model with which many professionals may already be somewhat familiar; therefore, the skills developed while putting it into practice are directly translatable to other areas, particularly application security.
Acknowledgments

ISACA would like to recognize:

Ed Moyle
Prelude Institute
Boston, MA, USA

Expert Reviewers

Ian Cooke
CISA, CRISC, CGEIT, COBIT Assessor and Implementer, CFE, CPTE, DipFM, ITIL Foundation, Six Sigma Green Belt
An Post
Dublin, Ireland

Leonard Ong
CISA, CRISC, CISM, CGEIT, COBIT 5 Implementer and Assessor, CFE, CIPM, CIPT, CISSP, CITBCM, CPP, CSSLP, GCFA, GCIA, GCIH, GSNA, ISSMP-ISSAP, PMP
Merck & Co., Inc., Singapore

Joshua McDermott
CISA, CEH, CISSP, PMP
Jacksonville, FL, USA

Jai Sisodia
CISA, ITIL V3
Sr. IT Consultant - Global
Baxter International Inc., India

Theresa Grafenstine
ISACA Board Chair, 2017-2018
CISA, CRISC, CGEIT, CGAP, CGMA, CIA, CISSP, CPA
Deloitte & Touche LLP, USA

Tracey Dedrick
Former Chief Risk Officer with Hudson City Bancorp, USA

Marios Damianides
Governance Committee Chair
CISA, CISM
Ernst & Young, USA

Matt Loeb
CGEIT, CAE, FASAE
Chief Executive Officer, ISACA, USA

R.V. Raghu
CISA, CRISC
Versatilist Consulting India Pvt. Ltd., India

Gabriela Reynaga
CISA, CGEIT, CRISC
Holistics GRC, Mexico

Gregory Touhill
CISM, CISSP
Cyxtera Federal Group, USA

Ted Wolff
CISA
Vanguard, Inc., USA

Tichaona Zororo
CISA, CRISC, CISM, CGEIT, COBIT 5 Certified Assessor, CIA, CRMA
EGIT | Enterprise Governance of IT (Pty) Ltd, South Africa

Also listed, with the names not recovered from the extraction: ISACA Board Chair, 2014-2015; Oracle Corporation, USA; CRISC, CGEIT, XebiaLabs, Inc., USA.
About ISACA

Nearing its 50th year, ISACA® (isaca.org) is a global association helping individuals and enterprises achieve the positive potential of technology. Technology powers today’s world and ISACA equips professionals with the knowledge, credentials, education and community to advance their careers and transform their organizations. ISACA leverages the expertise of its half-million engaged professionals in information and cyber security, governance, assurance, risk and innovation, as well as its enterprise performance subsidiary, CMMI® Institute, to help advance innovation through technology. ISACA has a presence in more than 188 countries, including more than 217 chapters and offices in both the United States and China.

1700 E. Golf Road, Suite 400
Schaumburg, IL 60173, USA
Phone: +1.847.660.5505
Fax: +1.847.253.1755
Support: support.isaca.org
Website: www.isaca.org
Follow ISACA on Twitter: www.twitter.com/ISACANews
Join ISACA on LinkedIn: www.linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ

DISCLAIMER

ISACA has designed and created Continuous Assurance Using Data Threat Modeling (the “Work”) primarily as an educational resource for professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

RESERVATION OF RIGHTS

© 2018 ISACA. All rights reserved.