Security Risk Management Jamie Sharp CISSP Security Advisor Microsoft Australia.

Date post: 22-Dec-2015

Security Risk Management

Jamie Sharp, CISSP
Security Advisor
Microsoft Australia

Session Overview

• Security Risk Management Concepts

• Security Risk Management Prerequisites

• Assessing Risk

• Conducting Decision Support

• Implementing Controls and Measuring Program Effectiveness

Agenda

• Security Risk Management Concepts

• Security Risk Management Prerequisites

• Assessing Risk

• Conducting Decision Support

• Implementing Controls and Measuring Program Effectiveness

Why Develop a Security Risk Management Process?

• Security risk management
– A process for identifying, prioritizing and managing risk to an acceptable level within the organization

• A formal security risk management process can address the following:
– Threat response time
– Regulatory compliance
– Infrastructure management costs
– Risk prioritization and management

Critical Success Factors

• Executive sponsorship

• Well defined list of stakeholders

• Organizational maturity

• Open communication and teamwork

• Holistic view of the organization

• Security risk management team authority

Risk Management Strategies

• Reactive – A process that responds to security events as they occur

• Proactive – A process that reduces the risk of new vulnerabilities in your organization

Risk Assessment Methodologies

Quantitative

Benefits:
• Risks prioritized by financial impact; assets prioritized by their financial values
• Results facilitate management of risk by return on security investment
• Results can be expressed in management-specific terminology

Drawbacks:
• Impact values assigned to risks are based upon subjective opinions of the participants
• Very time-consuming
• Can be extremely costly

Qualitative

Benefits:
• Enables visibility and understanding of risk ranking
• Easier to reach consensus
• Not necessary to quantify threat frequency
• Not necessary to determine financial values of assets

Drawbacks:
• Insufficient granularity between important risks
• Difficult to justify investing in controls as there is no basis for a cost-benefit analysis
• Results dependent upon the quality of the risk management team that is created

Microsoft Security Risk Management Process

[Figure: the four-phase cycle]
1. Assessing Risk
2. Conducting Decision Support
3. Implementing Controls
4. Measuring Program Effectiveness

Agenda

• Security Risk Management Concepts

• Security Risk Management Prerequisites

• Assessing Risk

• Conducting Decision Support

• Implementing Controls and Measuring Program Effectiveness

Risk Management vs. Risk Assessment

Goal
– Risk Management: Manage risks across business to acceptable level
– Risk Assessment: Identify and prioritize risks

Cycle
– Risk Management: Overall program across all four phases
– Risk Assessment: Single phase of risk management program

Schedule
– Risk Management: Scheduled activity
– Risk Assessment: Continuous activity

Alignment
– Risk Management: Aligned with budgeting cycles
– Risk Assessment: Not applicable

Communicating Risk

Well-Formed Risk Statement (Exposure)

[Figure: the elements of a well-formed risk statement]
• Asset – What are you trying to protect?
• Threat – What are you afraid of happening?
• Vulnerability – How could the threat occur?
• Mitigation – What is currently reducing the risk?
• Impact – What is the impact to the business?
• Probability – How likely is the threat given the controls?

Starting Points

• NIST http://www.nist.gov – Security Self-Assessment Guide for Information Technology Systems (SP 800-26)

• IT Governance Institute http://www.isaca.org – Control Objectives for Information and Related Technology (CobiT)

• ISO http://www.iso.org – ISO 17799 – ISO Code of Practice for Information Security Management

• SAI Global http://www.standards.com.au – AS/NZS 4360:2004 – Risk Management; AS/NZS 7799.2:2003 – Information Security Management

• Microsoft Security Risk Management Guide – http://www.microsoft.com/technet/security/guidance/secrisk

Risk Management Maturity Self-Assessment

Level State

0 Non-existent

1 Ad hoc

2 Repeatable

3 Defined process

4 Managed

5 Optimized

Roles and Responsibilities

[Figure: the three groups and their responsibilities]

Groups:
• Executive Sponsor – "What's important?"
• Information Security Group – "Prioritize risks"
• IT Group – "Best control solution"

Responsibilities:
• Determine acceptable risk
• Assess risks
• Define security requirements
• Measure security solutions
• Design and build security solutions
• Operate and support security solutions

Agenda

• Security Risk Management Concepts

• Security Risk Management Prerequisites

• Assessing Risk

• Conducting Decision Support

• Implementing Controls and Measuring Program Effectiveness

Overview of the Assessing Risk Phase

[Figure: the four-phase cycle, with phase 1, Assessing Risk, highlighted]

• Plan risk data gathering

• Gather risk data

• Prioritize risks

Understanding the Planning Step

• The primary tasks in the planning step include the following:
– Alignment
– Scoping
– Stakeholder acceptance
– Setting expectations

Facilitated Data Gathering

• Elements collected during facilitated data gathering include:
– Organizational assets
– Asset description
– Security threats
– Vulnerabilities
– Current control environment
– Proposed controls

• Keys to successful data gathering include:
– Meet collaboratively with stakeholders
– Build support
– Understand the difference between discussing and interrogating
– Build goodwill
– Be prepared

Identifying and Classifying Assets

• An asset is anything of value to the organization and can be classified as one of the following:
– High business impact
– Moderate business impact
– Low business impact

Organizing Risk Information

• Use the following questions as an agenda during the facilitated discussions:

– What asset are you protecting?

– How valuable is the asset to the organization?

– What are you trying to avoid happening to the asset?

– How might loss or exposures occur?

– What is the extent of potential exposure to the asset?

– What are you doing today to reduce the probability or the extent of damage to the asset?

– What are some actions that you can take to reduce the probability in the future?

Estimating Asset Exposure

• Exposure: The extent of potential damage to an asset

• Use the following guidelines to estimate asset exposure:
– High exposure: severe or complete loss of the asset
– Medium exposure: limited or moderate loss
– Low exposure: minor or no loss

Estimating Threat Probability

• Use the following guidelines to estimate probability for each threat and vulnerability identified:
– High threat: Likely—one or more impacts expected within one year
– Medium threat: Probable—impact expected within two to three years
– Low threat: Not probable—impact not expected to occur within three years

Scenario 1: Facilitating a Risk Discussion at Woodgrove Bank

• Woodgrove Bank is a consumer financial institution in the process of conducting a Security Risk Management project
– Task One: Determining Organizational Assets and Scenarios
• Interest Calculation Systems
• Customer Personally Identifiable Information (PII)
• Reputation
• Consumer financial data—High Business Impact (HBI)

Scenario 1: Facilitating a Risk Discussion at Woodgrove Bank

– Task Two: Identifying Threats
• Threat of a loss of integrity to consumer financial data

Scenario 1: Facilitating a Risk Discussion at Woodgrove Bank

– Task Three: Identifying Vulnerabilities

• Theft of financial advisor credentials by trusted employee abuse using non-technical attacks, for example, social engineering or eavesdropping

• Theft of financial advisor credentials off local area network (LAN) hosts through the use of outdated security configurations

• Theft of financial advisor credentials off remote, or mobile, hosts as a result of outdated security configurations

Scenario 1: Facilitating a Risk Discussion at Woodgrove Bank

– Task Four: Estimating Asset Exposure

• Breach of integrity through trusted employee abuse:
– Damaging, but not severe. Each financial advisor can only access customer data that he/she manages.

• Breach of integrity through credential theft on LAN hosts:
– May result in a severe, or high, level of damage.

• Breach of integrity through credential theft on mobile hosts:
– Could have a severe, or high, level of damage. The discussion group notes that the security configurations on remote hosts often lag behind LAN systems.

Scenario 1: Facilitating a Risk Discussion at Woodgrove Bank

– Task Five: Identifying Existing Controls and Probability of Exploit
• Agreement that their remote hosts, or mobile hosts, do not receive the same level of management as those on the LAN.

Scenario 1: Facilitating a Risk Discussion at Woodgrove Bank

– Task Six: Summarizing the Risk Discussion

• Risk Assessment Facilitator summarizes the discussion and highlights the assets, threats, and vulnerabilities discussed.

Scenario 1: Facilitating a Risk Discussion at Woodgrove Bank (summary)

– Task One: Determining Organizational Assets and Threats
– Task Two: Identifying Threats
– Task Three: Identifying Vulnerabilities
– Task Four: Identifying Asset Exposure
– Task Five: Identifying Existing Controls and Probability of Exploit
– Task Six: Summarizing the Risk Discussion

Defining Impact Statements

• Impact data includes the following information:
– Asset Name
– Asset Class
– DID Level (Defense-in-Depth layer)
– Threat Description
– Vulnerability Description
– ER (Exposure Rating: H, M, L)
– IR (Impact Rating: H, M, L)

Scenario 2: Defining an Impact Statement For Woodgrove Bank

Row 1
– Asset Name: Consumer financial investment data
– Asset Class: HBI
– DID Level: Host
– Threat Description: Unauthorized access to consumer data through theft of Financial Advisor credentials
– Vulnerability Description: Theft of credentials of managed LAN client via outdated security configurations
– ER: H
– IR: H

Row 2
– Asset Name: Consumer financial investment data
– Asset Class: HBI
– DID Level: Host
– Threat Description: Unauthorized access to consumer data through theft of Financial Advisor credentials
– Vulnerability Description: Theft of credentials off managed remote client via outdated security configurations
– ER: H
– IR: H

Row 3
– Asset Name: Consumer financial investment data
– Asset Class: HBI
– DID Level: Data
– Threat Description: Unauthorized access to consumer data through theft of Financial Advisor credentials
– Vulnerability Description: Theft of credentials by trusted employee abuse, via non-technical attacks
– ER: L
– IR: M

Understanding Risk Prioritization

[Figure: the risk prioritization flow]
• Start risk prioritization
• Summary-level risk prioritization: conduct summary-level risk prioritization
• Detailed-level risk prioritization: conduct detailed-level risk prioritization
• Review with stakeholders
• End of risk prioritization

Conducting Summary-Level Risk Prioritization

• The summary-level prioritization includes the following:
1. Determine impact level
2. Estimate summary-level probability
3. Complete the summary-level risk list
4. Review with stakeholders

Probability ratings used at the summary level:
– High: Likely—one or more impacts expected within one year
– Medium: Probable—impact expected within two to three years
– Low: Not probable—impact not expected to occur within three years

Scenario Three: Summary-Level Risk Prioritization at Woodgrove Bank

• Task One: Determine Impact Level
– Trusted Employee Theft Impact: HBI asset class × Low Exposure = Moderate Impact
– LAN Host Compromise Impact: HBI asset class × High Exposure = High Impact
– Remote Host Compromise Impact: HBI asset class × High Exposure = High Impact

Scenario Three: Summary-Level Risk Prioritization at Woodgrove Bank

• Task Two: Estimate Summary-Level Probability
– Trusted Employee Theft Probability: Low
– LAN Host Compromise Probability: Medium
– Remote Host Compromise Probability: High

Scenario Three: Summary-Level Risk Prioritization at Woodgrove Bank

• Task Three: Complete the Summary-Level Risk List
– Trusted Employee Theft Risk: Moderate Impact × Low Probability = Low
– LAN Host Compromise Risk: High Impact × Medium Probability = High
– Remote Host Compromise Risk: High Impact × High Probability = High
– Enter results in the Impact Statement spreadsheet

Scenario Three: Summary-Level Risk Prioritization at Woodgrove Bank

• Task Four: Review With Stakeholders
– Trusted Employee abuse risk is rated as Low in the summary-level risk list and does not need to graduate to the detailed-level risk prioritization step
– LAN and remote host compromise risks are both rated as High and so are then prioritized at the detailed level

Scenario Three: Summary-Level Risk Prioritization at Woodgrove Bank (summary)

• Task One: Determine Impact Level
• Task Two: Estimate Summary-Level Probability
• Task Three: Complete the Summary-Level Risk List
• Task Four: Review With Stakeholders

Conducting Detailed-Level Risk Prioritization

• The following four tasks outline the process for building a detailed-level list of risks:
1. Determine impact and exposure
2. Identify current controls
3. Determine probability of impact
4. Determine detailed risk level

• Use the Detailed-Level Risk Prioritization template (SRJA3-Detailed Level Risk Prioritization.xls)

Scenario Four: Detailed-Level Risk Prioritization at Woodgrove Bank

• Task One: Determine Impact and Exposure
– LAN Host Compromise Exposure Rating: 4 (80%)
• HBI = 10
• Impact Rating: 10 × 80% = 8
– Remote Host Compromise Exposure Rating: 4 (80%)
• HBI = 10
• Impact Rating: 10 × 80% = 8
– Impact Range = Between 7-10, which compares to High

Scenario Four: Detailed-Level Risk Prioritization at Woodgrove Bank

• Task Two: Identify Current Controls
– Financial Advisors can only access accounts they own; thus, the exposure is less than 100 percent.
– E-mail notices to patch or update hosts are proactively sent to all users.
– Antivirus and patch updates are measured and enforced on the LAN every few hours. This control reduces the time window when LAN hosts are vulnerable to attack.

Scenario Four: Detailed-Level Risk Prioritization at Woodgrove Bank

• Task Three: Determine Probability of Impact
– LAN and remote hosts: Likely that all vulnerability attributes in the High category will be seen inside and outside Woodgrove's LAN environment in the near future. Vulnerability value = 5 for both risks
– Control Effectiveness:
• LAN: Result of Control Effectiveness Questions = 1
• Remote: Result of Control Effectiveness Questions = 5
– Total Probability Rating (sum of Vulnerability and Control Effectiveness):
• LAN = 6
• Remote = 10

Scenario Four: Detailed-Level Risk Prioritization at Woodgrove Bank

• Task Four: Determine Detail Risk Level
– Impact Rating × Probability Rating
• LAN: 8 × 6 = 48
• Remote Hosts: 8 × 10 = 80
• Both rate an overall risk of High

Scenario Four: Detailed-Level Risk Prioritization at Woodgrove Bank

• Task One: Determine Impact and Exposure
• Task Two: Identify Current Controls
• Task Three: Determine Probability of Impact
• Task Four: Determine Detail Risk Level
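The detailed-level arithmetic of Scenario Four, as an added worked example (not the presenter's code or the Microsoft "SRJA3" template). The exposure-factor scale, HBI = 10, the 7-10 High band and the impact × (vulnerability + control effectiveness) rule are from the slides; the MBI = 5 and LBI = 2.5 values are assumptions taken from the HBI/2, HBI/4 template rule on the SLE slide. It also shows the residual risk if remote hosts were managed as well as LAN hosts.

```python
"""Detailed-level risk prioritization as worked through for Woodgrove Bank."""
from dataclasses import dataclass, replace

# Exposure rating -> exposure factor in percent (from the SLE slide's scale).
EXPOSURE_FACTOR_PERCENT = {5: 100, 4: 80, 3: 60, 2: 40, 1: 20}
# Asset class value on the 10-point scale. HBI = 10 is from the slides;
# MBI and LBI are assumed from the "HBI/2" and "HBI/4" template rule.
ASSET_CLASS_VALUE = {"HBI": 10, "MBI": 5, "LBI": 2.5}


@dataclass(frozen=True)
class DetailedRisk:
    name: str
    asset_class: str             # "HBI", "MBI" or "LBI"
    exposure_rating: int         # 1..5
    vulnerability: int           # vulnerability-attribute score (5 = High category)
    control_effectiveness: int   # result of the control-effectiveness questions

    def impact_rating(self):
        """Task One: asset class value x exposure factor, e.g. 10 x 80% = 8."""
        if self.exposure_rating not in EXPOSURE_FACTOR_PERCENT:
            raise ValueError(f"exposure rating must be 1..5, got {self.exposure_rating}")
        factor = EXPOSURE_FACTOR_PERCENT[self.exposure_rating]
        return ASSET_CLASS_VALUE[self.asset_class] * factor / 100

    def probability_rating(self):
        """Task Three: sum of the vulnerability and control-effectiveness results."""
        return self.vulnerability + self.control_effectiveness

    def risk_level(self):
        """Task Four: impact rating x probability rating."""
        return self.impact_rating() * self.probability_rating()

    def with_control_effectiveness(self, score):
        """The same risk after a control change (a lower score means better controls)."""
        return replace(self, control_effectiveness=score)


def impact_band(rating):
    """The slides name only the top band: an impact rating of 7-10 compares to High."""
    return "High" if 7 <= rating <= 10 else "below High"


def rank(risks):
    """Order the detailed-level list so the largest risk is worked first."""
    return sorted(risks, key=lambda r: r.risk_level(), reverse=True)


# Woodgrove figures: HBI asset, exposure 4 (80%), vulnerability 5 for both hosts;
# controls score 1 on the managed LAN and 5 on the less-managed remote hosts.
LAN = DetailedRisk("LAN host compromise", "HBI", 4, vulnerability=5, control_effectiveness=1)
REMOTE = DetailedRisk("Remote host compromise", "HBI", 4, vulnerability=5, control_effectiveness=5)

if __name__ == "__main__":
    for r in rank([LAN, REMOTE]):
        print(f"{r.name}: impact {r.impact_rating():g} ({impact_band(r.impact_rating())}), "
              f"probability {r.probability_rating()}, risk {r.risk_level():g}")
    # Residual risk if remote hosts received LAN-grade management (control score 1).
    print("remote after LAN-grade management:", REMOTE.with_control_effectiveness(1).risk_level())
```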

Quantifying Risk

• The following tasks outline the process for determining the quantitative value:
– Assign a monetary value to each asset class
– Input the asset value for each risk
– Produce the single-loss expectancy value (SLE)
– Determine the annual rate of occurrence (ARO)
– Determine the annual loss expectancy (ALE)

Scenario Five: Quantifying Risk For Woodgrove Bank

• Task One: Assign Monetary Values to Asset Classes
– Using the 5% Materiality Guideline for valuing assets
– Net Income: $200 Million annually
– HBI Asset Class: $10 Million (200 × 5%)
– MBI Asset Class: $5 Million (based on past spending)
– LBI Asset Class: $1 Million (based on past spending)

Scenario Five: Quantifying Risk For Woodgrove Bank

• Task Two: Identify the Asset Value
– Consumer financial data = HBI Asset Class
– HBI = $10 Million
– Asset Value = $10 Million

Scenario Five: Quantifying Risk For Woodgrove Bank

• Task Three: Produce the Single Loss Expectancy Value (SLE)

Risk Description – Asset Class Value – Exposure Rating – Exposure Value – SLE
– LAN Host Risk ($ in millions): $10 – 4 – 80% – $8
– Remote Host Risk ($ in millions): $10 – 4 – 80% – $8

Exposure Rating → Exposure Factor %:
– 5 → 100
– 4 → 80
– 3 → 60
– 2 → 40
– 1 → 20

Asset Class values (High Business Impact Value = $M):
– HBI Value: $M
– MBI Value: $M / 2
– LBI Value: $M / 4

Estimated Risk Value = Asset Class Value × Exposure Factor % = SLE

Scenario Five: Quantifying Risk For Woodgrove Bank

• Task Four: Determine the Annual Rate of Occurrence (ARO)
– LAN Host ARO: Based on the qualitative assessment of Medium probability, the Security Risk Management Team estimates the risk to occur at least once in two years; thus, the estimated ARO is 0.5.
– Remote Host ARO: Based on the qualitative assessment of High probability, the Security Risk Management Team estimates the risk to occur at least once per year; thus, the estimated ARO is 1.

Qualitative Rating – Description – ARO range – Description Examples
– High – Likely – >= 1 – Impact once or more per year
– Medium – Probable – .99 to .33 – At least once every 1-3 years
– Low – Not probable – < .33 – At least once, more than 3 years apart

Scenario Five: Quantifying Risk For Woodgrove Bank

• Task Five: Determine the Annual Loss Expectancy (ALE) (SLE × ARO)

Risk Description – Asset Class Value – Exposure Rating – Exposure Value – SLE – ARO – ALE
– LAN Host Risk ($ in millions): $10 – 4 – 80% – $8 – 0.5 – $4
– Remote Host Risk ($ in millions): $10 – 4 – 80% – $8 – 1 – $8

Scenario Five: Quantifying Risk For Woodgrove Bank (summary)

• Task One: Assign Monetary Values to Asset Classes
• Task Two: Identify the Asset Value
• Task Three: Produce the Single Loss Expectancy Value (SLE)
• Task Four: Determine the Annual Rate of Occurrence (ARO)
• Task Five: Determine the Annual Loss Expectancy (ALE) (SLE × ARO)
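The five quantitative tasks of Scenario Five carried through in code, as an added example (not the presenter's code or the Microsoft spreadsheet). The 5% materiality guideline, the exposure-factor scale, the ARO bands and the HBI/2, HBI/4 defaults are from the slides; the check that an estimated ARO sits inside the band of its qualitative rating, and the reading of an ALE reduction as the most worth spending on a control per year, are assumptions added here.

```python
"""Quantitative risk valuation (SLE, ARO, ALE) for Woodgrove Bank."""
from dataclasses import dataclass

MATERIALITY_PERCENT = 5                                  # HBI value = 5% of net income
EXPOSURE_FACTOR_PERCENT = {5: 100, 4: 80, 3: 60, 2: 40, 1: 20}


def asset_class_values(net_income_millions, mbi=None, lbi=None):
    """Task One. $M per asset class; MBI/LBI default to the HBI/2, HBI/4 template
    rule unless the organization substitutes figures based on past spending."""
    hbi = net_income_millions * MATERIALITY_PERCENT / 100
    return {"HBI": hbi,
            "MBI": hbi / 2 if mbi is None else mbi,
            "LBI": hbi / 4 if lbi is None else lbi}


def qualitative_rating(aro):
    """Map an ARO back to the slide's bands: High >= 1, Medium .33-.99, Low < .33."""
    if aro >= 1.0:
        return "High"
    if aro >= 0.33:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class QuantifiedRisk:
    name: str
    asset_class: str              # "HBI", "MBI" or "LBI"  (Task Two)
    exposure_rating: int          # 1..5 from the detailed-level assessment
    qualitative_probability: str  # "High", "Medium" or "Low" from the summary level
    aro: float                    # annual rate of occurrence estimated by the team

    def exposure_factor(self):
        return EXPOSURE_FACTOR_PERCENT[self.exposure_rating] / 100

    def sle(self, values):
        """Task Three: SLE = asset class value x exposure factor ($M)."""
        return values[self.asset_class] * EXPOSURE_FACTOR_PERCENT[self.exposure_rating] / 100

    def ale(self, values):
        """Task Five: ALE = SLE x ARO ($M per year)."""
        return self.sle(values) * self.aro

    def aro_matches_rating(self):
        """Assumed Task Four sanity check: the estimated ARO must fall in the band
        of the qualitative rating it came from (Medium -> once in two years = 0.5)."""
        return qualitative_rating(self.aro) == self.qualitative_probability


def annual_loss_table(risks, values):
    """Build the ALE table from the slides, rejecting an ARO outside its band."""
    rows = []
    for r in risks:
        if not r.aro_matches_rating():
            raise ValueError(f"{r.name}: ARO {r.aro} is not in the "
                             f"{r.qualitative_probability} band")
        rows.append({"risk": r.name, "asset_value": values[r.asset_class],
                     "exposure": r.exposure_factor(), "sle": r.sle(values),
                     "aro": r.aro, "ale": r.ale(values)})
    return rows


def justified_annual_spend(risk, values, aro_after_control):
    """Assumed reading of the ALE figures: the ALE reduction a control buys is
    the most it is worth spending on that control per year ($M)."""
    return risk.ale(values) - risk.sle(values) * aro_after_control


# Woodgrove Bank: $200M net income; MBI and LBI set from past spending.
WOODGROVE_VALUES = asset_class_values(200, mbi=5, lbi=1)
LAN = QuantifiedRisk("LAN host risk", "HBI", 4, "Medium", aro=0.5)
REMOTE = QuantifiedRisk("Remote host risk", "HBI", 4, "High", aro=1.0)

if __name__ == "__main__":
    for row in annual_loss_table([LAN, REMOTE], WOODGROVE_VALUES):
        print(row)
    # Managing remote hosts like LAN hosts would bring their ARO from 1 to 0.5.
    print("justified spend on remote-host management, $M/yr:",
          justified_annual_spend(REMOTE, WOODGROVE_VALUES, 0.5))
```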

Assessing Risk: Best Practices

• Analyze risks during the data gathering process

• Conduct research to build credibility for estimating probability

• Communicate risk in business terms

• Reconcile new risks with previous risks

Agenda

• Security Risk Management Concepts

• Security Risk Management Prerequisites

• Assessing Risk

• Conducting Decision Support

• Implementing Controls and Measuring Program Effectiveness

Overview of the Decision Support Phase

[Figure: the four-phase cycle, with phase 2, Conducting Decision Support, highlighted]

1. Define functional requirements
2. Identify control solutions
3. Review solution against requirements
4. Estimate degree of risk reduction
5. Estimate cost of each solution
6. Select the risk mitigation strategy

Identifying Output for the Decision Support Phase

• Key elements to gather include:
– Decision on how to handle each risk
– Functional requirements
– Potential control solutions
– Risk reduction of each control solution
– Estimated cost of each control solution
– List of control solutions to be implemented

Considering the Decision Support Options

• Options for handling risk (ATAM):
– Accept
– Transfer
– Avoid
– Mitigate

Step 1: Define Functional Requirements

[Figure: the six decision support steps and their owners]
Participants: Security risk management team; Security steering committee; Mitigation owner
1. Define functional requirements
2. Identify control solutions
3. Review solutions against requirements
4. Estimate degree of risk reduction
5. Estimate cost of each solution
6. Select the risk mitigation strategy

Step 2: Identify Control Solutions

[Figure: the same six-step diagram, with step 2 highlighted]

Step 3: Review Solutions Against Requirements

[Figure: the same six-step diagram, with step 3 highlighted]

Step 4: Estimate Degree of Risk Reduction

[Figure: the same six-step diagram, with step 4 highlighted]

Step 5: Estimate Cost of Each Solution

[Figure: the same six-step diagram, with step 5 highlighted]

Step 6: Select the Risk Mitigation Strategy

[Figure: the same six-step diagram, with step 6 highlighted]

Conducting Decision Support: Best Practices

• Assign a security technologist to each risk

• Set reasonable expectations

• Build team consensus

• Focus on the amount of risk after the mitigation solution

Agenda

• Security Risk Management Concepts

• Security Risk Management Prerequisites

• Assessing Risk

• Conducting Decision Support

• Implementing Controls and Measuring Program Effectiveness

[Figure: the four-phase cycle, with phase 3, Implementing Controls, highlighted]

Implementing Controls

• Seek a holistic approach

• Organize by Defense-in-Depth

Organizing the Control Solutions

• Critical success determinants to organizing control solutions include:
– Communication
– Team scheduling
– Resource requirements

Organizing by Defense-in-Depth

[Figure: Defense-in-Depth layers]
• Network
• Host
• Application
• Data
• Physical

[Figure: the four-phase cycle, with phase 4, Measuring Program Effectiveness, highlighted]

Measuring Program Effectiveness

• Develop scorecard

• Measure control effectiveness

Developing a Security Risk Scorecard for Your Organization

• A simple security risk scorecard organized by the Defense-in-Depth layers (Risk Levels: H, M, L):

Layer – FY05 Q1 – FY05 Q2 – FY05 Q3 – FY05 Q4
– Physical: H, M
– Network: M, M
– Host: M, M
– Application: M, H
– Data: L, L

(Only two of the four quarterly columns carry values in the source.)

Measuring Control Effectiveness

• Methods for measuring the effectiveness of implemented controls include:
– Direct testing
– Submitting periodic compliance reports
– Evaluating widespread security incidents

Summary

• Decide on risk management methodology

• Determine your maturity level

• Conduct risk assessment

• Conduct decision support

• Implement controls and measure effectiveness

Next Steps

• Australia Security Portal – http://www.microsoft.com/australia/security

• Microsoft Security Risk Management Guide – http://www.microsoft.com/technet/security/guidance/secrisk

• MOF – Security Management – http://www.microsoft.com/technet/itsolutions/cits/mo/smf/mofsmsmf.mspx

• Additional security tools and content – http://www.microsoft.com/security/guidance

