
Computer Security: Principles and Practice Fourth Edition By: William Stallings and Lawrie Brown

Chapter 14 IT Security Management and Risk Assessment

IT Security Management Overview
- Is the formal process of answering the questions:
  - What assets need to be protected?
  - How are those assets threatened?
  - What can be done to counter those threats?
- Ensures that critical assets are sufficiently protected in a cost-effective manner
- Security risk assessment is needed for each asset in the organization that requires protection
- Provides the information necessary to decide what management, operational, and technical controls are needed to reduce the risks identified

Table 14.1 ISO/IEC 27000 Series of Standards on IT Security Techniques
- 27000:2016 “Information security management systems - Overview and vocabulary”: provides an overview of information security management systems, and defines the vocabulary and definitions used in the 27000 family of standards.
- 27001:2013 “Information security management systems – Requirements”: specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System.
- 27002:2013 “Code of practice for information security management”: provides guidelines for information security management in an organization and contains a list of best-practice security controls. It was formerly known as ISO17799.
- 27003:2010 “Information security management system implementation guidance”: details the process from inception to the production of implementation plans of an Information Security Management System specification and design.
- 27004:2009 “Information security management – Measurement”: provides guidance to help organizations measure and report on the effectiveness of their information security management system processes and controls.
- 27005:2011 “Information security risk management”: provides guidelines on the information security risk management process. It supersedes ISO13335-3/4.
- 27006:2015 “Requirements for bodies providing audit and certification of information security management systems”: specifies requirements and provides guidance for these bodies.

IT Security Management
IT SECURITY MANAGEMENT: A process used to achieve and maintain appropriate levels of confidentiality, integrity, availability, accountability, authenticity, and reliability.
IT security management functions include:
- Determining organizational IT security objectives, strategies, and policies
- Determining organizational IT security requirements
- Identifying and analyzing security threats to IT assets within the organization
- Identifying and analyzing risks
- Specifying appropriate safeguards
- Monitoring the implementation and operation of safeguards that are necessary in order to cost-effectively protect the information and services within the organization
- Developing and implementing a security awareness program
- Detecting and reacting to incidents

Figure 14.1 Overview of IT Security Management (figure elements: Organizational Aspects; IT Security Policy; Security Risk Analysis with the options Baseline, Informal, Formal, and Combined; Selection of Controls; Development of Security Plan and Procedures; Implementation, comprising Implement Controls and Security Awareness & Training; Follow-Up, comprising Maintenance, Security Compliance, Change Management, and Incident Handling)

Figure 14.2 The Plan-Do-Check-Act Process Model (figure elements: Interested Parties with Information Security Needs as the input; the Plan, Do, Check, Act cycle; Managed Security as the output returned to Interested Parties)

Organizational Context and Security Policy
- First examine organization’s IT security:
  - Objectives: wanted IT security outcomes
  - Strategies: how to meet objectives
  - Policies: identify what needs to be done
- Maintained and updated regularly, using periodic security reviews, to reflect changing technical/risk environments
- Examine role and importance of IT systems in organization

Security Policy
Needs to address:
- Scope and purpose, including relation of objectives to business, legal, and regulatory requirements
- IT security requirements
- Assignment of responsibilities
- Risk management approach
- Security awareness and training
- General personnel issues and any legal sanctions
- Integration of security into systems development
- Information classification scheme
- Contingency and business continuity planning
- Incident detection and handling processes
- How and when the policy is reviewed, and change control to it

Management Support
- IT security policy must be supported by senior management
- Need an IT security officer:
  - To provide consistent overall supervision
  - Liaison with senior management
  - Maintenance of IT security objectives, strategies, policies
  - Handle incidents
  - Management of IT security awareness and training programs
  - Interaction with IT project security officers
- Large organizations need separate IT project security officers associated with major projects and systems
  - Manage security policies within their area

Security Risk Assessment
- Critical component of the process
- Ideally examine every organizational asset
  - Not feasible in practice
- Approaches to identifying and mitigating risks to an organization’s IT infrastructure:
  - Baseline
  - Informal
  - Detailed risk analysis
  - Combined

Baseline Approach
- Goal is to implement agreed controls to provide protection against the most common threats
- Forms a good base for further security measures
- Use “industry best practice”
- Easy, cheap, can be replicated
- Gives no special consideration to variations in risk exposure
  - May give too much or too little security
- Generally recommended only for small organizations without the resources to implement more structured approaches

Informal Approach
- Involves conducting an informal, pragmatic risk analysis of the organization’s IT systems
- Exploits knowledge and expertise of the analyst
- Fairly quick and cheap
- Judgments can be made about vulnerabilities and risks that the baseline approach would not address
- Some risks may be incorrectly assessed
  - Skewed by the analyst’s views, varies over time
- Suitable for small to medium sized organizations where IT systems are not necessarily essential

Detailed Risk Analysis
- Most comprehensive approach
- Significant cost in time, resources, expertise
- Assess using a formal structured process
  - Number of stages
  - Identify threats and vulnerabilities to assets
  - Identify likelihood of risk occurring and consequences
- May be a legal requirement to use
- Suitable for large organizations with IT systems critical to their business objectives

Combined Approach
- Combines elements of the baseline, informal, and detailed risk analysis approaches
- Aim is to provide reasonable levels of protection as quickly as possible, then to examine and adjust the protection controls deployed on key systems over time
- Approach starts with the implementation of suitable baseline security recommendations on all systems
- Next, systems either exposed to high risk levels or critical to the organization's business objectives are identified in the high-level risk assessment
- A decision can then be made to possibly conduct an immediate informal risk assessment on key systems, with the aim of relatively quickly tailoring controls to more accurately reflect their requirements
- Lastly, an ordered process of performing detailed risk analyses of these systems can be instituted
- Over time, this can result in the most appropriate and cost-effective security controls being selected and implemented on these systems

Detailed Security Risk Analysis
- Provides the most accurate evaluation of an organization's IT system’s security risks
- Highest cost
- Initially focused on addressing defense security concerns
- Often mandated by government organizations and associated businesses

Figure 14.3 Risk Assessment Process (figure elements: Step 1: Prepare for Assessment, derived from Organizational Aspects; Step 2: Conduct Risk Analysis, comprising Identify Threat Sources and Events, Identify Vulnerabilities and Predisposing Conditions, Determine Likelihood of Occurrence, Determine Magnitude of Impact, and Determine Risk; Step 3: Communicate Results; Step 4: Maintain Assessment)

Establishing the Context
- Initial step
- Identify the assets to be examined
- Explores the political and social environment in which the organization operates
- Determine the basic parameters of the risk assessment
  - Legal and regulatory constraints
  - Provide a baseline for the organization’s risk exposure
- Risk appetite
  - The level of risk the organization views as acceptable

Figure 14.4 Generic Organizational Risk Context (figure: sectors placed on a spectrum from Less Vulnerable to More Vulnerable; sectors shown: Agriculture, Media, Construction, Retail, Health Care, Education, Communications, Banking & Finance, Utilities, Transportation, Manufacturing, Government)

Asset Identification
- Last component is to identify the assets to examine
- Draw on the expertise of people in relevant areas of the organization to identify key assets
  - Identify and interview such personnel
- Asset: “anything that needs to be protected” because it has value to the organization and contributes to the successful attainment of the organization’s objectives

Terminology
- Asset: A system resource or capability of value to its owner that requires protection
- Threat: A potential for a threat source to exploit a vulnerability in some asset, which if it occurs may compromise the security of the asset and cause harm to the asset’s owner
- Vulnerability: A flaw or weakness in an asset’s design, implementation, or operation and management that could be exploited by some threat
- Risk: The potential for loss computed as the combination of the likelihood that a given threat exploits some vulnerability to an asset, and the magnitude of harmful consequence that results to the asset’s owner

Threat Identification
A threat is anything that might hinder or prevent an asset from providing appropriate levels of the key security services:
- Confidentiality
- Integrity
- Availability
- Accountability
- Authenticity
- Reliability

Threat Sources
- Threats may be:
  - Natural (“acts of God”)
  - Man-made, accidental or deliberate
- Evaluation of human threat sources should consider:
  - Motivation
  - Capability
  - Resources
  - Probability of attack
  - Deterrence
- Any previous experience of attacks seen by the organization also needs to be considered

Vulnerability Identification
- Identify exploitable flaws or weaknesses in the organization’s IT systems or processes
- Determines the applicability and significance of a threat to the organization
- Need a combination of threat and vulnerability to create a risk to an asset
- Outcome should be a list of threats and vulnerabilities with brief descriptions of how and why they might occur

Analyze Risks
- Specify the likelihood of occurrence of each identified threat to an asset, given existing controls
- Specify the consequence should the threat occur
- Derive an overall risk rating for each threat
  - Risk = probability threat occurs × cost to organization
- Hard to determine accurate probabilities and realistic cost consequences
  - Use qualitative, not quantitative, ratings

Analyze Existing Controls
- Existing controls used to attempt to minimize threats need to be identified
- Security controls include:
  - Management
  - Operational
  - Technical processes and procedures
- Use checklists of existing controls and interview key organizational staff to solicit information

Table 14.2 Risk Likelihood

Table 14.3 Risk Consequences (Table can be found on pages 476-477 in textbook)

Table 14.4 Risk Level Determination and Meaning

Table 14.5 Risk Register

Figure 14.5 Judgment About Risk Treatment (figure: Risk Level on one axis from Low to Extreme, Cost of Treatment on the other; regions labelled Implement Treatment, Judgement Needed, and Uneconomic so accept)

Risk Treatment Alternatives
- Risk acceptance: choosing to accept a risk level greater than normal for business reasons
- Risk avoidance: not proceeding with the activity or system that creates this risk
- Risk transfer: sharing responsibility for the risk with a third party
- Reduce consequence: modifying the structure or use of the assets at risk to reduce the impact on the organization should the risk occur
- Reduce likelihood: implement suitable controls to lower the chance of the vulnerability being exploited
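As an added example (not from the textbook or these slides), the qualitative rating from the Analyze Risks slide and the treatment judgment from Figure 14.5 and the Risk Treatment Alternatives slide, carried through to a small risk register in Python. The likelihood and consequence scales, the risk-level matrix and the sample entries are assumptions constructed for illustration, not the book's Tables 14.2 to 14.5.

```python
from dataclasses import dataclass

# Assumed qualitative scales, lowest to highest (illustrative, not Tables 14.2/14.3).
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
CONSEQUENCE = ["insignificant", "minor", "moderate", "major", "catastrophic"]
# Assumed risk-level matrix: rows follow LIKELIHOOD, columns follow CONSEQUENCE.
RISK_MATRIX = ["LLLMH", "LLMHH", "LMHHE", "MHHEE", "MHEEE"]
LEVEL_NAME = {"L": "low", "M": "medium", "H": "high", "E": "extreme"}
SEVERITY = ["low", "medium", "high", "extreme"]

@dataclass
class RiskEntry:
    asset: str        # what needs protecting, and which security property
    threat: str       # what might compromise it
    likelihood: str   # LIKELIHOOD rating, given existing controls
    consequence: str  # CONSEQUENCE rating should the threat occur

def risk_level(likelihood: str, consequence: str) -> str:
    """Combine the two qualitative ratings through the matrix; this is the
    qualitative stand-in for risk = probability of occurrence x cost."""
    row = LIKELIHOOD.index(likelihood.lower())
    col = CONSEQUENCE.index(consequence.lower())
    return LEVEL_NAME[RISK_MATRIX[row][col]]

def treatment_decision(level: str, risk_appetite: str = "medium") -> str:
    """Figure 14.5 style judgment: extreme risks are always treated, risks above
    the stated appetite need a cost-versus-risk judgment, the rest are accepted."""
    if level == "extreme":
        return "implement treatment"
    if SEVERITY.index(level) > SEVERITY.index(risk_appetite):
        return "judgment needed"
    return "accept"

def build_register(entries, risk_appetite="medium"):
    """Risk register rows ordered from highest to lowest risk level."""
    rows = [{"asset": e.asset, "threat": e.threat,
             "level": risk_level(e.likelihood, e.consequence)} for e in entries]
    for r in rows:
        r["treatment"] = treatment_decision(r["level"], risk_appetite)
    return sorted(rows, key=lambda r: SEVERITY.index(r["level"]), reverse=True)

# Constructed entries loosely modelled on the Silver Star Mines asset list.
SAMPLE_ENTRIES = [
    RiskEntry("SCADA nodes and network (reliability)", "malware on networked control systems", "possible", "catastrophic"),
    RiskEntry("Stored files and databases (integrity)", "unauthorized modification", "unlikely", "moderate"),
    RiskEntry("Mail services (availability)", "mail server outage", "likely", "minor"),
    RiskEntry("Financial system (integrity)", "transaction fraud", "rare", "major"),
]
```

With the assumed matrix, build_register(SAMPLE_ENTRIES) rates the SCADA entry extreme (implement treatment), the mail outage high (judgment needed), and the other two medium (accepted under a medium risk appetite).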

Case Study: Silver Star Mines
- Fictional operation of a global mining company
- Large IT infrastructure
  - Both common and specific software
  - Some directly relates to health and safety
  - Formerly isolated systems now networked
- Decided on the combined approach
- Mining industry at the less risky end of the spectrum
- Subject to legal/regulatory requirements
- Management accepts moderate or low risk

Assets
- Reliability and integrity of SCADA nodes and network
- Integrity of stored file and database information
- Availability, integrity and confidentiality of mail services
- Availability and integrity of the maintenance/production system
- Availability and integrity of the financial system
- Availability and integrity of the procurement system

Table 14.6 Silver Star Mines Risk Register (Table is on page 482 in textbook)

Summary
- IT security management
- Organizational context and security policy
- Security risk assessment
  - Baseline approach
  - Informal approach
  - Detailed risk analysis
  - Combined approach
- Detailed security risk analysis
  - Context and system characterization
  - Identification of threats/risks/vulnerabilities
  - Analyze risks
  - Evaluate risks
  - Risk treatment
- Case study: Silver Star Mines
