Developing IT Security Risk Management Plan

Published on December 2016


Module I Kefa Rabah IT Risk Management Plan – The Way Forward

Module I
Risk Management Plan
A Case Study
SerengetiGroup
IT Security Project Solution

www.serengetisys.com

Bedrock City University (BCU)
Secure Network Infrastructure Project

Developing IT Security Risk Management Plan
The Way Forward

Document History:
Date          Version #     Author(s)          Description of Changes
Feb 02, 2008  BCU-RMP-001   BCU-ISESC, SISC    Final Issue







A Global Open Versity Reading Room Academic Technical Publication
Permissions: A GOV Open Knowledge Academic Access License


Learn more, visit:
www.serengetisys.com
www.globalopenversity.org
Kefa Rabah

CIS300: IT Risk Mgmt & Compliance Strategies PAGE 1 OF 59 Bright Future
Module I

Developing IT Security Risk Management Plan


Abstract
As attacks on the enterprise grow more sophisticated and diverse, companies need to rethink their network
defense and their entire enterprise risk management strategy. Security is not only about protecting the
network, but also about protecting the data. That requires a combination of tactics, from securing the
network perimeter to encrypting data on mobile and storage devices, and today many enterprises take a
layered approach to network security. As security becomes more complex, businesses increasingly see a
need for enterprise security strategies, as well as ways to collate information from the various tools and
evaluate their performance. They are also grappling with new issues created by growing mobility and
anywhere, anytime access, which makes the remote user, not the firewall, the "new perimeter" and
increases the risk to enterprise resources. In this respect, IT managers are focusing more and more on
end-to-end visibility. More importantly, the road to an enterprise security strategy and risk management
starts with consulting stakeholders to determine what level of risk is acceptable. Only then can you
formulate a policy that lays out the controls that will achieve those goals, implemented through a solid IT
security risk management plan geared towards the organization's IT security objectives and driven by the
business requirements for improved performance.
1.0 INTRODUCTION
Risk management is a much talked about, but little understood, area of the IT security industry. While risk
management has been practiced by other industries for hundreds of years, little historical data exists to
support quantitative analysis in the IT environment.
The industry approach to date has been to buy technology without really understanding the underlying
risks. To further complicate matters, new government regulations create additional pressure to ensure
sensitive data is protected from compromise and disclosure. Processes need to be developed that not only
identify the sensitive data, but also identify the level of risk posed by noncompliance with corporate
security policies. Serengeti Information Security Consulting (SISC) at Bedrock City has developed security
procedures, based on industry standards, that evaluate and mitigate areas deemed not compliant with
internal security policies and standards. Through quantitative analysis, SISC is able to determine the areas
that present the greatest risk, which allows security investments to be identified and prioritized.
1.1 OVERVIEW OF RISK MANAGEMENT IN IT SECURITY FIELD
The fundamental precept of information security is to support the mission of the organization. All
organizations are exposed to uncertainties, some of which impact the organization in a negative or positive
manner. In order to support the organization, IT security professionals must be able to help their
organizations’ management understand and manage these uncertainties.
Managing uncertainties is not an easy task. Limited resources and an ever-changing landscape of threats
and vulnerabilities make completely mitigating all risks impossible. Therefore, IT security
professionals must have a toolset to assist them in sharing a commonly understood view with IT and
business managers concerning the potential impact of various IT security related threats to the mission.
This toolset needs to be consistent, repeatable, cost-effective and reduce risks to a reasonable level.
However, due to the complex nature of the network infrastructure and its integrated information systems, it
is important to present the reader with a clear picture of the risky business of protecting information
systems.
In this respect, risk assessment plays a vital role in any information-security program, ensuring that
resources are being allocated in the most effective way to support the business objectives. Because
resources are always limited, controls should be applied to areas that represent the biggest risks. It's
crucial that the risk-assessment process link security exposures to business needs; risks should be
measured against the potential impact to the confidentiality, integrity or availability of any critical
business process. Basically stated, every security control has an associated cost, and there must be a
business reason for it to be implemented. Risk-assessment methodologies should be used to provide
justification and prioritization for the implementation of security controls to mitigate risks.
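The point that every control has a cost and needs a business justification can be made operational with the single loss expectancy (SLE), annualized rate of occurrence (ARO) and annualized loss expectancy (ALE) arithmetic of quantitative analysis referred to in section 1.0. The Python below is an added worked example and is not part of the SISC/BCU plan; the asset values, exposure factors, incident rates and control costs are constructed to illustrate the ranking, not measured figures.

```python
"""Quantitative risk prioritization: rank candidate controls by annualized
risk reduction per dollar spent, using SLE, ARO and ALE. Added illustration;
the assets, probabilities and control costs below are constructed, not BCU data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # dollars at stake if the asset is fully lost
    exposure_factor: float  # fraction of asset value lost per incident (0..1)
    aro: float              # annualized rate of occurrence (incidents per year)

    @property
    def sle(self) -> float:
        """Single loss expectancy: loss from one incident."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    mitigates: str              # Risk.name this control addresses
    aro_reduction: float        # fraction of incidents it prevents (0..1)
    ef_reduction: float = 0.0   # fraction of per-incident loss it removes (0..1)


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains after the control is applied."""
    sle = risk.sle * (1.0 - control.ef_reduction)
    aro = risk.aro * (1.0 - control.aro_reduction)
    return sle * aro


def annual_benefit(risk: Risk, control: Control) -> float:
    """Expected yearly loss avoided by the control."""
    return risk.ale - residual_ale(risk, control)


def prioritize(risks, controls):
    """Return (control name, benefit, benefit/cost) for controls whose annual
    risk reduction exceeds their annual cost, best value first. A control that
    costs more than the loss it avoids has no business case and is dropped."""
    by_name = {r.name: r for r in risks}
    ranked = []
    for c in controls:
        benefit = annual_benefit(by_name[c.mitigates], c)
        if benefit > c.annual_cost:
            ranked.append((c.name, benefit, benefit / c.annual_cost))
    return sorted(ranked, key=lambda t: t[2], reverse=True)


# Constructed inventory (illustrative figures only).
RISKS = [
    Risk("laptop-loss-pii", asset_value=2_000_000, exposure_factor=0.5, aro=2.0),
    Risk("web-app-sqli", asset_value=5_000_000, exposure_factor=0.2, aro=0.5),
    Risk("email-malware", asset_value=300_000, exposure_factor=0.3, aro=12.0),
]
CONTROLS = [
    # Encryption does not stop laptops being lost (ARO unchanged) but removes
    # most of the loss per incident (exposure factor cut by 90%).
    Control("full-disk-encryption", 150_000, "laptop-loss-pii", aro_reduction=0.0, ef_reduction=0.9),
    Control("web-app-firewall", 80_000, "web-app-sqli", aro_reduction=0.6),
    Control("mail-gateway-av", 60_000, "email-malware", aro_reduction=0.8),
    Control("gold-plated-ips", 900_000, "web-app-sqli", aro_reduction=0.9),
]

if __name__ == "__main__":
    for name, benefit, ratio in prioritize(RISKS, CONTROLS):
        print(f"{name:22s} avoids ${benefit:>12,.0f}/yr  ({ratio:.1f}x its cost)")
```

Run as written, the ranking puts the cheap mail gateway filter first, disk encryption second and the web application firewall third, and discards the expensive IPS because its annual cost exceeds the loss it would avoid. Replacing the constructed figures with the organization's own asset valuations and incident history is what turns this into the prioritization step of section 1.1.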
1.2 Historical Perspective of Risks in the IT Security Field
A few years ago not many computers were connected to the Internet. Now, with the price of broadband
falling and households joining the Internet, that has changed, and the same is happening across small,
medium and corporate businesses. Where email was once not widely used, today every company needs that
form of communication in some form. As these habits change, the risk changes as well. A point to note
here: you cannot eliminate risk, you can only reduce it.
Moreover, in today's computing age we have witnessed the growing popularity of the Internet and of
networks in our society. With these tools at our fingertips, we are able to communicate and do business
more quickly and efficiently than ever before. For example, businesses can market their products online so
customers do not have to leave their homes, and banks can conduct transfers and manage accounts with
more ease, speed and functionality than with the paperwork of the past. Also, what is probably the most
popular means of communication, email, is used by just about everyone every day.
Furthermore, the world continues to witness an explosion in mobile technology designed to help people
communicate faster and more easily. We carry powerful digital computers in our pockets, exchange digital
information in addition to voice with our mobile phones, and surf the Web with high-end PDAs. In the near
future, especially with the coming of age of 3G wireless devices, every type of electronic data channel will
be used to exchange every type of electronic information. This has become even more challenging with the
entry of the "Incredible Hulk" of the smartphone family, the iPhone 2.0. One of the great challenges of
digital communication is securing the increased amount of electronic information now exchanged over the
network. To make matters worse, today everyone wants to be reachable everywhere and anywhere on a
mobile device that exchanges data with the enterprise network. That makes mobile security risk
management a top priority for many businesses that want to offer high-end mobile customer applications.
It is clear that these modern conveniences have made our lives much smoother. However, as we continue
to add these conveniences to our lives, we open the door to more numerous, and possibly more dangerous,
outlets for attacks ranging from malware to identity theft. With identity theft on the rise, we must all be
wary of the security of online communication. Moreover, as every organization tries to deliver value from
IT while managing an increasingly complex range of IT-related risks, the effective use of best practice can
help to avoid reinventing wheels, optimize the use of scarce IT resources and reduce the occurrence of
major IT risks such as project failures, wasted investments, security breaches, system crashes, and failures
by service providers to understand and meet customer requirements. See Fig. 1 for the evolution of IT
threats.
While a few years ago every network needed a firewall and then everything was fine, things have changed
here as well. Our society today is based on, and relies on, a free flow of information: in real time,
information is constantly moving around, leaving and entering inter-networks (the Internet) around the
world at any instant. The IT professional's main problem today is that this information cannot be
protected by a simple firewall, because it will not stay in one place but "moves around". One could argue
that we should then keep the information in one place where we can protect it. But, as mentioned above,
our society needs that flow of information to keep evolving and to keep pace with the ongoing industrial
revolution and the constantly changing innovative ideas fueled by the rapidly evolving cyberspace, the
Internet. In its wake comes vicious cybercrime, driven by tech-savvy cybercriminals working for organized
crime groups that look upon the Web as a new, and extremely lucrative, source of ill-gotten gain, mainly
via identity theft.

[Fig. 1 is a timeline chart, 1980 to 2010, plotting the sophistication of attacker tools against the technical
knowledge required to use them (axis labelled "High"), with script kiddies at the recent, low-skill end.
Threats placed along the timeline: password guessing, self-replicating code, password cracking, exploiting
known vulnerabilities, disabling audits, back doors, hijacking sessions, sniffers, sweepers, stealth
diagnostics, packet forging/spoofing, Trojan horses, viruses, Internet worms, DDoS, botnets, SQL injection.]

Fig. 1: Threats are more dangerous and easier to use

Moreover, in today's business partnerships, IT has been helping the business connect with partners via
portals and Web applications, especially with the coming of age of Web 2.0, and it has been punching holes
in the perimeter in the process. Furthermore, it is not uncommon to find plenty of companies that still rely
on older network-centric technologies as their only protection. In some cases they are not even up to date
with the technologies offered by this network-based security approach. For example, insecure and outdated
legacy systems that were never made to be online are still very much alive and fully connected, giving more
individuals than ever access to critical data. On top of that, users are increasingly using mobile devices,
transporting data outside company walls. All of this contributes to a heightened threat that cannot be
addressed by traditional signature-based antivirus software and the old-guard firewall.
Moreover, we are constantly confronted with the dreaded identity theft epidemic, adding to the already
endless pressures on IT. It is expected that government regulations, partners' requirements and public
outrage will eventually force a clampdown on sloppy physical security practices. Today the problem of
identity theft, the loss of millions of individuals' personal data around the world, is on the rise and is
expected to get worse. That means huge losses for consumers and organizations, and tighter privacy
regulations. IT organizations, however, do not expect technical solutions to end the security breaches any
time soon; most say damage from viruses and computer worms will continue to rise significantly over the
next five years. Inadequate mobile security is emerging as a new nightmare. But the biggest threat to
security and identity is careless behavior: more IT executives say lost or stolen laptops or computer media
represent a significant security threat to their organization's IT assets than say the same of attacks on
corporate networks, infected e-mails, downloads or web sites, or vulnerabilities in software or anti-virus
programs. Changing behavior is notoriously difficult, but organizations will need to do it to conform to
business requirements.
Now that the laid-back era of simply sticking a firewall at the edge of the network and relaxing has been
brought to an end by sophisticated high-tech threats, what next? Next came intrusion detection systems
(IDS) to take charge where the firewall failed. Intrusion detection systems broadly rely on threat-based
signature detection: they continuously check network traffic against known threat signatures and raise an
alert when a match is found. Today, however, network attacks are so vicious and so quick that by the time
the information security analyst looks at the IDS console, the attack has already happened and it is too
late: the organization's network has already been compromised and the asset damaged. So, in effect, the
intrusion detection system, because it did not block anything, became a forensic tool that specialists
consulted after the fact to see exactly what happened and how much damage was done. On the heels of IDS
came intrusion prevention systems (IPS), designed not just to monitor network activity but to block
suspicious traffic inline; these have largely supplanted IDS. But even they struggle to keep up with evolving
threats and faster networks that are now in the realm of gigabit speeds. Today, gigabit connections
between internal networks and data centers are giving way to 10-gigabit connections, while external
connections range from T1 speeds to 100 megabits per second, and this adds further complexity to
combating threats and attacks.
Today IPSs are spreading from the perimeter throughout the network to counter the increase in network
speeds and threats, and thereby help protect the core of the enterprise network. As a case in point,
infected laptops or memory sticks may accidentally introduce threats from inside, but strategically placed
IPSs can help stop them from spreading. When properly and carefully configured, i.e. not left at the
vendor's out-of-the-box defaults, IPS-secured enterprise networks are easier to keep up to date than the
proliferation of threats might suggest. Moreover, today's attacks are less likely to be known exploits, as
threats never seen before keep appearing on the scene. In this respect, the technologies that will be able
to protect enterprise networks against these kinds of attacks are those designed to look for the "known
unknowns", i.e. things that are out of the ordinary, rather than relying on signatures.
Malware writers have become very good at deploying frequent small modifications to defeat signature-based
security, so many products now look not for code matching a specific signature but for traffic that takes
advantage of a known vulnerability. To counter these new trends, most security device vendors now combine
modified signature-based detection with vulnerability filters rather than relying on known malware
signatures alone. These modern security devices are also expanding their focus from network vulnerabilities
to those at the operating system and application levels. Some of these devices can decode network
protocols, allowing them to understand and address vulnerabilities in real time. Knowing what is running on
the network also makes it possible to turn filters on and off automatically, depending on what applications,
and therefore what known vulnerabilities, exist within the enterprise network environment. What next, just
in case our network were to be breached due to poorly configured security devices, or that valuable laptop
holding confidential data just disappeared? Data loss gives rise to identity theft. Now, because the
perimeter is so open, the first thing we worry about is the data and how to protect it. One solution that can
quickly come to the aid against identity theft is data encryption.
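The difference between matching a byte signature and filtering on the vulnerability condition, and the idea of enabling a filter only when the vulnerable application is present, can be shown concretely. The Python below is an added example, not code from the document or from any vendor's IPS; the protocol (a LOGIN command copied into a 64-byte buffer by a hypothetical legacy server), the three sample payloads and the application inventory are all constructed for illustration.

```python
"""Signature matching versus vulnerability-based filtering. Added example
(not from the document or any vendor product). The protocol, buffer size,
payloads and application inventory are constructed for illustration."""
import re

# A byte signature extracted from the first exploit sample seen: the eight-byte
# NOP sled that preceded its shellcode. (Constructed.)
SIGNATURES = {
    "login-overflow-sample-1": b"\x90" * 8,
}

# Vulnerability filter: the hypothetical legacy login server copies the "user"
# field into a 64-byte stack buffer, so ANY LOGIN whose user field is longer
# than 64 bytes triggers the bug, whatever bytes the attacker chose to send.
MAX_USER_LEN = 64
LOGIN_RE = re.compile(rb"^LOGIN user=([^\s&]*)")


def login_overflow(payload: bytes) -> bool:
    """True when the decoded LOGIN command would overflow the user buffer."""
    m = LOGIN_RE.match(payload)
    return bool(m) and len(m.group(1)) > MAX_USER_LEN


# Filter name -> (application it protects, check). A filter is only run when
# the vulnerable application is actually present on the network.
VULN_FILTERS = {
    "login-overflow-condition": ("legacy-login-server", login_overflow),
}


def signature_hits(payload: bytes) -> list:
    return [name for name, pattern in SIGNATURES.items() if pattern in payload]


def filter_hits(payload: bytes, inventory: set) -> list:
    return [name for name, (app, check) in VULN_FILTERS.items()
            if app in inventory and check(payload)]


def inspect(payload: bytes, inventory: set) -> tuple:
    """(signature matched?, vulnerability filter matched?) for one payload."""
    return bool(signature_hits(payload)), bool(filter_hits(payload, inventory))


# Constructed traffic: a benign login, the original exploit, and a trivially
# mutated copy whose NOP sled is replaced by other single-byte x86
# instructions (0x41 inc ecx, 0x48 dec eax) so the signature no longer matches.
SAMPLES = {
    "benign": b"LOGIN user=alice&pass=s3cret",
    "exploit-original": b"LOGIN user=" + b"A" * 80 + b"\x90" * 8 + b"\xcc" * 4,
    "exploit-mutated": b"LOGIN user=" + b"B" * 80 + b"\x41\x48" * 4 + b"\xcc" * 4,
}
INVENTORY = {"legacy-login-server", "mail-relay"}   # assumed asset inventory


def evaluate(samples=SAMPLES, inventory=INVENTORY) -> dict:
    """Run every sample through both detection methods."""
    return {name: inspect(p, inventory) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (sig, vuln) in evaluate().items():
        print(f"{name:18s} signature={str(sig):5s} vuln-filter={vuln}")
```

The signature catches only the sample it was written from; the vulnerability filter catches both the original and the mutated exploit and leaves the benign login alone, because it tests the condition the server actually mishandles rather than the bytes one attacker happened to use. Removing the legacy server from the inventory switches the filter off, which is the automatic enabling and disabling of filters the paragraph describes.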
Until now, most businesses have focused their security attention on external attackers. But a quick glance
at recent headlines shows that the threat from internal sources is just as serious. Given the significant legal
and financial consequences of data security breaches (unwanted media attention, brand damage, stock
price drops, hefty fines, lawsuits and customer loss), it is clear that IT leaders must address both external
and internal threats in order to protect both their employees and their customers.
Encrypting networks and data is a necessary fallback. However, encryption is neither a magic bullet nor
invulnerable; criminals will always attempt to crack it, just as they do antivirus and anti-malware
programs. Still, encrypting data is the best last resort for when lost or stolen data falls into malevolent
hands, and it is a technical solution that IT departments and vendors can implement. About three-quarters
of IT organizations budgeted for encryption in 2007, and that percentage is likely to rise, i.e. more
company data will be encrypted in 2008 and beyond.
Adding to the complexity and woes of IT security, federal regulations are constantly forcing many
organizations in healthcare, finance and city government, and any publicly traded company, to comply with
the regulations and with business partners' requirements, which raise questions such as: Who has access to
your network? How do you keep the bad guys out and let the good guys in? How do you control your supply
chain and grant access to independent contractors while still complying with the rules?
[Fig. 2 is a diagram: business drivers (PCI, HIPAA, SOX, FFIEC, FISMA, PIPEDA) feed REQUIREMENTS
into a Compliance Management System organized along three axes, People, Processes and Technology. The
requirement areas shown are: asset customizations, asset owners, contractors, systems administration,
application developers, employees, physical security, application development, documentation, identity
management, IT operations, security operations, anti-virus, authentication, network management, help
desk, encryption, vulnerability, access controls and patch management.]

Fig. 2: Mapping compliance requirements and risk management technology solutions
Moreover, constantly changing government laws, compliance requirements and business partners'
regulations have further deepened the IT industry's risk management woes. With changing regulations, the
requirements a company must fulfill change as well, see Fig. 2. Some of the regulations and requirements
currently in effect are: the Health Insurance Portability and Accountability Act (HIPAA); the
Gramm-Leach-Bliley Act (GLBA); the Sarbanes-Oxley (SOX) Act; the Payment Card Industry (PCI) Data
Security Standard; and PIPEDA in Canada. Not meeting regulations can become a very big risk and can
result in big problems for a company and especially for its executive board.
Moreover, as the amount of business transacted across the Net increases, a corresponding rise in the
amount of personal information stored on devices connected to it is being seen. Given the woeful handling
of such data by some retailers and vendors who have proven they simply do not "get" what effective privacy
and security policies are, salivating criminals are often able to get their hands on such data as easily as
picking cherries off a tree. Take, for example, the retail giant TJX, which for the better part of 2007 was
raked over the coals for allowing hackers to penetrate its network over a three-year period and pilfer more
than 94 million credit card records, the worst security breach in the history of the Internet to date. The
record-breaking breach suffered by TJX Companies did not just happen: it was the result of conscious
choices made by the retailer's IT executives to risk not adopting security best practices (for example, the
TJX IT department willfully chose not to upgrade from the obsolete WEP wireless encryption to the more
secure WPA), and of regulators' decisions to treat the retailer with kid gloves.
As new regulations and legislation are imposed on businesses every day, IT organizations will continue to
suffer from an onslaught of new requirements and struggle to identify concrete controls that can be
developed into policy and deployed successfully in their organizations. Adding to the trouble, the
requirements of most regulations overlap extensively, leaving IT organizations with the challenge of sorting
out which solutions meet which requirements of which regulations. We believe it will be increasingly
important for businesses to find ways to manage the mapping of requirements onto easily deployable
security policy.
In the end, with authorities virtually powerless to stop much of the online criminal activity taking place
today, the best defense for companies is to employ stringent guidelines around the generation, exchange
and storage of data. It is also imperative that employees be educated on the importance of such policies
and the dangers of not following them, backed by a clear risk management plan that closely monitors the
security of the network and enforces the data encryption policies.

Fig. 3: The SerengetiSys Labs Defense-In-Depth layered security model.

1.3 A Case for Multi-Layered Enterprise IT Security Network Defense
In IT speak, security is a many-layered thing for most IT managers. This is basically because attacks may
target network, workstation, server or application vulnerabilities. Blended threats combine multiple attack
vectors (Trojan horses, spyware, worms and viruses, for example) in an attempt to outflank an
organization's defenses. And over the years, starting from the mid 80s and the birth of the PC, the attack
tools have been growing in sophistication while requiring almost no technical skill to use, as depicted in
Fig. 1. In response, enterprises erected a series of barriers on the principle that an attack that beats one
security measure will not get past the other protections. This approach goes by several names, layered
security or defense-in-depth, but the underlying premise is the same, see Fig. 3. A PKI infrastructure
gives you the ability to secure your network with data encryption to preserve confidentiality, hashing to
maintain data integrity, digital signatures for authentication, and digital certificates to secure your
e-commerce systems through secure data transfer over the public network, the Internet. SIEM tools give
you network monitoring together with threat event management and reporting.
You may recall that the traditional view of layered security places the firewall at the outermost ring of
protection, guarding the corporate network from incursions borne by the public network (the Internet), see
Figs. 3 and 4. After the firewall, attention turns to network-based intrusion detection/prevention systems
that aim to snuff out attacks that sneak through the firewall. Antivirus software and host-based intrusion
detection/prevention systems protect servers and client PCs, providing still another layer.



Fig. 4: Typical Secure Internal Network Infrastructure

Firewall: via filter rules (TCP, UDP and ports) it must be the gateway for all communications between
trusted, untrusted and unknown networks (NWs). It is the choke point through which all communication must
pass.

Perimeter network (NW) or DMZ: put in place using firewalls and routers on the NW edge, it permits secure
communications between the corporate NW and third parties. It includes the DMZ, extranets and intranets.
The perimeter network is the key that enables many mission-critical NW services. It also offers a layer of
protection for the internal NW in the event that one of the Internet-accessible servers is compromised.

Bastion hosts: a bastion host cannot initiate, on its own, a session request back to the private NW; it can
only forward packets that have already been requested by clients on the internal private NW. To maintain
secure communication and protect the private network, bastion hosts should have all appropriate up-to-date
service packs (SP), hot fixes and patches installed. System/network admins must also ensure that logging
of all security-related events is enabled and regularly reviewed and analyzed, to track both successful and
unsuccessful security events.
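The choke-point rule and the bastion-host rule above (the DMZ may answer the internal network but never initiate into it) amount to a zone policy plus a connection state table. The Python below models that policy so the behaviour can be checked against a sequence of packets; it is an added example, not configuration from the document or from any firewall product, and the zone names, addresses and permitted services are assumed for illustration.

```python
"""Choke-point policy for the firewall/DMZ/bastion layout of Fig. 4, modelled
as a zone-based stateful filter. Added example, not from the document; the
zones, addresses and allowed services are assumed for illustration."""
from collections import namedtuple

Packet = namedtuple("Packet", "src_zone src_ip sport dst_zone dst_ip dport proto")

# Services that may be INITIATED between zones. Nothing may initiate from the
# Internet into the internal network, and the DMZ (bastion hosts) may not
# initiate into the internal network either; replies flow back only because
# the connection already exists in the state table. Default is deny.
NEW_ALLOWED = {
    ("internet", "dmz", "tcp", 443),       # public web front end
    ("internet", "dmz", "tcp", 25),        # inbound mail relay
    ("internal", "dmz", "tcp", 443),       # staff use the same front end
    ("internal", "dmz", "tcp", 22),        # admins manage bastion hosts
    ("internal", "internet", "tcp", 443),  # outbound HTTPS from staff
}


class ChokePoint:
    """Every packet between zones passes through decide(); there is no other path."""

    def __init__(self):
        self.conntrack = set()   # 5-tuples of connections already accepted

    def decide(self, p: Packet) -> str:
        # A packet is a reply if the mirrored 5-tuple was accepted earlier.
        reply_of = (p.dst_ip, p.dport, p.src_ip, p.sport, p.proto)
        if reply_of in self.conntrack:
            return "ACCEPT (established)"
        if (p.src_zone, p.dst_zone, p.proto, p.dport) in NEW_ALLOWED:
            self.conntrack.add((p.src_ip, p.sport, p.dst_ip, p.dport, p.proto))
            return "ACCEPT (new)"
        return "DROP"


def run_scenario() -> list:
    """Constructed packet sequence exercising each rule in Fig. 4's description."""
    fw = ChokePoint()
    steps = [
        ("customer hits web server",
         Packet("internet", "198.51.100.7", 51000, "dmz", "10.1.0.10", 443, "tcp")),
        ("web server answers customer",
         Packet("dmz", "10.1.0.10", 443, "internet", "198.51.100.7", 51000, "tcp")),
        ("bastion tries to open a DB session inward",
         Packet("dmz", "10.1.0.10", 40000, "internal", "10.2.0.5", 1433, "tcp")),
        ("internal client opens session to bastion",
         Packet("internal", "10.2.0.50", 52000, "dmz", "10.1.0.10", 443, "tcp")),
        ("bastion replies to internal client",
         Packet("dmz", "10.1.0.10", 443, "internal", "10.2.0.50", 52000, "tcp")),
        ("Internet host probes internal DB directly",
         Packet("internet", "198.51.100.7", 51001, "internal", "10.2.0.5", 1433, "tcp")),
    ]
    return [(label, fw.decide(p)) for label, p in steps]


if __name__ == "__main__":
    for label, verdict in run_scenario():
        print(f"{verdict:22s} {label}")
```

The third step is the one that matters when a DMZ server is compromised: the bastion host can answer sessions the internal client opened (step five) but cannot open one of its own toward the private network, so the perimeter still protects the internal NW after an Internet-facing server falls.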

While emerging classes of tools may fend off attacks at multiple layers, there are pitfalls if the tools are
not properly configured, managed or integrated with existing systems. In effect, chief information and
security officers have to be jacks of all trades to implement an effective layered security strategy. Overall,
a layered security strategy built around numerous preventive controls requires good perimeter defenses,
i.e. you need to have host- and network-based intrusion detection integrated with other security solutions
all the way down to the desktop level, also known as the end-point. Current statistics indicate that a typical
enterprise spends more than 5% of its IT budget on security, with expected growth in annual spending
pegged at 9%, compared to 4% to 5% for IT overall.
Today, most IT network security strategists prefer to define layers in terms of critical security processes,
tasks such as vulnerability management and intrusion prevention. Process-based definitions like these do
not commit IT managers to a specific technology approach and also guard against redundant technology.
For example, anti-spyware products entered the market a few years ago as a product set distinct from
antivirus; however, both support the same process. One may wonder what is so different about the process
of blocking spyware from the process of blocking viruses. Vendors such as Symantec have since
consolidated anti-spyware and antivirus on the same desktop. This new approach has given rise to increased
emphasis on host security for so-called end-points such as servers and PCs, so that these devices can
defend themselves. These technologies include host-based intrusion detection and prevention systems
(HIDS/HIPS). And finally, of course, do not forget to have a security policy in place.
1.3.1 A New Look at Layered Network IT Security Infrastructure
Another school of thought in IT security is challenging the layered model. Its proponents claim that the
perimeter, for example, has become clogged with security products designed to shore it up. One strategy in
this segment aims to bolster perimeter security with fewer devices. They also identify the blurring of
corporate network boundaries as another issue affecting perimeter security. "De-perimeterization", a term
coined by the Jericho Forum, a technology consumer and vendor group based in San Francisco that explores
cross-sectional IT security, has caused some IT shops to revisit the perimeter. According to the Jericho
Forum, the traditional "firewalled" approach to securing a network boundary is at best flawed, and at worst
ineffective. In a fully de-perimeterized network, every component is independently secured, requiring
systems and data protection on multiple levels using a mixture of encryption, inherently secure protocols,
inherently secure computer systems, and data-level authentication.
Today, emerging de-perimeterized technology categories such as network access control (NAC) seek to
address the dissolving perimeter, giving organizations greater control over the myriad devices clamoring
for network resources. NAC products are tasked with checking the health of computing devices attempting
to enter the corporate network. The NAC market has exploded in the last year with no signs of slowing
down. Moreover, network access control has been portrayed by an increasingly desperate network security
market (growth is slowing and innovation is scarce) as the cure for everything, including partner
requirements such as PCI DSS. The reality is quite different. At first glance, post-connection NAC can
ensure that only authorized parties access front-end applications and only proper resources access
back-end databases. But given the way most applications are architected, NAC is not helping with customer
data protection. Why? Because there are few servers authorized to access the database, and those few
servers need to be able to do anything. For an attacker, the path of least resistance is to attack and
compromise an application. That means the data will be stolen by what is considered to be an "authorized"
party. NAC is not going to protect that customer data by itself.
In the new tiered network security architecture, the counterpart to NAC is the set of security layers that
let approved or authenticated users in. That is the realm of identity and access management systems, which
provide a mechanism for authenticating users and steering them toward the network resources appropriate
to their organizational roles. This field includes technologies that house information on user identity, and
access management products that may also enforce role-based policies permitting or restricting access to
specific networks, applications and data based on an employee's job specification. Some IT departments
aim to make the access task easier, via single sign-on (SSO), for users who may need multiple passwords
to sign on to different applications. For example, in some large corporations it is not uncommon for a
typical employee to use between six and 12 applications every day, mapping to an equivalent number of
passwords, while in some departments such as sales, personnel might end up dealing with 10 to 20
computer systems, with a consequent dramatic increase in the vulnerability of those systems. The ability to
provide an enterprise-level authorization solution, meanwhile, would help, for example, healthcare
personnel to maintain compliance with the patient data security requirements of the Health Insurance
Portability and Accountability Act (HIPAA), the SOX Act for business compliance, Canada's PIPEDA, and
so on.
With vulnerability management, covering both controlled devices and users' access, IT managers can tap an
array of software products and professional services that scour networks, servers and applications for
security gaps that external attackers or malicious insiders could exploit. Concerns over perimeter security
breaches and insider threats have intensified efforts to scour applications for security lapses. Penetration
testing and code scanning software are two approaches. A Compliance Management System (CMS), which
works through People, Process and Technology, is an example of such software, see Fig. 5.

Fig. 5 (image not reproduced) shows a CMS built on Roles/People, Processes, Applications and System
Management, fed by Compliance Tools and Security Tools, with baseline policies such as: "Password must be
8 characters long"; "Accounts not accessed in 90 days should be disabled"; "Access to critical database tables
should be monitored"; "System Administrators must attend security training annually"; "The backup process
must include offsite storage"; and "Scans for SQL injections should be performed".

Fig. 5: Compliance Management System (CMS) should not only provide an aggregation
of compliance events but baseline policies, standards and controls
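The baseline policies in Fig. 5 are only useful if something evaluates them against the live environment and turns each violation into a compliance event. The following is an added example, not code from the document or from any CMS product: a small rule engine in Python that checks three of the Fig. 5 policies (password length, 90-day inactivity, annual administrator training) against a constructed account inventory. The account records, the rule identifiers and the reference date are constructed for illustration.

```python
# Added example (not from the document or any CMS product): a small rule
# engine that evaluates baseline policies like those in Fig. 5 against an
# account inventory and emits compliance events. Account records, rule
# identifiers and the reference date are constructed for illustration.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional

# Constructed reference date ("today") so the example is reproducible offline.
TODAY = date(2008, 2, 2)


@dataclass
class Account:
    name: str
    password_length: int
    last_login: date
    role: str
    security_training: Optional[date]  # None = never attended


@dataclass
class Finding:
    rule: str     # constructed rule identifier
    subject: str  # account the finding applies to
    detail: str


def check_password_length(acct: Account, min_len: int = 8) -> Optional[Finding]:
    """Policy: password must be at least 8 characters long."""
    if acct.password_length < min_len:
        return Finding("PWD-MIN-LEN", acct.name,
                       f"password length {acct.password_length} is below {min_len}")
    return None


def check_inactive(acct: Account, max_idle_days: int = 90) -> Optional[Finding]:
    """Policy: accounts not accessed in 90 days should be disabled."""
    idle = (TODAY - acct.last_login).days
    if idle > max_idle_days:
        return Finding("ACCT-INACTIVE", acct.name,
                       f"not accessed for {idle} days; disable the account")
    return None


def check_admin_training(acct: Account, max_age_days: int = 365) -> Optional[Finding]:
    """Policy: system administrators must attend security training annually."""
    if acct.role != "sysadmin":
        return None
    if acct.security_training is None or (TODAY - acct.security_training).days > max_age_days:
        return Finding("ADMIN-TRAINING", acct.name, "annual security training is overdue")
    return None


RULES: List[Callable[[Account], Optional[Finding]]] = [
    check_password_length, check_inactive, check_admin_training]


def evaluate(accounts: List[Account]) -> List[Finding]:
    """Run every rule over every account; each hit becomes a compliance event."""
    findings: List[Finding] = []
    for acct in accounts:
        for rule in RULES:
            finding = rule(acct)
            if finding is not None:
                findings.append(finding)
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Aggregate events per rule, the view a CMS dashboard would report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample inventory.
SAMPLE_ACCOUNTS = [
    Account("alice", 12, TODAY - timedelta(days=3), "sysadmin", TODAY - timedelta(days=200)),
    Account("bob", 6, TODAY - timedelta(days=10), "sales", None),
    Account("carol", 10, TODAY - timedelta(days=120), "sales", None),
    Account("dave", 9, TODAY - timedelta(days=1), "sysadmin", TODAY - timedelta(days=400)),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_ACCOUNTS):
        print(f"{f.rule:15} {f.subject:8} {f.detail}")
    print(summarize(evaluate(SAMPLE_ACCOUNTS)))
```

Each rule is a plain function returning a finding or nothing, so adding a new baseline (offsite backups, SQL injection scan schedules) means adding one function to `RULES` rather than touching the evaluation loop; the per-rule summary is the aggregation view the caption of Fig. 5 refers to.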
Finally, security-minded organizations seek to pull the security layers together into a unified whole.
Interfaces within and among layers have begun to appear. The advent of security information and event
management (SIEM) systems promises to cull pertinent security data from a range of systems to provide a
comprehensive view of vulnerabilities and incidents. This mode of thinking has led large organizations to
start pushing vendors and technology towards a much more integrated system, i.e., "you don't need
layers of security; you need areas of security with integration."
In reaction to this mounting consolidation of perimeter defenses, some organizations have begun to
replace traditional, single-purpose devices with a hardware-software combination called a unified threat
management (UTM) appliance. The device combines the firewall typical of perimeter defenses with
intrusion prevention systems, anti-spam and antivirus software, and Web filtering. Implementing
UTM technology is expected to bring real benefits, e.g., consolidating specialized devices reduces
management complexity, which in turn reduces support and upgrade costs. On the negative side,
UTM is CPU intensive; for example, "Web and spam filtering are the two greatest consumers of
CPU and memory resources, and hence will definitely impact the hardware more than anything else."
Therefore, as a best practice, watch out for CPU-intensive functions such as Web filtering, and use
load balancing to achieve the best performance and prevent one appliance from becoming a single point of
failure.
1.3.2 The Menace of Enterprise Wireless Network
As more users demand portable devices such as personal digital assistants (PDAs) and smart phones,
companies face additional hidden costs while IT managers scramble to keep their wireless network
services secure and available, so as to conform to the bedrock of IT security, i.e., confidentiality, integrity and
availability (CIA), in relation to government compliance regulations and business partners' requirements.
Moreover, because today's business professionals and students in colleges and universities demand
anytime, anywhere wireless e-mail and Internet access, business owners are faced with a sometimes
overwhelming number of wireless coverage options and requirements.
And today, with the pervasive adoption of wireless networking, organizations are facing greater risks from
a wide variety of sources. Neighboring networks, rogue access points, personal devices and misconfigured
infrastructure are now exploit vectors through which corporate security can be compromised. Existing
enterprise firewalls and VPN security systems do not provide a defense against these wireless
threats. No longer is having a "No Wi-Fi" policy a guarantee that your organization has mitigated the risk
associated with wireless LANs. If you have a wireless LAN, the security capabilities built into your
wireless infrastructure may not provide enough protection.
There are two particular security challenges worth mentioning: the broadcast nature of wireless networks
and an initially weak encryption standard. Wireless networks transmit data to anyone in the broadcast area
who has the right equipment to tune in. This is a unique difference from wired networks and
poses security challenges that can expose an organization to significant transaction and reputation risks.
Managing the broadcast area involves controlling radio transmissions that can travel through walls,
windows, and doors. In addition, the initial encryption standard for protecting data transmissions, named
"Wired Equivalent Privacy" (WEP), has well-known weaknesses and vulnerabilities. Experts have cracked
the WEP standard, and tools are available to exploit WEP's vulnerabilities. As such, networks must
implement the alternative, Wi-Fi Protected Access (WPA). The combination of uncontrolled
broadcast areas and use of a weak encryption standard creates an environment in which unauthorized
access to systems and information can occur. This combination increases the importance of an effective
security program and the quality of risk management.
For a home wireless network it is sufficient to implement a 128-bit WEP key; however, for better security
always use WPA. For an enterprise-level network, wireless security issues can be remedied
by implementing user policies and procedures. Implementing effective policies and procedures for
wireless network installations and their usage reinforces the importance of system security. Wireless
policies usually restrict employees from establishing their own wireless networks without prior approval,
since wireless access points are relatively easy to install. Unauthorized wireless networks may present
significant risks to the security and integrity of enterprise networks, especially in financial
institutions or at credit card handling points of sale. In addition, effective policies and procedures should
encourage employees using approved wireless networks to report unusual activities.
In a network compromise scenario, what is the only must-have for a successful attack? Access. Any security
expert or penetration tester will tell you that once an attacker gets into a network, subverting IT is just a matter of
time. To make matters worse, once someone gains access to the remote or private network and obtains a
valid IP address, the intruder could appear, at least from a network perspective, to be an authorized
corporate user. Unless you have network access controls or core firewalling in place, the attacker may
well gain access to all local and WAN-connected corporate assets via branch-office connections. This is
one reason wireless is such a boon to attackers: network access is no longer confined to the physical
building in this era of on-demand anytime/anywhere network access. Moreover, with the advent of
enterprise-class 802.11n systems, the remote WLAN equation becomes even more complex, with added
known and unknown risks. The upside is that 802.11n will greatly increase the throughput of each
AP radio while enhancing IT's ability to identify rogue devices. The downside, beside the enormous cost
premium that 11n gear commands, is that it will be even easier to saturate available WAN bandwidth.
Security methods such as wireless encryption keep private data private, but the most critical measure is
authenticating systems and users before granting access to the wireless LAN (WLAN). The same holds for
wired networks. While companies stressed over WEP's weaknesses, they were letting contractors,
consultants, and other guests onto their networks with nary a passing thought.
Enter in-band network access control. Installed between access-layer switches and distribution or core
switches, in-band NAC creates a choke point in the network; only systems that pass muster can enter, see
Fig. 5a. This is more than a binary grant/deny decision. In-band NAC appliances granularly
regulate access to network servers and services. That is a powerful tool for mitigating the problem of
wide-open entry rights that plagues authentication-only access control systems.

Fig. 5a: General policy processing for computers and users accessing Wi-Fi networks.
Seamless roaming is SerengetiSys Labs' vision: giving Serengeti wireless users an uninterrupted
connection to the Internet and enterprise networks as they move through their business day. Moreover,
today more incoming students are arriving on their respective campuses worldwide with at least one
mobile device: cellular phone, VoIP phone, laptop or Personal Digital Assistant (PDA). And for many
businesses, mobile devices have become a fact of life. The "anytime, anywhere" access to business needs,
family, friends and resources provided by mobile devices has become essential to their lives and their way
of operating in a world of incredible technological change.
1.4 Risk Domains Model
So how can IT professionals maintain the freedom of information flow while at the same time
protecting data integrity from access by unauthorized entities? The current thinking is to divide
the IT network infrastructure into a Risk Domains model, depicted by overlaying the inter-networks and the
interrelationships that can exist among them, as shown in Fig. 6.




Fig. 6 Risk Domains Model


The first step in analyzing a risk management plan using the Risk Domains model is to review all
network infrastructure architecture documentation and determine where the attack surfaces reside, by
seeking to answer the following questions.
• Is the vulnerability internal to the corporate trusted infrastructure?
• Is it in the corporate DMZ?
• Does it reside in the public network (the Internet)?
• Is it located at an enterprise's location, or in some combination of all of these?

Using Figs. 4 and 6 we can easily identify where the possible risk areas are located. For example, a vulnerability
that resides in the DMZ is deemed to be at greater risk than the same vulnerability located in a private
trusted network.

The beauty of the Risk Domains model is that it can be used to determine where the primary attack
surfaces reside, as well as the source of the attacks, any secondary attack surfaces, and which domains
might be affected by secondary attacks. In the case of the Code Red virus, for example, the Risk Exposure
(RE) was deemed to be only medium-to-low, but the secondary impact on the IP network was high. To
understand the relationship between the domains and the cause and effect an attack can have, it may be
necessary to break a single vulnerability into multiple scenarios and model each one separately in order to
understand the full impact.
1.5 Dealing or Not Dealing With Risks
There are four major ways to deal with risk, which we will elaborate on later: (i) avoid the risk; (ii) transfer the
risk (insurance); (iii) mitigate or reduce the risk; and (iv) accept the risk as it is, including, of course, the residual
risk. Not taking the time to identify risks has potential consequences such as: significant monetary
loss due to attacks; regulatory penalties; civil penalties (class action lawsuits by victims, as in the case of
TJ Maxx and Winners, and of course the famous Enron saga); damage to reputation; intellectual property
loss; compromised customer privacy; physical loss; and loss of life in critical infrastructures
(transportation, health care, government, utilities).
1.6 Information Security Risk Strategies
As mentioned above, ever-evolving cyber use, coupled with Internet users' changing habits and their demand
for unhindered yet secure access to network data anywhere and anytime, means that the risk to IT information
security is changing as well, leading to real and nightmarish challenges for network information providers
through the following requirements:
• Information & System Availability
• Complex Environments
• Connectivity Requirements (Work From Anywhere/Anytime)
• Fast Paced Growth (Acquisitions)
• Regulation Requirements
• Backup and data recovery
• Business change management and business continuity strategy
• Transitioning from Reactive to Proactive Practices
• Limited Resources (Biggest Challenge)
To help alleviate the above challenges, the main goal of the IT security professional is therefore to
reduce risk, reduce cost, and reduce the complexity of network access. The current thinking, and a much more
realistic strategy that is gaining the support of the major IT sector players, is to model information security risk
management in terms of network components with different security-level access policies and a
matching security administrator for each, as shown in Fig. 7. This allows IT security risk management to be
modeled via a simple pyramid risk management model, see Fig. 8.
Role-based ID management, as depicted in Fig. 7, has great advantages in securing an enterprise network.
Today, security and privacy issues are increasing considerably with each passing day, not to mention
the crosswinds coming from stricter regulatory environments, as well as an understanding that each new
technological enablement introduces the potential both for increased risk and for enhanced security.
This is where role-based ID management comes into play, as it can offer organizations an umbrella
approach to securing their entire network infrastructure.

Fig. 7 (image not reproduced) layers the network as Internet, Perimeter, Network, Server/Application, LAN and
Storage, and places the components Firewall, VPN, Authentication, Intrusion Prevention, Whitelisting, Identity
Management, Access Control, Application Security, Basic Security, Physical Security, Storage network, Storage
array, Storage tape and Workflow provisioning against them, with the matching administrators: System Admin,
Security Officer, Security Auditor and Recovery Officer.

Fig 7: Network Security components required to protect LAN against attacks on stored/dynamic information


Fig. 8 (image not reproduced) lists the pyramid's layers as: Policies, Procedure, Standards and Leadership
Support; Assessments and Risk Management; Host, Application and Database Protection; Perimeter Protection;
and Access Control; alongside Managing, Monitoring, Mitigation, Auditing and Incident Response.

Fig. 8 The pyramid model for IT security risk management

The IT security risk management pyramid model depicted in Fig. 8 represents a holistic, integrated
approach to security. It represents the key building blocks of a strong information security posture, as
developed by SerengetiSys Labs, a technique that closely follows similar layered models,
much like Maslow's Hierarchy of Needs or the USDA's Food Pyramid.
1.7 Terms and Definitions
In this section we are going to define some of the commonly used terms in Information security and risk
management strategy.

1.7.0 The Components of an Attack
The components of an attack are:
• Asset
• Threat agent (source)
• Threat
• Vulnerability (weakness)
• Countermeasure

1.7.1 What is an Asset?
An asset is anything in your organization's environment that might require some level of protection, e.g.,
software, hardware and facilities. It can also include data, people (the core primary asset), and information. In
this respect, a key aspect of security risk management is to determine the value of each primary asset in
your organization and how it relates to the others in your environment.

1.7.2 What is a Threat?
A threat is the method of attack, while a threat agent is the individual, thing, or place responsible for the
attack. Threats can originate from four primary sources: (i) malicious attackers, (ii) non-malicious
attackers, (iii) mechanical failures and (iv) catastrophic events.

1.7.3 What is a Threat Agent (source)?
A threat agent (source) can be a person, place, or thing that has the potential to access resources without
proper authorization and cause harm. For example, if Eddy tries to guess your password using a password-
guessing tool, then he is a malicious threat agent, and the act of password guessing is the threat. Alternatively, a
farmer who accidentally damages an underground cable is an example of a non-malicious threat agent.
1.7.4 What is Vulnerability (or Weakness)?
A vulnerability, often called a weakness or a security compromise, is an opportunity for an attacker to
launch a successful attack. In other words, it is a point at which an asset is susceptible to a threat. It can
originate from technology, people, or processes. However, in most cases vulnerabilities are viewed as
technological flaws in the implementation of software or hardware, or in the way a system is designed.
Poorly designed and poorly communicated organizational policies and procedures are also a cause of
vulnerabilities. Vulnerabilities can also arise from weak points or loopholes in the network security
configuration that a malicious attacker can exploit to gain access to the network or resources on the
network. Note: a vulnerability is not the attack itself, but rather the exploitable weak point in the
system or network.

1.7.5 What is a Compromise?
A compromise is defined as a successful attack; therefore, as a security designer you must strive to prevent
compromises. It is important to note also that preventing every vulnerability is not your ultimate goal as an
information security professional; rather, you must always seek to mitigate, or reduce the effect of,
vulnerabilities so as to reduce the risk of a compromise. Alternatively, you might choose to address the threat or
threat agent directly to reduce the risk of a compromise; in this case too, the compromise is the problem.

In security lingo, if a threat attacks you but does not penetrate your defenses, you should say that you
were attacked. However, if the threat successfully penetrated your defenses, then you should say that you
were compromised.
1.7.6 What is a Countermeasure?
A countermeasure, or safeguard, is a preventive measure put in place to reduce the likelihood of a
compromise by making it more difficult for a threat to take advantage of a vulnerability. In other words,
countermeasures help to mitigate the risk of an asset being compromised.

However, it is important to note that countermeasures are mainly designed to eliminate a vulnerability or
reduce the risk of a threat exploiting a vulnerability in a computer environment. Examples of
countermeasures (see also Fig. 5) include:
• strong password management, or a security guard
• access control mechanisms within an OS
• the implementation of BIOS passwords
• security awareness training
• pre-testing of software and hardware updates, as they always carry some level of risk
• blocking unwanted traffic using ICF, an IDS, NIDS or HIDS

It is also important to note that countermeasures never eliminate risk; they only reduce it. Firewalls and
software updates are examples of preventive countermeasures, that is, they are designed to prevent a
threat from exploiting a vulnerability.

However, it is also important to note that it is impossible to prevent all compromises; therefore you will also
need to implement detective and reactive countermeasures, e.g., an IDS, which can detect an attack and
alert you, or even return fire. Reactive countermeasures like an IDS are today also used after a compromise
has occurred, for forensic purposes. Data backups are one of the most important reactive countermeasures
against catastrophic database server failures. Similarly, disaster recovery and business continuity plans are
reactive countermeasures to catastrophic events. Antivirus is another crucial countermeasure against virus
attacks.
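A detective countermeasure is only as good as the logic behind its alerts. The following is an added example, not code from the document or from any IDS product: a Python detector for the password-guessing threat described in 1.7.3, which parses constructed sshd-style log lines, counts failed logins per source address in a sliding time window, and raises one alert per source once a threshold is crossed. The log lines, the threshold of five failures and the two-minute window are constructed or assumed values.

```python
# Added example (not from the document or any IDS product): a detective
# countermeasure for the password-guessing threat in 1.7.3. It parses
# constructed sshd-style log lines, counts failed logins per source address
# in a sliding time window, and raises an alert once a threshold is crossed.
# Log lines, threshold and window size are constructed/assumed values.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, Iterator, List, Tuple

# Matches only failed-login records; "Accepted password" lines do not match.
FAILED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+)")

# Constructed sample log: one source hammering root/admin, one legitimate user
# mistyping a password twice, five minutes apart.
SAMPLE_LOG = """\
2008-02-02 09:00:01 sshd[1201]: Failed password for root from 10.0.0.7 port 5123 ssh2
2008-02-02 09:00:03 sshd[1202]: Failed password for root from 10.0.0.7 port 5124 ssh2
2008-02-02 09:00:05 sshd[1203]: Failed password for invalid user admin from 10.0.0.7 port 5125 ssh2
2008-02-02 09:00:07 sshd[1204]: Accepted password for eddy from 192.168.1.20 port 40122 ssh2
2008-02-02 09:00:09 sshd[1205]: Failed password for root from 10.0.0.7 port 5126 ssh2
2008-02-02 09:00:11 sshd[1206]: Failed password for carol from 192.168.1.20 port 40130 ssh2
2008-02-02 09:00:12 sshd[1207]: Failed password for root from 10.0.0.7 port 5127 ssh2
2008-02-02 09:00:14 sshd[1208]: Failed password for root from 10.0.0.7 port 5128 ssh2
2008-02-02 09:05:00 sshd[1209]: Failed password for carol from 192.168.1.20 port 40131 ssh2
"""


def parse_failures(lines: Iterable[str]) -> Iterator[Tuple[datetime, str, str]]:
    """Yield (timestamp, user, source) for each failed-login line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3)


def detect_password_guessing(lines: Iterable[str], threshold: int = 5,
                             window: timedelta = timedelta(minutes=2)) -> List[Dict]:
    """Alert once per source when failures within `window` reach `threshold`."""
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: List[Dict] = []
    alerted = set()
    for ts, user, src in parse_failures(lines):
        q = recent[src]
        q.append((ts, user))
        # Drop failures that fell out of the window (log is in time order).
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "first": q[0][0], "last": ts,
                           "count": len(q), "users": {u for _, u in q}})
    return alerts


if __name__ == "__main__":
    for a in detect_password_guessing(SAMPLE_LOG.splitlines()):
        print(f"ALERT {a['src']}: {a['count']} failures between {a['first']} "
              f"and {a['last']}, users tried {sorted(a['users'])}")
```

Two of the design choices matter in practice: the window is evaluated per source so a legitimate user's occasional typo never accumulates across an hour, and the detector alerts once per source rather than on every further failure, which keeps the alert volume reviewable when the log files are used later for forensic purposes.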
At times a poorly placed countermeasure can itself introduce a vulnerability. For example, think
about a safeguard protecting a web server that is managed via a web interface on the web server
itself. Although the safeguard protects all the web applications on the web server perfectly, it opens up
a new risk: a weak authentication mechanism for the management interface located on the same
machine as the web applications themselves.
The current enterprise network defense model is unified threat management: a UTM appliance
combines a firewall with IDS, antivirus and anti-spam, and Web filtering solutions, see Fig. 9. A more
advanced route to this unified view is a suite of security tools from a single vendor, designed to work with a
single console, but with the capability to support third-party security products and to correlate
data from multiple vendors' security products. For example, Cisco touts the concept of a "self-defending
network" with security provisions built into hardware. Its Monitoring, Analysis and Response System
(MARS) pulls together information from multiple devices. When properly configured and appropriately
implemented, Cisco Security MARS can empower you to locate, manage, and eliminate threats in real
time without adding more IT staff or outside resources. MARS also enables you to extend it far beyond its
basic capabilities to:
• Create a comprehensive, cost-effective, and easy-to-use security command and control solution
• Collect and analyze data from every device on your network, including third-party technologies
• Resolve and prioritize security threats
• Revolutionize your anomaly detection capabilities by capturing and analyzing NetFlow
• Provide quick and easy audit compliance reports

Fig. 9 (image not reproduced) maps PCI compliance requirements to the technologies that address them, with
both sides feeding into Reports. Requirements shown: install and maintain a firewall configuration to protect
data; do not use vendor-supplied defaults for system passwords and other security parameters; protect stored
data; encrypt transmission of cardholder data and sensitive information across public networks; use and
regularly update anti-virus software; develop and maintain secure systems and applications; restrict access to
data by business need-to-know; assign a unique ID to each person with computer access; restrict physical
access to cardholder data; track and monitor all access to network resources and cardholder data; regularly
test security systems and processes; and maintain a policy that addresses information security. Technologies
shown: Verisign, Netegrity, encryption, SAP, Virsa, ConfigureSoft, PeopleSoft, UTM, BladeLogic, ArcSight,
eSecurity, native operating system, database, Web 2.0, NetIQ SCM, Trend Micro AV, Symantec AV, McAfee
AV, firewalls, HP OpenView, Remedy, TriCipher, MS SMS, Altiris, Nessus and FoundScan.

Fig. 9: Mapping risk and vulnerability management to PCI compliance.
The next pertinent question is: with advanced, integrated, multiple security tools and countermeasures in place,
how do you determine what is working and what is not? And how do you justify the expenditure by
showing that every tool in your arsenal is doing its job? One part of the answer is to
have clear goals and documented criteria for selecting tools. Beyond that, there is one very good indicator
of whether your security system is working: whether your systems get broken into or not. The question is,
"Was I impacted when my peers and colleagues were?" Monitoring the alerts the various tools generate is
another good way to see how many problems the integrated security tools are preventing, and log files are
invaluable for this purpose.
Figure 10 shows how the components discussed above fit together. For example, a threat agent gives rise to
a threat that exploits a vulnerability; the attack then leads to a potential security compromise, and hence
damage to the asset by degrading its confidentiality, integrity, or availability.
Fig. 10 (image not reproduced) shows three kinds of threat agent (non-malicious threat agent, malicious
threat agent, catastrophic incident), each with its motives and goals and its tools, techniques and methods,
giving rise to threats. The threats meet vulnerabilities and result in compromises of assets. The figure is
annotated "No security controls or policies", "Weak security policies may let an attack through", "Good
security practices can prevent certain attacks" and "Security Controls and Policies".

Fig. 10 Fitting threats, exposures, vulnerabilities, countermeasures, and assets
together when a compromise occurs.


1.7.7 Confidentiality, Integrity, and Availability
The ability of a security analyst to estimate risk is an important precursor to determining risk management
alternatives. Where a risk reduction approach is chosen, the analyst must understand the tenets of
Confidentiality, Integrity, and Availability.

Confidentiality: The spirit of the confidentiality tenet revolves around protecting a system, and ultimately
the organization, from exposing information to unauthorized individuals. This may be information ranging
from business strategies and competitive secrets to personal information about employees or customers, or other
sensitive information. This is done by ensuring every system user can be identified. This cannot be
underscored enough. "A crucial aspect of confidentiality is user identification and authentication. Positive
identification of each user is essential to ensuring the effectiveness of policies that specify who is allowed
access to which data items."

Integrity: Once the tenet of confidentiality is addressed, the tenet of integrity may be addressed.
Understanding this tenet allows the security analyst to emphasize the importance of accurate data.
Without accurate data, the system at best cannot provide direction for its business partners; at worst, the
system may lead business partners or the organization to make poor decisions. Therefore, "Integrity is
the protection of system data from intentional or accidental unauthorized changes." While identification
and authentication were paramount with respect to confidentiality, integrity focuses on what the
authenticated principal is authorized to do.

Availability: The final tenet in the CIA model is Availability. This tenet is present to remind the security
analyst that no system adds value when users cannot access its resources. A system must be able to ensure
it can deliver information to business partners on demand.
1.7.8 What is Risk?
Risk should be viewed as a combination of threat, vulnerability, and asset value.
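The definition above, together with the Risk Domains observation in 1.4 that the same vulnerability is a greater risk in the DMZ than in the trusted network, is enough to build a simple scoring scheme. The following is an added example, not from the document or from SerengetiSys Labs: a Python scorer that combines threat likelihood, vulnerability severity and asset value on 1..5 scales, weights the product by the Risk Domain the asset sits in, and ranks scenarios for a Security Action Plan. It also carries through the 1.4 advice to split one vulnerability into several scenarios, using a Code Red-like worm whose direct exposure is modest but whose secondary network impact is large. The scales, the domain exposure multipliers, the rating bands and the sample scenarios are assumptions chosen for illustration.

```python
# Added example (not from the document): scoring risk as the combination of
# threat, vulnerability and asset value from 1.7.8, weighted by the Risk
# Domain in which the vulnerable asset sits (1.4). The 1..5 scales, the
# domain exposure multipliers and the rating bands are assumptions chosen
# for illustration; a real program would calibrate them to its own data.
from dataclasses import dataclass
from typing import Dict, List

# Exposure multiplier per Risk Domain (assumption): the same weakness counts
# for more in the DMZ than behind the trusted perimeter.
DOMAIN_EXPOSURE: Dict[str, float] = {
    "internet": 1.0,
    "dmz": 0.8,
    "remote_site": 0.6,
    "trusted": 0.4,
}


@dataclass
class Scenario:
    """One way a vulnerability could be exploited. A single vulnerability may
    need several scenarios, e.g. direct exposure vs. secondary impact."""
    name: str
    asset: str
    domain: str
    asset_value: int        # 1 (negligible) .. 5 (critical)
    threat_likelihood: int  # 1 (rare) .. 5 (expected)
    vuln_severity: int      # 1 (hard to exploit, minor) .. 5 (trivial, total)


def _check_scale(value: int, label: str) -> None:
    if not 1 <= value <= 5:
        raise ValueError(f"{label} must be in 1..5, got {value}")


def risk_score(s: Scenario) -> float:
    """Risk = threat x vulnerability x asset value, scaled by domain exposure."""
    _check_scale(s.asset_value, "asset_value")
    _check_scale(s.threat_likelihood, "threat_likelihood")
    _check_scale(s.vuln_severity, "vuln_severity")
    if s.domain not in DOMAIN_EXPOSURE:
        raise ValueError(f"unknown risk domain: {s.domain}")
    return s.threat_likelihood * s.vuln_severity * s.asset_value * DOMAIN_EXPOSURE[s.domain]


def risk_rating(score: float) -> str:
    """Map a score (maximum 125) to a qualitative band (bands are an assumption)."""
    if score >= 50:
        return "high"
    if score >= 20:
        return "medium"
    return "low"


def worst_case(scenarios: List[Scenario]) -> Scenario:
    """For a vulnerability modelled as several scenarios, the highest-scoring
    scenario drives the rating (the Code Red case: low direct exposure, high
    secondary impact on the IP network)."""
    return max(scenarios, key=risk_score)


def rank(scenarios: List[Scenario]) -> List[Scenario]:
    """Order scenarios for the Security Action Plan, highest risk first."""
    return sorted(scenarios, key=risk_score, reverse=True)


# Constructed scenarios: the same web server weakness in two domains, plus a
# worm whose direct exposure is modest but whose secondary impact is large.
SAMPLE = [
    Scenario("web flaw, DMZ host", "www-dmz", "dmz", 4, 4, 4),
    Scenario("web flaw, intranet host", "www-int", "trusted", 4, 4, 4),
    Scenario("worm, direct infection", "iis-dmz", "dmz", 2, 3, 3),
    Scenario("worm, scan traffic floods WAN", "core-routers", "trusted", 5, 5, 5),
]

if __name__ == "__main__":
    for s in rank(SAMPLE):
        score = risk_score(s)
        print(f"{score:6.1f} {risk_rating(score):6} {s.name}")
```

With these assumed weights the identical web flaw scores 51.2 (high) in the DMZ but 25.6 (medium) on the trusted network, which is exactly the distinction 1.4 draws, and the worm's secondary scenario outranks its direct-infection scenario, so the worst case rather than the first-noticed case sets the priority.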
1.8 Developing Methodology for Analyzing Security Risk
Identifying the best ways to reduce security risk is complicated, especially in large organizations.
Fortunately, you can use the security risk management process to identify the most efficient way to
improve an organization's security. The project manager has the extremely important task of creating the
project schedule and later assembling the Security Risk Management Team (SMRT) to complete the
risk management process, which is accomplished via three phases of the SMRT process: Assessment,
Implementation and Operations, as depicted in Fig. 11.

• Phase 1: Assessment
o Step 1: Inventory security policies
o Step 2: Assess assets
o Step 3: Assess threats
o Step 4: Assess risks
o Step 5: Create a Security Action Plan
• Phase 2: Implementation
o Step 1: Develop countermeasures
o Step 2: Test countermeasures
o Step 3: Implement countermeasures
• Phase 3: Operations
o Step 1: Maintain security
o Step 2: Respond to incidents
o Step 3: Assess new risks
o Step 4: Deploy new countermeasures

Fig. 11: The security risk management process to optimize your organization's security
1.8.1 Assessment Phase
The assessment phase involves gathering relevant information from the company's environment to perform a
security assessment. In this phase, you first must gather existing security policies and assess the importance
of each of the company's assets. Next you must determine which threats are likely to attack those assets, and
finally you create a "Security Action Plan" that identifies countermeasures to reduce risk in the
implementation phase.


1.8.2 Implementation
The implementation phase focuses on developing, testing, and deploying the countermeasures identified in the
Security Action Plan. In this phase you also assemble an incident response team and draft security
policies. “Here, a security policy defines a guideline or directive that indicates a concise decision to
follow a path towards a specific objective.” For example, security policies may institute or empower
resources, or direct action by providing procedures or actions to be carried out in the event a compromise
occurs.
1.8.3 Operations
The operations phase involves making modifications and updates to your environment as needed to keep it
secure. Contingency plans are carried out as needed during this phase. You also need to deploy auditing and
monitoring to keep the infrastructure intact and secure. Because network infrastructure, threats and
vulnerabilities change regularly, the operations phase is ongoing.
1.7 Example: The Four Phases of the Microsoft Security Risk Management Process
According to the Microsoft security risk management strategy, risk management is defined as an ongoing
process with four primary phases:
1. Assessing Risk: Identify and prioritize risks to the business.
2. Conducting Decision Support. Identify and evaluate control solutions based on a defined cost-
benefit analysis process.
3. Implementing Controls. Deploy and operate control solutions to reduce risk to the business.
4. Measuring Program Effectiveness. Analyze the risk management process for effectiveness and
verify that controls are providing the expected degree of protection.
Before defining specific practices within the Microsoft security risk management process, however, it is
important to understand the larger risk management process and its components. Each phase of the cycle
contains multiple, detailed steps. The following list outlines each step to help you understand the
importance of each one in the guide as a whole:
• Assessing Risk phase
o Plan data gathering. Discuss keys to success and preparation guidance
o Gather risk data. Outline the data collection process and analysis
o Prioritize risks. Outline prescriptive steps to qualify and quantify risks
• Conducting Decision Support phase
o Define functional requirements. Define functional requirements to mitigate risks
o Select possible control solutions. Outline the approach to identify mitigation solutions
o Review solution. Evaluate proposed controls against functional requirements
o Estimate solution cost. Evaluate direct and indirect costs associated with mitigation
o Select mitigation strategy. Complete the cost-benefit analysis to identify the most cost-
effective mitigation solution
• Implementing Controls phase
o Seek holistic approach. Incorporate people, process, and technology in the mitigation solution
o Organize by defense-in-depth. Organize mitigation solutions across the business
• Measuring Program Effectiveness phase
o Develop risk scorecard. Understand risk posture and progress
o Measure program effectiveness. Evaluate the risk management program for opportunities to
improve
Figure 12 illustrates each phase and its associated steps.


Fig. 11: The Microsoft Security Risk Management Process
1.9 Risk Management vs. Risk Assessment
The terms risk management and risk assessment are not interchangeable. For example, the Microsoft
security risk management process defines risk management as the overall process to manage risk to an
acceptable level across the business. Risk assessment is defined as the process to identify and prioritize
risks to the business. As outlined in the Fig. 11, risk management is comprised of four primary phases:
Assessing Risk, Conducting Decision Support, Implementing Controls, and Measuring Program
Effectiveness. Risk assessment, in the context of the Microsoft security risk management process, refers
only to the Assessing Risk phase within the larger risk management cycle.
Another distinction between risk management and risk assessment is the frequency of initiation of each
process. Risk management is defined as an ongoing cycle, but it is typically re-started at regular intervals
to refresh the data in each stage of the management process. The risk management process is normally
aligned with an organization's fiscal accounting cycle to align budget requests for controls with normal
business processes. An annual interval is most common for the risk management process to align new
control solutions with annual budgeting cycles.
Although risk assessment is a required, discrete phase of the risk management process, the Information
Security Group may conduct multiple risk assessments independent of the current risk management phase
or budgeting cycle. The Information Security Group may initiate them anytime a potentially security-
related change occurs within the business, such as the introduction of new business practices, or
discovered vulnerabilities or changes to the infrastructure. These frequent risk assessments are often
referred to as ad-hoc risk assessments, or limited scope risk assessments, and should be viewed as
complementary to the formal risk management process. Ad-hoc assessments usually focus on one area of
risk within the business and do not require the same amount of resources as the risk management process
as a whole; see Table 1 for a comparison of risk management versus risk assessment.
Table 1: Risk Management vs. Risk Assessment

               Risk Management                           Risk Assessment
Goal           Manage risks across business to           Identify and prioritize risks
               acceptable level
Cycle          Overall program across all four phases    Single phase of risk management program
Schedule       Ongoing                                   As needed
Alignment      Aligned with budgeting cycles             N/A

2.0 INFORMATION SECURITY RISK MANAGEMENT
Today, there are many tools and techniques available for managing organizational risks relating to
information security systems. There are even a number of tools and techniques that focus on managing risks
to information systems. This document explores the issue of risk management with respect to information
systems and seeks to answer the following questions:
• What is risk with respect to information systems?
• Why is it important to understand risk?
• How is risk assessed?
• How is risk managed?
• What are some common risk assessment/management methodologies and tools?
2.1 What is Risk with Respect to Information Systems?
Risk is the potential harm that may arise from some current process or from some future event ranging
from known-unknowns to unknown-unknowns. Risk is present in every aspect of our lives and many
different disciplines focus on risk as it applies to them. From the IT security perspective, risk
management is the process of understanding and responding to factors that may lead to a failure in the
confidentiality, integrity or availability of an information system. IT security risk is the harm to a process or
the related information resulting from some purposeful or accidental event that negatively or
positively impacts the process or the related information.
Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability,
and the resulting impact of that adverse event on the organization asset, which in general can be defined
as:

    Risk (to effort, organization, or object) = Threat × Vulnerability (of the threat) × Impact (asset value)
More definitively, we can define risk in terms of monetary value as follows (cf. E = mc^2):

    Risk = $ I^2

Where I is the impact, and $ defines the dollar value associated with the level of impact brought about by
the compromise.
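The Threat × Vulnerability × Impact relation above is most often applied on ordinal scales, and its output is the
“prioritized list of risks classified as high, moderate, or low” that the qualitative risk analysis task delivers
(Table 3). The following is an added example, not code from the original document: each factor is rated 1 (low) to
3 (high), the product is bucketed into high/moderate/low, and the register is sorted so the highest-scoring risks
surface first. The rating scales, the bucket boundaries, the RiskItem fields and the sample register are all
constructed assumptions; the threat classes in the sample are taken from Table 2.

```python
"""Qualitative risk scoring on ordinal scales (added example, not from the
original document). Applies Risk = Threat x Vulnerability x Impact with each
factor rated 1..3 and buckets the product into high / moderate / low.
Scales, bucket boundaries, field names and sample data are assumptions."""
from dataclasses import dataclass

LOW, MODERATE, HIGH = 1, 2, 3   # ordinal rating for each factor (assumed scale)
MAX_SCORE = HIGH ** 3           # 27: every factor rated high


@dataclass(frozen=True)
class RiskItem:
    asset: str
    threat_source: str
    threat: int         # likelihood that the threat-source acts, 1..3
    vulnerability: int  # how exposed / exploitable the weakness is, 1..3
    impact: int         # harm to the asset if the vulnerability is exercised, 1..3


def risk_score(r: RiskItem) -> int:
    """Risk = Threat x Vulnerability x Impact on the 1..3 scales (range 1..27)."""
    for factor in (r.threat, r.vulnerability, r.impact):
        if not LOW <= factor <= HIGH:
            raise ValueError(f"factor ratings must be 1..3, got {factor}")
    return r.threat * r.vulnerability * r.impact


def classify(score: int) -> str:
    """Bucket a score into the high / moderate / low classes (assumed boundaries:
    12..27 high, 4..11 moderate, 1..3 low)."""
    if score >= 12:
        return "high"
    if score >= 4:
        return "moderate"
    return "low"


def prioritize(register: list[RiskItem]) -> list[tuple[str, int, RiskItem]]:
    """Prioritized risk list: highest score first; ties are broken by impact so
    the most damaging outcomes come first, then by asset name for stability."""
    scored = [(classify(risk_score(r)), risk_score(r), r) for r in register]
    return sorted(scored, key=lambda t: (-t[1], -t[2].impact, t[2].asset))


# Constructed sample register (threat classes borrowed from Table 2).
SAMPLE_REGISTER = [
    RiskItem("order-fulfillment database", "intentional alteration of data",
             threat=HIGH, vulnerability=MODERATE, impact=HIGH),        # 18 -> high
    RiskItem("helpdesk password-reset process", "accidental disclosure",
             threat=MODERATE, vulnerability=HIGH, impact=MODERATE),    # 12 -> high
    RiskItem("office network link", "telecommunication malfunction",
             threat=MODERATE, vulnerability=MODERATE, impact=LOW),     # 4 -> moderate
    RiskItem("archived reports", "accidental disclosure",
             threat=LOW, vulnerability=LOW, impact=MODERATE),          # 2 -> low
]

if __name__ == "__main__":
    for cls, score, item in prioritize(SAMPLE_REGISTER):
        print(f"{cls:8s} {score:2d}/{MAX_SCORE}  {item.asset} ({item.threat_source})")
```

The ordering rule matters more than the exact boundaries: two risks with the same product are not equivalent to the
business, so the tie-break on impact keeps the outcome that would hurt most at the top of the list handed to the
decision phase.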
2.2 Threats
One of the most widely used definitions of threat and threat-source can be found in the National Institute of
Standards and Technology’s (NIST) Special Publication (SP) 800-30, Risk Management Guide for
Information Technology Systems. NIST SP 800-30 provides the following definitions.
The threat is merely the potential for the exercise of a particular vulnerability. Threats in
themselves are not actions. Threats must be coupled with threat-sources to become dangerous. This is
an important distinction when assessing and managing risks, since each threat-source may be associated
with a different likelihood, which, as will be demonstrated, affects risk assessment and risk management.
It is often expedient to incorporate threat sources into threats. The list in Table 2 shows some (but not
all) of the possible threats to information systems.
Table 2: Partial list of Threats with Threat Sources taken into consideration

Threat (including threat source) and description:

Accidental Disclosure: The unauthorized or accidental release of classified, personal, or sensitive
information.

Acts of Nature: All types of natural occurrences (e.g., earthquakes, hurricanes, tornadoes) that may
damage or affect the system/application. Any of these potential threats could lead to a partial or total
outage, thus affecting availability.

Alteration of Software: An intentional modification, insertion, deletion of operating system or application
system programs, whether by an authorized user or not, which compromises the confidentiality,
availability, or integrity of data, programs, system, or resources controlled by the system. This includes
malicious code, such as logic bombs, Trojan horses, trapdoors, and viruses.

Bandwidth Usage: The accidental or intentional use of communications bandwidth for other than intended
purposes.

Electrical Interference/Disruption: An interference or fluctuation may occur as the result of a commercial
power failure. This may cause denial of service to authorized users (failure) or a modification of data
(fluctuation).

Intentional Alteration of Data: An intentional modification, insertion, or deletion of data, whether by an
authorized user or not, which compromises confidentiality, availability, or integrity of the data produced,
processed, controlled, or stored by data processing systems.

System Configuration Error (Accidental): An accidental configuration error during the initial installation or
upgrade of hardware, software, communication equipment or operational environment.

Telecommunication Malfunction/Interruption: Any communications link, unit or component failure sufficient
to cause interruptions in the data transfer via telecommunications between computer terminals, remote or
distributed processors, and host computing facility.
2.3 Vulnerabilities
Recall that vulnerability can arise as a result of a flaw or weakness in system security procedures, design,
implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited)
and result in a security breach or a violation of the system’s security policy [4], i.e., vulnerability can be a
flaw or weakness in any aspect of the system.
Significant vulnerabilities are often contained in the standard operating procedures that systems administrators
perform, such as the process that the helpdesk uses to reset passwords, or in inadequate log review. Another area
where vulnerabilities may be identified is at the policy level. For instance, a lack of a clearly defined security
testing policy may be directly responsible for the lack of vulnerability scanning.
Here are a few examples of vulnerabilities related to contingency planning/disaster recovery in
information security:
• Not having clearly defined contingency directives and procedures
• Lack of a clearly defined, tested contingency plan
• The absence of adequate formal contingency training
• Lack of information (data and operating system) backups, and software patch management
• Inadequate information system recovery procedures, for all processing areas (including networks)
• Not having alternate off-site processing or storage sites
• Not having alternate communication services
3 WHY IS IT IMPORTANT TO MANAGE RISK?
The principal reason for managing risk in an organization is to protect the mission-critical assets of the
organization. Therefore, risk management must be a management function rather than a technical function.
It is, therefore, vital for security admins and auditors to manage risks to systems. Understanding risk, and in
particular the specific risks to a system, allows the system owner to protect the information system
commensurate with its value to the organization. The fact is that all organizations have limited resources and
risk can never be reduced to zero. So, understanding risk, especially the magnitude of the risk, allows
organizations to prioritize scarce resources; see Fig. 12 above for the various processes of risk
management.
3.1 Tasks and Outputs
The matrix depicted in Table 3, shows the two main process tasks, the four subtasks, and all of the
deliverables associated with project risk management.
Table 3: Tasks and Output Matrix

Process Tasks                         Task Outputs (deliverables)
Risk management planning              Risk management plan
Risk identification                   Project risk list
Qualitative risk analysis             Prioritized list of risks classified as high, moderate, or low.
Quantitative risk analysis            An analysis of the project’s likelihood of achieving its cost and
  (only if the project includes         time objectives
  Value Analysis)
Risk response planning                Risk response plan, including one or more of the following:
                                      residual risks, secondary risks, change control, contingency
                                      reserve (amounts of time or budget needed), and inputs to a
                                      revised project plan
Risk monitoring and control           Workaround plans, corrective actions, project change requests
                                      (PCR), and updates to the risk response plan and to risk
                                      identification checklists for future projects

[Fig. 12 flowchart, text recovered from the figure:]
Decision: What type of environmental document is expected?
  - Project has only a Categorical Exception or Categorical Education: Risk Management Plan is optional.
  - Project has environmental document (SANS, IEEE, FIPS, NIST): proceed with Step 1.
Step 1: Risk Management Planning. The PDT members assign project team members to create a project risk
  management
Step 2: Risk Identification. The assigned project team members identify risks and create a project risk
  list through brainstorming, interviews, and sample risk lists.
Step 3: Qualitative Risk Analysis. The assigned project team members assess the importance of the
  identified risks and probability of occurrence.
Decision: Is Value Analysis required for the project? Yes: Step 4. No: Step 5.
Step 4: Quantitative Risk Analysis. The Value Analysis team, assisted by an expert, develops statistical
  data on the probability and impact of major risks.
Step 5: Risk Response Plan. For each identified risk, the PDT decides whether to avoid the risk, mitigate
  the risk, or accept the risk.
Step 6: Risk Monitoring and Control. Risk monitoring and control is an ongoing process for the life of the
  project. Assigned team members monitor the risks as the project matures, new risks develop, or
  anticipated risks appear.

Fig. 12: Risk management process flowchart

3.2 Key Responsibilities
This matrix (Table 4) shows the six process tasks and the responsibilities of the project manager and
stakeholders.
Table 4: Key Responsibilities Matrix

Roles, in column order: Sponsor; District Division Chief for Program and Project Management; Project
Manager; Assistant Project Manager / Project Management Support Unit; Functional Manager; Task Manager.

Process Tasks                                                     Role entries
Risk management planning                                          I, I, S, I, I, I
Risk identification                                               I, I, S, I, A, A
Qualitative risk analysis                                         A, I, I, I (four entries; blank cells not
                                                                  recoverable from the extracted text)
Quantitative risk analysis (performed only as part of             S, I, A, A (four entries; blank cells not
  Value Analysis)                                                 recoverable from the extracted text)
Risk response planning                                            I, I, A/S, I (four entries; blank cells not
                                                                  recoverable from the extracted text)
Risk monitoring and control                                       A, A, A/S, I, A, A

Legend: R = Review; I = Input; P = Participate; S = Signature; A = Accountable
4.0 HOW IS RISK ASSESSED?
Risk is assessed by identifying threats and vulnerabilities, then determining the likelihood and impact for
each risk. It’s easy, right? Unfortunately, risk assessment is a complex undertaking, usually based on
imperfect information. There are many methodologies aimed at allowing risk assessment to be repeatable
and give consistent results.
The specific risk-assessment process you may opt to use may vary according to your particular needs and
skills, or the particular risk-assessment product you're deploying. In theory, the most simplified risk-
assessment process must answer the questions: What can go wrong? What is the probability that it would
go wrong? What are the consequences in the event the risk becomes a reality? However, a real-life risk-
assessment process goes beyond merely answering those questions.
Risk-assessment processes require the definition and inventory of systems and the business processes they
support; an assessment of potential vulnerability and threat; a decision to act or not; evaluation of the
effectiveness of the action; and communication about decisions made. Once these steps are completed, the
process should be repeated on a regular basis to ensure that the decisions made and controls implemented
remain effective in reducing risk and meeting business needs and goals. The risk assessment
methodologies can be summarized in five phases, see Fig. 13:
• Phase I: Systems inventory and definition. To accurately measure the potential impact of a risk,
you must determine the assets (network components, servers, data, people and so forth) that are
involved in support of critical business processes. It's important that the inventory be exhaustive
enough to ensure that a given business process is fully included in the assessment, while not being
so inclusive that the assessment becomes unmanageable. For example, if you're trying to make
sure that an order-fulfillment process is properly protected and secured, you would include all
systems and network components that are involved in fulfilling an order.
Once business-related systems have been identified, their value must be assigned. This is one of the most
critical pieces of the risk-assessment puzzle; without proper assignment of business value, the
decision-making process supported by risk assessment will be flawed. In the "garbage in, garbage out"
tradition, it's worth the effort to make sure your inventory and definitions are as close to reality as
possible.
Following our order-fulfillment example above, the questions to ask are: What is the monetary impact if
critical systems are removed from service due to denial of service or failure? What is the monetary impact
if data integrity or confidentiality is compromised as the result of a virus or cracker attack? If, say, 10
devices are involved in processing an average of $350,000 worth of transactions per day, what would the
total impact be if they were removed from service for three hours by a denial-of-service attack? What would
be the impact to customer loyalty and future transactions if this occurred?
[Fig. 13, text recovered from the figure: Risk-Assessment Process: System inventory and definition →
Vulnerability and threat assessment → Evaluation of controls → Decision → Communication and monitoring]

Fig. 13
Business-process owners should be involved at this early stage because the business-process owner will
be able to answer those questions more accurately than a system administrator would. Unless you're in a
very small company, much of the data you'll need to produce an accurate risk assessment will be provided
by someone not in IT or security. Additionally, engaging the appropriate business-process owners in the
risk assessment will let you demonstrate how serious you are about making sure the business is
well-supported.
• Phase II: Vulnerability and threat assessment. Now it's time to get technical. The aim of this
phase is to examine your systems for weaknesses that could be exploited, and to determine the
chances of someone attacking any of those weaknesses.
Numerous types of vulnerabilities, both physical and electronic, are possible. Each should be
examined and documented. It doesn't do much good to control all the risks associated with
electronic access to your systems if someone could physically touch them and modify or walk
away with data.
Many tools exist for evaluating electronic vulnerabilities e.g., Metasploit, Nessus, ArcSight,
MARS etc. The primary value of these tools lies in automation and detection; that is, typically
they'll scan your systems for configurations and services, compare the results with a database of
known exploits, and produce a report. This saves you the laborious task of examining systems
manually and researching the latest exploits. It also provides a method of easily obtaining
consistent data on your system vulnerabilities.
A list of vulnerabilities should start with host- and network-level exploits that could have an
impact on the processes outlined in Phase One. Be sure to include exploits that could occur with
physical access as well as electronically. Also, examine scripts and applications on systems for
potential vulnerabilities. This ensures that all vectors for attack are included in the assessment, so
your efforts at reducing risk are based on real threats, not just those that are technical or well-
advertised. Continuing our order-fulfillment example, one would point up-to-date versions of
network and system scanners at the components that are responsible for completion of the
fulfillment process.
Once a list of vulnerabilities per system is compiled, each vulnerability should be classified
according to the probability that it could be exploited. This probability is the threat associated
with the vulnerability, and methods for determining this threat level abound. They can be as
complicated as completing a tree analysis, which documents the different series of conditions that
could lead to exploitation of the vulnerability, or as simple as relying on reports about the frequency
of exploits in the wild. CERT (Computer Emergency Response Team), the SANS (System
Administration, Networking, and Security) Institute and other such groups routinely publish
listings of exploits that are being seen frequently and thus are high-threat areas.
The combination of vulnerabilities and threats provides a measure of where your exposures are,
and what the chance is that a motivated attacker might exploit them. This is your level of inherent
risk, or the risk that exists in the absence of any control measures or countermeasures.
• Phase III: Evaluation of controls. Phases One and Two provide the framework for risk
assessment. Moving forward, you'll link the results of the assessment back to a risk-management
strategy. As you begin this stage, you'll have a measure of your risk and how it's mapped to
potential business impact. All your hard work up to this point has been aimed at providing a
business case for or against the implementation of security controls. A perfect control – in the
form of, for example, a firewall, a proxy gateway or an authentication system – would reduce the
vulnerability/threat measure to zero. In reality, however, there is always some residual risk
because of imperfections in the controls that are available. The risk-analysis process lets you not
only control risk, but define your residual risk.
Controls are aimed at reducing your risk to levels that are acceptable to the business. The
implementation of a control is always a risk/value proposition because all controls have an
associated cost. But the cost of a control is more than the cost of acquisition and implementation;
there are also the usual costs associated with operations and maintenance, and those related to
usability, scalability and performance. All these costs need to be considered when balancing cost
of controls versus inherent risk. Evaluating controls based on business risk lets you establish a
coherent plan for risk mitigation as opposed to point solutions aimed at technical challenges. This
provides a broader view of security, which enables you to maximize the return on your
investment.
Once control evaluation is complete, you should have a good set of options that will reduce risk at
a given price and provide the business intelligence necessary to support a sound decision.
• Phase IV: Decision. Risk assessment is primarily a process that provides information to
support business decisions. What to do about the risk associated with a given business process is
the primary goal of a risk-assessment exercise. As in Phase One, it's important that business-
process owners are involved in this phase of the risk-assessment process; together with IT or
security personnel, informed decisions can be made around risk management with a focus on
protecting business-critical assets and processes. At this point, you'll have all the information
necessary to evaluate the risks to your business. The question now is what to do.
In deciding how to manage risk, you have four options: you can choose to accept the risk (do nothing),
mitigate the risk (implement controls), transfer the risk (buy insurance) or avoid the risk.
The decision phase pulls together all the data gathered and allows IT and business professionals to
come to a consensus regarding the most effective way to manage a security program based on
sound risk-assessment procedures. This phase also provides a formal method for implementing
and documenting the decision process, as well as an avenue to obtain buy-in from business
management. During the decision phase, you'll be able to evaluate the cost of a set of controls
versus the value of the processes, systems and information you're protecting. Clearly, it makes no
sense to implement a control that's more expensive than the revenue generated by the business
processes it's meant to protect.
A decision to implement a control is based on the business value it adds, since most companies
are not in the business of protecting information. Risk management is not a goal in itself;
therefore, information should be protected only in support of a business need or requirement. Such
requirements should be spelled out in your information-security policies, with risk management
providing input into the policy process.
Formal risk assessment ensures that a linkage exists between business needs and the security
program. This formalization is important because a decision that can result in a negative impact
on the business is best made in an informed manner and then documented and communicated.
• Phase V: Communication and monitoring. User awareness and management buy-in are critical
to successful implementation of controls. Users cannot be expected to comply with policies and
controls unless they understand the decision-making process that has led to their implementation.
This theme of engaging the business in the analysis of technical risk is carried through to the final
stages of the process by making sure that risk-assessment results are communicated to business-
process owners as well as end users.
You should communicate openly regarding risk management so relevant information about risk is
shared. This is important because your mitigation strategy may cause risk in another area of the
company. In addition, other risks are often understood by individuals that don't have the resources
to deal with them. Communicating actions based on a risk assessment may open new areas for
investigation that otherwise would have gone unnoticed.
Ongoing monitoring of controls is critical to any successful information-security program,
including risk assessment. Over time, a given risk assessment will lose relevancy because of
changes in threats or operational procedures, or deterioration in the degree of compliance. Keep
an eye on those factors that can change the risk profile. When changes have occurred that call for
a re-evaluation of risk, it's time to start the risk-assessment process from the beginning. It's also
wise to include risk assessment as part of any project that might have an impact on security. This
allows security requirements to be captured up front, and risks to be evaluated so they don't cause
unnecessary delays later. It pays to keep the process well-documented so that future risk
assessments will be easier.
Some of the leading methodologies for risk assessment are discussed in greater detail in Section 9. The
general process of risk assessment can be performed via two options: (i) Qualitative Risk Analysis, and
(ii) Quantitative Risk Analysis.
4.1 Quantitative Risk Assessment
Quantitative risk assessment draws upon methodologies used by financial institutions and insurance
companies. By assigning values to information, systems, business processes, recovery costs, etc., impact,
and therefore risk, can be measured in terms of direct and indirect costs.
Mathematically, quantitative risk can be expressed as Annualized Loss Expectancy (ALE). ALE is the
expected monetary loss that can be expected for an asset due to a risk being realized over a one-year period.
ALE = SLE × ARO
Where:
• SLE (Single Loss Expectancy) is the value of a single loss of the asset. This may or may
not be the entire asset. This is the impact of the loss.
• ARO (Annualized Rate of Occurrence) is how often the loss occurs. This is the likelihood.
Mathematically, this gets complicated very quickly, involving high level statistical techniques e.g., Monte
Carlo simulation method.
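The ALE arithmetic above, with the control cost comparison the module opens with and a small Monte Carlo run of the kind just mentioned, as an added example that is not part of the original module; the asset value, exposure factor, rates and control costs are constructed, and SLE = asset value × EF is assumed (the relation implied by the module's later definition of the Exposure Factor).

```python
"""Quantitative risk arithmetic: SLE, ARO, ALE and a control cost check.

Added example, not part of the original module. The asset value,
exposure factor (EF), rates and control costs below are constructed.
SLE is derived as asset value x EF (assumed relation).
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float  # dollars (constructed)
    ef: float           # exposure factor: fraction of the asset lost per event
    aro: float          # annualized rate of occurrence: events per year

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: the impact of one realized loss."""
        return self.asset_value * self.ef

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE * ARO."""
        return self.sle * self.aro


def control_net_benefit(before: Scenario, after: Scenario,
                        annual_control_cost: float) -> float:
    """Annual ALE reduction minus what the control costs per year.

    A negative result is the case the text warns against: the control
    costs more per year than the loss it prevents.
    """
    return (before.ale - after.ale) - annual_control_cost


def simulate_annual_loss(scenario: Scenario, years: int, seed: int = 1) -> float:
    """Monte Carlo estimate of the expected annual loss.

    Event counts per year are drawn as Poisson with mean ARO (Knuth's
    method, since the random module has no Poisson sampler); each event
    costs SLE. The sample mean converges on the closed-form ALE, which
    shows that simulation adds nothing unless the inputs (EF, ARO) are
    themselves trustworthy.
    """
    rng = random.Random(seed)
    limit = math.exp(-scenario.aro)
    total = 0.0
    for _ in range(years):
        events, p = 0, 1.0
        while True:
            p *= rng.random()
            if p <= limit:
                break
            events += 1
        total += events * scenario.sle
    return total / years


# Constructed scenario: a $50,000 web server, 40% damaged per worm
# incident, historically hit once every two years.
BEFORE = Scenario("web server, unpatched", 50_000, 0.40, 0.5)
# A patching programme assumed to cut the rate to one incident per decade.
AFTER = Scenario("web server, patched", 50_000, 0.40, 0.1)
PATCHING_COST = 5_000      # per year (constructed)
GOLD_PLATED_COST = 12_000  # per year (constructed): exceeds the ALE it removes

if __name__ == "__main__":
    print(f"SLE {BEFORE.sle:,.0f}  ALE before {BEFORE.ale:,.0f}  after {AFTER.ale:,.0f}")
    print(f"net benefit, patching: {control_net_benefit(BEFORE, AFTER, PATCHING_COST):,.0f}")
    print(f"net benefit, gold-plated: {control_net_benefit(BEFORE, AFTER, GOLD_PLATED_COST):,.0f}")
    print(f"simulated ALE before: {simulate_annual_loss(BEFORE, 20_000):,.0f}")
```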
While utilizing quantitative risk assessment seems straightforward and logical, there are issues with using
this approach with information systems. While the cost of a system may be easy to define, the indirect
costs, such as the value of the information, lost production activity and the cost to recover, are imperfectly
known at best. Moreover, the other major element of risk, likelihood, is often even less perfectly known.
For example, what is the likelihood that someone will use social engineering to gain access to a user account
on the accounting system?
Therefore, a large margin of error is typically inherent in quantitative risk assessments for information
systems. This might not always be the case in the future. As the body of statistical evidence becomes
available, trends can be extrapolated on past experience. Insurance companies and financial institutions
make excellent use of such statistics to ensure that their quantitative risk assessments are meaningful,
repeatable and consistent.
Typically, it is not cost-effective to perform a quantitative risk assessment for an IT system, due to the
relative difficulty of obtaining accurate and complete information. However, if the information is deemed
reliable, a quantitative risk assessment is an extremely powerful tool to communicate risk to all levels of
management.
Quantitative risk measurement is the standard way of measuring risk in many fields, such as
insurance, but it is not commonly used to measure risk in information systems. Two of the reasons
claimed for this are: (i) the difficulties in identifying and assigning a value to assets, and (ii) the lack of
statistical information that would make it possible to determine frequency. Thus, most of the risk
assessment tools that are used today for information systems are measurements of qualitative risk [5].

5.0 IDENTIFYING THREATS
Recall that both threat-sources and threats must be identified. Threats should include the threat-source to
ensure accurate assessment. Some common threat-sources include:
• Natural Threats—floods, earthquakes, hurricanes
• Human Threats—threats caused by human beings, including both unintentional (inadvertent data
entry) and deliberate actions (network based attacks, virus infection, unauthorized access)
• Environmental Threats—power failure, pollution, chemicals, water damage
Some common threats were illustrated in Table 1 – Partial List of Threats with Threat Sources Taken into
Consideration.
Individuals who understand the organization, industry or type of system (or better yet all three) are key
to identifying threats. Once the general list of threats has been compiled, review it with those most
knowledgeable about the system, organization or industry to gain a list of threats that applies to the
system. It is valuable to compile a list of threats that are present across the organization and use this list
as the basis for all risk management activities. As a major consideration of risk management is to ensure
consistency and repeatability, an organizational threat list is invaluable.
5.1 Identifying Vulnerabilities
Vulnerabilities can be identified by numerous means. Different risk management schemes offer different
methodologies for identifying vulnerabilities. In general, start with commonly available vulnerability lists or
control areas. Then, working with the system owners or other individuals with knowledge of the
system or organization, start to identify the vulnerabilities that apply to the system. Specific
vulnerabilities can be found by reviewing vendor web sites and public vulnerability archives, such as
Common Vulnerabilities and Exposures (CVE - http://cve.mitre.org) or the National
Vulnerability Database (NVD - http://nvd.nist.gov). If they exist, previous risk assessments and audit
reports are the best place to start.
Additionally, while the following tools and techniques are typically used to evaluate the effectiveness of
controls, they can also be used to identify vulnerabilities:
• Vulnerability Scanners – Software that can examine an operating system, network application or
code for known flaws by comparing the system (or system responses to known stimuli) to a database
of flaw signatures.
• Penetration Testing – An attempt by human security analysts to exercise threats against the system.
This includes operational vulnerabilities, such as social engineering.
• Audit of Operational and Management Controls – A thorough review of operational and
management controls by comparing the current documentation to best practices (such as ISO 17799)
and by comparing actual practices against current documented processes.
It is invaluable to have a baseline list of vulnerabilities that are always considered during every risk assessment
in the organization. This practice ensures at least a minimum level of consistency between risk assessments.
Moreover, vulnerabilities discovered during past assessments of the system should be included in all future
assessments. Doing this allows management to understand that past risk management activities have been
effective.
5.2 Relating Threats to Vulnerabilities
One of the more difficult activities in the risk management process is to relate a threat to vulnerability.
Nonetheless, establishing these relationships is a mandatory activity, since risk is defined as the exercise of a
threat against vulnerability (weakness). This is often called threat-vulnerability (T-V) pairing. Once again,
there are many techniques to perform this task. Not every threat-action/threat can be exercised against all
possible vulnerability. For instance, a threat of “flood” obviously applies to a vulnerability of “lack of
contingency planning”, but not to a vulnerability of “failure to change default authenticators.”
While logically it seems that a standard set of T-V pairs would be widely available and used; currently
there are none readily available. This may be due to the fact that threats and especially vulnerabilities are
constantly being discovered and that the T-V pairs would change fairly often. Nonetheless, an
organizational standard list of T-V pairs should be established and used as a baseline. Developing the T-V
pair list can be accomplished by reviewing the vulnerability list and pairing vulnerability with every threat
that applies, then by reviewing the threat list and ensuring that all the vulnerabilities that the threat-action/threat
can act against have been identified. For each system, the standard T-V pair list should then be tailored to
suit the local environment.
5.3 Defining Likelihood
Determining likelihood is fairly straightforward. It is the probability that a threat caused by a threat-source
will occur against a vulnerability. In order to ensure that risk assessments are consistent, it is an excellent idea
to utilize a standard definition of likelihood, and of the consequent impact to the enterprise resources, on all
risk assessments.
5.3.1 Defining Impact
In order to ensure repeatability, impact is best defined in terms of impact upon availability, impact
upon integrity and impact upon confidentiality. Table 5 shows sample impact definitions, which illustrate
a workable approach to evaluating impact by focusing attention on the three aspects of information security.
However, in order to be meaningful, reusable and easily communicated, specific ratings should be
produced for the entire organization. Table 6 shows examples of organizational effect for these
specific values.
Table 5: Sample Impact Definitions

Rating   | Confidentiality                                                         | Integrity                                                         | Availability
Low      | Loss of confidentiality leads to a limited effect on the organization.  | Loss of integrity leads to a limited effect on the organization.  | Loss of availability leads to a limited effect on the organization.
Moderate | Loss of confidentiality leads to a serious effect on the organization.  | Loss of integrity leads to a serious effect on the organization.  | Loss of availability leads to a serious effect on the organization.
High     | Loss of confidentiality leads to a severe effect on the organization.   | Loss of integrity leads to a severe effect on the organization.   | Loss of availability leads to a severe effect on the organization.

Table 6: Examples of Organizational Effect

Effect Type    | Effect on Mission Capability                                                                      | Financial Loss/Damage to Organizational Assets | Effect on Human Life
Limited Effect | Temporary loss of one or more minor mission capabilities                                          | Under $5,000                                   | Minor harm (e.g., cuts and scrapes)
Serious Effect | Long term loss of one or more minor or temporary loss of one or more primary mission capabilities | $5,000-$100,000                                | Significant harm, but not life threatening
Severe Effect  | Long term loss of one or more primary mission capabilities                                        | Over $100,000                                  | Loss of life or life threatening injury

5.4 Assessing Risk via Impact & Likelihood Technique
Assessing risk is the process of determining the likelihood of the threat being exercised against the
vulnerability and the resulting impact from a successful compromise. When assessing likelihood and
impact, it is crucial to take into consideration the current threat environment and controls in play. Likelihood
and impact are assessed on the system as it is operating at the time of the assessment. Do not take any
planned controls into consideration. Table 7 shows a Sample Risk Determination Matrix that can be
used to evaluate the risk when using a three level rating system.

Table 7: Sample Risk Determination Matrix (rows: Likelihood; columns: Impact)

Likelihood \ Impact | Low      | Moderate | High
High                | Moderate | High     | High
Moderate            | Low      | Moderate | Low
Low                 | Low      | Low      | Moderate


One may also opt to use probability analysis. In this case the impact analysis procedure uses a non-
linear scale, allowing for a range of percentages or a predefined scaling range, defined as follows:
Table 8: Probability Analysis

Likelihood of Risk Event | Risk Event Probability | Response Planning Difficulty
5 – Very High            | >80%                   | Risk event is expected to occur. No strategy is available to counteract the risk event occurring.
4 – High                 | 60-80%                 | Risk event is likely to occur. Limited resources or strategies are available that will influence the occurrence of or contain the risk event. A high level of management attention is necessary.
3 – Moderate             | 40-60%                 | Risk event may or may not occur. A higher level of management attention is required to control the results of the risk.
2 – Low                  | 20-40%                 | Risk event is less likely to occur. With attention, normal management strategies should produce an acceptable outcome.
1 – Very Low             | <20%                   | Risk event is not expected to occur. Normal management strategies should produce an acceptable outcome.

The result of this analysis is presented as shown in Table 9:

Table 9: Risk Determination Analysis using Non-linear Probability
(rows: Likelihood (Probability); columns: Impact; cell value = likelihood × impact)

Likelihood \ Impact | 1 V Low | 2 Low | 3 Moderate | 4 High | 5 V High
5-Very High         | 5       | 10    | 15         | 20     | 25
4-High              | 4       | 8     | 12         | 16     | 20
3-Moderate          | 3       | 6     | 9          | 12     | 15
2-Low               | 2       | 4     | 6          | 8      | 10
1-Very Low          | 1       | 2     | 3          | 4      | 5

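The T-V pairing step of section 5.2 and the Table 9 scoring, carried through to a prioritized report that hands management ratings rather than numbers, as an added example that is not the module's own code; the threat and vulnerability lists, the applicability rules, the ratings and the score-to-band thresholds are all constructed assumptions.

```python
"""Threat-vulnerability (T-V) pairing and risk determination.

Added example, not part of the original module. The threat and
vulnerability lists, the applicability rules and the 1-5 ratings are
constructed for illustration. Scoring follows Table 9 (risk score =
likelihood x impact, each rated 1-5); the bands used to report a score
as Low/Moderate/High are an assumption, chosen so the report carries no
more granularity than the ratings behind it.
"""
from dataclasses import dataclass

# Baseline applicability rules (section 5.2): a threat is paired only with
# vulnerabilities it can actually exercise. "flood" pairs with "lack of
# contingency planning" but not with "failure to change default
# authenticators". Constructed for this example.
THREAT_APPLIES_TO = {
    "flood": {"lack of contingency planning"},
    "worm": {"unpatched service", "failure to change default authenticators"},
    "social engineering": {"weak security awareness"},
}


@dataclass(frozen=True)
class TVPair:
    threat: str
    vulnerability: str
    likelihood: int  # 1..5, Table 8 band, for the system as operated today
    impact: int      # 1..5, rating of the resulting effect (Table 5 style)


def build_tv_pairs(threats, vulnerabilities, applies_to=THREAT_APPLIES_TO):
    """Return every (threat, vulnerability) pair that is valid under the rules."""
    return [(t, v) for t in threats for v in vulnerabilities
            if v in applies_to.get(t, set())]


def risk_score(likelihood, impact):
    """Table 9 cell value: likelihood x impact, both on a 1-5 scale."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be 1..5, got {value}")
    return likelihood * impact


def risk_band(score):
    """Collapse a 1-25 score to a three-level rating (assumed thresholds)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Moderate"
    return "Low"


def prioritize(pairs):
    """Highest-scoring pairs first; ties broken by name for a stable report."""
    return sorted(pairs, key=lambda p: (-risk_score(p.likelihood, p.impact),
                                         p.threat, p.vulnerability))


def risk_report(pairs):
    """Report lines carrying qualitative ratings only: no numbers reach management."""
    return [f"{risk_band(risk_score(p.likelihood, p.impact))}: "
            f"{p.threat} exercising '{p.vulnerability}'"
            for p in prioritize(pairs)]


if __name__ == "__main__":
    threats = ["flood", "worm", "social engineering"]
    vulns = ["lack of contingency planning", "unpatched service",
             "failure to change default authenticators", "weak security awareness"]
    ratings = {  # constructed (likelihood, impact) per valid pair
        ("flood", "lack of contingency planning"): (1, 5),
        ("worm", "unpatched service"): (4, 4),
        ("worm", "failure to change default authenticators"): (3, 2),
        ("social engineering", "weak security awareness"): (2, 4),
    }
    register = [TVPair(t, v, *ratings[(t, v)])
                for t, v in build_tv_pairs(threats, vulns)]
    print("\n".join(risk_report(register)))
```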
In a qualitative risk assessment, it is best not to use numbers when assessing risk. Managers, especially the
senior level managers who make decisions concerning resource allocation, often assume more accuracy than
is actually conveyed when reviewing a risk assessment report containing numerical values. Recall that in a
qualitative risk assessment, the likelihood and impact values are based on the best available information,
which is not typically well grounded in documented past occurrences.
The concept of not providing any more granularity in risk assessment reports than was available during the
assessment process is roughly analogous to the use of significant digits in physics and chemistry. Roughly
speaking, significant digits are the digits in a measurement that are reliable. Therefore, it is impossible to get
any more accuracy from the result than was available from the source data. Following this logic, if
likelihood and impact were evaluated on a Low, Moderate, High basis, Risk would also be Low, Moderate
or High.
If the risk assessment report does not clearly communicate the proper level of granularity, the number of
impact and likelihood rating levels should be increased. Some organizations prefer to use a four or even five
level rating for impact and likelihood. However, understand that the individual impact and likelihood levels
must still be concisely defined.
5.5 Qualitative Assessing Threat & Vulnerability in IT Security Risk Management

Phase 1: Assessment
In this phase, you determine what your assets are worth, identify risks, and calculate the potential damage if
an asset is exploited, in five steps:

• Step 1: Inventory Security Policies
The first step in risk management process (RMP) – is to create an inventory of existing security
policies – and make sure you obtain printed copies of each policy.

• Step 2: Assess Assets
Assess assets by creating a list of every significant asset in your organization. Recall that an asset is
anything in your organization's environment that might require some level of protection. This
requires that you first assess the assets by assigning them a qualitative and quantitative asset
value. You start by assigning them a qualitative value, say from level 1-4, as a rough estimate,
which you convert later into a quantitative dollar value.

Note: Qualitative asset valuation
Asset valuation is how much it costs to maintain an asset, what it would cost if it were lost
or destroyed, or what benefit another party would gain by obtaining this information. Asset value
should reflect all identifiable costs that would arise if the asset were completely destroyed.
Qualitative values are of four levels, based on the impact on the company if the asset is
compromised:

Table 10: Assigning Assets Qualitative Value Analysis

Level | Impact             | Description
1     | Catastrophic       | If the asset were lost or damaged it would have a catastrophic effect on the organization, i.e., it might never recover.
2     | Very serious       | Damage to the asset would severely affect the organization's ability to do business or cost a significant amount of money.
3     | Moderately serious | It costs some money and employee time to recover, but business goes on as normal.
4     | Not serious        | A successful attack would have minimal impact.

Note: For best practices, assess asset value via: Critical, Important, Not important


5.5.1 Quantitative Valuing Assets in IT Security Risk Management
Recall that quantitative analysis has the advantage of being more precise than qualitative analysis. Its
disadvantage is overhead: it takes more time to assess assets accurately and assign each a value
appropriately by calculating the annual value, direct impact, and annual indirect impact, as shown in
Table 11:

Table 11: Assigning Assets Quantitative Value Analysis via Impact Levels

Impact Level    | Description
Value           | This is the overall value of an asset to your organization, and requires you to calculate or estimate the asset's value in direct financial terms.
Direct impact   | This is the immediate financial impact of losing the asset, including the cost of replacement if the asset is entirely destroyed.
Indirect impact | The indirect business impact of losing the asset; for example, a compromise of your company's sales Web site will tarnish your reputation and could end up losing some customers and revenue.

5.5.2 Assess Threat via Threat Modeling
Threat modeling can be undertaken via asking the following questions:
• “What type of attacks do I defend against?” or
• “What conditions might lead to an attacker successfully compromising my network?”

When undertaking threat modeling, consider the following partial list of common threat agents and threats,
to get you started:
• Threat agents are the individuals (i.e., humans) responsible, e.g.:
− Script kiddies
− Sophisticated attackers with financial motivation
− Employees or competitors

• Threats are the methods of attack, e.g.:
− Virus, worms, fire, natural disaster, acts of war, hardware failure, software failure or
network failure

Note: after identifying the potential threats, you must assess the vulnerability level for each asset-and-
threat pair, i.e., T-V pair, as was done earlier. If you used the qualitative approach during asset valuation you
will also use the qualitative approach here. Alternatively, if you used the more detailed quantitative approach,
you will use the values generated during the asset assessment phase to estimate the damage in dollars
that the threat could do to your assets.

Note: use a test or lab environment to refine your damage estimates.
A test lab environment could include:
o a simulation of an e-mail virus attack and its effect
o a test to determine whether employees are susceptible to social engineering attacks
o a drill or simulation of a data center disaster via determining the productivity loss etc.
o a simulation of a virus attack via determining the time required to recover etc.

For best practices, it is a good idea to involve the incident response team in this process.

5.5.3 Assessing Threat & Vulnerability using Existing Security Policies & Countermeasures
The final stage of vulnerability and threat assessment requires that you test the vulnerabilities each
threat poses to your assets given your current security policies and countermeasures.

To determine vulnerability, consider both the likelihood of a successful compromise and the potential damage
to the asset, and use the same number of levels to assess both value and vulnerability via the following
four levels, as shown in Table 12 and Fig. 14:

Table 12: Assigning vulnerability level via likelihood of a successful compromise and
the potential damage to the asset

Level | Exposure        | Description
A     | Extremely High  | If left unattended, it is almost certain that the asset will be compromised by the threat and the damage will be severe, e.g., a Web server with a default Admin account with no assigned password!
B     | Very high       | It is very likely that the threat will compromise the asset in the next year if no countermeasures are added, and the threat will cause significant damage.
C     | Moderately high | The asset probably will not be exploited by the threat in the next year, or the threat is not capable of causing significant damage; however, the risk exists.
D     | Low             | The asset is not likely to be compromised and damaged by the threat.

Example: it is very likely that a Web server will be compromised by a worm in a given year.
However – the worm is not likely to do irreversible damage to the Web server – so the total
risk posed is relatively low.

Example: Data stored in a server that has never been backed up – if, for example, a fire breaks out –
the vulnerability of fire damage to the data has EF of 100%.



Fig. 14: Assess risk by combining value and vulnerability assessments.
(rows: Vulnerability assessment; columns: Qualitative asset value; each cell is the asset value level followed by the vulnerability level)

Vulnerability \ Asset value | 1. Catastrophic | 2. Very Serious | 3. Moderately Serious | 4. Not Serious
A. Extremely High           | 1A              | 2A              | 3A                    | 4A
B. Very High                | 1B              | 2B              | 3B                    | 4B
C. Moderately High          | 1C              | 2C              | 3C                    | 4C
D. Low                      | 1D              | 2D              | 3D                    | 4D

5.5.4 Quantitatively Assessing Threats & Vulnerabilities in IT Risk Management
In this case you must determine the Exposure Factor (EF). The EF is the amount of damage (expressed
in %) a threat could cause to an asset - if the asset is compromised.
5.5.5 Security Risk Analysis
The final stage is to perform security risk analysis, which in general, is via three main goals:
1. Prioritize risks
2. Quantify the impact of potential threats and
3. Provide an economic balance between the risks and the cost of the countermeasure

Finally, use the information created in the previous steps to estimate the level of risk of each threat –
which is then used to prioritize threats – which allows you to effectively commit resources to address the
most critical security issues. It is important to note, that when properly undertaken, security risk analysis
helps integrate the security program objectives with the company’s business objective and requirements –
and helps you to get funding from the top executive management.

6.0 HOW IS RISK MANAGED?
Recall that the purpose of assessing risk is to assist management in determining where to direct resources to
defend against attack. Recall that there are four basic strategies for managing risk: mitigation, transference,
acceptance and avoidance. Each will be discussed in detail in the following sections.
For each risk in the risk assessment report, a risk management strategy must be devised that reduces the
risk to an acceptable level for an acceptable cost. For each risk management strategy, the cost associated
with the strategy and the basic steps for achieving the strategy (known as the Plan Of Action &
Milestones or POAM) – must also be determined, and these are divided into four categories: Risk
Avoidance, Risk Transfer, Risk Mitigation, and Risk Acceptance, and of course Residual risk.
6.1 Risk Avoidance
Risk Avoidance is the practice of removing the vulnerable aspect of the system or even the system itself
altogether. For instance, during a risk assessment, a website was uncovered that let vendors view their
invoices, using a vendor ID embedded in the HTML file name as the identification and no authentication or
authorization per vendor was in place. When notified about the web pages and the risk to the organization,
management decided to remove the web pages and provided vendor invoices via another mechanism. In
this case, the risk was avoided by removing the vulnerable web pages.
6.2 Risk Transference
Risk Transference is the process of allowing another party to accept the risk on your behalf. This is not
widely done for IT systems, but everyone does it all the time in their personal lives. Car, health and life
insurance are all ways to transfer risk. In these cases, risk is transferred from the individual to a pool of
insurance holders, including the insurance company. Note that this does not decrease the likelihood or fix
any flaws, but it does reduce the overall impact (primarily financial burden) on the organization or an
individual.
6.3 Risk Mitigation
Risk Mitigation is the most commonly considered risk management strategy. Mitigation involves fixing
the flaw or providing some type of compensatory control to reduce the likelihood or impact associated
with the flaw. A common mitigation for a technical security flaw is to install a patch provided by the
vendor e.g., patching an OS or hardware drivers. Sometimes the process of determining mitigation
strategies is called control analysis (also see Fig. 1).
Installing a firewall on a computer, for instance, can reduce the risk of being attacked. But the firewall could
be wrongly configured, opening up new vulnerabilities which could then be exploited. Or the firewall,
although correctly installed and configured, might not be running and therefore not protecting the asset at
all.
Therefore, it is important to always be aware that reducing risk does not mean that it goes away.
Furthermore, it is also important to always be aware that installing safeguards can open new vulnerabilities
or fail to protect from the vulnerability in the first place, e.g., in the case of a misconfigured NAC and firewall.
6.4 Risk Acceptance
Risk Acceptance is the practice of simply allowing the system to operate with a known risk. Many
low risks are simply accepted. Risks that have an extremely high cost to mitigate are also often accepted.
Beware of high risks being accepted by the management. Ensure that this strategy is in writing and accepted
by the manager(s) making the decision. Often risks are accepted that should not have been accepted, and then
when the penetration (compromise) occurs, the IT security personnel are held responsible. Typically, business
managers, not IT security personnel, are the ones authorized to accept risk on behalf of an organization,
Table 13 shows an example of security action plan implemented for a database server.

Table 13: Sample security action plan for a database server

Asset        | Threat     | Response                     | Countermeasure
Dbase server | HW failure | Mitigate; React to           | Disk redundancy; On-site backups
Dbase server | Fire       | Mitigate; React to; Transfer | Fire suppression system; Off-site backups; Fire insurance
Dbase server | Employee   | Mitigate; React to           | HIDS, Least privilege permissions, Signed computer use policies; On-site backups, Security auditing, Legal prosecution
Dbase server | Worm       | Mitigate; React to           | NW firewall, HIDS, Antivirus SW; On-site backups

6.5 Residual Risk
When managing risk, your main goal is to remove or lower risk. Residual risk is the risk which could
not be removed (or which was accepted). It is important to stress again that having residual risk is
nothing bad but actually the basis of the risk management process. It is normally too cost intensive to
minimize every single risk and there is no need to mitigate risk which does not hurt a company.
Managing the residual risk is what the whole risk management process is about: deciding which
risk to take, which to remove and, finally, what to do with the residual risk. When talking about residual
risk, it is crucial to write down when and how the residual risk was accepted, and to have the board
sign that piece of paper so that there is some evidence when something bad happens in the future.
7.0 COMPARING THE TWO APPROACHES: Qualitative or Quantitative Analysis?
Both qualitative and quantitative approaches to security risk management have their advantages and
disadvantages. Certain situations may call for organizations to adopt the quantitative approach.
Alternatively, organizations of small size or with limited resources will probably find the qualitative
approach much more to their liking. Table 14 summarizes the benefits and drawbacks of each approach:


Table 14: Benefits and Drawbacks of Each Risk Management Approach

Quantitative approach, benefits:
• Risks are prioritized by financial impact; assets are prioritized by financial values.
• Results facilitate management of risk by return on security investment.
• Results can be expressed in management-specific terminology (for example, monetary values and probability expressed as a specific percentage).
• Accuracy tends to increase over time as the organization builds a historic record of data while gaining experience.

Qualitative approach, benefits:
• Enables visibility and understanding of risk ranking.
• Easier to reach consensus.
• Not necessary to quantify threat frequency.
• Not necessary to determine financial values of assets.
• Easier to involve people who are not experts on security or computers.

Quantitative approach, drawbacks:
• Impact values assigned to risks are based on subjective opinions of participants.
• Process to reach credible results and consensus is very time consuming.
• Calculations can be complex and time consuming.
• Results are presented in monetary terms only, and they may be difficult for non-technical people to interpret.
• Process requires expertise, so participants cannot be easily coached through it.

Qualitative approach, drawbacks:
• Insufficient differentiation between important risks.
• Difficult to justify investing in control implementation because there is no basis for a cost-benefit analysis.
• Results are dependent upon the quality of the risk management team that is created.

In years past, the quantitative approaches seemed to dominate IT security risk management; however, that
has changed recently as more and more practitioners have admitted that strictly following quantitative risk
management processes typically results in difficult, long-running projects that see few tangible benefits.
7.1 Limitations of Risk Management
So where does risk management end, and what cannot be managed in risk management? Risk
management can become quite time consuming (and therefore expensive) when the goal is to remove
every risk. Spending too much time analyzing unlikely or small risks (which can easily be taken) can
easily become very expensive.
Although risk management is about managing risk, it has no silver bullet for which risk to take and
which risk to mitigate. While the management process offers some tools and help, it also requires some
know-how and experience in this field. Therefore it is always a good idea to start the risk
management process with an expert.
8.0 INTERNAL CONTROL
Internal Control is about checking the facts and figures of a company. It helps in avoiding misuse of any assets of an organization (e.g., financial assets). Internal controls can also be used as evidence in an external assessment or evaluation of the company.
The following list contains some of the reasons why Information Security is a part of the Internal Control:
• Data Classification.
• Change Management.
• Document Management.
9.0 COMMUNICATING RISKS AND RISK MANAGEMENT STRATEGIES
Risk must also be communicated. Once risk is understood, risks and risk management strategies must be clearly communicated to organizational management in terms that management can easily understand. Managers are used to managing risk; they do it every day. Presenting risk in a way that they will understand is the key to successful security risk management. That is, do not rely on “fear, uncertainty and doubt” in your presentation. Instead, present risk in terms of likelihood and impact. The more concrete the terms are, the more likely organizational management will understand and accept the findings and recommendations, and therefore approve the final risk management action plan document; see Table 14.
Table 14: Sample Risk Management

Risk: Failure in environmental systems (e.g. air conditioning) leaves systems unavailable.
Risk Description: Failure in environmental controls could cause system to become unavailable for more than 48 hours.
Impact: M* (*Moderate)
Likelihood: Past data indicates this happens 1-2 times annually.
Risk Mgmt Strategy: Implement a hot spare at the alternate site.
Cost: $250,000
Residual Risk After Implementing Risk Mgt Strategy: L
Recall that with a quantitative risk assessment methodology, risk management decisions are typically based on comparing the costs of the risk against the costs of the risk management strategy. A return on investment (ROI) analysis is a powerful tool to include in the quantitative risk assessment report. This is a tool commonly used in the business world to justify taking or not taking a certain action. Managers are very familiar with using ROI to make decisions.
Furthermore, with a qualitative risk assessment methodology, the task is somewhat more difficult. While the cost of the strategies is usually well known, the cost of not implementing the strategies is not, which is why a qualitative and not a quantitative risk assessment is usually performed. This includes a management-friendly description of the impact and likelihood of each risk and risk management strategy, and is considered to be extremely effective. Another effective strategy is showing the residual risk that would be in effect after the risk management strategy was enacted.
10.0 IMPLEMENTING RISK MANAGEMENT STRATEGIES
Recall that a Plan Of Action & Milestones (POAM) should be part of the risk assessment report
presented to management. The POAM is a tool to communicate to management on the proposed and actual
completion of the implementation of the risk management strategies.
The first step in implementing risk management strategies is to get management to approve the POAM.
Afterwards, the various individuals and teams report upon their progress. This in turn is reported to
management and tracked as part of the ongoing process of risk management.
Table 15 shows a sample POAM. The POAM contains the risk, the risk management strategy, the Point Of Contact (POC) responsible for implementing the strategy, the resources required and the various milestones that comprise the implementation. For each milestone, a target completion date and an actual completion date are listed. Note that the POAM is a tool to communicate to management, rather than a project management plan.
Table 15: Sample POAM

Risk: Failure in environmental systems (e.g. air conditioning) leaves systems unavailable.
Risk Mgmt Strategy: Implement a hot spare at the alternate site.
POC: TL1, TL2
Resources Required: $200,000 hardware, $60,000 software, $120,000 labor
Milestones, with Target Completion Date (the Actual Completion Date column is blank for every milestone):
• Procure hardware & software: 7/1
• Install hardware: 7/15
• Install software: 8/1
• Configure system: 8/15
• Test system: 9/1

11.0 WHAT ARE SOME COMMON RISK ASSESSMENT/MANAGEMENT
METHODOLOGIES AND TOOLS?
There are numerous risk assessment/management methodologies and tools. The following methodologies and
tools were developed for managing risks in information systems.
• National Institute of Standards & Technology (NIST) Methodology
• OCTAVE®
• FRAP
• COBRA
• Risk Watch
11.1 National Institute of Standards & Technology (NIST) Methodology
NIST Special Publication (SP) 800-30, Risk Management Guide for Information Technology Systems is the
US Federal Government’s standard. This methodology is primarily designed to be qualitative and is based
upon skilled security analysts working with system owners and technical experts to thoroughly identify,
evaluate, and manage risk in IT systems. The process is extremely comprehensive, covering everything from
threat-source identification to ongoing evaluation and assessment.
The NIST methodology consists of 9 steps:
• Step 1: System Characterization
• Step 2: Threat Identification
• Step 3: Vulnerability Identification
• Step 4: Control Analysis
• Step 5: Likelihood Determination
• Step 6: Impact Analysis
• Step 7: Risk Determination
• Step 8: Control Recommendations
• Step 9: Results Documentation
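As an added example (not code from the page or from NIST), the likelihood determination, impact analysis and risk determination steps above, implemented in Python with the risk-level matrix published in the 2002 edition of SP 800-30: likelihood weights of 1.0/0.5/0.1, impact weights of 100/50/10, and High/Medium/Low bands at above 50, above 10 to 50, and 1 to 10. The sample risks are constructed, and the per-level action text paraphrases the publication's guidance.

```python
"""Risk determination (SP 800-30 steps 5-7) with the published risk-level matrix.

Added example, not code from the page or from NIST. The weights and bands are
the ones in SP 800-30 (2002); the sample risks below are constructed.
"""
from dataclasses import dataclass

LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}   # step 5 ratings
IMPACT_WEIGHT = {"High": 100, "Medium": 50, "Low": 10}          # step 6 ratings

# Step 8 guidance attached to each level (paraphrased from SP 800-30)
RECOMMENDED_ACTION = {
    "High": "corrective measures are needed as soon as possible",
    "Medium": "corrective actions are needed and a plan must be developed within a reasonable period",
    "Low": "the authorizing official decides whether corrective action is required or the risk is accepted",
}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    threat_source: str      # step 2
    vulnerability: str      # step 3
    likelihood: str         # High / Medium / Low, judged after control analysis (steps 4-5)
    impact: str             # High / Medium / Low (step 6)


def risk_score(likelihood: str, impact: str) -> float:
    """Matrix cell value = likelihood weight x impact weight; KeyError on an unknown rating."""
    return round(LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact], 6)


def risk_level(score: float) -> str:
    """Map a matrix score to the SP 800-30 risk level (step 7)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def determine_risk(risk: Risk) -> dict:
    score = risk_score(risk.likelihood, risk.impact)
    level = risk_level(score)
    return {"risk_id": risk.risk_id, "score": score, "level": level,
            "action": RECOMMENDED_ACTION[level]}


def prioritize(risks) -> list:
    """Step 9 output: risks ordered highest score first (stable for ties)."""
    return sorted((determine_risk(r) for r in risks), key=lambda d: -d["score"])


SAMPLE_RISKS = [  # constructed sample input
    Risk("R1", "External attacker", "Unpatched VPN concentrator", "High", "High"),
    Risk("R2", "Environmental (cooling failure)", "No hot spare at alternate site", "Medium", "High"),
    Risk("R3", "Insider", "Shared admin account on file server", "High", "Low"),
    Risk("R4", "Malware", "Signature updates lag by weeks", "Low", "Medium"),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_RISKS):
        print(f"{row['risk_id']}: score={row['score']:<6} level={row['level']:<6} -> {row['action']}")
```

Note that a High likelihood against a Low impact scores 10 and lands in the Low band, while Medium against High scores 50 and stays Medium: the matrix deliberately refuses to call anything High unless both factors are.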
11.2 OCTAVE®
The Software Engineering Institute (SEI) at Carnegie Mellon University developed the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) process. The main goal in developing OCTAVE is to help organizations improve their ability to manage and protect themselves from information security risks. OCTAVE is workshop-based rather than tool-based. This means that rather than embedding extensive security expertise in a tool, the participants in the risk assessment need to understand the risk and its components. The workshop-based approach espouses the principle that the organization will understand the risk better than a tool, and that the decisions will be made by the organization rather than by a tool.
There are three phases of workshops. Phase 1 gathers knowledge about important assets, threats, and
protection strategies from senior managers. Phase 1 consists of the following processes:
• Process 1: Identify Senior Management Knowledge
• Process 2: (multiple) Identify Operational Area Management Knowledge
• Process 3: (multiple) Identify Staff Knowledge
• Process 4: Create Threat Profiles
Phase 2 gathers knowledge from operational area managers. Phase 2 consists of the following processes:
• Process 5: Identify Key Components
• Process 6: Evaluate Selected Components
Phase 3 gathers knowledge from staff. Phase 3 consists of the following processes:
• Process 7: Conduct Risk Analysis
• Process 8: Develop Protection Strategy via two workshops:
o Workshop A: strategy development
o Workshop B: strategy review, revision, approval
These activities produce a view of risk that takes the entire organization’s viewpoints into account, while minimizing the time of the individual participants. The outputs of the OCTAVE process are:
• Protection Strategy
• Mitigation Plan
• Action List
11.3 FRAP
The Facilitated Risk Assessment Process (FRAP) is the creation of Thomas Peltier. It is based upon implementing risk management techniques in a highly cost-effective way. FRAP uses formal qualitative risk analysis methodologies: Vulnerability Analysis, Hazard Impact Analysis, Threat Analysis and Questionnaires. Moreover, FRAP stresses pre-screening systems and only performing formal risk assessments on systems when warranted. Lastly, FRAP ties risk to impact using the Business Impact
Analysis as a basis for determining impact. Thomas Peltier has written a book on FRAP, and several consulting companies, including RSA and Peltier Associates, teach FRAP.
11.4 COBRA
The Consultative, Objective and Bi-functional Risk Analysis (COBRA) process was originally created by C & A Systems Security Ltd. in 1991. It takes the approach that risk assessment is a business issue rather than a technical issue. It consists of tools that can be purchased and then used to perform self-assessments of risk, while drawing on the expert knowledge embedded in the tools. Its knowledge bases are:
• IT Security (or default)
• Operational Risk
• 'Quick Risk' or 'high level risk'
• e-Security
There are two primary products, Risk Consultant and ISO Compliance. Risk Consultant is a tool with knowledge bases and built-in templates that allow the user to create questionnaires to gather information about the types of assets, vulnerabilities, threats, and controls. From this information, Risk Consultant can create reports and make recommendations, which can then be customized. ISO Compliance is similar, only this product is focused on ISO_17799 compliance.
11.5 Risk Watch
Risk Watch is another tool that uses an expert knowledge database to walk the user through a risk assessment and provide reports on compliance as well as advice on managing the risks. Risk Watch includes statistical information to support quantitative risk assessment, allowing the user to show ROI for various strategies. Risk Watch has several products, each focused on different compliance needs. There are products based on NIST standards (U.S. government), ISO_17799, HIPAA and financial institution standards (the Gramm-Leach-Bliley Act, California SB 1386 (identity theft standards), Facilities Access Standards and the FFIEC Standards for Information Systems).
12.0 EFFECTIVE RISK MITIGATION PROCESSES IN INFORMATION SECURITY
The Risk Mitigation Process (RMP) is a part of risk management that addresses how to reduce exposure to
an identified risk. A solution to mitigate the risk is developed and modeled to determine the level of
reduced risk versus the cost to implement it. If the solution provides an acceptable level of reduction in
risk for the associated cost, then it is considered successful and the process is complete.
The RMP can be thought of as a spiral model that allows a user to complete the process and then review
the results. If the risk mitigation process was successful, then the process stops at the end of the post-
mitigation task. If the risk or cost is not acceptable, then the entire process is repeated to determine if it
can be improved. Each time the process cycles through the model, the overall procedure can be adjusted to
incorporate lessons-learned. Figure 15 shows the four steps of this process: Risk Analysis, Pre-Mitigation,
Review Solution, and Post Mitigation. If the level of Risk Exposure (RE) is reduced to a low level on the
Risk Assessment model at an acceptable cost (see also Fig. 16), then the mitigation can be considered
successful and the process is terminated. If the RE still ranks in the high to medium range, then a new
technical solution will have to be developed and the cycle repeated.


12.1 Risk Exposure (RE)
As was mentioned above, the RE process is used to determine the RE, defined as the criticality of the system in relationship to the likelihood that an attack could occur against a known system vulnerability. This analysis is fairly complex and is based on five categories that identify:
• Potential exploit threat
• Skill level required by the attacker
• Probability of occurring
• Level of risk to asset
• Value of asset(s) to the business.
The RE provides a weighted analysis that calculates the risk exposure for a given threat or known vulnerability. This differs from the standard risk model, which only attempts to take into consideration Threat × Vulnerability × Cost and does not consider the critical impact of the at-risk system. The resulting risk exposure analysis provides a category rating of high, medium, or low based on the severity of the exploit, the probability of it occurring, and the value of the asset, as depicted in Fig. 16.
Fig. 15: Risk Mitigation Process (a cycle of four steps: Risk Analysis, Pre-Mitigation, Review Solution, Post Mitigation)

Fig. 16: Risk Exposure Analysis

12.2 Risk Analysis in Information Security in Relation to ROSI
To meet corporate and regulatory requirements, a process needs to be implemented that allows for
mitigation based on available solutions, financial exposure, and value to mitigate. After analyzing the
problem, a detailed-level process is developed that provides an end-to-end method for risk mitigation,
determines the financial exposure, and evaluates the mitigation solution to aid in reducing the financial
exposure, see Fig. 17.
The process depicted in Fig. 17 provides an end-to-end view of the flow and relationship of each of the
individual RMP sub-processes. The process begins with Risk Analysis where all the requested documents
are reviewed. The Risk Domains (see Fig. 6) are evaluated along with the Threat Source/Actions, Threat
Impact Trees, and Threat Probability from both industry and internal sources [7-9].
In the process, Asset Value (AV), RE, and Annualized Rate of Occurrence (ARO) are parallel processes.
The RE is determined for the pre-mitigation scenario and is used with the AV to compute the Single Loss
Exposure (SLE). The SLE is used with the ARO to determine Annualized Loss Expectancy (ALE) [10].
Other factors included in the SLE are impacts to business processes, customers, revenue, and other
financial impacts [11].
While the initial RE is being analyzed, the search for the existence of an Off-the-Shelf Technical Solution
(OTSTS) is employed. If one is discovered, then the process flows into the post-mitigation analysis with
the RE calculation based on this OTSTS. This is used to calculate ALE (Post) – Post-Mitigation – which is
then compared to ALE (Pre) – Pre-Mitigation – to provide the Return on Security Investment (ROSI). If
an OTSTS does not exist, then a Mitigation Plan (MP) that provides a custom, technical solution is
required. Afterward, the MP is used to calculate the ROSI using the previously described process. If the
MP does not produce an acceptable ROSI, the MP is rejected. At that point, the determination to repeat the
process in hopes of finding a better solution must be made. If a better solution is technically impossible,
then a business decision must be made either to accept the risk or remove it from the network.

Fig. 17: Risk Management Process (flow from Risk Analysis through Pre-Mitigation, where Revenue/Productivity, Cost to Remediate Exploit and Secondary Costs feed Risk Exposure, SLE, ARO and ALE, then the mitigation analysis with Cost to Mitigate, Risk Exposure, SLE, ARO and ALE, to Return on Security Investment (ROSI))

12.3 Return on Security Investment (ROSI)
The ROSI process provides the basis for meaningful cost-benefit analysis of the risk reduction measures.
ROSI is computed by subtracting the delta of ALE (PRE) and ALE (POST) cost exposures from the initial
cost of the countermeasure (including annual recurring costs). This provides a measure that shows how
effective mitigation was in respect to the cost versus the reduction in financial exposure. If the cost to
mitigate exceeds the financial exposure, then the mitigation motivation becomes business-driven or
regulatory in nature.
In information security risk management, the quantitative analysis method is used to determine risk versus the cost and benefit of pending security enhancements. The risk, ROSI, and financial exposure are used to determine the security cost-benefit for proposed security upgrades. While no single area gives an overall assessment of the risk, when viewed collectively they provide an interpretation that gauges the overall risk assessment. To support this analytical approach, a third variable is modeled along with the traditional two-dimensional X and Y axes (see Fig. 18). This allows the financial exposure to be compared to the risk and ROSI of mitigation. This not only depicts the comparison and prioritization of exceptions, but provides a quick analysis to show where the best return on corporate resources can be achieved.


Fig. 18: Risk vs. ROSI Analysis Chart


Example of Quantitatively Assessing Risk
• To quantitatively assess the risk of any given threat, you determine the average annual damage the threat will do to the asset.
Example: if a database (the asset) is worth $250,000, a particular threat would cost $100,000, and there is a 10% (EF) chance of a compromise occurring in the next year,
⇒ the risk is $100,000 – 10% of the damage the threat would do.
Note: follow these steps to perform quantitative risk analysis:
1. Determine the single loss expectancy (SLE)
• SLE is the total amount of revenue that is lost from a single security compromise, where:
SLE = AV x EF, where AV = asset value and EF = exposure factor
For example, if an asset has a value of $100,000 and a security compromise would destroy half the asset’s value, we have:
SLE = AV x EF = $100,000 x 0.50 = $50,000
2. Determine the annual rate of occurrence (ARO)
• The ARO, expressed as a percentage, is the chance of a security compromise in any given year; use historical data to calculate it.
• It ranges from 0% (never) to 100% (once per year).
• You can use a value greater than 100% if the compromise would occur more than once per year, e.g., when analyzing worm or virus threats.
3. Determine the annual loss expectancy (ALE)
• The ALE is the average amount of money that your organization will lose each year if nothing is done to mitigate the risk.
• It is determined as follows:
ALE = SLE x ARO
Example: if you have identified an SLE of $50,000 and the ARO is 15%, then:
ALE = SLE x ARO = $50,000 x 0.15 = $7,500
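The chain described in sections 12.2 and 12.3 (asset value and exposure to SLE, SLE and ARO to ALE, ALE before and after mitigation to ROSI), together with the worked steps above, as an added Python example that is not the page's own code. It uses the page's formulas SLE = AV x EF and ALE = SLE x ARO. The ROSI form used, (ALE_pre - ALE_post - annual countermeasure cost) / annual countermeasure cost, and the spreading of a countermeasure's one-off cost over its service life are assumptions, as are the hot-spare figures, which are constructed rather than taken from Table 14.

```python
"""AV -> SLE -> ALE(pre) -> ALE(post) -> ROSI for one asset and one countermeasure.

Added example; not the page's code. SLE = AV x EF and ALE = SLE x ARO follow the
page. The ROSI ratio form and the amortisation of the initial cost over a
service life are assumptions; every figure in the sample scenario is constructed.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF; EF is the fraction of the asset's value lost in one incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO; an ARO above 1.0 means more than one incident per year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    initial_cost: float           # one-off purchase / implementation cost
    annual_cost: float            # recurring cost (support, licences, staff)
    service_life_years: int       # years the one-off cost is spread over (assumption)
    post_exposure_factor: float   # EF once the countermeasure is in place
    post_aro: float               # ARO once the countermeasure is in place

    def annualised_cost(self) -> float:
        return self.initial_cost / self.service_life_years + self.annual_cost


def rosi(ale_pre: float, ale_post: float, annual_cm_cost: float) -> dict:
    """Yearly risk reduction set against what the countermeasure costs per year."""
    reduction = ale_pre - ale_post
    net_benefit = reduction - annual_cm_cost
    return {"ale_pre": ale_pre, "ale_post": ale_post, "reduction": reduction,
            "cost": annual_cm_cost, "net_benefit": net_benefit,
            "rosi": net_benefit / annual_cm_cost}


def evaluate(asset_value: float, exposure_factor: float, aro: float, cm: Countermeasure) -> dict:
    """Run the full pre/post-mitigation chain for one asset and one countermeasure."""
    ale_pre = annual_loss_expectancy(single_loss_expectancy(asset_value, exposure_factor), aro)
    ale_post = annual_loss_expectancy(
        single_loss_expectancy(asset_value, cm.post_exposure_factor), cm.post_aro)
    result = rosi(ale_pre, ale_post, cm.annualised_cost())
    # Page's rule: when the cost exceeds the exposure it removes, the case for the
    # countermeasure has to be business-driven or regulatory rather than financial.
    result["financially_justified"] = result["net_benefit"] > 0
    return result


# Constructed scenario (figures are assumptions, not Table 14's): a cooling failure
# that takes 40% of a $250,000 system's value 1.5 times a year, versus a hot spare.
HOT_SPARE = Countermeasure("hot spare at alternate site", initial_cost=30_000,
                           annual_cost=5_000, service_life_years=3,
                           post_exposure_factor=0.10, post_aro=1.5)

if __name__ == "__main__":
    r = evaluate(asset_value=250_000, exposure_factor=0.40, aro=1.5, cm=HOT_SPARE)
    for key, value in r.items():
        print(f"{key:>22}: {value:,.2f}" if isinstance(value, float) else f"{key:>22}: {value}")
```

The hot spare in the scenario leaves the ARO unchanged (the cooling still fails) and instead cuts the exposure factor, which is the usual shape of a continuity control; a patch or filtering control would more often lower the ARO while leaving the EF alone.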


13.0 RISK LOG (RISK REGISTER)
A risk register is the backlog of all the information gathered from every risk analysis done. Such a risk
register helps in compiling reports on tendencies, implemented safeguards and the effectiveness of the
whole risk management process in general.
A risk register or risk log is a useful tool to identify, quantify and value the extent of risk and uncertainty
relating to a proposal. A risk register/log can be used to identify the bearer of each risk and uncertainty
associated with the project being appraised, provide an assessment of the likelihood of each risk occurring,
and estimate its impact on project outcomes.
The risk log is set up during the start up of the project, ready to record project risks, including any noted in
the Project Brief. It is an important component of the organization’s risk management framework. This is
a management tool whereby a review and updating process identifies, assesses and manages down the risk
to acceptable levels. It provides a framework in which problems that may arise and adversely affect the
delivery of the anticipated benefits are captured and actions instigated to reduce the probability and the
impact of that particular risk.
13.1 Purpose of Risk Register
The Risk log, in relation to a specific activity or plan (e.g. project), lists all the identified risks and the
results of their analysis and evaluation. Information on the status of the risk is also included. The risk
register should be continuously updated and reviewed throughout the course of a project. Risk log is the
PRINCE2™ term but this may also be known as a risk register. These details can then be used to track and
monitor their successful management as part of the activity to deliver the required, anticipated benefits.
Fitness for purpose checklist:
• Is the Risk log part of a framework for managing risk?
• Does the status indicate whether action has been taken or is in a contingency plan?
• Are the risks uniquely identified (including to which project they refer if the risk relates to a
program)?
• Has each risk been allocated an owner?
• Is access to the Risk log controlled?
• Are activities to review the Risk log in the stage plans?
• Have costs been identified for each risk as a 'risk allowance'?
Suggested content:
• Risk identification number (unique within the log)
• Risk type (where indication helps in planning responses)
• Risk Owner Raised by (person)
• Date identified
• Date last updated
• Description
• Cost if it materializes
• Probability
• Impact
• Proximity
• Possible response actions
• Chosen action
• Target date
• Action owner/custodian (if differs from risk owner)
• Closure date
• Cross references to plans and associated risks
• Risk status and Risk Action Status (may also be included)
Source information: Issues and risks can be raised by anyone involved in the project or its stakeholders
throughout its lifecycle.
Notes: Where suppliers and/or partners are involved, it is essential to have a shared understanding of risks
and agreed plans for managing them. The risk register builds the basis for risk communication between the
security department and the rest of a company (and beyond).
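The suggested content and the fitness-for-purpose checklist above, as an added Python risk register that is not from the page, PRINCE2 or any product. The 1-5 probability and impact scales, the expected-cost weighting used for the risk allowance, the status vocabulary and the sample entries are constructed assumptions.

```python
"""Risk register (risk log) with the suggested fields and mechanical fitness checks.

Added example, not from the page or PRINCE2. The 1-5 scales, the status
vocabulary, the expected-cost weighting and the sample entries are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

STATUSES = {"open", "action-in-progress", "contingency", "closed"}


@dataclass
class RiskEntry:
    risk_id: str                        # unique within the log
    risk_type: str
    description: str
    raised_by: str
    date_identified: date
    probability: int                    # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                         # 1 (negligible) .. 5 (severe), assumed scale
    cost_if_materialises: float         # basis for the "risk allowance"
    owner: Optional[str] = None
    proximity: str = "unknown"
    possible_responses: List[str] = field(default_factory=list)
    chosen_action: Optional[str] = None
    action_owner: Optional[str] = None  # None means the risk owner acts
    target_date: Optional[date] = None
    closure_date: Optional[date] = None
    status: str = "open"
    date_last_updated: Optional[date] = None

    def exposure(self) -> int:
        return self.probability * self.impact


class RiskRegister:
    def __init__(self) -> None:
        self._entries: Dict[str, RiskEntry] = {}

    def add(self, entry: RiskEntry) -> None:
        if entry.risk_id in self._entries:
            raise ValueError(f"{entry.risk_id}: risk id already in the log")
        if not (1 <= entry.probability <= 5 and 1 <= entry.impact <= 5):
            raise ValueError(f"{entry.risk_id}: probability and impact must be 1..5")
        entry.date_last_updated = entry.date_last_updated or entry.date_identified
        self._entries[entry.risk_id] = entry

    def update_status(self, risk_id: str, status: str, on: date) -> None:
        if status not in STATUSES:
            raise ValueError(f"unknown status {status!r}")
        e = self._entries[risk_id]
        e.status, e.date_last_updated = status, on
        if status == "closed":
            e.closure_date = on

    def open_risks(self) -> List[RiskEntry]:
        return [e for e in self._entries.values() if e.status != "closed"]

    def top_risks(self, n: int) -> List[RiskEntry]:
        return sorted(self.open_risks(), key=lambda e: e.exposure(), reverse=True)[:n]

    def risk_allowance(self) -> float:
        """Expected cost of open risks (cost x probability/5): an assumed weighting."""
        return sum(e.cost_if_materialises * e.probability / 5 for e in self.open_risks())

    def fitness_issues(self) -> List[str]:
        """Checklist items that can be tested mechanically; empty list means fit."""
        issues = []
        for e in self._entries.values():
            if e.owner is None:
                issues.append(f"{e.risk_id}: no owner allocated")
            if e.status not in STATUSES:
                issues.append(f"{e.risk_id}: status {e.status!r} does not show whether action was taken")
            if e.cost_if_materialises <= 0:
                issues.append(f"{e.risk_id}: no cost identified for the risk allowance")
            if e.chosen_action and e.target_date is None and e.status != "closed":
                issues.append(f"{e.risk_id}: chosen action has no target date")
        return issues


def make_entry(risk_id: str, **overrides) -> RiskEntry:
    """Constructor with constructed defaults so samples stay short."""
    base = dict(risk_type="technical", description="constructed sample risk", raised_by="analyst",
                date_identified=date(2024, 1, 15), probability=2, impact=2,
                cost_if_materialises=10_000.0, owner="CISO")
    base.update(overrides)
    return RiskEntry(risk_id, **base)


def build_sample_register() -> RiskRegister:
    reg = RiskRegister()
    reg.add(make_entry("R-001", risk_type="environmental", probability=4, impact=5,
                       cost_if_materialises=250_000.0, chosen_action="hot spare at alternate site",
                       target_date=date(2024, 9, 1), status="action-in-progress"))
    reg.add(make_entry("R-002", risk_type="operational", probability=2, impact=3, owner=None))
    reg.add(make_entry("R-003", probability=3, impact=4, chosen_action="patch VPN concentrator"))
    return reg
```

Running `build_sample_register().fitness_issues()` flags R-002 for having no owner and R-003 for an action without a target date, which is exactly the kind of gap the checklist is meant to catch before the log is reviewed at a stage boundary.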
Standards such as the international standard ISO_17799, Control Objectives for Information and related Technology (COBIT) and ITIL for best practices are useful frameworks for building a security and risk
management strategy. Furthermore, it is important to define the roles and responsibilities of everyone who is part of your security risk management plan, i.e., everyone from the chief security officer to every user who has access to the enterprise network.
14.0 VULNERABILITY MANAGEMENT TECHNIQUES
Recall that integrated layered network lines of defense and access controls are helpful, but it doesn’t hurt to make the target smaller. Vulnerability management tools offer the potential to do just that. While network access control is focused on PCs and laptops, vulnerability assessment products cover a broader territory, scanning PCs, servers and network devices for missing security patches or botched configuration settings that could lead to an attack. The tools may be installed on PCs and servers, and are available as bundled hardware/software appliances. Vulnerability assessment can also be purchased as a service. Code scanners review lines of software code to identify flaws an attacker could exploit.
Automated code analyzers let organizations build security into the software development process.
Products from vendors such as Ounce Labs and Fortify Software look for design flaws in an application’s
source code, while vendors like Veracode analyze compiled binary code. The main objective of code
analysis is to reduce the attack surface of the application itself, since in reality, you can’t strip 100% of the
risk out of an application – there is not enough time or money to do it. But you can strip out the vast
majority of risk and give perimeter defense a fighting chance.
Another component of vulnerability management is software for automating penetration tests. This technology gives organizations a view of enterprise networks and applications from an assailant’s perspective. Penetration testing can help an organization identify weaknesses in application design and security processes. You can also use penetration testing to check for weaknesses in security products before purchasing them. Vendors offering automated penetration testing products include Cenzic, Core Security and Mu-Security. The open-source Metasploit Project offers the Metasploit Framework for penetration testing. Other products, like Core Security’s Core Impact software, are excellent for penetration testing. The product can also gather information about the network to be tested, scan for TCP/IP port vulnerabilities, and catalog the operating systems and services running on host systems. For example, Core Impact launches attacks using information gleaned during the discovery phase. Organizations tend to use penetration testing sparingly, typically once a year, due to cost – outside consultants may charge $100,000 per test – and the potential for network disruption is high.
Automated testing is considered faster than hiring a third party. Core Impact’s annual licensing fee, for example, is $25,000. Manual testing, however, may be used to supplement tool-based reviews because it has the potential to identify flaws in business logic that automated scanners are usually incapable of finding. However, the use of automated tests gives the organization extra leverage – the ability to increase the frequency of penetration testing for a broader set of line-of-business applications such as e-commerce Web sites.
Moreover, implementing in-house tests using the Core Impact tools leverages insider information. Testers will consult data flow and systems interconnect diagrams to target particular applications. In this kind of scenario, the main objective is to determine whether a weakness in one application can be exploited to infiltrate another system. Tests of this type simulate a malicious insider or an outsider with administrative-level access. As a case in point, you might discover an application that contains a poorly designed user authentication mechanism; if left unchecked, and if that interface were exploited, the compromised system could be used to breach an application that holds highly confidential corporate information or thousands of customers’ personal data, such as credit or health history in the case of hospitals.
Finally, it is important that after every penetration test run, the organization should involve all the stakeholders in scrutinizing the test reports. Figure 19 shows an example of a security assessment for PCI
compliance. Today, the mistake that many organizations make is to conduct a penetration test and then focus only on report generation. It is important to note that a report presented without discussion, and without the representation of all the stakeholders involved in network security, may end up on a shelf – and this is not the main purpose of a penetration test.
Fig. 19: Example of a security assessment for PCI compliance. The figure maps network-based and host-based technologies, each feeding reports into the management system, onto the PCI requirements they support:

Technologies
• Event Management Tool: configured to gather event logs from the firewall; rules to identify SQL injection attacks, password brute force attacks, DoS attacks and improper access attempts.
• Network Scanning: scan for open ports, SQL injection vulnerability and vulnerable network services.
• Compliance Assessment Tools: check for default user IDs, password expiration, password complexity and access rights on sensitive files.

PCI Requirements
• Develop and maintain secure systems and applications.
• Track and monitor all access to network resources and cardholder processes.
• Restrict access to data by business need-to-know.
• Assign a unique ID to each person with computer access.
• Restrict physical access to cardholder data.
• Maintain a policy that addresses information security.
• Protect stored data.
• Encrypt transmission of cardholder data and sensitive information across public networks.
• Use and regularly update anti-virus software.
• Regularly test security systems and processes.
• Install and maintain a firewall configuration to protect data.
• Do not use vendor-supplied defaults for system passwords and other security parameters.
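The event-management rules that Fig. 19 lists (brute-force, SQL injection, DoS and improper-access detection over firewall and web-server events), as an added Python example that is not the page's or any vendor's code. The one-line log layout (timestamp, source IP, action, detail), the sample events and the thresholds are constructed assumptions; a real deployment would tune the thresholds and read its own firewall and web logs.

```python
"""Event-management rules of the kind Fig. 19 lists, run over constructed events.

Added example, not code from the page or from any product. Log layout,
sample events and thresholds are all constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed sample feed: "<ISO timestamp> <source IP> <action> <detail>"
SAMPLE_LOG = """\
2024-03-01T10:00:01 198.51.100.7 AUTH_FAIL user=admin
2024-03-01T10:00:03 198.51.100.7 AUTH_FAIL user=admin
2024-03-01T10:00:05 198.51.100.7 AUTH_FAIL user=admin
2024-03-01T10:00:07 198.51.100.7 AUTH_FAIL user=admin
2024-03-01T10:00:09 198.51.100.7 AUTH_FAIL user=admin
2024-03-01T10:00:20 203.0.113.9 HTTP GET /search?q=shoes
2024-03-01T10:00:21 203.0.113.9 HTTP GET /search?q=%27+OR+1%3D1--
2024-03-01T10:01:00 192.0.2.44 AUTH_FAIL user=bob
2024-03-01T10:05:00 192.0.2.44 AUTH_OK user=bob
2024-03-01T10:06:00 203.0.113.9 DENY dst=/admin/export
2024-03-01T10:07:00 192.0.2.99 CONN dst=203.0.113.5:443
2024-03-01T10:07:00 192.0.2.99 CONN dst=203.0.113.5:443
2024-03-01T10:07:01 192.0.2.99 CONN dst=203.0.113.5:443
2024-03-01T10:07:01 192.0.2.99 CONN dst=203.0.113.5:443
"""

# Classic SQL injection tells, matched against the URL-decoded request line
SQLI_PATTERN = re.compile(
    r"(?i)(\bunion\b.{0,20}\bselect\b|\bor\b\s+\d+\s*=\s*\d+|'\s*(or|and)\s|--\s*$|;\s*(drop|insert|update)\b)"
)


def parse_events(text: str):
    """Yield one dict per non-empty line: ts (datetime), src, action, detail."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, action, detail = line.split(" ", 3)
        yield {"ts": datetime.fromisoformat(ts), "src": src, "action": action, "detail": detail}


def _burst_rule(events, action: str, threshold: int, window_s: int, rule: str):
    """Alert once per source when `threshold` events of `action` fall inside `window_s` seconds."""
    recent, alerted, alerts = defaultdict(list), set(), []
    for ev in events:
        if ev["action"] != action:
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_s:   # slide the window forward
            q.pop(0)
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({"rule": rule, "src": ev["src"],
                           "detail": f"{len(q)} {action} events within {window_s}s"})
    return alerts


def rule_brute_force(events):      # password brute force: many failed logins, one source
    return _burst_rule(events, "AUTH_FAIL", threshold=5, window_s=60, rule="brute_force")


def rule_dos(events):              # DoS: connection flood from one source (threshold kept low for the sample)
    return _burst_rule(events, "CONN", threshold=4, window_s=10, rule="dos")


def rule_sql_injection(events):
    alerts = []
    for ev in events:
        if ev["action"] != "HTTP":
            continue
        decoded = unquote_plus(ev["detail"])          # decode before matching, or %27 hides the quote
        if SQLI_PATTERN.search(decoded):
            alerts.append({"rule": "sql_injection", "src": ev["src"], "detail": decoded})
    return alerts


def rule_improper_access(events):  # firewall / application denies on protected resources
    return [{"rule": "improper_access", "src": ev["src"], "detail": ev["detail"]}
            for ev in events if ev["action"] == "DENY"]


def run_rules(text: str) -> list:
    events = list(parse_events(text))
    return (rule_brute_force(events) + rule_sql_injection(events)
            + rule_dos(events) + rule_improper_access(events))


if __name__ == "__main__":
    for a in run_rules(SAMPLE_LOG):
        print(f"{a['rule']:<16} {a['src']:<14} {a['detail']}")
```

The sliding-window helper is shared by the brute-force and DoS rules because both are rate rules; only the action, threshold and window differ. Decoding the request before pattern matching matters: the constructed `%27+OR+1%3D1--` request would slip past a rule that inspects the raw URL.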
14.1 Different IT Security Vulnerability Scanning and Testing Techniques
• Security testing service can provide different levels of security assurance as shown in Fig. 20.
• Vulnerability scanning typically uses automated systems. It requires minimal hands-on intervention in
the qualification and assessment of vulnerabilities. This is a fast and inexpensive way to ensure that no
obvious vulnerabilities exist, but it doesn’t provide the granular analysis found in a full manual test.
• Network security assessment sits between vulnerability assessment and full penetration testing and
utilizes an effective blend of tools. It requires qualified and trained security analysts.
• Full penetration testing involves multiple attack vectors to compromise the target environment. Within the security community penetration testing is considered an ‘art’.


Fig. 20: Cost of performing network vulnerability testing. The chart plots assessment depth against cost/time for vulnerability scanning, network assessment and penetration testing, across the Internet, DMZ and internal network. Network security areas covered: border routers, firewalls, IDS (Intrusion Detection System), IPS (Intrusion Prevention System), VPN devices, software architecture, DMZs and screened subnets, hosts.

14.2 Network Penetration Testing Methods
Enterprise security analysts should perform penetration testing and vulnerability assessments based on
proven security methodologies (e.g., ISSAF and OSSTMM) and industry-recognized best practices (e.g.,
ITIL and ISO 17799). There are three approaches to penetration testing:
• zero-knowledge test
• full knowledge test
• partial knowledge test

The target organization must decide what type of test is the best according to their IT security needs.

1) Zero-knowledge attack (black box): the penetration team has no real information about the
target environment and must generally begin with information gathering. This type of test is
obviously designed to provide the most realistic penetration test possible.

2) Partial knowledge test (partial black box): the target organization provides the penetration test
team with the type of information a motivated attacker could be expected to find, and saves time
and expense. To conduct a partial knowledge test, the penetration team is provided with such
documents as policy and network topology documents, asset inventory, and other valuable
information.

3) Full-knowledge attack (white box): the penetration team has as much information about the
target environment as possible. This approach is designed to simulate an attacker who has intimate
knowledge of the target organization’s systems, such as a current or former employee.

14.4 Information Systems Security Assessment Framework (ISSAF)
The ISSAF is intended to comprehensively report on the implementation of existing controls to support
ISO/IEC 27001:2005 (BS 7799), Sarbanes-Oxley SOX-404, COBIT, SAS 70 and COSO, thus adding value
to the operational aspects of IT-related business transformation programs.
Rationale: it provides a useful framework and comes with detailed documentation for penetration
testing, in particular section S - Web Server Security Assessment, section T - Web Application Security
Assessment, section U - Web Application Security Assessment - SQL Injections, and section V - Source
Code Auditing.
14.5 IT Risk & Vulnerability Testing Tools
There are several very powerful tools that can be used for IT Risk & Vulnerability Assessments; these are
the open-source Metasploit Framework and Nessus, and FoundScan (see also Fig. 1).
14.5.1 Metasploit Framework
What is it?
The Metasploit Framework is a development platform for creating security tools and exploits. The
framework is used by network security professionals to perform penetration tests, system administrators to
verify patch installations, product vendors to perform regression testing, and security researchers world-
wide. The framework is written in the Ruby programming language and includes components written in C
and assembler.
What does it do?
The Metasploit Framework consists of tools, libraries, modules, and user interfaces. The basic function of
the framework is a module launcher, allowing the user to configure an exploit module and launch it at a
target system. If the exploit succeeds, the payload is executed on the target and the user is provided with a
shell to interact with the payload.
14.5.2 Nessus
Nessus is an open-source network vulnerability scanner that uses the Common Vulnerabilities and
Exposures architecture for easy cross-linking between compliant security tools. Nessus employs the
Nessus Attack Scripting Language (NASL), a simple language that describes individual threats and
potential attacks.
Nessus has a modular architecture consisting of centralized servers that conduct scanning, and remote
clients that allow for administrator interaction. Administrators can include NASL descriptions of all
suspected vulnerabilities to develop customized scans. Significant capabilities of Nessus include:
• Compatibility with computers and servers of all sizes.
• Detection of security holes in local or remote hosts.
• Detection of missing security updates and patches.
• Simulated attacks to pinpoint vulnerabilities.
• Execution of security tests in a contained environment.
• Scheduled security audits.
The Nessus server is currently available for UNIX, Linux and FreeBSD. The client is available for UNIX-
or Windows-based operating systems.
14.5.3 FoundScan
Single-system and network scanning sites and utilities abound, but none will do the really important work
for you. Cheap scanners report weaknesses with no useful fix information. The better ones find
weaknesses and recommend remedies that sometimes work. Good luck tracking such problems and their
solutions in a corporation with hundreds of seats.
Enter Foundstone, FoundScan. FoundScan Managed Security Services is more than just a scanner. The
service has the capability to manage the repair of detected vulnerabilities. Companies that have used the
tool have objectively reported on how their network security had improved by using a FoundScore – an
easy-to-understand rating from 0 to 100. Now, that technology is provided as software in the impressive
FoundScan 2.5.
For its customers, Foundstone installs the software on two dedicated servers and provides a couple of
days' training and assistance in footprinting, or finding all the domains and IP addresses (internal and
external) associated with a company. FoundScan is both easy to use and wonderfully feature-rich. It uses a
unique methodology to discover and resolve vulnerabilities. The entire process is controlled through a
powerful administrative utility that lets you tweak settings to massage a network gently or move up to a
full-hammer assault.
First the program detects live hosts using not only ICMP but also TCP-ping and UDP-ping of popular
ports. Administrators can set the number of such passes to allow for the highest accuracy. One can also run
FoundScan against entire address ranges of your network. For example, in a single such run on control
groups, FoundScan discovered all 10 live hosts in an array of 31 IP addresses on the first pass. In the
larger scans, about 90 percent of hosts were discovered with one pass. The second scan usually identified
another 5 percent, and the third typically caught almost all the rest. (In general, scanning technique is still
not a perfect science; for example, systems may go temporarily off-line.)
After identifying live hosts, FoundScan then discovers services that are running. To save time,
administrators can use a well-thought-out preset to scan only specific ports known to run both safe and
dangerous TCP and UDP services. This is fully customizable, however, and if you have the time, you can
run scans on all 65,536 ports.
FoundScan also comes with powerful mapping features, which create detailed topologies of all facets of a
network, showing nodes and the machines that orbit them. The system is still not foolproof in finding all
wireless access points, but it did identify about 80 percent during a test run. We expect future versions to
improve on this, which is important, considering that a rogue access point can provide far too much access
indeed. The topology maps that come up in the report show IP addresses on a mouse-over.
The report also lists the core benefit of FoundScan: the detailed analyses of discovered vulnerabilities,
along with accurate explanations and fixes. You can view vulnerabilities by severity, IP address, and other
search parameters. A manager can parse, search, and present reports in flexible ways, providing valuable
data to both executives who want an overview and techies who want to drill down.
You can also use FoundScan's Web interface, which provides access to the reports, to manage the features
in the standalone utility. More important, the Web interface lets an administrator use VulnTrak – the
tracking system that assigns tickets to vulnerabilities. Administrators can pick employees for performing
fixes, assign due dates, and check to see whether the tickets have been resolved.
Thanks to the FoundScore, you can compare a report of network conditions on a given day with future
scans to see how vulnerability fixes have improved network conditions. Compared with the other available
solutions, some of which are limited to scanning only external addresses, FoundScan is almost perfect.
With a few minor improvements, its next version just may be.
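As an added illustration of the two ideas described above, a 0-100 rating that can be compared between scans (the FoundScore idea) and per-finding remediation tickets with owners and due dates (the VulnTrak idea), the following Python is example code, not Foundstone's or FoundScan's own; the severity weights, deadlines, owners, hosts and findings are constructed assumptions.

```python
"""Comparing two vulnerability scans and tracking remediation.

Added example, not FoundScan or Foundstone code. It models two ideas from the
text: a 0-100 rating comparable between scans (the FoundScore idea) and one
ticket per finding with an owner and due date (the VulnTrak idea). Weights,
deadlines, hosts and findings are constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed severity weights and remediation deadlines in days (not vendor values).
WEIGHT = {"high": 10, "medium": 4, "low": 1}
SLA_DAYS = {"high": 7, "medium": 30, "low": 90}


@dataclass(frozen=True)
class Finding:
    host: str      # address of the affected host
    check: str     # name of the check that fired
    severity: str  # "high", "medium" or "low"


def score(findings, hosts_scanned):
    """Rate a scan from 0 (worst) to 100 (nothing found); weighted findings are
    spread over the hosts scanned so scans of the same range are comparable, and
    an average of ten weight points per host drives the rating to zero."""
    if hosts_scanned <= 0:
        return 100
    penalty = 10 * sum(WEIGHT[f.severity] for f in findings) / hosts_scanned
    return max(0, int(100 - penalty))


def compare(before, after):
    """Split findings into fixed, new and persisting between two scans."""
    before, after = set(before), set(after)
    return {"fixed": before - after, "new": after - before,
            "persisting": before & after}


def tickets(findings, owners, scan_date):
    """One remediation ticket per finding, most severe first."""
    ordered = sorted(findings, key=lambda f: (-WEIGHT[f.severity], f.host))
    return [{"host": f.host, "check": f.check, "severity": f.severity,
             "owner": owners.get(f.host, "unassigned"),
             "due": scan_date + timedelta(days=SLA_DAYS[f.severity])}
            for f in ordered]


# Constructed sample data: a four-host range scanned before and after fixes.
HOSTS_SCANNED = 4
OWNERS = {"192.0.2.10": "unix-team", "192.0.2.11": "unix-team",
          "192.0.2.12": "network-team"}
SCAN_1 = [Finding("192.0.2.10", "vendor-default-password", "high"),
          Finding("192.0.2.10", "outdated-ssh-server", "medium"),
          Finding("192.0.2.11", "anonymous-ftp-writable", "high"),
          Finding("192.0.2.12", "icmp-timestamp-reply", "low")]
SCAN_2 = [Finding("192.0.2.10", "outdated-ssh-server", "medium"),
          Finding("192.0.2.12", "icmp-timestamp-reply", "low"),
          Finding("192.0.2.13", "vendor-default-password", "high")]  # new host

if __name__ == "__main__":
    print("score before/after:", score(SCAN_1, HOSTS_SCANNED), score(SCAN_2, HOSTS_SCANNED))
    print({k: len(v) for k, v in compare(SCAN_1, SCAN_2).items()})
    for t in tickets(SCAN_2, OWNERS, date(2008, 2, 2)):
        print(t)
```

Running it shows the rating rising from 37 to 62 after two high-severity findings were fixed while one new host introduced a fresh one, which is exactly the kind of day-to-day comparison the text describes.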
In summary: proper implementation of vulnerability technologies (e.g., penetration testing, vulnerability
assessment and code scanning tools) gives organizations extra leverage: the ability to sniff out problems
that might not otherwise have surfaced, and help in meeting internal audit and compliance requirements.
It can also strip out the vast majority of risk and thereby give perimeter defenses a fighting chance. Best
practices: vary testing approaches to cast a bigger vulnerability net, and work with business units to
discuss test results and define remediation plans.
15.0 RISK REVIEW
15.1 Regular review
Risk should be reviewed on a regular basis. The risk management life cycle should be restarted at least
once every 12 to 18 months. Factors in deciding how often to do a risk analysis are:
• Changing assets.
• Changing environment.
• Implementation of Safeguards.
• Status of Safeguards.
• External events (Exploits, disasters, trends, ...).
Based on these factors, the security officer should decide on a regular review cycle.
15.2 Incident Management
Incident management is the process of planning and preparing for any unwanted occurrence. It is
about what to do when, for example, a web site is defaced. Incident management prepares detailed
instructions on how to proceed with incident response, secure evidence, gather intelligence on how
things happened, and then return to the normal state.
15.3 Crisis Management
Crisis management is planning and managing the time between an event and the recovery (it needs to be
a major event, such as a sinking ship or people’s lives being threatened; otherwise incident management
will suffice). Crisis management is about analyzing a crisis situation and deciding on a response. It is
important to note that risk management is not crisis management, but managing risk successfully also
means managing an incident or a crisis.
15.3.1 Crisis-management Plan
This should be triggered if sensitive employee or customer data is lost, stolen, or acquired electronically. It
should include instructions to prevent identity theft if social security numbers and/or financial account
numbers are obtained illegitimately.
16.0 GUIDELINES FOR CREATING A CONTINGENCY PLAN & INCIDENT RESPONSE PLAN
If you choose to mitigate/react to a security compromise of an asset, then you must create a contingency
plan and an incident response plan.
Contingency plans should have five steps:
• Limit the damage
• Assess the damage
• Determine the cause of the damage
• Repair the damage
• Perform a postmortem review.
16.1. Limit the Damage
Containing the damage caused during the attack limits the amount of further damage. For example, if a
virus gets into your network environment, you try to limit the damage as soon as possible, e.g., by
disconnecting the affected servers from the network immediately; this should be done as swiftly as
possible.
16.2. Assess the Damage
To assess the damage, you must determine what resources were compromised: e.g., was a single
computer compromised, or did the attacker gain privileges that enabled him to access other computers on
your network? You must also identify critical resources that are offline as a result of the attack.
Note: Gathering Evidence – if you need to gather legal evidence about the attack, it is important to take
the computers offline and back up their hard disks and other storage before analyzing the logs.
16.3. Determine the Cause of the Damage
To determine the cause of the damage, it is necessary to understand what resources the attack was
aimed at and what vulnerabilities were exploited to gain access or disrupt services. Reviewing system
logs, audit logs, and audit trails often helps in discovering where the attack originated in the system and
what other resources were affected.
16.4. Repair the Damage
It is important that the damage be repaired as quickly as possible to restore normal business operations
and any data lost during the attack. The incident response team should be available to handle the restore-
and-recovery process and to provide guidance on it. During this process, contingency procedures should
be executed to limit further spread of the damage and to isolate it.
16.5. Perform a Postmortem Review
After a compromise has been contained, you must review the cause of the compromise and, hopefully,
identify a countermeasure to prevent the compromise from occurring again in the future. During this stage,
you should take time to examine the success of the contingency plan and should endeavor to make any
adjustments necessary to better prepare yourself for the next compromise. It is also important to remember
that you must practice contingency plans before a compromise occurs, i.e., be ready, just in case.
17.0 SUMMARY
In summary, successful and effective risk management is the basis of successful and effective IT security
management. Due to the reality of limited resources and nearly unlimited threats, a reasonable
decision must be made concerning the allocation of resources to protect systems. Risk management
practices allow the organization to protect information and business process commensurate with their value.
To ensure the maximum value of risk management, it must be consistent and repeatable, while focusing
on measurable reductions in risk. Establishing and utilizing an effective, high quality risk management
process and basing the information security activities of the organization on this process will lead to an
effective information security program in the organization.
18.0 CONCLUSION
The risk management process discussed in this document builds on industry-accepted practices to identify
and capture the different elements that represent the total risk model for any system or network threat. The
objective is to address not just traditional IT security systems, but to include IT development that has
extended to provide innovative solutions to business needs. These non-traditional IT systems are least
understood and present the biggest challenge when trying to quantify financial exposure. Other
considerations are the type of data processed, data stored, or data transported by the compromised systems
and what impact(s) a threat could present. From preliminary reviews, this model addresses the
fundamental risk elements as they are known. The complicated part of the analysis may be identifying
multi-level risks as an exploit propagates through a network creating various cause-and-effect
circumstances. In some cases, the secondary effect may be greater than the primary effect (e.g., the Code
Red attack).

When considering the source of potential attacks, keep in mind that approximately 50 percent of all
attacks originate from within the enterprise. According to the CSI/FBI Computer Crime and Security
Survey, this is a continuing trend that has been reported over the last several years [12]. The adaptation of
the IT Security Risk Analysis model has resulted in a better understanding of the financial exposure
associated with a given security risk. Through this process, Serengeti Information Security Consulting
(SISC) is able to help customers understand the risks presented in this new “cyberworld.” SISC is an
industry leader in the quantitative analysis of security risks, and SISC’s clients can depend on our
Flintstonian and world-class security team to provide secure solutions in a cyber-world that is not secure.
19.0 REFERENCES
1. National Institute of Standards and Technology Special Publication 800-30, Risk Management Guide for
Information Technology Systems (July 2002) – page 8
2. National Institute of Standards and Technology Special Publication 800-30, Risk Management Guide for
Information Technology Systems (July 2002) – page 12
3. National Institute of Standards and Technology Special Publication 800-30, Risk Management Guide for
Information Technology Systems (July 2002) – page 12
4. National Institute of Standards and Technology Special Publication 800-30, Risk Management Guide for
Information Technology Systems (July 2002) – page 15
5. Horton, Thomas. “Managing Information Security Risks.”
6. Bob, B., Ellen, M., & Dan, G. (2001). Information security is information risk management.
Proceedings of the 2001 Workshop on New Security Paradigms. Cloudcroft: ACM Press.
7. Microsoft Corporation. (2004, February 2). Identifying and managing security risks: understanding
the security risk management discipline.
8. Boltz, J., Doring, E., & Gilmore, M. (1999, November). Information security risk assessment practices
of leading organizations. General Accounting Office/Accounting and Information Management
Division.
9. Stoneburner, G., Goguen, A., & Feringa, A. (2002, July). Risk management guide for information
technology systems. National Institute of Standards and Technology.
10. Tipton, H., Krause, H., & Ozier, W. Risk analysis and assessment. Information Security Management
Handbook (4th ed.). Newport Beach: Auerbach Publications.
11. Halper, A. (2003). Quantifying the financial impact of IT security breaches. Information Management
& Computer Security, 11(2), 74-83.
12. Gordon, L., Loeb, M., Lucyshn, W., & Richardson, R. (2004). CSI/FBI Computer Crime and Security
Survey.