
Upload: andreas-long

Post on 20-Sep-2015


  • Course : 7083M - IS RISK MANAGEMENT

    Managing Information Security Session 1

  • What Is Information Security?

    Information security is more than setting up a firewall, applying patches to fix newly discovered vulnerabilities in your system software, or locking the cabinet with your backup tapes. Information security is determining what needs to be protected and why, what it needs to be protected from, and how to protect it for as long as it exists.

  • Vulnerability Assessment

    A vulnerability assessment is a systematic, point-in-time examination of an organization's technology base, policies, and procedures. It includes a complete analysis of the security of an internal computing environment and its vulnerability to internal and external attack. These technology-driven assessments generally:

    - Use standards for specific IT security activities (such as hardening specific types of platforms)
    - Assess the entire computing infrastructure
    - Use (sometimes proprietary) software tools to analyze the infrastructure and all of its components
    - Provide a detailed analysis showing the detected technological vulnerabilities and possibly recommending specific steps to address those vulnerabilities

  • Information Systems Audit

    Information systems audits are independent appraisals of a company's internal controls to assure management, regulatory authorities, and company shareholders that information is accurate and valid. Audits will typically leverage industry-specific process models, benchmarks, standards of due care, or established best practices. They look at both financial and operational performance. An audit may also be based on proprietary business process risk control and analysis methods and tools. Audits are generally performed by licensed or certified auditors and have legal implications and liabilities. During an audit, the business records of a company are reviewed for accuracy and integrity.

  • Information Security Risk Evaluation

    Security risk evaluations expand upon the vulnerability assessment to look at the security-related risks within a company, including internal and external sources of risk as well as electronic-based and people-based risks.

  • These multifaceted evaluations attempt to align the risk evaluation with business drivers or goals and usually focus on the following four aspects of security:

    - They examine the corporate practices relating to security to identify strengths and weaknesses that could create or mitigate security risks. This procedure may include a comparative analysis that ranks this information against industry standards and best practices.
    - They include a technological examination of systems, reviews of policy, and an inspection of physical security.
    - They examine the IT infrastructure to determine technological vulnerabilities. Such vulnerabilities include susceptibility to any of the following situations:
      - The introduction of malicious code
      - Corruption or destruction of data
      - Exfiltration of information
      - Denial of service
      - Unauthorized change of access rights and privileges
    - They help decision makers examine trade-offs to select cost-effective countermeasures.

  • Managed Service Providers

    Managed security services providers rely on human expertise to manage a company's systems and networks. They use their own or another vendor's security software and devices to protect your infrastructure. Usually, a managed security service will proactively monitor and protect an organization's computing infrastructures from attacks and misuse. The solutions tend to be customized for each client's unique business requirements and to use proprietary technology. They can either actively respond to intrusions or notify you after they occur. Some employ automated, computer-based learning and analysis, promising decreased response time and increased accuracy.

  • Information Security Risk Evaluation and Management

    Think about how much you rely upon access to information and systems to do your job. Today, information systems are essential to most organizations, because virtually all information is captured, stored, and accessed in digital form. We rely on digital data that are accessible, dependable, and protected from misuse. Systems are interconnected in ways that could not have been imagined ten years ago. Networked systems have enabled unprecedented access to information. Unfortunately, they have also exposed our information to a variety of new threats. Organizations today have implemented a wide variety of complex computing infrastructures. They need flexible approaches that enable them to understand their information-specific security risks and then to create strategies to address those risks.

  • An organization that wishes to improve its security posture must be prepared to take the following steps:

    - Change from a reactive, problem-based approach to proactive prevention of problems.
    - Consider security from multiple perspectives.
    - Establish a flexible infrastructure at all levels of the organization capable of responding rapidly to changing technology and security needs.
    - Initiate an ongoing, continual effort to maintain and improve its security posture.

  • Evaluation Activities

    Consider what happens during an evaluation. When an organization conducts an information security risk evaluation, it performs activities to:

    - Identify information security risks
    - Analyze the risks to determine priorities
    - Plan for improvement by developing a protection strategy for organizational improvement and risk mitigation plans to reduce the risk to critical organizational assets

  • The evaluation only provides a direction for an organization's information security activities; it does not necessarily lead to meaningful improvement. No evaluation, no matter how detailed or how expert, will improve an organization's security posture unless the organization follows through by implementing the results. After the evaluation, the organization should take the following steps:

    - Plan how to implement the protection strategy and risk mitigation plans from the evaluation by developing detailed action plans. This activity can include a detailed cost-benefit analysis among strategies and actions.
    - Implement the selected detailed action plans.
    - Monitor the plans for progress and effectiveness. This activity includes monitoring risks for any changes.
    - Control variations in plan execution by taking appropriate corrective actions.

  • Risk evaluation is only the first step of risk management. The accompanying figure illustrates an information security risk management framework and the "slice" of it that an evaluation provides. The framework highlights the operations that organizations can use to identify and address their information security risks.

  • An Approach to Information Security Risk Evaluations

    An information security risk evaluation must identify both organizational and technological issues to be effective. It must address both the computing infrastructure and the way in which people use it as they perform their jobs. Thus, an evaluation needs to incorporate the context in which people use the infrastructure to meet the business objectives of the organization as well as technological security issues related to the infrastructure. It must consider what makes the organization succeed and what makes it fail.

  • OCTAVE Approach

    The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) enables an organization to sort through the complex web of organizational and technological issues to understand and address its information security risks. OCTAVE defines an approach to information security risk evaluations that is comprehensive, systematic, context driven, and self-directed.

  • Three Phases

    The organizational, technological, and analysis aspects of an information security risk evaluation lend themselves to a three-stage approach. OCTAVE is built around these three phases to enable organizational personnel to assemble a comprehensive picture of the organization's information security needs.

  • Phase 1: Build Asset-Based Threat Profiles. This is an evaluation of organizational aspects. Staff members from the organization contribute their perspectives on what is important to the organization (information-related assets) and what is currently being done to protect those assets. The analysis team consolidates the information, selects the assets that are most important to the organization (critical assets), and identifies the threats to these assets.

  • Phase 2: Identify Infrastructure Vulnerabilities. This is an evaluation of the computing infrastructure. The analysis team identifies key information technology systems and components related to each critical asset. The team then examines the key components for weaknesses (technology vulnerabilities) that can lead to unauthorized action against critical assets.

  • Phase 3: Develop Security Strategy and Plans. During this part of the evaluation, the analysis team identifies risks to the organization's critical assets and decides what to do about them. The team creates a protection strategy for the organization and mitigation plans to address the risks to the critical assets, based upon an analysis of the information gathered.
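  • Worked example (added here; it is not code from the lecture or from the SEI's OCTAVE materials). The three phases above, together with the vulnerability outcomes and the cost-effectiveness trade-off listed under the risk evaluation aspects, can be expressed as a small asset-based risk evaluation: Phase 1 selects critical assets and groups threats into per-asset profiles, Phase 2 attaches confirmed technology vulnerabilities to the key components of each critical asset, and Phase 3 scores and ranks the risks and decides which get a mitigation plan. The 1..3 impact and likelihood scales, the rule that a confirmed enabling vulnerability raises likelihood to the maximum, the mitigation threshold, and every asset, threat and vulnerability in the sample data are constructed assumptions for illustration; OCTAVE proper uses qualitative impact criteria that the organization defines for itself.

```python
# Added example, not code from the lecture or the SEI's OCTAVE materials: an
# asset-based risk evaluation that follows the three OCTAVE phases above. The
# 1..3 scales, the scoring rule and all sample assets, threats and vulnerabilities
# are constructed assumptions; OCTAVE proper uses qualitative (high/medium/low)
# impact criteria that the organization defines itself.
from dataclasses import dataclass
from enum import Enum

class Outcome(Enum):
    """Unauthorized actions against an asset (the list given in the slides)."""
    MALICIOUS_CODE = "introduction of malicious code"
    CORRUPTION = "corruption or destruction of data"
    EXFILTRATION = "exfiltration of information"
    DENIAL_OF_SERVICE = "denial of service"
    PRIVILEGE_CHANGE = "unauthorized change of access rights and privileges"

@dataclass
class Asset:
    name: str
    impact: dict        # Outcome -> 1 (low) .. 3 (high), assumed scale
    components: tuple   # key IT components that hold or serve the asset

@dataclass
class Threat:
    asset: str
    source: str         # e.g. "insider", "external actor", "system problem"
    outcome: Outcome
    likelihood: int     # 1 (rare) .. 3 (likely), assumed scale

@dataclass
class Vulnerability:
    component: str
    description: str
    enables: frozenset  # outcomes this weakness makes possible

@dataclass
class Risk:
    asset: str
    threat: Threat
    vulnerabilities: list   # confirmed weaknesses that enable the threat outcome
    score: int

def select_critical_assets(assets, top_n=2):
    """Phase 1: rank assets by worst-case impact and keep the critical ones."""
    return sorted(assets, key=lambda a: max(a.impact.values()), reverse=True)[:top_n]

def build_threat_profiles(critical, threats):
    """Phase 1: group threats by critical asset; threats to other assets are dropped."""
    profiles = {a.name: [] for a in critical}
    for t in threats:
        if t.asset in profiles:
            profiles[t.asset].append(t)
    return profiles

def map_vulnerabilities(critical, vulns):
    """Phase 2: attach each technology vulnerability to the assets whose key components carry it."""
    return {a.name: [v for v in vulns if v.component in a.components] for a in critical}

def evaluate_risks(critical, profiles, vulns_by_asset):
    """Phase 3: score = impact x likelihood; a confirmed vulnerability enabling the
    outcome raises likelihood to the maximum (assumed rule). Highest score first."""
    impact_of = {a.name: a.impact for a in critical}
    risks = []
    for name, threats in profiles.items():
        for t in threats:
            enabling = [v for v in vulns_by_asset[name] if t.outcome in v.enables]
            likelihood = 3 if enabling else t.likelihood
            risks.append(Risk(name, t, enabling, impact_of[name].get(t.outcome, 1) * likelihood))
    return sorted(risks, key=lambda r: r.score, reverse=True)

def mitigation_plan(risks, threshold=6):
    """Phase 3 trade-off: risks at or above the threshold get a mitigation plan, the rest are accepted."""
    return [(r.asset, r.threat.outcome.name, "mitigate" if r.score >= threshold else "accept")
            for r in risks]

def run_evaluation():
    """Run all three phases over constructed sample data and return the ranked risks."""
    O = Outcome
    assets = [
        Asset("customer PII database", {O.EXFILTRATION: 3, O.CORRUPTION: 3, O.PRIVILEGE_CHANGE: 3}, ("db01", "app01")),
        Asset("payroll system", {O.CORRUPTION: 3, O.EXFILTRATION: 3, O.PRIVILEGE_CHANGE: 3}, ("hr01",)),
        Asset("public brochure site", {O.DENIAL_OF_SERVICE: 1, O.CORRUPTION: 1}, ("web01",)),
    ]
    threats = [
        Threat("customer PII database", "external actor via network", O.EXFILTRATION, 2),
        Threat("customer PII database", "insider", O.PRIVILEGE_CHANGE, 1),
        Threat("payroll system", "system problem", O.CORRUPTION, 1),
        Threat("public brochure site", "external actor via network", O.DENIAL_OF_SERVICE, 3),
    ]
    vulns = [
        Vulnerability("app01", "SQL injection in customer search form (constructed)",
                      frozenset({O.EXFILTRATION, O.CORRUPTION})),
        Vulnerability("hr01", "vendor patches missing (constructed)", frozenset({O.MALICIOUS_CODE})),
    ]
    critical = select_critical_assets(assets)
    profiles = build_threat_profiles(critical, threats)
    return evaluate_risks(critical, profiles, map_vulnerabilities(critical, vulns))
```

    Calling run_evaluation() returns the risks ranked highest first; feeding them to mitigation_plan() gives the accept-or-mitigate decision per risk. Two things the slides describe are visible in the result: the threat against the non-critical brochure site never appears, because Phase 1 scoped it out before any technology was examined, and the payroll vulnerability (missing patches) does not raise the payroll corruption risk, because the outcome it enables (malicious code) is not the outcome in that threat profile. Linking vulnerabilities to assets through outcomes, rather than counting findings, is what keeps Phase 2 results from being mistaken for risks on their own.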

  • OCTAVE Variations

    The specific ways in which business practices (e.g., planning, budgeting) are implemented in different organizations vary according to the characteristics of the organizations. Consider the differences between management practices at a small start-up company and those required in a large established organization. Both organizations require a set of similar management practices for planning and budgeting, but the practices are implemented differently. Similarly, the OCTAVE approach defines an information security risk evaluation as a management practice. We have found that the ways in which organizations implement information security risk evaluations differ based on a variety of organizational factors. OCTAVE implemented in a large multinational corporation is different from OCTAVE in a small start-up. However, some common principles, attributes, and outputs hold across organizational types.

  • Common Elements

    The common elements of the OCTAVE approach are embodied in a set of criteria that define the principles, attributes, and outputs of the OCTAVE approach. Many methods can be consistent with these criteria, but there is only one set of OCTAVE criteria. The Software Engineering Institute (SEI) has developed one method consistent with the criteria, the OCTAVE Method, which was designed with large organizations (more than 300 employees) in mind. The institute is presently developing a method for small organizations (fewer than 100 employees).