
23 January 2003 © All rights Reserved, 2002

Understanding Facilitated Risk Analysis Process (FRAP) and Security Policies for Organizations

Infocomm Security and Computer Security Institute

ABSTRACT

Facilitated Risk Analysis Process (FRAP)

The dictionary defines RISK as "someone or something that creates or suggests a hazard". In today's environment, it is one of the many costs of doing business or providing a service. Information security professionals know and understand that nothing ever runs smoothly for very long. Any manner of internal or external hazard or risk can cause a well-running organization to lose competitive advantage, miss deadlines and/or suffer embarrassment. Management looks to us, as security professionals, to provide a process that allows for the systematic review of risks, threats, hazards and concerns and provides cost-effective measures to lower risk to an acceptable level. This session will review the current practical application of cost-effective risk analysis.


AGENDA

- Risk Analysis Basics
- Difficulties and Pitfalls
- Making the FRAP a Business Process
- Key FRAP Issues


Effective Risk Analysis

Frequently Asked Questions
- Why should a risk analysis be conducted?
- When should a risk analysis be conducted?
- Who should conduct the risk analysis?
- How long should a risk analysis take?
- What can a risk analysis analyze?
- What can the results of a risk analysis tell an organization?
- Who should review the results of a risk analysis?
- How is the success of the risk analysis measured?


ISO 17799 Information Security Standard 1. Scope

This standard gives recommendations for information security management for use by those who are responsible for initiating, implementing or maintaining security in their organization.

It is intended to provide a common basis for developing organizational security standards and effective security management practice and to provide confidence in inter-organizational dealings.

Recommendations from this standard should be selected and used in accordance with applicable laws and regulations.


ISO 17799 Information Security Standard 2. Terms and definitions

2.1 Information Security: confidentiality, integrity, availability

2.2 Risk Assessment: assessment of threats to, impacts on and vulnerabilities of information and information processing facilities and the likelihood of their occurrence

2.3 Risk Management: process of identifying, controlling and minimizing or eliminating risks that may affect information systems, for an acceptable cost.


ISO 17799 Information Security Standard 3. Security Policy
- provide management direction and support

4. Asset Classification and Control
- maintain appropriate protection of corporate assets

5. Computer and Network Management
- ensure the correct and secure operation of information processing facilities
- minimize risk of system failures
- protect integrity of software and information


ISO 17799 Information Security Standard 5. Communications and Network Management
- maintain integrity and availability of information processing and communications
- ensure the safeguarding of information networks and protection of the supporting infrastructure
- prevent damage to assets and interruptions to business activities
- prevent loss, modification or misuse of information exchanged between organizations


ISO 17799 Information Security Standard 6. Security Organization
- manage information security within the enterprise
- maintain security of enterprise information processing facilities and information assets accessed by third parties
- maintain the security of information when the responsibility for information processing has been outsourced to another organization


ISO 17799 Information Security Standard 7. Personnel Security
- reduce risks of human error, theft, fraud or misuse of facilities
- ensure users are aware of information security threats and concerns and are equipped to support the enterprise security policy
- minimize the damage from security incidents and malfunctions


ISO 17799 Information Security Standard 8. Compliance
- avoid breaches of any criminal or civil law, statutory, regulatory or contractual obligations and of any security requirements
- ensure compliance of systems with enterprise security policy and standards
- maximize the effectiveness of, and minimize interference to/from, the system audit process


ISO 17799 Information Security Standard 9. Physical and Environmental Security
- prevent unauthorized access, damage and interference to business premises and information
- prevent loss, damage or compromise of assets and interruption to business activities
- prevent compromise or theft of information and information processing facilities.


ISO 17799 Information Security Standard 10. System Development and Maintenance
- ensure security is built into operational systems
- prevent loss, modification or misuse of user data in application systems
- protect the confidentiality, authenticity and integrity of information
- ensure IT projects and support activities are conducted in a secure manner
- maintain the security of application system software and data.


ISO 17799 Information Security Standard 11. System Access Control
- control access to information
- prevent unauthorized access to information systems
- ensure the protection of networked services
- prevent unauthorized system access
- detect unauthorized activities
- ensure information security when using mobile computing and networking facilities


ISO 17799 Information Security Standard 12. Business Continuity Planning

counteract interruptions to business activities and to critical business processes from the effects of major failures or disasters.

The United States National Institute of Standards and Technology (NIST) has published valuable information security documents that can be obtained by accessing their web site at csrc.nist.gov/publications/nistpubs/.
- SP 800-12 An Introduction to Computer Security: The NIST Handbook
- SP 800-18 Guide for Developing Security Plans for Information Technology Systems
- SP 800-26 Security Self-Assessment Guide for Information Technology Systems
- SP 800-30 Risk Management Guide for Information Technology Systems
- SP 800-47 Security Guide for Interconnecting Information Technology Systems


Information protection in quality assurance works with three key elements:
- Integrity - the information is as intended, without inappropriate modification or corruption
- Confidentiality - the information is protected from unauthorized or accidental disclosure
- Availability - authorized users can access applications and systems when required to do their job


No matter what risk analysis process is used, the method is always the same:
- Identify the asset
- Ascertain the risk
- Determine the probability
- Identify the corrective action

Remember - sometimes accepting the risk is the appropriate corrective action.


Definitions
- Threat - an undesirable event
- Impact - effect on the business objectives or mission of the enterprise
- Probability - likelihood that the risk may occur
- Losses - these include direct and indirect loss: disclosure, integrity, denial of service


- Accreditation - formal acceptance of a system's overall security by management
- Certification - process of assessing security mechanisms and controls and evaluating their effectiveness.
- Vulnerability - a condition of a missing or ineffectively administered safeguard or control that allows a threat to occur with a greater impact or frequency or both.


Definitions
- Safeguard/Control - a countermeasure that acts to prevent, detect, or minimize the consequences of threat occurrence.
- Exposure Factor - how much impact or loss of asset value is incurred, from 0% to 100%
- Single-time Loss Algorithm (SLA) - when a threat occurs, how much the loss of asset value is expected to be in monetary terms
- Annualized Rate of Occurrence (ARO) - how often a threat might be expected to happen in a one year period.


Risk Analysis Objectives
- Identify potential undesirable or unauthorized events, "RISKS", that could have a negative impact on the business objectives or mission of the enterprise.
- Identify potential "CONTROLS" to reduce or eliminate the impact of RISK events determined to be of MAJOR concern.


Threats and Potential Damage to Systems/Applications Supporting Enterprise Operations

Threats:
- Attempts to access private information
- Fraud
- Malicious attacks
- Pranks
- Natural disasters
- Sabotage
- User error

Potential Damage:
- Customer loss of confidence
- Critical operations halted
- Sensitive information disclosed
- Services and benefits interrupted
- Failure to meet contractual obligations
- Assets lost
- Integrity of data and reports compromised


Information Security Objectives
- Maintain customer, constituent, stockholder, or taxpayer confidence in the organization
- Protect confidentiality of sensitive information (personal, financial, trade secret, etc.)
- Protect sensitive operational data from inappropriate disclosure
- Avoid third-party liability for illegal or malicious acts committed with the organization's systems
- Ensure that organization computer, network, and data are not misused or wasted
- Avoid fraud
- Avoid expensive and disruptive incidents
- Comply with pertinent laws and regulations
- Avoid a hostile workplace atmosphere

Source GAO/AIMD 98-68


Risk Management Principles
- Assess risk and determine needs
- Establish a central management focal point
- Implement appropriate policies and related controls
- Promote awareness
- Monitor and evaluate policy and control effectiveness

Source GAO/AIMD 98-68


Risk Management Cycle

A Central Focal Point coordinates four recurring activities:
- Assess Risk & Determine Needs
- Implement Policies & Controls
- Promote Awareness
- Monitor & Evaluate

Source GAO/AIMD 98-68


Sixteen Practices Employed by Leading Organizations to Implement the Risk Management Cycle

Principle 1. Assess Risk and Determine Needs

Practices:
1. Recognize information resources as essential organizational assets
2. Develop practical risk assessment procedures that link security to business needs
3. Hold program and business managers accountable
4. Manage risk on a continuing basis


Principle 2. Establish a Central Management Focal Point

Practices:
5. Designate a central group to carry out key activities
6. Provide the central group ready and independent access to senior executives
7. Designate dedicated funding and staff
8. Enhance staff professionalism and technical skills


Principle 3. Implement Appropriate Policies and Related Controls

Practices:
9. Link policies to business risks
10. Distinguish between policies and guidelines
11. Support policies through central security group


Principle 4. Promote Awareness

Practices:
12. Continually educate users and others on the risks and related policies
13. Use attention-getting and user-friendly techniques


Principle 5. Monitor and Evaluate Policy and Control Effectiveness

Practices:
14. Monitor factors that affect risk and indicate security effectiveness
15. Use results to direct future efforts and hold managers accountable
16. Be alert to new monitoring tools and techniques


Assess Risk and Determine Needs
- Risk considerations and the related cost-benefit trade-offs are the primary focus of a security program. Security is not an end in itself.
- Controls and safeguards are identified and implemented to address specific business risks.
- Understanding the business risks associated with information security is the starting point of an effective risk analysis and management program.


Organizations that are most satisfied with their risk analysis procedures are those that have defined a relatively simple process that can be adapted to various organizational units and involved a mix of individuals with knowledge of business operations and technical aspects of the enterprise’s systems and security controls.*

*Source GAO/AIMD 98-68


Facilitated Risk Analysis Process (FRAP)
- FRAP analyzes one system, application or segment of business process at a time
- A team of individuals that includes business managers and support groups is convened
- The team brainstorms potential threats, vulnerabilities and resultant negative impacts to data integrity, confidentiality and availability
- Impacts are analyzed against business operations
- Threats and risks are prioritized


Facilitated Risk Analysis Process (FRAP)
FRAP users believe that the additional effort to develop precisely quantified risks is not cost-effective because:
- such estimates are time consuming
- risk documentation becomes too voluminous for practical use
- specific loss estimates are generally not needed to determine if controls are needed


Facilitated Risk Analysis Process (FRAP)
- After identifying and categorizing risks, the team identifies controls that could mitigate the risk
- A common group of controls is used as a starting point
- The decision on what controls are needed lies with the business manager
- The team's conclusions as to what risks exist and what controls are needed are documented along with a related action plan for control implementation


Facilitated Risk Analysis Process (FRAP)
- Each risk analysis session takes approximately 4 hours
- Includes 7 to 15 people
- Additional time is required to develop the action plan
- Results remain on file for the same time as audit papers


Facilitated Risk Analysis Process (FRAP)
- The team does not attempt to obtain or develop specific numbers for threat likelihood or annual loss estimates
- It is the team's experience that sets priorities
- After identifying and categorizing risks, the group identifies controls that can be implemented to reduce the risk, focusing on cost-effectiveness
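The FRAP steps above (the team rates impact and probability from experience, prioritizes, and picks controls from a common starting set) as an added Python example; this is not code from the slides or from the FRAP authors, and the rating scale, priority bands, control list and sample risks are all constructed assumptions.

```python
"""FRAP-style qualitative risk ranking (added example, not from the slides).
The team rates each threat's impact and probability High/Medium/Low from
experience and estimates no loss figures, as FRAP prescribes. The scale,
priority bands, control list and sample risks are constructed assumptions."""
from dataclasses import dataclass

LEVEL = {"High": 3, "Medium": 2, "Low": 1}   # assumed ordinal scale

@dataclass
class Risk:
    threat: str        # the undesirable event the team identified
    effect: str        # "confidentiality", "integrity" or "availability"
    impact: str        # High/Medium/Low: effect on business objectives
    probability: str   # High/Medium/Low: likelihood the risk occurs

def score(r: Risk) -> int:
    return LEVEL[r.impact] * LEVEL[r.probability]

def priority(r: Risk) -> str:
    """Assumed bands: A = major concern, controls required; B = controls
    worth considering; C = accept the risk (a valid corrective action)."""
    s = score(r)
    if s >= 6:       # High/High or High/Medium
        return "A"
    if s >= 3:       # High/Low or Medium/Medium
        return "B"
    return "C"

# Constructed "common group of controls" used as the starting point,
# keyed by the security property the threat affects.
COMMON_CONTROLS = {
    "confidentiality": ["access control and least privilege", "encryption"],
    "integrity": ["change control", "backups and audit logging"],
    "availability": ["redundancy and failover", "business continuity plan"],
}

def action_plan(risks):
    """Rank risks by the team's ratings; attach candidate controls to every
    risk not simply accepted. The business manager decides what is built."""
    ranked = sorted(risks, key=score, reverse=True)   # stable: ties keep order
    return [(r.threat, priority(r),
             COMMON_CONTROLS[r.effect] if priority(r) != "C" else [])
            for r in ranked]

# Constructed output of one brainstorming session for a single application
SAMPLE_RISKS = [
    Risk("Unauthorized access to customer records", "confidentiality", "High", "Medium"),
    Risk("User error corrupts month-end report", "integrity", "Medium", "High"),
    Risk("Prank defacement of intranet page", "availability", "Low", "Low"),
    Risk("Natural disaster halts data centre", "availability", "High", "Low"),
]

if __name__ == "__main__":
    for threat, prio, controls in action_plan(SAMPLE_RISKS):
        print(f"[{prio}] {threat}: {', '.join(controls) or 'accept risk'}")
```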


Business managers bear the primary responsibility for determining the level of protection needed for information resources that support business operations.

Security professionals must play a strong role in educating and advising management on exposures and possible controls.
