
Risk Management: a Case Study

DATALAWS Information Technology Law Consultants

Presented by F. F. Akinsuyi (MSc, LLM) MBCS

Anatomy of a Risk Assessment

UK Government Case Study
- UK government services have gone online
- Personal and sensitive data is being propagated and populated by government departments to provide these services
- Online services are targeted by hackers, fraudsters and espionage
- Old and new risks, threats and vulnerabilities threaten these services
- Departments need to identify and mitigate these risks

Anatomy of Risk Management

UK Case Study
- UK government policy is that any government information system used to store, process or forward any official information must be accredited before use
- The objective of accreditation is to show that all relevant risks to the system have been identified and will be managed by appropriate configuration, use, maintenance, evolution and disposal
- The RMADS methodology is applied to government systems

RMADS Documents and Process

RMADS Stages
- Determine the Business Impact Level of the information held on the information system to be accredited (most important)
- Impacts are assessed against confidentiality, integrity and availability
- Depending on the findings, it may be sufficient to simply comply with ISO 27001
- For higher impact levels, an RMADS is mandatory

Impact Samples
- Impacts are measured against the government department and the data subject
- Financial loss due to fraud
- Reputational loss due to the service not being available
- Criminal charges due to a breach of Data Protection

Business Impact Assessment
- Business Impact Levels range from 0 to 8
- Level 1, Trivial: no further action taken
- Levels 2 and 3, Minor: no further action taken
- Level 4, Significant: some negative effects; acceptable risks; actions may need to be taken
- Level 5, Significant: significant negative effects; actions to be taken on a case by case basis
- Levels 6 and 7, Major: risks need to be reduced or treated
- Level 8, Catastrophic: disastrous; dealt with and reduced under all circumstances

Business Impact Assessment

Confidentiality Impact Level Markings
- For confidentiality, the Impact Levels relate directly to protective markings:
- Impact Levels 1 and 2: PROTECT
- Impact Level 3: RESTRICTED
- Impact Level 4: CONFIDENTIAL
- Impact Level 5: SECRET
- Impact Level 6: TOP SECRET

RMADS

First phase in developing an RMADS
- Conduct a Standard 1 Technical Risk Assessment
- Catalogue the information system and generate a scope diagram
- Verify minimum assumptions to ensure that the risk assessment is accurate
- Perform a Privacy Impact Assessment
- Perform a threat assessment to produce a "Prioritised Risk Catalogue" that must be documented within the RMADS

Identify Threats
- Asset List: what the system is made of
- Threat Sources: where the threat is coming from
- Focus of Interest: the system being accredited
- Threat Actors: the principal parties involved in constituting the threat

Asset List
- Database
- Application
- Development and Test Environments
- Desktop
- Government Offices
- Interconnecting systems
- Data Centre
- Third Party Location

Threat Source Samples
- Organised Crime
- Pressure Groups
- Investigative Journalists
- Terrorist Organisations

Threat Actor Samples
- Hacker: altering website, denial of service
- Third Party: inappropriate access, privacy breach
- Normal User: accidental data loss
- Privileged User: data confidentiality compromise
- Data Handler: data loss

RMADS

Second Part
- Create the RMADS
- Perform an ISO 27001 Benchmarking Review to determine whether suitable commercial countermeasures already exist
- Develop the Security Case and Risk Treatment Plan to ensure that the proposed solutions meet the requirements of the organisation and its risk appetite

ISO 27001 Benchmarking
- The ISO 27001 Information Security Standard covers: Security Policy, Security Organisation, Asset Classification, Personnel Security, Physical Security, Communications and Operations Management, Access Control, Systems Development and Maintenance, Business Continuity Management, Compliance
- Benchmarking involves conducting face-to-face reviews with System Architects, Administrators and Security Teams to verify compliance with the areas above

Risk Treatment Plan
- The Risk Treatment Plan identifies what steps will be taken to resolve the identified risks
- It highlights who will be responsible for each risk
- Date for resolving the risk
- Status
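The following is an added worked example for this page, not tooling from the DATALAWS deck or from HMG. It carries the first-phase steps above (Business Impact Assessment, Identify Threats, the prioritised risk catalogue and the Risk Treatment Plan) through in code on a small constructed catalogue. Two points are assumptions, because the deck does not state them: the system's Business Impact Level is taken as the highest C/I/A impact in the catalogue, and an RMADS is treated as mandatory from impact level 4 upward (the deck only says "higher levels"). The risks, owners and target date are constructed sample data.

```python
"""RMADS first-phase walk-through: impact levels, markings, prioritised risk
catalogue and treatment plan.  Added example, not the deck's own tooling."""
from dataclasses import dataclass

# Impact level scale (0-8) and the action the deck attaches to each band.
# Level 0 is in the deck's range but not described; "no impact" is assumed.
LEVEL_ACTION = {
    0: "No impact: no further action",
    1: "Trivial: no further action",
    2: "Minor: no further action",
    3: "Minor: no further action",
    4: "Significant: acceptable risk, actions may need to be taken",
    5: "Significant: actions decided on a case by case basis",
    6: "Major: risk must be reduced or treated",
    7: "Major: risk must be reduced or treated",
    8: "Catastrophic: dealt with and reduced under all circumstances",
}
TREATMENT_FROM = 4        # lowest level at which the deck expects any action
RMADS_MANDATORY_FROM = 4  # assumption: the deck gives no numeric threshold

# Confidentiality impact level -> protective marking, as listed on the deck.
CONFIDENTIALITY_MARKING = {1: "PROTECT", 2: "PROTECT", 3: "RESTRICTED",
                           4: "CONFIDENTIAL", 5: "SECRET", 6: "TOP SECRET"}


@dataclass(frozen=True)
class Risk:
    """One catalogue row: asset, threat source, threat actor, outcome and the
    impact (0-8) on each of confidentiality, integrity and availability."""
    asset: str
    threat_source: str
    threat_actor: str
    outcome: str
    confidentiality: int
    integrity: int
    availability: int

    def __post_init__(self):
        for value in (self.confidentiality, self.integrity, self.availability):
            if not 0 <= value <= 8:
                raise ValueError(f"impact level {value} is outside the 0-8 scale")

    def level(self) -> int:
        """Impact level of this risk: the worst of its C/I/A impacts."""
        return max(self.confidentiality, self.integrity, self.availability)


def business_impact_level(catalogue) -> int:
    """System Business Impact Level (assumed: highest impact in the catalogue)."""
    return max(risk.level() for risk in catalogue)


def confidentiality_impact_level(catalogue) -> int:
    """Confidentiality impact level alone, which the deck ties to a marking."""
    return max(risk.confidentiality for risk in catalogue)


def confidentiality_marking(level: int):
    """Protective marking for a confidentiality level; None where the deck
    lists no marking (levels 0, 7 and 8)."""
    return CONFIDENTIALITY_MARKING.get(level)


def rmads_required(level: int) -> bool:
    """Below the assumed threshold, ISO 27001 compliance alone is sufficient."""
    return level >= RMADS_MANDATORY_FROM


def prioritised_catalogue(catalogue):
    """The deck's Prioritised Risk Catalogue: worst impact first, asset name
    as a stable tie-break."""
    return sorted(catalogue, key=lambda r: (-r.level(), r.asset))


def treatment_plan(catalogue, owners, target_date):
    """Risk Treatment Plan rows (action, owner, date, status) for every risk
    that reaches a level where the deck expects action."""
    return [
        {"asset": r.asset, "outcome": r.outcome, "level": r.level(),
         "action": LEVEL_ACTION[r.level()], "owner": owners[r.asset],
         "date": target_date, "status": "Open"}
        for r in prioritised_catalogue(catalogue) if r.level() >= TREATMENT_FROM
    ]


# Constructed sample catalogue drawn from the deck's asset, source and actor lists.
SAMPLE_CATALOGUE = [
    Risk("DataBase", "Organised Crime", "Privileged User",
         "Data confidentiality compromise", 4, 4, 2),
    Risk("Application", "Organised Crime", "Hacker",
         "Altering website, denial of service", 2, 5, 5),
    Risk("Third Party Location", "Investigative Journalists", "Third Party",
         "Inappropriate access, privacy breach", 3, 2, 1),
    Risk("Desktop", "Internal (constructed)", "Normal User",
         "Accidental data loss", 1, 3, 3),
]
SAMPLE_OWNERS = {"DataBase": "Database administrator",          # constructed
                 "Application": "Application team lead",
                 "Third Party Location": "Supplier manager",
                 "Desktop": "Desktop support"}

if __name__ == "__main__":
    bil = business_impact_level(SAMPLE_CATALOGUE)
    print(f"Business Impact Level {bil}: {LEVEL_ACTION[bil]}; RMADS mandatory: {rmads_required(bil)}")
    print("Confidentiality marking:", confidentiality_marking(confidentiality_impact_level(SAMPLE_CATALOGUE)))
    for row in treatment_plan(SAMPLE_CATALOGUE, SAMPLE_OWNERS, "2011-03-31"):  # constructed date
        print(row)
```

On the constructed catalogue the system lands at level 5 (driven by the application's integrity and availability impacts), so the plan carries the two risks at level 4 or above, while the two level-3 risks stay in the catalogue with no action. The level scale and markings are kept in plain dictionaries so that a department applying a different threshold for mandatory RMADS changes one constant rather than the logic.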

Penetration Test
- Network and Application tests
- Round up to identify whether there is any exposure to known vulnerabilities by conducting a penetration and application test
- Review outcome
- Accredit system

Application Vulnerability Tests
- Cross Site Scripting
- Failure to Restrict URL Access
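As an added illustration of what the two application tests above look for (not code from the deck), the block below shows the defect each test detects next to its hardened form: input reaching HTML unescaped for cross-site scripting, and a URL that a role can reach without being listed for it. The route table, roles and probe string are constructed.

```python
"""Checks behind the deck's two application vulnerability tests.
Added example; the route table, roles and sample inputs are constructed."""
from html import escape


def render_greeting_unsafe(name: str) -> str:
    """The defect the cross-site scripting test finds: user input copied
    straight into HTML, so any tags it carries are interpreted by the browser."""
    return f"<p>Hello {name}</p>"


def render_greeting(name: str) -> str:
    """Hardened form: escape before the value is placed in an HTML text node."""
    return f"<p>Hello {escape(name, quote=True)}</p>"


def reflects_markup(renderer, probe: str = "<i>probe</i>") -> bool:
    """True when the renderer returns the probe's tags intact, which is the
    condition the XSS test reports as a finding."""
    return probe in renderer(probe)


# Constructed route table: which roles may reach each URL path.  Any path not
# listed is denied, so a forgotten page fails closed rather than open.
ROUTE_ROLES = {
    "/": {"anonymous", "user", "admin"},
    "/account": {"user", "admin"},
    "/admin/users": {"admin"},
}


def is_authorised(path: str, role: str) -> bool:
    """Deny by default; allow only when the path is listed and the role named."""
    allowed = ROUTE_ROLES.get(path)
    return allowed is not None and role in allowed


def reachable_paths(role: str):
    """The paths a given role is expected to reach under the table."""
    return sorted(p for p in ROUTE_ROLES if is_authorised(p, role))


def url_access_findings(observed, role: str):
    """Compare the paths actually reached during a test as `role` against the
    table; each extra path is a failure-to-restrict-URL-access finding."""
    return sorted(set(observed) - set(reachable_paths(role)))


if __name__ == "__main__":
    print("unsafe renderer reflects markup:", reflects_markup(render_greeting_unsafe))
    print("hardened renderer reflects markup:", reflects_markup(render_greeting))
    # Constructed test log: paths a 'user' session was able to open
    print(url_access_findings(["/", "/account", "/admin/users"], "user"))
```

The URL check is written as an explicit allow list so the review question is "which roles are named for this path", which is easier to verify face to face with the architects than an implicit "everything not blocked is allowed".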

End Of SessionEnd Of Session