Security Risk Management

Paula Kiernan

Ward Solutions

Session Prerequisites

Basic understanding of network security fundamentals

Basic understanding of security risk management concepts

Level 300

Target Audience

This session is primarily intended for:

Systems architects and planners

Members of the information security team

Security and IT auditors

Senior executives, business analysts, and business decision makers

Consultants and partners

Session Overview

Security Risk Management Concepts

Identifying Security Risk Management Prerequisites

Assessing Risk

Conducting Decision Support

Implementing Controls and Measuring Program Effectiveness

Security Risk Management Concepts


Why Develop a Security Risk Management Process?

Developing a formal security risk management process can address the following:

Threat response time

Regulatory compliance

Infrastructure management costs

Risk prioritization and management

Identifying Success Factors That Are Critical to Security Risk Management

Security risk management: A process for identifying, prioritizing, and managing risk to an acceptable level within the organization

Key factors to implementing a successful security risk management program include:

An atmosphere of open communication and teamwork

Organizational maturity in terms of risk management

Executive sponsorship

Well-defined list of risk management stakeholders

A holistic view of the organization

Security risk management team authority

Comparing Approaches to Risk Management

Many organizations have approached security risk management by adopting one of the following:

Proactive approach: the adoption of a process that reduces the risk of new vulnerabilities in your organization

Reactive approach: a process that responds to security events as they occur

Comparing Approaches to Risk Prioritization

Approach: Quantitative

Benefits: Risks prioritized by financial impact; assets prioritized by their financial values. Results facilitate management of risk by return on security investment. Results can be expressed in management-specific terminology.

Drawbacks: Impact values assigned to risks are based upon subjective opinions of the participants. Very time-consuming. Can be extremely costly.

Approach: Qualitative

Benefits: Enables visibility and understanding of risk ranking. Easier to reach consensus. Not necessary to quantify threat frequency. Not necessary to determine financial values of assets.

Drawbacks: Insufficient granularity between important risks. Difficult to justify investing in a control, as there is no basis for a cost-benefit analysis. Results dependent upon the quality of the risk management team that is created.

Introducing the Microsoft Security Risk Management Process

The process is a cycle of four phases:

1. Assessing Risk

2. Conducting Decision Support

3. Implementing Controls

4. Measuring Program Effectiveness

Identifying Security Risk Management Prerequisites


Risk Management vs. Risk Assessment

            Risk Management                                   Risk Assessment
Goal        Manage risks across business to acceptable level  Identify and prioritize risks
Cycle       Overall program across all four phases            Single phase of risk management program
Schedule    Continuous activity                               Scheduled activity
Alignment   Aligned with budgeting cycles                     Not applicable

Communicating Risk

Well-Formed Risk Statement

Asset: What are you trying to protect?

Threat: What are you afraid of happening?

Vulnerability: How could the threat occur?

Mitigation: What is currently reducing the risk?

Impact: What is the impact to the business?

Probability: How likely is the threat given the controls?

Determining Your Organization’s Risk Management Maturity Level

Publications to help you determine your organization’s risk management maturity level include:

ISO Code of Practice for Information Security Management (ISO 17799), International Standards Organization

Control Objectives for Information and Related Technology (CobiT), IT Governance Institute

Security Self-Assessment Guide for Information Technology Systems (SP-800-26), National Institute of Standards and Technology

Performing a Risk Management Maturity Self-Assessment

Level State

0 Non-existent

1 Ad hoc

2 Repeatable

3 Defined process

4 Managed

5 Optimized

Defining Roles and Responsibilities

Roles:

Executive Sponsor: “What's important?”

Information Security Group: “Prioritize risks”

IT Group: “Best control solution”

Responsibilities:

Operate and support security solutions

Design and build security solutions

Define security requirements

Assess risks

Determine acceptable risk

Measure security solutions

Assessing Risk


Overview of the Assessing Risk Phase

This is phase 1 of the four-phase process (Assessing Risk, Conducting Decision Support, Implementing Controls, Measuring Program Effectiveness). Its steps are:

• Plan risk data gathering

• Gather risk data

• Prioritize risks

Understanding the Planning Step

The primary tasks in the planning step include the following:

Alignment

Scoping

Stakeholder acceptance

Setting expectations

Understanding Facilitated Data Gathering

Keys to successful data gathering include:

Meet collaboratively with stakeholders

Build support

Understand the difference between discussing and interrogating

Build goodwill

Be prepared

Elements collected during facilitated data gathering include:

Organizational assets

Asset description

Security threats

Vulnerabilities

Current control environment

Proposed controls

Identifying and Classifying Assets

An asset is anything of value to the organization and can be classified as one of the following:

High business impact

Moderate business impact

Low business impact

Organizing Risk Information

Use the following questions as an agenda during facilitated discussions:

What asset are you protecting?

How valuable is the asset to the organization?

What are you trying to avoid happening to the asset?

How might loss or exposures occur?

What is the extent of potential exposure to the asset?

What are you doing today to reduce the probability or the extent of damage to the asset?

What are some actions that you can take to reduce the probability in the future?

Estimating Asset Exposure

Exposure: The extent of potential damage to an asset

Use the following guidelines to estimate asset exposure:

Low exposure: Minor or no loss

Medium exposure: Limited or moderate loss

High exposure: Severe or complete loss of the asset

Estimating Probability of Threats

Use the following guidelines to estimate probability for each threat and vulnerability identified:

Low threat: Not probable—impact not expected to occur within three years

Medium threat: Probable—impact expected within two to three years

High threat: Likely—one or more impacts expected within one year

Facilitating Risk Discussions

The facilitated risk discussion meeting is divided into the following sections:

1. Determining Organizational Assets and Scenarios

2. Identifying Threats

3. Identifying Vulnerabilities

4. Estimating Asset Exposure

5. Estimating Probability of Exploit and Identifying Existing Controls

6. Meeting Summary and Next Steps

Defining Impact Statements

Impact data includes the following information:

Understanding Risk Prioritization

Risk prioritization proceeds through the following stages:

Start risk prioritization

Conduct summary-level risk prioritization, producing the summary-level risk prioritization

Conduct detailed-level risk prioritization, producing the detailed-level risk prioritization

Review with stakeholders

End of risk prioritization

Conducting Summary-Level Risk Prioritization

The summary-level prioritization process includes the following:

1. Determine impact level

2. Estimate summary-level probability

Probability scale for step 2: High. Likely—one or more impacts expected within one year. Medium. Probable—impact expected within two to three years. Low. Not probable—impact not expected to occur within three years.

3. Complete the summary-level risk list

4. Review with stakeholders

Conducting Detailed Level Risk Prioritization

The following four tasks outline the process to build a detailed-level list of risks:

1. Determine impact and exposure

2. Identify current controls

3. Determine probability of impact

4. Determine detailed risk level

Use the Detailed-Level Risk Prioritization template (SRJA3-Detailed Level Risk Prioritization.xls)

Quantifying Risk

The following tasks outline the process to determine the quantitative value:

1. Assign a monetary value to each asset class

2. Input the asset value for each risk

3. Produce the single-loss expectancy value (SLE)

4. Determine the annual rate of occurrence (ARO)

5. Determine the annual loss expectancy (ALE)
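Added worked example (not code from the session or from the Microsoft guide) that carries the summary-level prioritization and the quantitative steps above through in Python for a few constructed risks: impact level from asset class and exposure, summary risk level from impact and probability, then SLE, ARO and ALE, with the high-impact risks picked out for detailed-level prioritization. The two rating matrices, the exposure factors, the ARO value for each probability bucket and the sample risks are assumptions chosen to match the ranges on the slides.

```python
from dataclasses import dataclass

# Slide probability buckets mapped to an ASSUMED annual rate of occurrence (ARO):
# High = likely, one or more per year; Medium = probable, once in two to three
# years; Low = not probable, not within three years.
ARO_BY_PROBABILITY = {"High": 1.0, "Medium": 0.4, "Low": 0.2}

# Slide exposure ratings mapped to an ASSUMED exposure factor, the fraction of the
# asset value lost in one incident (severe/complete, limited/moderate, minor/none).
EXPOSURE_FACTOR = {"High": 1.0, "Medium": 0.5, "Low": 0.1}

# ASSUMED matrix: asset business impact class x exposure -> impact level.
IMPACT_LEVEL = {
    ("HBI", "High"): "High",   ("HBI", "Medium"): "High",   ("HBI", "Low"): "Medium",
    ("MBI", "High"): "High",   ("MBI", "Medium"): "Medium", ("MBI", "Low"): "Low",
    ("LBI", "High"): "Medium", ("LBI", "Medium"): "Low",    ("LBI", "Low"): "Low",
}
RANK = {"High": 3, "Medium": 2, "Low": 1}

@dataclass
class RiskStatement:
    """Well-formed risk statement (Communicating Risk slide) plus the ratings
    gathered for it: asset class, exposure, probability and asset value."""
    asset: str
    threat: str
    vulnerability: str
    mitigation: str        # what currently reduces the risk
    asset_class: str       # HBI / MBI / LBI business impact class
    exposure: str          # High / Medium / Low extent of potential damage
    probability: str       # High / Medium / Low, given current controls
    asset_value: float     # monetary value assigned to the asset class

def impact_level(risk):
    return IMPACT_LEVEL[(risk.asset_class, risk.exposure)]

def summary_risk_level(risk):
    # ASSUMED combination rule: add the two ranks; 5-6 High, 3-4 Medium, 2 Low.
    score = RANK[impact_level(risk)] + RANK[risk.probability]
    return "High" if score >= 5 else "Medium" if score >= 3 else "Low"

def single_loss_expectancy(risk):
    return risk.asset_value * EXPOSURE_FACTOR[risk.exposure]

def annual_loss_expectancy(risk):
    return single_loss_expectancy(risk) * ARO_BY_PROBABILITY[risk.probability]

def prioritize(risks):
    """Summary-level risk list, highest risk level first, ALE as tie-breaker."""
    rows = [{"asset": r.asset, "threat": r.threat, "impact": impact_level(r),
             "probability": r.probability, "risk": summary_risk_level(r),
             "ale": round(annual_loss_expectancy(r), 2)} for r in risks]
    rows.sort(key=lambda row: (RANK[row["risk"]], row["ale"]), reverse=True)
    return rows

def detailed_candidates(risks):
    """High-impact risks, which go on to detailed-level prioritization."""
    return [r for r in risks if impact_level(r) == "High"]

# Constructed sample risks for illustration (not from the session).
SAMPLE_RISKS = [
    RiskStatement("Customer database", "Theft of customer records",
                  "Unpatched database server", "Perimeter firewall only",
                  "HBI", "High", "Medium", 2_000_000),
    RiskStatement("Internal wiki", "Defacement", "Weak admin password",
                  "Password policy", "LBI", "Medium", "High", 50_000),
    RiskStatement("Payroll system", "Service outage", "Single server, no failover",
                  "Nightly backups", "MBI", "Medium", "Low", 400_000),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_RISKS):
        print(row)
    print("Detailed-level:", [r.asset for r in detailed_candidates(SAMPLE_RISKS)])
```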

Assessing Risk: Best Practices

Analyze risks during the data gathering process

Conduct research to build credibility for estimating probability

Communicate risk in business terms

Reconcile new risks with previous risks

Conducting Decision Support


Overview of the Decision Support Phase

This is phase 2 of the four-phase process (Assessing Risk, Conducting Decision Support, Implementing Controls, Measuring Program Effectiveness). Its steps are:

1. Define functional requirements

2. Identify control solutions

3. Review solution against requirements

4. Estimate degree of risk reduction

5. Estimate cost of each solution

6. Select the risk mitigation strategy

Identifying Output for the Decision Support Phase

Key elements to gather include:

Decision on how to handle each risk

Functional requirements

Potential control solutions

Risk reduction of each control solution

Estimated cost of each control solution

List of control solutions to be implemented

Considering the Decision Support Options

Options for handling risk:

Accepting the current risk

Implementing controls to reduce risk

Overview of the Identifying and Comparing Controls Process

Participants: Security risk management team, Mitigation owner, Security steering committee

Activities: Identifies potential control solutions; Determines types of costs; Estimates level of risk reduction; Final list of control solutions

The process proceeds through six steps:

Step 1: Define Functional Requirements

Step 2: Identify Control Solutions

Step 3: Review Solutions Against Requirements

Step 4: Estimate Degree of Risk Reduction

Step 5: Estimate Cost of Each Solution

Step 6: Select the Risk Mitigation Strategy

Conducting Decision Support: Best Practices

Consider assigning a security technologist to each identified risk

Set reasonable expectations

Build team consensus

Focus on the amount of risk after the mitigation solution
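Added example (not code from the session or from the Microsoft guide) that walks steps 3 to 6 of the decision support phase together with the two handling options from the Considering the Decision Support Options slide: candidate controls are screened against the functional requirements, each survivor's residual ALE and yearly net benefit are computed from its estimated risk reduction and cost, and the risk is accepted when no control pays for itself. The control names, requirement tags, reduction percentages, costs and ALE figures are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class ControlSolution:
    name: str
    risk_reduction: float   # step 4: estimated fraction of the risk removed
    annual_cost: float      # step 5: estimated yearly cost of the control
    meets: set = field(default_factory=set)  # functional requirements satisfied

@dataclass
class Decision:
    risk: str
    strategy: str           # "accept" or the name of the chosen control
    residual_ale: float     # annual loss expectancy left after the control
    net_benefit: float      # yearly ALE reduction minus annual control cost

def review_against_requirements(controls, requirements):
    """Step 3: keep only the solutions that satisfy every functional requirement."""
    return [c for c in controls if requirements <= c.meets]

def evaluate(ale_before, control):
    """Steps 4 and 5 combined: residual ALE and yearly net benefit of one control."""
    residual = ale_before * (1 - control.risk_reduction)
    return residual, (ale_before - residual) - control.annual_cost

def select_strategy(risk_name, ale_before, requirements, controls):
    """Step 6: choose the control with the largest positive net benefit, or
    accept the current risk when no candidate pays for itself."""
    best = None
    for c in review_against_requirements(controls, requirements):
        residual, net = evaluate(ale_before, c)
        if net > 0 and (best is None or net > best.net_benefit):
            best = Decision(risk_name, c.name, residual, net)
    return best or Decision(risk_name, "accept", ale_before, 0.0)

# Constructed sample (not from the session): functional requirements for one
# risk and three candidate controls with assumed reductions and yearly costs.
REQUIREMENTS = {"patch-within-30-days", "logging"}
CANDIDATES = [
    ControlSolution("Managed patching service", 0.6, 120_000,
                    {"patch-within-30-days", "logging"}),
    # Dropped at step 3: does not meet the patching requirement.
    ControlSolution("Database activity monitoring", 0.3, 90_000, {"logging"}),
    # Meets the requirements but costs more per year than the loss it prevents.
    ControlSolution("Full platform re-architecture", 0.9, 900_000,
                    {"patch-within-30-days", "logging"}),
]

if __name__ == "__main__":
    # A high-ALE risk gets a control; a low-ALE risk with the same candidates is accepted.
    print(select_strategy("Customer database", 800_000, REQUIREMENTS, CANDIDATES))
    print(select_strategy("Internal wiki", 20_000, REQUIREMENTS, CANDIDATES))
```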

Implementing Controls and Measuring Program Effectiveness


Implementing Controls

This is phase 3 of the four-phase process (Assessing Risk, Conducting Decision Support, Implementing Controls, Measuring Program Effectiveness). Its activities are:

• Seek a holistic approach

• Organize by defense-in-depth

Organizing the Control Solutions

Critical success determinants to organizing control solutions include:

Communication

Team scheduling

Resource requirements

Organizing by Defense-in-Depth

Network

Host

Application

Data

Physical

Measuring Program Effectiveness

This is phase 4 of the four-phase process (Assessing Risk, Conducting Decision Support, Implementing Controls, Measuring Program Effectiveness). Its activities are:

• Develop scorecard

• Measure control effectiveness

Developing Your Organization’s Security Risk Scorecard

A simple security risk scorecard organized by the defense-in-depth layers might look like this:

Layer        FY05 Q1  FY05 Q2  FY05 Q3  FY05 Q4
Physical     H        M
Network      M        M
Host         M        M
Application  M        H
Data         L        L

Risk Levels (H, M, L)

Measuring Control Effectiveness

Methods to measure the effectiveness of implemented controls include:

Direct testing

Submitting periodic compliance reports

Evaluating widespread security incidents

Session Summary

One common thread between most risk management methodologies is that each is typically based on quantitative risk management, qualitative risk management, or a combination of the two

Risk assessment consists of conducting a summary-level risk prioritization, and then conducting a detailed-level risk prioritization on high-impact risks

The Microsoft Security Risk Management Guide provides a number of tools and templates to assist with the entire risk management process

The Microsoft defense-in-depth approach organizes controls into several broad layers that make up the defense-in-depth model

Determining your organization’s maturity level will help focus on the appropriate implementation and timeframe for your risk management strategy

Next Steps

Find additional security training events:

http://www.microsoft.com/seminar/events/security.mspx

Sign up for security communications:

http://www.microsoft.com/technet/security/signup/default.mspx

Order the Security Guidance Kit:

http://www.microsoft.com/security/guidance/order/default.mspx

Get additional security tools and content:

http://www.microsoft.com/security/guidance

Questions and Answers