Oracle Identity Management—Governance, Risk, and Compliance(2)

2019-03-09 21:58

identification is at the basis of COSO's (Committee of Sponsoring Organizations of the Treadway Commission).

- Scenario-based risk identification: In scenario analysis different scenarios are created. The scenarios may be the alternative ways of achieving an objective or an analysis of the interaction of forces. Any event that triggers an undesired scenario alternative is identified as a risk.

- Taxonomy-based risk identification: A breakdown of possible risk sources. Based on the knowledge of best practices, this methodology is questionnaire oriented.

- Common-risk checking: In industries with known risks, each risk in the list can be checked for application to a particular situation.

Risk Analysis Standards

Once identity information professionals get a firm grasp of the elements of risk, they must become familiar with the standards against which their efforts and activities will be measured. Many formulas and processes are designed to help provide some certainty when answering these questions. However, not every possibility can be considered, because life and nature are constantly evolving and changing. Risk analysis tries as much as possible to anticipate the future and to lower the possibility of a threat's impact on companies.

Risk is a measure of the frequency or probability of a negative event and the associated consequences. You do not have to plan for events with zero probability or events that have no consequences. The probability of a threat is a measure of the capabilities, impact, intentions, and past activities of potential miscreants. The capability of perpetrating a terrorist act depends on the ability to manufacture or acquire a weapon and to carry out the act. The impact is the consequence of the act, including casualties, property damage, and business interruption. Intentions are the motivations of a terrorist or terrorist organization to perpetrate acts of terror.

In the physical domain, a nuclear or radiological incident could involve the detonation of a thermonuclear device, the explosion of a … of radioactive material from an attack on a facility that uses or stores radioactive materials (e.g., a bomb, aircraft, or missile attack on a nuclear power plant). An attack with biological agents could include the intentional dispersal or distribution of biological agents such as anthrax, smallpox, botulism, and the plague. Anthrax can be sent through the mail system, and food can be contaminated with salmonella. Smallpox and plague are infectious diseases that could spread widely.

A vulnerability assessment is the process of identifying weaknesses in perimeter security, buildings, utility systems, personnel protection systems, or computer systems that can be exploited. In this context, the role of information risk management is to optimize outcomes such as profit objectives, return on investment, and performance measures, which results in value creation.

Common Vulnerabilities

- Domain name servers: The domain name service architecture should be evaluated to avoid creating a single point of failure that could result in an extended loss of connectivity. Cyber attacks by definition strike computer systems that are connected via local and wide area networks to computer networks outside the building, including, and especially, the Internet.

- Software vulnerabilities: These account for the majority of successful attacks, simply because attackers are opportunistic and take the easiest and most convenient route. Attackers exploit the best-known flaws with the most effective and widely available attack tools. They count on organizations not fixing the problems, and they often attack indiscriminately, scanning the Internet for vulnerable systems.

- Default installs of operating systems and applications: Most software packages, including operating systems and applications, come with installation scripts or programs. The goal of these installation programs is to get the systems installed as quickly as possible, with the most useful functions enabled and the least amount of work by the system administrator. To accomplish this goal, the scripts typically install more components than most users need. This opens an avenue of attack to miscreants.

- Accounts with no password or a weak password: Most systems are configured to use passwords as the first, and only, line of defense. User IDs are fairly easy to acquire, and most companies have dial-up access that bypasses the firewall. Therefore, if an attacker can determine an account name and password, he or she can log on to the network.

- Nonexistent or incomplete backups: When an incident occurs, recovery from it requires up-to-date backups and proven methods of restoring the data. Some organizations make daily backups but never verify that the backups are actually working. Others construct backup policies and procedures but do not create restoration policies and procedures.

- Large number of open ports: Both legitimate users and attackers connect to systems via open ports. The more ports that are open, the more possible ways that someone can connect to your system. Therefore, it is important to keep the least number of necessary ports open on a system. All other ports must be closed.

- Not filtering packets for correct incoming and outgoing addresses: Spoofing IP addresses is a common method used by attackers to hide their tracks when they attack a victim. For example, the very popular smurf attack uses a feature of routers to send a stream of packets to thousands of machines. Each packet contains a spoofed source address of a victim. The computers to which the spoofed packets are sent flood the victim's computer.

- Nonexistent or incomplete logging: You cannot detect an attack if you do not know what is occurring on your network. Logs provide the details of what is occurring, what systems are being attacked, and what systems have been compromised. Without logs you have little chance of discovering what the attackers did.
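The packet-filtering item above describes the control only in words. The following is an added example, not code from the book, of the ingress/egress (anti-spoofing) rules a border filter applies: nothing leaving the network may carry a source address that is not ours, nothing arriving from outside may claim one of our addresses or come from an unroutable range, and nothing may be addressed to our subnet broadcast (the amplifier a smurf attack relies on). The internal prefix, the bogon list and the packet records are constructed for the example.

```python
"""Ingress/egress anti-spoofing filter for a border router.

Added example, not from the book. The internal prefix, the bogon list and
the sample packet records are constructed assumptions; a real deployment
would take them from the router's interface configuration.
"""
import ipaddress

# Constructed: the one prefix this organization owns behind the border.
INTERNAL = ipaddress.ip_network("192.0.2.0/24")

# Constructed subset of unroutable ranges; a valid Internet source or
# destination never falls inside these.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_bogon(addr):
    """True if the address lies in a range that should never appear on the wire."""
    return any(addr in net for net in BOGONS)


def filter_packet(direction, src, dst):
    """Return (verdict, reason) for one packet.

    direction is "in" (arriving from the Internet) or "out" (leaving us).
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)

    if direction == "in":
        # Ingress: an outside packet cannot legitimately claim an inside
        # source, nor come from a bogon range, nor target anything but us.
        if src_ip in INTERNAL:
            return "drop", "ingress packet spoofs an internal source"
        if is_bogon(src_ip):
            return "drop", "ingress packet from bogon source"
        if dst_ip not in INTERNAL:
            return "drop", "ingress packet not addressed to our prefix"
        if dst_ip == INTERNAL.broadcast_address:
            # Directed broadcast is the smurf amplifier; never forward it.
            return "drop", "directed broadcast to our subnet"
        return "accept", "ok"

    if direction == "out":
        # Egress: everything we send must carry one of our own addresses,
        # so a compromised host cannot spoof a victim's source address.
        if src_ip not in INTERNAL:
            return "drop", "egress packet spoofs an external source"
        if is_bogon(dst_ip):
            return "drop", "egress packet to bogon destination"
        return "accept", "ok"

    raise ValueError("direction must be 'in' or 'out'")


# Constructed packet records: (direction, source, destination).
SAMPLE_PACKETS = [
    ("out", "192.0.2.10", "198.51.100.5"),    # legitimate outbound
    ("out", "203.0.113.9", "198.51.100.5"),   # spoofed source leaving our net
    ("in", "192.0.2.77", "192.0.2.1"),        # outside packet claiming inside source
    ("in", "198.51.100.5", "192.0.2.10"),     # legitimate inbound
    ("in", "10.1.2.3", "192.0.2.10"),         # bogon source
]


def audit(packets=SAMPLE_PACKETS):
    """Verdict for each sample packet, in order."""
    return [filter_packet(*p)[0] for p in packets]


if __name__ == "__main__":
    for packet, verdict in zip(SAMPLE_PACKETS, audit()):
        print(verdict, packet, filter_packet(*packet)[1])
```

The same two rules are what a router operator expresses as ingress and egress access lists; writing them out as a function makes it easy to replay captured flow records against the policy and list the packets that would have been dropped.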

When applying risk management, the regional circumstances dictate the model that must be used to express the risk. Australia, New Zealand, Canada, the United Kingdom, Germany, South Africa, the United States, and the United Nations through the International Standards Organization have all devised risk analysis standards designed to assist in the risk mitigation process and protect shareholders within their populations.

Australia/New Zealand Standard 4360:1995, 1999, and 2000

AS/NZS 4360 was developed in response to a perceived need for practical assistance in applying risk management in public sector and private sector organizations. The reason AS/NZS 4360 has been so widely accepted in Australia, New Zealand, and globally may lie in the way standards were developed and approved there. The process started in 1992 when a Standards Australia questionnaire was submitted on behalf of the Association of Risk and Insurance Managers of Australasia (ARIMA). This led to the distribution of a further questionnaire to a wide range of industry and professional organizations to determine both need and interest. Satisfied of the need and the availability of a representative range of potential members, Standards Australia and Standards New Zealand established a Joint Technical Committee composed of 27 members representing 22 industry, professional, and government (federal, state, and local) organizations. The committee first gathered all available information. All submissions and documents were copied and supplied to the members. After several drafts, the committee produced one for public comment. To ensure maximum exposure, the representative organizations were asked to encourage responses from their membership, advertisements were placed in the daily press seeking input from the general public, and copies were supplied to all member organizations of the International Federation of Risk and Insurance Management Associations (IFRIMA). The committee received 326 specific comments from 55 individuals or organizations. Each comment was addressed, resulting in many changes to the draft. The final document received unanimous approval and was published in November 1995.

AS/NZS 4360 was prepared by the Joint Standards Australia/Standards New Zealand Committee OB-007, Risk Management, as a revision of AS/NZS 4360:1999, Risk Management. AS/NZS 4360 provides a generic framework for establishing the context and identifying, analyzing, evaluating, treating, monitoring, and communicating risk. This handbook states in clause 4.2 that the objective of this standard is to provide guidance to enable public, private, or community enterprises, groups, and individuals to achieve the following:

- A more confident and rigorous basis for decision making and planning
- Better identification of opportunities and threats
- Gaining value from uncertainty and variability
- Proactive rather than reactive management
- More effective allocation and use of resources
- Improved incident management and reduction in loss and the cost of risk, including commercial insurance premiums
- Improved stakeholder confidence and trust
- Improved compliance with relevant legislation
- Better corporate governance

The risk management process model of AS/NZS 4360 consists of three major elements: the risk management workflow, monitor and review, and, finally, communicate and consult. The latter two continuously interact with the steps of the risk management workflow. AS/NZS 4360 defines risk management as the "management of potential opportunities and adverse effects" and risk as "the chance of something happening that will have an impact upon objectives. It is measured in terms of likelihood and consequences."

Figure 1.1 illustrates the bidirectional flow from context and risk to communication and consultation in parallel with monitoring and reviewing activities. These serve as a logical check on the risk analysis process, where risk is evaluated, mitigated, or accepted in sequential steps as follows:

- Establish the context: It is necessary to fully understand the external and internal aspects of the organization, or the part of the organization, that is subject to risk management.

- Identify risks: This step uncovers risks, their location, time frame, root causes, and scenarios.

- Analyze risks: The output of risk analysis is the likelihood of a risk and the consequences of its occurrence.

- Evaluate risks: Risk analysis provides an outcome, which is the basis for deciding which risks need treatment and in what priority.

- Treat risks: Treatments are responses to risks. Alternative treatments need to be identified, assessed, selected, planned, and implemented.

- Monitor and review: The purpose of this step is to ensure that the risk management plan remains relevant and that all input data, including likelihood and consequence, are up to date. Monitor and review relates to all five elements of the risk management workflow mentioned previously.

- Communicate and consult: Successful risk management relies on communication with all stakeholders. Communication improves the level of understanding and the treatment of risks. Communication is important throughout the entire risk management cycle.

Figure 1.1: The AS/NZS 4360 risk analysis process.

The risk management process flow consists of the following elements:

- The organization's strategic objectives: Ensure that risk management activities meet the strategy of the organization.

- Risk identification: Uncover and list risks.

- Risk description: Display the identified risks in a structured format.

- Risk estimation: Provide values for the probability of a risk and the consequence in case of risk occurrence.

- Risk evaluation: Compare against risk criteria to analyze whether the risk is accepted or requires any treatment.

- Risk reporting: Report the risks identified. There are different requirements on reporting depending on the level inside (internal reporting) or outside (external reporting) the organization.

- Decision: Make a decision about whether and how to respond to a risk.

- Risk treatment: Select and implement treatments against risks.

- Residual risk reporting: Report the progress made by mitigating the risk.

- Monitoring: Check results. The monitoring step loops back to the previous steps for improvement and update.
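The process flow above is abstract; the following added example, which is not code from the book or from AS/NZS 4360, walks one risk register through the estimation, evaluation, decision, treatment, residual reporting and monitoring steps in code. The 1 to 5 likelihood and consequence scales, the acceptance criteria, the sample risks (taken from the common vulnerabilities listed earlier) and the treatments are constructed assumptions, as is the rule that the monitoring loop keeps applying treatments only while the evaluation still says "treat".

```python
"""Risk register that walks the AS/NZS 4360 process flow described above.

Added example; not code from the book or from the standard. The scales,
the risk criteria, the sample risks and the treatment playbook are
constructed assumptions.
"""
from dataclasses import dataclass, field

# Constructed qualitative scales for risk estimation.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}

# Constructed risk criteria: below ACCEPT_BELOW the risk is accepted, at or
# above TREAT_FROM it must be treated, anything in between needs a decision.
ACCEPT_BELOW = 6
TREAT_FROM = 12


@dataclass
class Risk:
    """Risk description: one identified risk in a structured format."""
    description: str
    likelihood: str
    consequence: str
    treatments: list = field(default_factory=list)

    def estimate(self):
        """Risk estimation: probability value times consequence value."""
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]


def evaluate(score):
    """Risk evaluation: compare the estimate against the risk criteria."""
    if score < ACCEPT_BELOW:
        return "accept"
    if score >= TREAT_FROM:
        return "treat"
    return "decide"  # Decision step: management chooses whether to respond


def treat(risk, name, likelihood=None, consequence=None):
    """Risk treatment: record the control and its effect on the estimate."""
    risk.treatments.append(name)
    if likelihood is not None:
        risk.likelihood = likelihood
    if consequence is not None:
        risk.consequence = consequence
    return risk.estimate()


def residual_report(register):
    """Residual risk reporting: description, score, evaluation, treatments applied."""
    return [(r.description, r.estimate(), evaluate(r.estimate()), len(r.treatments))
            for r in register]


def run_register(register, playbook):
    """Monitoring: after each treatment, re-estimate and loop back to
    evaluation until the risk no longer requires treatment or the playbook
    for that risk is exhausted. Returns the residual risk report."""
    for risk in register:
        options = list(playbook.get(risk.description, []))
        while evaluate(risk.estimate()) == "treat" and options:
            treat(risk, *options.pop(0))
    return residual_report(register)


# Constructed sample register drawn from the common vulnerabilities above.
SAMPLE_REGISTER = [
    Risk("default install leaves unused components enabled", "likely", "moderate"),
    Risk("backups never tested for restore", "possible", "major"),
    Risk("weak passwords on dial-up accounts", "likely", "major"),
    Risk("open ports beyond business need", "possible", "minor"),
]

# Constructed treatment playbook: (name, new likelihood, new consequence).
SAMPLE_PLAYBOOK = {
    "default install leaves unused components enabled": [
        ("hardened build baseline removes unneeded components", "unlikely", None)],
    "backups never tested for restore": [
        ("quarterly restore drill with documented procedure", "rare", None)],
    "weak passwords on dial-up accounts": [
        ("enforce password policy", "possible", None),
        ("require multi-factor authentication for remote access", "rare", None)],
}

if __name__ == "__main__":
    for line in run_register(SAMPLE_REGISTER, SAMPLE_PLAYBOOK):
        print(line)
```

The password risk shows why monitoring loops back rather than stopping after one treatment: the first control alone leaves the score at the treatment threshold, so the register applies the second before the residual risk falls into the accepted band, while the open-ports risk lands in the "decide" band and is left for a management decision rather than being treated automatically.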

British Standard BS 6079-3:2000 and PD-6668:2000

Lord Berkeley stated that the course of empire was westward. The course of risk management standards, however, appears to run in reverse. The first national standard was created in Oceania by the Kiwis and Aussies in 1995 (ANZ Standard 4360:1995 and 1999). The Canadians followed in 1997 (CSA-Q850-97) with their version. Eastward, the British published BS 6079-3:2000 after a revision of ISO/IEC 17799 led to a modification in the controls, which triggered a change to Annex A of BS 7799 Part 2 to keep it in line with the new Part 1. This resulted in the creation of BS 6079 as a method to quantify risk in the security audit process. In the British standard, BS 6079, risk is defined as "the prospects of achieving business or project goals."

