Oracle Identity Management—Governance, Risk, and Compliance(5)

2019-03-09 21:58

ISO/IEC 13335-3 identifies three sources for establishing the organization's information security requirements: the risks that the organization faces, risks arising from compliance, and contractual requirements.

The first step is to determine the assets within the scope. The next step is to identify the threats, the potential events that can harm those assets; this involves three high-level steps: understanding the adversary's view, characterizing the security of the system, and determining threats. External threats originate from outside sources, either targeted at the company or randomly spread to the network through users or the Internet. External threats range from Web site defacement and attacks targeting a business to viruses and worms that tunnel their way into any network and destroy or alter data and applications, or monopolize system resources (denial of service) by duplicating and spreading themselves. Internal threats are varied and range from unprivileged local access to administrative abuse of privileges. The developers of kernel-level rootkits are orchestrating very complicated and effective schemes for compromising a system and remaining undetected. Malicious software worms spread faster than systems can be patched; however, they can be detected because most leave some type of imprint. The next step is to determine the vulnerabilities. These are conditions that leave a system open to attack by a threat, or that allow an attack to have some success or greater impact.

The next step in the process is to determine the impacts. An impact is the successful exploitation of a vulnerability by a threat, affecting the asset's availability, confidentiality, or integrity. The impacts are then identified and assigned a monetary value. This effort constitutes risk assessment, in which risks are assessed in light of the true harm they pose. From this point, an assessment of the likelihood of system failure ensues. In remediation, the controls in place against the risks are activated. Controls are the countermeasures for vulnerabilities. Apart from knowingly accepting risks that fall within the criteria of acceptability or transferring the risk (through contract or insurance) to others, there are four types of risk mitigation controls:

- Deterrent controls reduce the likelihood of a deliberate attack.
- Preventative controls protect vulnerabilities and make an attack unsuccessful or reduce its impact.
- Corrective controls reduce the effect of an attack.
- Detective controls discover attacks and trigger preventative or corrective controls.

Countermeasures or controls must be cost effective. In the best interest of the business, the cost of implementing and maintaining a control must be less than the cost of the impact. Total security is not possible, but it is possible to provide effective security against known risks provided periodic reevaluation practices are in place.
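As an added illustration (not part of the original chapter), the following Python script models the risk assessment steps above: each risk pairs an asset, threat and vulnerability with a monetary impact and an annual likelihood, each control is tagged with one of the four control types and reduces either likelihood or impact, and a control passes the cost-effectiveness test only when its annual cost is below the expected loss it prevents. The asset names, dollar figures, likelihoods and reduction factors are constructed sample values, and the likelihood-times-impact scoring is an assumption chosen for the example rather than a formula the text states.

```python
"""Quantitative risk register: added example, not part of the original text.

Each risk ties an asset, a threat and a vulnerability to a monetary impact and an
annual likelihood. Controls carry one of the four control types from the text and
scale either likelihood (deterrent, preventative, detective) or impact (corrective).
The likelihood-times-impact scoring and all figures below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

CONTROL_TYPES = ("deterrent", "preventative", "corrective", "detective")


@dataclass
class Control:
    name: str
    kind: str                       # one of CONTROL_TYPES
    annual_cost: float              # cost to implement and maintain, per year
    likelihood_factor: float = 1.0  # residual likelihood multiplier (1.0 = no effect)
    impact_factor: float = 1.0      # residual impact multiplier (1.0 = no effect)

    def __post_init__(self) -> None:
        if self.kind not in CONTROL_TYPES:
            raise ValueError(f"unknown control type: {self.kind}")
        for factor in (self.likelihood_factor, self.impact_factor):
            if not 0.0 <= factor <= 1.0:
                raise ValueError("reduction factors must lie between 0 and 1")


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    impact_value: float       # monetary value of one successful exploitation
    annual_likelihood: float  # expected occurrences per year

    def expected_annual_loss(self, controls: Optional[List[Control]] = None) -> float:
        """Likelihood x impact; each applied control scales one of the two."""
        likelihood, impact = self.annual_likelihood, self.impact_value
        for control in controls or []:
            likelihood *= control.likelihood_factor
            impact *= control.impact_factor
        return likelihood * impact


def evaluate_control(risk: Risk, control: Control) -> dict:
    """The text's test: the control's cost must be less than the loss it prevents."""
    inherent = risk.expected_annual_loss()
    residual = risk.expected_annual_loss([control])
    prevented = inherent - residual
    return {
        "control": control.name,
        "kind": control.kind,
        "inherent_loss": inherent,
        "residual_loss": residual,
        "loss_prevented": prevented,
        "cost_effective": control.annual_cost < prevented,
    }


def triage(risks: List[Risk], acceptance_threshold: float):
    """Accept risks at or below the threshold; rank the rest by expected loss."""
    accepted = [r for r in risks if r.expected_annual_loss() <= acceptance_threshold]
    open_risks = sorted((r for r in risks if r.expected_annual_loss() > acceptance_threshold),
                        key=lambda r: r.expected_annual_loss(), reverse=True)
    return accepted, open_risks


# Constructed sample data (no real organisation)
DEFACEMENT = Risk("public web server", "web site defacement", "unpatched CMS", 200_000.0, 0.5)
WORM = Risk("file server", "worm outbreak", "unpatched file-sharing service", 80_000.0, 0.25)
LAB_HOST = Risk("test lab host", "unprivileged local misuse", "shared local account", 5_000.0, 0.1)

PATCHING = Control("patch management", "preventative", 20_000.0, likelihood_factor=0.2)
MONITORING = Control("round-the-clock monitoring", "detective", 150_000.0, likelihood_factor=0.9)
BACKUPS = Control("offline backups", "corrective", 10_000.0, impact_factor=0.25)

if __name__ == "__main__":
    accepted, open_risks = triage([DEFACEMENT, WORM, LAB_HOST], acceptance_threshold=1_000.0)
    print("accepted:", [r.asset for r in accepted])
    for risk in open_risks:
        print(f"{risk.asset}: expected annual loss {risk.expected_annual_loss():,.0f}")
    for risk, control in ((DEFACEMENT, PATCHING), (DEFACEMENT, MONITORING), (WORM, BACKUPS)):
        print(evaluate_control(risk, control))
```

With these sample figures, patch management prevents far more loss than it costs and is adopted, while the monitoring service costs more than the loss it removes from the defacement risk and fails the test, which is the point the text makes about cost-effective countermeasures; the lab host risk falls under the acceptance threshold and is logged as accepted.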

The process for assessing risk builds on the scoping document, is focused on critical systems and information assets, and can be broken down into clearly defined steps:

- Identify the boundaries of what is to be protected.
- Identify systems necessary for the reception, storage, manipulation, and transmission of information within those boundaries and the information assets within those systems.
- Identify relationships between these systems, the information assets, and the organizational objectives and tasks.
- Identify systems and information assets that are critical to the organizational objectives and rank them in order of priority.
- Identify the potential threats to those critical systems and assets.
- Identify the potential vulnerabilities of those critical systems and assets.

With the key objectives clearly identified, the systems that are most important to their delivery are identified. It is possible that some objectives will have more than one system, and these interdependencies should also all be noted. The resulting report is a schedule that shows prioritized critical systems as dependencies of key organizational objectives, which is then reviewed and agreed upon by the senior management. The final step in this exercise is to transfer the risk-level assessment for each impact to the asset and risk log.
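As an added example (not part of the original text), this Python script walks the steps just listed: key objectives carry a priority and the systems they depend on, each system's criticality is taken from the most important objective it supports, systems shared by several objectives are flagged as interdependencies, and the resulting prioritized schedule is carried into an asset and risk log with a risk level per system and threat. The objectives, systems, threats and the qualitative risk matrix are constructed assumptions for the example.

```python
"""Critical-system schedule and asset/risk log: added example, not part of the original text.

Objectives carry a priority (1 = most important) and the systems they depend on.
A system's criticality is the best priority among the objectives it supports, and a
system supporting several objectives is flagged as an interdependency. The risk level
matrix is a constructed assumption; all names and ratings are sample data.
"""
from collections import defaultdict

# Constructed sample: objective -> (priority, systems the objective depends on)
OBJECTIVES = {
    "process customer orders": (1, ["order portal", "order database", "identity directory"]),
    "pay staff on time": (2, ["payroll application", "identity directory"]),
    "publish marketing site": (3, ["public web server"]),
}

# Constructed sample: system -> list of (threat, vulnerability, likelihood rating)
THREATS = {
    "identity directory": [("administrative abuse of privileges", "shared admin account", "medium")],
    "order database": [("worm exploiting unpatched service", "missing patches", "high")],
    "public web server": [("web site defacement", "outdated CMS plug-in", "high")],
}


def critical_system_schedule(objectives):
    """Rank systems by the objectives they deliver; most critical first."""
    supports = defaultdict(list)
    for objective, (priority, systems) in objectives.items():
        for system in systems:
            supports[system].append((priority, objective))
    schedule = []
    for system, deps in supports.items():
        schedule.append({
            "system": system,
            "criticality": min(p for p, _ in deps),
            "objectives": sorted(obj for _, obj in deps),
            "shared": len(deps) > 1,  # interdependency worth noting in the report
        })
    schedule.sort(key=lambda e: (e["criticality"], -len(e["objectives"]), e["system"]))
    return schedule


def risk_level(criticality, likelihood):
    """Constructed qualitative matrix: criticality band x likelihood rating."""
    band = {1: 3, 2: 2}.get(criticality, 1)
    score = band * {"high": 3, "medium": 2, "low": 1}[likelihood]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def asset_risk_log(schedule, threats):
    """Final step from the text: one log entry per (system, threat) with its risk level."""
    log = []
    for entry in schedule:
        for threat, vulnerability, likelihood in threats.get(entry["system"], []):
            log.append({
                "system": entry["system"],
                "criticality": entry["criticality"],
                "threat": threat,
                "vulnerability": vulnerability,
                "likelihood": likelihood,
                "risk_level": risk_level(entry["criticality"], likelihood),
            })
    return log


if __name__ == "__main__":
    schedule = critical_system_schedule(OBJECTIVES)
    for e in schedule:
        flag = " (shared)" if e["shared"] else ""
        print(f"{e['criticality']}  {e['system']}{flag}: {', '.join(e['objectives'])}")
    for row in asset_risk_log(schedule, THREATS):
        print(f"{row['risk_level']:6} {row['system']}: {row['threat']} via {row['vulnerability']}")
```

The schedule places the identity directory first even though it is not the most visible system, because two objectives depend on it; that is exactly the interdependency the text says should be noted and reviewed with senior management before risk levels are transferred to the log.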

Academia: OCTAVE Method from Carnegie Mellon

For an organization looking to understand its information security needs, OCTAVE is a risk-based strategic assessment and planning technique for security. The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) defines the essential components of a comprehensive, systematic, context-driven information security risk evaluation. OCTAVE is self-directed, meaning that people from an organization assume responsibility for setting the organization's security strategy. The technique leverages people's knowledge of their organization's security-related practices and processes to capture the current state of security practice within the organization. Risks to the most critical assets are used to prioritize areas of improvement and set the security strategy for the organization. The OCTAVE approach is driven by two aspects: operational risk and security practices. Technology is examined only in relation to security practices, enabling an organization to refine the view of its current security practices. OCTAVE distinguishes itself in organization evaluation, security practices, strategic issues, and self-direction. The OCTAVE phases of technical and organizational strategy are illustrated in Figure 1.6.

Figure 1.6: Phases 1, 2, and 3 of OCTAVE risk management.

Founding philosophy of OCTAVE:

- One cannot mitigate all information security risks.
- The enterprise budget is limited, and so are other resources.
- One cannot prevent all determined, skilled incursions.
- The enterprise needs to recognize, resist, and recover from incidents.

The enterprise therefore needs to determine the best use of limited resources to ensure its survivability and to focus on critical issues. Analysis teams must do the following:

- Identify information-related assets that are important.
- Focus risk analysis activities on those assets judged to be most critical to the organization.
- Consider the relationships among critical assets, the threats to those assets, and vulnerabilities that can expose assets to threats.
- Evaluate risks in an operational context: how the assets are used to conduct the organization's business and how those assets are at risk on account of security threats.
- Create a practice-based protection strategy for organizational improvement, as well as risk mitigation plans to reduce the risk to the organization's critical assets.

OCTAVE drivers:

- Risk-based: to prioritize effective use of minimum resources.
- Practice-based: serves as a platform for improving security.

OCTAVE is part of a continuum:

- Identify the organization's information security risks.
- Analyze the risks to determine priorities.
- Plan for improvement by developing a protection strategy for organizational improvement.

Academia: McCumber Cube Methodology

In 1991, John McCumber created one of the first risk models for a general architectural description of computer information security, now known as the McCumber Cube. This risk model is depicted as a three-dimensional cube-like grid in Figure 1.7. It provides a structured methodology that functions independently of technology evolution. Its dimensions and attributes are as follows:

- Desired goals
  - Confidentiality
  - Integrity
  - Availability
- Information states
  - Storage: in memory
  - Transmission: over network
  - Processing: in execution
- Reaction states
  - Policy: directives from management or IT department
  - Education: of users in process and procedure
  - Technology: software and hardware enablers

Figure 1.7: The McCumber Cube.

The 27 individual cubes created by the model can be extracted and examined individually. This key aspect can be useful in categorizing and analyzing countermeasures. It is also a tool for defining organizational responsibility for information security. By considering all 27 cubes, the analyst is assured of a complete perspective of all available security measures. Unlike other computer security standards and criteria, this model connotes a true systems viewpoint. The McCumber Cube was originally published as "...Model" by the National Security Telecommunications and Information Systems Security Committee (NSTISSC) and appeared in the National Security Telecommunications and Information Systems Security Instruction (NSTISSI) National Information Systems Security (INFOSEC) Glossary.
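As an added example (not from the original text or from McCumber's publication), the Python script below enumerates the 27 cells of the cube from the three dimensions listed above and maps a constructed set of countermeasures onto them, so that the cells no countermeasure addresses are reported explicitly; this is the "complete perspective" check the text describes, carried out mechanically. The countermeasure names and the wildcard notation for policy and education measures are assumptions made for the example.

```python
"""McCumber Cube coverage check: added example, not part of the original text.

Enumerates the 27 cells (desired goal x information state x reaction state, as the
text names the axes) and maps constructed sample countermeasures onto them so that
uncovered cells, which the analyst must consciously accept or fill, are listed.
"""
from itertools import product

GOALS = ("confidentiality", "integrity", "availability")
STATES = ("storage", "transmission", "processing")
REACTIONS = ("policy", "education", "technology")

CELLS = list(product(GOALS, STATES, REACTIONS))  # all 27 individual cubes

# Constructed sample: countermeasure -> (goal, state, reaction); "*" covers every value on that axis.
COUNTERMEASURES = {
    "full-disk encryption": ("confidentiality", "storage", "technology"),
    "TLS on all services": ("confidentiality", "transmission", "technology"),
    "signed messages": ("integrity", "transmission", "technology"),
    "RAID and tested backups": ("availability", "storage", "technology"),
    "acceptable-use policy": ("*", "*", "policy"),
    "security awareness training": ("*", "*", "education"),
}


def cells_for(spec):
    """Expand a (goal, state, reaction) spec, with '*' wildcards, into concrete cells."""
    axes = (GOALS, STATES, REACTIONS)
    for value, axis in zip(spec, axes):
        if value != "*" and value not in axis:
            raise ValueError(f"{value!r} is not a valid value on axis {axis}")
    choices = [axis if value == "*" else (value,) for value, axis in zip(spec, axes)]
    return list(product(*choices))


def coverage(countermeasures):
    """Map every one of the 27 cells to the countermeasures that address it."""
    covered = {cell: [] for cell in CELLS}
    for name, spec in countermeasures.items():
        for cell in cells_for(spec):
            covered[cell].append(name)
    return covered


def uncovered(countermeasures):
    """Cells with no countermeasure at all: the gaps in the organization's perspective."""
    return [cell for cell, names in coverage(countermeasures).items() if not names]


if __name__ == "__main__":
    for goal, state, reaction in uncovered(COUNTERMEASURES):
        print(f"gap: {goal} / {state} / {reaction}")
```

With the sample countermeasures the policy and education layers are blanket-covered, and every gap the script reports sits in the technology layer (for example, confidentiality of data in processing), which is the kind of blind spot the 27-cell decomposition is meant to expose.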

Basel II

International Convergence of Capital Measurement and Capital Standards—A Revised Framework is the second Basel Accord and represents recommendations by bank supervisors and central bankers from the 13 countries making up the Basel Committee on Banking Supervision (BCBS) to revise the international standards for measuring the adequacy of a bank's capital. It was created to promote greater consistency in the way banks and banking regulators approach risk management across national borders. Basel II uses a three-pillar concept—(1) minimum capital requirements, (2) supervisory review, and (3) market discipline—to promote greater stability in the financial system:

- The first pillar provides improved risk sensitivity in the way that capital requirements are calculated for three major components of risk that a bank faces: credit risk, operational risk, and market risk. In turn, each of these components can be calculated in three ways of varying sophistication. Terms defining market risk include VaR (value at risk) and EL (expected loss, more commonly known as loss function), whose components are PD (probability of default), LGD (loss given default), and EAD (exposure at default). Calculation of these components requires advanced data collection and sophisticated risk management techniques.
- The second pillar deals with the regulatory response to the first pillar, giving regulators improved measures to help them implement the accord. It also provides a framework for dealing with financial risk, including name risk, liquidity risk, and legal risk, which the accord combines under the title of residual risk.
- The third pillar greatly increases the disclosures that the bank must make. This is designed to give the market a better picture of the overall risk position of the bank and to allow the counterparties of the bank to price and deal appropriately.

Summary

We are at the precipice of a new risk management frontier with operational risks, and clearly, there is still much further to go. Because operational losses today are more intensely scrutinized, and therefore visible, operational performance demands are greater than ever.

In addition to modeling operational risk, there is much to be said for simply improving the availability of operational risk information for management decision making. Technology will be the essential mortar needed to aggregate, cement, and simplify all the pieces in place, thereby linking all of the functional areas, initiatives, and data sets, both hard and soft, firmwide. Aggregated operational risk reporting will become commonplace, much as portfolio market and credit risk reports have. Because of the softer issues involved, such as the vagaries of human behavior (i.e., people risk), a mix of tools will be needed to represent operational risk fully. The risk complexities also require more effective risk management programs to link initiatives and variables together, not just periodically but continuously.

Chapter 2: Compliance Frameworks

Overview

