23 January 2003© All rights Reserved, 2002 Understanding Facilitated Risk Analysis Process (FRAP) and Security Policies for Organizations Infocomm Security.

23 January 2003 © All Rights Reserved, 2002. Understanding Facilitated Risk Analysis Process (FRAP) and Security Policies for Organizations. Infocomm Security and Computer Security Institute.

ABSTRACT

- Facilitated Risk Analysis Process (FRAP)
- The dictionary defines RISK as "someone or something that creates or suggests a hazard". In today's environment, it is one of the many costs of doing business or providing a service. Information security professionals know and understand that nothing ever runs smoothly for very long. Any manner of internal or external hazard or risk can cause a well-running organization to lose competitive advantage, miss deadlines and/or suffer embarrassment. As security professionals, management is looking to us to provide a process that allows for the systematic review of risks, threats, hazards and concerns and provides cost-effective measures to lower risk to an acceptable level. This session will review the current practical application of cost-effective risk analysis.

AGENDA

- Risk Analysis Basics
- Difficulties and Pitfalls
- Making the FRAP a Business Process
- Key FRAP Issues

Effective Risk Analysis

- Frequently Asked Questions
  - Why should a risk analysis be conducted?
  - When should a risk analysis be conducted?
  - Who should conduct the risk analysis?
  - How long should a risk analysis take?
  - What can a risk analysis analyze?
  - What can the results of a risk analysis tell an organization?
  - Who should review the results of a risk analysis?
  - How is the success of the risk analysis measured?

- ISO Information Security Standard
  - 1. Scope
  - This standard gives recommendations for information security management for use by those who are responsible for initiating, implementing or maintaining security in their organization.
  - It is intended to provide a common basis for developing organizational security standards and effective security management practice and to provide confidence in inter-organizational dealings.
  - Recommendations from this standard should be selected and used in accordance with applicable laws and regulations.

- ISO Information Security Standard
  - 2. Terms and definitions
  - 2.1 Information Security
    - Confidentiality
    - Integrity
    - Availability
  - 2.2 Risk Assessment
    - Assessment of threats to, impacts on and vulnerabilities of information and information processing facilities and the likelihood of their occurrence
  - 2.3 Risk Management
    - Process of identifying, controlling and minimizing or eliminating risks that may affect information systems, for an acceptable cost.

- ISO Information Security Standard
  - 3. Security Policy
    - provide management direction and support
  - 4. Asset Classification and Control
    - maintain appropriate protection of corporate assets
  - 5. Computer and Network Management
    - ensure the correct and secure operation of information processing facilities
    - minimize risk of system failures
    - protect integrity of software and information

- ISO Information Security Standard
  - 5. Communications and Network Management
    - maintain integrity and availability of information processing and communications
    - ensure the safeguarding of information networks and protection of the supporting infrastructure
    - prevent damage to assets and interruptions to business activities
    - prevent loss, modification or misuse of information exchanged between organizations

- ISO Information Security Standard
  - 6. Security Organization
    - manage information security within the enterprise
    - maintain security of enterprise information processing facilities and information assets accessed by third parties
    - maintain the security of information when the responsibility for information processing has been outsourced to another organization

- ISO Information Security Standard
  - 7. Personnel Security
    - reduce risks of human error, theft, fraud or misuse of facilities
    - ensure users are aware of information security threats and concerns and are equipped to support the enterprise security policy
    - minimize the damage from security incidents and malfunctions

- ISO Information Security Standard
  - 8. Compliance
    - avoid breaches of any criminal or civil law, statutory, regulatory or contractual obligations and of any security requirements
    - ensure compliance of systems with enterprise security policy and standards
    - maximize the effectiveness of, and minimize interference to/from, the system audit process

- ISO Information Security Standard
  - 9. Physical and Environmental Security
    - prevent unauthorized access, damage and interference to business premises and information
    - prevent loss, damage or compromise of assets and interruption to business activities
    - prevent compromise or theft of information and information processing facilities

- ISO Information Security Standard
  - 10. System Development and Maintenance
    - ensure security is built into operational systems
    - prevent loss, modification or misuse of user data in application systems
    - protect the confidentiality, authenticity and integrity of information
    - ensure IT projects and support activities are conducted in a secure manner
    - maintain the security of application system software and data

- ISO Information Security Standard
  - 11. System Access Control
    - control access to information
    - prevent unauthorized access to information systems
    - ensure the protection of networked services
    - prevent unauthorized system access
    - detect unauthorized activities
    - ensure information security when using mobile computing and networking facilities

- ISO Information Security Standard
  - 12. Business Continuity Planning
    - counteract interruptions to business activities and protect critical business processes from the effects of major failures or disasters

- The United States National Institute of Standards and Technology (NIST) has published valuable information security documents that can be obtained by accessing their web site at csrc.nist.gov/publications/nistpubs/.
  - SP An Introduction to Computer Security: The NIST Handbook
  - SP Guide for Developing Security Plans for Information Technology Systems
  - SP Security Self-Assessment Guide for Information Technology Systems
  - SP Risk Management Guide for Information Technology Systems
  - SP Security Guide for Interconnecting Information Technology Systems

- Information protection in quality assurance works with three key elements:
  - Integrity - the information is as intended, without inappropriate modification or corruption
  - Confidentiality - the information is protected from unauthorized or accidental disclosure
  - Availability - authorized users can access applications and systems when required to do their job

- No matter what risk analysis process is used, the method is always the same:
  - Identify the asset
  - Ascertain the risk
  - Determine the probability
  - Identify the corrective action
- Remember - sometimes accepting the risk is the appropriate corrective action.


- Definitions
  - Threat - an undesirable event
  - Impact - effect on the business objectives or mission of the enterprise
  - Probability - likelihood that the risk may occur
  - Losses - these include direct and indirect loss
    - disclosure
    - integrity
    - denial of service

- Accreditation - formal acceptance of a system's overall security by management
- Certification - process of assessing security mechanisms and controls and evaluating their effectiveness
- Vulnerability - a condition of a missing or ineffectively administered safeguard or control that allows a threat to occur with a greater impact or frequency, or both

- Definitions
  - Safeguard/Control - a countermeasure that acts to prevent, detect, or minimize the consequences of a threat occurrence
  - Exposure Factor - how much impact or loss of asset value is incurred, from 0% to 100%
  - Single-time Loss Algorithm (SLA) - when a threat occurs, how much the loss of asset value is expected to be, in monetary terms
  - Annualized Rate of Occurrence (ARO) - how often a threat might be expected to happen in a one-year period

- Risk Analysis Objectives
  - Identify potential undesirable or unauthorized events, "RISKS", that could have a negative impact on the business objectives or mission of the enterprise.
  - Identify potential "CONTROLS" to reduce or eliminate the impact of RISK events determined to be of MAJOR concern.

Systems/Applications Supporting Enterprise Operations

Threats:
- Attempts to access private information
- Fraud
- Malicious attacks
- Pranks
- Natural disasters
- Sabotage
- User error

Potential Damage:
- Customer loss of confidence
- Critical operations halted
- Sensitive information disclosed
- Services and benefits interrupted
- Failure to meet contractual obligations
- Assets lost
- Integrity of data and reports compromised

Information Security Objectives (Source: GAO/AIMD 98-68)

- Maintain customer, constituent, stockholder, or taxpayer confidence in the organization
- Protect confidentiality of sensitive information (personal, financial, trade secret, etc.)
- Protect sensitive operational data from inappropriate disclosure
- Avoid third-party liability for illegal or malicious acts committed with the organization's systems
- Ensure that the organization's computers, network, and data are not misused or wasted
- Avoid fraud
- Avoid expensive and disruptive incidents
- Comply with pertinent laws and regulations
- Avoid a hostile workplace atmosphere

- Risk Management Principles (Source: GAO/AIMD 98-68)
  - Assess risk and determine needs
  - Establish a central management focal point
  - Implement appropriate policies and related controls
  - Promote awareness
  - Monitor and evaluate policy and control effectiveness

[Figure: Risk Management Cycle (Source: GAO/AIMD 98-68). A Central Focal Point sits at the centre of a cycle of four activities: Assess Risk & Determine Needs, Implement Policies & Controls, Promote Awareness, Monitor & Evaluate.]

Sixteen Practices Employed by Leading Organizations to Implement the Risk Management Cycle

Principle 1. Assess Risk and Determine Needs
Practices:
  1. Recognize information resources as essential organizational assets
  2. Develop practical risk assessment procedures that link security to business needs
  3. Hold program and business managers accountable
  4. Manage risk on a continuing basis

Principle 2. Establish a Central Management Focal Point
Practices:
  5. Designate a central group to carry out key activities
  6. Provide the central group ready and independent access to senior executives
  7. Designate dedicated funding and staff
  8. Enhance staff professionalism and technical skills

Principle 3. Implement Appropriate Policies and Related Controls
Practices:
  9. Link policies to business risks
  10. Distinguish between policies and guidelines
  11. Support policies through the central security group

Principle 4. Promote Awareness
Practices:
  12. Continually educate users and others on the risks and related policies
  13. Use attention-getting and user-friendly techniques

Principle 5. Monitor and Evaluate Policy and Control Effectiveness
Practices:
  14. Monitor factors that affect risk and indicate security effectiveness
  15. Use results to direct future efforts and hold managers accountable
  16. Be alert to new monitoring tools and techniques

- Assess Risk and Determine Needs
  - Risk considerations and the related cost-benefit trade-off are the primary focus of a security program.
  - Security is not an end in itself.
  - Controls and safeguards are identified and implemented to address specific business risks.
- Understanding the business risks associated with information security is the starting point of an effective risk analysis and management program.

- Organizations that are most satisfied with their risk analysis procedures are those that have defined a relatively simple process that can be adapted to various organizational units and involves a mix of individuals with knowledge of business operations and of the technical aspects of the enterprise's systems and security controls.* (*Source: GAO/AIMD 98-68)

- Facilitated Risk Analysis Process (FRAP)
  - FRAP analyzes one system, application or segment of a business process at a time
  - A team of individuals that includes business managers and support groups is convened
  - The team brainstorms potential threats, vulnerabilities and resultant negative impacts to data integrity, confidentiality and availability
  - Impacts on business operations are analyzed
  - Threats and risks are prioritized

- Facilitated Risk Analysis Process (FRAP)
  - FRAP users believe that the additional effort to develop precisely quantified risks is not cost effective because:
    - such estimates are time consuming
    - risk documentation becomes too voluminous for practical use
    - specific loss estimates are generally not needed to determine whether controls are needed

- Facilitated Risk Analysis Process (FRAP)
  - After identifying and categorizing risks, the team identifies controls that could mitigate the risk
  - A common group of controls is used as a starting point
  - The decision on what controls are needed lies with the business manager
  - The team's conclusions as to what risks exist and what controls are needed are documented along with a related action plan for control implementation

- Facilitated Risk Analysis Process (FRAP)
  - Each risk analysis session takes approximately 4 hours
  - Includes 7 to 15 people
  - Additional time is required to develop the action plan
  - Results remain on file for the same time as audit papers

- Facilitated Risk Analysis Process (FRAP)
  - The team does not attempt to obtain or develop specific numbers for threat likelihood or annual loss estimates
  - It is the team's experience that sets priorities
  - After identifying and categorizing risks, the group identifies controls that can be implemented to reduce the risk
    - focusing on cost-effective
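The two approaches the slides contrast (the quantitative Exposure Factor / single loss / ARO definitions, and the FRAP team's qualitative impact-by-probability prioritization) side by side, as an added example that is not part of the original presentation. The scale values, rating thresholds, risk register and dollar figures are constructed for illustration; the annualized loss formula (single loss x ARO) is the standard relationship and is not stated on the slides.

```python
from dataclasses import dataclass

# Qualitative scale standing in for dollar figures, as a FRAP team uses
# (values are this example's assumption; the slides only say the team's
# experience sets the priorities).
LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    threat: str
    impact: str                   # low / medium / high: effect on the mission
    probability: str              # low / medium / high: likelihood of the threat
    asset_value: float = 0.0      # quantitative inputs, optional in FRAP
    exposure_factor: float = 0.0  # 0.0 .. 1.0, the slide's 0% .. 100%
    aro: float = 0.0              # annualized rate of occurrence

    def score(self) -> int:
        return LEVEL[self.impact] * LEVEL[self.probability]

    def priority(self) -> str:
        """FRAP-style rating from the impact x probability matrix (thresholds assumed)."""
        s = self.score()
        if s >= 6:
            return "A"   # major concern: controls are identified for these first
        if s >= 3:
            return "B"
        return "C"

    def single_loss(self) -> float:
        """Loss from one occurrence: asset value x exposure factor."""
        return self.asset_value * self.exposure_factor

    def annualized_loss(self) -> float:
        """Annualized loss expectancy: single loss x ARO (standard formula)."""
        return self.single_loss() * self.aro


def prioritize(register: list[Risk]) -> list[str]:
    """Threat names in the order the team would work them, highest concern first."""
    ordered = sorted(register, key=lambda r: (r.priority(), -r.score(), r.threat))
    return [r.threat for r in ordered]


def control_decision(risk: Risk, annual_control_cost: float, residual_aro: float) -> tuple[str, float]:
    """Mitigate only when the reduction in annualized loss exceeds the control's yearly
    cost; otherwise accepting the risk is the appropriate corrective action."""
    ale_before = risk.annualized_loss()
    ale_after = risk.single_loss() * residual_aro   # same exposure, lower frequency
    benefit = ale_before - ale_after
    return ("mitigate" if benefit > annual_control_cost else "accept", benefit)


# Constructed register drawn from the threat list on the slides.
REGISTER = [
    Risk("Fraud", "high", "medium"),
    Risk("User error", "medium", "high"),
    Risk("Natural disasters", "high", "low"),
    Risk("Pranks", "low", "medium"),
]

# One quantitative case for contrast (constructed): a $500k asset, 40% exposure,
# expected roughly once a decade.
DATA_CENTRE_FIRE = Risk("Natural disasters", "high", "low",
                        asset_value=500_000, exposure_factor=0.4, aro=0.1)

if __name__ == "__main__":
    print(prioritize(REGISTER))
    print(DATA_CENTRE_FIRE.single_loss(), DATA_CENTRE_FIRE.annualized_loss())
    print(control_decision(DATA_CENTRE_FIRE, annual_control_cost=15_000, residual_aro=0.02))
    print(control_decision(DATA_CENTRE_FIRE, annual_control_cost=25_000, residual_aro=0.02))
```

The qualitative path needs no loss figures at all, which is the FRAP argument on the slides; the quantitative path shows what the extra estimates buy when a control's cost has to be justified against the expected loss.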

- Business managers bear the primary responsibility for determining the level of protection needed for information resources that support business operations.
- Security professionals must play a strong role in educating and advising management on exposures and possible controls.
