Risk Assessment. InfoSec and Legal Aspects Risk assessment Laws governing InfoSec Privacy.


Risk Assessment

InfoSec and Legal Aspects Risk assessment Laws governing InfoSec Privacy

Risk Assessment
– Assigns a risk rating for each asset
– Likelihood refers to the probability of a known vulnerability being attacked
   Likelihood of fire is forecast from actuarial data
   Likelihood of a virus is estimated from the volume handled and the number of servers in use
   Likelihood of a network attack is estimated from the number of network addresses in use

Risk Assessment
– How to assign value to information assets?
   NIST SP contains parameters to check
   Critical assets are assigned the value 100
   Non-critical but essential assets get the value 50
   Least critical assets get the value 1
– What factors to look for in valuation?
   Which threats present a danger?
   Which threats present a significant danger?
   Cost to recover from an attack
   Threats that require the maximum cost to prevent

Risk Assessment
– Risk determination:
   Risk = likelihood * value – risk percentage + uncertainty
– Example: Asset A
   Vulnerability score 50
   Number of vulnerabilities: 1
   Likelihood value 1, with no controls
   Data are 90% accurate
   Hence, Risk = 1 * 50 – 0% + 10% = 50 – 0 + (10% of 50) = 50 + 5 = 55

Risk Assessment  Example: Asset B has vulnerability score 100 Number of vulnerabilities 2 Likelihood value 0.5 for 1 st vulnerability which addresses 50% of risk Data are 80% accurate Hence, Risk = 0.5 * 100 – 50% + 20% = 50 – (50% of 50) + (20% of 50) = 50 – = 35

Risk Assessment  Example: Asset B has vulnerability score 100 Number of vulnerabilities 2 Likelihood value 0.1 for 2 nd vulnerability with no controls Data are 80% accurate Hence, Risk = 0.1 * 100 – 0% + 20% = 10 – 0 + (20% of 10) = = 12

Risk Assessment
– The generic risks to the business are:
   Loss of key assets: information, the network, skilled people
   Disruption of key processes: revenue, regulatory reporting

Risk Factors
– Assess risk based on these factors:
   Impact size
   Rate of change
   Business impact
   Complexity
   Recoverability
   Value
   Management team focus

Definitions
– Civil law addresses violations of rules that result in monetary loss or other forms of damage to individuals or organizations
– Criminal law addresses violations that are harmful to society
– Tort law addresses violations by individuals that result in personal, physical, or financial injury to an individual
– Private law regulates relationships between an individual and an organization
– Public law regulates relationships between citizens

Definitions
– Ethics is defined as socially acceptable behavior
– A code of conduct is a set of rules that an organization defines as acceptable

Laws governing Information Security
– Computer Security Act
– Communications Assistance to Law Enforcement Act
– Computer Fraud and Abuse Act
– USA PATRIOT Act

Computer Security Act
– Passed in
– Official designation PL
– The law gave NIST authority over unclassified, non-military government computer systems; the NSA originally had this power
– Main goals:
   Develop policies for federal agencies concerning computer security
   Develop procedures to identify vulnerabilities in computer security

Computer Security Act
– Provide mandatory security awareness training to all federal employees dealing with sensitive information
– Identify all computer systems that contain sensitive information

CALEA
– Passed in 1994
– Works in conjunction with FCC regulations
– Requires telephone companies to include hardware in their switches that facilitates tapping of conversations by law enforcement agencies
– Telcos are not responsible for decrypting any intercepted communication
– Telcos will be provided reasonable compensation for adding interception hardware to switches

Computer Fraud and Abuse Act
– Originally passed in 1994 and amended in 1996; the PATRIOT Act amends this act further
– CFAA’s main provisions relate to the following:
   having knowingly accessed a computer without authorization
   intentionally accessing a computer without authorization
   knowingly and with intent to defraud, accessing a protected computer without authorization
   Prison time of up to 10 years is possible for any violation
– If the damage caused is below $5,000 then only criminal penalties apply and no civil penalties apply

USA PATRIOT Act
– Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism
– Passed in October 2001
– Gives extensive powers to the federal government to suspend the notification provisions of existing laws
– Provides authorization for information searches without the knowledge of the individual
– The law expires in December 2004, unless renewed by Congress

Privacy and Ethics
– Information privacy
– Information privacy laws
   Federal Privacy Act of 1974
   Electronic Communications Privacy Act of 1986
   Communications Act of 1996
   HIPAA of 1996
   Computer Security Act of 1987
   USA PATRIOT Act of 2001
– Ethical aspects of information handling

Information Privacy
– Privacy refers to personally identifiable information about an individual or an organization
– Privacy does not mean absolute freedom from observation
– Privacy means the “state of being free from unsanctioned intrusion”
– Financial and medical institutions treat privacy as part of their compliance requirements
– Information is collected by cookies and at points of sale

Information Privacy
– Privacy is a risk management issue
– The ability to collect information from multiple sources and combine it in different ways has resulted in powerful databases that can shed more light on individuals than was previously possible

Information Privacy Laws
– Federal Privacy Act of 1974
   Requires all government agencies to protect the private information of individuals and businesses
   Certain agencies have an exemption to release aggregate data: Census Bureau, National Archives, Congress, Comptroller General, credit agencies

Information Privacy Laws
– Electronic Communications Privacy Act of 1986
   Regulates interception of wire, electronic, and oral communications
   Works in conjunction with the Fourth Amendment, providing protection against unlawful search and seizure

Information Privacy Laws
– Communications Act of 1996
   Regulates interstate and international communications
   Communications decency was part of this Act

Information Privacy Laws
– Health Insurance Portability and Accountability Act (HIPAA) of 1996
   Protects the confidentiality and security of health care data
   Electronic signatures are allowed
   Patients have a right to know who has access to their information and who accessed it

References
– NIST, Risk Assessment Guide for Information Technology Systems, SP
– Mike Godwin, “When copying isn’t theft,” win.article
– Michael Whitman, “Enemy at the Gates: Threats to Information Security,” Communications of the ACM, 2003
– Financial institutions: HTML
– Risk Assessment Process: ISACA Risk Assessment Guidelines
– Risk Assessment: ecurity/02_info_security_%20risk_asst.htm