Full file at http://testbank360.eu/solutionmanualinformationassuranceforthe enterprise1steditionschou
Chapter 2: Assessing Risks

Learning Objectives
In this chapter, students understand risk elements as they relate to information assurance. At the end of this chapter, the student should be able to explain:
  The elements of risk assessment
  The role and purpose of risk assessment in information assurance
  The fundamentals of how to perform a risk assessment
  How the audit process serves to identify and track risks
Preparing for Class
Instructors should have a good understanding of information assurance and security in general. Instructors can bring in real-world examples of risk management policies from different industries. Guest speakers from the risk management offices of large enterprises can also bring a real-world perspective to the students.
Prerequisites for Class
Ensure that the students are
  In a computer lab, if possible, for access to the Internet
  Arranged in the classroom advantageously to ensure maximum participation
  Fundamentally sound with information security basics
Class Preparation Notes
For this class the students will need
  Access to a working computer with Internet access
  A highlighter (it’s not mandatory if they can take good notes)
Key Terms
Acceptability – Risk assessment level of acceptability in dollars
Audit – It assures the integrity of the security solution
Audit Conclusion – When the audit report is reviewed with the auditee’s upper management prior to release
Audit Criteria – A set of predefined controls to be audited
Audit Documentation – Audit activities at each stage are documented
Audit Reporting – The audit manager assumes the responsibility for audit reporting
Auditee – The organization being audited
Checklist – Checklist for performing the audit against different factors
Client Organization – Organization that mandates the audit
Compliance – Meeting the standards
Confidentiality – Keeping practices and procedures between the company and client private
Contracts – Agreements between the company and customer
Control Objective – These are focused behaviors with observable outcomes
Corrective Action – Documented action against a perceived risk/threat
Cost/Benefit – Analyses the pros and cons of an action
Countermeasures – They are steps that will be taken to mitigate a given risk
Estimate of the Consequences – Harm caused by a threat
Evidence – Obtained by conducting interviews
Event Logs – Audit records are kept in event logs that are automatically maintained by the system
Follow-up – A follow-up is another audit to confirm compliance
Gaps – They are identified risks between ideal practice and the current operation
Impartiality – Objective, non-biased opinion
Internal Audit – The organization performs the audit within their own organization with their own people
Interviews – They are conducted to gather evidence
Latent Threat – A possible threat that only becomes active at a later time if one of the conditions changes
Laws and Regulations – These are the structure with which a company must be in compliance
Lead Auditor – The person who has the sole authority for the auditing process
Likelihood – The certainty of risk
Noncompliances – Areas where a plan is not fulfilling a law or regulation
Nonconformances – It is another term for noncompliances
Operational Security Analysis – It leads to the deployment of a concrete security solution
Preventive Measures – The strategy to reduce the likelihood of a risk occurrence
Process Entropy – It is the natural tendency for any organized system to degrade over time due to changing conditions
Probability of Occurrence – A percentage indicating the likelihood of occurrence
Proof of Compliance – It is the audit evidence document
Quantitative Factors – Numerically measurable risk factors
Reactive Measures – The strategy to respond effectively if a risk becomes a direct threat
Risk – It is a possibility of a threat
Risk Analysis – The process by which the risk is understood
Risk Analysis Report – It is an operational response that identifies those threats that have to be managed
Risk Assessment – It is an operational process by which risks are identified and characterized
Risk Estimation – Determines the probability and impact of threats
Risk Evaluation – It is a function that is used to decide about the nature of emerging threats
Risk Identification – Documenting the characteristics of vulnerabilities
Risk Management – It ensures effective and up-to-date alignment between identified threats and the countermeasures deployed to mitigate them
Risk Mitigation – It determines how the risk will be handled
Risk Mitigation Report – It is the mechanism for communicating information about how risk is handled
Risk Tolerance – It is the minimum level of protection that management can reasonably afford in its day-to-day operations
Risk Transfer – It specifies how any foreseen impact can be reallocated so that the loss is not permanent or catastrophic
Scope of the Assessment – It should include the entire set of organizational and technical issues
Standards – Gap analysis must be based on universal standards such as ISO 27000, NIST, GASSP or COBIT
Third Party Work – The risk management plan must include work performed by entities outside the organization
Threat – A way of exploiting a known weakness in an organization
Threat Picture – It is a comprehensive understanding of all threats
Vulnerability – A perceived weakness in an organization that can be exploited
Weakness – A part of a system that can be exploited
Lecture Outline

I. Risks – An Overview
  A. A risk is the possibility that a threat is capable of exploiting a known weakness
  B. Risk Assessment
    1. It is an operational process by which risks are identified and characterized
    2. It focuses on understanding the nature of all feasible risks
    3. It identifies and evaluates each relevant threat, determines its impact, and itemizes the safeguards that will be needed
    4. It determines the preventive measures as well as the reactive measures relevant to a threat
    5. It provides specific information on the probability of occurrence and the estimate of the consequences
    6. It maximizes operational deployment and resource use
    7. It should reflect a commonly accepted and repeatable methodology, which will produce independently verifiable concrete evidence
    8. To ensure the effectiveness and accuracy of risk assessment, the scope of the inquiry has to be defined precisely and be limited to a particular problem
    9. The Risk Assessment should be an ongoing process that considers the following factors:
      i. The existence and interrelationships among all of the organization’s information assets
      ii. The specific threats to each asset
      iii. The precise business, financial, and technological issues associated with each threat
  C. Making Threats Visible
    1. Gap Analysis
      i. Identification of gaps between ideal practice and the current operation
      ii. Gaps are assumed to represent vulnerabilities that must be addressed by the security system
      iii. Refer to Figure 2-2 (Page 29) for the Gap Analysis illustration
      iv. Gap analysis drives the decisions about the actions that must be taken to alleviate that specific area of weakness
      v. Four major universal standards are used to perform a gap analysis – the ISO 27000 series, NIST 800-18, the GASSP model and the COBIT model
    2. Risk Classification
      i. Risk Identification
        a. It identifies potentially harmful risks
        b. It documents the characteristics of every vulnerability
        c. Latent threats do not have immediate consequences and are ignored in developing the security strategy
      ii. Risk Estimation
        a. It is a data-driven process
        b. It measures and quantitatively describes each potential risk
        c. It determines the probability and impact of all threats that have been identified through risk identification
        d. It includes quantitative factors such as the assets affected, the potential duration of the threat, and the severity of the adverse impact
  D. Strategy Formulation
    1. ROI – A countermeasure should not cost more than the harm that the threat could cause
    2. Trade-Offs
      i. Cost/benefit and likelihood of occurrence have to be balanced when formulating a security response
      ii. There must be a trade-off between the frequency of occurrence and the unit cost of each occurrence
    3. Practical Decision
      i. The decision can be based on annualized loss exposure (ALE)
      ii. If the expense is greater than any possible harm, then the countermeasure is not included in the security response
      iii. ALE = Annual Cost of Deployment – (Annual Rate of Occurrence × Cost per Occurrence)
    4. Certainty Factors
      i. The degree of certainty of the estimate should be expressed as a level of confidence from 0 to 100%
      ii. Knowing the probability of events will be beneficial in the security response
    5. Risk Mitigation Report
      i. The mechanism for communicating information about risk is the risk mitigation report
      ii. It specifies the steps selected for each risk and itemizes the countermeasures that will be implemented as well as the parties in the organization who will be responsible for accomplishing each task
      iii. It sets the security process in motion
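The practical decision (D.3) and the certainty factors (D.4) as one added worked example; this is not code from the textbook or from this instructor manual. It applies the chapter's own formula, ALE = Annual Cost of Deployment – (Annual Rate of Occurrence × Cost per Occurrence), to a handful of candidate countermeasures, drops any whose expense exceeds the harm they avert, and sets aside estimates whose confidence level is too low to act on. The countermeasure names, costs, rates and confidence values are constructed figures, and the 50% confidence threshold is an assumed policy value, not one the chapter states.

```python
"""Added example, not from the textbook or this instructor manual.

Applies the chapter's practical decision rule:
    ALE = Annual Cost of Deployment - (Annual Rate of Occurrence x Cost per Occurrence)
A countermeasure whose deployment expense exceeds the harm it averts is left
out of the security response (section D.3).  The certainty of each estimate
(section D.4) is carried as a 0..100 confidence; estimates below an assumed
policy threshold are set aside for re-estimation rather than acted on.
All countermeasures, figures and thresholds below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float          # annual cost of deployment
    aro: float                  # annual rate of occurrence of the threat addressed
    cost_per_occurrence: float  # estimate of the consequences of one occurrence
    confidence_pct: float       # certainty of the estimate, 0 to 100 percent


def expected_annual_harm(cm: Countermeasure) -> float:
    """Annual Rate of Occurrence x Cost per Occurrence."""
    return cm.aro * cm.cost_per_occurrence


def ale(cm: Countermeasure) -> float:
    """Page formula: deployment expense minus the harm the measure averts.
    A negative value means the measure saves more than it costs."""
    return cm.annual_cost - expected_annual_harm(cm)


def is_reliable(cm: Countermeasure, min_confidence_pct: float) -> bool:
    """Certainty factor check (D.4): is the estimate confident enough to act on?"""
    return cm.confidence_pct >= min_confidence_pct


def build_response(candidates, min_confidence_pct: float = 50.0):
    """Return (selected, rejected, re_estimate):
    selected    - included measures, largest net benefit first
    rejected    - reliable estimates whose expense exceeds the possible harm
    re_estimate - estimates below the confidence threshold, not decided yet"""
    selected, rejected, re_estimate = [], [], []
    for cm in candidates:
        if not is_reliable(cm, min_confidence_pct):
            re_estimate.append(cm)
        elif ale(cm) <= 0:          # expense does not exceed the harm averted
            selected.append(cm)
        else:                       # D.3.ii: expense greater than any possible harm
            rejected.append(cm)
    selected.sort(key=ale)          # most negative ALE (largest net benefit) first
    return selected, rejected, re_estimate


# Constructed candidates (placeholder names and figures, not from the chapter).
CANDIDATES = [
    Countermeasure("Offline backups", 20_000, 0.5, 120_000, 80),
    Countermeasure("Biometric door locks", 90_000, 0.1, 50_000, 90),
    Countermeasure("DDoS scrubbing service", 30_000, 2.0, 40_000, 30),
    Countermeasure("Patch management", 15_000, 4.0, 10_000, 70),
]


if __name__ == "__main__":
    sel, rej, redo = build_response(CANDIDATES)
    for label, group in (("selected", sel), ("rejected", rej), ("re-estimate", redo)):
        for cm in group:
            print(f"{label:12} {cm.name:24} ALE={ale(cm):>10,.0f} "
                  f"confidence={cm.confidence_pct:.0f}%")
```

Lowering `min_confidence_pct` to 0 turns the DDoS entry from "re-estimate" into the top selection, which is the point of D.4: the same figures lead to a different response depending on how much certainty the organization demands before it spends.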
  E. Security Solution
    1. Operational Security Analysis
      i. It analyzes precisely the implications of the threat picture developed in the risk identification and estimation stage
      ii. Minimum levels of protection must be specified for the risk tolerance decision by management
      iii. It provides the information needed to assign operational priorities
      iv. It allows for risk-mitigation decisions about how to reduce the severity or effect of a known risk
      v. Risk-mitigation decisions also specify ways to recover from the risk, including risk transfer
      vi. It must contain the needs, issues, and concerns of the various organizational stakeholders
      vii. The organizational value of an asset can be obtained by the following methods:
        a. Applied Information Economics
        b. The Balanced Scorecard
        c. Economic Value Added
        d. Economic Value Sourced
        e. Portfolio Management
        f. Real Option Valuation
  F. Operational Risk Assessment
    1. It is conducted as a part of the risk management process
    2. It uses risk identification and estimation as the primary data gathering mechanism
    3. It uses the risk evaluation function to decide the nature of emerging threats
    4. It is used to fine-tune the security response over time
    5. It should provide explicit implementation advice about changes that must be made to countermeasures
    6. Planning for Operational Risk Assessment
      i. Planning involves establishing a standard schedule for the performance of each assessment as well as defined processes for problem reporting and corrective action
      ii. It must have a defined set of performance criteria
      iii. Each countermeasure must have a set of observable criteria built into its specification
    7. Implementing the Operational Risk Assessment Process
      i. Risk assessment must be flexible to meet the demands of a changing security environment
      ii. It should specify roles and responsibilities
      iii. It should ensure that a responsible party will always be in place to address any contingency
      iv. It ensures that adequate resources are available to support the assessment activities
    8. Standard Measurement
      i. It should ensure that each assessment produces consistent data
      ii. Consistency is critical for understanding the precise nature of the threats
  G. Audit
    1. It assures the integrity of the security solution against the pervasive influence of process entropy
    2. It verifies that the necessary knowledge and accountability are in place to guarantee continuous performance
    3. It confirms that the implemented security procedures are working as intended within the normal business setting
    4. Refer to Figure 2-5 (Page 38) for the audit process illustration
    5. Audits are done to determine something about the four “Cs”
    6. Aims of Audit
      i. Internal or External Audit
      ii. To identify noncompliances or nonconformances against specified audit criteria
      iii. To determine whether the auditee has achieved its stated objectives
    7. Audit Framework
      i. The audit process maintains accountability for performance
      ii. Each element is termed a control objective; control objectives are focused behaviors with observable outcomes
      iii. Audit maintains the status of all designated security procedures on an ongoing basis
      iv. Audits are always carried out based on a specific set of audit criteria, as they involve legal considerations
    8. Managing the Audit Process
      i. The audit process should be managed separately and independently of the organization being audited
      ii. The audit manager supervises, monitors and evaluates the activities of the audit team
      iii. Audit Planning
        a. There are four types of participants in an audit process
        b. Auditee – The part or parts of the organization being audited
        c. Lead Auditor – The chief auditor
        d. Auditor – The audit team
        e. Client – The organization that engaged the auditors
      iv. Performing the Audit
        a. The preparation, validation, and distribution of the audit forms and checklists is an important activity in the audit process
        b. Establishing a good checklist is a factor in successful information assurance audits
        c. Event logs that maintain records in information assurance must be identified and accounted for at the beginning of the process
        d. Electronic records must be audited using the same methodology and level of rigor that is applied to the traditional body of audit evidence
        e. Outcomes and conclusions from electronic records must be fully integrated into the body of audit findings
      v. Authenticating Audit Evidence
        a. Evidence obtained must be authenticated
        b. All objective data and conclusions must be authenticated by means of a suitable analysis
        c. Refer to Figure 2-7 (Page 45) for the Developing Audit Evidence illustration
        d. Ensuring confidentiality is important
        e. The audit should be terminated if confidentiality is breached
        f. The audit must be impartial, which is ensured by making sure that all findings are supported by unambiguous evidence
      vi. Preparing the Audit Report
        a. Auditors report preliminary conclusions, including problems encountered
        b. The final report contains observations, major and minor findings, and the timing of follow-up activities
      vii. Importance of Validation
        a. Members of the organization must assist in validating the findings
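The gap analysis of C.1 and the checklist, event-log and evidence-authentication points of G.8, as one added worked example; this is not code from the textbook or from this instructor manual. Each audit criterion is a control objective with an observable outcome, evidence from interviews, documents and event logs is compared against it, and only authenticated evidence is allowed to support a finding, so an interview that was never validated by other means shows up as an unverified item rather than as compliance. The control objectives, their identifiers (CTL-01 and so on), the evidence records and the major/minor severities are constructed placeholders and are not the controls of ISO 27000, NIST 800-18, GASSP or COBIT.

```python
"""Added example, not from the textbook or this instructor manual.

A checklist-driven gap analysis: each audit criterion is a control objective
with an observable outcome (G.7); evidence gathered from interviews, documents
and event logs is compared against it; only authenticated evidence supports a
finding (G.8, Authenticating Audit Evidence).  Every gap becomes a documented
finding for the risk identification stage (C.2).  All identifiers, controls and
evidence records are constructed placeholders, not a real standard."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ControlObjective:
    control_id: str   # constructed placeholder, not an ISO/NIST/COBIT control number
    description: str
    observable: str   # the observable outcome the checklist looks for
    severity: str     # "major" or "minor" when the objective is not met


@dataclass(frozen=True)
class Evidence:
    control_id: str
    source: str             # "interview", "document" or "event_log"
    outcome_observed: bool  # did the evidence show the observable outcome?
    authenticated: bool     # validated by other means, as G.8 requires


def evidence_by_control(evidence: List[Evidence]) -> Dict[str, List[Evidence]]:
    grouped: Dict[str, List[Evidence]] = {}
    for e in evidence:
        grouped.setdefault(e.control_id, []).append(e)
    return grouped


def gap_analysis(criteria: List[ControlObjective], evidence: List[Evidence]) -> List[dict]:
    """Return one finding per control objective that is not demonstrably met.

    status values:
      "no_evidence"    - nothing on the checklist supports the control
      "unverified"     - only unauthenticated evidence (for example an interview
                         not validated by other means); cannot support a conclusion
      "nonconformance" - authenticated evidence shows the outcome is absent
    A control counts as met only if authenticated evidence observed the outcome."""
    grouped = evidence_by_control(evidence)
    findings = []
    for c in criteria:
        items = grouped.get(c.control_id, [])
        if any(e.outcome_observed and e.authenticated for e in items):
            continue  # control objective met on unambiguous evidence
        if not items:
            status = "no_evidence"
        elif not any(e.authenticated for e in items):
            status = "unverified"
        else:
            status = "nonconformance"
        findings.append({
            "control_id": c.control_id,
            "status": status,
            "severity": c.severity,
            "expected": c.observable,
            "sources": sorted({e.source for e in items}),
        })
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Count findings by severity, the major/minor split the audit report itemizes."""
    counts = {"major": 0, "minor": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


# Constructed audit criteria (placeholder control IDs).
CRITERIA = [
    ControlObjective("CTL-01", "Project data access is role based", "access review report on file", "major"),
    ControlObjective("CTL-02", "Security events are logged", "event log retained for the audit period", "major"),
    ControlObjective("CTL-03", "Staff receive security briefings", "signed attendance sheet", "minor"),
    ControlObjective("CTL-04", "Third-party deliverables are security reviewed", "review record per deliverable", "major"),
    ControlObjective("CTL-05", "Corrective actions are tracked to closure", "corrective action log", "minor"),
]

# Constructed evidence gathered during the audit.
EVIDENCE = [
    Evidence("CTL-01", "document", True, True),
    Evidence("CTL-02", "event_log", True, True),
    Evidence("CTL-03", "interview", True, False),   # interview only, never validated
    Evidence("CTL-04", "interview", False, True),   # validated: reviews are not happening
]


if __name__ == "__main__":
    findings = gap_analysis(CRITERIA, EVIDENCE)
    for f in findings:
        print(f"{f['control_id']} {f['severity']:5} {f['status']:14} expected: {f['expected']}")
    print(summarize(findings))
```

Authenticating the CTL-03 interview (for example by obtaining the attendance sheet itself) closes that gap, while CTL-04 stays a major nonconformance because the validated evidence shows the outcome is absent; that distinction between "we could not verify" and "we verified it is not done" is what the audit report has to carry to management.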
II. Certification and Accreditation (C&A)
  A. It is a federal government audit process
  B. It uses a product-oriented approach
  C. It generates a document that management can use to identify and accept the residual risk in any system
  D. It is a comprehensive evaluation of the technical and non-technical security features of the entity being tested
  E. Certification of a system is the outcome of an information assurance analysis in the following areas:
    1. Physical
    2. Personnel
    3. Administrative
    4. Information
    5. Information Systems
    6. Communications
  F. Accreditation establishes the risk tolerance levels of the system and allows the system administrator to prescribe the appropriate set of access controls
  G. DITSCAP
    1. It is the Federal Government’s DoD Information Technology Security Certification and Accreditation Process (DITSCAP)
    2. It ensures that prospective customers know what all of the risks associated with a given system are
    3. The following are the phases of a DITSCAP evaluation:
      i. Definition – Key players agree on the intended system’s mission, attendant security requirements, the scope of the C&A boundary, the audit schedule, the level of effort, and the resource commitment
      ii. Verification – Certifiers determine the system’s compliance with the System Security Authorization Agreement (SSAA) requirements
      iii. Validation – It validates compliance with the SSAA requirements
      iv. Post Accreditation – Review of configuration and security management
Teaching Tip
This chapter is about assessing risks. You may want to ask students about life cycle risks and how they are protecting themselves and their families. For example, why do you take out life insurance? Ask students to itemize the risks involved in their daily commute to the college. Which one has a higher probability and which one does not? Why?
If you have access to the college/university risk management office, then tell students to analyze the current policies of information risk.
Discussion Point
The essay questions at the end of the chapter are a good starting point for bringing discussion questions into the classroom. Ask students how information assets are secured in their own industry (depending on where they work).
Key Terms Quiz
Use the terms from the Key Terms list to complete the sentences that follow. Don’t use the same term more than once. Not all terms will be used.
1. _____ provides probabilities that a risk will occur as well as the cost/benefit impacts if it does.
2. The least quantitative type of risk assessment is called a risk _____.
3. Decisions about the deployment of the security response are based on _____.
4. One mechanism for assessing whether to deploy countermeasures is the Balanced _____.
5. The only way to ensure accountability is through _____ of risk performance.
6. Measurement requires established _____.
7. The process that ensures that control objectives are being met is called _____.
8. There are essentially two types of risk assessments: _____ and _____.
9. The document that ensures that nonconformities are brought to management’s attention is called a _____.
10. Audit conclusions are only based on _____.
Answers
1. Risk Analysis provides probabilities that a risk will occur as well as the cost/benefit impacts if it does.
2. The least quantitative type of risk assessment is called a risk identification.
3. Decisions about the deployment of the security response are based on countermeasures.
4. One mechanism for assessing whether to deploy countermeasures is the Balanced Scorecard.
5. The only way to ensure accountability is through audit of risk performance.
6. Measurement requires established standards.
7. The process that ensures that control objectives are being met is called gaps.
8. There are essentially two types of risk assessments: identification and estimation.
9. The document that ensures that nonconformities are brought to management’s attention is called a risk mitigation report.
10. Audit conclusions are only based on impartiality.
Multiple Choice Quiz
1. A control framework ensures that:
   A. defects are prevented
   B. vulnerabilities don’t happen
   C. procedures are followed
   D. no risk is ignored
2. Confidentiality is important in all types of assessments because:
   A. it ensures cooperation
   B. it prevents leaks
   C. it identifies threats
   D. it reduces cost
3. Continuous risk management is underwritten by:
   A. plans
   B. project management
   C. risk assessment
   D. procedures
4. Most risk assessments are conducted against:
   A. reference models of best practice
   B. gaps
   C. specified criteria
   D. the technology
5. Besides the effectiveness of security controls, audit can assure:
   A. security technologies
   B. security processes
   C. safety
   D. security work
6. A gap analysis looks at:
   A. the best practices
   B. the difference between current and ideal practice
   C. the presence of nonconformities
   D. the audit evidence
7. A likelihood estimate is important because:
   A. people like estimates
   B. knowledge of probability of occurrence supports decision making
   C. investment in security is easy to make
   D. likelihood drives cost
8. A risk estimation is different from an operational security analysis in that:
   A. risk estimations are quantitative and security analyses are not
   B. risk estimations deal with probability
   C. the aim of the security analysis is to determine whether the strategy is correct
   D. the aim of the security analysis is to determine ROI
9. Scope is essential to risk assessment because:
   A. it defines the range of things that will be examined
   B. it sets the security perimeter
   C. it establishes the types of analyses that will be needed
   D. it is a component of the risk mitigation strategy
10. Risk assessments are:
   A. basic countermeasures
   B. unnecessary because threats are always evolving
   C. features that are found in the security of operations function
   D. an essential precondition to planning the response
Answers
1. C
2. B
3. C
4. A
5. B
6. B
7. B
8. A
9. A
10. D
Essay Quiz
1. It is important to validate audit interviews by other means. Why is that the case and what can happen if this is not done?
2. Risk assessments always embody some form of probability estimate. Why is that necessary and what does it prevent?
3. What is the role of Annualized Exposure Loss in security system formulation? What may happen if the ALE is ignored?
4. Forms and checklists are important in all types of assessments. Why is that the case and what do they essentially provide for the process?
5. Security audits are different from risk assessments in that they are regular and ongoing. What is the primary benefit of a continuous process?
6. Gap analyses are most easily accomplished if they are based on standards. Explain why.
7. Certification is a very useful aspect of the risk process. Explain how certification can assure against risks.
8. One of the most important aspects of the practical security process is the risk mitigation report. Explain what purpose it serves and why it is a key element of security.
9. How does risk assessment relate to the information identification process?
10. What is the role of risk identification in the overall process? Why is risk identification a necessary step?
Answers 1. It is important to validate audit interviews by other means. Why is that the case and what can happen if this is not done? Evidence obtained through interviews during the audit process must be authenticated to ensure consistent interpretation. The audit process must be confidential and impartial to validate all the findings. If confidentiality is breached then the audit must be terminated as the findings will not be impartial.
2. Risk assessments always embody some form of probability estimate. Why is that necessary and what does it prevent? Risk assessment identifies the potential threat against the organization. Probability estimation allows the organization to assess the level of acceptability of the risk in dollars and cents. Organizations can determine the Return on Investment (ROI) for a possible threat.
3. What is the role of Annualized Exposure Loss in security system formulation? What may happen if the ALE is ignored?
Annualized Loss Exposure (ALE) allows the organization to estimate the expense of maintaining a countermeasure over one year. If the expense is greater than any possible harm, then there is no ROI to the organization. Thus, if organizations ignore ALE, then they will not be able to have a cost/benefit analysis.
4. Forms and checklists are important in all types of assessments. Why is that the case and what do they essentially provide for the process? Checklists allow an organization to determine if they are in compliance with all the standards and audited criteria. Thus, they are essential in the auditing process.
5. Security audits are different from risk assessments in that they are regular and ongoing. What is the primary benefit of a continuous process? A continuous security audit process will determine any latent threats that might be possible due to the changing conditions.
6. Gap analyses are most easily accomplished if they are based on standards. Explain why. Standards determine the ideal practice, thus identification of gaps between ideal practice and the current operation determines risks for an organization. Measuring the organization’s operation against standards will assist in identifying potential risk.
7. Certification is a very useful aspect of the risk process. Explain how certification can assure against risks.
Certification assures compliance against standards and auditing criteria. Thus, certification of an organization that meets the standards proves that organization to be at a lesser risk.
8. One of the most important aspects of the practical security process is the risk mitigation report. Explain what purpose it serves and why it is a key element of security. Risk Mitigation Report is the mechanism to communicate information about risk. This document specifies the steps selected for each risk and itemizes the countermeasures that will be implemented as well as the parties in the organization who will be responsible for accomplishing each task. Thus, it is a very important element of the security process.
9. How does risk assessment relate to the information identification process? The identification process determines the precise area of threat as well as identifies the information assets affected during the risk assessment. Since identification documents the characteristics of every vulnerability, it is an important risk assessment tool.
10. What is the role of risk identification in the overall process? Why is risk identification a necessary step? Risk identification is the simplest form of risk classification. It identifies potential harmful risks. It documents the characteristics of every vulnerability including itemizing a list of all the threats that would be able to exploit it. It is a necessary step as it identifies every risk item through extensive interviews and detailed technical analysis.
Case Exercise
Complete the following case exercise as directed by your instructor:
Heavy Metal Technologies (HMT) is a defense contractor headquartered in Huntsville, Alabama. HMT was recently contracted by the Army to upgrade the fire control system for the MH-64D Apache Longbow attack helicopter. Because the contracted enhancement is so important to the continuing success of the main ground attack helicopter program, and thus because of its importance to national defense, the Army wants a total commitment from HMT that the integrity, confidentiality, and availability of project information will be assured. Therefore the Army would like HMT to address the following five organizational control concerns. Please provide a written solution for each of these.
  The Army requires a procedure to assure that all security concerns will be identified and addressed.
  The Army requires a procedure to assure that performance of the security process will be continuous.
  The Army requires a procedure to assure that the control processes will be cost efficient.
  The Army requires a procedure to assure that the company will be able to satisfy its contractual and legal obligations.
  The Army requires a procedure to assure that all third-party work will meet security criteria.