Legal, Ethical, and Professional Issues in Information Security

Risk Management
(Risk Identification)
Principles of Information Security
Chapter 4 Part 1
Class discussion: is this true? Provide
examples and counterexamples.
References
1. NIST SP 800-30, Risk Management Guide for Information Technology Systems
◦ http://csrc.nist.gov/publications/nistpubs/800-30/sp80030.pdf
2. SANS, Overview of Threat and Risk Assessment
◦ http://www.sans.org/rr/whitepapers/auditing/76.php
3. SANS, Introduction to Information Risk Assessment
◦ http://www.sans.org/rr/whitepapers/auditing/1204.php
Chapter Objectives (Part 1)
Upon completion of this chapter, you should be
able to:

Define risk management, risk identification, and risk
control

Understand how risk is identified and assessed

Assess risk based on probability of occurrence and
impact on an organization

Grasp the fundamental aspects of documenting risk
through the creation of a risk assessment
Principles of Information Security,
3rd Edition
3
Introduction

Risk Management
◦ The process of identifying and controlling risks facing
an organization

Risk Identification
◦ The process of examining an organization’s current
information technology security situation

Risk Control (next week)
◦ Applying controls to reduce risks to an
organization’s data and information systems
An Overview of Risk Management
Sun Tzu - Chinese General, The Art of War

Know yourself
◦ Identify, examine, and understand the information and
systems currently in place.

Know the enemy
◦ Identify, examine, and understand threats facing the
organization

Responsibility of each community of interest
within an organization:
◦ To manage risks that are encountered
Roles of the Communities of Interest

Information security, management and users,
and information technology all must work
together

Management review:
◦ Verify completeness/accuracy of asset inventory
◦ Review and verify threats as well as controls and
mitigation strategies
◦ Review cost effectiveness of each control
◦ Verify effectiveness of controls deployed
Risk Identification

Assets are targets of various threats and
threat agents.

Risk management involves identifying
organization’s assets and identifying
threats/vulnerabilities to/of those assets.

Risk identification begins with identifying
organization’s assets and assessing their value.
Asset Identification, Valuation, and Prioritization

Iterative process
◦ begins with identification of assets, including all
elements of an organization’s system (people,
procedures, data and information, software, hardware,
networking)

Assets are then classified and categorized
Table 4-1 - Categorizing Components
People, Procedures, and Data Asset
Identification

Human resources, documentation, and data
information assets
◦ More difficult to identify than hardware assets

People with knowledge, experience, and good
judgment should be assigned this task

These assets should be recorded using a reliable
data-handling process
People, Procedures, and Data Asset
Identification (continued)

Asset attributes for People:
◦ Position name/number/ID; Supervisor; Security clearance level;
Special skills

Asset attributes for Procedures
◦ Description; intended purpose; what elements it is tied to; storage
location for reference; storage location for update

Asset attributes for Data:
◦ Classification; owner/creator/manager; data structure size; data
structure used; online/offline; location; backup procedures
employed
Hardware, Software, and Network
Asset Identification

What information attributes to track depends on:
◦ Needs of organization/risk management efforts
◦ Management needs of information security/information
technology communities

Asset attributes to be considered are:
◦ name; IP address; MAC address; element type; serial number;
manufacturer name; model/part number; software version;
physical or logical location; controlling entity
Information Asset
Classification

Many organizations use data classification
schemes (e.g., confidential, internal, public data)

Classification of components must be specific to
allow determination of priority levels

Categories must be comprehensive and mutually
exclusive
◦ Comprehensive: every asset fits some category
◦ Mutually exclusive: no asset fits more than one category at
the same time
Information Asset
Valuation

Questions help develop criteria for asset
valuation

Which information asset:
◦ Is most critical to organization’s success?
◦ Generates the most revenue/profitability?
◦ Would be most expensive to replace or protect?
◦ Would be the most embarrassing or cause greatest
liability if revealed?
Figure 4-3 – Example Worksheet
Information Asset
Prioritization

Create weighting for each category based on
the answers to questions

Calculate relative importance of each asset
using weighted factor analysis

List the assets in order of importance using a
weighted factor analysis worksheet
Table 4-2 – Example Weighted Factor Analysis
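The weighted factor analysis described on the previous slide, as an added Python example (this is not code from the textbook or the slides). The criteria names, their percentage weights and the per-asset scores are constructed for illustration; they are not the values in Table 4-2.

```python
"""Weighted factor analysis for information-asset prioritization.

Added example, not code from the textbook. The criteria, their weights
and the per-asset scores below are constructed for illustration; they
are not the values in Table 4-2.
"""
from typing import Dict, List, Tuple

# Criteria derived from the valuation questions, each with a weight in
# percent. Weights must total 100 so a weighted score lands on 0..100.
CRITERIA_WEIGHTS: Dict[str, int] = {
    "impact_to_revenue": 30,
    "impact_to_profitability": 40,
    "impact_to_public_image": 30,
}

# Constructed sample assets, each scored 0.1 (low) .. 1.0 (high) per criterion.
SAMPLE_ASSETS: Dict[str, Dict[str, float]] = {
    "EDI supplier order (outbound)": {
        "impact_to_revenue": 0.8,
        "impact_to_profitability": 0.9,
        "impact_to_public_image": 0.6,
    },
    "Customer order via SSL (inbound)": {
        "impact_to_revenue": 0.8,
        "impact_to_profitability": 0.9,
        "impact_to_public_image": 0.5,
    },
    "Customer service request via e-mail (inbound)": {
        "impact_to_revenue": 0.4,
        "impact_to_profitability": 0.3,
        "impact_to_public_image": 0.9,
    },
    "Internal marketing bulletin": {
        "impact_to_revenue": 0.1,
        "impact_to_profitability": 0.1,
        "impact_to_public_image": 0.3,
    },
}


def validate_weights(weights: Dict[str, int]) -> None:
    """Reject a criteria set whose weights do not total 100 percent."""
    total = sum(weights.values())
    if total != 100:
        raise ValueError(f"criteria weights must total 100, got {total}")


def weighted_score(scores: Dict[str, float], weights: Dict[str, int]) -> float:
    """Return sum(weight * score) for one asset, rounded to one decimal.

    Every criterion must be scored and every score must lie in 0.1..1.0,
    so an unscored criterion cannot silently lower an asset's rank.
    """
    validate_weights(weights)
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"asset is missing scores for: {sorted(missing)}")
    for criterion in weights:
        if not 0.1 <= scores[criterion] <= 1.0:
            raise ValueError(f"score for {criterion} must be in 0.1..1.0")
    return round(sum(weights[c] * scores[c] for c in weights), 1)


def prioritize_assets(
    assets: Dict[str, Dict[str, float]], weights: Dict[str, int]
) -> List[Tuple[str, float]]:
    """Return (asset, weighted score) pairs, most important asset first."""
    ranked = [(name, weighted_score(scores, weights)) for name, scores in assets.items()]
    ranked.sort(key=lambda row: row[1], reverse=True)
    return ranked


if __name__ == "__main__":
    # Print the worksheet in priority order.
    print(f"{'Information asset':48} {'Weighted score':>14}")
    for name, score in prioritize_assets(SAMPLE_ASSETS, CRITERIA_WEIGHTS):
        print(f"{name:48} {score:>14.1f}")
```

The two validation checks are the part worth keeping: a weight set that does not total 100 or an asset with a missing criterion produces scores that look plausible but are not comparable across assets, which defeats the purpose of the ranking.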
Data Classification and Management

Variety of classification schemes used by corporate and
military organizations

Information owners are responsible for classifying their
information assets

Information classifications must be reviewed periodically
◦ At least annually

Most organizations do not need the detailed level of
classification used by military or federal agencies;
however, organizations may need to classify data to
provide protection
Personnel Security Clearances

In addition to data classification, personnel security
clearances are also used.

Security clearance structure
◦ Each data user is assigned a single level of authorization indicating
the classification level that user is authorized to view.

Before accessing a specific set of data, the employee must
also meet a need-to-know requirement.
◦ This extra level of protection ensures information
confidentiality is maintained: information is released only to
employees with a verified need to know.
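The two checks on this slide (clearance level at or above the data's classification, plus a verified need to know for the specific data set) as an added Python example; this is not code from the textbook or the slides. The level names, the "need-to-know" tags used to represent need to know for a data set, and the sample people and items are all constructed for illustration.

```python
"""Clearance-plus-need-to-know read check.

Added example, not code from the textbook. It models the two rules on
the slide: a user holds exactly one clearance level, which must be at
or above the data's classification, and must also have a verified need
to know before reading a specific data set. Level names, need-to-know
tags and the sample users and items are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Ordered classification scheme, lowest first (constructed; a corporate
# public/internal/confidential scheme works the same way).
LEVELS: Dict[str, int] = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass(frozen=True)
class DataItem:
    name: str
    classification: str
    need_to_know: FrozenSet[str]   # tags a reader must be verified for, e.g. {"payroll"}


@dataclass(frozen=True)
class Person:
    name: str
    clearance: str                 # the single authorization level assigned
    verified_need_to_know: FrozenSet[str]


def may_read(person: Person, item: DataItem) -> Tuple[bool, str]:
    """Return (allowed, reason). Both checks must pass; clearance alone is never enough."""
    for level in (person.clearance, item.classification):
        if level not in LEVELS:
            raise ValueError(f"unknown classification level: {level!r}")
    # Check 1: the single clearance level must dominate the classification.
    if LEVELS[person.clearance] < LEVELS[item.classification]:
        return False, f"clearance {person.clearance!r} is below {item.classification!r}"
    # Check 2: every need-to-know tag on the item must be verified for the person.
    missing = item.need_to_know - person.verified_need_to_know
    if missing:
        return False, "no verified need-to-know for: " + ", ".join(sorted(missing))
    return True, "clearance covers classification and need-to-know is verified"


# Constructed sample data.
MERGER_MEMO = DataItem("merger memo", "confidential", frozenset({"merger"}))
PAYROLL_FILE = DataItem("payroll file", "confidential", frozenset({"payroll"}))
HOLIDAY_NOTICE = DataItem("holiday notice", "public", frozenset())

ALICE = Person("alice", "secret", frozenset({"payroll"}))   # high clearance, payroll only
BOB = Person("bob", "internal", frozenset({"merger"}))      # on the merger team, low clearance

if __name__ == "__main__":
    for person in (ALICE, BOB):
        for item in (MERGER_MEMO, PAYROLL_FILE, HOLIDAY_NOTICE):
            allowed, reason = may_read(person, item)
            print(f"{person.name:6} {item.name:15} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The case to notice is alice and the merger memo: her clearance is higher than the memo's classification, yet she is denied because need to know is checked separately. Bob is denied the same memo for the opposite reason, and either failure is reported on its own so an access review can tell which rule fired.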
Management of Classified Data

Includes storage, distribution, portability, and
destruction of classified data.

Information that is not unclassified or public must
be clearly marked with its classification.

Clean desk policy requires all information be
stored in appropriate storage container daily
◦ Unneeded copies of classified information are
destroyed.

Dumpster diving can compromise information
security.
Threat Identification

Realistic threats need investigation; unimportant
threats are set aside.

Threat assessment:
◦ Which threats present danger to assets?
◦ Which threats represent the most danger to
information?
◦ How much would it cost to recover from attack?
◦ Which threat requires greatest expenditure to
prevent?
Vulnerability Identification

Specific avenues threat agents can exploit to attack
an information asset are called vulnerabilities.

Examine how each threat could be perpetrated and
list organization’s assets and vulnerabilities.

Process works best when people with diverse
backgrounds within organization work iteratively in
a series of brainstorming sessions.

At the end of the risk identification process, a list of
assets and their vulnerabilities has been produced.
(This list is the deliverable of the risk identification process.)
Risk Assessment

Risk assessment evaluates the relative risk
for each vulnerability.

Assigns a risk rating or score to each
information asset.
Likelihood

The probability that a specific vulnerability will be the
object of a successful attack.

Assign a numeric value between 0.1 (low) and 1.0 (high),
or a number between 1 and 100; the scale chosen is the rating model.

Zero is not used since vulnerabilities with zero likelihood
removed from asset/vulnerability list.

Use the selected rating model consistently.

Use external references for values that have been
reviewed/adjusted for your circumstances.
◦ Insurance charts, other references assigning ratings.
Risk Determination

For the purpose of relative risk assessment, risk equals:
[ Asset value TIMES Likelihood of occurrence ]
TIMES
[ 100% MINUS %risk already controlled PLUS %uncertainty ]
◦ %uncertainty is 100% minus the estimated accuracy of the
likelihood/control figures (e.g., an estimate that is 90%
accurate carries 10% uncertainty).
Example

Asset A
◦ value = 50
◦ Vulnerability 1
 Likelihood = 1.0
 No current controls
◦ Estimate 90% accurate (uncertainty = 10%)

Asset B
◦ value = 100
◦ Vulnerability 2
 Likelihood = 0.5
 Current control = 50%
◦ Vulnerability 3
 Likelihood = 0.1
 No current controls
◦ Estimate 80% accurate (uncertainty = 20%)

Calculations:

Asset A - Vulnerability 1
Risk = (50 * 1.0) * (100% - 0% + 10%)
     = 50 * 110% = 55 Relative Risk Rating

Asset B - Vulnerability 2
Risk = (100 * 0.5) * (100% - 50% + 20%)
     = 50 * 70% = 35 Relative Risk Rating

Asset B - Vulnerability 3
Risk = (100 * 0.1) * (100% - 0% + 20%)
     = 10 * 120% = 12 Relative Risk Rating
Identify Possible Controls
For each threat and its associated vulnerabilities that
have residual risk, create a preliminary list of control
ideas.

Residual risk
◦ The risk that remains to an information asset even after
the existing control has been applied.

3 general categories of controls
◦ policies - documents that specify the approach to security
◦ programs - activities performed to improve security
◦ technologies - technical implementations of policies
Access Controls

Specifically address admission of a user into a
trusted area of organization.

Access controls can be:
◦ Mandatory access controls (MAC): give users and data
owners limited control over access to information.
◦ Nondiscretionary controls: managed by a central authority
in the organization; can be role-based or task-based.
◦ Discretionary access controls (DAC): implemented at the
discretion or option of the data user.
Documenting the Results of Risk Assessment

Final summary given in a ranked vulnerability risk
worksheet.

Worksheet details
◦ asset, asset impact, vulnerability, vulnerability
likelihood, and risk-rating factor

Ranked vulnerability risk worksheet is initial working
document for next step in risk management process:
assessing and controlling risk.
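The risk formula from the Risk Determination slide and the ranked vulnerability risk worksheet from this slide, together in one added Python example (this is not code from the textbook or the slides). It reproduces the three relative risk ratings worked on the Example slide (55, 35 and 12) and then sorts them into the worksheet. The asset and vulnerability names are the slides' own placeholders; the dataclass and function names are this example's.

```python
"""Relative risk rating and the ranked vulnerability risk worksheet.

Added example, not code from the textbook. It implements the risk
formula from the Risk Determination slide and reproduces the three
worked values from the Example slide (55, 35, 12). The asset and
vulnerability names are the slides' own placeholders.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class VulnerabilityEntry:
    asset: str
    asset_value: float      # relative asset value/impact, e.g. from weighted factor analysis
    vulnerability: str
    likelihood: float       # 0.1 (low) .. 1.0 (high); zero-likelihood items are dropped, not rated
    controlled_pct: float   # percent of the risk already mitigated by existing controls
    accuracy_pct: float     # how accurate the estimate is believed to be, in percent


def relative_risk(entry: VulnerabilityEntry) -> float:
    """risk = (value * likelihood) * (100% - %controlled + %uncertainty).

    Uncertainty is 100% minus the estimate's accuracy, as in the slide's
    example (90% accurate -> 10% uncertainty). The result is rounded to
    two decimals so binary floating point does not leak into the ranking.
    """
    if not 0.1 <= entry.likelihood <= 1.0:
        raise ValueError("likelihood must be in 0.1..1.0 (use the rating model consistently)")
    if not 0 <= entry.controlled_pct <= 100 or not 0 <= entry.accuracy_pct <= 100:
        raise ValueError("percentages must be in 0..100")
    uncertainty_pct = 100 - entry.accuracy_pct
    residual_factor = (100 - entry.controlled_pct + uncertainty_pct) / 100
    return round(entry.asset_value * entry.likelihood * residual_factor, 2)


def ranked_worksheet(entries: List[VulnerabilityEntry]) -> List[dict]:
    """Build the ranked vulnerability risk worksheet, highest risk rating first.

    Columns follow the slide: asset, asset impact, vulnerability,
    vulnerability likelihood, risk-rating factor.
    """
    rows = [
        {
            "asset": e.asset,
            "asset_impact": e.asset_value,
            "vulnerability": e.vulnerability,
            "likelihood": e.likelihood,
            "risk_rating": relative_risk(e),
        }
        for e in entries
    ]
    rows.sort(key=lambda row: row["risk_rating"], reverse=True)
    return rows


# The slide's example: Asset A (value 50, estimates 90% accurate) and
# Asset B (value 100, estimates 80% accurate).
SLIDE_EXAMPLE: List[VulnerabilityEntry] = [
    VulnerabilityEntry("Asset A", 50, "Vulnerability 1", 1.0, 0, 90),
    VulnerabilityEntry("Asset B", 100, "Vulnerability 2", 0.5, 50, 80),
    VulnerabilityEntry("Asset B", 100, "Vulnerability 3", 0.1, 0, 80),
]

if __name__ == "__main__":
    print(f"{'Asset':8} {'Impact':>6} {'Vulnerability':16} {'Likelihood':>10} {'Risk rating':>11}")
    for row in ranked_worksheet(SLIDE_EXAMPLE):
        print(f"{row['asset']:8} {row['asset_impact']:>6} {row['vulnerability']:16} "
              f"{row['likelihood']:>10} {row['risk_rating']:>11}")
```

Two properties of the formula are visible once it is in code: the residual factor can exceed 100% (Vulnerability 1 rates at 110% of its base value), and a vulnerability that is 100% controlled still keeps its uncertainty percentage of base risk. Both are intended; the ratings are relative numbers for ordering the worksheet, not loss estimates, which is why the slides insist on applying one rating model consistently.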