How to get best value out of risk assessment?
Raini Mihkelson, CISSP, Head of Information Security at Danske Bank Estonia
Friday 6 September, Security & Audit 2013, Copenhagen

Slide 2: My background
I studied Informatics at Tallinn University of Technology and hold a Bachelor's degree in Computer Science (BSc). I am also a Certified Information Systems Security Professional (CISSP). I have been working in the information security field for over 8 years. I started as a security analyst and now work as Head of the Information Security department at Danske Bank Estonia.

Slide 3: Agenda
1. Risk assessment in general
2. How we have managed assessment
3. What is our experience and what are the challenges

Slide 4: Risk assessment – what it is and how to use it?
(Picture; source: Internet)

Slide 5: General objective of risk assessment
ISF, The Standard of Good Practice for Information Security (June 2013): "To enable individuals who are responsible for target environments to identify key information risks and determine the controls required to keep those risks within acceptable limits"
Think of the outcome – what do you want to achieve?
1. Create a common understanding of risks (threats, weaknesses, impacts) with levels
2. Prioritize (and group) possible mitigation actions and controls
3. Gain management support for implementing controls

Slide 6: Different levels of risk assessments
The levels differ in their level of detail:
- Operational risks (annually)
- IT and info security risks (twice a year)
- Project or every-day operations based risks (weekly/monthly)

Slide 7: Building blocks of risk management
Assets & services -> Security Classification & Business Importance -> Risk Assessment -> Risk Treatment
Risk assessment is one part of the risk management process: it requires input from the previous phase and gives output to the next phase.

Slide 8: We started with defining our assets (building block: Assets & services)
Information asset – an important piece of an information system, data or applications.
The information system was divided into information assets. Main focus on data used in business processes.
Result:
1. Information asset owner = data owner
2. Information asset security classification – asset (data) values assessed by the business owner and info security (continued at slide 12)
3. Information asset register managed by Info security

Slide 9: Information asset register
(Screenshot of the register: asset owners and information assets)

Slide 10: Define your IT services (building block: Assets & services)
IT services – "An IT Service is made up from a combination of people, processes and technology and should be defined in a Service Level Agreement" (ITILv3)*
IT operations started mapping important IT services based on the ITIL framework. Main focus on IT services needed for business processes. SLAs with the business side.
Result:
1. Identified business area/process owner – a "visible" client for IT
2. IT services have owners – IT service managers
3. IT service register managed by IT operations
* http://www.knowledgetransfer.net/dictionary/ITIL/en/IT_Service.htm

Slide 11: Business areas with IT Services
(Diagram)

Slide 12: Assess asset values – security classification (building block: Security Classification & Business Importance)
Information assets were assessed based on the ISKE methodology (ISKE is based on the German BSI standard IT-Grundschutz).
Security classification was assessed by the asset owner (business) and info security.
Data:
K – Availability, 4 levels (0-3)
T – Integrity, 4 levels (0-3)
S – Confidentiality, 4 levels (0-3)
R – data latency impact, 4 levels (0-3)

Slide 13: Information asset register – security classification
(Screenshot of the register with security classification)

Slide 14: Assess business service – IT service business importance (BI) (building block: Security Classification & Business Importance)
Business Importance of an IT service is assessed by the business process owner and the IT operation manager.
Business process importance (BI) – assessed by the process owner on a scale from 1 to 10
IT service impact to business process – assessed by the IT process owner:
1 – there is a 1:1 mapping: if the IT service fails, the business process fails completely
0.5 – the business process depends on the IT service, but it can be replaced with other activities in a short time period (1 day)
0.1 – the business process depends on the IT service, but it can be replaced with other activities in a long time period (1 week)
IT service BI = sum ( business process importance (BI) value x IT service impact to business process )

Slide 15: IT service business importance (BI)
(Diagram: business areas & processes with their importance (BI), mapped to IT services)

Slide 16: Layers and relations
(Diagram) Layers from top to bottom:
- Business: business processes (Business Importance, BI)
- Data security: information assets
- IT: IT services and IT infrastructure services
- Infra: core infra (power, HVAC, facilities, etc)

Slide 17: IT and info security risk assessment (building block: Risk Assessment)
Template from the Information Security Forum (ISF) Information Risk Analysis Methodology (IRAM).
IT and info security risk assessment team:
- Information security
- IT systems
- IT operations
- IT management
Frequency: twice a year

Slide 18: Risk assessment – ratings (building block: Risk Assessment)
Risk rating table
Likelihood rating (expected or actual frequency experienced):
1 Rare – once in 10+ years
2 Unlikely – once in 10 years
3 Possible – once in 5 years
4 Likely – once in 3 years
5 Almost certain – once in a year
Business impact rating (impact examples – IT service or asset security):
1 Very Low – IT services or asset security (level 0-1) affected
2 Low – 1 critical IT service or asset security (level 1-2) affected
3 Medium – 3-5 critical IT services or asset security (level 1-2) affected
4 High – over 5 critical IT services or asset security (level 2-3) affected
5 Very High – over 10 critical IT services or assets security (level 3) affected
Risk rating matrix (rows: business impact rating 5 to 1; columns: likelihood rating 1 to 5; L = Low, M = Medium, H = High):
5 | M M H H H -> corrected below
5 | M H H H H
4 | M M H H H
3 | L L M H H
2 | L L L M M
1 | L L L L M
    1 2 3 4 5
1-5 ratings with custom defined likelihood and impact descriptions. More ratings and likelihood / impact definitions can be chosen considering the level of assessment.

Slide 19: Risk assessment – set up (building block: Risk Assessment)
Every participant brings his/her own addition to the existing template, listing possible threats or weaknesses to an asset or service.
Things considered during assessment:
- Occurred incidents
- New threat trends
- Information asset security classification
- IT service BI
Impact/likelihood – think of impact/likelihood without security controls, and with existing controls assess the residual (remaining) risk.
Impact to an IT infrastructure service = impact to all IT services / business processes

Slide 20: Risk assessment – examples (building block: Risk Assessment)
External threat examples:
- Successful phishing (social engineering) against employees: employees react to phishing – links and attachments are being opened
- Employees' mobile solutions successfully attacked: employee mobile device (BYOD) infected with malware – a device used for remote connection is infected with malware
- Successful e-service (application level and/or business logic) hacking: Internet bank or livegate or mobile bank is successfully modified, or other methods are used to steal data or manipulate (client) sessions from the server side. Known or unknown vulnerabilities exist in e-services.
Vulnerability examples:
- Unauthorized software in LIVE: new software (functionality) is being deployed without authorization – changes are not discovered
- Confidential information disclosure via partner: confidential or personal information is leaked (bank business (outsourcing) partner or other methods)

Slide 21: Risk assessment – table with risk scores
(Screenshot)

Slide 22: Risk treatment – assigned risk owner (building block: Risk Treatment)
1. Every risk has an owner
2. The risk owner's role is to analyze different risk mitigation methods – the risk owner has to plan preliminary analysis work for finding the best methods or alternatives
3. The risk owner's role is to propose risk mitigation methods
Example table (risk names redacted), columns: Risk name | Category | Rating | Risk owner | Mitigation methods | Action plan
#### | External Threat | 15 | InfoSec (Raini) | #### | ####
#### | Vulnerability | 15 | IT Operations (Guido) | #### | ####
#### | User errors and mistakes | 12 | BusDevel (Reet) | #### | ####

Slide 23: Risk treatment – management decisions (building block: Risk Treatment)
Risk assessment results with possible mitigation methods will be presented to management.
(Diagram: risk levels High / Medium / Low against the treatment options Accept, Avoid, Transfer, Mitigate)

Slide 24: Risk treatment – final result (building block: Risk Treatment)
Approved mitigation methods and security controls will be applied through:
1. IT roadmap
2. Info security roadmap
Depending on the risk type also:
1. Business Development plans
2. HR (training) plans
The key success element is the budgeting process, where risk treatment competes with other development plans.

Slide 25: Risk assessment challenges

Slide 26: How to measure an apple? With a stopwatch?
Risk assessment is like measuring an apple:
1. First determine what you need the measuring for
2. And then choose the correct measuring tools
But do not go to extremes – prioritizing risks has more value than the risk ratings themselves.
Pictures source: Internet

Slide 27: Owners – processes are managed by people
Owners are needed for:
1. Assets
2. Services
3. Risks
4. Mitigation
Owner roles include:
- Address possible issues
- Follow up on progress
Owners are the key element of successful risk management!

Slide 28: How to choose the best mitigation methods?
Challenge nr 1: if there are different solution plans for risk mitigation – which one is the shortest and the cheapest one? The risk owner should involve the necessary resources for assessing possible mitigation solutions.
Challenge nr 2: assessment is an easy task compared to the mitigation work ahead. Mitigation might take years. Use project slicing. You should have some results between risk assessment cycles.
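The two calculations the deck defines, the IT service BI formula (slide 14) and the 5x5 likelihood/impact rating (slide 18) with the numeric scores of the risk table (slide 22), carried through in Python as an added worked example. This is not code from the presentation or from Danske Bank. The process, service and risk names are constructed sample data, and treating the numeric score as impact x likelihood is an assumption: the deck shows scores such as 15 and 12 but does not state the formula.

```python
"""Worked example of the deck's two calculations (slides 14 and 18):

  IT service BI = sum(business process BI x IT service impact factor)
  risk rating   = lookup of (business impact, likelihood) in the 5x5 matrix

Added example, not code from the original presentation or from Danske Bank.
All process, service and risk names below are constructed sample data.
"""
from dataclasses import dataclass

# Impact of an IT service on a business process (slide 14).
IMPACT_FULL = 1.0    # 1:1 mapping: if the service fails, the process fails completely
IMPACT_SHORT = 0.5   # process can be replaced by other activities within ~1 day
IMPACT_LONG = 0.1    # process can be replaced by other activities within ~1 week
IMPACT_FACTORS = (IMPACT_FULL, IMPACT_SHORT, IMPACT_LONG)


def it_service_bi(process_bi: dict[str, int], impacts: dict[str, float]) -> float:
    """IT service BI = sum(process BI x impact factor) over the processes it serves.

    process_bi maps business process -> importance on the 1..10 scale (slide 14);
    impacts maps business process -> impact factor of this service on that process.
    """
    total = 0.0
    for process, factor in impacts.items():
        if factor not in IMPACT_FACTORS:
            raise ValueError(f"{process}: impact factor must be one of {IMPACT_FACTORS}")
        bi = process_bi[process]
        if not 1 <= bi <= 10:
            raise ValueError(f"{process}: process BI {bi} is outside the 1..10 scale")
        total += bi * factor
    return total


# Likelihood ratings with their frequency definitions (slide 18).
LIKELIHOOD = {
    1: ("Rare", "once in 10+ years"),
    2: ("Unlikely", "once in 10 years"),
    3: ("Possible", "once in 5 years"),
    4: ("Likely", "once in 3 years"),
    5: ("Almost certain", "once in a year"),
}
BUSINESS_IMPACT = {1: "Very Low", 2: "Low", 3: "Medium", 4: "High", 5: "Very High"}

# Risk rating table (slide 18): rows are business impact 5..1, columns likelihood 1..5.
RISK_MATRIX = {
    5: "MHHHH",
    4: "MMHHH",
    3: "LLMHH",
    2: "LLLMM",
    1: "LLLLM",
}
BAND_NAMES = {"L": "Low", "M": "Medium", "H": "High"}


def risk_band(impact: int, likelihood: int) -> str:
    """Qualitative rating (Low / Medium / High) read from the 5x5 matrix."""
    if impact not in BUSINESS_IMPACT or likelihood not in LIKELIHOOD:
        raise ValueError("impact and likelihood must both be on the 1..5 scale")
    return BAND_NAMES[RISK_MATRIX[impact][likelihood - 1]]


def risk_score(impact: int, likelihood: int) -> int:
    """Numeric score used for ordering. Assumption: impact x likelihood; the deck
    shows scores such as 15 and 12 (slide 22) but does not spell out the formula."""
    risk_band(impact, likelihood)  # validates both values against the 1..5 scale
    return impact * likelihood


@dataclass
class Risk:
    name: str
    category: str              # External Threat / Vulnerability / User errors (slide 22)
    inherent: tuple[int, int]  # (impact, likelihood) without security controls (slide 19)
    residual: tuple[int, int]  # (impact, likelihood) with existing controls (slide 19)


def prioritise(risks: list[Risk]) -> list[tuple[str, int, str]]:
    """Order risks by residual score, highest first, as (name, score, band) rows."""
    rows = [(r.name, risk_score(*r.residual), risk_band(*r.residual)) for r in risks]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# --- constructed sample data (not from the deck) -----------------------------
PROCESS_BI = {"payments": 10, "lending": 7, "regulatory reporting": 3}

SERVICE_IMPACTS = {
    "core banking": {"payments": IMPACT_FULL, "lending": IMPACT_FULL,
                     "regulatory reporting": IMPACT_SHORT},
    "document archive": {"lending": IMPACT_LONG, "regulatory reporting": IMPACT_SHORT},
}

SAMPLE_RISKS = [
    Risk("Successful phishing against employees", "External Threat", (5, 5), (5, 3)),
    Risk("Unauthorized software in LIVE", "Vulnerability", (4, 4), (3, 3)),
    Risk("Confidential information disclosure via partner", "Vulnerability", (5, 3), (4, 3)),
]


def service_bi_table() -> dict[str, float]:
    """BI of every sample IT service, computed from PROCESS_BI and SERVICE_IMPACTS."""
    return {svc: it_service_bi(PROCESS_BI, imp) for svc, imp in SERVICE_IMPACTS.items()}


if __name__ == "__main__":
    for svc, bi in sorted(service_bi_table().items(), key=lambda kv: -kv[1]):
        print(f"{svc:20s} BI = {bi}")
    for name, score, band in prioritise(SAMPLE_RISKS):
        print(f"{score:3d} {band:6s} {name}")
```

Running the block prints the services ordered by BI (core banking 18.5, document archive 2.2) and the risks ordered by residual score (15 High, 12 High, 9 Medium). The matrix lookup and the numeric score are kept as separate functions because they answer different questions: the band is what the deck presents to management (slide 23), while the score is only an ordering aid, which is the point of slide 26 that prioritizing has more value than the ratings themselves.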
Slide 29: Subjectivity of risk assessment
We are human beings, not oracles. To know everything is impossible.
(Diagram: there are things you know, things you don't know that you know, and things you don't know you don't know)

Slide 30: Presumption for risk mitigation
(Chart with axes Quality and Time, showing IT operation with managed (service) quality, IT security, a critical compliance level, and unmanaged IT security)

Slide 31: Thank You!
[email protected]