How to get best value out of risk assessment? - FSR

Raini Mihkelson, CISSP
Head of Information Security at Danske Bank Estonia
Friday 6 September, Security & Audit 2013, Copenhagen
My background
I have studied Informatics at Tallinn University of Technology and hold a Bachelor's degree in Computer Science (BSc). I am also a Certified Information Systems Security Professional (CISSP).
I have been working in the information security field for over 8 years now. I started as a security analyst and now work as Head of the Information Security department at Danske Bank Estonia.
2
Agenda
1. Risk assessment in general
2. How we have managed assessment
3. What is our experience and what are the challenges
3
Risk assessment – what it is and how to use it?
Source: Internet
4
General objective of risk assessment
ISF: The Standard of Good Practice for Information Security (June 2013):
“To enable individuals who are responsible for target environments to identify key information risks and determine the controls required to keep those risks within acceptable limits”
Think of the outcome – what do you want to achieve?
1. Create a common understanding of risks (threats, weaknesses, impacts) with levels
2. Prioritize (and group) possible mitigation actions and controls
3. Gain management support for implementing controls
5
Different levels of risk assessments
(Pyramid on the slide, arranged by level of detail)
- Operational risks (annually)
- IT and info security risks (twice a year)
- Project or every-day operations based risks (weekly/monthly)
6
Building blocks of risk management
Assets & services -> Security classification & business importance -> Risk assessment -> Risk treatment
Risk assessment is one part of the risk management process: it requires input from the previous phase and gives output to the next phase.
7
We started with defining our assets
(Building block: Assets & services)
Information asset – an important piece of the information system, data or applications.
The information system was divided into information assets. Main focus on data used in business processes.
Result:
1. Information asset owner = data owner
2. Information asset security classification – asset values assessed by the business owner and info security (data value; continued at slide nr 12)
3. Information asset register managed by Info security
8
Information asset register
[Screenshot of the information asset register: asset owners and their information assets]
9
Define your IT services
(Building block: Assets & services)
IT service – an IT service is made up from a combination of people, processes and technology and should be defined in a Service Level Agreement (ITILv3)*
IT operations started mapping important IT services based on the ITIL framework. Main focus on IT services needed for business processes. SLAs with the business side.
Result:
1. Identified business area/process owner – the “visible” client for IT
2. IT services have owners – IT service managers
3. IT service register managed by IT operations
* http://www.knowledgetransfer.net/dictionary/ITIL/en/IT_Service.htm
10
Business areas with IT Services
11
Assess asset values – security classification
(Building block: Security classification & business importance)
Information assets were assessed based on the ISKE methodology (ISKE is based on the German BSI standard IT-Grundschutz).
Security classification was assessed by the asset owner (business) and info security.
Data:
K – Availability, 4 levels (0-3)
T – Integrity, 4 levels (0-3)
S – Confidentiality, 4 levels (0-3)
R – data latency impact, 4 levels (0-3)
12
Information asset register
[Screenshot of the information asset register with its security classification columns]
13
Assess business service – IT service business importance (BI)
(Building block: Security classification & business importance)
Business Importance of an IT service is assessed by the business process owner and the IT operations manager.
Business process importance (BI) – assessed by the process owner on a scale of 1 to 10
IT service impact to business process – assessed by the IT process owner:
1 – there is a 1:1 mapping: if the IT service fails, the business process fails completely
0.5 – the business process depends on the IT service, but it can be replaced with other activities in a short time period (1 day)
0.1 – the business process depends on the IT service, but it can be replaced with other activities in a long time period (1 week)
IT service BI = sum over business processes of (business process importance (BI) value x IT service impact to business process)
14
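The BI calculation above, worked through as an added example (this is not code from the presentation or from Danske Bank). It takes business-process BI scores on the 1-10 scale and the 1 / 0.5 / 0.1 impact factors exactly as the slide defines them, rejects any factor outside that set, and ranks the IT services. The last step, giving an IT infrastructure service the summed BI of the IT services that run on it, is my generalisation of the layer model and of the later statement that the impact to an infrastructure service is the impact to all IT services and business processes; the process names, scores and dependency maps are constructed sample data.

```python
# Added worked example (not from the original deck): IT service Business
# Importance (BI) computed as the slide defines it, plus a generalisation to
# IT infrastructure services. All process names, BI scores and dependencies
# below are constructed sample data.
from collections import defaultdict

# Impact factors exactly as the slide defines them.
IMPACT_1_TO_1 = 1.0      # IT service fails -> business process fails completely
IMPACT_SHORT_TERM = 0.5  # replaceable with other activities within ~1 day
IMPACT_LONG_TERM = 0.1   # replaceable with other activities within ~1 week
ALLOWED_IMPACT = {IMPACT_1_TO_1, IMPACT_SHORT_TERM, IMPACT_LONG_TERM}

# Constructed: business process -> BI on the 1-10 scale (assessed by process owner).
PROCESS_BI = {
    "Payments": 10,
    "Customer onboarding": 7,
    "Internal reporting": 3,
}

# Constructed: (business process, IT service) -> impact factor (assessed by IT).
SERVICE_IMPACT = {
    ("Payments", "Core banking"): IMPACT_1_TO_1,
    ("Payments", "Internet bank"): IMPACT_SHORT_TERM,
    ("Customer onboarding", "CRM"): IMPACT_1_TO_1,
    ("Customer onboarding", "Internet bank"): IMPACT_LONG_TERM,
    ("Internal reporting", "Data warehouse"): IMPACT_1_TO_1,
    ("Internal reporting", "Core banking"): IMPACT_LONG_TERM,
}

# Constructed (assumption, not on the slide): IT infrastructure service ->
# the IT services that run on it.
INFRA_DEPENDENTS = {
    "Virtualisation platform": ["Core banking", "CRM", "Data warehouse"],
    "Internet edge": ["Internet bank"],
}


def service_bi(process_bi, service_impact):
    """IT service BI = sum over processes of (process BI x IT service impact)."""
    totals = defaultdict(float)
    for (process, service), impact in service_impact.items():
        if impact not in ALLOWED_IMPACT:
            raise ValueError(f"{process} -> {service}: impact {impact} is not one of "
                             f"{sorted(ALLOWED_IMPACT)}")
        bi = process_bi[process]
        if not 1 <= bi <= 10:
            raise ValueError(f"{process}: BI {bi} outside the 1-10 scale")
        totals[service] += bi * impact
    return dict(totals)


def infra_bi(service_bi_values, infra_dependents):
    """Assumption generalising the deck's rule 'impact to an IT infrastructure
    service = impact to all IT services / business processes': an infra service
    inherits the summed BI of every IT service that depends on it."""
    return {infra: sum(service_bi_values.get(s, 0.0) for s in services)
            for infra, services in infra_dependents.items()}


def ranked(bi_values):
    """Highest BI first; ties broken by name so the order is stable."""
    return sorted(bi_values.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    svc = service_bi(PROCESS_BI, SERVICE_IMPACT)
    for name, value in ranked(svc):
        print(f"IT service    {name:<24} BI = {value:.1f}")
    for name, value in ranked(infra_bi(svc, INFRA_DEPENDENTS)):
        print(f"Infra service {name:<24} BI = {value:.1f}")
```

With this sample data "Core banking" comes out on top (10.3) even though only one process maps to it 1:1, because the second, weakly dependent process still adds to the sum; that is the property of the additive formula worth checking against your own register before trusting the ranking.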
IT service business importance (BI)
[Screenshot: business areas & processes with their business importance (BI), mapped to IT services]
15
Layers and relations
(Layer diagram on the slide; business importance (BI) is carried down through the layers)
- Business layer: business processes
- Data security layer: information assets used by the business processes
- IT layer: IT services supporting the business processes and information assets
- Infra layer: IT infrastructure services and core infra (power, HVAC, facilities, etc.)
16
IT and info security risk assessment
(Building block: Risk assessment)
Template from the Information Security Forum (ISF) Information Risk Analysis Methodology (IRAM)
IT and info security risk assessment team:
- Information security
- IT systems
- IT operations
- IT management
Frequency: twice a year
17
Risk assessment – ratings
Risk rating table
(Building block: Risk assessment)
Likelihood rating (expected or actual frequency experienced):
1 Very Low – Rare – once in 10+ years
2 Low – Unlikely – once in 10 years
3 Medium – Possible – once in 5 years
4 High – Likely – once in 3 years
5 Very High – Almost certain – once in a year
Business impact rating (impact examples – IT service or asset security):
1 Very Low – IT services or asset security (level 0-1) affected
2 Low – 1 critical IT service or asset security (level 1-2) affected
3 Medium – 3-5 critical IT services or asset security (level 1-2) affected
4 High – over 5 critical IT services or asset security (level 2-3) affected
5 Very High – over 10 critical IT services or assets security (level 3) affected
Risk rating matrix (rows: business impact rating, columns: likelihood rating 1 to 5):
Impact 5: M H H H H
Impact 4: M M H H H
Impact 3: L L M H H
Impact 2: L L L M M
Impact 1: L L L L M
Likelihood: 1 2 3 4 5
1-5 ratings with custom defined likelihood and impact descriptions.
More ratings and likelihood / impact definitions can be chosen considering the level of assessment.
18
Risk assessment – set up
(Building block: Risk assessment)
Every participant brings his/her own additions to the existing template, listing possible threats or weaknesses to an asset or service.
Things considered during assessment:
- Occurred incidents
- New threat trends
- Information asset security classification
- IT service BI
Impact/likelihood – first think of impact/likelihood without security controls, then assess the residual (remaining) risk with the existing controls in place.
Impact to an IT infrastructure service = impact to all the IT services / business processes it supports
19
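The rating table from the previous slide and the inherent-versus-residual assessment described above, combined in one added example (my code, not the presentation's or Danske Bank's). It encodes the 1-5 likelihood and impact scales and the L/M/H matrix as printed on the slide, checks that the matrix never rates a risk lower when likelihood or impact rises (the check you want before adopting a customised matrix), and then rates a small constructed register twice, without controls and with existing controls, ordering it for the treatment discussion. The numeric score as likelihood x impact is an assumption: the deck shows scores such as 15 and 12 but never states the formula, so the L/M/H rating is always taken from the matrix itself, not from the score.

```python
# Added worked example (not from the original deck): the 5x5 likelihood /
# impact rating table from the "ratings" slide applied to a small risk
# register, rated once without controls (inherent) and once with existing
# controls (residual), as the "set up" slide describes. Risk entries and
# controls are constructed sample data. Assumption: the numeric score is
# likelihood x impact (the deck shows scores such as 15 and 12 but does not
# state the formula); the L/M/H rating comes from the matrix itself.

# Likelihood rating: (label, description, expected frequency), from the slide.
LIKELIHOOD = {
    1: ("Very Low", "Rare", "once in 10+ years"),
    2: ("Low", "Unlikely", "once in 10 years"),
    3: ("Medium", "Possible", "once in 5 years"),
    4: ("High", "Likely", "once in 3 years"),
    5: ("Very High", "Almost certain", "once in a year"),
}

# Business impact rating: (label, impact example), from the slide.
IMPACT = {
    1: ("Very Low", "IT services or asset security (level 0-1) affected"),
    2: ("Low", "1 critical IT service or asset security (level 1-2) affected"),
    3: ("Medium", "3-5 critical IT services or asset security (level 1-2) affected"),
    4: ("High", "over 5 critical IT services or asset security (level 2-3) affected"),
    5: ("Very High", "over 10 critical IT services or assets security (level 3) affected"),
}

# Rating matrix from the slide: key = impact rating, string index = likelihood - 1.
MATRIX = {
    5: "MHHHH",
    4: "MMHHH",
    3: "LLMHH",
    2: "LLLMM",
    1: "LLLLM",
}
ORDER = {"L": 0, "M": 1, "H": 2}


def rate(likelihood, impact):
    """Return (score, rating) for one likelihood/impact pair."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"ratings must be 1-5, got L={likelihood} I={impact}")
    return likelihood * impact, MATRIX[impact][likelihood - 1]


def matrix_is_monotonic(matrix=MATRIX):
    """Sanity check for a custom matrix: the rating must never drop when
    likelihood or impact increases."""
    for impact in range(1, 6):
        row = matrix[impact]
        if any(ORDER[row[i]] < ORDER[row[i - 1]] for i in range(1, 5)):
            return False
        if impact > 1 and any(ORDER[row[i]] < ORDER[matrix[impact - 1][i]] for i in range(5)):
            return False
    return True


# Constructed register: (likelihood, impact) without controls and with existing controls.
RISKS = [
    {"name": "Successful phishing against employees", "category": "External Threat",
     "inherent": (5, 4), "residual": (3, 3),
     "controls": "awareness training, mail filtering"},
    {"name": "Unauthorized software in LIVE", "category": "Vulnerability",
     "inherent": (4, 4), "residual": (3, 4),
     "controls": "change management process"},
    {"name": "Confidential information disclosure via partner", "category": "Vulnerability",
     "inherent": (3, 5), "residual": (2, 5),
     "controls": "partner contracts, access reviews"},
    {"name": "User errors and mistakes", "category": "User errors and mistakes",
     "inherent": (4, 3), "residual": (2, 3),
     "controls": "four-eyes principle on critical transactions"},
]


def evaluate(risks):
    """Rate each risk twice and order the register for the treatment discussion:
    residual rating H before M before L, then by residual score, then by name."""
    rows = []
    for r in risks:
        inh_score, inh_rating = rate(*r["inherent"])
        res_score, res_rating = rate(*r["residual"])
        rows.append({"name": r["name"], "category": r["category"],
                     "inherent_score": inh_score, "inherent_rating": inh_rating,
                     "residual_score": res_score, "residual_rating": res_rating,
                     "controls": r["controls"]})
    rows.sort(key=lambda x: (-ORDER[x["residual_rating"]], -x["residual_score"], x["name"]))
    return rows


if __name__ == "__main__":
    assert matrix_is_monotonic(), "rating matrix is not monotonic"
    for row in evaluate(RISKS):
        print(f"{row['residual_rating']} {row['residual_score']:>2} (inherent "
              f"{row['inherent_rating']} {row['inherent_score']:>2})  {row['name']}")
```

Note that the printed matrix is deliberately not symmetric: a likelihood of 5 with impact 1 rates M, while likelihood 1 with impact 5 also rates M but likelihood 2 with impact 5 already rates H. The same product score therefore does not always give the same L/M/H rating, which is why the example reads the rating from the matrix and keeps the score only as a tie-breaker within a rating band.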
Risk assessment - examples
(Building block: Risk assessment)
External threat examples:
- Successful phishing (social engineering) against employees: employees react to phishing – links and attachments are opened.
- Employees' mobile solutions successfully attacked: an employee mobile device (BYOD) is infected with malware – a device used for remote connection is infected with malware.
- Successful e-service (application level and/or business logic) hacking: the internet bank, livegate or mobile bank is successfully modified, or other methods are used to steal data or manipulate (client) sessions from the server side. Known or unknown vulnerabilities exist in e-services.
Vulnerability examples:
- Unauthorized software in LIVE: new software (functionality) is deployed without authorization – changes are not discovered.
- Confidential information disclosure via partner: confidential or personal information is leaked (via a bank business (outsourcing) partner or other methods).
20
Risk assessment – table with risk scores
21
Risk treatment – assigned risk owner
(Building block: Risk treatment)
1. Every risk has an owner
2. The risk owner's role is to analyze different risk mitigation methods – the risk owner has to plan preliminary analysis work for finding the best methods or alternatives
3. The risk owner's role is to propose risk mitigation methods
Example rows from the risk treatment table (risk names, mitigation methods and action plans are masked as #### on the slide):
Risk name | Category | Rating | Risk owner | Mitigation methods | Action plan
#### | External Threat | 15 | InfoSec (Raini) | #### | ####
#### | Vulnerability | 15 | IT Operations (Guido) | #### | ####
#### | User errors and mistakes | 12 | BusDevel (Reet) | #### | ####
22
Risk treatment – management decisions
(Building block: Risk treatment)
Risk assessment results with possible mitigation methods will be presented to management.
Shown on the slide: risk levels (High / Medium / Low) against the treatment options (Accept / Avoid / Transfer / Mitigate).
23
Risk treatment – final result
(Building block: Risk treatment)
Approved mitigation methods and security controls will be applied through:
1. IT roadmap and
2. Info security road map
Depending on risk type also:
1. Business Development plans
2. HR (training) plans
Key success element is the budgeting process, where risk treatment competes with other development plans.
24
Risk assessment challenges
25
How to measure an apple?
With a stopwatch?
Risk assessment is like measuring an apple:
1. First determine what you need the measurement for
2. And then choose the correct measuring tools
But do not go to extremes – prioritizing risks has more value than the risk ratings themselves.
Pictures source: Internet
26
Owners – processes are managed by people
Owners are needed for:
1. Assets
2. Services
3. Risks
4. Mitigation
Owner roles include:
- Addressing possible issues
- Following up on progress
Owners are the key element of successful risk management!
27
How to choose the best mitigation methods?
Challenge nr 1: if there are different solution plans for risk mitigation – which one is the shortest and the cheapest one?
The risk owner should involve the necessary resources for assessing possible mitigation solutions.
Challenge nr 2: assessment is an easy task compared to the mitigation work ahead. Mitigation might take years.
Use project slicing. You should have some results between risk assessment cycles.
28
Subjectivity of risk assessment
We are human beings, not oracles. To know everything is impossible.
There are things you know that you know, things you know that you don't know, and things you don't know that you don't know.
29
Presumption for risk mitigation
[Chart: quality (vertical axis) over time (horizontal axis), with curves for IT operation (managed service quality), IT security, and unmanaged IT security, drawn against a critical compliance level line]
30
Thank You!
[email protected]
31