Risk Management and Risk Assessment
Nathan Singleton
Computer Science / www.isec.utulsa.edu
Risk Management is…
“Risk management is the process that allows IT
managers to balance the operational and
economic costs of protective measures and
achieve gains in mission capability by protecting
the IT systems and data that support their
organizations’ missions.”
-NIST SP 800-30
Guidance and Policies
• NIST SP 800-30
– Risk Management Guide for Information Technology Systems
• ISO 17799/27002
– A comprehensive set of controls comprising best practices.
Intended to serve as a single reference point for identifying the
range of controls needed for “most” situations
• Other Guidance
– HIPAA
– PCI-DSS
– Sarbanes-Oxley
– FERC/NERC CIP
– etc.
Risk Management Goals
• Enhance mission capabilities of an enterprise
by protecting IT systems that support
operations
– Minimize the impact of an “event”
– Avoid the “event”
• Balance operational and economic costs of
protecting IT systems
– This process will produce “Residual Risk”: the risk that
remains after the chosen controls are in place, which
management must knowingly accept
3 Processes of Risk Management
• Risk Assessment
– Identification and evaluation of risks and risk impact
– Recommendations of risk-reducing measures
• Risk Mitigation
– Prioritizing, implementing, and maintaining
appropriate risk-reducing measures
• Evaluation and Assessment
– Evaluation and Assessment are continuous
activities
Key Roles
• Senior Management
– Ultimately responsible for mission accomplishment
• Chief Information Officer (CIO)
– Agency / Corporate individual responsible for planning,
budgeting, and IT performance
• System and Information Owners
– Responsible for ensuring controls are in place to protect the
confidentiality, integrity, and availability (CIA) of the IT
system and data they “own”
• Business and Functional Managers
– Responsible for business operations and IT
procurement. Ultimately will determine trade-offs
required to accomplish mission objectives
Key Roles
• ISSO (Information System Security Officer)
– IT security managers and computer security officers
responsible for security programs. They introduce
methodologies and requirements
• IT Security Practitioners
– Administrators (network, database, etc.) and other
security professionals responsible for proper
implementation
• Security Awareness Trainers
– Employees are the source of more security violations
than any other cause, so training is itself a control
Risk Assessment
• This is the first part of Risk Management
– Used to determine extent of potential threat and
associated risk
• “Risk is a function of the likelihood of a given
threat-source’s exercising a particular
potential vulnerability, and the resulting
impact of that adverse event on the
organization.”
Quick Definitions
• Likelihood:
– Determined by analyzing the threats combined with
potential vulnerabilities and the controls in place
• Impact:
– The amount of harm potentially caused by
exercising a vulnerability. Levels are determined by
potential impact on the mission
• Threat:
– The potential for a threat-source to exercise
(accidentally trigger or intentionally exploit) a
specific vulnerability
Quick Definitions
• Threat-Source:
– (1) Intent and method targeted at the intentional exploitation
of a vulnerability, or
– (2) A situation and method that may accidentally trigger a
vulnerability
– Generally speaking, threat-sources are anything that can
cause harm to the IT system (human, natural, or environmental)
• Vulnerability:
– A flaw or weakness in system security procedures, design,
implementation, or internal controls that could be exercised
(accidentally triggered or intentionally exploited) and result in
a security breach or a violation of the system’s security policy
9 Step Process
1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation
– Steps 2, 3, 4, and 6 can be conducted in parallel after Step 1 has
been completed
Risk Assessment Process Graph
(figure not reproduced: flowchart of the nine assessment steps with their inputs and outputs)
Risk Mitigation
• Second process of Risk Management
– Prioritize controls
– Evaluate controls
– Implement controls
Prioritization and Evaluation Basis
• Least-cost approach
• Most appropriate controls to reduce risk to acceptable level
• Minimal adverse impact
• Precedence should be given to the threat-vulnerability
pairs with the greatest impact on the mission
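A worked run of Steps 5 through 8 of the nine-step assessment process, ending with the prioritization basis just listed. This is an added example, not code from the slides or from NIST: the likelihood weights (1.0/0.5/0.1), impact weights (100/50/10) and risk bands follow the risk-level matrix in NIST SP 800-30 (2002), the threat/vulnerability pairs are constructed sample input, and the rule that an effective control lowers likelihood by one band (or by an assumed `bands_reduced` for a recommended control) is a simplification chosen for the example.

```python
"""Worked risk determination and prioritization in the style of NIST SP 800-30.

Added example, not from the slides. Weights and bands are those of the
SP 800-30 (2002) risk-level matrix; the pairs below are constructed input.
"""
from dataclasses import dataclass

LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_WEIGHT = {"High": 100, "Medium": 50, "Low": 10}
BANDS = ("Low", "Medium", "High")


@dataclass
class ThreatVulnPair:
    """One threat-source / vulnerability pair (the output of Steps 2 and 3)."""
    threat_source: str
    vulnerability: str
    raw_likelihood: str               # motivation, capability, ease of exercise, before controls
    existing_control_effective: bool  # Step 4: do the controls already in place work?
    impact: str                       # Step 6: harm to the mission if exercised
    recommended_control: str          # Step 8
    bands_reduced: int                # assumed effect of that control on likelihood


def step_down(level: str, steps: int) -> str:
    """Lower a High/Medium/Low band by `steps`, never below Low."""
    return BANDS[max(BANDS.index(level) - steps, 0)]


def determine_likelihood(pair: ThreatVulnPair) -> str:
    """Step 5: an effective existing control lowers the raw likelihood one band (assumption)."""
    return step_down(pair.raw_likelihood, 1 if pair.existing_control_effective else 0)


def risk_score(likelihood: str, impact: str) -> float:
    """Step 7: risk = likelihood weight x impact weight, on a 1..100 scale."""
    # round() guards against floating-point noise right at a band edge (e.g. 0.1 * 100)
    return round(LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact], 2)


def risk_level(score: float) -> str:
    """Band the score as SP 800-30 does: High (>50), Medium (>10 to 50), Low (1 to 10)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def assess(pairs):
    """Steps 5-7 for each pair, plus the residual risk if the recommended control is applied."""
    results = []
    for p in pairs:
        likelihood = determine_likelihood(p)
        score = risk_score(likelihood, p.impact)
        residual_score = risk_score(step_down(likelihood, p.bands_reduced), p.impact)
        results.append({
            "pair": f"{p.threat_source} / {p.vulnerability}",
            "likelihood": likelihood,
            "impact": p.impact,
            "score": score,
            "level": risk_level(score),
            "control": p.recommended_control,
            "residual_level": risk_level(residual_score),
        })
    return results


def prioritize(results):
    """Step 8 ordering: greatest impact first, then highest risk score."""
    return sorted(results, key=lambda r: (IMPACT_WEIGHT[r["impact"]], r["score"]), reverse=True)


# Constructed sample input for illustration only, not a real assessment.
SAMPLE_PAIRS = [
    ThreatVulnPair("External attacker", "unpatched remote code execution in public web server",
                   "High", False, "High", "apply vendor patch and add WAF rule", 2),
    ThreatVulnPair("Malicious insider", "application account holds DBA rights on customer DB",
                   "Medium", False, "High", "least-privilege DB role plus query logging", 1),
    ThreatVulnPair("Employee", "credential theft by phishing",
                   "High", True, "Medium", "phishing-resistant MFA for all staff", 1),
    ThreatVulnPair("Storm", "server room below flood line",
                   "Low", False, "Medium", "none; risk assumed by management", 0),
]


def residual_summary(pairs=SAMPLE_PAIRS):
    """Return (pair, current level, residual level) tuples in priority order."""
    return [(r["pair"], r["level"], r["residual_level"]) for r in prioritize(assess(pairs))]


if __name__ == "__main__":
    for name, level, residual in residual_summary():
        print(f"{level:6} -> residual {residual:6}  {name}")
```

The ordering puts both High-impact pairs ahead of the Medium-risk phishing pair even though the insider pair scores the same 50 as some Medium-impact combinations would, which is exactly the "greatest impact first" precedence rule; the residual column is the "Residual Risk" that senior management signs off on (risk assumption) or sends back for further mitigation.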
Risk Mitigation Options
• Risk Assumption
– Accept potential risk, or implement controls to lower risk
• Risk Avoidance
– Avoid the risk by eliminating its cause and/or consequence
(e.g. forgo a system function or shut the system down)
• Risk Limitation
– Implement controls that minimize the adverse impact
• Risk Planning
– Develop risk mitigation plan to prioritize, implement, & maintain
controls
• Research and Acknowledgement
– Lower risk by acknowledging vulnerability and researching controls
• Risk Transference
– Transfer risk (e.g. purchase insurance)
Evaluation and Assessment
• Systems must be continuously reevaluated
– As new equipment is inserted into the system
– As new software and applications are installed
– Continuously since new vulnerabilities are regularly
found
• Full assessments should be performed in
accordance with appropriate governance
– NIST SP 800-30 states at least every three years
for government agencies
Questions