Primer: Risk Management Lifecycle
Introduction
Risk is a factor that has the potential to have a negative influence on an organization. There are several ways to view risk when relating it to the concerns that should be considered and addressed for an organization.
A structured approach to addressing the concerns of risk for an organization is to implement a risk management program. This program is an ongoing effort that is analyzed, adjusted and audited to ensure the risk profile is reduced to a level acceptable for the organization's risk tolerance.
This ongoing effort is referred to as the Risk Management Lifecycle, and understanding it is critical to implementing a successful program.
Overview
The risk management lifecycle at an abstract level is parsed into the following phases: identify assets, assess risk to assets, develop appropriate ways to manage risk and audit implemented controls. Several methodologies have been developed to assist practitioners in executing a risk management program for an organization. These methodologies include the NSA Information Assurance Methodology (NSA IAM), the McCumber Cube and Operationally Critical Threat Asset Vulnerabilities Evaluation (OCTAVE).
The NSA IAM provides a structured approach to defining an organization's critical information assets, the organization's security needs for those assets and the organization's current security posture for securing the assets. This approach involves parties from the information security team and the management of the organization. If followed correctly, this methodology produces an accurate assessment of an organization's security needs and a road-map for addressing gaps. This methodology was developed by the National Security Agency to meet the demand for information security assessments. The NSA IAM is a repeatable process and is endorsed and recognized by the information security industry.
The McCumber Cube methodology offers a structured approach to assessing and managing security risk in IT systems. The methodology relies on the implementer to identify information assets and then think of risk management in a deconstructed view across the all-too-familiar confidentiality, integrity and availability critical information characteristics.
OCTAVE is an asset-centric methodology for information risk assessment that uses a workshop approach. It is executed in three phases: an organizational phase, a technological phase, and a strategy and plan development phase. This methodology is extremely document-heavy yet easy to follow for any professional, regardless of background. It has different versions to fit differently sized organizations, and it is highly transparent to the employee community.
The most significant drawback, and likely the reason it is not implemented by default, is the amount of time the program requires. Time equals money in business, and management and key players are often more interested in the financials than in the quality and thoroughness of a risk assessment methodology.
Regardless of methodology selected, the phases are generally the same. Each phase is discussed in greater detail, revealing the risk management lifecycle.
Identify
The first phase of the risk management lifecycle is the identification phase. The organization must compile a list of all assets under control. This list includes both non-tangible assets, such as informational assets, and tangible assets, such as hardware and human resources.
In addition to defining the assets under control for an organization, the identify phase identifies the risks present to each asset. These risks can be environmental, natural or man-made. Leveraging members from various departments provides useful insight and subject matter expertise on what risks are present. The defined assets and risks provide input into phase two of the risk management lifecycle.
During the identification phase it is critical for a cross section of stakeholders to be represented. Members from human resources, research, finance & accounting, marketing, IT and IS should all be present. Including members from various departments provides comprehensive coverage of asset and risk identification, and the process gives those departments exposure and awareness, reinforcing the principle that risk is an integral part of the business.
A detailed list of critical assets and their associated risks should be documented and maintained. A list of this nature provides multiple benefits. It gives the employee base, including management, an understanding of the assets under the organization's control and their associated risks, some of which management may not have known existed or may not have recognized as important to the success of the organization. This list can act as an input into several key processes, including business continuity and disaster recovery plans, to make recovery faster and more efficient. Additionally, this list provides a starting point for the risk management lifecycle when it begins again. Time and money do not need to be spent exhaustively listing assets and considering possible risks; instead the list can be used as a baseline and modifications can be made accordingly.
Analyze Risk
The second phase of the risk management lifecycle is the analyze phase. This phase reviews each risk and determines the impact an occurrence would have on the organization and its assets. Impact is determined by evaluating how negative the effect on the organization would be if the risk were to occur. The impact of each risk can be evaluated using a scale of Low, Medium, and High.
[NOTE: The scale used to measure impact is relative to itself. Industry commonly uses the two scales [Low, Medium, High] and [1, 2, 3, 4, 5] as measurements. It is the practitioner's decision to determine the scale. Regardless of the scale, it is important that the scale be used consistently and that each value has a clear, objective definition.]
Once the risks are defined relative to their impact, the probability of their occurrence must be determined. Historical data, subject matter experts and industry predictions can be leveraged to determine the likelihood of an occurrence. Probability and impact together make up a matrix which yields the risk profile for each risk defined. An example of a risk probability/impact matrix is shown below.
An organization is now equipped to address these risks in an orderly and clear manner. For example, a risk with low impact and low probability can be ignored or pushed to the bottom of a priority list, whereas a risk with high impact and high probability should be addressed as soon as possible.
[Figure: Probability and impact are the key elements to determining risk score. Image from http://www.mindtools.com/pages/article/newPPM_78.htm]
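The probability/impact matrix above can be reduced to a small scoring routine. The following is an added worked example, not code from the primer or from any of the methodologies it names; the three-point scale, the score thresholds for each matrix cell, and the sample risk register are all constructed assumptions, chosen to satisfy the note's requirement that one scale be used consistently and that every value be defined.

```python
"""Risk probability/impact matrix: scoring and prioritization.

Added worked example (not from the primer). The scale, the level
thresholds and the sample register below are constructed assumptions.
"""
from dataclasses import dataclass

# One ordinal scale shared by probability and impact (assumption: 3-point scale).
SCALE = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Risk:
    asset: str         # asset recorded in the identify phase
    description: str   # the risk to that asset
    probability: str   # Low / Medium / High
    impact: str        # Low / Medium / High


def risk_score(probability: str, impact: str) -> int:
    """Score = probability x impact on the ordinal scale, giving 1..9."""
    try:
        return SCALE[probability] * SCALE[impact]
    except KeyError as exc:
        # A value outside the defined scale breaks consistency; refuse it
        # rather than silently scoring it.
        raise ValueError(f"value not on the defined scale: {exc}") from None


def risk_level(score: int) -> str:
    """Map a score onto a matrix cell. Thresholds are assumptions."""
    if score >= 6:
        return "Critical"   # High/High or High/Medium: address as soon as possible
    if score >= 3:
        return "Moderate"
    return "Low"            # Low/Low cell: candidate for retention


def prioritize(risks: list[Risk]) -> list[tuple[Risk, int, str]]:
    """Return (risk, score, level) tuples ordered from highest to lowest score."""
    scored = [(r, risk_score(r.probability, r.impact)) for r in risks]
    scored.sort(key=lambda item: item[1], reverse=True)
    return [(r, s, risk_level(s)) for r, s in scored]


# Constructed sample register (not real data).
REGISTER = [
    Risk("File server", "AC unit above the rack leaks onto hardware", "Medium", "High"),
    Risk("Customer DB", "Backups never tested for restore", "High", "High"),
    Risk("Lobby kiosk", "Screen burn-in", "High", "Low"),
    Risk("Archive tapes", "Off-site vault flooding", "Low", "Low"),
]

if __name__ == "__main__":
    for risk, score, level in prioritize(REGISTER):
        print(f"{score} {level:8} {risk.asset}: {risk.description}")
```

Running the block lists the register from the highest score (9, the untested backups) to the lowest (1, the vault flooding), which is the priority order the paragraph above describes.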
Addressing Risk
The third phase of the risk management lifecycle is addressing the risks defined in phase two. There are four approaches with which an organization can address each risk. These approaches are:
- Avoidance – This is the method of eliminating the risk altogether. Physically moving an air conditioner that is hanging above a server avoids the risk of it leaking liquid onto the server hardware.
- Reduction – This is the most commonly thought of form of addressing risk. Risk reduction is the mitigation of the risk. The risk cannot be avoided, but controls can be put in place to reduce the impact and/or probability of occurrence. This effectively changes the risk profile for the risk and moves it to an acceptable level.
- Transfer – Some risk cannot be mitigated because it is inherently present due to the organization's business model. Such risk can be outsourced or insured to make the risk level acceptable. Drivers have insurance on their vehicles because they cannot avoid the act of driving, nor can they mitigate the risk of being hit by a bad driver.
- Retention – Some risks are at acceptable levels for an organization without requiring intervention. A low impact and low probability risk is an acceptable risk for many organizations.
An organization has many variables to consider when addressing identified risk, including what options are available to address each risk, the cost-benefit of each option, the current budget constraints and the cost of the risk occurring. A budget might dictate that the optimal solution is too expensive, and a more affordable, less risk-mitigating solution needs to be implemented. This may reduce the risk to a level that is still not acceptable, but reduces it enough that it is no longer an urgent issue.
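The budget trade-off described in the paragraph above can be made explicit by attaching a cost and a residual probability/impact to each candidate treatment and choosing the affordable option with the lowest residual risk. The block below is an added worked example, not code from the primer; the option costs, the residual ratings, the three-point scale and the tolerance threshold are constructed assumptions applied to the primer's own leaking air-conditioner scenario.

```python
"""Choosing a risk treatment under a budget constraint.

Added worked example (not from the primer). Costs, residual ratings,
the scale and the tolerance threshold are constructed assumptions.
"""
from dataclasses import dataclass

SCALE = {"Low": 1, "Medium": 2, "High": 3}
TOLERANCE = 2   # assumption: residual scores at or below this are acceptable


@dataclass(frozen=True)
class Option:
    approach: str             # Avoidance / Reduction / Transfer / Retention
    description: str
    cost: int                 # one-off cost in constructed currency units
    residual_probability: str
    residual_impact: str


def score(probability: str, impact: str) -> int:
    """Probability x impact on the ordinal scale."""
    return SCALE[probability] * SCALE[impact]


def residual(option: Option) -> int:
    """Risk score that remains after the option is applied."""
    return score(option.residual_probability, option.residual_impact)


def choose_treatment(options: list[Option], budget: int) -> tuple[Option, str]:
    """Pick the affordable option with the lowest residual risk.

    Ties on residual risk are broken by lower cost. Returns the option and
    a status: 'acceptable' when the residual is within tolerance, or
    'deferred' when the best affordable option still leaves the risk above
    tolerance, so it must be revisited in the next lifecycle iteration.
    """
    affordable = [o for o in options if o.cost <= budget]
    if not affordable:
        raise ValueError("no option fits the budget")
    best = min(affordable, key=lambda o: (residual(o), o.cost))
    status = "acceptable" if residual(best) <= TOLERANCE else "deferred"
    return best, status


# Constructed options for the air-conditioner leak risk (rated Medium/High today).
AC_OPTIONS = [
    Option("Avoidance", "Relocate the AC unit away from the rack", 8000, "Low", "Low"),
    Option("Reduction", "Fit a drip tray and leak sensor under the unit", 1500, "Low", "High"),
    Option("Transfer", "Insure the server hardware against water damage", 1200, "Medium", "Medium"),
    Option("Retention", "Accept the risk as is", 0, "Medium", "High"),
]

if __name__ == "__main__":
    for budget in (10000, 2000, 0):
        option, status = choose_treatment(AC_OPTIONS, budget)
        print(f"budget {budget:>5}: {option.approach:9} residual={residual(option)} {status}")
```

With a generous budget the avoidance option is chosen and the residual falls within tolerance; with a tight budget the cheaper reduction option is chosen and the result is marked deferred, which is exactly the "reduced but still not acceptable" outcome the paragraph describes.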
Organizations need to look at addressing risks from a technology perspective, through policies and procedures, and by valuing the human factors. Policies and procedures should be defined to meet the objectives of the organization and to address risk. The policies and procedures will dictate how technology will be implemented to mitigate risk and educate the user population in secure practices. Without appropriate, comprehensive policies, the implementation of controls and the actions of the user community are unlikely to be optimal for risk management.
The decisions on how risks will be addressed provide a risk mitigation implementation roadmap. This roadmap can be projected to give management a clear understanding of what the organization's risk profile is today and what it is likely to be in the future. The future state can be projected but not predicted. This is a key reason why risk management is a program and not a project. The lifecycle must be repeated to assess, address and handle the constantly changing risk environment.
Monitor/Audit
The final phase of risk management is the compliance and monitoring phase. Once controls have been put in place and policies developed, audits should be conducted to ensure they are being executed as expected. A control is worthless for mitigating risk if it is not in place or is not being followed.
The risk must continue to be monitored. Mitigating steps have been put in place, but the risk may still occur and/or escalate in probability or impact. For example, a server must not overheat, so an air conditioner is placed in the server room. This addresses the risk of overheating, but the temperature must still be monitored and an alert must be generated if it reaches a threshold. The air conditioner could fail (a newly created risk) or additional servers could be added and overwhelm the air conditioner.
Documentation of control compliance should be captured to provide feedback on how the control performs relative to its function of mitigating risk. Controls that are deprecated or no longer effective will allow risk to reach levels that must be addressed by the organization. These findings provide an input into the first phase of the risk management lifecycle.
Conclusion
A strong risk management program cannot be implemented quickly; it must be implemented and matured through iterations of the lifecycle. The environment, assets and risks change with laws, business objectives and technology advances. This makes the risk profile a dynamic entity which must be constantly reevaluated to ensure an organization understands its risks and is addressing them within its risk tolerance levels.
Bibliography
Barcia, N. (2005, October 7). The 3 M’s of Risk Management – Monitor, Measure, Manage. Retrieved November 17, 2009, from Toomre Capital Markets LLC: http://www.toomre.com/node/126
CERT. (2008, September 17). OCTAVE Information Security Risk Evaluation. Retrieved November 14, 2009, from CERT.ORG: http://www.cert.org/octave/
McCumber, J. (2005). Assessing and Managing Security Risk in IT Systems: A Structured Methodology. Florida: Auerbach Publications.
MindTools. (n.d.). Risk Impact/Probability Chart. Retrieved November 17, 2009, from Mindtools: http://www.mindtools.com/pages/article/newPPM_78.htm
National Institute of Standards and Technology. (2002, July). Risk Management Guide for Information Technology Systems. Retrieved November 14, 2009, from NIST.Gov: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf