RISK MANAGEMENT An Overview: NIPC Model - PowerPoint PPT Presentation

About This Presentation
Title:

RISK MANAGEMENT An Overview: NIPC Model

Description:

Systematic and analytical process by which an organization identifies, reduces, ... and federal (GLB, FERPA, HIPAA, SOX, ECPA, CFAA, USA Patriot Act, Teach Act, etc) ... – PowerPoint PPT presentation

Slides: 15
Provided by: sureshbal
Learn more at: https://www.usmd.edu

Transcript and Presenter's Notes

1
RISK MANAGEMENT: An Overview: NIPC Model
IT Security Workshop for Higher Education, April 2, 2004
2
Movement from Risk Avoidance to Risk Management
  • Risk Avoidance Model
    • Focus on preventing loss or damage without
      reference to the degree of risk
  • Risk Management
    • Systematic and analytical process by which an
      organization identifies, reduces, and controls
      its potential risks and losses

3
What are some drivers?
  • IT is intertwined and interdependent with
    critical institutional business processes
  • Regulatory Imperatives
    • State and federal (GLB, FERPA, HIPAA, SOX, ECPA,
      CFAA, USA Patriot Act, Teach Act, etc.)
  • Pace of Technological Change
    • Centuries, decades (automobiles), now continuous
  • Increasing sophistication of attack methods and
    attackers
  • Enabling the integration and managing the risks
    of introducing emerging technologies

4
What is risk?
  • Risk is a function of
    • Assets, threats, and vulnerabilities
  • Risk is the potential for an unwanted event to
    occur
  • The higher the probability and the greater the
    consequences, the greater the risk

5
Risk Management Approaches
  • Due Diligence Process
  • Probabilistic Risk Assessment
  • Expert-facilitated Risk Assessment
  • Scenario-based Risk Assessment
  • Game Theory Approaches
  • Systems Analysis
  • High-level Business Impact Analysis / Protection
    Posture Assessments

6
Risk Analysis Terms
  • Threat
    • Capability and intention of an adversary to take
      actions that are detrimental to an organization
  • Vulnerability
    • Any weakness in a control or a countermeasure
      that can be exploited by an adversary
  • Asset
    • Anything of value such as people, information,
      hardware, software, facilities, reputation,
      activities, and operations

7
Reassessing Risk and Risk Management Decisions
  • High-Threat, High-Consequence
    • Almost continuous assessment with weekly updates
      to top management
  • Medium-Threat, Medium-Consequence
    • 3 to 9-month reassessment with quarterly updates
      to top management
  • Low-Threat, Medium-Consequence
    • Annual reassessment and annual updates to top
      management

8
Some Common Errors in Risk Management
  • Too much trust in existing systems and protection
  • Downplaying insider and B2B threats
  • Lack of attention to business risks
  • Underestimating interdependencies and
    complexities
  • Misinterpretation of statistical data
  • Underestimating the impact of incremental changes
  • Adopting a reactive approach to risk management

9
A Five Step Risk Assessment Model - NIPC
  • Asset assessment
  • Threat assessment
  • Vulnerability assessment
  • Risk assessment
    • Risk = Consequence × (Threat × Vulnerability)
  • Countermeasures or controls identification

10
Risk Assessment - OCTAVE
  • Operationally Critical Threat, Asset, and
    Vulnerability Evaluation
  • Eight Processes
  • Organizational and Technological Views

11
Risk Assessment: Threat Examples (asset: threat)
  • Key personnel: Injury, death
  • File servers: DoS attack
  • Student data: Unauthorized insider access
  • Production facility: Natural disaster

12
Risk Assessment: Vulnerability Examples (asset: vulnerability)
  • Key personnel: No access controls
  • File servers: Ineffective patch management
  • Student data: Unchecked 3rd party
  • Production facility: Weak physical access
    controls
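
A worked instance of the five-step NIPC model (slide 9) applied to the asset, threat and vulnerability pairs of slides 11 and 12, with the reassessment cadence of slide 7 attached to each result. This is an added example, not material from the presentation or from NIPC; the 1 to 5 rating scale, the Low/Medium/High cut-offs, the countermeasure threshold and the default cadence for tiers the slides do not define are all assumptions made here.

```python
from dataclasses import dataclass

# Ordinal 1..5 ratings and the Low/Medium/High cut-offs are constructed for
# this example; the slides name the factors but give no scale.
def level(rating: int) -> str:
    if not 1 <= rating <= 5:
        raise ValueError(f"rating must be 1..5, got {rating}")
    return "Low" if rating <= 2 else "Medium" if rating == 3 else "High"

@dataclass(frozen=True)
class AssetRisk:
    asset: str          # step 1: asset assessment
    threat: str         # step 2: threat assessment (slide 11 examples)
    vulnerability: str  # step 3: vulnerability assessment (slide 12 examples)
    consequence: int    # impact if the unwanted event occurs, 1..5
    threat_rating: int  # adversary capability and intention, 1..5
    vuln_rating: int    # how exploitable the weakness is, 1..5

    def risk(self) -> int:
        # step 4: Risk = Consequence x (Threat x Vulnerability)
        return self.consequence * (self.threat_rating * self.vuln_rating)

# Reassessment cadences from slide 7, keyed on (threat level, consequence level).
CADENCE = {
    ("High", "High"): "continuous assessment, weekly updates to top management",
    ("Medium", "Medium"): "3 to 9-month reassessment, quarterly updates",
    ("Low", "Medium"): "annual reassessment, annual updates",
}

def reassessment_cadence(item: AssetRisk) -> str:
    key = (level(item.threat_rating), level(item.consequence))
    # The slides fill only three cells of the matrix; the rest is an assumed default.
    return CADENCE.get(key, "annual reassessment (assumed default, not on the slides)")

def rank_register(register: list) -> list:
    """Highest score first, so countermeasure effort goes where the risk is."""
    return sorted(((r.asset, r.risk()) for r in register), key=lambda t: -t[1])

def needs_countermeasures(register: list, threshold: int = 30) -> list:
    # step 5: assets whose score meets a constructed tolerance threshold
    return [r.asset for r in register if r.risk() >= threshold]

# Constructed register using the asset/threat/vulnerability pairs from slides 11-12.
REGISTER = [
    AssetRisk("Key personnel", "Injury, death", "No access controls", 3, 2, 4),
    AssetRisk("File servers", "DoS attack", "Ineffective patch management", 3, 3, 4),
    AssetRisk("Student data", "Unauthorized insider access", "Unchecked 3rd party", 4, 4, 5),
    AssetRisk("Production facility", "Natural disaster", "Weak physical access controls", 4, 1, 3),
]
```

With these constructed ratings `rank_register(REGISTER)` puts Student data (80) ahead of File servers (36), Key personnel (24) and Production facility (12), and `reassessment_cadence` returns the slide 7 cadence for the first three while falling back to the labelled default for the Low-Threat, High-Consequence cell the slides leave undefined.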

13
What are some benefits?
  • Cost Justification
  • Enhanced Productivity
  • Self Analysis
  • Organizational Integration
  • Targeted Security
  • Increased Security Awareness
  • Baseline Security and Policy
  • Consistency
  • Communication

14
References / Contact Information
  • Risk Management: An Essential Guide to
    Protecting Critical Assets, NIPC, 11/2002
  • suresh_at_usmd.edu