Information Technology Risk Management - PowerPoint PPT Presentation

Slides: 19
Provided by: PaulRas9
Transcript and Presenter's Notes

1
Information Technology Risk Management
  • Training for JIRDC Risk Management Committee
    September 12, 2007

2
Risk
  • "Take calculated risks. That is quite different
    from being rash." (General George S. Patton)
  • "Only those who risk going too far can possibly
    find out how far they can go." (T.S. Eliot)
  • "Of course you have to go out on a limb
    sometimes; that's where the fruit is." (Unknown)

3
What is Risk?
  • Risk is the net mission impact considering both
    the likelihood that a particular threat-source
    will exercise (accidentally trigger or
    intentionally exploit) a particular information
    system vulnerability, and the resulting impact on
    the organization if this should occur.
    NIST (National Institute of Standards and
    Technology)

4
What is Risk Management?
  • The total process of identifying, controlling,
    and minimizing information system related risks
    to a level commensurate with the value of the
    assets protected
  • The goal of a risk management program is to
    protect the organization and its ability to
    perform its mission from IT-related risk

5
Golden and Silver Rules of RM
  • All risk is owned!
  • Risk that is not assigned is owned by the JIRDC's
    Director

6
Why are we doing this?
  • Why do we do risk management?
  • Why does a car have brakes?

  • A car has brakes so it can go fast
  • We do risk management so we can take risks
  • An organization that can take advantage of
    opportunities (and their inherent risks) will
    outlast one that cannot

7
What Assets are we Protecting?
  • Servers
  • Desktop Computers
  • Laptops and PDAs
  • Switches and Routers
  • Application software
  • Development Tools
  • Source Code
  • VPN Access
  • Backup Tapes
  • Email
  • Data Integrity
  • All Files on the Server
  • Consumer Information
  • Network Infrastructure
  • DHCP
  • Web Site Availability
  • Reputation
  • Employee Morale

8
Protecting From What Threats?
  • Human Threats: Carelessness, Shoulder Surfing,
    User Abuse, Sabotage, Arson, Data Entry Errors,
    Intentional and Unintentional Procedure
    Violations
  • Technical Threats: Takeover of an authorized
    session, Intrusion, Keystroke Eavesdropping,
    System Failure, Saturation of Resources
  • Environmental Threats: Fire, Earthquake,
    Hurricane, Tornado, Cable Cuts, Power
    Fluctuation, Hazardous Material Accident,
    Overheating

9
Threats to What Vulnerabilities?
  • Unlocked doors
  • Unlocked windows
  • Misconfigured systems
  • Missing patches
  • Antivirus out-of-date
  • Poorly written apps
  • Vendor backdoors
  • Spyware
  • Software Configuration
  • Systems not monitored
  • Unnecessary protocols
  • Poorly defined procedures
  • Stolen credentials
  • Poor password protection
  • Poor Disaster Recovery
  • Violations not reported

10
Vulnerabilities Protected by What Security Controls?

  Controls   | Physical                             | Technical                           | Administrative
  -----------|--------------------------------------|-------------------------------------|--------------------------------------
  Preventive | Key-card access to enter area        | System and Network Monitoring       | Security Awareness Training for staff
  Detective  | Seals on archive file cabinets       | Admin message on 3 incorrect logins | Audit of employee exit procedures
  Deterrent  | Closed-circuit camera monitor        | Account lockout after 3 attempts    | Data owner approval of rights
  Corrective | Physical Isolation of servers        | Firewall changes from past events   | Arranging for day time cleaning
  Recovery   | Electronic records recreate physical | NetWare's file Salvage option       | Contact police after security breach

11
NIST Says: It's a Management Function
  • The goal of Risk Management is to protect the
    organization and its ability to perform its
    mission
  • The focus is the mission not IT assets
  • Risk Management, therefore, is an essential
    management function of the organization

12
NIST Says: Risk Management has Three Parts
  • Risk Assessment - Determining where risks lie,
    and how big they are
  • Risk Mitigation - Prioritizing, evaluating, and
    implementing appropriate risk-reducing controls
  • Evaluation and Assessment - Since Risk Management
    is continuous and evolving, the past year's Risk
    Management efforts should be assessed and
    evaluated prior to beginning the cycle again

13
NIST Says: Good Risk Management Depends Upon
  1. Senior management's commitment
  2. Support of the IT Team
  3. Competence of the Risk Management Committee
  4. The cooperation of the users
  5. Ongoing assessment of IT-related mission risks

14
Risk Mitigation
  • Risk Mitigation is the process of identifying
    areas of risk that are unacceptable and
    estimating countermeasures, costs and resources
    to be implemented as a measure to reduce the
    level of risk
  • Determining appropriate risk-reducing controls
    is a job for the Risk Management Committee

15
Cost-Benefit Analysis
  • If control reduces risk more than needed, see if
    a less expensive alternative exists
  • If control would cost more than the risk
    reduction provided, then find something else
  • If control does not reduce risk sufficiently,
    look for more controls or a different control
  • If control provides enough risk reduction and is
    cost-effective, then use it

16
What is Acceptable Risk?
  • Setting JIRDC's risk appetite is up to JIRDC's
    Director and Senior Management
  • Because elimination of all risk is impossible, we
    must use the least-cost approach and implement
    the most appropriate controls to decrease mission
    risk to an acceptable level, with minimal adverse
    impact on the organization's resources and mission

17
Risk Mitigation Options
  • Assume the Risk - Accept the risk and continue
    operating (how big is your appetite?)
  • Avoid the Risk - Stop running the program or
    sharing the data
  • Transfer the Risk - Use options to compensate for
    the loss, such as insurance
  • Lessen the Risk - Implement controls that lessen
    the impact or lower the likelihood

18
Residual Risk
  • The risk remaining after the implementation of
    new or enhanced controls is the residual risk
  • If the residual risk has not been reduced to an
    acceptable level, the risk management cycle must
    be repeated to identify a way of lowering the
    residual risk to an acceptable level
  • Understand that no IT system can be risk-free
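As an added example, not part of the original slides, here is a small Python risk register that ties the deck's pieces together: the NIST risk definition from slide 3 (likelihood combined with impact), the four cost-benefit rules from slide 15, and the residual-risk check against the risk appetite set by management (slides 16 and 18). The asset, threat, scores, dollar figures and the "half the appetite" threshold are constructed assumptions.

```python
# Added example, not from the original slides: a minimal risk register that
# applies the deck's decision logic. Names, scores and costs are constructed.
from dataclasses import dataclass

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: float  # 0.0-1.0: chance the threat exercises the vulnerability
    impact: float      # loss if it does, in dollars per year (assumed unit)

    def exposure(self) -> float:
        # Slide 3 (NIST): risk combines likelihood with the resulting impact.
        return self.likelihood * self.impact

@dataclass
class Control:
    name: str
    annual_cost: float
    likelihood_reduction: float = 0.0  # fraction by which likelihood drops
    impact_reduction: float = 0.0      # fraction by which impact drops

def residual_risk(risk: Risk, control: Control) -> float:
    """Slide 18: the risk remaining after the control is implemented."""
    likelihood = risk.likelihood * (1.0 - control.likelihood_reduction)
    impact = risk.impact * (1.0 - control.impact_reduction)
    return likelihood * impact

def evaluate_control(risk: Risk, control: Control, appetite: float) -> str:
    """Slide 15's four cost-benefit rules, checked in order.

    appetite: acceptable residual risk (dollars/year) set by management
    (slide 16). The slide gives no number for "reduces more than needed";
    treating anything under half the appetite that way is an assumption.
    """
    before = risk.exposure()
    after = residual_risk(risk, control)
    reduction = before - after
    if control.annual_cost > reduction:
        return "reject"           # costs more than the risk reduction it buys
    if after > appetite:
        return "insufficient"     # add controls or pick a different one
    if after < appetite / 2:
        return "over_controlled"  # look for a less expensive alternative
    return "accept"               # enough reduction and cost-effective

# Constructed sample: unpatched file server, patching-and-monitoring control.
SERVER_RISK = Risk("file server", "intrusion via missing patches", 0.4, 50_000)
PATCHING = Control("monthly patching + monitoring", 3_000, likelihood_reduction=0.75)
DECISION = evaluate_control(SERVER_RISK, PATCHING, appetite=8_000)  # "accept"
```

Changing the control's cost or reduction fraction walks the same risk through each of the four outcomes, which is the loop slide 18 describes when residual risk is still above the acceptable level.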