INFORMATION SECURITY RISK ASSESSMENT
Turning Project into Process: Segmentation, Prioritization and Iteration

Cornell University: Steve Schuster ([email protected]), Interim Executive Director for Cornell Information Technologies
Illumant, LLC: Matija Siljak ([email protected]), Director, Advisory Services

PPT file · 2016-11-15



WHY RISK ASSESSMENT?
To answer these questions:
• What constitutes sensitive information?
• Where is it?
• How much of it is there?
• How effectively is it protected?
• What are the vulnerabilities that could lead to compromise?
• What is the likelihood of compromise?
• What is the potential impact?
• What is the most effective use of protection resources?

PROBLEMS WITH RISK ASSESSMENT
Traditional risk assessment:
• One-offs: project not process = limited ongoing benefit
• Breach response: reactive not proactive = skewed expectations
• Big endeavor: expensive and effort-intensive = risky project
• Questionable value: predictable results and imbalanced cost-benefit = dissatisfaction

SOLUTIONS
Modified risk assessment:
• One-offs: segment into small, independent components and iterate
• Breach response: minimize time to partial results
• Big endeavor: segment into small, independent components and iterate; start at a high level, drill down later based on interim results
• Questionable value: minimize cost and effort and time to results, balance cost and benefit

WHAT IS DIFFERENT?
The formula remains the same:
RISK = THREAT x VULNERABILITY x IMPACT

Change is to administration and expectations:
• Divide up the data gathering into segments
• Use interim results to prioritize further tasks and where to drill down
• Tolerate incompleteness, omission – circle back

Analogy: mainframe vs. Linux cluster

RISK ASSESSMENT METHODOLOGY OVERVIEW
Step: Explanation
• Data Classification: Which data is considered sensitive?
• Data and Asset Inventory: Where is the sensitive data located and which systems are used to manage it?
• Exposure Analysis: Which units/departments and systems handle the most sensitive and highest quantities of data?
• Threat Analysis: What are the various scenarios in which data may be compromised?
• Vulnerability Assessment: Analysis of vulnerabilities that could facilitate threats and expose assets?
• Controls Analysis: How is the data currently protected from threats? How are vulnerabilities mitigated?
• Cost-benefit Analysis: How should improvements be prioritized?

RISK ASSESSMENT PROCESS SUMMARY
[Diagram labels: Data Classification; Data Types; Assets (Apps, DBs, etc.); Departments and Units; connected by "MAP TO"; = Exposure Analysis]

DATA CLASSIFICATION
Start with the data classification policy. Consider other potentially sensitive data, for example:
• Student Info: SSN / Financial Info, Credit Card Info, Driver’s License, Protected Health Info, Academic Records
• Employee / Faculty (HR) Info: SSN, Payroll Info, Driver’s License, Bank Account Info, Protected Health Info
• Alumni and Donor Info: SSN, Credit Card Info, Driver’s License, Bank Account Info
• Financial Data: University Finances
• Point-of-Sale: Customer Credit Card Data
• Physical Plant: Buildings, Facilities, Utilities, Grounds
• Cyber Infrastructure: Access Info, Logs, LDAP
• Other PII: Human Subject Research, Key Performance Indicators
• Protected Health Info (PHI): Info in Non-medical Systems
• Intellectual Property: Courseware, Research, Papers, Books, Code
• Library: Citation DB, Digital Full Text, Circulation

DATA AND ASSET INVENTORY
Map the assets to data types and locations and attempt to roughly quantify the data.

EXPOSURE ANALYSIS
After completing the inventory exercise, identify the key assets and departments on which to focus.

RISK ASSESSMENT PROCESS SUMMARY
[Diagram labels: Threats; Vulnerabilities; Controls; Regulations; Assets (Apps, DBs, etc.); Departments and Units; connected by "MAP TO"; = Controls Assessment]

THREAT ANALYSIS
Select an appropriate threat model:
• Malicious activity
• Malfunction
• Human error
• Environmental

CONTROLS ANALYSIS
Using best practice frameworks, standards, and regulations, we evaluate departmental and university controls:
• EDUCAUSE Risk Management Framework

Look for:
• Existence
• Effectiveness
• Compliance

New York Information Security Breach and Notification Act 2005

CONTROLS ANALYSIS
Start at a high level and drill down. For example, we examine:
• Access Control
• Encryption
• Backup / Restore
• Physical / Environmental Control
• Monitoring
• Documentation
• Anti-Virus
• Assessment Practices

CONTROL MATURITY MODEL
• Stage 0: Nonexistent. Lack of any recognizable control process.
• Stage 1: Initial/Ad Hoc. Some control exists but it is not formalized or documented.
• Stage 2: Repeatable but Intuitive. Controls exist, but they are not a formal part of a program.
• Stage 3: Defined Process. Controls and related policies and procedures are in place and adequately documented.
• Stage 4: Managed and Measurable. Controls and related policies and procedures are in place, adequately documented, and measured for effectiveness.
• Stage 5: Optimized. Technology is leveraged to its fullest extent to document and implement processes, control objectives and activities.

RISK ASSESSMENT PROCESS SUMMARY
[Diagram labels: Exposure Analysis + Controls Assessment; Risk Assessment; Security Roadmap]

COST-BENEFIT ANALYSIS
• Review exposures, vulnerabilities and potential impact
• Create list of remediation options
• Estimate costs and compare with benefits
• Outline security roadmap
  • Identify long-range plans
  • Highlight action items
    • Quick wins
    • High priority exposures
• Determine on-going risk assessment schedule to revisit units and departments
  • Visit new units and departments
  • Drill down on areas that need further investigation and more detail
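
A minimal sketch of the iteration described in this deck, as an added example that is not part of the original presentation: each unit is scored with RISK = THREAT x VULNERABILITY x IMPACT, vulnerability is derived from the control maturity stage, and segments that have not been fully assessed yet get worst-case values so they surface for drill-down. The sensitivity weights, the stage-to-vulnerability mapping, the digit-count quantification and the sample inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed sensitivity weights (1-5) per data type; a real run would take
# these from the institution's data classification policy.
SENSITIVITY = {"SSN": 5, "PHI": 5, "Credit Card": 4,
               "Academic Records": 3, "Library Circulation": 2}

@dataclass
class Segment:
    unit: str
    records: dict                    # data type -> rough record count
    threat: Optional[float] = None   # likelihood 0..1; None = not assessed yet
    maturity: Optional[int] = None   # control maturity stage 0..5; None = not assessed

def impact(seg: Segment) -> int:
    # Rough quantification: sensitivity times order of magnitude (digit count).
    return sum(SENSITIVITY[t] * len(str(n)) for t, n in seg.records.items())

def vulnerability(stage: Optional[int]) -> float:
    # Assumed mapping: stage 0 -> 1.0, stage 5 -> 1/6. Unknown = worst case.
    return 1.0 if stage is None else (6 - stage) / 6

def risk(seg: Segment) -> float:
    threat = 1.0 if seg.threat is None else seg.threat  # unknown = worst case
    return round(threat * vulnerability(seg.maturity) * impact(seg), 2)

def prioritize(segments):
    """Return (unit, risk, complete) tuples, highest risk first."""
    rows = [(s.unit, risk(s), s.threat is not None and s.maturity is not None)
            for s in segments]
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample inventory (not real data).
inventory = [
    Segment("Registrar", {"SSN": 50000, "Academic Records": 200000}, 0.6, 3),
    Segment("Health Services", {"PHI": 30000}, 0.5, 2),
    Segment("Library", {"Library Circulation": 100000}, 0.3, 1),
    Segment("Bookstore POS", {"Credit Card": 8000}),  # inventoried, rest pending
]

if __name__ == "__main__":
    for unit, score, complete in prioritize(inventory):
        note = "" if complete else "(incomplete: drill down next)"
        print(f"{unit:16} {score:6.2f} {note}")
```

Re-running `prioritize` after each segment is filled in gives the interim ranking used to choose where to drill down next.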