IT Governance and Risk Management: Transforming UPPCL into a digitally secure organization meeting world standards
© 2016 NTPC Ltd.
Bodh Raj, CISSP, CCSP, CISA, PMP
Additional General Manager, NTPC IT Department, Corporate Center
IT Security Governance and Risk Management: Transforming NTPC into a digitally secure organization meeting world standards
Agenda
Introduction: IT Governance
Fundamental Principles of IT Security
IT Security: Definitions & Control Types
IT Security Governance: Enterprise Security
IT Security Governance: Enterprise Security Frameworks
Introduction to IT Risk Management
Risk Assessment & Analysis Techniques
Policies, Standards, Baselines, Guidelines & Procedures
Information Classification in an Enterprise
Security: Layers of Responsibility
Introduction to Malicious Software
Anti Virus Software
Increasingly, Business Depends on IT for Competitive Advantage
[Figure: business value of IT rising with IT maturity, from Support Function, to Service Provider, to Engine for Competitive Advantage; axes: Business Value vs. Maturity]
The CIO Imperative
[Figure: IT Services between Execs and Customers; Strategy and Alignment on the executive side, Access and Quality & Cost on the customer side]
Is IT doing the right things?
Is IT doing things right?
The Problem: IT Complexity
[Figure: the IT services stack between Execs and Customers: Services, Applications, Collaboration; Business Intelligence/Analytical Applications; Application Integration; Application Development Tools; Database; OS; Hardware Platform]
Managing IT in Silos Compounds the Problem
[Figure: the same stack, now cut into separate silos: Networks, Systems, Help Desk, Applications, Databases, Security, each with its own view of Execs and Customers]
An Integrated Approach Unifies and Simplifies IT Management
[Figure: IT Services between Execs, Users and Customers, with three disciplines layered on: Strategy/Alignment, Access, Quality & Cost]
GOVERNANCE to make better decisions about IT investments and risk
MANAGEMENT to ensure the right services are delivered at the right cost and quality
SECURITY to provide secure access to enable the business
Enterprise IT Management
Enterprise IT Management (EITM) brings these three disciplines together: governance, management and security.
Enterprise IT Management: Changing the Economics of IT
Overcome IT management complexity by integrating the disciplines of IT Governance, Management and Security:
– Make better decisions about IT investment and risk
– Ensure the right services are delivered at the right cost and quality
– Provide secure access to enable the business
By providing a common view of a service: the Unified Service Model
EITM: Transforming IT Management
ERP – Champion: CFO; Components: Inventory, Payroll, GL, Accounts Payable, Accounts Receivables; Pivotal insight: Common Financial View
CRM – Champion: EVP, Sales; Components: Marketing, Sales Force Automation, Customer Service; Pivotal insight: Common View of a Customer
EITM – Champion: CIO; Components: Governance, Management (Infrastructure and Service) and Security of IT; Pivotal insight: Common View of a Service
Enterprise IT Management Vision
[Figure: EITM as Govern, Manage and Secure, built on a Unified Service Model]
Enterprise IT Management Focus Segments
– Application Performance Management
– Service Management
– IT Security Management
– Data Center Automation
– IT Governance
– Infrastructure Management
Reality……
Business exists to make money.
No business ever existed specifically to deploy and maintain firewalls, IDS, IPS and SIEM devices.
Organizations have many other things to do than practice security.
No business really wanted to develop hundreds of security policies, deploy anti-malware products and comply with security regulations such as the IT Act, SOX, HIPAA and PCI-DSS.
Business owners make products, sell products and happily go home every day.
But the fact is ……….
Today’s business risk comes in many forms
Changing environment
– Increased global and regional interdependencies
– Supply chain disruption
– Expanding risk exposures
Greater impact of business disruption
– Greater financial implications of downtime
– Brand vulnerabilities
– Data integrity requirements
More complex regulations
– Changing industry and regulatory standards
– Geographic dispersal requirements
– Varying regulations per country
Today’s business risk comes in many forms
Attackers stealing the business’s customer data
– Carry out identity theft and banking fraud
– Steal company secrets (corporate espionage)
– Systems being hijacked into botnets
– Company funds being secretly siphoned off
– Company systems being used as zombies for terrorist activities
– Company systems rendered offline by competitors using DDoS attacks
The entire scenario of doing business has changed in recent times. There is an ongoing war between the IT security team and the bad guys, each trying to outwit the other with the latest tools and techniques.
CSOs, CIOs and CISOs are having a tough time equipping organizations with the best safeguards in place
What should I do?
Where do I start?
What are the best practices?
How do I continuously monitor these efforts?
How do I evaluate the effectiveness of the safeguards?
How do I put the case to management for allocation of funds for safeguards?
How do I justify my new requirement?
……
There are many questions that may arise in the minds of C-level executives in the organization …
Have a strong IT security implementation across the enterprise ……
Let’s look at the fundamentals of … IT Security
Information Security TRIAD
The purpose of information security (IT security) is to protect an organization's valuable resources, such as information, hardware and software.
Fundamental Principles of IT Security
Availability
– The protection ensures reliability and timely access to data and resources
– Common threats to availability: power supply failure, virus attacks, floods etc.
Integrity
– Assurance of the accuracy and reliability of information; prevention of any unauthorized modification of data
– Common threats to integrity: virus, logic bomb, backdoor etc.
Confidentiality
– Enforcement of the necessary level of secrecy at each junction of data processing
– Common threats to confidentiality: network monitoring, social engineering, stealing passwords, shoulder surfing
Control Types ….
Controls are put into place to reduce the risk an organization faces
Three types:
– Administrative controls (soft controls)
– Technical controls
– Physical controls
Defense in Depth: multiple security controls in a layered approach
Functionalities they offer:
- Deterrent
- Preventive
- Corrective
- Recovery
- Detective
- Compensating
Security through Obscurity: assuming that your enemies are not as smart as you are and that they cannot figure out something that you feel is very tricky
Examples of Controls
Functionality columns: Preventive (Avoid) | Detective (Identify) | Corrective (Correct) | Deterrent (Discourage) | Recovery (Restore)
Physical: Fences, Locks, ID Cards
Administrative: Security Policy, Monitoring & Supervising, Job Rotation
Technical: Encryption, Server Images, Data Backup
[Table: in the original slide each example is marked (X) against one of the functionality columns]
Let’s look at some definitions…..
Vulnerability: a lack of a countermeasure, or a weakness in a countermeasure that is in place. It may be a hardware, software, procedural or human weakness.
Threat: any potential danger associated with the exploitation of a vulnerability. The threat is that someone or something will identify a specific vulnerability and use it against a company or individual.
Risk: the likelihood of a threat agent exploiting a vulnerability and the corresponding business impact. Risk ties the vulnerability, the threat and the likelihood of exploitation to the resulting business impact.
Exposure: an instance of being exposed to losses. A vulnerability exposes an organization to possible damage.
Control: a countermeasure put into place to mitigate (reduce) the potential risk. A countermeasure may be a software configuration, a hardware device, or a procedure that eliminates the vulnerability or reduces the likelihood that a threat agent will be able to exploit it.
Security Program – Let’s understand the concept ….
Why a security program?
– Avoid an ad hoc approach
– Avoid stovepipe (siloed) solutions
– Avoid a constant “putting out fires” approach
– Avoid security surprises in the organization
We do not want our organization to be built on smoke and mirrors, and we also understand that we cannot trick our enemies.
A security program is a framework made up of many
- Entities: logical, administrative and physical protection mechanisms
- Procedures
- Business processes
- People
They all work together to provide a level of protection to an environment. Each has an important role, and if one is missing or incomplete the whole framework may be affected.
Let’s see some standard security frameworks ………
Building a Fortress aka Security Program -
ISO/IEC 27000 series. Originally derived from BS7799.
Follows the Plan – Do – Check – Act (PDCA) cycle
ISO/IEC 27000 – Overview and vocabulary
27001 – ISMS requirements
27002 – Code of practice for information security management
27003 – Guidelines for ISMS implementation
27004 – Guidelines for information security management measurement
27005 – Guidelines for information security risk management
27006 – Guidelines for bodies providing audit and certification of ISMS
27031-1 – Guidelines for network security
The list continues ……….
Enterprise Architecture Frameworks -
Zachman framework
– Has six basic communication interrogatives (What, How, Where, Who, When and Why)
– Intersecting with different viewpoints (Planner, Owner, Designer, Builder, Implementer & Worker)
This framework aims at looking at the same organization from different views.
It is not a security-oriented framework.
Enterprise Architecture Frameworks
The Open Group Architecture Framework (TOGAF)
Can be used to develop and create individual architectures in an organization:
- Business Architecture
- Data Architecture
- Application Architecture
- Technology Architecture
Uses the ADM (Architecture Development Method), an iterative process of reviewing and updating architectures as needed
Enterprise Architecture Frameworks
Department of Defense Architecture Framework (DoDAF)
– Spans different complex government agencies
– These agencies need interoperability and proper hierarchical communication
– The focus of the framework is on command, control, communications, computers, intelligence, surveillance, and reconnaissance systems and processes
– The framework helps to ensure that all systems, processes, and personnel work in a concerted effort to accomplish missions
Ministry of Defence Architecture Framework (MODAF)
– Based primarily on DoDAF
– Crux is to be able to get data in the right format to the right people as soon as possible
– Aligned to quick war decisions so that activities happen fast
Enterprise Architecture Frameworks -
• To figure out which architecture framework is best for an organization:
– Find out who the stakeholders are
– Find out what information they need
– The main difference between the various enterprise architecture frameworks is what type of information they provide and how they provide it
Let’s now move ahead with Enterprise Security Architecture Frameworks ………
Enterprise Security Architecture Frameworks -
What are they?
They are a subset of Enterprise Architecture.
They define the information technology strategy, consisting of layers of solutions, processes and procedures and the way they are linked across an enterprise:
– Strategically
– Tactically
– Operationally
Why are they required?
They ensure that security efforts align with business practices in a standardized and cost-effective manner
They provide a frame of reference
They allow an organization to better achieve interoperability, integration, ease of use, standardization and governance
Let’s see some Enterprise Security Architecture model frameworks ………
Enterprise Security Architecture Frameworks -
Sherwood Applied Business Security Architecture (SABSA)
Similar to the Zachman framework
A layered model
Provides a chain of traceability
Outlines the following questions to be answered at each layer:
What are you trying to do at this layer? – The assets to be protected by the security architecture
Why are you doing it? – The motivation for wanting to apply security, expressed at this layer
How are you trying to do it? – The functions needed to achieve security at this layer
Who is involved? – The people and organizational aspects of security at this layer
Where are you doing it? – The locations where the security shall be applied
When are you doing it? – The time-related aspects of security relevant to this layer
Security Control Development -
Now we have
– The ISO/IEC 27000 series outlining the components of an organizational security program
– A security enterprise architecture which helps to integrate the requirements outlined in our security program into our existing business structure
Now it’s time to focus on the objectives of the controls we are going to put into place to accomplish the goals outlined in our security program and enterprise architecture
Some control frameworks
– CobiT
– NIST 800-53
– COSO
Let’s see them one by one ………….
Security Control Frameworks -
CobiT – Control Objectives for Information and related Technology
– Developed by the Information Systems Audit and Control Association (ISACA) & the IT Governance Institute (ITGI)
– Defines goals for the controls to properly manage IT and to ensure that IT maps to business needs
– Has four domains, each drilling down into subcategories:
• Plan & Organize
• Acquire & Implement (e.g. Acquire and Maintain Application Software; Acquire and Maintain Technology Infrastructure; Develop and Maintain Procedures; Install and Accredit Systems; Manage Changes)
• Deliver & Support
• Monitor & Evaluate
– Framework mostly used in commercial organizations
– The CobiT domains provide goals and guidance that companies can follow when they purchase, install, test, certify and accredit IT systems
– Provides a checklist approach to IT governance: a list of things that must be thought through and accomplished when carrying out different IT functions
– Provides executive summaries, management guidelines, frameworks, control objectives, an implementation toolset, performance indicators, success factors and maturity models
Security Control Frameworks -
COSO – Committee of Sponsoring Organizations
– Developed by the Committee of Sponsoring Organizations of the Treadway Commission in 1985
– Deals with fraudulent financial activities and reporting
– COSO is a model for corporate governance
– SOX is based on the COSO model
– COSO deals with non-IT items also
– COSO is made up of the following components:
• Control environment – management philosophy and operating style; company culture as it pertains to ethics and fraud
• Risk assessment – establishment of risk objectives; ability to manage internal and external change
• Control activities – policies, procedures, and practices put in place to mitigate risk
• Information and communication – structure that ensures that the right people get the right information at the right time
• Monitoring – detecting and responding to control deficiencies
Companies commonly implement ISO/IEC 27000 standards and CobiT to help construct and maintain their internal COSO structure
Process Management Development -
After ensuring that we have proper controls in place, we also want ways to construct and improve our business, IT and security processes in a structured and controlled manner
ITIL
– Standard of best practices for IT service management
– Focus is more toward internal service level agreements between the IT department and the ‘customers’ it serves
Six Sigma
– Developed by Motorola
– Process improvement methodology
– Uses statistical methods for measuring operational efficiency and reducing variation, defects and waste
– Used in the security assurance industry in some instances to measure the success factors of different controls and procedures
Process Management Development -
Capability Maturity Model Integration (CMMI)
– Aims to develop structured steps that can be followed so an organization can evolve from one level to the next and constantly improve its processes and security posture
Blueprints
– Important tools to identify, develop and design security requirements for specific business needs
– Present a granular layout of a process
– Lay out the security solutions, processes and components the organization chooses to use to match its security and business needs
Putting what we have learnt till now all together ……
[Figure: a two-story house as the analogy]
ISO/IEC 27000 – Description of the house
Security Enterprise Architecture (SABSA) – Layout of the house
Blueprint – Detailed descriptions
Control Objectives (CobiT) – Specifications and codes
Process Management and Improvement (ITIL, Six Sigma, CMMI) – Daily process improvement
IT Risk Management …..
Vulnerability: a lack of a countermeasure, or a weakness in a countermeasure that is in place. It may be a hardware, software, procedural or human weakness.
Threat: any potential danger associated with the exploitation of a vulnerability. The threat is that someone or something will identify a specific vulnerability and use it against a company or individual.
Risk: the likelihood of a threat agent exploiting a vulnerability and the corresponding business impact. Risk ties the vulnerability, the threat and the likelihood of exploitation to the resulting business impact.
Exposure: an instance of being exposed to losses. A vulnerability exposes an organization to possible damage.
Control: a countermeasure put into place to mitigate (reduce) the potential risk. A countermeasure may be a software configuration, a hardware device, or a procedure that eliminates the vulnerability or reduces the likelihood that a threat agent will be able to exploit it.
Risk Management … Life is full of risk
Why is risk management required in an organization?
Identification – identify critical assets
Discovery – discover the threats that put assets at risk
Estimation – estimate the possible damage that can happen
Protection – protect the assets from potential damage
Acceptance – decide on risk acceptance
Types of Risks
Physical damage – fire, water, vandalism, power loss and natural disasters
Human interaction – accidental or intentional action or inaction that can disrupt productivity
Equipment malfunction – failure of systems and peripheral devices
Inside and outside attacks – hacking, cracking and attacking
Misuse of data – sharing trade secrets, fraud, espionage
Application error – computation errors, input errors and buffer overflows
Risk Management Methodologies
NIST SP 800-30: US Federal Government standard
• Also known as “Risk Management Guide for Information Technology Systems”
• Covers specific IT threats and how they relate to information security threats
• Lays down the following steps:
• System characterization
• Threat identification
• Vulnerability identification
• Control analysis
• Likelihood determination
• Impact analysis
• Risk determination
• Control recommendation
• Results documentation
Note: Does not cover larger organizational threat types, such as natural disasters, succession planning, environmental issues or how security risks relate to business risks
Risk Management Methodologies
FRAP – Facilitated Risk Analysis Process
• Qualitative methodology
• Focuses on the systems that really need assessing, to reduce cost and time
• Uses a one-system, one-application-at-a-time approach
• Systems are prioritized on the basis of criticality
• The risk management team documents the controls required
• Action plans are put in place to implement the controls
• Remember
• Here the criticality of the risks is determined based on the experience of the team
• The goal is to keep the scope of the assessment small and simple to allow for efficiency and cost effectiveness.
Risk Management Methodologies
OCTAVE – Operationally Critical Threat, Asset, and Vulnerability Evaluation
• People in power positions manage and direct the risk evaluation
• Self-directed team approach
• Aided by a facilitator who understands the risks better
• Has a wide scope and assesses all systems, applications and business processes
AS/NZS 4360
• Focuses on the health of a company
• Used to understand a company’s financial, capital, human safety and business decision risks
• No focus on security
Risk Management Methodologies
FMEA – Failure Mode and Effect Analysis
• Approach that dissects a component into its basic functions to identify flaws and the effects of those flaws
• Method used to determine functional failures and assess their causes
• Example – used to determine single points of failure in a network
• Predicts failures that may happen in future and locates the areas that may impact the business
• Take corrective measures before they become actual liabilities
Fault Tree Analysis
• Approach to map specific flaws to root causes in complex systems
• Used for discovering complex failure modes in more complex environments and systems
• Examples –
• False alarms
• Sequencing or order
• Incorrect timing inputs
Risk Analysis Approaches
Quantitative Analysis
• Assigns monetary and numeric value to all elements of the risk analysis process
SLE (Single Loss Expectancy) – the potential loss associated with a single event a threat can cause
EF (Exposure Factor) – the percentage of loss a realized threat could have on a certain asset
ARO (Annual Rate of Occurrence) – the estimated frequency of a specific threat taking place within a 12-month time frame
Example: a data center has an asset value of 250 Cr.
If there is a fire, it is estimated that 25% of the data center would be damaged (EF = 25%)
The probability of a fire event taking place is 1 in 10 years, i.e. ARO = 0.1 (from past learning)
Calculating SLE
Asset Value x Exposure Factor (EF) = SLE. Therefore in our example the SLE will be 62.5 Cr.
SLE x Annual Rate of Occurrence = ALE (Annual Loss Expectancy); the ALE will be 6.25 Cr
Conclusion: It would be wise to deploy controls/safeguards to curtail this threat for a value less than or equal to 6.25 Cr
Risk Analysis Approaches
Qualitative Analysis
• Involves walking through different scenarios and ranking the seriousness of threats
• Includes judgment, best practices, intuition and experience
• Qualitative techniques:
• Delphi
• Brainstorming
• Storyboarding
• Focus groups
• Surveys
• Questionnaires
• Checklists
• One-to-one meetings
• Interviews
The exposure possibility and loss probability can be ranked as High, Medium or Low on a scale of 1 to 5 or 1 to 10.
Threat = Hacker Accessing Confidential Information
Rater | Severity of Threat | Probability of threat taking place | Potential loss to the company | Effectiveness of Firewall | Effectiveness of Intrusion Detection System | Effectiveness of Honey pot
IT Manager | 4 | 2 | 4 | 4 | 3 | 2
Database Administrator | 4 | 4 | 4 | 3 | 4 | 1
Application Programmer | 2 | 3 | 3 | 4 | 2 | 1
System Operator | 3 | 4 | 4 | 4 | 4 | 2
Operational Manager | 5 | 4 | 4 | 4 | 4 | 2
Results | 3.6 | 3.4 | 3.6 | 3.8 | 3 | 1.4
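The ranking table above is built by averaging each participant's 1-to-5 scores per column and then reading the averages as High/Medium/Low. The following is an added example, not code from the deck, that does that aggregation and adds the check a Delphi-style exercise needs: it flags columns where the raters disagree widely, since the mean of a split vote is not a settled ranking. The rater names, the `SAMPLE_SCORES` values and the band thresholds are constructed assumptions, not the slide's figures.

```python
"""Qualitative risk analysis: aggregating participants' rankings.

Added example, not code from the NTPC deck. Each participant scores a threat
on a 1-5 scale for the items in the slide's table (severity, probability,
potential loss, and the effectiveness of each candidate control); the mean
per item gives a "Results" row, each mean is banded High/Medium/Low, and the
spread across raters flags items that need another Delphi round before the
ranking is trusted. All scores below are constructed for illustration.
"""
from __future__ import annotations

from statistics import mean, pstdev

ITEMS = ("severity", "probability", "potential_loss",
         "firewall", "ids", "honeypot")
SCALE_MAX = 5  # the slide allows 1-5 or 1-10; 1-5 assumed here

# Constructed ratings for "Threat = hacker accessing confidential information"
SAMPLE_SCORES: dict[str, dict[str, int]] = {
    "IT Manager":      {"severity": 4, "probability": 2, "potential_loss": 4,
                        "firewall": 4, "ids": 3, "honeypot": 2},
    "DBA":             {"severity": 4, "probability": 4, "potential_loss": 4,
                        "firewall": 3, "ids": 4, "honeypot": 1},
    "System Operator": {"severity": 3, "probability": 3, "potential_loss": 4,
                        "firewall": 5, "ids": 2, "honeypot": 4},
}


def validate(scores: dict[str, dict[str, int]]) -> None:
    """Reject sheets with missing items or scores outside the 1..SCALE_MAX scale."""
    for rater, sheet in scores.items():
        missing = set(ITEMS) - sheet.keys()
        if missing:
            raise ValueError(f"{rater}: missing items {sorted(missing)}")
        for item in ITEMS:
            if not 1 <= sheet[item] <= SCALE_MAX:
                raise ValueError(
                    f"{rater}: {item}={sheet[item]} is off the 1-{SCALE_MAX} scale")


def aggregate(scores: dict[str, dict[str, int]]) -> dict[str, float]:
    """Mean score per item across raters, rounded to one decimal like the Results row."""
    validate(scores)
    return {item: round(float(mean(sheet[item] for sheet in scores.values())), 1)
            for item in ITEMS}


def band(score: float) -> str:
    """Map an averaged 1..SCALE_MAX score to the High/Medium/Low ranking (assumed cut-offs)."""
    if score >= 0.7 * SCALE_MAX:
        return "High"
    if score >= 0.4 * SCALE_MAX:
        return "Medium"
    return "Low"


def disagreements(scores: dict[str, dict[str, int]], threshold: float = 1.0) -> list[str]:
    """Items whose population standard deviation across raters exceeds the threshold.

    A Delphi exercise sends these back to the group for another anonymous round
    instead of treating the mean as settled."""
    validate(scores)
    return [item for item in ITEMS
            if pstdev(sheet[item] for sheet in scores.values()) > threshold]


if __name__ == "__main__":
    results = aggregate(SAMPLE_SCORES)
    for item, score in results.items():
        print(f"{item:15s} {score:4.1f}  {band(score)}")
    print("needs another round:", disagreements(SAMPLE_SCORES))
```

With the constructed scores the honeypot column averages 2.3 (Medium) but its raters are split 1/2/4, so `disagreements` returns it for re-discussion rather than letting a low mean hide the fact that one participant rates it highly.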
IT Security Governance and Risk Management: Transforming NTPC into digitally secure organization meeting world standards
Risk Analysis Approaches
Control Selection
• Should be cost effective – Benefit should outweigh costs
• Requires cost/benefit analysis
• Commonly used cost/benefit analysis:
  (ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard) = value of safeguard to the company
• Example
  • ALE of the threat of a hacker bringing down a web server is Rs. 12000
  • ALE after implementation of an Intrusion Detection System (IDS) is Rs. 2000
  • Annual maintenance of the IDS is Rs. 400
  Value of safeguard (IDS) to the company = 12000 – 2000 – 400 = Rs. 9600
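The SLE/ALE arithmetic from the data centre example and the cost/benefit rule for control selection, put together as a small calculator. This is an added example, not code from the slides or from NTPC; the "managed WAF" candidate with its figures is constructed to show a safeguard that costs more than it saves and is therefore rejected.

```python
from dataclasses import dataclass


@dataclass
class Threat:
    """Inputs of the quantitative model on the slides (all values in one currency unit)."""
    name: str
    asset_value: float      # AV
    exposure_factor: float  # EF: fraction of the asset lost per occurrence, 0..1
    aro: float              # ARO: expected occurrences per 12 months

    def sle(self) -> float:
        # Single Loss Expectancy = AV x EF
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        # Annual Loss Expectancy = SLE x ARO
        return self.sle() * self.aro


@dataclass
class Safeguard:
    name: str
    ale_after: float    # ALE that remains once the safeguard is in place
    annual_cost: float  # cost of the safeguard spread over one year


def safeguard_value(ale_before: float, safeguard: Safeguard) -> float:
    # (ALE before safeguard) - (ALE after safeguard) - (annual cost of safeguard)
    return ale_before - safeguard.ale_after - safeguard.annual_cost


def recommend(ale_before: float, candidates: list) -> tuple:
    """Pick the candidate with the highest net value; if none pays back, accept the risk.
    Returns (decision, safeguard name or None, net value of the chosen safeguard)."""
    if not candidates:
        return ("accept", None, 0.0)
    best = max(candidates, key=lambda s: safeguard_value(ale_before, s))
    value = safeguard_value(ale_before, best)
    if value <= 0:
        return ("accept", None, value)   # cost of loss is lower than the countermeasure
    return ("reduce", best.name, value)


# Slide example 1: data centre worth 250 crore, fire damages 25%, one fire per 10 years.
DATA_CENTRE_FIRE = Threat("data centre fire", asset_value=250.0, exposure_factor=0.25, aro=0.1)

# Slide example 2: ALE of a hacker bringing down the web server is Rs 12000; the IDS figures
# are from the slide, the managed WAF figures are constructed for illustration.
WEB_SERVER_ALE = 12000.0
WEB_SERVER_CANDIDATES = [
    Safeguard("IDS", ale_after=2000.0, annual_cost=400.0),
    Safeguard("managed WAF (constructed)", ale_after=1000.0, annual_cost=12000.0),
]
```

Calling `recommend(WEB_SERVER_ALE, WEB_SERVER_CANDIDATES)` returns the IDS with a net value of Rs 9600, while the constructed WAF alone would be rejected because its annual cost exceeds the loss it prevents.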
Risk Analysis Approaches
Total Risk
• The company chooses not to implement any safeguard
• Cost/benefit analysis indicates high safeguard costs
We have
Threats x Vulnerability x Asset Value = Total Risk
Residual Risk
• No company can remove all threats (100%) using any safeguards
• It is the level of risk the company is going to accept
We have
Total Risk – Countermeasures = Residual Risk
Handling Risks
Four ways to deal with organizational risks
• Transfer
  Insurance is available to companies to protect their assets
• Avoid
  Discontinuation of the vulnerable service
• Reduce
  Implementation of firewalls, IDS or IPS so that risk levels are reduced
• Accept
  The potential cost of loss is lower than the cost of the countermeasure. Management decides on the basis of cost/benefit analysis.
Policies , Standards, Baselines, Guidelines and Procedures
• Security Policy
  • General statement by Senior Management that dictates what role security plays within the organization
  • Lays out program goals, assigns responsibilities, shows the strategic and tactical value of security and outlines how enforcement should be carried out
  • Must address relevant laws, regulations and liability issues and how they are to be satisfied
  • Provides a process for dealing with those who choose not to comply with the security policy and a structured method for responding to non-compliance
• Types of policies
  • Regulatory
    • Ensures that the organization is following standards
    • Specific to an industry
    • Used mostly in Govt. industries
    • Examples: HIPAA, SOX, PCI-DSS
  • Advisory
    • Strongly advises employees as to which types of behaviors and activities should and should not take place, with possible ramifications
  • Informative
    • Informs employees about certain topics
    • Not enforceable, but rather teaches individuals about specific issues relevant to the company
Policies , Standards, Baselines, Guidelines and Procedures
• Standards
  • Refer to mandatory activities, actions or rules
  • They give the policy its support and reinforce its direction
  • Examples
    • Expected user behavior
    • Standard for use of hardware and software in the organization
    • Standards for using encryption for confidential data at rest or on the wire
    • Display of company identity cards by employees
• Baselines
  • Refer to a point in time that is used as a comparison for future changes
  • A consistent reference point
  • Define the minimum level of protection required
  • Security personnel must assess the systems as changes take place and ensure that the baseline level of security is always being met
• Guidelines
  • Recommended actions and operational guides for users, IT staff, operations staff and others when specific standards do not apply
  • General purpose approaches that provide the necessary flexibility for unforeseen circumstances
• Procedures
  • Detailed step by step tasks that should be performed to achieve a certain goal
  • The lowest level in the documentation chain, as they are closest to users and computers
  • Procedures spell out how the policies, standards and guidelines will actually be implemented in the operating environment
Organization Security Program