Risk Management, CISO - Kirk and Ernie

Description: Risk management course, University of Washington

  • RISK MANAGEMENT: AT THE HEART OF SECURITY DECISION-MAKING FOR THE CISO

    Kirk Bailey, CISSP, CISM, Chief Information Security Officer, University of Washington, [email protected]

    Ernie Hayden, CISSP, Chief Information Security Officer, Port of Seattle, [email protected]

  • THE CURRENT TECHNOLOGY RISK PICTURE: PLENTY OF MONSTERS OUT THERE!

  • True Cost of Convenience Model: Security vs Convenience, Liability vs Convenience

    AT THE HEART OF MOST TECHNOLOGY-BASED RISK: a different way to look at your risk

  • The Convenience Factor (charts)

    Five variants of one chart: convenience on the horizontal axis (Less to More), security risk and liability on the vertical axis (Increased), with a crossover point where the two curves meet.

    The crossover point moves based on security needs, etc.

    Buy insurance / transfer risk: the crossover point shifts and more convenience is allowed.

    Add security controls: the crossover point shifts.

  • COMING TO GRIPS WITH RISK MANAGEMENT AS A CISO

    Different kinds of risk management: daily work issues, and larger strategic and planning issues.

    Different approaches, models, and tools can be used by a CISO.

  • SECURITY PROFESSION EXPERTISE LEVELS

    Chart based on Forrester, April 2005, and enhanced/modified by Kirk Bailey and Ernie Hayden.

    Technology Security (engineering / technology problems):
    Firewalls
    Intrusion Detection
    Network Security
    Viruses, Worms, Crimeware
    System Hardening
    Encryption

    Information Security (business problems):
    Risk Management
    Business Continuity / Disaster Planning
    Intellectual Property
    Business / Financial Integrity
    Regulatory Compliance
    Industrial Espionage
    Privacy
    Forensics & Investigations

    Strategic Security (critical security problems; research):
    Terrorism & CyberCrime
    Regional Interests (including cyber and natural disasters)
    Nation State Interests
    Intelligence
    Professional Alliances
    Politics
    Strategies and Tactics

  • The POS Risk In-Basket

    Microsoft Word zero-day exploits

    Microsoft only releases 4 of 8 patches: what is the risk of not having the other 4?

    Implications of the Federal Rule on Criminal Procedure regarding e-discovery? What about IM? Voicemail? Email?

    How to securely handle TSA data? Transmission, storage

    House audit of personal information handling

    PCI compliance issues

    Vista roll-out concerns

  • UW Information Systems Security Risk Mapping

  • RISK AREAS / RISK REGISTER

    The UW ERM program has identified four (4) general Risk Areas for defining, grouping and analyzing risks. They are:

    Compliance
    Financial
    Operational
    Strategic

  • ISS OPERATIONAL RISK (5 identified):

    Computing Systems: loss, disruption or unauthorized use of computing resources

    Network / Telecommunications: loss, degradation or unauthorized access of network/telecommunication resources

    Data Management: destruction, corruption or theft of information

    Physical and Environmental Management: theft, destruction or unauthorized access to facilities or assets; environmental/natural caused damage to facilities, assets or harm to people

    (example)

  • ISS STRATEGIC RISK (6 identified):

    Organizational Authority (lack of it): unnecessary financial costs; unable to correct high risk incidents or behavior upon notice; loss of competitive advantage; overall security may suffer as a result of competing priorities

    Strategic Business Partnering and Alliances: missed legal and regulatory interests; missed business opportunities

    (example)

  • Impact rating scale (Rank, Description, Injuries, Financial Loss, Asset Loss, Interruption of Services, Reputation & Image, Performance Loss)

    5 Catastrophic:
    Injuries: multiple deaths or severe permanent disabilities
    Financial loss: > $10M or > 6% of Operational Budget
    Asset loss: complete loss of assets
    Interruption of services: > 1 month
    Reputation & image: substantiated, public embarrassment, very high multiple impacts, high widespread news profile, third party actions
    Performance loss: > 50% variation to Key Performance Indicators (KPIs)

    4 Disastrous:
    Injuries: death or extensive injuries
    Financial loss: $3M - $10M or 6% of Operational Budget
    Asset loss: significant loss of assets
    Interruption of services: 1 week - 1 month
    Reputation & image: substantiated, public embarrassment, high impact, high news profile, third party actions
    Performance loss: 25 - 50% variation to KPI

    3 Serious:
    Injuries: medical treatment
    Financial loss: $250K - $3M or 2% of Operational Budget
    Asset loss: major damage to assets
    Interruption of services: > 1 day to < 1 week
    Reputation & image: substantiated, public embarrassment, moderate impact, moderate news profile
    Performance loss: 10 - 25% variation to KPI

    2 Minor:
    Injuries: first aid treatment
    Financial loss: $50K - $250K or 1% of Operational Budget
    Asset loss: minor loss or damage to assets
    Interruption of services: 1/2 - 1 day
    Reputation & image: substantiated, low impact, low news profile
    Performance loss: 5 - 10% variation to KPI

    1 Insignificant:
    Injuries: no injuries
    Financial loss: < $50K or 0.5% of Operational Budget
    Asset loss: little or no impact on assets
    Interruption of services: < 1/2 day
    Reputation & image: unsubstantiated, low impact, low profile or no news items
    Performance loss: up to 5% variation to Key Performance Indicators (KPI)

  • Risk Ranking: measures of likelihood and impact are multiplied to determine the level of risk.

    LIKELIHOOD           IMPACT:   1    2    3    4    5
    Almost Certain  5              5   10   15   20   25
    Likely          4              4    8   12   16   20
    Possible        3              3    6    9   12   15
    Unlikely        2              2    4    6    8   10
    Rare            1              1    2    3    4    5

    IMPACT: 1 Insignificant, 2 Minor, 3 Serious, 4 Disastrous, 5 Catastrophic

  • RISK MANAGEMENT HEAT CHARTS

    Three likelihood/impact maps plotting the register's twelve risks (numbered 1-12):

    RISK MAP WITHOUT CONTROLS
    RISK MAP WITH CURRENT CONTROLS
    RISK MAP: MITIGATION PLAN

    (Chart residue: only the risk numbers 1-12 survive from the three plots; their positions on the grids are not recoverable from the text.)
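The impact scale, the likelihood x impact ranking and the "without controls" / "with current controls" heat charts above are easier to reason about as code. The block below is an added example, not code from the slides or from the UW ERM program: the dollar, outage and KPI bands are the ones on the impact-scale slide, while the sample register, the 30-day month, the inclusive band edges and the rule of taking the worst rank across impact columns are assumptions made here and marked as such in the comments.

```python
"""Added example (not from the Bailey/Hayden slides): the impact scale,
the likelihood x impact ranking and the heat charts as working code.
Dollar, outage and KPI bands are the ones on the impact-scale slide; the
sample register and the rules for combining dimensions are assumptions."""
from dataclasses import dataclass

LIKELIHOOD = {5: "Almost Certain", 4: "Likely", 3: "Possible", 2: "Unlikely", 1: "Rare"}
IMPACT = {1: "Insignificant", 2: "Minor", 3: "Serious", 4: "Disastrous", 5: "Catastrophic"}


def financial_rank(loss_usd: float) -> int:
    """Slide bands: <$50K, $50K-$250K, $250K-$3M, $3M-$10M, >$10M.
    Lower edges of each band are taken as inclusive (assumption)."""
    if loss_usd < 50_000:
        return 1
    if loss_usd < 250_000:
        return 2
    if loss_usd < 3_000_000:
        return 3
    if loss_usd <= 10_000_000:
        return 4
    return 5


def interruption_rank(days: float) -> int:
    """Slide bands: <1/2 day, 1/2-1 day, >1 day to <1 week, 1 week-1 month,
    >1 month. A month is taken as 30 days (assumption)."""
    if days < 0.5:
        return 1
    if days <= 1:
        return 2
    if days < 7:
        return 3
    if days <= 30:
        return 4
    return 5


def kpi_rank(variation_pct: float) -> int:
    """Slide bands: up to 5%, 5-10%, 10-25%, 25-50%, >50% variation to KPIs."""
    for rank, top in enumerate((5, 10, 25, 50), start=1):
        if variation_pct <= top:
            return rank
    return 5


def impact_rank(loss_usd=0.0, outage_days=0.0, kpi_pct=0.0) -> int:
    """Worst rank across the quantified dimensions. The slide does not say how
    to combine columns; taking the maximum is the conservative assumption."""
    return max(financial_rank(loss_usd), interruption_rank(outage_days), kpi_rank(kpi_pct))


def risk_level(likelihood: int, impact: int) -> int:
    """Level of risk = likelihood x impact, the 5x5 matrix on the slide (1..25)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be ranks 1-5")
    return likelihood * impact


@dataclass
class Risk:
    rid: int
    description: str
    inherent: tuple  # (likelihood, impact) without controls
    residual: tuple  # (likelihood, impact) with current controls

    def level(self, which="inherent") -> int:
        return risk_level(*getattr(self, which))


def ranked(register, which="inherent"):
    """Risk IDs ordered highest level first (ties keep register order)."""
    return [r.rid for r in sorted(register, key=lambda r: r.level(which), reverse=True)]


def heat_chart(register, which="inherent"):
    """Map of (likelihood, impact) cell -> risk IDs, one chart per control state."""
    cells = {}
    for r in register:
        cells.setdefault(getattr(r, which), []).append(r.rid)
    return cells


def render(cells) -> str:
    """Text form of the slide's chart: rows Almost Certain..Rare, columns impact 1..5."""
    lines = []
    for l in range(5, 0, -1):
        row = [f"{LIKELIHOOD[l]:>14} {l}"]
        row += [f"{','.join(map(str, cells.get((l, i), []))):>6}" for i in range(1, 6)]
        lines.append(" ".join(row))
    lines.append(" " * 16 + " ".join(f"{i:>6}" for i in range(1, 6)) + "  IMPACT")
    return "\n".join(lines)


# Constructed sample register; these are not the twelve unlabeled risks on the slides.
REGISTER = [
    Risk(1, "Loss or disruption of computing resources",
         inherent=(4, impact_rank(loss_usd=4_000_000, outage_days=10)),
         residual=(2, impact_rank(loss_usd=200_000, outage_days=0.75))),
    Risk(2, "Theft of information", inherent=(3, 4), residual=(2, 3)),
    Risk(3, "Environmental damage to facilities", inherent=(1, 5), residual=(1, 4)),
]

if __name__ == "__main__":
    for state in ("inherent", "residual"):
        print(f"RISK MAP {'WITHOUT' if state == 'inherent' else 'WITH CURRENT'} CONTROLS")
        print(render(heat_chart(REGISTER, state)), "\n")
    print("ranking without controls:", ranked(REGISTER))
    print("ranking with current controls:", ranked(REGISTER, "residual"))
```

Running the script prints the two heat charts and the two rankings; the point worth noticing is that risk 1 drops from level 16 (4 x 4) to level 4 (2 x 2) once the controls are credited, which is exactly the movement between the "without controls" and "with current controls" maps on the slide, and that the residual ranking changes order as a result.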

  • Says one Microsoft source, carefully speaking in the hypothetical: "It would be nice to come out with a very low-cost/low profile server--something easy to use and easy to add large hard drives to. It would not only back up all the PCs in your house, but also handle patch management, anti-virus, spam filtering, anti-spyware, firewall management, AND also act as a TV server."

    CES 2007: Gates Launches Windows Home Server at CES 2007 (HP, AMD partner on home server, due in second half of 2007)

    Discussion Point: Risk assessment of this idea?

  • Technology Response vs Risk Response

    Risk Mitigation Considerations: Handling reputation loss? Risk of notifying or not? How to respond when technology fails?

    I will say this ... organized cybercrime is now capable of by-passing ALL current industry standard security measures. We (the security/technology industry) are making the wrong bets concerning possible solution sets. If you manage security by the book or rely heavily on technology counter-measures you are playing into the skilled adversary's hands. You would be better off not wasting your time and spending it instead on staffing and planning for incident response, reputation loss and notification costs.

  • Thanks!