Architecting to Auditing Risk Based Controls
Dan Seider, Information Security Architect
Nitin Salvi, Information Security Architect
The views, thoughts, claims or opinions in this presentation are solely those of the presenter. Nothing in this presentation represents the views, thoughts, claims or opinions of GM Financial Corporation, General Motors Corporation or any other organization or entity.
Disclaimer
Architecting risk based security controls
Baseline and Monitoring risk based controls
Developing a risk based control audit plan
Recommendations For:
A risk point of view is a different sort of “Beastie”
A Risk Focus?
Source: © Maurice Sendak
No Standard Definition
Oxford dictionary: (1) a situation involving exposure to danger; (2) the possibility that something unpleasant will happen; (3) a person or thing causing a risk or regarded in relation to risk: a fire risk.
ISO Guide 73, Risk Management
The combination of the probability of an event and its consequence
ISO 13335, Information Technology Security Techniques
The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization.
Conclusion: differences exist between dictionary, government, industry, and information security definitions of well-used terms.
Also, there is considerable disagreement around the definitions of “threat,” “impact,” “probability” and “risk”, though the use of “threat” as a circumstance and of “risk” as something made up of elements is largely agreed.
Risk Definitions
Risk is the product of 3 primary parts:
“Risk” contains controllable elements of vulnerability, probability and business impact.
It also contains the uncontrollable element of a threatening circumstance (actor, motivation).
Risk Elements
Risk = Threat (what are we concerned about?) × Vulnerability (with probabilities) × Consequences (do they cascade?)
Cyber Threat Actors
John C. Mallery, Massachusetts Institute of Technology
Current Control Environment
Historically, controls have been driven by regulatory and compliance requirements and by folklore (i.e. “we’ve always done it this way”).
Perceived vulnerability.
Synchronization with real threats.
Different levels of the technology stack.
Existing Controls Environment
Risk vs. Spending
2013 Ponemon Institute study on risk-based security management
Dynamic business environment coupled with dynamic risk with static controls,
Multiple risk scenarios – single control assumed adequate,
Multiple national and international requirements.
Why the Imbalances?
Managing risk not transferring / ignoring it,
Business aligned and customer focused,
Proactively seeks process improvement based on risk assessments,
Supports continual risk-reassessment.
A Risk Based Architecture Is…
Risk and Opportunity Model
Source: SABSA Institute
Risk and Opportunity
Source: SABSA Institute
Balancing threat, impact and vulnerability
Flexible and agile selection / deployment of safeguards and countermeasures
Protection Using Risk Based Controls
Improves ROI,
Driver for business performance and assurance,
Manages risk and enables the creation and preservation of business value,
Risk-based decisions,
Enables consistent tailoring of controls to the risk level,
Supports continuous monitoring and reporting for risk, compliance and security.
Why Risk Based Controls?
Process Risk → Control Design → Control Implementation → Baseline & Monitor → Assure / Audit
Risk Based Control Selection
Diagram (text recovered from the figure):
Steps: Identify Process Risk → Identify Security Services and Controls → Develop Assurance/Audit Plan (KPI, KRI and Key Enablers) → Mechanisms to Support Controls → Create Process Baseline → Creating Metrics → Reporting (Assurance Matrix, Aggregated Scorecard, Metrics Results, Periodic Reporting)
Layers: Business (Enterprise); Information Security (Strategic & Enterprise); IT Security (Operational); IT Operations (Service Delivery); Assurance (spanning all layers)
Artifacts traced across the layers: Process/Business Risk; Controls & Security Services; Solutions & Security Programs & Implementation Guidelines; Implementation Mechanisms; Matrix Creations
Risk Based Controls Tracing
Defense in Depth
Source: SABSA Institute
Defense In Depth Technology Stack: Application, Middleware, Platform, Network
Review risk assessments
Perform process risk assessment
Other risk processes within your organization
Identify Process Risk
Questionnaire excerpt (answer options listed from lowest to highest impact):
Question 2 (A): What is the business impact if information owned/generated/used by this business process is inappropriately or inadvertently modified? Inappropriate or inadvertent modifications:
  - None / information would be re-entered or revised with little or no further impact
  - Would result in minor Company losses; not visible to customers
  - Would cause moderate Company losses
  - Would seriously/adversely impact business or Company objectives; risk of financial loss/legal liability exists
Question 3 (A): What is the business impact if information owned/generated/used by this business process is unavailable for use for one day?
  - No impact to the organization
  - Information is important; unavailable information would have moderate impact to the organization
  - Information is vital; organization/business partners and/or customers may be adversely impacted
  - Information is critical; unavailable information would seriously impact the organization; financial penalties possible
Question 4 (I,C): Is this business process governed by or affected by International/US laws, regulations, or other mandatory business requirements?
  - No
  - Mandatory business non-regulatory compliance rules (e.g., PCI)
  - Legal jurisdiction, Federal laws and agencies (e.g., HIPAA-GLBA/Sarbanes-Oxley/SEC)
  - International jurisdiction
  - Don’t know
Example: Identify Process Risk
Process Risk: MEDIUM
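One way to score this questionnaire, as an added Python example that is not part of the presentation: the answer texts are abbreviated from the slide, and the aggregation rule (the highest answer level sets the rating; “Don’t know” counts as at least MEDIUM and is flagged for follow-up) is an assumption, since the deck does not state how it arrived at MEDIUM.

```python
# Added example, not from the presentation: scoring the questionnaire above.
# Answer texts are abbreviated from the slide. The aggregation rule (highest
# answer level wins; "Don't know" counts as at least MEDIUM and is flagged
# for follow-up) is an assumption made for this illustration.
DONT_KNOW = "Don't know"

OPTIONS = {  # answer options per question, ordered lowest to highest impact
    2: ["None / re-entered with little impact", "Minor Company losses",
        "Moderate Company losses", "Serious impact; financial/legal liability"],
    3: ["No impact", "Important; moderate impact",
        "Vital; partners/customers adversely impacted", "Critical; penalties possible"],
    4: ["No", "Mandatory non-regulatory rules (e.g. PCI)",
        "Federal laws/agencies (e.g. HIPAA-GLBA/SOX/SEC)", "International jurisdiction"],
}
# Assumed mapping from the 0..3 answer index to a process-risk rating.
RATING_BY_LEVEL = ["LOW", "LOW", "MEDIUM", "HIGH"]


def answer_level(qnum, answer):
    """Impact level 0..3 of an answer given as option index or option text.
    Returns None for "Don't know" so the caller can escalate and flag it."""
    options = OPTIONS[qnum]
    if answer == DONT_KNOW:
        return None
    if isinstance(answer, int):
        if not 0 <= answer < len(options):
            raise ValueError(f"Q{qnum}: answer index {answer} out of range")
        return answer
    return options.index(answer)  # ValueError for text that is not an option


def score_process(answers):
    """Aggregate per-question levels into one rating; returns (rating, follow_ups).
    Every question must be answered so a blank cannot silently lower the rating."""
    missing = sorted(set(OPTIONS) - set(answers))
    if missing:
        raise ValueError(f"unanswered questions: {missing}")
    level, follow_ups = 0, []
    for qnum, answer in sorted(answers.items()):
        lvl = answer_level(qnum, answer)
        if lvl is None:  # unknown exposure is never rated below MEDIUM
            lvl = RATING_BY_LEVEL.index("MEDIUM")
            follow_ups.append(f"Q{qnum}: '{DONT_KNOW}' answered, confirm with process owner")
        level = max(level, lvl)
    return RATING_BY_LEVEL[level], follow_ups


if __name__ == "__main__":
    # Constructed answers that reproduce the slide's MEDIUM outcome.
    print(score_process({2: 1, 3: 2, 4: "Mandatory non-regulatory rules (e.g. PCI)"}))
```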
Identify security services related to the process,
Identify controls related to the services,
Assurance Profiles,
KPI, KRI, Key Enabler.
Controls Design
Process Relationships (diagram): the Business Process sits between External Entities (Regulators, Suppliers, Partners, External Customers, Technology Providers) and Internal Entities (Business Units, Internal Users, Technology Providers)
Identify Security Services and Controls
Network Control Map
Assurance Profile
Controls Selection/Audit Plan
| Process | Control Number | Security Service/Requirement | Required/Recommended/Optional | Controls Register Reference Number | Audit Plan/Guideline |
|---|---|---|---|---|---|
| System Hardening | 1 | Harden Windows Server | Required | Standard 13 | CIS hardening benchmark |
| System Hardening | 2 | Harden IIS Server | Required | Standard 13 | CIS hardening benchmark |
| Authentication and Identity Management | 3 | Users are identified with a unique user ID, and avoid the use of shared or group accounts, dependent on data classification. | Required | Standard 94 | User naming convention follows security standards |
| Authentication and Identity Management | 4 | Users are provided with a mechanism for selecting their own passwords. | Required | Standard 95 | Password mechanism supports security standards |
| Authentication and Identity Management | 5 | Password length and complexity requirements are enforced for new passwords and password resets as stipulated in applicable agency Password Standards. | Required | Standard 95 | |
| Authentication and Identity Management | 6 | Authentication controls are enforced on a trusted system (i.e. server-side instead of client-side). | Required | Standard 96 | |
| Authentication and Identity Management | 7 | High value transactions utilise message integrity checks to ensure that data has not been modified by an unauthorised party. | Recommended | Standard 97 | |
| Authentication and Identity Management | 8 | Passwords are stored using cryptographically strong one-way hashes (e.g. ASP.NET hash setting). | Required | Standard 95 | |
| Authentication and Identity Management | 9 | Existing password and authentication mechanisms (e.g. ASP.NET membership providers) are used instead of custom-developed authentication mechanisms. | Required | Standard 95 | |
| Authentication and Identity Management | 10 | Generic responses are returned for all authentication failures such that they do not indicate which part of the authentication data was incorrect. | Required | Standard 95 | |
Control Mechanisms
Monitor business process to develop baseline (3 to 6 months),
Document any anomalies,
Create alerts based on anomalies,
Create alerts for any activity outside baseline,
Create metrics (KPIs, KRIs and Key Enablers).
Monitoring
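The baselining and alerting steps above, as an added Python example that is not from the presentation: the metric (daily failed-logon counts for one business process), the constructed counts and the median/MAD bound are assumptions made here; the slide specifies only the steps.

```python
# Added example, not from the presentation: deriving a baseline from a
# monitoring window, documenting anomalies seen while baselining, alerting
# on activity outside the baseline and reporting a KRI, the steps the slide
# lists. The metric, the constructed counts and the bound rule
# (median + 3 scaled-MAD) are assumptions made for this illustration.
from statistics import median

# Constructed sample: daily failed-logon counts for one business process over
# the baseline window (the slide suggests 3 to 6 months; shortened to 14 days).
BASELINE_WINDOW = [12, 15, 11, 14, 13, 16, 12, 90, 14, 13, 15, 12, 11, 14]


def build_baseline(values, k=3.0):
    """Return the baseline: typical level, upper alert bound and the anomalies
    observed during baselining (to be documented rather than silently absorbed).
    Median and MAD are used so the single spike on day 8 does not inflate the
    bound the way a mean/standard-deviation baseline would."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    sigma = 1.4826 * mad  # scale MAD to a standard-deviation estimate
    upper = med + k * sigma
    anomalies = [(day, v) for day, v in enumerate(values, start=1) if v > upper]
    return {"median": med, "upper": upper, "anomalies_in_window": anomalies}


def evaluate(baseline, observations):
    """Check new (day, count) observations against the baseline.
    Returns the alerts (activity above the upper bound) and a KRI: the share
    of observed days that breached the baseline, for periodic reporting."""
    alerts = [(day, v) for day, v in observations if v > baseline["upper"]]
    kri = round(len(alerts) / len(observations), 3) if observations else 0.0
    return alerts, kri


if __name__ == "__main__":
    base = build_baseline(BASELINE_WINDOW)
    # Constructed observations for the monitoring period after baselining.
    new_days = [(15, 14), (16, 22), (17, 13), (18, 19), (19, 35)]
    print(base)
    print(evaluate(base, new_days))
```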
Based on the business risk, controls effectiveness is monitored and measured,
Reports are generated and forwarded to the business to assure that business risk is properly managed,
Reporting metrics (KPIs, KRIs and Key Enablers).
Reporting
Questions ?