Module I Kefa Rabah IT Risk Management Plan – The Way Forward

Module I SerengetiGroup
Risk Management Plan IT Security Project Solution

A Case Study www.serengetisys.com

Bedrock City University (BCU)

Secure Network Infrastructure Project

Developing IT Security Risk Management Plan

The Way Forward

Document History:
Date Version # Author(s) Description of Changes
Feb 02, 2008 BCU-RMP-001 BCU-ISESC, Final Issue
SISC

A Global Open Versity Reading Room Academic Technical Publication

Permissions: A GOV Open Knowledge Academic Access License

Learn more, visit:

www.serengetisys.com
www.globalopenversity.org
Kefa Rabah

CIS300 - IT Risk Mgmt & Compliance Strategies PAGE 2 OF 50 Bright 2Future

 Module I Kefa Rabah IT Risk Management Plan – The Way Forward

Module I

Developing IT Security Risk Management Plan

Abstract

As attacks on enterprise grow more sophisticated and diverse; companies need to rethink their network
defense and entire enterprise risk management strategies. Security for that matter is not only about
protecting the network, but also the data. That requires a combination of tactics, from securing the
network perimeter to encrypting data on mobile and storage devices. Today, many enterprises look at
network as taking a layered approach. As security become more complex, businesses increasingly see a
need for enterprise security strategies, as well as ways to collate information from the various tools and
evaluate their performance. And they are grappling with new issues created by growing mobility and
anywhere, anytime access – making the remote users the “new perimeter” frontier and not the firewall –
thus increasing risk to enterprise resources. In this respect, IT managers are currently focusing more and
more on getting end-to-end visibility. However, more importantly – the road to an enterprise security
strategy and risk management starts with consulting stakeholders to determine what level of risk is
acceptable. Then you can formulate a policy that lays out the controls that will achieve the goals via
implementing – a solid IT security risk management plan – geared towards organizations’ IT security
objectives driven by business requirements for improved performance.

1.0 INTRODUCTION

Risk management is a much talked about, but little understood area of the IT Security industry. While risk
management has been practiced by other industries for hundreds of years, little historical data exists to
support qualitative analysis in the IT environment.

The industry approach to-date has been to buy technology without really understanding the potential
underlying risks. To further complicate matters, new government regulations create additional pressure to
ensure sensitive data is protected from compromise and disclosure. Processes need to be developed that
not only identify the sensitive data, but also identify the level of risk posed due to noncompliance of
corporate security policies. Serengeti Information Security Consulting (SISC) at Bedrock City has
developed security procedures based on industry standards that evaluate and mitigate areas deemed not
compliant to internal security policies and standards. Through the use of quantitative analysis, AISC is
able to determine areas that present the greatest risk, which allows for identification and prioritization of
security investments.

1.1 OVERVIEW OF RISK MANAGEMENT IN IT SECURITY FIELD

The fundamental precept of information security is to support the mission of the organization. All
organizations are exposed to uncertainties, some of which impact the organization in a negative or positive
manner. In order to support the organization, IT security professionals must be able to help their
organizations’ management understand and manage these uncertainties.

Managing uncertainties is not an easy task. Limited resources and an ever-changing landscape of threats
and vulnerabilities make completely mitigating all risks impossible. Therefore, IT security
professionals must have a toolset to assist them in sharing a commonly understood view with IT and
business managers concerning the potential impact of various IT security related threats to the mission.
This toolset needs to be consistent, repeatable, cost-effective and reduce risks to a reasonable level.
However, due to the complex nature of the network infrastructure and its integrated information system, it

CIS300 - IT Risk Mgmt & Compliance Strategies PAGE 3 OF 50 Bright 3Future

 Module I Kefa Rabah IT Risk Management Plan – The Way Forward

is important to present the reader with a clear picture of the risky business of protecting information
systems.

In this respect, risk assessment plays a vital role in any information-security program, ensuring that
resources are being allocated in the most effective way to support the business objectives. Because
resources are always limited, controls should be applied to areas that represent the biggest risks. It's
crucial that the risk-assessment process link security exposures to business needs; risks should be
measured against the potential impact to the confidentiality, integrity or availability of any critical
business process. Basically stated, every security control has an associated cost, and there must be a
business reason for it to be implemented. Risk-assessment methodologies should be used to provide
justification and prioritization for the implementation of security controls to mitigate risks.

1.2 Historical Perspective of Risks in the IT Security Field

A few years ago not many computers were connected to the Internet. Nowadays with the prices for
broadband falling and households joining the Internet, things changed. The same is happening with the
small to medium to corporate sector businesses. While email was not widely used, nowadays every
company needs that form of communication in some form. With these changing habits, the risk is
changing as well. A point to note here – you cannot eliminate risk – you can only reduce it!

Moreover, in the computing age of today, we have witnessed the growing popularity of the Internet and
networks in our society. With these tools at our fingertips, we are able to communicate and do business
even more quickly and efficiently than ever before. For example, businesses can market their products
online so customers do not have to leave their homes, and banks can conduct transfers and manage
accounts with more ease, speed, and functionality than with the paperwork of the past. Also, what is
probably the most popular means of communication, email, is used by just about everyone each and every
day.

Furthermore, today, the world continues to witness an explosion in mobile technology designed to help
people communicate faster and more easily. We carry powerful digital computers in our pockets,
exchange digital information in addition to voice data with our mobile phones, and surf the Web with
high-end PDAs. In the near future, especially the coming of age of 3G wireless devices, every type of
electronic data channel will be used to exchange every type of electronic information. This has become
even more challenging with the entry of “Incredible Hulk” of smart-phone family, the iPhone 2.0. One of
the great challenges of the ability to communicate digitally is securing the increased amount of electronic
information now exchanged over the network. To make the matter worse today, everyone wants to be
everywhere and anywhere and be reached via his tech-mobile system exchanging data with enterprise
network. And that makes mobile security risk management a top priority for many businesses that want to
offer high-end mobile customer application.

It is clear that these modern conveniences have made our lives much smoother. However, as we continue
to add these conveniences to our lives, we open the door to more numerous, possibly even more
dangerous, outlets for attacks ranging from malware to identity theft. With the prominence of identity
theft on the rise, we must all be weary of the security of online communication. Moreover, in today’s
network environment, and as every organization tries to deliver value from IT while managing an
increasingly complex range of IT-related risks, the effective use of best practice can help to avoid re-
inventing wheels, optimize the use of scarce IT resources and reduce the occurrence of major IT risks,
such as: Project failures, Wasted investments, Security breaches, System crashes, and Failures by service
providers to understand and meet customer requirements. See Fig. 1 for the evolution of IT threats.

CIS300 - IT Risk Mgmt & Compliance Strategies PAGE 4 OF 50 Bright 4Future

 Module I Kefa Rabah IT Risk Management Plan – The Way Forward

While a few years ago every network needed to have a firewall and then everything was good, things
changed here as well. Our society today, is based and relay on a free flow of information. That is, in real-
time, information is constantly and continuously moving around, leaving and entering inter-networks (the
Internet) around the world at any one instance. Today, therefore, IT professional’s main problem is, that
this information can not be protected by a simple firewall, because that information will not stay in one
place but “move around”. One could argue that we then should keep the information in one place where
we can protect them. But, as mentioned above, our society needs that flow of information to further evolve
and keep pace with ongoing industrial revolution and constantly ever changing innovative ideas being
fueled by the ever rapidly evolving cyber-space, the Internet, and on its wake the mighty and vicious
cyber-crime fueled by tech-savvy cybercriminals run by organized criminals looking upon the Web as a
new – and extremely lucrative – source of ill-gotten gain mainly via identity theft.

High

Sophistication of
Hackers Tools

Packet Forging/Spoofing
Boot Nets
Stealth Diagnostics

DDOS Internet Worms

Sweepers Sniffers
Internet
Back Doors SQL Injections
Hijacking Sessions
Exploiting Known Disabling Audits
Vulnerabilities
Viruses
Script Kiddies

Self Replication
code Password Cracking

Trojan Horses

Password
Guessing Technical Knowledge
Required

1980 1990 2000 2010

Fig. 1: Threats are more dangerous; and easier to use

The Full document has moved to docstoc.com. You may access it from here:

http://www.docstoc.com/docs/28838188/?key=MmFlZGE5ZGEt&pass=YTRlOS00ZDQ1

-----------------------------------------------
Kefa Rabah is the Founder and CIO, of Serengeti Systems Group Inc. Kefa is knowledgeable in
several fields of Science & Technology, IT Security Compliance and Project Management, and
Renewable Energy Systems. He is also the founder of Global Open Versity, a place to enhance
your educating and career goals using the latest innovations and technologies.

CIS300 - IT Risk Mgmt & Compliance Strategies PAGE 5 OF 50 Bright 5Future