
Course : 7083M - IS RISK MANAGEMENT

Managing Information Security


Session 1

Information Security
What Is Information Security?
Information security is more than setting up a firewall,
applying patches to fix newly discovered
vulnerabilities in your system software, or locking the
cabinet with your backup tapes. Information security
is determining what needs to be protected and why,
what it needs to be protected from, and how to protect
it for as long as it exists.

Vulnerability Assessment
A vulnerability assessment is a systematic, point-in-time examination
of an organization's technology base, policies, and procedures. It
includes a complete analysis of the security of an internal computing
environment and its vulnerability to internal and external attack. These
technology-driven assessments generally:
- Use standards for specific IT security activities (such as hardening
  specific types of platforms)
- Assess the entire computing infrastructure
- Use (sometimes proprietary) software tools to analyze the
  infrastructure and all of its components
- Provide a detailed analysis showing the detected technological
  vulnerabilities and possibly recommending specific steps to address
  those vulnerabilities

Information Systems Audit


Information systems audits are independent appraisals of a company's
internal controls to assure management, regulatory authorities, and
company shareholders that information is accurate and valid. Audits will
typically leverage industry-specific process models, benchmarks,
standards of due care, or established best practices. They look at both
financial and operational performance. An audit may also be based on
proprietary business process risk control and analysis methods and
tools. Audits are generally performed by licensed or certified auditors
and have legal implications and liabilities. During an audit, the business
records of a company are reviewed for accuracy and integrity.

Information Security Risk Evaluation


Security risk evaluations expand upon the vulnerability
assessment to look at the security-related risks within a
company, including internal and external sources of risk
as well as electronic-based and people-based risks.

These multifaceted evaluations attempt to align the risk evaluation with business
drivers or goals and usually focus on the following four aspects of security:
- They examine the corporate practices relating to security to identify strengths
  and weaknesses that could create or mitigate security risks. This procedure
  may include a comparative analysis that ranks this information against
  industry standards and best practices.
- They include a technological examination of systems, reviews of policy, and
  an inspection of physical security.
- They examine the IT infrastructure to determine technological vulnerabilities.
  Such vulnerabilities include susceptibility to any of the following situations:
  - The introduction of malicious code
  - Corruption or destruction of data
  - Exfiltration of information
  - Denial of service
  - Unauthorized change of access rights and privileges
- They help decision makers examine trade-offs to select cost-effective
  countermeasures.

Managed Service Providers


Managed security services providers rely on human expertise to
manage a company's systems and networks. They use their own or
another vendor's security software and devices to protect your
infrastructure. Usually, a managed security service will proactively
monitor and protect an organization's computing infrastructures from
attacks and misuse. The solutions tend to be customized for each
client's unique business requirements and to use proprietary
technology. They can either actively respond to intrusions or notify
you after they occur. Some employ automated, computer-based
learning and analysis, promising decreased response time and
increased accuracy.

Information Security Risk Evaluation and Management
Think about how much you rely upon access to information and systems to
do your job. Today, information systems are essential to most organizations,
because virtually all information is captured, stored, and accessed in digital
form. We rely on digital data that are accessible, dependable, and protected
from misuse. Systems are interconnected in ways that could not have been
imagined ten years ago. Networked systems have enabled unprecedented
access to information. Unfortunately, they have also exposed our
information to a variety of new threats. Organizations today have
implemented a wide variety of complex computing infrastructures. They
need flexible approaches that enable them to understand their information-specific
security risks and then to create strategies to address those risks.

An organization that wishes to improve its security posture must be
prepared to take the following steps:
- Change from a reactive, problem-based approach to proactive
  prevention of problems.
- Consider security from multiple perspectives.
- Establish a flexible infrastructure at all levels of the organization
  capable of responding rapidly to changing technology and security
  needs.
- Initiate an ongoing, continual effort to maintain and improve its
  security posture.

Evaluation Activities
Consider what happens during an evaluation. When an
organization conducts an information security risk
evaluation, it performs activities to:
- Identify information security risks
- Analyze the risks to determine priorities
- Plan for improvement by developing a protection strategy
  for organizational improvement and risk mitigation plans
  to reduce the risk to critical organizational assets

The evaluation only provides a direction for an organization's
information security activities; it does not necessarily lead to
meaningful improvement. No evaluation, no matter how detailed or
how expert, will improve an organization's security posture unless the
organization follows through by implementing the results. After the
evaluation, the organization should take the following steps:
- Plan how to implement the protection strategy and risk mitigation
  plans from the evaluation by developing detailed action plans. This
  activity can include a detailed cost-benefit analysis among strategies
  and actions.
- Implement the selected detailed action plans.
- Monitor the plans for progress and effectiveness. This activity
  includes monitoring risks for any changes.
- Control variations in plan execution by taking appropriate corrective
  actions.
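The evaluation activities (identify risks, analyze them for priority, plan mitigation) and the cost-benefit analysis in the planning step above, carried through on a small risk register. This is an added example, not code from the course slides or from the OCTAVE method: the scoring model (exposure = likelihood x impact on 1..5 scales, countermeasures removing a fixed number of exposure points from named risks, and an exhaustive search for the affordable set that removes the most exposure) is assumed for illustration, and the assets, threats, costs and budget are constructed sample data. The threat classes reuse the five outcome classes listed earlier on the page.

```python
"""Risk register with cost-benefit countermeasure selection.

Added example, not from the course slides or from OCTAVE itself.
Assumed (constructed) scoring model: exposure = likelihood x impact on
1..5 scales; each countermeasure removes a stated number of exposure
points from named risks; planning picks the countermeasure set that
removes the most exposure within a budget. Assets, threats, costs and
the budget below are constructed sample data.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Risk:
    rid: str         # short id referenced by countermeasures
    asset: str       # critical asset (what OCTAVE phase 1 produces)
    threat: str      # outcome class named on the slides
    likelihood: int  # 1 (rare) .. 5 (expected); assumed scale
    impact: int      # 1 (negligible) .. 5 (severe); assumed scale

    @property
    def exposure(self) -> int:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: int        # budget units, constructed
    reduces: tuple   # ((risk id, exposure points removed), ...)


# Constructed sample register: the "identify" activity already done.
RISKS = [
    Risk("R1", "customer database", "Exfiltration of information", 3, 5),
    Risk("R2", "customer database", "Corruption or destruction of data", 2, 5),
    Risk("R3", "web portal", "Denial of service", 4, 3),
    Risk("R4", "admin workstations", "Introduction of malicious code", 4, 2),
    Risk("R5", "directory service",
         "Unauthorized change of access rights and privileges", 2, 4),
]

# Constructed candidate countermeasures with assumed effect and cost.
MEASURES = [
    Countermeasure("db-encryption-and-monitoring", 40, (("R1", 9), ("R2", 2))),
    Countermeasure("offsite-backups", 15, (("R2", 9),)),
    Countermeasure("ddos-mitigation", 30, (("R3", 9),)),
    Countermeasure("endpoint-protection", 20, (("R4", 6),)),
    Countermeasure("privileged-access-review", 10, (("R5", 5),)),
]


def prioritize(risks):
    """Analyze: order risks by exposure, highest first; ties by asset, then id."""
    return sorted(risks, key=lambda r: (-r.exposure, r.asset, r.rid))


def reduction_for(risks, chosen):
    """Exposure points a set of countermeasures removes across the register.

    Per-risk reduction is capped at that risk's exposure, so stacking two
    controls on one risk never counts below zero for it."""
    exposure = {r.rid: r.exposure for r in risks}
    removed = dict.fromkeys(exposure, 0)
    for m in chosen:
        for rid, points in m.reduces:
            removed[rid] += points
    return sum(min(removed[rid], exposure[rid]) for rid in exposure)


def select_countermeasures(risks, measures, budget):
    """Plan: cost-benefit search for the affordable set with the largest reduction.

    Exhaustive over subsets (2**n), which is fine for a register of a few
    dozen candidate controls. Ties prefer the cheaper set, then name order.
    Returns (sorted names, reduction, cost)."""
    best = ((), 0, 0)
    for k in range(1, len(measures) + 1):
        for subset in combinations(measures, k):
            cost = sum(m.cost for m in subset)
            if cost > budget:
                continue
            red = reduction_for(risks, subset)
            names = tuple(sorted(m.name for m in subset))
            better = (red, -cost) > (best[1], -best[2])
            tie = (red, -cost) == (best[1], -best[2]) and names < best[0]
            if better or tie:
                best = (names, red, cost)
    return best


def residual_exposure(risks, chosen):
    """Exposure left after the chosen countermeasures; the figure to monitor."""
    return sum(r.exposure for r in risks) - reduction_for(risks, chosen)


if __name__ == "__main__":
    for r in prioritize(RISKS):
        print(f"{r.rid} {r.exposure:>3}  {r.asset}: {r.threat}")
    names, red, cost = select_countermeasures(RISKS, MEASURES, budget=60)
    chosen = [m for m in MEASURES if m.name in names]
    print("plan:", ", ".join(names), f"(cost {cost}, removes {red})")
    print("residual exposure:", residual_exposure(RISKS, chosen))
```

With the constructed data and a budget of 60 the search does not pick the single most expensive control even though it addresses the top-ranked risk: three cheaper controls remove more total exposure. The cap in `reduction_for` is what keeps two controls aimed at the same risk from being over-credited, which is the usual mistake in spreadsheet cost-benefit tables.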

Risk evaluation is only the first step of risk management.

The accompanying figure illustrates an information security risk management
framework and the "slice" that an evaluation provides.
The framework highlights the operations that
organizations can use to identify and address their
information security risks.

An Approach to Information Security Risk Evaluations
An information security risk evaluation must identify both
organizational and technological issues to be effective. It must
address both the computing infrastructure and the way in which
people use it as they perform their jobs. Thus, an evaluation needs
to incorporate the context in which people use the infrastructure to
meet the business objectives of the organization as well as
technological security issues related to the infrastructure. It must
consider what makes the organization succeed and what makes it
fail.

OCTAVE Approach
The Operationally Critical Threat, Asset, and Vulnerability
Evaluation (OCTAVE) enables an organization to sort
through the complex web of organizational and
technological issues to understand and address its
information security risks. OCTAVE defines an approach
to information security risk evaluations that is
comprehensive, systematic, context driven, and self-directed.

Three Phases
The organizational, technological, and analysis aspects
of an information security risk evaluation lend
themselves to a three-stage approach. OCTAVE is built
around these three phases to enable organizational
personnel to assemble a comprehensive picture of the
organization's information security needs.

Phase 1: Build Asset-Based Threat Profiles. This is an
evaluation of organizational aspects. Staff members from
the organization contribute their perspectives on what is
important to the organization (information-related assets)
and what is currently being done to protect those assets.
The analysis team consolidates the information, selects
the assets that are most important to the organization
(critical assets), and identifies the threats to these
assets.

Phase 2: Identify Infrastructure Vulnerabilities. This is an
evaluation of the computing infrastructure. The analysis
team identifies key information technology systems and
components related to each critical asset. The team then
examines the key components for weaknesses
(technology vulnerabilities) that can lead to unauthorized
action against critical assets.

Phase 3: Develop Security Strategy and Plans. During
this part of the evaluation, the analysis team identifies
risks to the organization's critical assets and decides
what to do about them. The team creates a protection
strategy for the organization and mitigation plans to
address the risks to the critical assets, based upon an
analysis of the information gathered.

OCTAVE Variations
The specific ways in which business practices (e.g., planning,
budgeting) are implemented in different organizations vary
according to the characteristics of the organizations. Consider the
differences between management practices at a small start-up
company and those required in a large established organization.
Both organizations require a set of similar management practices for
planning and budgeting, but the practices are implemented
differently. Similarly, the OCTAVE approach defines an information
security risk evaluation as a management practice. We have found that the
ways in which organizations implement information security risk
evaluations differ based on a variety of organizational factors.
OCTAVE implemented in a large multinational corporation is
different from OCTAVE in a small start-up. However, some common
principles, attributes, and outputs hold across organizational types.

Common Elements
The common elements of the OCTAVE approach are
embodied in a set of criteria that define the principles,
attributes, and outputs of the OCTAVE approach. Many
methods can be consistent with these criteria, but there is
only one set of OCTAVE criteria. The Software Engineering
Institute (SEI) has developed one method consistent with
the criteria, the OCTAVE Method, which was designed with
large organizations (more than 300 employees) in mind.
The institute is presently developing a method for small
organizations (fewer than 100 employees).
