1. Lesson 1: Risk Management Overview
This domain is entitled the Information Risk Management and what we’re going to take a look at is a lot of processes that deal with all facets of risk management. We’re going to talk about establishing a process for your information asset classification and ownership, implementing a systematic and structured information risk assessment process to ensure that business impact assessments are done. Periodically we’ll take a look at making sure that the threat and vulnerability evaluations are performed.
Talk about identifying and periodically evaluating information security controls and countermeasures to help mitigate risk to your acceptable levels. We’re also going to talk about integrating risk, threat and vulnerability identification and management into a lifecycle process and then talk about ways of reporting any significant changes in information for the risk so that we can make sure that we can again analyze that risk and try to get to the appropriate levels of risk acceptance that management can improve.
2. Risk Management Overview
We’re going to begin by taking an overview look at risk management. Now, it’s pretty basic that risk management is the attempt to optimize the balance between your opportunities for gain and minimizing vulnerabilities and loss. So having said that, it’s kind of the idea that without risk management, if you think about it, we really won’t be able to say, what can we do to understand, number one, what the risks are? And if all we say is, let’s just throw money at some solutions because everybody says that we need firewalls and intrusion detection and antivirus software and let’s just put it all on, well, now you’ve just thrown out money, you’ve purchased some things, you’ve got people busy. Did it do you any good? Did it really minimize the vulnerabilities and the loss that you could incur? Were any of those even issues that you had to deal with as far as the potential threats to your network or to your assets in case it’s other than just the information itself?
So what we tell people is that risk management as well as your business impact analysis are mandatory if you want to have a good security strategy. Because what they do is they identify, number one, what is important, what’s a critical component of your particular business, and knowing what those critical assets are, we can then say, okay, what threats could there be and how frequent could those threats occur and what kind of damage or exposure factor might that cause? And knowing all of that information through risk management, then we’re like, okay, now we know where the threats are, we know what we have to come up against, we know what we have to mitigate, and now we can come up with a strategy to protect those assets. So really your risk management is your framework for your policies, procedures, practices and guidelines that you’re going to implement in your security strategy.
3. Types of Risk Analysis
Now, when we talk about the types of risk analysis, really our goal is that we’re going to try to find some controls, things that we use to help reduce risk. And those are going to be controls that we find as a part of our risk management that we might use as part of the analysis to say, is this a good control? Will it do what it’s supposed to and mitigate the risk? Now at the same time, controls might also, as it says, present a good return on your investment or should, I should say, it should present a good return on your investment. All right, that’s an important aspect. I mean, you could over purchase or even under purchase if it doesn’t even do close to what you want, it wasn’t worth a quarter. And if you over purchase you might get to the point of security that you like, but your return on investment might not be so great.
So what we do is we have some options and we say two types even though we list three. Really there’s just two types of risk analysis options that we’re going to use and those are to help us determine the proper controls and those ways that we have. Number one is the quantitative approach which is all about money. I might say it’s a numerical approach, but it’s all about dollars having actual values. And then we have the qualitative, which is opinions where I might send out surveys with checkboxes that you can choose your thoughts. Now, very popularly being used as a semi quantitative, which is technically a hybrid, a combination of a qualitative and quantitative. Now on a qualitative, you might very well just have.
It could be as simple as having some categories and saying we have an option of using a firewall intrusion detection prevention or antivirus software. And we’d like your opinion of a rating of one to five for each of these categories about how well you think it’ll protect the database and how well you think it’ll protect the server. And so people can say, well, maybe the firewall ranks a four out of five and intrusion detection maybe a two. And on the server I really think you should have antivirus software and so you can kind of give opinion ratings that kind of coincide with the qualitative. Now, that’s not an exact qualitative study but in just trying to diagram some examples you can see that it is open to a lot of subjection and it depends on who am I when I’m making this decision?
Am I a firewall specialist when I made this chart or response? Am I a server operator, am I a manager of some kind? So it’s mostly, like I said, an opinion or scenario based type of an approach. Quantitative uses numerical values and we started off with basically the value of the asset. And I’ve used this as an example before to talk about having a facility that we want to keep safe from fire. So we’re going to give that facility a value of a million dollars. I’m going to be brave and see if I can do this math. And part of this quantitative study is we say, okay, we need to determine what is your exposure factor? So if we’re worried about a fire, and we have determined from buildings of similar construction, similar material, similar location oh, and we have no sprinkler systems in our building, we’ve decided that our exposure factor is about 50% loss if there is a fire. And so having done that, then we know that for any one event, the single loss expectancy would be about $500,000. Now, the reason that quantitative is not necessarily used by itself and qualitative not used just by itself, and people are favoring the semi quantitative is. I’m talking about the cost of a building. There are many other add ons that you would have to worry about, right? Because now we have loss of production. People can’t get to work.
The building is not inhabitable. Maybe we’ve lost some reputation because we’re not getting our products out. We may have lost even business partners because they were relying on us and they’ve had to move somewhere else. And so when we start checking these things off, we’re adding to the fact that we really can’t put pure numbers into these cases, and we have to start thinking about those maybe from a qualitative standpoint, besides just having lost half a million dollars to the property. All right, well, back to the quantitative. So now that we have this value down, the next thing you might ask then is, okay, let’s look at the rate of occurrence of how often this occurs.
And I keep using these easy numbers. I tell you if this was true. If I told you that the odds of a fire in your building was once out of every ten years for an annualized rate of occurrence, I don’t think I’d ever go into your building or I’d make sure I was on the bottom floor by a window that I can open, I guess. So that means that one out of ten chance each year. So each year there’s a 10% chance of a fire, which means that I could expect what we call an annualized loss expectancy of $50,000 in a year. Now, maybe I’ve decided to add a control. And the control I’m going to use is to put in sprinkler systems. And let’s say that control is going to cost me $5,000 to be able to put that in. But if I do put that in with a $5,000, my exposure factor is going to go down to 10% instead of 50% of a loss.
So what would that do for me? Well, what happens then is I start off with the value of that resource again at a million dollars. And I know now that my exposure factor is equal to 10%. So now I’m at $100,000 loss for a single loss expectancy. I still know that the fire rate didn’t change. So I know that my annualized loss expectancy is now $10,000. And if I factor in that $5,000 over that same ten year time period, then I’m talking about $500 that it’s going to cost me. So I’m going to add that $500 on there to the cost of the control for my loss. But I guess you could say now is if my $5,000 investment worth the savings annually $40,000 in risk. And that’s where you can then get kind of the idea is a good return on investment. And certainly this is a very simplistic form, but it’s just trying to describe some of these different types of risk analysis that you might be involved with.
4. The Importance of Risk Management
So I guess it’s important that we understand why risk management is up at the top of the list of what we need to do. Well, number one, risk management drives the logic for all of your information security activities. It’s really one of your keys to being able to manage the regulatory requirements. I mean, if we think about it, if we have regulatory requirements to say that we need to be secure for certain things and meet certain standards, we need to kind of have an idea where are we? And risk management can help me understand where we currently are in our state of security.
And knowing where I am and knowing where I need to be provides for me the ability at some point to create a roadmap that says, okay, I want to get from this current state to that desired state. But it starts with the risk management. Without it, it would be very almost impossible to determine what the potential cost of an impact of any event is going to be to even know where I am, to get to where I need to go to meet those requirements. Now your risk management can be influenced of course, by things like the culture, the culture of the company, people having a bias if this is how we’ve always done things, cultures, maybe if it’s a multinational focused company, obviously your company is involved in making certain products or producing something or finding a way to make a profit.
So your risk management may also be influenced by the company’s mission and objectives for its products and services. Again, very important to understand that our eventual security strategy has to be in alignment with the business objectives. Because if it’s not, if we somehow make our strategy more important than the business objectives, there’s no more money coming in for that business and there’s no more need for security strategy. I guess in a way you’ve solved the problem, but not probably in a great way. And of course your physical and environmental and regulatory conditions all are going to have an influence on how the risk is managed. And again, it’s a part of the process that we’re going to be going through. So now risk management, of course, is going to be part of managing your risk risk assessments, your business impact analysis, and putting it together and making it in alignment with your overall strategy.
5. Risk Management Outcomes
Now the main goal of risk management is to really minimize the impact of an event. Now in order to do that, you need to know some things. Number one, understanding the risk profile of the company. Understanding the risk profile. Part of that is kind of understanding their appetite for residual risk or their approach to risk. Their risk profile may be of trying to do risk, risk transference, buying insurance, if that’s what they want to do for their risk profile, that’s okay. I need to know that as a part of my way of managing risk, if I am trying to reduce risk, I need to know what are they willing to still accept as residual risk? Because we can’t get rid of all risk altogether.
We also need to understand what are the potential consequences of any asset being compromised? What would that do to the company? What would happen if we chose the wrong priorities? If we said, oh, let’s protect this email server so we can always get email and not worrying about the database of customer credit card accounts, maybe we have the wrong priorities in there as well. So it’s important we understand those priorities. And we also have way of measuring where we are and how we’re doing. So we need to have metrics that our resources can look at and they should be appropriate as well as letting us know if the controls that we’ve chosen are also appropriate and cost effective. I mean, we need a method of measuring those outcomes so we can see how things are functioning.
6. Risk Management Strategy
To be effective, your risk management should be integrated into the business process. Again, it should be consistent and integrated into the overall security governance strategy, and that should be in line with the business strategy. So let’s put it together. I can’t make a business strategy really unless I have a good security governance strategy, because I may you could have a business strategy with that one, but you run into the risk of losing a lot of information, having a lot of problems, not meeting regulations. But before I can even get a good security governance strategy to work with the business strategy, I need to know, what am I looking at, what are the problems, what are the risks, what are the threats? So I guess in a way, going backwards like that risk management kind of starts this process off.
Without good risk management, I really am not going to be very good at coming up with a security governance strategy. If I don’t have a good security governance strategy, it doesn’t matter if I try to make it in alignment with the business strategy. I’m probably failing the overall goal of the business, especially if part of the business strategy is to maintain certain certifications, security certifications and certain regulatory requirements. So I’m hoping that you kind of see how the pieces of this puzzle fit together.
Now, the issues regarding risk management must be communicated throughout the organization as well as to all the stakeholders, because stakeholders need to understand that. A couple of things. What are we doing as a company to reduce risk, to help protect their investments, whether they’re invested because they are shareholders, invested because they’re employees and they want to continue working. Ah, you know, we need to talk about the residual risks. And again, so this is something that needs to be communicated with everyone besides just senior management and the board of directors.
7. Lesson 2: Good Information Security Risk Management
So let’s take a look at good information security risk management. Now number one, risk management should be supportive from all members of the organization, but especially from the top down. That is the C level people, the CIO, CEO, CISO, right, everybody in that C. Sometimes they call it a Csuite of staff, board of directors, executive management, all of way down. Having good security practices would need management commitment. And let’s think about that one statement. I can have a practice that says you cannot go to social networking sites where you’re at work and I may have people that do it. And so I say, okay look, it says you can’t go here and somebody might say, yeah, well you can’t do anything because nobody ever enforces this rule there. I would need to say, look, I need management commitment.
I need to be able to make sure people understand that if you are violating these rules that are prepared and designed for us to meet certain security objectives, that there’s actually support in the enforcement as well. So that’s a part of the management commitment. Now that’s one part of it, right? To have good security practices I need the commitment. And risk management is required to really be able to have good security. So again, without risk management we have no idea of what we’re trying to protect ourselves from. I mean we may have some good guesses. We might kind of in an ad hoc process, just buy some stuff that sounded really good to keep our system safe.
Some latest and greatest antivirus software maybe took a server we’re not using any more, loaded Linux on it and I decided to run IP tables and make a firewall out of it. And I’m not saying that’s not a bad solution. The idea is there’s no thought process into it. So we need to have good risk management. We need to understand what we’re protecting, why we’re protecting it, what the threats are that makes it security practices and of course the management commitment. All right? So to get that risk management part, that’s kind of our focus on this domain.
That means we need a couple of things to develop this program. Number one, what is the purpose of the program? What is the scope and charter? Now, scope and charter and I hope I’ve already kind of answered the purpose of the program. Scope and charter is what areas do I care about? We do have to sometimes worry that each individual business unit may silo themselves off into their own little sections and do their own risk assessments and their own business impact assessment. That’s a good thing. It should be done. But we have to realize that some of one part of a business unit may interact with another business unit.
I might be able to be bold enough to say that most every business unit in some way or another is going to have some interface with information technology I mean, if they’re utilizing our network for going to the internet for retrieving email, at some point I think there’s this interaction. But if we’re looking at all of the scopes as just being these each little law business units we don’t have then that ability to see if we can overlap. Maybe we’re duplicating efforts and wasting money that we shouldn’t be. Maybe we need to work together so that we can expect better input from one business unit for another business unit and having some of the overlap of the setups of the responsibilities and that all together is going to be the charter basically how we work this together.
Now we need to identify and classify the assets. Very important aspect. And everything can be an asset, but some things are more important than others. And that’s where we’ll talk a little bit later about the classification system. We need to have objectives. What’s our goal of doing the risk management? Obviously many times our goal is trying to safeguard our assets to lower the risk or the exposure factor. And we also have to pick a methodology or the types of methodologies that we’re going to use in the use of our risk analysis. While we’re talking about risk management, we have to make some choices about those methodologies.
