Cyber Security Expo
Risk Management on IS by P L Pradhan on 16/04/04


Risk management is the process of identifying vulnerabilities and threats to an organization’s information resources or IT infrastructure as it pursues its business objectives, and deciding what countermeasures, if any, to take to reduce risk to an acceptable level, based on the value of the information resource to the organization. A summary of this concept is expressed in the following equation:

Total Risk = Threats x Vulnerability x Asset Value

Generally, a risk can be transferred, rejected, reduced or accepted, and it is rated as high, medium or low level risk.

  • Security risks commence the moment the power is turned on, and the only way to deal with them is through risk management
  • Risks can be identified & reduced, but never eliminated
  • No matter how secure you make a system, it can always be broken into given sufficient resources, time, motivation and money
  • People are usually cheaper & easier to compromise than advanced technological safeguards

Risk Management Nomenclature

  • Annualized loss expectancy (ALE)
    – Single loss expectancy x annualized rate of occurrence = ALE
  • Annualized rate of occurrence (ARO)
    – On an annualized basis, the frequency with which a threat is expected to occur
  • Exposure factor
    – A measure of the magnitude of loss or impact on the value of an asset
  • Probability
    – Chance or likelihood, in a finite sample, that an event will occur or that a specific loss value may be attained should the event occur
  • Threat
    – An event, the occurrence of which could have an undesired impact
  • Safeguard
    – Risk reducing measure that acts to detect, prevent or minimize loss associated with the occurrence of a specified threat or category of threats
  • Vulnerability
    – The absence or weakness of a risk-reducing safeguard

Risk Assessment

  • Since you can’t protect yourself if you do not know what you are protecting against, a risk assessment must be performed
  • A risk assessment answers 3 fundamental questions:
    – Identify assets - What am I trying to protect?
    – Identify threats - What do I need to protect against?
    – Calculating risks - How much time, effort & money am I willing to expend to obtain adequate protection?
  • After risks are determined, you can then develop the policies & procedures needed to reduce the risks

Identifying Assets

  • Tangibles
    – Computers, communications equipment, wiring
    – Data
    – Software
    – Audit records, books, documents
  • Intangibles
    – Privacy
    – Employee safety & health
    – Passwords
    – Image & reputation
    – Availability
    – Employee morale

Identifying Threats

– Earthquake, flood, hurricane, lightning
– Structural failure, asbestos
– Utility loss, i.e., water, power, telecommunications
– Theft of hardware, software, data
– Terrorists, both political and information
– Software bugs, viruses, malicious code, SPAM, mail bombs
– Strikes, labor & union problems
– Hackers, internal/external
– Inflammatory Usenet, Internet & web postings
– Employee illness, death
– Outbreak, epidemic, pandemic

Calculating (quantifying) Risks

  • This is the hard part. Insurance & historical records may help, but your actuary is your best friend.
    – How much damage did Kevin Mitnick do? Estimates range from $500,000 to $120,000,000
  • Review the risks
    – Lists should be regularly updated
    – Small changes in operations or corporate structure can have significant risk implications
    – Changes such as location, vendor, M&A, etc., must be included in the risk factor

Cost/benefit Analysis

  • Cost of a loss
    – Often hard to determine accurately
  • Cost of prevention
    – Long term/short term
  • Adding up the numbers
    – Output of an Excel spreadsheet listing assets, risks & possible losses
    – For each loss, know its probability, predicted loss & the amount of money needed to defend against the loss
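The nomenclature defined earlier (exposure factor, single loss expectancy, annualized rate of occurrence, ALE) and the "adding up the numbers" step of this cost/benefit analysis can be carried through on a small risk register. The following Python example was added for this page and is not code from the original article: it computes SLE and ALE for each asset/threat pair, tests each proposed safeguard by its net benefit (ALE before minus ALE after minus the annual cost of the safeguard), maps the result onto the treatments the article names (reduce, transfer, accept), and orders the list by ALE. Every asset value, exposure factor, rate of occurrence and cost is a constructed sample figure, and the thresholds in `recommend()` are this example's own assumption, not a rule from the article.

```python
"""Quantitative risk register: a worked example added to illustrate the
article's nomenclature (SLE, EF, ARO, ALE) and its cost/benefit analysis.
Not code from the original article; all figures are constructed samples."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float             # amortised purchase cost + yearly running cost
    exposure_factor_after: float   # EF once the safeguard is in place
    aro_after: float               # ARO once the safeguard is in place


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    asset_value: float             # monetary value of the asset (constructed)
    exposure_factor: float         # fraction of asset value lost per occurrence, 0..1
    aro: float                     # expected occurrences per year
    safeguard: Optional[Safeguard] = None   # None = no control costed yet


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (loss from one occurrence)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must lie between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def annualized_loss_expectancy(asset_value: float, exposure_factor: float, aro: float) -> float:
    """ALE = SLE x ARO (expected loss per year)."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return single_loss_expectancy(asset_value, exposure_factor) * aro


def safeguard_net_benefit(risk: Risk) -> Optional[float]:
    """Cost/benefit test: ALE before - ALE after - annual safeguard cost.
    Positive means the safeguard saves more per year than it costs."""
    if risk.safeguard is None:
        return None
    before = annualized_loss_expectancy(risk.asset_value, risk.exposure_factor, risk.aro)
    after = annualized_loss_expectancy(
        risk.asset_value, risk.safeguard.exposure_factor_after, risk.safeguard.aro_after)
    return before - after - risk.safeguard.annual_cost


def recommend(risk: Risk) -> str:
    """Map the numbers onto a treatment. The rule below is an assumption of this
    example: reduce when the safeguard pays for itself; otherwise transfer (insure)
    a rare-but-ruinous loss (SLE more than ten times the ALE, i.e. ARO < 0.1);
    otherwise accept. 'Reject' (avoiding the activity) is a policy call, not modelled."""
    ale = annualized_loss_expectancy(risk.asset_value, risk.exposure_factor, risk.aro)
    net = safeguard_net_benefit(risk)
    if net is not None and net > 0:
        return "reduce"
    sle = single_loss_expectancy(risk.asset_value, risk.exposure_factor)
    if sle > 10 * ale:
        return "transfer"
    return "accept"


# Constructed sample register, using asset and threat categories from the article's lists.
RISK_REGISTER = [
    Risk("file server", "theft of hardware", 100_000, 0.6, 0.1,
         Safeguard("locked server room with access control", 2_000, 0.6, 0.02)),
    Risk("office workstations", "viruses / malicious code", 50_000, 0.2, 4.0,
         Safeguard("anti-virus plus patch management", 8_000, 0.1, 0.5)),
    Risk("office building", "earthquake", 2_000_000, 0.5, 0.01,
         Safeguard("seismic retrofit", 60_000, 0.1, 0.01)),
    Risk("public web pages", "hacked web page", 20_000, 0.3, 0.5),
]


def prioritised_register(register=RISK_REGISTER):
    """Rows sorted by ALE, highest first: the 'review the risks' list from the text."""
    rows = []
    for r in register:
        rows.append({
            "asset": r.asset,
            "threat": r.threat,
            "sle": single_loss_expectancy(r.asset_value, r.exposure_factor),
            "ale": annualized_loss_expectancy(r.asset_value, r.exposure_factor, r.aro),
            "net_benefit": safeguard_net_benefit(r),
            "treatment": recommend(r),
        })
    return sorted(rows, key=lambda row: row["ale"], reverse=True)


if __name__ == "__main__":
    for row in prioritised_register():
        print(f"{row['asset']:<20} {row['threat']:<26} SLE={row['sle']:>12,.0f} "
              f"ALE={row['ale']:>10,.0f} net={row['net_benefit']} -> {row['treatment']}")
```

Running it prints the register in priority order. The earthquake row shows the case the text warns about when it says the cost of a loss is hard to determine: a very large single loss, but a safeguard whose yearly cost exceeds the expected yearly loss, so the arithmetic points to transferring the risk (insurance) rather than buying the control, while the workstation row, with a modest single loss that recurs several times a year, dominates the ALE ranking.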

Security Awareness

  • Must be driven from the top-down
  • Must be comprehensive, all the way down to the floppy & hard copies
  • Education
    – Hard copies
    – Web-based
    – Training & education

Security Management Planning

  • Most importantly, to be successful in selling security you must know your company’s or client’s business
  • Know what is important
    – Each industry has differing priorities

Security management planning I

  • Identify costs
    – Initial investment
    – Ongoing costs
  • Identify benefits
    – Help Desk reduction
    – Common data locations
    – Reduced Remote Access costs
    – Improved Business Partner access
    – Enhanced public perception
    – Ernst & Young Cyberprocess Certification

Security management planning II

  • Identify potential losses if security is not properly implemented
    – Trade secrets
    – Confidential information
    – Personal e-mail
    – Adverse publicity
    – Viruses, worms, malicious Java and ActiveX applications
    – Denial of service
    – Hard drive reformats, router reconfigurations
    – M&A
    – Financials
    – Hacked web pages
    – Breach of Human Resources information

Security management planning III

Management Procrastination
Four primary reasons why the decision maker typically procrastinates in deciding whether to allocate funds or commence the initiative:

  • Unable to understand or quantify security threats and technical vulnerabilities. This results in buying decision paralysis.
  • Unable to measure (through quantitative or qualitative analysis) the severity and probability of risk.
  • Begins the analysis with a preconceived notion that the cost of controls will be excessive or the security technology does not exist.
  • Believes that the security solution will interfere with the performance or appearance of the business product.


The aim is to reduce the risk factor to a minimum level, so that the IS infrastructure and assets (data, hardware, software, network) are safeguarded against intruders, hackers, and external vendors or contractors.

The risk management and assessment method used to ensure protection, data integrity, effectiveness and efficiency must be designed and implemented according to the business objectives of the organization.


In summary, the risk assessment process is about making decisions. The impact of a successful attack and the level of acceptable risk for any given situation are fundamental policy decisions. Likewise, vulnerabilities are design issues and must be addressed during the design, development & implementation of information resources. The fundamental problem of risk management, then, is to achieve a cost-effective balance between design characteristics and the countermeasures against threats and their impact.




P L Pradhan, M. Sc (Phys), DCA, PG DBA, Sun Solaris Certified (UNIX)

At present pursuing a Ph.D. program in System Security at Sambalpur University, Orissa, India

Working Area (18 years’ experience in System/IT): System Security, Risk Mgmt, Unix System Administration, Backend Solutions (Unix, Oracle Database), ERP, Datacomm & Networking, Internet Technology, MIS & System Analysis and Design.

