Why Risk Management? Risk management means that due diligence and due care are being done. It makes all the difference in the world after an incident has happened because it proves that proactive measures were taken and action was done.
We all deal with risk every day. We evaluate the risk, we determine it’s impact, we mitigate the risk; and when we feel we fully understand and have dealt with the risk, then we consider it ‘taken care of’.
In a business environment however, RISK=MONEY….. Whether positive or negative. As a business you can make money from risk (like an entrepreneur), or lose money from risk (loss from an event). The key is being proactive and practicing due diligence.
The main areas of risk management are:
- Risk Assessment – Knowing what your risks are (you don’t know what you don’t know, and can’t plan effectively)
- Understanding and assigning risk severity (assigning $$ value or ‘reputation value’)
- Practicing effective risk mitigation (planning, prevention, or transference of risk)
- Management Buy-In (A top-down approach must be adopted and communicated organization wide)
Risk can be addressed in the four following ways:
- Eliminate the risk (example – patch a vulnerable system)
- Mitigate the risk (example – operational necessity, reduce risk by adding countermeasures)
- Transfer the risk (example – buy insurance)
- Ignore the risk (example – know of risk, but do nothing about it)
Businesses are adept at managing business risk but often times are not skilled at determining information technology (IT) risk. The cyber threat environment is a constantly changing landscape, and since IT is a crucial business tool it must be addressed with a robust risk management architecture. GRAVICOM has been in the enterprise risk management arena since 2001, and is fully aware of the current threat environment. We want to help our customers develop robust risk management architectures that address all areas of your mission.
GRAVICOM will bring about an Information Security Systems Engineering (ISSE) approach to risk management. In that approach, we will methodically analyze our customer’s environment, their information protection needs, the threats, vulnerabilities, and other factors; then we will design a robust risk management architecture and policy management engine that will facilitate a continuous risk management cycle. When you know your risk, it takes the worry out of the unknown.
A robust risk management architecture will address at minimum the following items:
- Confidentiality – the security objective to protect from improper disclosure of sensitive information.
- Availability – the requirement of business to have access to systems and data.
- Integrity – the reliability of systems to properly function in order to prohibit improper modification of data.
Known as the CIA or AIC Triad, Confidentiality, Availability, and Integrity must to work in concert to keep data not only protected and accurate, but accessible to authorized users.
Other areas that are addressed in a robust risk management program are:
- Policy – management stating the role security plays in an organization.
- Procedure – a mandated series of steps to accomplish a task, such as software upgrades, patching, or vulnerability management.
- Configuration Management – Recording changes throughout an organization so that changes are made methodically and are traceable. This is crucial in validation that risk is managed and traceable.
- Standards – the implementation of a common hardware or software solution to a security risk
- Baselines – a consistent minimum benchmark for security configurations across a multitude of implementations.
- Guidelines – a recommendation until adopted as standards, but are considered industry best practices, such as the mature policies, procedures, or industry guidelines.
- Safeguards – uniform and proactive controls applied before an incident, which incorporates the idea of least privilege.
- Vulnerability – a flaw in a procedure, implementation, or control that if exercised will result in a security breach.
- Threat – a potential accidental or intentional danger to an information system.
- Exposure – an opportunity for a threat to cause damage.
- Risk – probability of a threat agent exploiting a vulnerability resulting in losses.
- Risk Transference – the passing on of risk to a third party, such as insurance.
- Countermeasure – reactive controls applied after an incident.
- Strategic Planning – a long term plan focusing on high level requirements, such as the overarching security plan.
- Operational Planning – a mid term plan focusing on an organization’s functional plans.
- Tactical Planning – a short term “fire fighting” strategy usually at the keyboard level.
- Planning Horizon – is the compilation of strategic, operational, and tactical planning.
- Job Rotation – movement of employees to expose collusion and policy violations.
- Mandatory Vacations – forced leave to detect elements of fraud.
- Separation of Duties – split knowledge and dual control of job tasks, which helps prevent errors and fraud.
- Need to Know – only those persons absolutely requiring information should have access to such information.
- Least Privilege – allowing processes and users only enough permission to accomplish their job.
- Roles and Responsibilities – used to ensure everyone knows what an individual will be doing.
- Due Diligence – Identifying threats and risks – performing reasonable examination and research before committing to a course of action. Basically, “look before you leap.” In law, you would perform due diligence by researching the terms of a contract before signing it. The opposite of due diligence might be “haphazard” or “not doing your homework.”
- Due Care – Acting upon findings to mitigate risks – performing the ongoing maintenance necessary to keep something in proper working order, or to abide by what is commonly expected in a situation. This is especially important if the due care situation exists because of a contract, regulation, or law. The opposite of due care is “negligence.”
- Data Owners – responsible for data classification, user access, related business continuity plans and disaster recovery.
- Data Custodian – is the security enforcer for the data owner, such as an email server admin.
- Auditor – independent assurance that the security controls are being implemented correctly and are operational.
- Application Owners – addresses user permissions and security controls on data specific to a particular application.
- Information Risk Management – implementing the right mechanisms to mitigate and sustain an acceptable level of risk.
- ISO 17799 & 27001 – guidelines, controls, and best practices for comprehensive security programs.
- Asset Identification – are tangible, such as the facility, and intangible, such as data.
- Assurance – a level of confidence that a particular security level is being upheld.
- CobiT – four goals to ensure IT maps seamlessly with business needs; Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate.
- Governance – a set of management directives to ensure strategic direction, objective accomplishments, risk management, and appropriate use of enterprise resources.
- Project Sizing – a pre risk analysis documentation of the scope of the project.
- Quantitative Risk Analysis – a determination of risk based on numbers, like assigning a $$ amount to a risk.
Qualitative Risk Analysis – a scaled intrinsic value assigned to a level of risk – like low, medium, or high risk. Used when numerical values cannot easily be assigned, or used when comparing systems that are not similar.
- Delphi Technique – an anonymously communicated group decision.
- Single Loss Expectancy (SLE) – amount that could be lost if a threat is executed upon, such as the value of data, cost to replace data, and potential opportunities missed.
Risk Analysis Formulas
Total Risk = Threats X Vulnerability X Asset Value
Residual Risk = (Threats X Vulnerability X Asset Value) X Controls Gap
Annual Loss Expectancy (ALE) = Single Loss Expectancy X frequency per year
- Single Loss Expectancy (SLE): It is a dollar amount that is assigned to a single event that represents the company’s potential loss amount if a specific threat were to take place. It represents an organization’s loss from a single threat and is derived from the formula: SLE = Asset value ($) x EF (%).
- Exposure Factor (EF): This factor represents the percentage of loss a realized threat could have on a certain asset.
- Annualized Loss Expectancy (ALE): It is the annually expected financial loss to an organization from a threat. It is given by the formula: ALE = SLE x Annualized rate of occurrence (ARO).
- Annualized Rate of Occurrence (ARO): It is the value that represents the estimated frequency of a specific threat taking place within a one year timeframe.