Aug 10 2009

Managing Risks and NIST 800-53

Category: Security Risk AssessmentDISC @ 5:48 pm

logo of en:National Institute of Standards and...
Image via Wikipedia

FISMA Certification & Accreditation Handbook

The organizations need to establish security program to manage their day to day risks. Before selecting the controls from standards such as (NIST 800-53 or ISO 27002), organizations need to have complete inventory of the assets involved in the scope. Assets involved in the scope would require a comprehensive risk assessment to determine the sensitivity/criticality of these assets. Depending on the categorization of these assets will determine an appropriate control from standard to mitigate relevant risk. In some cases supplemental controls may be required.

Management of risks involves the risks to the organization with the operation of an information system or information security management system. Risk management is an effective frame work for selecting appropriate security controls for an information system and assist in selecting of appropriate security controls to protect assets.

Both ISO and NIST standards follow the similar path in control selections. NIST 800-53 has 163 high level controls and 154 medium level controls which have around 95% mapping with ISO 27002 which has 133 controls. While NIST SP 800-53 is required for federal (unclassified) information system, NIST encourages its use in commercial space. Commercial organizations can utilize the NIST standard to create their security program, which will provide a road map to their security strategy and assist in making informed decisions for securing their information assets.

The management of day to day risks is a key element in an organizationā€™s information security program and both NIST and ISO provide an effective framework for selecting and managing the appropriate security controls for information system. ISO utilize PDCA (Plan, Do Check, and Act) Deming model for selecting the appropriate security controls and managing its information security management system. NIST on the other hand utilize the similar framework for selecting and managing appropriate controls for information system and is called risk management framework security life cycle. Copy of the NIST risk management framework security life cycle is available to see an eerie resemblance with PDCA model.

nist_rmf1

Around 80% of critical infrastructure resides in private sectors which required to be protected by various regulations. Both NIST and ISO can be utilized to protect assets, however in some cases one standard might fit better in your environment then the other or perhaps you are able to manage one standard better then the other. Both standards required their information system to be audited or reviewed by authorized organizations to achieve apporpriate certifications.

Related articles by Zemanta

Reblog this post [with Zemanta]

Tags: iso 27001, iso 27002, NIST 800-53, PDCA, Risk management

Mar 04 2009

HIPAA accountability and security program

Category: hipaa,Security Risk AssessmentDISC @ 7:34 pm

Logo of the United States Department of Health...
Last year the department of Health and Human Services (HHS) started penalizing healthcare organizations for security breaches and lack of security program. Healthcare stimulus bill says that HHS will post a breach of healthcare organization on their website. In both cases the intent is clear that HHS want to hold healthcare organizations accountable for security lapses.

World Privacy Forum (WPF) states in recent report that medical identity theft is on the rise and it leaves false information in medical records that can torment victimsā€™ medical lives for years. Medical identity theft mostly carried out by insiders with legitimate access to medical and insurance billing. Patient medical files, and addresses can be changed to reflect phony medical care, and insurance payments are forwarded to different address.

HHS has given ample warning and time to healthcare organization to get their house in order. Healthcare stimulus bill which require digitizing healthcare records will demand even more stringent security program from healthcare organizations. Time is of the essence for healthcare organizations to start their security strategy planing now to implement their security program before HHS come knocking at their door.

Risk Management Process:

Like other compliance initiatives, HIPAA also require organizations to build a security risk management program to manage their daily risks. The process of risk management consists of risk assessment (analyzing the risks), design/select control, implement control, test control, maintain/ monitor control. At high level, risk management is accomplished by balancing risk exposure against mitigation costs and implementing appropriate countermeasures and controls.

rm-process

Risk assessment states the security posture of an organization at a given point in time. Therefore organization should conduct risk assessment of their assets on a regular basis. Risk assessment looks at the impact and likelihood of threat/ vulnerability pair to assess the risk. What is the likelihood of a threat to exploit a given vulnerability and what will be the impact of the threat if the given vulnerability is exploited. If either likelihood/impact is low, the overall risk is low.

Performing vulnerability assessment of critical assets on monthly basis is highly recommend to find out new vulnerabilities and making sure the hardened systems configuration have not changed. Also any changes introduced to a system will require checking the necessary system configurations are intact.

A Five-step Roadmap to HIPAA Security Compliance

Related videos by youtube
httpv://www.youtube.com/watch?v=3Srhrow67f8

Reblog this post [with Zemanta]

Tags: Health care, Health Insurance Portability and Accountability Act, Identity Theft, Risk management, Security, Security Risk Assessment, United States Department of Health and Human Services

Feb 25 2009

Small business and assessment of IT risks

Category: Security Risk AssessmentDISC @ 5:02 pm

Network and Information Security Agency
According to a study released by European Union ENISA, Small-to-Medium-Sized (SME) enterprises require extra guidance in assessment of IT security risks of their assets.

Agency also established that in the first implementation it is improbable that SME can utilize a risk assessment & risk management approach without external assistance and simplified information security approach was extremely useful for security awareness on the part of business to improve their information security management approach. One of the main drivers that have pushed ENISA towards a simplified Risk Assessment and Management approach was the idea that SMEs need simple, flexible, efficient and cost-effective security solutions.

Regarding the entire process applied for the life-cycle of the simplified approach, ENISA has applied the Plan-Do-Check-Act model:
o PLAN: creation of a simplified Risk Assessment & Risk Management approach for SMEs
o DO: run pilots in different contexts inside EU
o CHECK: get feedback from pilots and aggregate and analyze it
o ACT: review and improve the simplified approach starting from the feedback
It is expected that through repetitions of the above life-cycle a proper maturity of the simplified ENISA method will be achieved.
ra-process
Diagram: Overview of the phases of the ENISA simplified approach
ENISA simplified and standardized approach for risk assessment for SMEs is designed for untrained users and organization with small IT infrastructure. Security of SMEs is crucial for European economy, since they represent 99% of all enterprises in EU and around 65 million jobs, said ENISA said.

ENISA report and findings

As economic slowdown is looming ahead in US economy, it makes sense to adopt a lifecycle approach which is simplified, standardized in managing and securing the SMEs data. SME is the core engine of US economy as well; taking a standard based approach for data protection will not only serve to increase awareness and secure businesses but will also satisfy various compliance needs. Complexity is an enemy of security and SME most of the time donā€™t have inside expertise to tackle organizations information security needs. The main idea is to build a simple, flexible and cost efficient risk assessment and risk management program for non-expert users and management with relatively less complex IT infrastructure which fits the needs of all SME. This program will serve as an IT risk assessment tool; fulfill the needs of several regulations and serves as a great security awareness tool as well. As business needs change, risk assessment and risk management process can be improved utilizing Deming PDCA model. Start with a base model program and improve the process to tailor your business needs down the road.

Another methodology which is worth mentioning here for simplified risk assessment approach for SME is Facilitated Risk Analysis and Assessment Process (FRAAP) created by Tom Peltier which can be utilized to identify and quantify threats to IT infrastructure. Tom also teaches a class how to complete a risk assessment in 5 days or less utilizing FRAAP and his book on “Information security risk analysis” where he explains his FRAAP methodology.

Related articles by Zemanta

Computer Security
httpv://www.youtube.com/watch?v=MUQzEJ82TrQ

Reblog this post [with Zemanta]

Tags: Business, Computer security, Consultants, European Network and Information Security Agency, European Union, information security risk analysis, Risk management, Security, Security Risk Assessment, Small and medium enterprises, SME

Oct 07 2008

vsRisk and security risk assessment

Category: ISO 27k,Security Risk AssessmentDISC @ 3:18 pm

Information Security Risk Management for ISO27001 / ISO27002

The State of California has adopted ISO/IEC 27002 as its standard for information security and recommends other organizations and vendors to use this standard as guidance in their efforts to comply with California law.

To achieve an ongoing compliance, major organizations require tools to comply with standard such as ISO 27002/ISO27001. vsRisk is an easy to use Information Security Risk Assessment tool which makes risk assessment process consistent, easier and produces required documentation to achieve ISO 27001 certification . vsRisk also aligns seamlessly with standards like ISO 27002, ISO 27005 and NIST SP 800-30.

vsRisk helps organizations to develop an Information Security Management System (ISMS) asset inventory and capture business, legal and contractual requirements against each asset. vsRisk is customizable to meet specific needs when introducing new risks, vulnerabilities and controls without any additional help from a consultant. vsRisk helps you focus on assets rather than on threats and vulnerabilities. This is an approach which works by treating business processes as an asset, which is examined for their criticality, lack of security and consequences of failed process can be examined. In this regards, vsRisk is an effective and efficient tool by identifying most important points and key issues right away, which focusing on threats doesnā€™t.

Major benefits of vsRisk tool:
1. It is the definitive ISO27001 risk assessment tool, compliant
with all the key information security standards – which means that
you can be certain that a vsRisk risk assessment will help you
achieve ISO27001 certification.
2. It is designed to be usable – your lead risk assessor and any
asset owners involved in your risk assessment are going to find
their task made easier
3. Unique features include the risk assessment wizard, which
standardizes the risk assessment process and guides asset owners
through the risk assessment process.
4. vsRisk creates a baseline from which future risk assessments can
easily be made.
5. vsRisk integrates with ISMS documentation toolkit, for even
greater usability.

ā€œvsRiskā„¢- the Definitive ISO 27001: 2005-Compliant Information Security Risk Assessment Tool, which automates and delivers an ISO/IEC 27001-compliant risk assessment and can assess confidentiality, integrity and availability for each of business, legal and contractual aspects of information assets – as required by ISO 27001. Providing a comprehensive best-practice alignment, it supports ISO 27001 and 27002 (ISO/IEC 17799) disciplines, and is ISO/IEC 27005 and NIST SP 800-30 compliant. It also offers a wizard-based approach that simplifies and accelerates the risk assessment process, plus integrates and regularly updates BS7799-3 compliant threat and vulnerability databases.ā€

The key to successful Risk Management is to protect your most important/critical assets. The importance/criticality of an asset might change over time. That is another reason to automate security risk assessment process to recalibrate your risks based on current state of security.

Risk Management to ISO27001/NIST Wizard-based risk assessment tool Simplifies compliance – To buy vsRisk tool!

Meet Stringent California Information Security Legislation with Comprehensive Toolkit

ISO27001 EXPERTS CAN HELP COMPANIES MEET STRINGENT CALIFORNIAN …
EIN News (press release) – Netherlands
vsRiskā„¢- the Definitive ISO 27001: 2005-Compliant Information Security Risk Assessment Tool, which automates and delivers an ISO/IEC 27001-compliant risk …

Tags: asset owner, automate security risk assessment, baseline, california, isms, iso 17799, iso 27001, iso 27001 certification, iso 27002, iso 27005, nist sp 80-30, sb 1386, vsrisk

« Previous Page