Feb 16 2010

Security risk assessment process and countermeasures

Category: Security Risk AssessmentDISC @ 4:01 pm

The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments

The following are the common steps that should be taken to perform a security risk assessment. These are just basic common steps which should not be followed as is but modified based on organization assessment scope and business requirements.

• Identify the business needs of the assessment and align your requirements with business needs.
• Assess the existing security policies, standards, guidelines and procedures for adequacy and completeness.
• Review and analyze the existing assets threats and vulnerabilities
• Analyze the impacts and likelihood of threats and vulnerabilities on assets
• Assess physical controls to network and security infrastructure
• Assess the procedural configuration review of network and security infrastructure based on existing policies and procedures
• Review logical access and physical access and other authentication mechanism
• Review the level of security awareness based on current policies and procedures
• Review the security controls in service level agreement from vendors and contractors
• At the end of review develop a practical recommendations to address the identified gaps in security controls

To address the existing gaps in infrastructure we have to select the appropriate countermeasures to address the vulnerability or thwart a threat of attack. Four types of techniques are used by countermeasures:

Deterrent controls reduce the likelihood of an attack. Blocking phishing sites at ISP is an example of deterrent control
Preventive controls reduce exposure. Firewall is an example of preventive control
Corrective controls reduce the impact of successful attacks. Antivirus is an example of corrective control
Detective controls discover attacks and trigger preventive or corrective controls. IDSs and SIEM systems are example of detective control.

Related articles by Zemanta

Tags: authentication, countermeasure, Firewall, phishing, Risk Assessment, security controls, Security policy, security review, Security Risk Assessment, security risk assessment process

Sep 21 2009

Due Diligence, and Security Assessments

Category: Information Security,Security Risk AssessmentDISC @ 9:21 pm

Microsoft Baseline Security Analyzer
Image via Wikipedia

Fighting Computer Crime: A New Framework for Protecting Information

Risk assessment demands due diligence, which makes business sense and derives organization mission. Due care care is also about applying the specific control that counts. In information security, due diligence means a complete and comprehensive effort is made to avoid a security breach which could cause detrimental effects and identify various threats that may be exploited for a possible security breach.

Donn Parker defines due care as a “use of resonable safeguards based on the practices of similiar organizations”

Fred Cohen defines “due diligence is met by virtue of compliance review.”

Organizations must: (i) periodically assess the security controls in organizational information systems to determine if the controls are effective in their application; (ii) develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems; (iii) authorize the operation of organizational information systems and any associated information system connections; and (iv) monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
(FIPS 200, Section 3, Minimum Security Requirements)


Reblog this post [with Zemanta]

Tags: donn parker, due care, due diligence, Fred Cohen, security controls

Aug 18 2009

Control selection and cost savings

Category: Security Risk AssessmentDISC @ 3:53 pm

rm-process

Information Security Risk Analysis

In risk management, risk treatment process begins after completion of a comprehensive risk assessment.
Once risks have been assessed, risk manager utilize the following techniques to manage the risks

• Avoidance (eliminate)
• Reduction (mitigate)
• Transfer (outsource or insure)
• Retention (accept and budget)

Now the question is how to select an appropriate control to avoid or reduce risk. While selecting appropriate control to mitigate and avoid risk we need to consider compensating control to cut cost and supplemental control to increase protection for sensitive or classified assets.

Compensating control is a safeguard or countermeasure is employed by an organization in lieu of recommended security control from standards such as ISO 27002 or NIST 800-53. Compensating control provides an equivalent or comparable protection for information system to the original control requirement form standard. For example, even though most standards recommend separation of duties, but for a small operation it might be an unacceptable cost to separate the duties of system administration and system auditing. In that case system owner can utilize compensating control such as strengthening the audit and personnel security.

On the other hand with supplemental control, the system owner may decide to supplement the control to achieve more protection for sensitive and classified assets. If there is high likelihood or magnitude of impact is high should a threat exploit a given vulnerability you might want to consider a supplemental control because overall risk is high. For example you might want to utilize defense in depth method to safeguard your crown jewel.

Implementing and monitoring security control can be expensive, system owner are pressured by management to look for cost savings without any reduction in the security posture of an organization. The system owner can either inherit the common controls or segment the system exposure to reduce cost and risks.
Common controls are the security controls which have been implemented by another information system that your system can utilize. Basically working with another system owner who has utilized some of the security controls need to be implemented in your system. For example utilize the corporate office base line hardening configuration for Windows and Unix system instead of developing your own. This will significantly reduce the cost of developing, testing and maintaining a secure baseline configuration.

Best and cheapest method of cost reduction is to segment the information system into multiple systems which will add different layers and levels of security into each system. Basically you put your crown jewel in multiple layers of security if one control breaks there is another control in place to monitor and protect your assets. This will allow the system owner to focus implementing higher security controls to the segment with most sensitive or classified information instead of entire system


Reblog this post [with Zemanta]

Tags: common control, iso 27002, iso assessment, ISO audit, NIST 800-53, NIST audit, risk analysis, Risk Assessment, Risk management

Aug 10 2009

Managing Risks and NIST 800-53

Category: Security Risk AssessmentDISC @ 5:48 pm

logo of en:National Institute of Standards and...
Image via Wikipedia

FISMA Certification & Accreditation Handbook

The organizations need to establish security program to manage their day to day risks. Before selecting the controls from standards such as (NIST 800-53 or ISO 27002), organizations need to have complete inventory of the assets involved in the scope. Assets involved in the scope would require a comprehensive risk assessment to determine the sensitivity/criticality of these assets. Depending on the categorization of these assets will determine an appropriate control from standard to mitigate relevant risk. In some cases supplemental controls may be required.

Management of risks involves the risks to the organization with the operation of an information system or information security management system. Risk management is an effective frame work for selecting appropriate security controls for an information system and assist in selecting of appropriate security controls to protect assets.

Both ISO and NIST standards follow the similar path in control selections. NIST 800-53 has 163 high level controls and 154 medium level controls which have around 95% mapping with ISO 27002 which has 133 controls. While NIST SP 800-53 is required for federal (unclassified) information system, NIST encourages its use in commercial space. Commercial organizations can utilize the NIST standard to create their security program, which will provide a road map to their security strategy and assist in making informed decisions for securing their information assets.

The management of day to day risks is a key element in an organization’s information security program and both NIST and ISO provide an effective framework for selecting and managing the appropriate security controls for information system. ISO utilize PDCA (Plan, Do Check, and Act) Deming model for selecting the appropriate security controls and managing its information security management system. NIST on the other hand utilize the similar framework for selecting and managing appropriate controls for information system and is called risk management framework security life cycle. Copy of the NIST risk management framework security life cycle is available to see an eerie resemblance with PDCA model.

nist_rmf1

Around 80% of critical infrastructure resides in private sectors which required to be protected by various regulations. Both NIST and ISO can be utilized to protect assets, however in some cases one standard might fit better in your environment then the other or perhaps you are able to manage one standard better then the other. Both standards required their information system to be audited or reviewed by authorized organizations to achieve apporpriate certifications.

Related articles by Zemanta

Reblog this post [with Zemanta]

Tags: iso 27001, iso 27002, NIST 800-53, PDCA, Risk management

Mar 04 2009

HIPAA accountability and security program

Category: hipaa,Security Risk AssessmentDISC @ 7:34 pm

Logo of the United States Department of Health...
Last year the department of Health and Human Services (HHS) started penalizing healthcare organizations for security breaches and lack of security program. Healthcare stimulus bill says that HHS will post a breach of healthcare organization on their website. In both cases the intent is clear that HHS want to hold healthcare organizations accountable for security lapses.

World Privacy Forum (WPF) states in recent report that medical identity theft is on the rise and it leaves false information in medical records that can torment victims’ medical lives for years. Medical identity theft mostly carried out by insiders with legitimate access to medical and insurance billing. Patient medical files, and addresses can be changed to reflect phony medical care, and insurance payments are forwarded to different address.

HHS has given ample warning and time to healthcare organization to get their house in order. Healthcare stimulus bill which require digitizing healthcare records will demand even more stringent security program from healthcare organizations. Time is of the essence for healthcare organizations to start their security strategy planing now to implement their security program before HHS come knocking at their door.

Risk Management Process:

Like other compliance initiatives, HIPAA also require organizations to build a security risk management program to manage their daily risks. The process of risk management consists of risk assessment (analyzing the risks), design/select control, implement control, test control, maintain/ monitor control. At high level, risk management is accomplished by balancing risk exposure against mitigation costs and implementing appropriate countermeasures and controls.

rm-process

Risk assessment states the security posture of an organization at a given point in time. Therefore organization should conduct risk assessment of their assets on a regular basis. Risk assessment looks at the impact and likelihood of threat/ vulnerability pair to assess the risk. What is the likelihood of a threat to exploit a given vulnerability and what will be the impact of the threat if the given vulnerability is exploited. If either likelihood/impact is low, the overall risk is low.

Performing vulnerability assessment of critical assets on monthly basis is highly recommend to find out new vulnerabilities and making sure the hardened systems configuration have not changed. Also any changes introduced to a system will require checking the necessary system configurations are intact.

A Five-step Roadmap to HIPAA Security Compliance

Related videos by youtube
httpv://www.youtube.com/watch?v=3Srhrow67f8

Reblog this post [with Zemanta]

Tags: Health care, Health Insurance Portability and Accountability Act, Identity Theft, Risk management, Security, Security Risk Assessment, United States Department of Health and Human Services

Feb 25 2009

Small business and assessment of IT risks

Category: Security Risk AssessmentDISC @ 5:02 pm

Network and Information Security Agency
According to a study released by European Union ENISA, Small-to-Medium-Sized (SME) enterprises require extra guidance in assessment of IT security risks of their assets.

Agency also established that in the first implementation it is improbable that SME can utilize a risk assessment & risk management approach without external assistance and simplified information security approach was extremely useful for security awareness on the part of business to improve their information security management approach. One of the main drivers that have pushed ENISA towards a simplified Risk Assessment and Management approach was the idea that SMEs need simple, flexible, efficient and cost-effective security solutions.

Regarding the entire process applied for the life-cycle of the simplified approach, ENISA has applied the Plan-Do-Check-Act model:
o PLAN: creation of a simplified Risk Assessment & Risk Management approach for SMEs
o DO: run pilots in different contexts inside EU
o CHECK: get feedback from pilots and aggregate and analyze it
o ACT: review and improve the simplified approach starting from the feedback
It is expected that through repetitions of the above life-cycle a proper maturity of the simplified ENISA method will be achieved.
ra-process
Diagram: Overview of the phases of the ENISA simplified approach
ENISA simplified and standardized approach for risk assessment for SMEs is designed for untrained users and organization with small IT infrastructure. Security of SMEs is crucial for European economy, since they represent 99% of all enterprises in EU and around 65 million jobs, said ENISA said.

ENISA report and findings

As economic slowdown is looming ahead in US economy, it makes sense to adopt a lifecycle approach which is simplified, standardized in managing and securing the SMEs data. SME is the core engine of US economy as well; taking a standard based approach for data protection will not only serve to increase awareness and secure businesses but will also satisfy various compliance needs. Complexity is an enemy of security and SME most of the time don’t have inside expertise to tackle organizations information security needs. The main idea is to build a simple, flexible and cost efficient risk assessment and risk management program for non-expert users and management with relatively less complex IT infrastructure which fits the needs of all SME. This program will serve as an IT risk assessment tool; fulfill the needs of several regulations and serves as a great security awareness tool as well. As business needs change, risk assessment and risk management process can be improved utilizing Deming PDCA model. Start with a base model program and improve the process to tailor your business needs down the road.

Another methodology which is worth mentioning here for simplified risk assessment approach for SME is Facilitated Risk Analysis and Assessment Process (FRAAP) created by Tom Peltier which can be utilized to identify and quantify threats to IT infrastructure. Tom also teaches a class how to complete a risk assessment in 5 days or less utilizing FRAAP and his book on “Information security risk analysis” where he explains his FRAAP methodology.

Related articles by Zemanta

Computer Security
httpv://www.youtube.com/watch?v=MUQzEJ82TrQ

Reblog this post [with Zemanta]

Tags: Business, Computer security, Consultants, European Network and Information Security Agency, European Union, information security risk analysis, Risk management, Security, Security Risk Assessment, Small and medium enterprises, SME

Oct 07 2008

vsRisk and security risk assessment

Category: ISO 27k,Security Risk AssessmentDISC @ 3:18 pm

Information Security Risk Management for ISO27001 / ISO27002

The State of California has adopted ISO/IEC 27002 as its standard for information security and recommends other organizations and vendors to use this standard as guidance in their efforts to comply with California law.

To achieve an ongoing compliance, major organizations require tools to comply with standard such as ISO 27002/ISO27001. vsRisk is an easy to use Information Security Risk Assessment tool which makes risk assessment process consistent, easier and produces required documentation to achieve ISO 27001 certification . vsRisk also aligns seamlessly with standards like ISO 27002, ISO 27005 and NIST SP 800-30.

vsRisk helps organizations to develop an Information Security Management System (ISMS) asset inventory and capture business, legal and contractual requirements against each asset. vsRisk is customizable to meet specific needs when introducing new risks, vulnerabilities and controls without any additional help from a consultant. vsRisk helps you focus on assets rather than on threats and vulnerabilities. This is an approach which works by treating business processes as an asset, which is examined for their criticality, lack of security and consequences of failed process can be examined. In this regards, vsRisk is an effective and efficient tool by identifying most important points and key issues right away, which focusing on threats doesn’t.

Major benefits of vsRisk tool:
1. It is the definitive ISO27001 risk assessment tool, compliant
with all the key information security standards – which means that
you can be certain that a vsRisk risk assessment will help you
achieve ISO27001 certification.
2. It is designed to be usable – your lead risk assessor and any
asset owners involved in your risk assessment are going to find
their task made easier
3. Unique features include the risk assessment wizard, which
standardizes the risk assessment process and guides asset owners
through the risk assessment process.
4. vsRisk creates a baseline from which future risk assessments can
easily be made.
5. vsRisk integrates with ISMS documentation toolkit, for even
greater usability.

“vsRisk™- the Definitive ISO 27001: 2005-Compliant Information Security Risk Assessment Tool, which automates and delivers an ISO/IEC 27001-compliant risk assessment and can assess confidentiality, integrity and availability for each of business, legal and contractual aspects of information assets – as required by ISO 27001. Providing a comprehensive best-practice alignment, it supports ISO 27001 and 27002 (ISO/IEC 17799) disciplines, and is ISO/IEC 27005 and NIST SP 800-30 compliant. It also offers a wizard-based approach that simplifies and accelerates the risk assessment process, plus integrates and regularly updates BS7799-3 compliant threat and vulnerability databases.”

The key to successful Risk Management is to protect your most important/critical assets. The importance/criticality of an asset might change over time. That is another reason to automate security risk assessment process to recalibrate your risks based on current state of security.

Risk Management to ISO27001/NIST Wizard-based risk assessment tool Simplifies compliance – To buy vsRisk tool!

Meet Stringent California Information Security Legislation with Comprehensive Toolkit

ISO27001 EXPERTS CAN HELP COMPANIES MEET STRINGENT CALIFORNIAN …
EIN News (press release) – Netherlands
vsRisk™- the Definitive ISO 27001: 2005-Compliant Information Security Risk Assessment Tool, which automates and delivers an ISO/IEC 27001-compliant risk …

Tags: asset owner, automate security risk assessment, baseline, california, isms, iso 17799, iso 27001, iso 27001 certification, iso 27002, iso 27005, nist sp 80-30, sb 1386, vsrisk

« Previous Page