CSSLP Tutorial: Module 01, Part 07 – Risk Assessment

Risk Assessment

CSSLP Tutorial: Part Seven deals with risk management as a whole.

This section covers what risk management is, what its elements are, and the steps of a guideline for choosing a risk mitigation strategy. Risk management is an overall term, because whenever you are doing something, even just talking about it, you are doing some form of risk management. The four main elements of risk management are assessment, analysis, mitigation, and ongoing monitoring. We’ll discuss each of these in more detail later, but for now a definition of each is in order. Risk assessment is about identification. Risk analysis is about assigning a value. Analysis leads us to mitigation: from the analysis we figure out a risk response, and that response is the mitigation process. Risk never goes away, so we have to continuously monitor and remain vigilant about the ever-changing landscape of risks, threats, and vulnerabilities.

CSSLP Tutorial: Risk analysis is about identification of your assets, your threats, your weaknesses, and such.

Start the whole process by asking a few questions: What needs to be protected? What potential threats could pose harm? What weaknesses would allow a threat to come to fruition? The second component, analysis, is then about getting a value. What is the value of the item or data that could be lost? What is the risk worth? A quantitative answer is the better position, especially if we can generate a dollar amount. That figure can ultimately guide how much we can afford to spend, whether in system performance or in real dollars.

CSSLP Tutorial: The cost-benefit analysis leads to mitigation.

So, in the mitigation element we are balancing the value established in the analysis against the cost of the strategy that prevents compromise. Are we going to respond to the threat or risk? If so, how are we going to respond? As the previous section reflected, this is about reducing risk to an acceptable level rather than eliminating it completely.

Since there is always risk, and in this field especially there are always new and ever-changing threats to our systems and other creations, we have to stay on top of what the risks are and continuously adapt ourselves and our systems to accommodate those changes.

CSSLP Tutorial: So, let’s talk about each of these areas in more detail.

The first element is risk assessment. What drives our decisions about risk is what we are protecting and what it is worth. What is the asset, and what value does it hold for us? If it is data, how much is it worth to me or to my customers? If it took us hours or months to create, it is likely more valuable than something quick and easy to recreate. When Sony had their systems compromised around the time of the release of The Interview, they lost employees’ and associates’ Social Security numbers and major medical records. So, if we hold customers’ credit card numbers, medical information, Social Security numbers, or other personally identifiable information, that data becomes very valuable. There is also the possibility of fines or court charges if that information is exposed to the point where others can access it. Discerning the value of the information is important, but analyzing the threats and vulnerabilities is just as much a part of the risk assessment: the asset’s value together with its threats and vulnerabilities is our risk assessment.

CSSLP Tutorial: There are several different approaches to assessing risk.

Among many others, there are at least three I want to discuss here: OCTAVE, FRAP, and NIST 800-30. OCTAVE has three phases: an organizational view, a technological view, and a strategy and plan development view. OCTAVE is more of an internal investigation approach to looking at threats and vulnerabilities; it is a self-based assessment, run by the organization itself.

CSSLP Tutorial: On the other hand, FRAP is a Facilitated Risk Analysis Process.

It is a qualitative, somewhat subjective analysis in which we go through a process to prioritize risks. This is what helps decide whether we should do a later, quantitative study. We might decide qualitatively that the risk is so low that it doesn’t justify going further with a numeric study. On the other hand, the value may be so high that it is deemed imperative to continue and gain a more exact dollar amount for what is at risk. That is what the FRAP type of assessment accomplishes for the organization.


CSSLP Tutorial: The third main type of assessment discussed here is the NIST 800-30.

It is the Risk Management Guide for Information Technology Systems. It has a nine-step process that is all about risk and risk assessment, and it is the guide on which most other assessments and administrators base their decisions. This is really where we characterize our system: for example, whether it holds Top Secret data or sensitive but unclassified data. Using this guide is essential to determine risk in the assessment, but also to address other aspects of risk. If you recall, a threat is what could cause harm to the system, while vulnerabilities are weaknesses. After the initial assessment, we analyze controls and the probability of impact (likelihood and severity): how likely is it that some event happens, and if it does, how severe will the impact be? The next step is to determine risk. Risk determination drives the decision-making about what kinds of controls to apply and how many. This is where we decide on recommendations and then document the results; the documentation step is where we justify our results. The NIST type of assessment is more of a guide with its nine-step process. In summary, whether you are following the guidelines from OCTAVE, FRAP, NIST, or any of the other organizations that have a say in risk management, they are very similar in a general sense.
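The decision chain this tutorial describes (a FRAP-style qualitative screen to decide whether a numeric study is justified, then the quantitative value-at-risk versus cost-of-mitigation comparison from the cost-benefit section) as an added worked example; it is not code from the CSSLP course. It assumes the standard single-loss-expectancy × annual-rate formula for annual loss expectancy, and all asset names, dollar figures and thresholds are constructed for illustration.

```python
from dataclasses import dataclass

# Qualitative scale: 1 = low, 2 = medium, 3 = high (assumed scale, not from the course).
# A FRAP-style screen only sends risks rated at or above this product on to a dollar study.
QUAL_STUDY_THRESHOLD = 4


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int         # qualitative 1..3
    impact: int             # qualitative 1..3
    asset_value: float      # what the asset is worth to us, in dollars
    exposure_factor: float  # fraction of asset value lost in one incident (0..1)
    annual_rate: float      # expected incidents per year


def qualitative_rating(r: Risk) -> int:
    """FRAP-style prioritization: likelihood x impact, higher = more urgent."""
    return r.likelihood * r.impact


def annual_loss_expectancy(r: Risk) -> float:
    """Standard quantitative formula: SLE = value * exposure factor; ALE = SLE * rate."""
    return r.asset_value * r.exposure_factor * r.annual_rate


def decide(r: Risk, control_annual_cost: float, control_reduction: float,
           acceptable_ale: float) -> str:
    """Cost-benefit decision for one candidate control. control_reduction is the
    fraction of expected loss the control removes; acceptable_ale is the loss
    level we are willing to carry (risk is reduced, never eliminated)."""
    if qualitative_rating(r) < QUAL_STUDY_THRESHOLD:
        return "accept"  # too low to justify a numeric study
    ale = annual_loss_expectancy(r)
    if ale <= acceptable_ale:
        return "accept"  # already within the level we are willing to carry
    residual = ale * (1.0 - control_reduction)
    saving = ale - residual
    if control_annual_cost > saving:
        return "not-worth-it"  # control costs more per year than the loss it prevents
    return "mitigate" if residual <= acceptable_ale else "mitigate-and-reassess"


if __name__ == "__main__":
    # Constructed example: a customer card database (figures are illustrative only).
    cards = Risk("customer card data", "database breach", likelihood=2, impact=3,
                 asset_value=2_000_000, exposure_factor=0.25, annual_rate=0.2)
    print(qualitative_rating(cards), annual_loss_expectancy(cards))
    print(decide(cards, control_annual_cost=30_000, control_reduction=0.8,
                 acceptable_ale=25_000))
```

The "mitigate-and-reassess" outcome is the case the tutorial's monitoring element covers: the control pays for itself but residual risk is still above the acceptable level, so another control or a revised threshold is needed.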

CSSLP Tutorial: Overall, for all three assessment types

They say very similar things in their own unique ways: evaluate your assets, analyze your threats and vulnerabilities, determine the risks, decide on a strategy, then test and document the results.