Security Risk Management: Building an Information Security Risk Management Program from the Ground Up
One thing that makes this book so useful is the style that it has been written in, a credit to Wheeler that it allows for direct engagement and is easily digestible by any one at any level in the organisation. Evan Wheeler in his book on information security risk management does just that: he equips professionals tasked with security with the thinking required to create a program that is more preoccupied with the complex strategic-level questions than the technical or operational level skills required to execute particular tools and applications. Wheeler, a practicing security consultant himself, asks the big questions which technicians usually cannot answer […] But for the greater part, Wheeler is obviously […]porting role as policymaker and overseer.
Wheeler organizes his book in three very accessible parts. […] as well as introduces the risk management lifecycle. The second part, which is on risk assessment and analysis techniques, includes chapters on risk profiling, formulating a risk, risk exposure, security control, risk evaluation and reporting. And the final third part is on building and running a risk management program, with a focus on generating a blueprint for security. What is practical about this book is that there are quick guides to follow with detailed descriptions for each part, sub-part, and individual steps in the stages of the risk management workflow. The numerous template pro-formas included in the book also present another tangible way for practitioners to get involved in risk management, providing an approach toward identifying and mapping an organisa[…] The book also contains generic case studies wherever appropriate. The appendices, which include example profiles and questionnaires, are additionally supported by partly-filled out tabular forms in the […] Despite that the book lacks key referencing from academic literature, it can still be used as the basis for setting a large-scale team assignment on devising a risk management program from the ground up for a real organisation.
In an age of outsourcing tasks that are not considered to be a core competency of the business, organisations have often […] ISO series of standards on information security matters, and also other IT governance related frameworks, such as CoBIT. While the claim is made that Wheeler offers a new approach in his book, shaking up old paradigms, it is probably more correct to say that Wheeler has taken tried and tested elements in security management, and has presented them in a more accessible way to the professional who might not necessarily have a security background.
One criticism of Wheeler […] Take for example a quantitative assessment based on annualized loss expectancy (ALE). It is very likely to have two risks end up with exactly the same dollar figure. The fallback position in this situation is to a qualitative assessment result to weigh up which is more significant to the given organizational context when addressing the risk concerns. Innovative modeling approaches which utilize a hybrid approach are now being implemented in many organisations. The absence of this discussion from the book is noted, Wheeler taking the perspective that most organisations use a qualitative approach alone because the quantitative assessment approach relies on too many historical facts which are usually unknown, and based upon complex equations.
Another detail that seems to have not been addressed is that security risk requires business owners to consider interdependencies at a variety of layers. These layers can be considered as categories of resources, i.[…] reputational or regulatory levels. The failure to recognize interdependencies as being an integral dimension of risk assessments can lead to detrimental effects in any risk management program. Scenario analyses conducted to gauge […]
The lifecycle workflow that is introduced in the first part of the book will be used as the structure that guides the discussion of risk profiling, risk assessment approaches, analysis methods, risk decision strategies, control selection, mitigation planning, documenting risks, and processing exceptions. A detailed walkthrough of a recommended risk assessment report and effective techniques to present risk to senior management wraps up this discussion of the risk lifecycle.
As a risk manager or analyst, you will need to adapt your approach depending on the scope of the assessment, whether it be an operational, project-based, or third-party assessment. It affects which resources you assess at all, how often you reassess them, how detailed the assessment needs to be, how to prioritize any risk findings, what level of risk is acceptable, and even the level of management needed to approve an exception.
Looking beyond the individual asset, it is necessary to know how best to gauge the risk appetite of the organization, which really means assessing the risk tolerance of the most senior leaders.
Following the formulation of the risk description, it is important to review the many approaches to modeling and analyzing potential threats. A structured approach to threat modeling can provide a great insight into areas of risk that need to be prioritized, but done wrong this activity can become a huge time drain and can easily distract the security team from the imminent threats.
This chapter focuses on simple and proven models for both qualitative and quantitative risk analysis. The majority of the chapter is spent framing out a qualitative risk measure that accounts for the sensitivity of the resource, the severity of the vulnerability, and the likelihood the threat will exploit the vulnerability. The chapter wraps up with a brief review of quantitative measures, highlighting several implementation challenges and a loss expectancy analysis method.
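As an added illustration (this is not code from Wheeler's book; the ordinal scales, rating cut-offs and sample findings are constructed assumptions), the following Python module builds the qualitative measure just described from sensitivity, severity and likelihood ratings, computes ALE as the quantitative measure, and ranks findings by ALE with the qualitative score as the tie-breaker, which is the fallback the review above describes when two risks land on exactly the same dollar figure.

```python
# Added example, not code from Wheeler's book. It builds the qualitative
# measure described above (resource sensitivity x vulnerability severity x
# threat likelihood) next to the quantitative ALE figure, and ranks risks
# by ALE with the qualitative score as the tie-breaker. All scales,
# thresholds and sample risks are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed ordinal scales (1 = lowest, 4 = highest); not the book's own scales.
SENSITIVITY: Dict[str, int] = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}
SEVERITY: Dict[str, int] = {"low": 1, "moderate": 2, "high": 3, "critical": 4}
LIKELIHOOD: Dict[str, int] = {"rare": 1, "unlikely": 2, "likely": 3, "almost certain": 4}


@dataclass(frozen=True)
class Risk:
    """One risk finding with both its qualitative inputs and its quantitative ones."""
    name: str
    sensitivity: str      # how sensitive the affected resource is
    severity: str         # how bad the vulnerability is
    likelihood: str       # how likely the threat is to exploit it
    sle: float            # single loss expectancy, in dollars (an estimate)
    aro: float            # annualized rate of occurrence (expected events per year)


def qualitative_score(sensitivity: str, severity: str, likelihood: str) -> int:
    """Product of the three ordinal ratings; ranges from 1 to 64 on these scales."""
    return SENSITIVITY[sensitivity] * SEVERITY[severity] * LIKELIHOOD[likelihood]


def qualitative_rating(score: int) -> str:
    """Bucket a score into a rating; the cut-offs are constructed, not the book's."""
    if score >= 36:
        return "critical"
    if score >= 16:
        return "high"
    if score >= 6:
        return "moderate"
    return "low"


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: expected dollar loss per year from this risk."""
    return sle * aro


def rank_risks(risks: List[Risk]) -> List[Tuple[str, float, int, str]]:
    """Order risks by ALE (descending). Two risks with the same dollar figure are
    separated by the qualitative score, the fallback the text describes."""
    rows = []
    for r in risks:
        score = qualitative_score(r.sensitivity, r.severity, r.likelihood)
        rows.append((r.name, annualized_loss_expectancy(r.sle, r.aro), score, qualitative_rating(score)))
    return sorted(rows, key=lambda row: (-row[1], -row[2]))


# Constructed sample findings; the two 25,000-dollar risks tie on ALE on purpose.
SAMPLE_RISKS: List[Risk] = [
    Risk("Unpatched web server", "confidential", "high", "likely", sle=50_000, aro=0.5),
    Risk("Lost unencrypted laptop", "restricted", "moderate", "almost certain", sle=25_000, aro=1.0),
    Risk("Defaced marketing site", "public", "moderate", "likely", sle=2_000, aro=2.0),
]

if __name__ == "__main__":
    for name, ale, score, rating in rank_risks(SAMPLE_RISKS):
        print(f"{name:<26} ALE=${ale:>9,.0f}  qualitative={score:>2} ({rating})")
```

Running the module prints the three constructed findings in ranked order: the laptop and the web server share an ALE of 25,000 dollars, so the higher qualitative score (restricted data, almost certain likelihood) puts the laptop first. The multiplicative score is only one of many possible qualitative formulas; what matters for the chapter's argument is that the three inputs are rated separately and combined consistently.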
There are many standards and frameworks available that will prescribe the minimal security controls that every organization should have in place, but to really understand the significance of these controls, an understanding of the fundamental security services that all these controls implement in some way is required. After reviewing the basics, some particularly universal control requirements will be introduced along with references to additional resources for further guidance. Even more fundamentally, a decision needs to be made about which ones are even worth reviewing and addressing at all.
There is more than one way to mitigate a given risk, and the best risk managers are the ones who can get to the root of the problem and find a creative way to limit the exposure. Especially for risk managers and consultants, or anyone who is working with auditors regularly, this chapter will become an essential reference. Crafting management responses for auditors or regulators is truly an art form and anyone can greatly benefit from the advice throughout this chapter. A risk assessment associated with a single project is going to require a different approach than an assessment of an entire company that is being acquired.
There will also be the everyday assessments of newly announced vulnerabilities or quick assessments of the risks discovered during an active incident investigation. This chapter reviews the most common categories of assessments and offers the most effective way to approach each. Most books and courses about risk management would have ended at this point, but it is critical to show how you can integrate these risk techniques into a comprehensive program to manage risk. To be in information security means that you are assessing and prioritizing risks, but without a structure for processing and filtering the risks, even the best assessor will get buried under the flood of risk information.
Monitoring and assessing threat trends, daily vulnerability reports, deviations from security baselines, and design oversights are all critical components of your program. The book ends by proposing a roadmap to pull the various aspects of a security program policy, threat and vulnerability management, incident response, baseline reviews, security architecture, and vendor management into one cohesive risk management program with a normalized view of risk across the entire organization.
TVM is the umbrella for the majority of the operational risk assessments including security scanning, patch management, and monitoring of security detection controls. Without a strategy for filtering out the lower risk items quickly, you will drown yourself in information almost immediately. This gap analysis is one of the fundamental on-going risk assessment activities that will help to gauge the security posture of the organization versus what controls might be documented on paper.
Of the three, the latter is the rarest, but it is also the most proactive and impactful of the three when done correctly. Security architecture is a big topic, so this chapter will focus on the highlights that risk managers and analysts need to understand in order to work with their architects to develop at least a basic risk assessment model.
As hard as it might be to assess some risks, the real challenge is integrating all these components into your existing security program and showing real value to the rest of the business. This chapter not only presents several of the prerequisites for a risk management program but also offers one possible roadmap for implementing a program with as little resistance as possible. Throughout the book, there is a large focus on the value of rating the risk sensitivity of information resources through profiling.
This appendix presents a sample security risk profile questionnaire that can be customized to fit the needs of a particular business or industry. Many risk analysis techniques, models, and scales are used throughout the book to demonstrate the assessment process with several case studies. This appendix pulls together the final qualitative analysis scales into one place for easy reference. Chapter 13 provides an overview of the architectural risk analysis process based on a model of assessing information flows. This appendix provides several tables that are used to determine the appropriate security requirements for each information flow.
For a first-time author, having a team of editors available to guide me through this process has been invaluable. Writing this book has given me a chance to reflect on my own career experiences, and each success can be directly tied to the good fortune to find a mentor who saw potential and was willing to give me a chance to prove it. I would like to thank all my mentors for all the selfless hours that they have devoted to developing my career and for their positive impact on my life:
I will never forget those late nights when I was working on projects, hoping someone would bring us some food. Did we ever see daylight those years? Among many things, Marc taught me that you can find the best barbecue in Alabama if you follow the dirt road to the house with the pig tied up out front, take a left, and take another left at the corner where the tree fell over back in , and then follow that road until you get to the house where the Parsons used to live and take a right.
More than anything, Bill taught me how to systematically troubleshoot a problem in a real way and that skill has been invaluable in my career. His trust and guidance have made it possible for me to build a risk management program that is worth sharing with the rest of the industry.
All these mentors have either set me on the right track or given me a push in the right direction, but the one who gives me the strength to keep challenging myself every day and inspires me to be my best is my extraordinary wife and secret editor, Rachel. Despite her own challenging career demands, she has put up with my insane hours and inability to say no to new projects that consume our evenings and weekends, and every step of the way, she has always been my greatest supporter.
Clearly, I understand what it means to take risks, but with her as my partner, I am confident that nothing is out of reach. Sorry about making you read so much about risk profiling and exception processing! Working as a security consultant in many industries for over 10 years, Evan Wheeler is accustomed to advising clients on all aspects of information assurance. Specializing in risk management, digital forensic investigations, and security architecture development, he offers an expert insight into security principles for both clients and security professionals.
He brings years of hands-on experience developing a risk assessment practice for a large security services company serving a diverse client base, designing architectural risk analysis frameworks for several major financial services organizations, and performing risk assessments for organizations of various sizes. Evan has spoken to many audiences on topics ranging from building a forensic incident response infrastructure to developing security risk management programs from the ground up.
As a complement to this diverse experience in the field and his Computer Science degree from Georgia Tech, he has earned a Master of Science in Information Assurance from the National Security Agency certified program at Northeastern University. Kenneth Swick is a 20-year veteran of the IT industry in multiple vertical markets with much of that time involved with Risk and Security. Currently, he is a Technical Information Security Officer and Vice President of Citi, being tasked with reducing risk across the organization. His hobbies include keeping up on the latest infosec news and spending time with his family.
Before even starting to think about the various steps required to design a program to assess and evaluate information security risks, it is important to briefly review the history of the field and take a quick look at Information Security as a discipline. Even those of you who are already familiar with some advanced risk assessment techniques can benefit from reviewing how we got here or you risk repeating the same mistakes. Information Security or Information Assurance needs to be viewed through the lens of business context to see the added value of basing your security program on a risk model.
Risk management is by no means a ubiquitous foundation for information security programs, but many visionaries in the field recognize that the future of information security has to be focused on risk decisions if we are to have any hope of combating the ever-changing threat landscape and constantly increasing business demands. If you attend any industry conference or pick up any information security trade magazine, you will certainly see many references to risk assessments, risk analysis, and risk management.
So, how is it possible that many security professionals are still arguing about the value of a risk-based approach to information security? Certainly, all the security products and service vendors have jumped on the risk bandwagon in full force. In fact, walking on the expo floor of any major information security conference, the number of vendors touting their so-called risk management solutions has increased significantly compared to even 1 year prior. As a profession, have we fallen behind the vendors or are they contributing to the false perception of risk management?
The answer is no, not really; but the vendors are positioning it that way, and many people are more than happy to follow blindly if they can cross risk management off their compliance checklist.
This example highlights a great misunderstanding within the field about what risk management really is. Several other industries (for example, insurance, economics, finance) have implemented very robust and precise risk models to handle even complex scenarios. Unfortunately, the information security field itself is rather young compared with these other industries, and when you try to apply a mature discipline like risk management to an evolving practice, there will be gaps that need to be overcome.
This book is focused on addressing those gaps by providing a solid foundation upon which information security professionals can build a world-class risk management program that is aligned with the business objectives of the organization. In order to start the transformation into a risk mind-set, we first have to shed some of the baggage of outdated approaches to information security and dispel several misconceptions about how an information security function should operate. A growing problem in the information security field is the emphasis and reliance on checklists and so-called best practices as the only basis for many decisions.
For the sake of simplicity and consistency, the security field has evolved into a cookbook-type approach. Everyone gets the same recipe for security and is expected to implement it in the exact same way. Instead of blanketly applying best practices across the board, we should be using some risk analysis techniques to identify the critical focus areas and to select the most appropriate solutions for our organizations. The motivation behind this cookbook mentality and the value of security checklists are clear when you look at how the information security field has evolved.
There has always been a heavy technology focus in the field, and much of the security community got their start in an Information Technology (IT) role. As the discipline developed, implementations of security principles and concepts were inconsistent at best, and the need to provide more standardized guidance to the practitioners who were battling it out in the trenches every day resulted in several generic security frameworks, some basic standards, and a lot of operationally focused training.
A typical information security standard might be that sensitive data needs to be encrypted wherever it is stored. Before you confront the business owner and ask them to implement encryption, start by asking yourself why encryption is necessary. What problem are you trying to solve?
What risk are you trying to mitigate? Encryption may not be necessary or appropriate every time. In some cases, it may even conflict with other security needs, such as the desire to inspect all communications in and out of the organization for malicious content or data leakage. Your boss may attend an industry presentation, likely by a vendor, where the speaker recommends database encryption for all sensitive data.
So, they run back to the office and you find yourself suddenly scoping out the effort to encrypt all your databases, but have you defined the problem you are trying to solve? This book is specifically focused on providing a risk model that will allow you to evaluate the threats and the vulnerabilities for your organization, and make educated decisions about how to address the most critical risks.
Having checklists and baselines does make it easy for security practitioners, and even people outside of security, to apply a minimal level of protection without having to understand the intricacies of information security, but at what expense? How can a single list of best practices possibly apply to every organization in the same way?
There are common practices, yes, but none of us is in the position to claim best practices. There is too much potential to be lulled into a false sense of security if we base evaluations of security posture solely on a checklist. Try removing best practices from your vocabulary whenever you are communicating with others in your organization and really focus on the business drivers to justify any recommended controls or mitigation actions. To be effective, senior security professionals need to learn how to perform a true risk assessment and not just accept the established security checklists.
Even the US federal government seems to be moving in this direction with the latest revision of the NIST SP guide for managing the security of federal information systems (formerly focused on Certification and Accreditation), which has been overhauled to use a risk-based approach. It is hard to deny that risk management is the future of the information security field, though some still try to argue against it. A risk-based model can provide a more dynamic and flexible approach to security that bases recommendations on the particular risks of each scenario, not just a single pattern for the entire field.
Just look at the Payment Card Industry (PCI): given all the breaches in the retail space, it is clear that the PCI requirements have not made retail companies any more secure, just more compliant. Another important development in the information security field is the shift from focusing purely on securing the perimeter. Traditional information security practices were primarily concerned with keeping the bad guys out. The assumption was that anything outside your network or physical walls was un-trusted and anything inside could be trusted.
Although this perspective can be very comforting and simplifies your protection activities (in an "ignorance is bliss" kind of way), unfortunately, it is also greatly flawed. As environments have grown more complex, it has even become necessary to separate different portions of the internal environment based on the sensitivity of the resources. It is hard to deny the statistics (according to the Verizon Data Breach Investigations Report, 48 percent of the breaches were caused by insiders) regarding the large percentage of security breaches initiated by malicious insiders or compromises resulting from attackers leveraging exploits on mobile devices to launch attacks on more sensitive internal resources.
At this point, it would be hard even to draw a meaningful perimeter line around your organization.