Ch09 Cryptographic Tools

Chapter 16 of 'Computer Security: Principles and Practice' focuses on IT security management and risk assessment, outlining the process for identifying and protecting organizational assets against threats. It discusses various ISO 27000 security standards, the importance of senior management support, and different approaches to risk assessment, including baseline, informal, detailed, and combined methods. The chapter emphasizes the need for a cyclic process in IT security management, integrating security policies, risk assessments, and continuous monitoring to ensure effective protection of information assets.


Computer Security: Principles and Practice
Chapter 16 – IT Security Management and Risk Assessment
First Edition
by William Stallings and Lawrie Brown
Lecture slides by Lawrie Brown


Overview
• security requirements means asking:
  - what assets do we need to protect?
  - how are those assets threatened?
  - what can we do to counter those threats?
• IT security management answers these:
  - determining security objectives and risk profile
  - perform security risk assessment of assets
  - select, implement, monitor controls (next chapter)
  - iterate process (next chapter)
IT Security Management
• IT Security Management: a process used to achieve and maintain appropriate levels of confidentiality, integrity, availability, accountability, authenticity and reliability. IT security management functions include:
  - organizational IT security objectives, strategies and policies
  - determining organizational IT security requirements
  - identifying and analyzing security threats to IT assets
  - identifying and analyzing risks
  - specifying appropriate safeguards
  - monitoring the implementation and operation of safeguards
  - developing and implementing a security awareness program
  - detecting and reacting to incidents
ISO 27000 Security Standards
ISO27000: a proposed standard which will define the vocabulary and definitions used in the 27000 family of standards.
ISO27001: defines the information security management system specification and requirements against which organizations are formally certified. It replaces the older Australian and British national standards AS7799.2 and BS7799.2.
ISO27002 (ISO17799): currently published and better known as ISO17799, this standard specifies a code of practice detailing a comprehensive set of information security control objectives and a menu of best-practice security controls. It replaces the older Australian and British national standards AS7799.1 and BS7799.1.
ISO27003: a proposed standard containing implementation guidance on the use of the 27000 series of standards following the "Plan-Do-Check-Act" process quality cycle. Publication is proposed for late 2008.
ISO27004: a draft standard on information security management measurement to help organizations measure and report the effectiveness of their information security management systems. It will address both the security management processes and controls. Publication is proposed for 2007.
ISO27005: a proposed standard on information security risk management. It will replace the recently released British national standard BS7799.3. Publication is proposed for 2008/9.
ISO13335: provides guidance on the management of IT security. This standard comprises a number of parts. Part 1 defines concepts and models for information and communications technology security management. Part 2, currently in draft, will provide operational guidance on ICT security. These replace the older series of 5 technical reports ISO/IEC TR 13335 parts 1-5.
IT Security Management
• IT security management needs to be a key part of an organization's
• IT security risk assessment process should be incorporated into the wider risk assessment of all the organization's assets
• unless senior management in an organization are aware of, and support, this process, it is unlikely that the desired security objectives will be met
• contribute appropriately to the organization's business outcomes
• IT management is not something undertaken just once; rather, it is a cyclic process
IT Security Management Process
(figure: the Plan - Do - Check - Act cycle)
Plan - Do - Check - Act
• Plan - establish security policy, objectives, processes and procedures relevant to managing risk and improving information security
• Do - implement and operate the security policy, controls, processes and procedures
• Check - assess and, where applicable, measure process performance against security policy
• Act - take corrective and preventive actions, based on the results of the internal security audit and management review
Organizational Context and Security Policy
• first examine organization's IT security:
  - objectives - wanted IT security outcomes
  - strategies - how to meet objectives
  - policies - identify what needs to be done
• maintained and updated regularly
  - using periodic security reviews
  - reflect changing technical / risk environments
• examine role of IT systems in organization
Security Policy Topics
• needs to address:
  - scope and purpose, including relation of objectives to business, legal and regulatory requirements
  - IT security requirements
  - assignment of responsibilities
  - risk management approach
  - security awareness and training
  - general personnel issues (trust) and any legal sanctions
  - integration of security into systems development
  - information classification scheme
  - contingency and business continuity planning
  - incident detection and handling processes
  - how and when the policy is reviewed, and change control to it
Management Support
• IT security policy must be supported by senior management
• need IT security officer
  - to provide consistent overall supervision
  - manage process
  - handle incidents
• large organizations need IT security officers on major projects / teams
  - manage process within their areas
Security Risk Assessment
• risk assessment is a critical component of the IT security management process
  - else may have vulnerabilities or waste money
• ideally examine every asset versus risk
  - not feasible in practice
• choose one of the possible alternatives based on the organization's resources and risk profile
  - baseline
  - informal
  - formal
  - combined
Baseline Approach
• a basic general level of security controls on systems using baseline documents
• use "industry best practice"
  - easy, cheap, can be replicated
  - but gives no special consideration to organization
  - may give too much or too little security
• implement safeguards against most common threats
• baseline recommendations and checklist documents available from various bodies
• alone only suitable for small organizations
Informal Approach
• conduct informal, pragmatic (specific and realistic) risk analysis on organization's IT systems
• exploits knowledge and expertise of analyst
• fairly quick and cheap
• does address some organization-specific issues
• some risks may be incorrectly assessed
• skewed by analyst's views, varies over time
• suitable for small to medium sized organizations
Detailed Risk Analysis
• most comprehensive alternative
• assess using formal structured process
  - with a number of stages
  - identify likelihood of risk and consequences
  - hence have confidence controls appropriate
• costly and slow, requires expert analysts
• may be a legal requirement to use
• suitable for large organizations with IT systems critical to their business objectives
• for some organizations, there is no choice but to use this approach
Combined Approach
• combines elements of other approaches
  - initial baseline on all systems
  - informal analysis to identify critical risks of key systems
  - formal assessment on these systems
  - iterated and extended over time
• better use of time and money resources
• easy to convince the management
• better security earlier that evolves
• may miss some risks early
• recommended alternative for most organizations
Combined Approach
• there are some disadvantages: if the initial high-level analysis is inaccurate, then some systems for which a detailed risk analysis should be performed may remain vulnerable for some time
Detailed Risk Analysis Process
(figure: the detailed risk analysis process)
Establish Context
• determine broad risk exposure of organization
  - related to wider political / social environment
  - and legal and regulatory constraints
  - provide baseline for organization's risk exposure
• specify organization's risk appetite (level of risk that an organization is willing to accept while pursuing its objectives)
• set boundaries of risk assessment
  - partly on risk assessment approach used
• decide on risk assessment criteria used
Asset Identification
• identify assets
  - "anything which needs to be protected"
  - of value to organization to meet its objectives
  - tangible or intangible
  - in practice try to identify significant assets
• draw on expertise of people in relevant areas of organization to identify key assets
  - identify and interview such personnel
  - see checklists in various standards
Terminology
• asset: anything that has value to the organization
• threat: a potential cause of an unwanted incident which may result in harm to a system or organization
• vulnerability: a weakness in an asset or group of assets which can be exploited by a threat
• risk: the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets
Threat Identification
• to identify threats or risks to assets ask:
  1. who or what could cause it harm?
  2. how could this occur?
• threats are anything that hinders or prevents an asset providing appropriate levels of the key security services:
  - confidentiality, integrity, availability, accountability, authenticity and reliability
• assets may have multiple threats
Threat Sources
• threats may be
  - natural "acts of god"
  - man-made and either accidental or deliberate
• should consider human attackers:
  - motivation: why would they target this organization, how motivated are they?
  - capability: what is their level of skill in exploiting the threat?
  - resources: how much time, money, and other resources could they deploy?
  - probability of attack: how likely and how often would your assets be targeted?
  - deterrence: what are the consequences to the attacker of being identified?
• any previous history of attack on organization
Threat Identification
• depends on risk assessor's experience
• uses variety of sources
  - natural threat chance usually well known from insurance companies' records (statistics)
  - lists of potential threats in standards, IT security surveys, info from governments
  - tailored to organization's environment
  - and any vulnerabilities in its IT systems
Vulnerability Identification
• identify exploitable flaws or weaknesses in organization's IT systems or processes
• hence determine applicability and significance of threat to organization
• note need combination of threat and vulnerability to create a risk to an asset
• again can use lists of potential vulnerabilities in standards etc.
Analyse Risks
• specify likelihood of occurrence of each identified threat to asset given existing controls
  - management, operational, technical processes and procedures to reduce exposure of organization to some risks
• specify consequence should threat occur
• hence derive overall risk rating for each threat:
  risk = probability threat occurs x cost to organization
• in practice very hard to determine exactly
• use qualitative, not quantitative, ratings for each
• aim to order resulting risks in order to treat them
Determine Likelihood
Rating  Likelihood      Expanded Definition
1       Rare            May occur only in exceptional circumstances and may be deemed as "unlucky" or very unlikely.
2       Unlikely        Could occur at some time but not expected given current controls, circumstances, and recent events.
3       Possible        Might occur at some time, but just as likely as not. It may be difficult to control its occurrence due to external influences.
4       Likely          Will probably occur in some circumstance and one should not be surprised if it occurred.
5       Almost Certain  Is expected to occur in most circumstances and certainly sooner or later.
Determine Consequence
• judgment of the asset's owners and the organization's management
• consequence needs to be realistic
• the impact on the organization as a whole
  - not just the impact on the affected system
• impact on the organization could vary from it being a minor inconvenience
Determine Consequence
Rating  Consequence     Expanded Definition
1       Insignificant   Generally a result of a minor security breach in a single area. Impact is likely to last less than several days and requires only minor expenditure to rectify.
2       Minor           Result of a security breach in one or two areas. Impact is likely to last less than a week, but can be dealt with at the segment or project level without management intervention. Can generally be rectified within project or team resources.
3       Moderate        Limited systemic (and possibly ongoing) security breaches. Impact is likely to last up to 2 weeks and generally requires management intervention. Will have ongoing compliance costs to overcome.
4       Major           Ongoing systemic security breach. Impact will likely last 4-8 weeks and require significant management intervention and resources to overcome, and compliance costs are expected to be substantial. Loss of business or organizational outcomes is possible, but not expected, especially if this is a once off.
5       Catastrophic    Major systemic security breach. Impact will last for 3 months or more and senior management will be required to intervene for the duration of the event to overcome shortcomings. Compliance costs are expected to be very substantial. Substantial public or political debate about, and loss of confidence in, the organization is likely. Possible criminal or disciplinary action is likely.
6       Doomsday        Multiple instances of major systemic security breaches. Impact duration cannot be determined and senior management will be required to place the company under voluntary administration or other form of major restructuring. Criminal proceedings against senior management are expected, and substantial loss of business and failure to meet organizational objectives is unavoidable.
Determine Resultant Risk
                   Consequences
Likelihood         Doomsday  Catastrophic  Major  Moderate  Minor  Insignificant
Almost Certain     E         E             E      E         H      H
Likely             E         E             E      H         H      M
Possible           E         E             E      H         M      L
Unlikely           E         E             H      M         L      L
Rare               E         H             H      M         L      L

Risk Level    Description
Extreme (E)   Will require detailed research and management planning at an executive/director level. Ongoing planning and monitoring will be required with regular reviews. Substantial adjustment of controls to manage the risk is expected, with costs possibly exceeding original forecasts.
High (H)      Requires management attention, but management and planning can be left to senior project or team leaders. Ongoing planning and monitoring with regular reviews are likely, though adjustment of controls is likely to be met from within existing resources.
Medium (M)    Can be managed by existing specific monitoring and response procedures. Management by employees is suitable with appropriate monitoring and reviews.
Low (L)       Can be managed through routine procedures.
Document in Risk Register and Evaluate Risks
Asset | Threat/Vulnerability | Existing Controls | Likelihood | Consequence | Level of Risk | Risk Priority
Internet Router | Outside hacker attack | Admin password only | Possible | Moderate | High | 1
Destruction of Data Center | Accidental fire or flood | None (no disaster recovery plan) | Unlikely | Major | High | 2
Risk Treatment
Risk Treatment Alternatives
• risk acceptance (management takes responsibility)
• risk avoidance (loss of convenience or ability to perform some function)
• risk transferal (third party, e.g. insurance)
• reduce consequence (by modifying structure, reduce impact by implementing a control, e.g. backup)
• reduce likelihood (lower the chance, e.g. by deploying a firewall)
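The qualitative rating of the Analyse Risks slide, the likelihood-by-consequence matrix, the risk register and the reduce-likelihood / reduce-consequence treatments, carried through as an added Python example (not code from the slides or the book). The scales, matrix and register rows are the ones on the slides; function names and the dictionary layout are my own.

```python
# Added example (not from the slides): the chapter's qualitative risk rating in
# code. Scales, matrix and register rows are the ones tabulated on the slides;
# treat() applies the "reduce likelihood" / "reduce consequence" alternatives.
LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Almost Certain"]
CONSEQUENCE = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic", "Doomsday"]
# One string per likelihood row; columns run Doomsday .. Insignificant as on the slide.
RISK_MATRIX = {
    "Almost Certain": "EEEEHH",
    "Likely":         "EEEHHM",
    "Possible":       "EEEHML",
    "Unlikely":       "EEHMLL",
    "Rare":           "EHHMLL",
}
LEVEL_NAME = {"E": "Extreme", "H": "High", "M": "Medium", "L": "Low"}
LEVEL_RANK = {"E": 4, "H": 3, "M": 2, "L": 1}


def risk_level(likelihood, consequence):
    """Return the matrix cell (E/H/M/L) for a likelihood/consequence pair."""
    if likelihood not in RISK_MATRIX or consequence not in CONSEQUENCE:
        raise ValueError(f"unknown rating: {likelihood!r} / {consequence!r}")
    col = len(CONSEQUENCE) - 1 - CONSEQUENCE.index(consequence)  # Doomsday -> column 0
    return RISK_MATRIX[likelihood][col]


def evaluate_register(rows):
    """Rate each row, sort highest risk first and number the priorities.
    Equal levels keep input order (stable sort), as in the slide's register."""
    rated = [dict(r, code=risk_level(r["likelihood"], r["consequence"])) for r in rows]
    rated.sort(key=lambda r: LEVEL_RANK[r["code"]], reverse=True)
    for priority, r in enumerate(rated, start=1):
        r["level"] = LEVEL_NAME[r.pop("code")]
        r["priority"] = priority
    return rated


def treat(row, likelihood=None, consequence=None):
    """Re-rate a row after a treatment that lowers its likelihood and/or consequence."""
    new = dict(row)
    if likelihood is not None:
        assert LIKELIHOOD.index(likelihood) <= LIKELIHOOD.index(row["likelihood"])
        new["likelihood"] = likelihood
    if consequence is not None:
        assert CONSEQUENCE.index(consequence) <= CONSEQUENCE.index(row["consequence"])
        new["consequence"] = consequence
    new["level"] = LEVEL_NAME[risk_level(new["likelihood"], new["consequence"])]
    return new


# Constructed sample: the two rows of the "Document in Risk Register" slide.
SAMPLE_REGISTER = [
    {"asset": "Internet Router", "threat": "Outside hacker attack",
     "controls": "Admin password only", "likelihood": "Possible", "consequence": "Moderate"},
    {"asset": "Destruction of Data Center", "threat": "Accidental fire or flood",
     "controls": "None (no disaster recovery plan)", "likelihood": "Unlikely", "consequence": "Major"},
]

if __name__ == "__main__":
    for r in evaluate_register(SAMPLE_REGISTER):
        print(f'{r["priority"]}. {r["asset"]}: {r["likelihood"]} x {r["consequence"]} -> {r["level"]}')
    print(treat(SAMPLE_REGISTER[0], likelihood="Unlikely")["level"])   # Medium (firewall deployed)
    print(treat(SAMPLE_REGISTER[1], consequence="Moderate")["level"])  # Medium (backups in place)
```

Running the block reproduces the slide's two "High" rows with priorities 1 and 2, and shows that lowering one rating step on either axis moves each of them down to Medium in the matrix.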
Case Study: Silver Star Mines
• fictional operation of global mining company
• large IT infrastructure
  - both common and specific software
  - some directly relate to health & safety
  - formerly isolated systems now networked
• decided on combined approach
• mining industry at the less risky end of the spectrum
• subject to legal / regulatory requirements
• management accepts moderate or low risk
Assets
• reliability and integrity of SCADA (Supervisory Control and Data Acquisition) nodes and network
• integrity of stored file and database information
• availability, integrity of financial system
• availability, integrity of procurement system
• availability, integrity of maintenance/production system
• availability, integrity and confidentiality of mail services
Threats & Vulnerabilities
• unauthorized modification of control system
• corruption, theft, loss of info
• attacks/errors affecting system
• attacks/errors affecting system
• attacks/errors affecting system
• attacks/errors affecting system
Risk Register
Asset | Threat/Vulnerability | Existing Controls | Likelihood | Consequence | Level of Risk | Priority
Reliability and integrity of the SCADA nodes and network | Unauthorized modification of control system | layered firewalls & servers | Rare | Major | High | 1
Integrity of stored file and database information | Corruption, theft, loss of info | firewall, policies | Possible | Major | Extreme | 2
Availability and integrity of Financial System | Attacks/errors affecting system | firewall, policies | Possible | Moderate | High | 3
Availability and integrity of Procurement System | Attacks/errors affecting system | firewall, policies | Possible | Moderate | High | 4
Availability and integrity of Maintenance/Production System | Attacks/errors affecting system | firewall, policies | Possible | Minor | Medium | 5
Availability, integrity and confidentiality of mail services | Attacks/errors affecting system | firewall, ext mail gateway | Almost Certain | Minor | High | 6
Summary
• detailed need to perform risk assessment as part of IT security management process
• relevant security standards
• presented risk assessment alternatives
• detailed risk assessment process involves
  - context including asset identification
  - identify threats, vulnerabilities, risks
  - analyse and evaluate risks
• Silver Star Mines case study
