Tuesday, October 14, 2014

Week 8 - Risk Management

Risk management is a term often heard in the information technology industry, but many in the industry do not understand the process or what is involved in managing risk.  All of us are aware of threats to information security; there seems to be a story in the news almost daily about another organization being compromised and customer information being stolen.  Much of this attention is focused on the electronic payments industry, because stolen financial account details can readily be used to steal funds.  There are a number of compliance standards for this industry, and pressure from both the industry and government to implement them.  But how much thought goes into preventing this type of activity beyond meeting the standards, and what is actually involved in protecting an organization’s information?  This is where risk management comes in.

Every organization has some amount of risk in its operations.  What is unique about information technology risk is that the threats can come from anywhere: as soon as an organization’s systems have a public network connection, those threats are present.  To manage risk, a risk assessment is conducted to understand what assets the organization has, what the threats to those assets are, and what can be done to mitigate them.  There also must be an understanding of the organization’s risk tolerance, because there will be situations where the risk to an asset is higher than the organization is willing to accept, and a decision is needed on whether to reduce that risk to an acceptable level or to stop using the asset.  The National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce, publishes a number of guidelines on information security.
On the subject of risk management, NIST Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments, provides detailed instructions, information, and templates for conducting a risk assessment.  The steps it describes include:

1. Identify threat sources – Threat sources are divided into adversarial and non-adversarial categories.  Candidate threat sources are identified as part of preparing for the assessment.  It is important to exclude threat sources that do not apply to the organization, since assessing them wastes resources that could be spent on real threats.
2. Identify threat events – Threat events describe the specific things a threat source could do, or that could happen.  NIST frames the assessment at three tiers of the organization: tier 1 events could affect the entire organization, tier 2 events span mission or business processes and can cross boundaries between information systems without necessarily affecting the whole organization, and tier 3 events target specific environments, technologies, or systems.
3. Identify vulnerabilities and predisposing conditions – This step uses the information from steps 1 and 2 to determine what vulnerabilities exist in the organization’s information assets.  Since the complexity of information systems is ever increasing, it may be impractical to do this for every asset; in that case the step is used to understand the general nature of the vulnerabilities the organization faces.  Predisposing conditions that make the organization more susceptible to a threat event (for example, where a system is located or what it connects to) are also considered, which helps focus the review on the vulnerabilities that matter.
4. Determine likelihood – This looks at how likely it is that the identified threat events will occur and cause harm.  It must take into account the threat sources that could initiate an event, the vulnerabilities that have been identified, and how effective the organization’s countermeasures are against the threat.  Worded differently: how likely is the threat event to be initiated, how likely is it to result in adverse impact given the organization’s defenses, and what is the overall likelihood of both?
5. Determine impact – Here the adverse effects of threat events are reviewed, taking into account the possible threat sources, the identified vulnerabilities, and how susceptible the countermeasures are to that type of threat.  To some extent this step considers worst-case scenarios and how the organization would react to them.  SP 800-30 then combines the likelihood and impact ratings into a level of risk for each threat event, and that risk level is what gets compared against the organization’s risk tolerance.
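The following is an added example, not from the post and not NIST’s own code, showing how the outputs of steps 4 and 5 are turned into a risk level and compared with a risk tolerance.  The five-level scale (Very Low to Very High) is the qualitative scale SP 800-30 uses in its appendices; the two lookup matrices are illustrative placeholders shaped like the appendix tables, not a copy of them, and the threat register entries are constructed for the example.  An organization would substitute its own agreed scales and tolerance.

```python
"""Semi-quantitative risk determination in the style of NIST SP 800-30 Rev 1.

Added example for illustration only.  The matrices below are placeholders
shaped like the SP 800-30 appendix tables; they are NOT the official values.
"""
from dataclasses import dataclass

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]


def _idx(level: str) -> int:
    """Position of a qualitative level on the five-point scale (validates input)."""
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}; expected one of {LEVELS}")
    return LEVELS.index(level)


# Step 4: overall likelihood.  Rows: likelihood the threat event is initiated
# (or occurs); columns, in LEVELS order: likelihood it results in adverse
# impact given the organization's countermeasures.  Illustrative values.
OVERALL_LIKELIHOOD = {
    "Very High": ["Low", "Moderate", "High", "Very High", "Very High"],
    "High":      ["Low", "Moderate", "Moderate", "High", "Very High"],
    "Moderate":  ["Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Moderate", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Low", "Low", "Low"],
}

# Risk determination.  Rows: overall likelihood; columns, in LEVELS order:
# impact (step 5).  Illustrative values.
RISK_LEVEL = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


@dataclass(frozen=True)
class ThreatEvent:
    source: str          # step 1: adversarial / non-adversarial threat source
    event: str           # step 2: the threat event
    vulnerability: str   # step 3: vulnerability or predisposing condition exploited
    initiation: str      # step 4a: likelihood the event is initiated / occurs
    adverse_impact: str  # step 4b: likelihood it causes harm despite countermeasures
    impact: str          # step 5: severity of harm if it does


@dataclass(frozen=True)
class AssessedEvent:
    event: ThreatEvent
    overall_likelihood: str
    risk: str


def overall_likelihood(initiation: str, adverse_impact: str) -> str:
    """Combine the two step-4 likelihoods into one overall likelihood."""
    _idx(initiation)
    return OVERALL_LIKELIHOOD[initiation][_idx(adverse_impact)]


def risk_level(likelihood: str, impact: str) -> str:
    """Combine overall likelihood with impact into a level of risk."""
    _idx(likelihood)
    return RISK_LEVEL[likelihood][_idx(impact)]


def assess(register: list) -> list:
    """Rate every register entry and return them highest risk first."""
    results = []
    for ev in register:
        lk = overall_likelihood(ev.initiation, ev.adverse_impact)
        results.append(AssessedEvent(ev, lk, risk_level(lk, ev.impact)))
    return sorted(results, key=lambda r: _idx(r.risk), reverse=True)


def above_tolerance(assessed: list, tolerance: str) -> list:
    """Entries whose risk exceeds the organization's stated tolerance."""
    return [r for r in assessed if _idx(r.risk) > _idx(tolerance)]


# Constructed sample register (hypothetical organization, invented entries).
SAMPLE_REGISTER = [
    ThreatEvent("adversarial", "Stolen credentials used against payment portal",
                "No multi-factor authentication on portal", "High", "Moderate", "High"),
    ThreatEvent("adversarial", "Phishing delivers malware to a workstation",
                "Users can run unsigned attachments", "Very High", "Moderate", "Moderate"),
    ThreatEvent("non-adversarial", "Regional power outage at primary data center",
                "Single power feed; generators tested quarterly", "Low", "Low", "High"),
    ThreatEvent("adversarial", "SQL injection against legacy customer portal",
                "Unpatched web framework, no input validation", "High", "High", "Very High"),
]

if __name__ == "__main__":
    rated = assess(SAMPLE_REGISTER)
    for r in rated:
        print(f"{r.risk:9}  likelihood={r.overall_likelihood:9}  {r.event.event}")
    for r in above_tolerance(rated, "Moderate"):
        print("exceeds tolerance:", r.event.event, "->", r.event.vulnerability)
```

Run as a script it prints the register ordered by risk and flags the entries above a Moderate tolerance; in the constructed data only the SQL injection entry exceeds it, which is the kind of item that needs either a mitigation plan or a decision to retire the asset.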

Many of the ideas included in the risk assessment tie back to the previous discussion on incident response, incident recovery, and disaster recovery.  A risk assessment is a more in-depth look at what conditions could cause an incident to occur and at the preparations the organization has made so that threats do not become incidents.  The information presented here is very high level: NIST SP 800-30 Rev 1 is 95 pages, so the items above only briefly touch on the subject, and the appendices in the document provide a substantial amount of detail on each area.  An excellent source for threat information is the Verizon Data Breach Investigations Report.  The 2014 edition breaks out threats by industry, with statistics on the number of incidents of each type reported, and it is a great source when considering the types of threats an organization could be facing.
