Security Risk Management

Transcription

1 Security Risk Management Building an Information Security Risk Management Program from the Ground Up Evan Wheeler Technical Editor Kenneth Swick ELSEVIER AMSTERDAM BOSTON HEIDELBERG LONDON NEW YORK OXFORD PARIS SAN DIEGO SAN FRANCISCO SINGAPORE SYDNEY TOKYO Syngress is an imprint of Elsevier SVNGRESS

2 Contents Preface xiii PART I INTRODUCTION TO RISK MANAGEMENT CHAPTER 1 The Security Evolution 3 Introduction 3 How We Got Here 3 Banning Best Practices 4 Looking Inside the Perimeter 6 A Risk-Focused Future 6 A New Path Forward 6 The Shangri-La of Risk Management 7 Information Security Fundamentals 8 Safety before Security 8 The Lure of Security by Obscurity 9 Redefining the CIA Triad 10 Security Design Principles 11 Threats to Information 16 The Death of Information Security 16 Security Team Responsibilities 16 Modern Information Security Challenges 17 The Next Evolution 18 Summary 19 References 19 CHAPTER 2 Risky Business 21 Introduction 21 Applying Risk Management to Information Security 21 Mission of Information Security 22 Goal of Risk Management 22 Architecting a Security Program 24 How Does it Help? 25 Business-Driven Security Program 28 Work Smarter, Not Harder 28 Positioning Information Security 30 Due Diligence 30 Facilitating Decision Making 32

3 vi Contents Security as an Investment 34 Security Metrics 35 Qualitative versus Quantitative 37 Qualitative Analysis 38 Quantitative Analysis 39 Summary 40 Action Plan 41 References 41 CHAPTER 3 The Risk Management Lifecycle 43 Introduction 43 Stages of the Risk Management Lifecycle 43 Risk Is a Moving Target 44 A Comprehensive Risk Management Workflow 46 Business Impact Assessment 48 Resource Profiling 48 A Vulnerability Assessment Is Not a Risk Assessment 50 Vulnerability Assessment 51 Risk Assessment 51 Making Risk Decisions 53 Risk Evaluation 53 Document 55 Mitigation Planning and Long-Term Strategy 56 Risk Mitigation 56 Validation 57 Monitoring and Audit 57 Process Ownership 59 Summary 60 Action Plan 60 PART 11 RISK ASSESSMENT AND ANALYSIS TECHNIQUES CHAPTER 4 Risk Profiling 63 Introduction 63 How Risk Sensitivity Is Measured 63 Making a Resource List 64 Sensitivity, Not Exposure 65 Security Risk Profile 66 Profiling in Practice 68 Asking the Right Questions 71

4 Contents vii Risk Impact Categories and Examples 71 Profile Design 73 Calculating Sensitivity 78 Assessing Risk Appetite 81 Assessing the C-Level 82 Setting Risk Thresholds and Determining Tolerance Ranges 83 Summary 84 Action Plan 84 Reference 85 CHAPTER 5 Formulating a Risk 87 Introduction 87 Breaking down a Risk 87 Finding the Risk, Parti 88 Terminology Is Key 88 Envision the Consequences 90 Finding the Risk, Part H 92 Who or What Is the Threat? 95 Defining Threats 95 Threat Analysis 99 Threats Are Different from Risks 100 Summary 102 Action Plan 102 References 103 CHAPTER 6 Risk Exposure Factors 105 Introduction 105 Qualitative Risk Measures 105 Defining Severity 106 Defining Likelihood Ill Qualitative Risk Exposure 114 Applying Sensitivity 115 Risk Assessment 117 Qualitative Risk Analysis 117 Quantitative Risk Analysis 123 Summary 124 Action Plan 125 Reference 125

5 viii Contents CHAPTER 7 Security Controls and Services 127 Introduction 127 Fundamental Security Services 127 Security Control Principles 128 Assurance Models 129 Access Control Models 130 Security Services 131 Composite Services 143 Recommended Controls 144 Fundamental Security Control Requirements 144 Summary 145 Action Plan 146 Reference 146 CHAPTER 8 Risk Evaluation and Mitigation Strategies 147 Introduction 147 Risk Evaluation 147 Security's Role in Decision Making 148 Documenting Risk Decisions 151 Calculating the Cost of Remediation 153 Residual Risk 154 Risk Mitigation Planning 154 Mitigation Approaches 154 Choosing Controls 156 Policy Exceptions and Risk Acceptance 156 Exception Workflow 157 Signature Requirements 159 Expiration and Renewal 161 Summary 161 Action Plan 162 CHAPTER 9 Reports and Consulting 163 Introduction 163 Risk Management Artifacts 163 A Consultant's Perspective 165 Octave Allegro 165 Risk Assessment Engagement 168 Structure of a Risk Assessment Report 175 Executive Communication 181 Writing Audit Responses 183

6 Contents ix Summary 187 Action Plan 188 References 188 CHAPTER 10 Risk Assessment Techniques 189 Introduction 189 Operational Assessments 189 Operational Techniques 190 Assessment Approaches for Different Sized Scopes 197 Project-Based Assessments 198 Risk Assessments in the Project Lifecycle 198 The FRAAP Approach 199 Third-Party Assessments 205 Industry Standard Assessments 206 Improving the Process 210 Summary 211 Action Plan 211 References 212 PART III BUILDING AND RUNNING A RISK MANAGEMENT PROGRAM CHAPTER 11 Threat and Vulnerability Management 215 Introduction 215 Building Blocks 215 Program Essentials 216 Asset and Data Inventory 218 Resource Profiling 219 Threat Identification 220 Threat Data Sources 221 Advisories and Testing 222 Rating Vulnerabilities 222 An Efficient Workflow 228 Defining a Workflow 229 Exceptions 230 The FAIR Approach 230 Measuring Risks 231 Summary 236 Action Plan 237 References 237

7 X Contents CHAPTER 12 Security Risk Reviews 239 Introduction 239 Assessing the State of Compliance 239 Balancing Security and Risk 240 Qualifying the Risk 241 Implementing a Process 242 Workflow Steps 242 Process Optimization: A Review of Key Points 251 The NIST Approach 253 The NIST Evolution 253 Focus of the NIST Process 254 Summary 257 Action Plan 257 References 257 CHAPTER 13 A Blueprint for Security 259 Introduction 259 Risk in the Development Lifecycle 259 Analysis Workflow 261 Security Architecture 263 Goal of Security Architecture 263 Developing an Architecture 264 Security Architecture Principles 267 Separation by Risk Profile 267 Rules of Data Movement 268 Information Flow Control Model 269 Nontraversable Boundaries 269 Trust Relationships 269 Security Zones 272 Patterns and Baselines 273 Services (Payload) Traffic 273 Management Traffic 273 Infrastructure Common Services 274 External versus Internal Traffic 274 Transitive Risk Considerations 274 Traversing Risk Sensitivity Boundaries 275 Combining Security Controls 275 Aggregate and Partial Data 276 Multidevice Systems 276 Front-End versus Back-End Application Tiers 277

8 Contents xi Public-Facing Resources 277 Internal Nonstandard Clients 277 Architectural Risk Analysis 278 Detailed Risk Analysis Workflow 278 Summary 283 Action Plan 284 Reference 284 CHAPTER 14 Building a Program from Scratch 285 Introduction 285 Designing a Risk Program 285 Risk Is the Core 286 Program Goals 287 Starting from Scratch 288 Comparing the Models 290 Prerequisites for a Risk Management Program 291 Security Policies and Standards 292 Information Resources Inventory 292 Security Liaisons 293 Risk at the Enterprise Level 295 Common Risk Formula 295 Enterprise Risk Committee 296 Mapping Risk Domains to Business Objectives 296 Examples of Risk Areas 298 Linking the Program Components 298 Tying Other Security Processes to Risk 298 Risk and Exception Tracking System 299 Program Roadmap 300 Summary Lessons from the Trenches Reference 302 Appendix A: Sample Security Risk Profile 303 Appendix B: Qualitative Risk Scale Reference Tables 309 Appendix C: Architectural Risk Analysis Reference Tables 313 Index 331