Risk Analysis versus Risk Assessment

February 23rd, 2010

By Thomas R. Peltier, Security Sage

Overview

Risk Management is a process that gives management a way to balance meeting business objectives or missions against the need to cost-effectively protect the assets of the organization. In this period of increased external scrutiny, due to the myriad recent questionable management decisions and the corresponding legislative backlash, risk management gives management the ability to actively demonstrate due diligence and show how it is meeting its fiduciary duty.

In this article we will examine how risk analysis helps managers meet their due diligence requirement and how risk assessment fulfills the fiduciary duty requirement.

The difference between risk analysis and risk assessment

When we examine the business process development cycle (BPDC) (also known as the system development life cycle (SDLC)), we see that there are phases in which certain activities are scheduled to be performed. In the BPDC that I am familiar with, the first phase is the “Analysis” process. This is the time when the case for a new project is created. The Risk Analysis, or Project Impact Analysis (PIA), is used to document and demonstrate the business reasons why a new project should be approved. When the PIA is complete, the formal documentation is presented to the Executive Management Committee for review, assessment and possible approval. If approved by the committee, the proposal is then registered and becomes a “project”.

Once a project has been approved, early in the next phase of the BPDC, the “Design” phase, a Risk Assessment must be performed to identify the threats to the organization’s mission or business objectives presented by this new project. The risk assessment allows the development team and the business stakeholders to identify potential threats, prioritize those threats into risks and identify controls that can reduce the risks to acceptable levels. Knowing the control requirements in the “Design” phase will help reduce costs when work begins on the project in the “Construction” or “Development” phase.

Risk Analysis and Due Diligence

Risk analysis is the process that allows management to demonstrate that they have met their obligation of Due Diligence when making a decision whether or not to move forward with a new project, capital expenditure, investment strategy or other such business process.

Due diligence has a number of variant definitions depending on the industry being discussed. Typically, these definitions converge on the measure of prudent activity, or assessment, that is properly to be expected from, and ordinarily exercised by, a reasonable and prudent person under the particular circumstances. Due diligence is not measured by any absolute standard but depends on the relative facts of each case.

In brief, the risk analysis or Project Impact Analysis (PIA) examines the factors that come into play when trying to determine if a project should be approved. The PIA examines the tangible impacts, such as capital outlay, development costs and long-term costs such as continued operations and maintenance. The risk analysis also addresses intangible impacts, such as customer convenience or regulatory compliance.

When the risk analysis is complete, the results are presented to a management oversight committee that is charged with reviewing new project requests and deciding whether or not to move forward. If the request is approved, the project is registered and a risk assessment is scheduled for early in the design phase of the BPDC or SDLC. The documentation is retained for a period of time and can then be used by the organization if there are ever any questions as to why a project was or was not approved.

Risk Assessment and Fiduciary Duty

Because many of our organizations do not know what the threats and risks are to operating in the changing business environment, a formal risk assessment process must be conducted early in the design phase. Risk assessment provides a process to systematically identify threats and then determine risk levels based on a specific methodology designed for the organization conducting the assessment. Once a risk level is established, the project under development can then look to identify control measures that will reduce the risk to acceptable levels.

Risk assessment has four key deliverables: it identifies threats to the organization’s mission, prioritizes those threats into risk levels, identifies mitigating controls or safeguards, and creates an action plan to implement those mitigating controls.

The output from the risk analysis and risk assessment processes will generally be used twice. The first time is when decisions are made: for the risk analysis, that means deciding whether or not to proceed with a new project; for the risk assessment, it means deciding what types of controls or safeguards need to be implemented. For risk assessment, the output will identify which countermeasures should be implemented, or record that management has determined that the best decision is to accept the risk.

The other time the results will be used is when the “spam hits the fan”. That is, when a problem arises and the organization must show the process it used to reach the decisions that it did. The documentation created in the risk management processes will allow the organization to show who was involved, what was discussed, what was considered and what decisions were made.

By implementing risk analysis and risk assessment, an organization has the tools in place to make informed business decisions. By integrating these processes across the entire enterprise, the organization can take back control of its activities from outside interference. With an effective risk assessment process in place, only those controls and safeguards that are actually needed will be implemented. An enterprise will never again face having to implement a mandated control to “be in compliance with audit requirements”.

Conducting a Risk Assessment

No one knows more about your organization than your own employees. An external consultant can lead a risk assessment, but getting a true grasp and understanding of how current controls are working, where the threats are and what risks these threats present requires input from your own employees. Your employees are an excellent resource for this knowledge.

If your organization is fortunate enough to have a Project Management office, then the facilitators from this group would be perfect for conducting the risk management processes. There are some groups that, because of their charters and responsibilities, would be in a conflict of interest if they led or facilitated these processes. Applications development is a group that could have an impact on both risk analysis and risk assessment. Their job is to create applications and systems as quickly and efficiently as possible, so there could be an appearance of conflict of interest.

The Audit staff and Systems Operations are two other groups whose charters of responsibility would lend themselves to an appearance of conflict of interest.

Risk Assessment Timetable

A risk assessment should be completed in days, not weeks or months. To meet the needs of an enterprise, the risk management process must be completed quickly with a minimum of impact on employees’ already busy schedules. We currently offer classes in “How to Complete a Risk Assessment in 5 Days or Less”. This class has been very popular, and the process is field tested every month to ensure that the 5-day time limit is attainable.

Time is a very precious commodity, and a process such as risk management must be structured to be fast and efficient. As you will see, if more time is available there is no end to the different things that can be done. Most organizations, however, have little enough time to spare.

Risk Assessment and Risk Analysis Results

Risk assessment can identify to the enterprise what the threats are and which threats pose the greatest risk to the organization. By identifying the areas of greatest risk, management can concentrate on addressing those areas. Our resources are limited, and the risk identification process allows management to deploy these limited resources where they can be most advantageous. The goal of risk assessment is not to eliminate all risk but to reduce risk to an acceptable level.

The greatest benefit of a risk analysis is to determine whether it is prudent to proceed with a new project or not. It allows management to examine existing tangible and intangible issues and then decide if moving forward with a project makes sound business sense.

Risk Management Metrics

The tangible way to measure success is a lower bottom line for cost. Risk assessment assists in this by identifying only those controls that actually need to be implemented. Organizations no longer implement controls merely because they think they might be needed; only those actions that are actually required are implemented.

For risk analysis, the metric is that only those projects that show a true business need are being implemented.

Another measure of the success of risk analysis and risk assessment comes when management decisions are called into review. By having a formal process in place that demonstrates the due diligence of management in the decision-making process, this kind of inquiry will be dealt with quickly and successfully.

Summary

The risk management process is a business process that supports management in its decision-making. Risk analysis ensures that those projects that are needed by the business are screened, approved, funded and implemented. The risk assessment process provides management with the tools needed to perform its fiduciary responsibility of protecting the assets of the enterprise in a reasonable and prudent manner. These processes do not have to be long, drawn-out affairs. To be effective, risk analysis and risk assessment must be done quickly and efficiently.

20 Years of Information Security: Revolution or Evolution?

October 20th, 2009

By Michael J. Corby, CCP, PMP, CISSP

The Vision from 1989

Computer systems as we know them were in their infancy in the waning moments of the 1980’s and the early years of the 1990’s. Systems were still largely segregated by manufacturer. IBM shops had no DEC equipment anywhere, and vice versa. HP systems were found in manufacturing plants, and the world of CAD/CAE was dominated by stand-alone graphical units that were the engineering versions of the memory typewriter.

As a CIO, my primary responsibilities were to integrate applications, rein in the size of databases and figure out how to integrate the Personal Computer into the work environment productively. Security was being promulgated in the form of model architectures and the “rainbow series”.

Bang!

Within the next ten years, we were enveloped in the “dot-com” boom. Technology permeated every aspect of our lives. Billion dollar companies sprinkled the plethora of Silicon Valleys that were created across the country and the world in respectful imitation of their California heritage. What were we envisioning from the Information Security domain?

In many instances, what we were looking to do was revolutionary. We saw that virus code and other malware instances were gaining in popularity, and Scott McNealy from Sun Microsystems warned that there is no longer any digital privacy.

So what have we actually done? Sometimes we have seen a revolution, sometimes we have seen a slower crawl forward, sometimes we’ve seen nothing in 20 years. Let’s take a look at what has transpired over the past score of budget cycles:

Human Resources and Staffing
In 1989, security professionals were either writing crypto code for the military or were hanging backup tapes in a data center.
Today we are blessed with more than a dozen ways of measuring the security competence of our staff. We have training programs and conferences up the wazoo and enough credentials to exhaust a box of alphabet soup.
Verdict: Revolution

Network Architecture
In 1989, open systems were beginning to babble to each other. Communications was over leased lines or internal networks. Nobody ever used dial-up public communications for sensitive data (if you knew what data was actually sensitive).
Secure network architecture is now available on the shelf at the office supply store. Data in flight is routinely encrypted over public networks, and a major sub-industry to monitor, trace, prevent, and identify rogue communication attempts has flourished.
Verdict: Revolution

Systems Development
The good old five (or six, depending on your school of thought) phase approach to designing systems was de rigueur in 1989. Application teams went through stages of Scope, Design, Programming, Unit Testing (& System Testing) and Implementation. Once all this was done, someone may have asked: “What about backup and recovery?”
The method is the same. Only some of the questions have changed. The question of compliance with laws and industry standards is now part of the design stage of major applications. Along with the questions come the parameters of secure application architecture. Several models exist, but are employed primarily by those who are up on the latest trends.
Verdict: Evolution

Monitoring and Forensics
In 1989, logs were generated and maybe printed. Tracing events was rare, but also largely unnecessary. Nearly everything could be reproduced or rerun if something bad happened, and only occasionally could people actually commit crimes with computers. (I remember that in the mid-80’s, in several states, computer crimes existed only when someone hit somebody else with a keyboard.)

Today, compliance laws and industry regulations have tightened the need for monitoring and active event investigations. Not only do you need to print the logs, you also need someone to review them. A log scanning software industry is being born. Can you hear it?
Verdict: Revolution

Business Awareness
Finally, let’s take a look at what the business sees as Information Security. I had a discussion with my company CEO regarding a security policy. We designed and built coal-fired steam-driven power plants. His answer was “Everyone knows that water boils at zero degrees centigrade at sea level. We don’t have any trade secrets.” Obviously national defense and some very creative industries were concerned, but not the average commercial organization.

Business Continuity and Data Privacy concerns are starting to find their way into board room discussions. Hurricanes, floods and terrorism are dominating the discussion of companies concerned about maintaining industry presence. Regulated industries are leading the way in identifying, segregating and protecting data that must be kept private. Laws are replicating like rabbits in a dark room. We are only seeing the beginning.

Verdict: Slow Starting Revolution

Summary
In these and other areas, we have made substantial progress in information security over the past 20 years. There is more to come. Here’s my prediction: over the next 20 years, security will be embedded in all information management technology. Data segregation will be the usual architecture, trace logs and factual responses to “how did that happen” will be commonplace. Hackers and malware will exist but will be just an annoyance.

Hmmm. Didn’t I say that in 1989?

“You have zero privacy anyway. Get over it.” Reported in Manes, Stephen (2000-04-18), “Private Lives? Not Ours!”, PC World 18 (6): 312, ISSN 0737-8939, http://www.pcworld.com/article/16331/private_lives_not_ours.html, retrieved 2009-09-29.

Contingency Planning Reality Check: The Peak Oil Downside Will Be Steeper Than The Upside

October 20th, 2009

By Charles Cresson Wood

Peak oil is a topic that should be of great concern to all business contingency planners and all information systems contingency planners. It will profoundly affect the way that we all do business in the years ahead. If we don’t have enough energy, electricity supplied by the grid may be intermittent or degraded in quality. If we don’t have enough energy, timing-related bottlenecks in the computerized processes that we have designed may be created (some older readers may remember the long lines at gas stations in the 1970s). If we don’t have enough energy, staff may not be able to commute long distances to get to work in personal automobiles, and may therefore be forced to telecommute. If we don’t have enough energy, long-distance business arrangements, such as the use of offshore staff to perform certain tasks, may no longer be economically viable. There are many other contingency planning related impacts, but the nature of these will be specific to each organization, and will need to be illuminated via business impact analyses.

From many different credible and highly placed sources we are today hearing about the dire energy situation that industrialized civilization faces. Industrialized countries have remained dependent on oil for far too long. As evidence of this, consider that fully 50% of the energy consumed in the United States comes from petroleum. Even though the notion of peak oil is now frequently discussed in newspapers, magazines and TV shows, we, the industrialized nations, are not moving to new sources of energy fast enough to avoid serious and painful adjustment problems. Dr. Fatih Birol, chief economist with the International Energy Administration, accurately summed it up when he recently said: “We must leave oil before it leaves us.”

According to statistics from the United States Energy Information Administration, the worldwide production of conventional oil has been on a plateau for the last several years (about 73 million barrels per day). In spite of a dramatic run-up in prices, culminating with the price of $147 per barrel in July 2008, producers were unable to bring more oil to market. This fact defies a widely held but erroneous belief advanced by traditional economists, that producers will bring more oil to market as the price goes up. That of course makes sense if there is an unlimited supply of oil, but as the worldwide production statistics indicate, we seem to have reached peak worldwide production, and it is only down from this point forward. It’s time that the economists started adjusting their theories to incorporate the real world of resource constraints.

Those readers who have some passing familiarity with the concept of peak oil have no doubt seen a picture of the traditional statistical distribution known as a “bell shaped curve.” These bell shaped curves make sense to people, because in a world with finite resources, what goes up, must come down. These symmetrical bell shaped curves are however lulling us into an attitude of complacency, leading us to believe that we have decades to move off of oil. This is just not so, and this article discusses five serious reasons why this erroneous perception needs to promptly be abandoned.

The bell shaped curve customarily applied to peak oil was popularized by the late geophysicist Dr. M. King Hubbert. He predicted the total United States production of oil would peak on or about 1970. His prediction was accurate, and this type of curve did relatively well when it came to describing the total production of oil in the United States. But total world production of oil does not have another source that it can draw upon when worldwide supplies dwindle, as the United States did back in 1970. Social and economic panic and upheaval were avoided when the United States hit its internal peak oil because it could easily purchase additional supplies from the world marketplace. The social and economic upheaval that worldwide peak oil will bring about will be marked by hoarding, stockpiling, speculators cornering the market, long-term contracts pushing spot market buyers out of the market, government corruption, widespread rationing, and a host of other problems. These maneuvers will rapidly remove oil from the marketplace, and the intensifying competition for the remaining supplies will cause the price to rapidly go up.

The second reason why the drop off in world oil supplies will be steeper than the increase was involves exports. A very large percentage of the remaining oil supplies, perhaps half, is controlled by countries in the Persian Gulf (Iran, Iraq, Kuwait, Saudi Arabia, and United Arab Emirates). These countries are rapidly industrializing and in the process, as you might expect, their consumption of oil is rapidly increasing. As their production declines in the years ahead, an increasing proportion of their production will go to meet domestic needs. This means that a decreasing proportion of their already declining production will be offered for export. At some point, there will be no more exports, as these countries will use all available supplies for internal consumption purposes. Countries such as the United States, that are big importers of oil, stand to be quickly cut off from their oil supplies. Thus the available exports of oil will come to a much more rapid end than total world production of oil, which in turn will be decreasing much more rapidly than the symmetrical bell shaped curve would lead us to believe.

The third reason why world supplies of oil will drop off more rapidly than anticipated involves rapidly developing countries, most notably although certainly not limited to India and China. These countries are working hard to be able to support something like an American lifestyle, including high levels of energy consumption. World oil demand has recently been increasing at about 2% per year, but to fuel the recent economic development of these countries, there will be a markedly increasing worldwide demand for oil. For example, Time magazine reports that China’s oil imports have doubled over the last five years (about 12% compounded each year). Thus the world will soon be drawing down remaining oil supplies at a faster rate than we were drawing down supplies in the recent past. This accelerated demand for, and the accelerated consumption of oil means that the downside slope of the peak oil curve is going to be much steeper than we currently anticipate.

The fourth reason why world supplies of oil will decline far more rapidly than we anticipate involves modern technology. We are now able to drill for oil in the Arctic, more than 10,000 feet below the sea, and in other inhospitable places that we could not economically drill in some fifty years ago. This fact reflects advancements in modern technology, such as computers to model geological deposits of oil. The fact that we have to go to these inhospitable places to get more oil is another indicator that we’re running out of it. But this impressive new technology allows us to accelerate our extraction of oil, in an effort to meet the accelerating demand mentioned in the last paragraph. Imagine the bell shaped curve, except that it is going to be pushed out on the upper right side. In other words, we will be producing slightly below peak levels for a brief while, on a plateau of sorts, and this will be a plateau created by this modern technology. Using elementary calculus, which assumes that the area under the curve remains the same, in other words assuming we have only so much oil available in the world, we can readily determine that when this area is pushed out, another area must be pushed in to compensate. Since everything to the left of this current peak moment is history, and therefore cannot be changed, the only thing that can be changed is the height of the curve (production) in the future. Said a different way, by sustaining our high-energy consumption lifestyle, we are prematurely consuming the oil that would otherwise be left for future generations. In other words, the bell shaped curve will in reality look more like a wave moving to the right (through time), and the wave is just about to come crashing down.

The fifth reason why world oil supplies will decline considerably faster than we now generally believe involves the fact that we produced the least expensive oil first. It is simply common sense, that oil producers would initially focus on the removal from the ground of the oil that was easiest to get to, that was the least expensive to refine, that was the easiest to handle, and that was the least expensive to pump. Reflecting this reality, we now see producers mining the “tar sands” of Canada in an effort to cook the oil out of these sands. Not only is this effort tremendously environmentally destructive, but it consumes a great deal of energy in order to produce oil. Thus the cost of producing each barrel of oil is going up. At the same time, the quality of each barrel thereby produced continues to go down. Combining these two trends, we see that the world will reach a point where it is no longer economical to produce any oil. Mind you, this occurs considerably before the point where the world runs out of oil, and so the curve of world oil production does NOT reflect the relationship that individuals have with the gas tank in their cars. We can’t just keep going until we run out. A lot of oil will be left in the ground because it simply won’t make sense to produce it. Certain locations will meet this point sooner than others, but as more and more locations do reach this point, they will remove themselves from the roster of the remaining oil producers. This in turn will hasten the descent of available oil supplies.

As these five points argue, the day of reckoning is a lot sooner than many of us would like it to be. We do not have decades to transition to alternative energy. It appears as though we have only a few years. We need to get underway with very serious efforts to transition away from petroleum immediately. Government agencies, businesses, non-profit organizations, families, and individuals should all be thinking hard about what their transition to a post-petroleum world looks like, and then promptly get into action with this transition.

—–
In addition to being an information security consultant, Charles Cresson Wood, MBA, MSE, is a sustainability management consultant with Post-Petroleum Transportation, based in Mendocino, California. His most recent book is entitled Kicking The Gasoline & Petro-Diesel Habit: A Business Manager’s Blueprint For Action (www.kickingthegasoline.com).

Business Continuity – Your People & the H1N1 (Swine) Flu

May 20th, 2009

By Michael J. Corby, CCP, PMP, CISSP

Global Health Issues Require a Careful Response

Once again, we are being challenged by the potential for a serious outbreak of a highly contagious disease. This time, the threat appears to have emanated from Mexico, and by all recent accounts, has spread from person to person through the air. The number of cases appears to be mounting in the US, Canada and elsewhere. Without throwing our entire organization into convulsions, how can we best prepare to withstand this threat? Even if the influenza outbreak does not replicate the global pandemics of the past, we need to do what is proper to avoid a steep decline in our ability to maintain our profitable and viable position. Overreacting can result in a “The boy who cried wolf” situation. Under reacting can result in extensive and prolonged employee absence or sharply decreased sales. How do we handle this latest challenge? In a word: carefully.

Communication is Crucial

A global issue such as an illness pandemic presents you with multiple challenges. If the threat materializes and many people are affected, you may lose a large percentage of key workers, your customers, clients and constituents will elect not to venture into crowded public places, and your vendors and suppliers may be required to substantially change their services.

On the other hand, if the threat remains only a potential, you risk causing a disruptive and possibly expensive response with no value. Obviously the best plan is one that has been tested over and over, but in the absence of this real experience, your best bet is frequent, factual communications.

Developing a well-orchestrated plan

Your response to pandemic threats should be well coordinated and specific. We recommend you take the following specific steps in developing your plan.

1. Provide Factual information. You can win public relations points by monitoring credible sources and dispelling gossip and rumors. You should look to reliable resources to maintain the latest facts including:

a. Centers for Disease Control (CDC) http://www.cdc.gov/swineflu/

b. World Health Organization http://www.who.int/csr/disease/swineflu/en/index.html

c. The ASIS Swine Flu update http://www.asisonline.org/

Remember that as of the end of April 2009, relatively few cases have been identified in the United States; all had a connection with recent travel to Mexico and most are mild. There is presently no pandemic crisis. Phase 5 means sustained human to human transmission across countries. To an individual, this is only as dangerous as the “ordinary” flu. It is receiving attention because people have minimal immunity to it.

2. Conduct a brief risk assessment. Do you or your suppliers travel to and from Mexico? If the condition escalates, what will be the impact on your employees, your suppliers and your customers? Will the need for your products/services increase or decrease?

3. Review your policies. If you don’t have a pandemic response plan, now might be a good time to start getting one in place. If you do have a plan, review it and plan for needed supplies that have not yet been purchased, e.g. masks and hand sanitizers. How would you handle 30%-40% absenteeism for 1-2 weeks in the next 12 months? Consider family needs if schools and day care centers are suddenly closed for 1-2 weeks to prevent the spread of infection. Make sure employees are kept informed.

4. Educate employees and take precautionary measures. Make sure employees know the symptoms for flu and encourage them to stay home if sick, and to seek medical attention if symptoms are present. Provide extra cleaning and sanitizing supplies, especially for telephones and keyboards.

How can IT Security Help?

If you’ve done nothing to date to assure your organization can respond under the crisis conditions posed by a disease pandemic, your chances of a fully successful program are reduced. If you have already created a Business Continuity Plan that addresses the disruption of what we term the four key elements of business resiliency: People, Physical Plant, Process and Technology, this would now be an excellent time to issue a memo reminding everyone of the plan, the location of its latest version, and the names of the initial response leaders. You may even have the time and resources to conduct a “table-top” exercise of what will happen if the pandemic potential increases and the disease spreads as quickly as some may fear. We have worked with hundreds of organizations in the development of these plans and in monitoring and assessing the results of plan exercises. From our experience, we recommend the following minimum actions:
Appoint a Response Team Leader. This individual should be directly in control of all communication regarding the situation. From making the ultimate decision to invoke the response and recovery plan to approving all communication to the media, employees, suppliers, customers and civil authorities. This individual should be able to effectively coordinate web site and telephone system communications, advise and approve technology relocation or deployment plans, and direct the flow of materials and supplies to the locations where they can be best suited for a responsive continuous operation. Our background in this area can be a valuable resource for you to select, appoint and commission this individual.
Deploy Technology Resources. In most situations where communicable disease is a threat, people will not want to go to work in a crowded, populated office. In addition, commuting via public transportation and even using elevators presents a risky and undesirable situation. Many of your key employees can be just as effective working from the safety of their homes if they have the required computer, network access and telephone resources. Although the technology to do this is readily available, you may be competing with thousands of other company employees to set up systems and provide access codes to company resources. This is not a good time to relax security and privacy standards. Criminals are literally salivating for the opportunity to exploit the situation and gain access to valuable, sensitive or protected data. You face the risk of losing this data privacy and also the risk of a lawsuit initiated by these same individuals who now have the facts to accuse you of failing in your data protection obligations. We know how to do this deployment quickly, effectively and securely.
Monitor the facts and your business. As with other disruptive events, things can change quickly and dramatically. The spread of the disease itself can change in the blink of an eye, and the need for you to provide a different response to your customers can change just as quickly. We have the knowledge and skills to help monitor the operating environment in time to effect change.

Over the past few weeks, I’ve spoken to many groups about their response to this flu outbreak or pandemic disease threats in general. The most common response is that management has delegated to a medical advisor, either through the Human Resources department or through the company’s preferred medical provider. This is a noble response to help people defend against the flu and help prevent it from spreading through the organization, but as we have seen in the business response to hurricanes, terrorism, snow and ice storms and other calamities, prevention alone doesn’t solve the problem. Business Continuity Planning (for Security purists, it’s the “Availability” in the C-I-A Security triad) provides a response that addresses resilience when, and not if, the situation materializes.

Nearly all successful Business Continuity Plans have depended on a well-defined and tested process, known and followed by all employees under the guidance of a decisive leader. Is that you?

Ready – Set – Go!

A Primer on Risk

May 19th, 2009

By Pete Lindstrom, Research Director, Spire Security

The first and only necessary component of risk is likelihood. Likelihood is driven by the uncertainty of which outcome within a set of possible outcomes will occur for any single event. Some of those are wanted, and some unwanted, by those involved in decision-making (I use the word “unwanted” instead of “negative” to cover a broader set of outcomes and to address the fact that there are varying opinions about what is unwanted). If the mix of unwanted outcomes is not random or equally distributed (e.g. 2 possible outcomes each happening half the time, or 3 outcomes each happening 1/3 of the time), we use past frequencies of outcomes to inform our beliefs about future risks. The portion of unwanted outcomes out of the total population of outcomes is our likelihood number, which corresponds to risk when dealing with potential losses.

The other component of risk involves consequences. I noted above that likelihood is the only necessary component of risk. That is because we often suggest that in order to quantify risk we must quantify our consequences as well, but this isn’t the case. Since we are identifying unwanted outcomes anyway, in many cases we implicitly understand the value or loss involved, even if we don’t quantify it in dollar (or other currency) terms. Not only that, but we can quantify consequences in other ways that are available in whatever circumstances are being evaluated. Whatever numbers we use, they constitute the total number of units in the population of outcomes. In IT security, that might be total endpoints or total number of records or total value of the assets, for example.

When we do have a number to express consequences, we use the risk (estimated using previous frequencies as a starting point) or likelihood expressed as a percentage of total outcomes to discount the total population. This is simply an expected value calculation.

Take for example a sales pipeline. The value of a sales pipeline for a company is the likelihood of closing a deal (making a sale) multiplied by the total possible amount of the deal itself. This likelihood number is a discount factor used to reduce the amount in question based on the risk involved. So a $100,000 deal with a 70% likelihood of closing is worth $70,000 in the pipeline. Risk is like the inverse of the pipeline numbers, since the pipeline measures positive outcomes and risk measures negative (unwanted) ones.

The final outcome of a risk calculation may be
a) the probability itself, qualified by what is meant in terms of consequences,
b) the portion of the population that is expected to be affected by the unwanted outcome (using the likelihood as a discount factor for the total population), or
c) the “value-at-risk” (VaR) expressed in monetary terms (our universal unit of costs or losses) that involves translating the number derived in the previous measure into currency units.
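The three outputs listed above, computed from a likelihood estimated as a past frequency, as an added example that is not part of Lindstrom’s article. The outcome history, the endpoint count of 2,000 and the per-endpoint value of $150 are constructed sample values; the $100,000 deal at 70% is the article’s own pipeline figure.

```python
# Constructed outcome history for one event type (e.g. a phishing mail reaching
# a user): True marks an unwanted outcome, False a wanted one. Sample data only.
OUTCOME_HISTORY = [False, True, False, False, True, False, False, False, True, False]


def likelihood(outcomes):
    """Portion of unwanted outcomes in the observed population of outcomes."""
    if not outcomes:
        raise ValueError("no observed outcomes to estimate a frequency from")
    return sum(1 for unwanted in outcomes if unwanted) / len(outcomes)


def risk_profile(outcomes, population, unit_value):
    """Return the three forms of a risk calculation the primer lists:
    (a) the probability itself,
    (b) the expected portion of the population affected (likelihood used as a
        discount factor over the total population),
    (c) value-at-risk: the affected units translated into currency units."""
    prob = likelihood(outcomes)
    affected = prob * population
    return {
        "probability": prob,
        "expected_affected": affected,
        "value_at_risk": affected * unit_value,
    }


def pipeline_value(prob_close, deal_amount):
    """The primer's sales pipeline: a wanted outcome discounted by its likelihood.
    Risk mirrors this for unwanted outcomes, so the same discount applies to a loss."""
    return prob_close * deal_amount


if __name__ == "__main__":
    # 2,000 endpoints (constructed), each holding records valued at $150 (constructed).
    print(risk_profile(OUTCOME_HISTORY, population=2000, unit_value=150))
    print(pipeline_value(0.70, 100_000))  # the article's $70,000 pipeline entry
```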

(comments to this article can be made at http://spiresecurity.typepad.com.)

Why Risk Assessments Fail

May 19th, 2009

By. Thomas R. Peltier, Security Sage

A risk assessment is the backbone of any effective information security program. It is impossible to know where to implement controls until the risks, threats, concerns and issues have been identified. This process can only be completed if the risk assessment process is treated as any other properly run project. This document will examine some of the key areas that cause risk assessment processes to fail.

Scope Creep

Every successful project begins with a definition of what is to be accomplished. For risk assessment, this will involve describing what is to be examined. This could be a physical environment such as a data center; a specific system such as a network supporting research and development; a processing entity such as the corporate WAN or a subsection of the network such as the Payroll Administration LAN; or a specific application such as Accounts Payable.

In creating a statement of work or a scope statement, it is customary to begin with identifying the sponsor. This is normally the Owner of the application, system, data or process. The owner is typically described as the management person responsible for the protection of the asset in question. In most organizations, the sponsor is not an Information Systems (IS) person.

To limit the possibility of scope creep, it will be necessary to establish the boundaries of what is to be examined. An application that uses the corporate network to pass data is within the scope of a normal risk assessment. However, conducting a corporate analysis of the security of the Internet may be counterproductive. Keep the focus on those processes where the organization can effect change.

The scope statement will next want to address the overall objectives of the analysis. For information security these objectives are normally the impact of threats on the integrity, confidentiality and availability of information being processed by specific applications or systems. Consider the types of information security challenges facing your organization, and use this to define the objectives.

Ineffective Project Team

Many information security professionals attempt to conduct the risk assessment either alone or just with other members of the security group. To be effective, the risk assessment process must have representatives from the following areas:

1) functional owners
2) system users
3) systems analysis
4) applications programming
5) database administration
6) auditing (if appropriate)
7) physical security
8) communication networks
9) legal (if necessary)
10) processing operations management
11) systems programming (operating systems)

The key members of this team are the owner and the users. Make certain that there is representation from every business unit affected by the new application or system. This will assist in the acceptance of the final results of the analysis. By ensuring proper representation, the controls agreed upon will come from the owners and users and not as an edict from security or audit.

Stating Concerns as How They Impact Security

When conducting a risk assessment, it will be necessary to state the concerns as to how they impact the business objectives or the mission of the organization and not on how they impact security objectives. Proper controls are implemented because there is a strong business need, not so that the business unit will be in compliance with security requirements. Keep the business of the organization foremost in the discussions during the risk assessment process.

Every Threat is a Major Concern

Establish a method to prioritize the identified risks into categories of minor, moderate or major. No organization has sufficient resources to control every identified risk. An effective risk assessment gains support when it ensures that limited corporate resources are spent where they will do the most good. A possible ranking process might be as simple as the following:

Risk Assessment Graphs

Conclusion

Risk assessment is a necessary and cost-effective part of an effective information security program. It will support management in fulfilling its mandate to exercise its fiduciary duty to protect the assets and resources of the enterprise. By understanding how a risk assessment can fail, the security professional can take appropriate steps to ensure success.

Massachusetts Data Privacy Law and Regulation

April 6th, 2009

By: Michael J. Corby, M Corby & Associates

Overview:
The Commonwealth of Massachusetts has joined the many other states in enacting a law that protects its citizens from improper release of private data. The law and its subsequent explanatory regulation identify the data that must be kept private, establish standards of due care, and prescribe penalties for failing to act properly.

The statute is Chapter 93H of Massachusetts General Laws, enacted by the state legislature and signed into law on August 4, 2007. Its provisions were initially scheduled to go into effect January 1, 2009, but that date has now been pushed to January 1, 2010. The sponsoring agency is the Office of Consumer Affairs and Business Regulation (OCABR).

Commonwealth of Massachusetts Regulation (201 CMR 17.00) has been implemented to guide the response and enforcement of the law. This regulation establishes the scope of the law and prescribes twenty specific areas that organizations must address to be considered in compliance. Twelve of the areas deal with privacy in general, and eight deal specifically with electronic data privacy.

Scope of the Statute:
The Privacy Law is designed to protect Massachusetts residents from inappropriate disclosure or use of their private information. The private information is defined as the First Name (or initial) and Last Name in conjunction with any or all of the following:
• Social security number,
• Driver’s license number,
• State issued identification number,
• Financial institution account number,
• Credit or Debit card number with access code.
It applies to any organization or person that owns, licenses, stores or maintains the above personal information pertaining to a Massachusetts resident. (Notably absent from this list of target organizations is the Government.) Data that is already in the public domain is not covered by this statute.

Inappropriate activity includes either unauthorized disclosure to a person not permitted to view the information or unauthorized use by a person permitted to view the information but not use it in the context in which they have used it.

Key Elements of the Regulation:
201 CMR 17.00 specifies that the organization that manages the data must, at a minimum:
• Designate an individual as a Data Security Coordinator who will administer their data privacy policies;
• Create a written information security policy (“WISP”) that defines the organization’s specific policies and procedures governing the protection of the private data elements;
• Train and/or provide refresher training for all employees who come in contact with private data;
• Monitor compliance with the WISP at least annually, or more frequently as business needs dictate;
• Conduct a privacy risk assessment that takes into consideration the extent of protection that must be implemented to assure private data is not misused. That risk assessment should look at transaction or data volume, frequency, financial value, handling environment and threat potential.
• Data managed by Third Party Providers (“TPP”) is not immune from this statute and the controlling organization must verify that each TPP is performing all duties in compliance with this regulation.
• Breaches of privacy must be recognized and reported to the individual(s) whose data privacy has been compromised, Massachusetts Attorney General’s office and the Office of Consumer Affairs and Business Regulation in a timely manner. The exception to this is if the report would compromise an existing criminal investigation.
• If a data privacy breach occurs, the organization must demonstrate an effective plan to prevent future occurrences and mitigate similar vulnerabilities.

We Are Ignoring Serious Systemic Risk

April 6th, 2009

Author: Charles Cresson Wood, Independent Information Security Consultant

One of the big risks in the financial world, which caused our current banking crisis, was the level of exposure taken on through derivatives. For example, AIG admitted that they did not include certain scenarios in their models about the risks associated with selling financial instruments such as these. They knew these risks existed, but they didn’t closely examine them, and as a result they didn’t factor them into their decision-making. The bloodbath we are all suffering is the result.

The same problem is found in the information security and business contingency planning fields. In the information security field, we worry about intruder break-ins, the latest zero-day attack, and some new phishing attack used to perpetuate identity theft. Our examination of risk is superficial, and it does not consider what would happen if we don’t have electricity to run a data center for an extended time. Likewise, in the contingency planning area, we worry about workplace violence, a fire in the headquarters building, and a chemical spill that keeps people away from the manufacturing plant. Again, we still fail to come to terms with the systemic risk that underpins everything that we do: the extent to which our economy is dangerously dependent on abundant and low cost energy.

While there are certainly other systemic risks, one of the most serious and unexamined risks that is not getting the attention it deserves is the fact that we are running out of petroleum. The International Energy Agency, a part of the United Nations, wrote a report in October 2008, which indicates that world oil production is now declining at the rate of 9.1% per year. This can’t help but have a profoundly negative impact on business and government. But where are our scenario analyses? Where are our transition plans to alternative energy? Where are our contingency plans, enabling us to deal with rapid increases in the price of petroleum-based fuels, rationing, and intermittent shortages?

It’s time we honestly dealt with the fundamental systemic risk on which the industrialized nations of the world have been built: the fact that we are running out of fossil fuels. People need to know that we do have viable solutions that can be used to deal with this risk, such as 12 different commercially available alternative fuels. It remains to be seen whether we will adopt these technologies before massive structural damage is done to our economy because we insist on remaining in denial about the systemic risk that we face. It is time to brace ourselves for the Bernard Madoff Ponzi scheme equivalent of a meltdown in the energy area.

Data Scams Have Kicked into High Gear as Markets Tumble

January 29th, 2009

By Byron Acohido and Jon Swartz, Source: USA TODAY

In the midst of a struggling economy, cyber scams and attacks are on the rise. A recent USA Today article explains how the state of our economy and cyber crimes are correlated.

Earn Your CPE Credits and Stay Local with SecureWorld

January 28th, 2009

In these current economic conditions, company budgets for training are shrinking, but the CPE training requirements remain the same. In addition, many national training conferences are being canceled due to a decline in attendance and increased travel costs.