Security Risk Management
eBook - ePub

Security Risk Management

Building an Information Security Risk Management Program from the Ground Up

Evan Wheeler

360 pages, English, ePub
About This Book

Security Risk Management is the definitive guide for building or running an information security risk management program. This book teaches practical techniques that will be used on a daily basis, while also explaining the fundamentals so students understand the rationale behind these practices. It explains how to perform risk assessments for new IT projects, how to efficiently manage daily risk activities, and how to qualify the current risk level for presentation to executive level management. While other books focus entirely on risk analysis methods, this is the first comprehensive text for managing security risks.

This book will help you to break free from the so-called best practices argument by articulating risk exposures in business terms. It includes case studies to provide hands-on experience using risk assessment tools to calculate the costs and benefits of any security investment. It explores each phase of the risk management lifecycle, focusing on policies and assessment processes that should be used to properly assess and mitigate risk. It also presents a roadmap for designing and implementing a security risk management program.

This book will be a valuable resource for CISOs, security managers, IT managers, security consultants, IT auditors, security analysts, and students enrolled in information security/assurance college programs.

  • Named a 2011 Best Governance and ISMS Book by InfoSec Reviews
  • Includes case studies to provide hands-on experience using risk assessment tools to calculate the costs and benefits of any security investment
  • Explores each phase of the risk management lifecycle, focusing on policies and assessment processes that should be used to properly assess and mitigate risk
  • Presents a roadmap for designing and implementing a security risk management program


Information

Publisher
Syngress
Year
2011
ISBN
9781597496162

PART I

Introduction to Risk Management

1 The Security Evolution
2 Risky Business
3 The Risk Management Lifecycle

Chapter 1

The Security Evolution

Information in this Chapter

• How We Got Here
• A Risk-Focused Future
• Information Security Fundamentals
• The Death of Information Security

Introduction

Before even starting to think about the various steps required to design a program to assess and evaluate information security risks, it is important to briefly review the history of the field and take a quick look at Information Security as a discipline. Even those of you who are already familiar with some advanced risk assessment techniques can benefit from reviewing how we got here or you risk repeating the same mistakes. Information Security (or Information Assurance) needs to be viewed through the lens of business context to see the added value of basing your security program on a risk model. Risk management is by no means a ubiquitous foundation for information security programs, but many visionaries in the field recognize that the future of information security has to be focused on risk decisions if we are to have any hope of combating the ever-changing threat landscape and constantly increasing business demands. From an outsider’s perspective, risk management may seem like an obvious fit for information security, but, amazingly, within the profession, there are still debates regarding its merit.

How We Got Here

If you attend any industry conference or pick up any information security trade magazine, you will certainly see many references to risk assessments, risk analysis, and risk management. So, how is it possible that many security professionals are still arguing about the value of a risk-based approach to information security? Certainly, all the security product and service vendors have jumped on the risk bandwagon in full force. As a profession, have we fallen behind the vendors, or are they contributing to the false perception of risk management? In fact, walking the expo floor of any major information security conference, the number of vendors touting their so-called “risk management” solutions has increased significantly compared with even a year earlier. Hopefully, as you look at each vendor’s offerings, you will start to ask yourself questions like “is a vulnerability scanner really a risk management solution?” The answer is no, not really, but the vendors position it that way, and many people are more than happy to follow blindly if they can cross risk management off their compliance checklist. This example highlights a great misunderstanding within the field about what risk management really is. Let’s face it—risk management is not a new concept. Several other industries (for example, insurance, economics, finance) have implemented very robust and precise risk models to handle even complex scenarios. Unfortunately, the information security field itself is rather young compared with these other industries, and when you try to apply a mature discipline like risk management to an evolving practice, there will be gaps that need to be overcome. This book is focused on addressing those gaps by providing a solid foundation upon which information security professionals can build a world-class risk management program that is aligned with the business objectives of the organization.

Banning Best Practices

In order to start the transformation into a risk mind-set, we first have to shed some of the baggage of outdated approaches to information security and dispel several misconceptions about how an information security function should operate. A growing problem in the information security field is the emphasis and reliance on checklists and so-called “best practices” as the only basis for many decisions. For the sake of simplicity and consistency, the security field has evolved into a cookbook-type approach. Everyone gets the same recipe for security and is expected to implement it in exactly the same way. The fundamental flaw with this strategy is that we don’t live in a one-size-fits-all world. Instead of applying best practices uniformly across the board, we should be using risk analysis techniques to identify the critical focus areas and to select the most appropriate solutions for our organizations.
The motivation behind this cookbook mentality and the value of security checklists are clear when you look at how the information security field has evolved. There has always been a heavy technology focus in the field, and much of the security community got their start in an Information Technology (IT) role. As the discipline developed, implementations of security principles and concepts were inconsistent at best, and the need to provide more standardized guidance to the practitioners who were battling it out in the trenches every day resulted in several generic security frameworks, some basic standards, and a lot of operationally focused training. Moreover, there is a wide variety of training available at the practitioner level, but almost nothing on how to build and lead an information security program; most programs teach management activities, and few address true leadership.
Let’s look at a quick example of this problem in practice. A typical information security standard might be that sensitive data needs to be encrypted wherever it is stored. Suppose that you found a database within your organization where sensitive data isn’t encrypted. Before you confront the business owner and ask them to implement encryption, start by asking yourself why encryption is necessary. What problem are you trying to solve? What risk are you trying to mitigate? Encryption may not be necessary or appropriate every time. In some cases, it may even conflict with other security needs, such as the desire to inspect all communications in and out of the organization for malicious content or data leakage. Security controls need to provide business value and shouldn’t be applied without first analyzing the problem. Your boss may attend an industry presentation, likely by a vendor, where the speaker recommends database encryption for all sensitive data. So they run back to the office, and you find yourself suddenly scoping out the effort to encrypt all your databases, but have you defined the problem you are trying to solve? This book is specifically focused on providing a risk model that will allow you to evaluate the threats and the vulnerabilities for your organization, and make educated decisions about how to address the most critical risks.
Having checklists and baselines does make it easy for security practitioners, and even people outside of security, to apply a minimal level of protection without having to understand the intricacies of information security, but at what expense? How can a single list of best practices possibly apply to every organization in the same way? There are “common practices,” yes, but none of us is in the position to claim “best practices.” There is too much potential to be lulled into a false sense of security if we base evaluations of security posture solely on a checklist.
Tips & Tricks
Try removing “best practices” from your vocabulary whenever you are communicating with others in your organization and really focus on the business drivers to justify any recommended controls or mitigation actions.
To be effective, senior security professionals need to learn how to perform a true risk assessment and not just accept the established security checklists. Even the US federal government seems to be moving in this direction with the latest revision of the NIST SP800-37 guide [1] for managing the security of federal information systems (formerly focused on Certification and Accreditation), which has been overhauled to use a risk-based approach. It is hard to deny that risk management is the future of the information security field, though some still try to argue against it. A risk-based model can provide a more dynamic and flexible approach to security that bases recommendations on the particular risks of each scenario, not just a single pattern for the entire field. Just look at the Payment Card Industry (PCI) requirements: given all the breaches in the retail space, it is clear that they have not made retail companies any more secure, just more compliant.

Looking Inside the Perimeter

Another important development in the information security field is the shift away from focusing purely on securing the perimeter. Traditional information security practices were primarily concerned with keeping the “bad guys” out. The assumption was that anything outside your network (or physical walls) was untrusted and anything inside could be trusted. Although this perspective can be very comforting and simplifies your protection activities (in an “ignorance is bliss” kind of way), it is also deeply flawed. As environments have grown more complex, it has even become necessary to separate different portions of the internal environment based on the sensitivity of the resources. It is hard to deny the statistics (according to the 2010 Verizon Data Breach Investigations Report [2], 48 percent of the breaches involved insiders) regarding the large percentage of security breaches initiated by malicious insiders, or the compromises that result from attackers leveraging exploits on mobile devices to launch attacks on more sensitive internal resources. At this point, it would be hard even to draw a meaningful perimeter line around your organization. You can’t assume that the other systems on your internal networks can be trusted, or that not being directly Internet-facing excludes a system from needing to worry about external threats.
Early attempts by many organizations to address these issues without a common security framework have led to the implementation of point solutions and ad hoc levels of protection, which in many cases have not been the best solutions to address the organization’s greatest risk areas. We have all seen organizations that spend a lot of money on technology, or spend all their time trying to keep up with bleeding-edge hacking techniques, but miss the big gaping holes that end up being exploited. Critical exposures are overlooked, and breaches occur despite the expensive controls in place. Technology won’t fix process and procedural weaknesses, which are what typically contribute to the major disclosures. As the threat landscape continues to shift, the old paradigms for information security just aren’t going to cut it anymore.

A Risk-Focused Future

No one can deny that keeping up with the pace of change in this field is challenging at best, and can, at worst, feel impossible. As soon as you feel like you have a good handle on the major threats to your organization, three new threats pop up. So how can you keep up? If you want to stay ahead or even just keep pace, you need not only to understand the fundamental principles of a solid information security program but also to understand how to apply them to mitigate your organization’s specific risks.

A New Path Forward

There are many good security advisory services available that can provide a steady feed of intelligence about the latest threats and vulnerabilities, but you will soon discover that keeping up with the pace of information can quickly become overwhelming. Along the same lines, try running a vulnerability scan of any average-sized environment for the first time and see how many hundreds of findings you get back; even if your organization has a mature security program, a typical scan will generate volumes of raw data that need to be analyzed. Unfortunately, many new security managers will start with this approach instead of first establishing the foundation for their program on a robust risk model, so they get lost in the race to combat the latest threats or close out vulnerabilities as quickly as possible without any prioritization. The result is that resource administrators spend all of their time responding to every new vulnerability report and applying every security patch; meanwhile, the security folks spend all of their time processing and tracking every new vulnerability when they should be focusing on prioritizing risks and developing a security strategy. It’s easy to get caught up in trying to address each risk finding as soon as you discover it, and in doing so, you lose sight of the big picture. If you don’t identify and address the root causes and systemic issues, then you will just keep killing time and resources fixing the same symptoms over and over again.
So how can we manage this better? How do we avoid the information overload? The answer is to develop a risk model that takes into account the particulars of your environment so you can stay focused on your organization’s most critical exposures. Risk is, and needs to be, more than just a buzz word that vendors use to sell products. When someone says that a particular system is “risky,” what does that mean? Does it mean that it has a low tolerance for risk exposures? Or does it mean that it has a high degree of exposure to threats? Maybe it indicates that the resource has a large threat universe? Potentially, the resource is a particularly attractive target? Does it have known and unmitigated vulnerabilities that are e...
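The triage problem described in the two paragraphs above, ranking raw scanner output by the particulars of the environment rather than by scanner severity alone and spotting the systemic root causes behind repeated findings, is shown in the following added example. It is not code from the book; the hosts, findings, weightings and the scoring formula are constructed assumptions for illustration, not the author's model.

```python
"""Prioritise vulnerability-scan findings by business context.

Added example, not from the book. Every asset, finding and weighting
below is constructed; the scoring scheme is an assumed illustration of
how exposure, data sensitivity and compensating controls change the
ranking that a raw CVSS sort would produce.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    cvss: float   # scanner's base severity, 0-10
    fix: str      # remediation action; shared fixes reveal systemic issues


@dataclass(frozen=True)
class Asset:
    host: str
    internet_facing: bool
    data_class: str          # "public", "internal", "confidential", "regulated"
    mitigations: tuple = ()  # compensating controls already in place


# Assumed weightings: how much exposure and data sensitivity scale a finding.
EXPOSURE_WEIGHT = {True: 1.0, False: 0.4}
DATA_WEIGHT = {"public": 0.3, "internal": 0.6, "confidential": 0.9, "regulated": 1.0}
# Assumed discount applied per compensating control on the asset.
MITIGATION_DISCOUNT = {"waf": 0.6, "network_isolated": 0.3, "mfa": 0.7}


def risk_score(finding: Finding, asset: Asset) -> float:
    """Contextual risk: severity scaled by exposure, data value and controls."""
    score = finding.cvss * EXPOSURE_WEIGHT[asset.internet_facing]
    score *= DATA_WEIGHT[asset.data_class]
    for control in asset.mitigations:
        score *= MITIGATION_DISCOUNT.get(control, 1.0)
    return round(score, 2)


def prioritise(findings, assets):
    """Return (score, finding, note) tuples ordered by contextual risk, highest first.

    A host missing from the inventory keeps its raw CVSS and is flagged,
    because an unknown asset is itself a gap to chase, not something to drop.
    """
    inventory = {a.host: a for a in assets}
    ranked = []
    for f in findings:
        asset = inventory.get(f.host)
        if asset is None:
            ranked.append((f.cvss, f, "NOT IN INVENTORY"))
        else:
            ranked.append((risk_score(f, asset), f, ""))
    ranked.sort(key=lambda t: t[0], reverse=True)
    return ranked


def systemic_issues(findings, min_hosts=3):
    """Group findings by remediation; one fix needed on many hosts is a process gap."""
    hosts_by_fix = defaultdict(set)
    for f in findings:
        hosts_by_fix[f.fix].add(f.host)
    return {fix: sorted(hosts) for fix, hosts in hosts_by_fix.items()
            if len(hosts) >= min_hosts}


# Constructed sample inventory and scan output.
ASSETS = [
    Asset("lab-01", False, "public", ("network_isolated",)),
    Asset("pay-db-01", False, "regulated"),
    Asset("www-01", True, "internal", ("waf",)),
    Asset("hr-02", False, "confidential"),
    Asset("hr-03", False, "confidential"),
    Asset("hr-04", False, "confidential"),
]
FINDINGS = [
    Finding("lab-01", "Remote code execution in test harness", 9.8, "decommission-lab-service"),
    Finding("pay-db-01", "Database listener accepts unauthenticated connections", 7.5, "enable-db-auth"),
    Finding("www-01", "Reflected cross-site scripting in search", 6.1, "fix-xss-search"),
    Finding("hr-02", "Outdated OS kernel", 7.8, "patch-os-baseline"),
    Finding("hr-03", "Outdated OS kernel", 7.8, "patch-os-baseline"),
    Finding("hr-04", "Outdated OS kernel", 7.8, "patch-os-baseline"),
    Finding("ghost-07", "Outdated TLS configuration", 2.6, "harden-tls"),
]

if __name__ == "__main__":
    for score, f, note in prioritise(FINDINGS, ASSETS):
        print(f"{score:5.2f}  cvss={f.cvss:<4} {f.host:10} {f.title} {note}")
    print("systemic:", systemic_issues(FINDINGS))
```

Run stand-alone, the highest raw CVSS on the page (9.8 on the isolated lab host) drops to the bottom of the list, the unauthenticated listener on the regulated database rises to the top, and the three HR hosts collapse into a single "patch-os-baseline" item to hand to whoever owns the build process rather than three tickets for three administrators.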
