Measuring and Managing Information Risk: A FAIR Approach
Jack Freund and Jack Jones

Butterworth-Heinemann is an imprint of Elsevier
The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, UK
225 Wyman Street, Waltham, MA 02451, USA

Acquiring Editor: Brian Romer
Editorial Project Manager: Keira Bunn
Project Manager: Poulouse Joseph
Designer: Matthew Limbert

Copyright © 2015 Elsevier Inc. All rights reserved.

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means electronic, mechanical, photocopying, recording or otherwise without the prior written permission of the publisher. Permissions may be sought directly from Elsevier’s Science & Technology Rights Department in Oxford, UK: phone (+44) (0) 1865 843830; fax (+44) (0) 1865 853333; email: [email protected]. Alternatively you can submit your request online by visiting the Elsevier web site at http://elsevier.com/locate/permissions and selecting “Obtaining permission to use Elsevier material.”

Notices

Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

Library of Congress Cataloging-in-Publication Data
Application submitted

British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library

ISBN: 978-0-12-420231-3

For information on all Butterworth-Heinemann publications visit our web site at http://store.elsevier.com/

This book has been manufactured using Print on Demand technology. Each copy is produced to order and is limited to black ink. The online version of this book will show color figures where appropriate.

Acknowledgments by Jack Jones

Something like FAIR doesn’t come about in a vacuum, and there are a lot of people who deserve my deepest gratitude for the role they played in its development. Sometimes their role was subtle and unintentional; perhaps an offhand comment that spurred deeper thinking or a twist in thinking that unlocked some conceptual obstacle I faced. In other cases the role was explicit and obvious; perhaps as a sounding board, support in the face of skeptics, or mentoring me through political minefields that litter the information security and risk management landscape. Regardless, the following list (in alphabetical order except for the last two entries) inevitably is incomplete and I beg the forgiveness of anyone who feels I have left them out.

• Dr. Henry Beker—whose deep wisdom and strong support have been so crucial to the ongoing success of FAIR and CXOWARE. It is a true privilege to know someone like Henry, let alone have the opportunity to work with him.
• The team at CXOWARE—how lucky can one person get, to be surrounded by such great energy, intelligence, and skill. These people seem able to work magic, both in building a business and taking my sometimes half-baked ideas and turning them into truly remarkable software.
• Jack Freund—whose mental quickness may be unmatched in my experience. Jack has been a dear friend, great colleague, and outstanding partner in writing this book. In fact, without his gentle persistence this book likely would not exist.
• Mike Keller and Susan Gueli—two amazing people, both of whom I had the privilege of working for during my tenure as CISO at Nationwide. It is entirely accurate to say that without their support my career would have been quite different and far less successful than it has been. I am deeply indebted to both of them.
• Cindi Hart—who was my right hand (and very often my saving grace) in each of my CISO roles. I hold no other professional in higher regard, and her friendship has been a true blessing.
• Kirk Herath—whose support and friendship has been so important over the years. You will not encounter a more courageous professional, or anyone more expert in the field of privacy.
• Jim Hietala and Ian Dobson—whose support for FAIR within the Open Group has been so critical over the years. These gentlemen define the word “class,” and it has been a privilege to work with them.
• Douglas Hubbard—perhaps unmatched as a risk guru, Douglas’ books and insights continue to stoke my internal flame for trying to get this right.
• My team and colleagues at Huntington Bank—as with Nationwide, there simply are too many amazing people to list. Here again, my success was largely due to them, and I am deeply grateful for their support and hard work.
• Alex Hutton—great friend, tireless sounding board, and truly remarkable risk professional. It was his hard work in the early years that kept FAIR alive long beyond what would have happened if I had been trying to do it alone.
• Ryan Jones—whose exceptional work developing and providing FAIR training was responsible for keeping CXOWARE afloat in the early days. His unique combination of creativity, critical thinking, work ethic and pragmatism make him a privilege to work with.
• Marty Miracle—another great friend, deep thinker, and brilliant risk professional. Few people have provided more honest feedback, and fewer yet can match the quality of Marty’s analyses.
• Brooke Paul—great advocate and amazing businessman. Brooke’s business advice in the early days, though not always followed by me, was always spot-on.
• My team and colleagues at Nationwide Insurance—any success I realized while at Nationwide was largely a function of the amazing team of professionals around me. There are simply too many to list here, but in my mind and heart they all stand out.
• Eddie Schwartz—easily one of the sharpest minds I have ever encountered. Despite this, he seemed to believe there was something worthwhile in me and mentored me in many ways. I learned an awful lot from Eddie, and am truly grateful for his friendship, guidance, and the opportunities he gave me.
• Steve Tabacek—dear friend and phenomenal business partner. I can’t imagine a harder working, more ethical person, and FAIR would have certainly died on the vine without his tireless support and exceptional business acumen.
• Chad Weinman—another great friend and outstanding colleague. I’ve never worked with anyone so completely dedicated to the customer. This combined with Chad’s energy and positive attitude continue to be critical to CXOWARE’s success.
• I am also deeply indebted to all of the early adopters who found value in FAIR and advocated for it even in the face of criticism. These are the people who had the guts to advocate for something that sometimes ran counter to conventional wisdom. Without their timely support I would have likely given up somewhere along the path.
• Last and most important: my wife Jill, son Ryan, and daughter Kristen. They are my inspiration, my heroes, and my reason for being. Their support has meant everything to me. With them I am truly blessed.

About the Authors

Dr. Jack Freund is an expert in IT risk management specializing in analyzing and communicating complex IT risk scenarios in plain language to business executives. Jack has been conducting quantitative information risk modeling since 2007. He currently leads a team of risk analysts at TIAA-CREF. Jack has over 16 years of experience in IT and technology working and consulting for organizations such as Nationwide Insurance, CVS/Caremark, Lucent Technologies, Sony Ericsson, AEP, Wendy’s International, and The State of Ohio. He holds a BS in CIS, Masters in telecommunication and project management, a PhD in information systems, and the CISSP, CISA, CISM, CRISC, CIPP, and PMP certifications. Jack is a visiting professor at DeVry University and a senior member of the ISSA, IEEE, and ACM. Jack chairs a CRISC subcommittee for ISACA and has participated as a member of the Open Group’s risk analyst certification committee. Jack’s writings have appeared in the ISSA Journal, Bell Labs Technical Journal, and Columbus CEO magazine, and he currently writes a risk column for @ISACA. You can follow all Jack’s work and writings at riskdr.com.

Jack Jones, CISM, CISA, CRISC, CISSP, has been employed in technology for the past 30 years, and has specialized in information security and risk management for 24 years. During this time, he has worked in the United States military, government intelligence, consulting, as well as the financial and insurance industries. Jack has over 9 years of experience as a CISO with three different companies, with five of those years at a Fortune 100 financial services company. His work there was recognized in 2006 when he received the 2006 ISSA Excellence in the Field of Security Practices award at that year’s RSA conference.
In 2007, he was selected as a finalist for the Information Security Executive of the Year, Central United States, and in 2012 he was honored with the CSO Compass award for leadership in risk management. He is also the author and creator of the Factor Analysis of Information Risk (FAIR) framework. Currently, Jack is cofounder and president of CXOWARE, Inc.

Preface by Jack Jones

Two questions and two lame answers. Those were the catalyst in 2001 for developing FAIR. At the time, I was the newly minted CISO for Nationwide Insurance, and I was presenting my proposed security strategy to senior executives in hopes of getting additional funding. One of the executives listened politely to what I had to say, and asked two “simple” questions:

1. How much risk do we have?
2. How much less risk will we have if we spend the millions of dollars you’re asking for?

If he had asked me to talk more about the “vulnerabilities”[1] we had or the threats we faced, I could have talked all day. Unfortunately (or, I guess, fortunately), he didn’t. He wanted to understand what he was going to get in return for his money. To his first question, I answered, “Lots.” To his second question, “Less.” Both of my answers were accompanied by a shrug of my shoulders—tacit admission that I didn’t have a leg to stand on (he knew when he asked the questions that I wouldn’t have a useful answer). The good news was that I got most of the money I was asking for, apparently out of blind faith. The even better news was that I left the meeting determined to find a defensible answer to those questions.

When I began working on FAIR, I had absolutely no idea that an international standards consortium like The Open Group would adopt it as a standard, that people would be building software to implement it, or that organizations would pay to have their people trained in it. Nor had the idea of a book crossed my mind.
It also never crossed my mind that what I was developing could be used to evaluate other forms of risk beyond information security. All I wanted was to never have to shrug my shoulders and mutter lame responses to those questions again. This, I have accomplished.

WHAT THIS BOOK IS NOT, AND WHAT IT IS

If you are looking for a book that spoon-feeds you answers to the daily questions and challenges you encounter as an information security professional, you’ve come to the wrong place. This book doesn’t provide much in the way of checklists. You will likewise be disappointed if you’re looking for a book based on deep academic research, complete with references to scores of scholarly resources. There are only a handful of references to other works, very few of which would probably qualify as “scholarly” in nature. If you’re looking for highly sophisticated math and formulas that make the average person’s eyes roll back in their heads—my apologies again. FAIR simply is not that complicated.

[1] You will see later in the book why I put the word “vulnerabilities” in quotes.

First and foremost, this is a book about critical thinking. And if you get nothing else out of it, I hope it helps you to think critically and perhaps differently about risk and risk management. It represents the current state of my exploration into risk and risk management, and how it’s being applied today. And as with many explorations, the path has been anything but simple and straight. The experience has been like trying to unravel a tangled ball of twine. You pull on a thread for a while, thinking you are on the right track, only to realize you created a nasty knot that you have to pick apart—and then start over. Some of those knots were due to my own logical failures or limited background. Other times, too many times, the knots existed in large part due to risk-related fallacies I had (and the industry still has) bought into for years.
You will find in here that I take square aim at a number of sacred risk management cows, which is certain to have me labeled a heretic by some folks. I’m more than comfortable with that.

This book attempts to lay out before you the current state of this twine, which is now much less tangled. There are still strings to pull though, and knots to unravel, and there always will be. Maybe you will take what you read here and do some pulling and unraveling of your own. And if you find and unravel knots that I inadvertently created, so much the better.

A snippet from a T.S. Eliot poem does a great job of capturing my experience with FAIR:

    … and the end of all our exploring will be to arrive where we started and know the place for the first time.
    T.S. Eliot

That pretty much nails it. My exploration may not be over but there is no question that I know risk and risk management far better than if I hadn’t bothered to explore. I hope you’ll feel the same way after you’ve read this book.

Cheers,
Jack Jones
March 2014

Preface by Jack Freund

While writing this book, Jack Jones and I had a conversation about some of the difficulties faced by those in this profession, and especially those who are interested in bringing quantitative methods into common practice. During this discussion I did what I always do when I’m full of myself and waxing eloquent: I use the Socratic method to help summarize and build analogies to help illustrate key points. I have one friend who called me “The Great Distiller” (with tongue firmly planted in cheek). Jack liked the point I made, and suggested that I write about it here to help frame the book and the work being done on FAIR.

Essentially, the point I made went something like this. What is one of the first things that a new leader in IT risk and security needs to do? Well, there are a lot of tasks to be sure: building relationships, hiring staff, diagnosing problem areas, and building out new and/or enhanced processes.
This list could be written about most leadership jobs in any profession. However, one task that will show up on that list is something like “identify risk assessment methodology.” How unique that is to our profession! Think about that for a minute: you could have a fully implemented risk function that is rating issues and risk scenarios every day. Yet, when a new leader joins your organization, they may wipe all of that away because they disagree with the method being used. And this may be for reasons as simple as it’s unfamiliar to them, they prefer another method more, or a little from column A and a little from column B.

I was discussing this with someone who runs a chemistry lab. She has a PhD in organic chemistry, runs a peptide laboratory, and modestly refers to herself simply as “a chemist.” I asked her if this is a routine practice in chemistry. “Does one of the early tasks of a new lab manager involve choosing the method of chemical interaction they are going to use? Do they define their own approach and methodology for handling volatile chemicals?” “Certainly not,” she replied. Once the type of chemistry they are going to be doing (organic, inorganic, nuclear, etc.) is determined, they will need to supply the lab with the materials necessary to do their job. She said there are five basic chemicals she uses in her peptide lab and once those are selected, it is a matter of outfitting the lab with the correct safety devices and handling precautions (fume hoods, storage containers, etc.). “Do any of these tasks involve explaining to your staff your view on how these chemicals interact? Do you have to have conversations to get their minds right on how to do chemistry?” I asked. She told me this is not the case (although we had a good chuckle over those that still insist on pipetting by mouth). There are well-known principles that govern how these chemicals work and interact.
In areas where there is dispute or cutting-edge work, those involved in its practice use the scientific method to gain a better understanding of what “truth” looks like and present their work for peer review. We may never get to the equivalent of a periodic table of risk, but we need to try. We need to set stakes in the ground on what truth looks like, and begin to use the scientific method to engage each other on those areas where we disagree. I genuinely want to get better at the practice of IT risk, and I know that Jack Jones does too. It is for this reason that FAIR has been publicly reviewed and vetted for several years now and why Jack Jones placed the basic FAIR taxonomy discussed in Chapter 3 in the hands of a neutral standards body (The Open Group). By all means, let us have an open dialogue about what works and what does not. But let us also use impartial, unbiased evidence to make these decisions.

I wrote this book to accomplish several things. First, it is a great honor to be able to author a book with one’s mentor. It is an even bigger honor to help your mentor write a book about their life’s work. That really is significant to me, but it is also a weighty responsibility. I learned FAIR from Jack early on in the part of my career where I was beginning to do Governance, Risk, and Compliance (GRC) work in earnest. By that time, I had been studying, training in, and writing about various methods of risk assessment and it was becoming clear to me that what passed for a method was more process than calculation. Indeed, if you compare most major risk assessment methods, they all bear a striking resemblance: you should consider your assets, threats to them, vulnerabilities, and the strength of the controls. Somehow (although rarely ever explicitly identified), you should relate them to one another. The end result is some risk rankings and there you go.
Except that is the problem: no one tells you how to do this exactly, and oftentimes you are encouraged to make up your own solution, as if we all know the right way to go about doing that.

What I learned from Jack was simple and straightforward. The relationship between the variables was well reasoned and well designed. It was easy to understand and explain. It also included some sophisticated math, yet was still easy for me to use (I always scored higher on verbal than math sections on any standardized test). I have often been accused of knowing only a single method for assessing risk (a statement that is wildly inaccurate). I know many methods for assessing risk, yet only one that seeks to calculate and analyze risk in a defensible way. Knowing how to do that gives you a sense of composure, and perhaps even some bravado. You do not shy away from difficult or hard problems because you have learned how to model these scenarios even when you do not have the best data available. This can be off-putting to some people. But you will come back to the FAIR taxonomy and calculation method over and over again. It is like learning the quadratic formula after years of solving quadratic equations using factoring. Why go back to something that is harder to do and takes longer to complete? I will tease Jack often by saying that he has “ruined me” for other types of risk analysis methods. He takes my good-natured ribbing well. What I mean is that he has shown me the right way to do it, and it is difficult for me to go back to other approaches since their flaws have been laid bare before me. So to that end, yes, I only know one (good) method for practicing risk and I have been thoroughly ruined for all the other (not as good) methods for doing risk assessments. And for that I thank you, Jack Jones.

The second major reason I decided to write this book is because I believe we are on the precipice of something really amazing in our profession.
IT risk is really starting to become its own distinct function that is slowly separating from Information Security proper while simultaneously becoming more intertwined with it. In my role as an educator, I often have discussions with students who are looking to break into the risk and security profession. I often tell them that these jobs are really IT specialties and what they really need is to gain some experience in a reference discipline; they need a strong foundation in networking or application development, for example. Only after a few years of work in these roles will they be able to provide useful security work to a future employer. This used to be the way that people entered the security function. Often it was only after many years of work administering servers or working on network routing tables that you were given the chance to be a security practitioner full time.

The industry is changing now, and more and more I find that there are paths into risk and security that do not involve even a moderate level of knowledge of something else first. This is not necessarily bad; however, it has some implications. Since we can no longer depend on someone having a solid skillset to draw upon, they may not know a lot about the environments they are now charged with assessing. Second, if they were trained with specific security knowledge, that often means that they missed some of the foundational elements that are a part of a core liberal arts education (critical thinking and the scientific method, for example). It is also important to learn how to be more autodidactic (a word I learned while being an autodidact). This book is written in part to help fill out the knowledge gap that a lot of people have when faced with a job that is primarily risk-based. I often draw a diagram for people, which I think adequately reflects the real nature of the skills necessary for working in this job (Figure P.1):

FIGURE P.1 IT risk job skills.
By and large, most of the job is talking to people. You have to learn how to perform technical interviews of IT people and business process reviews with business people. You have to learn how to talk with the person running backups on mainframes, as well as to be able to present risk information to the board of directors. Do not forget the importance of being able to write: risk communication also includes the ability to write e-mails and reports. Essentially, you have to develop a skillset that includes general soft skills and some specialized techniques. This book will aid with some of this.