Measuring and Managing Information Risk: A FAIR Approach

410 pages · 2014 · English

Measuring and Managing Information Risk
A FAIR Approach

Jack Freund and Jack Jones

Butterworth-Heinemann is an imprint of Elsevier
AMSTERDAM • BOSTON • HEIDELBERG • LONDON • NEW YORK • OXFORD • PARIS • SAN DIEGO • SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO

Acquiring Editor: Brian Romer
Editorial Project Manager: Keira Bunn
Project Manager: Poulouse Joseph
Designer: Matthew Limbert

The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, UK
225 Wyman Street, Waltham, MA 02451, USA

Copyright © 2015 Elsevier Inc. All rights reserved.

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means electronic, mechanical, photocopying, recording or otherwise without the prior written permission of the publisher.

Permissions may be sought directly from Elsevier's Science & Technology Rights Department in Oxford, UK: phone (+44) (0) 1865 843830; fax (+44) (0) 1865 853333; email: [email protected]. Alternatively you can submit your request online by visiting the Elsevier web site at http://elsevier.com/locate/permissions, and selecting Obtaining permission to use Elsevier material.

Notices

Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.

Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

Library of Congress Cataloging-in-Publication Data
Application submitted

British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library

ISBN: 978-0-12-420231-3

For information on all Butterworth-Heinemann publications visit our web site at http://store.elsevier.com/

This book has been manufactured using Print on Demand technology. Each copy is produced to order and is limited to black ink. The online version of this book will show color figures where appropriate.

Contents

Acknowledgments by Jack Jones
About the Authors
Preface by Jack Jones
Preface by Jack Freund

CHAPTER 1 Introduction
  How much risk?
  The bald tire
  Assumptions
  Terminology
  The bald tire metaphor
  Risk analysis vs risk assessment
  Evaluating risk analysis methods
  Risk analysis limitations
  Warning—learning how to think about risk just may change your professional life
  Using this book

CHAPTER 2 Basic Risk Concepts
  Possibility versus probability
  Prediction
  Subjectivity versus objectivity
  Precision versus accuracy

CHAPTER 3 The FAIR Risk Ontology
  Decomposing risk
  Loss event frequency
  Threat event frequency
  Contact frequency
  Probability of action
  Vulnerability
  Threat capability
  Difficulty
  Loss magnitude
  Primary loss magnitude
  Secondary risk
  Secondary loss event frequency
  Secondary loss magnitude
  Ontological flexibility

CHAPTER 4 FAIR Terminology
  Risk terminology
  Threat
  Threat community
  Threat profiling
  Vulnerability event
  Primary and secondary stakeholders
  Loss flow
  Forms of loss

CHAPTER 5 Measurement
  Measurement as reduction in uncertainty
  Measurement as expressions of uncertainty
  But we don't have enough data…and neither does anyone else
  Calibration
  Equivalent bet test

CHAPTER 6 Analysis Process
  The tools necessary to apply the FAIR risk model
  How to apply the FAIR risk model
  Process flow
  Scenario building
  The analysis scope
  Expert estimation and PERT
  Monte Carlo engine
  Levels of abstraction

CHAPTER 7 Interpreting Results
  What do these numbers mean? (How to interpret FAIR results)
  Understanding the results table
  Vulnerability
  Percentiles
  Understanding the histogram
  Understanding the scatter plot
  Qualitative scales
  Heatmaps
  Splitting heatmaps
  Splitting by organization
  Splitting by loss type
  Special risk conditions
  Unstable conditions
  Fragile conditions
  Troubleshooting results

CHAPTER 8 Risk Analysis Examples
  Overview
  Inappropriate access privileges
  Privileged insider/snooping/confidentiality
  Privileged insider/malicious/confidentiality
  Cyber criminal/malicious/confidentiality
  Unencrypted internal network traffic
  Privileged insider/confidentiality
  Nonprivileged insider/malicious
  Cyber criminal/malicious
  Website denial of service
  Analysis
  Basic attacker/availability

CHAPTER 9 Thinking about Risk Scenarios Using FAIR
  The boyfriend
  Security vulnerabilities
  Web application risk
  Contractors
  Production data in test environments
  Password security
  Basic Risk Analysis
  Project prioritization
  Smart compliance
  Going into business
  Chapter summary

CHAPTER 10 Common Mistakes
  Mistake categories
  Checking results
  Scoping
  Data
  Variable confusion
  Mistaking TEF for LEF
  Mistaking response loss for productivity loss
  Confusing secondary loss with primary loss
  Confusing reputation damage with competitive advantage loss
  Vulnerability analysis

CHAPTER 11 Controls
  Overview
  High-level control categories
  Asset-level controls
  Variance controls
  Decision-making controls
  Control wrap up

CHAPTER 12 Risk Management
  Common questions
  What we mean by "risk management"
  Decisions, decisions
  Solution selection
  A systems view of risk management

CHAPTER 13 Information Security Metrics
  Current state of affairs
  Metric value proposition
  Beginning with the end in mind
  Missed opportunities

CHAPTER 14 Implementing Risk Management
  Overview
  A FAIR-based risk management maturity model
  Governance, risks, and compliance
  Risk frameworks
  Root cause analysis
  Third-party risk
  Ethics
  In closing

Index

Acknowledgments by Jack Jones

Something like FAIR doesn't come about in a vacuum, and there are a lot of people who deserve my deepest gratitude for the role they played in its development. Sometimes their role was subtle and unintentional; perhaps an offhand comment that spurred deeper thinking or a twist in thinking that unlocked some conceptual obstacle I faced. In other cases the role was explicit and obvious; perhaps as a sounding board, support in the face of skeptics, or mentoring me through political mine fields that litter the information security and risk management landscape.

Regardless, the following list (in alphabetical order except for the last two entries) inevitably is incomplete and I beg the forgiveness of anyone who feels I have left them out.

• Dr. Henry Beker—whose deep wisdom and strong support have been so crucial to the ongoing success of FAIR and CXOWARE. It is a true privilege to know someone like Henry, let alone have the opportunity to work with him.
• The team at CXOWARE—how lucky can one person get, to be surrounded by such great energy, intelligence, and skill. These people seem able to work magic, both in building a business and taking my sometimes half-baked ideas and turning them into truly remarkable software.
• Jack Freund—whose mental quickness may be unmatched in my experience. Jack has been a dear friend, great colleague, and outstanding partner in writing this book. In fact, without his gentle persistence this book likely would not exist.
• Mike Keller and Susan Gueli—two amazing people, both of whom I had the privilege of working for during my tenure as CISO at Nationwide. It is entirely accurate to say that without their support my career would have been quite different and far less successful than it has been. I am deeply indebted to both of them.
• Cindi Hart—who was my right hand (and very often my saving grace) in each of my CISO roles. I hold no other professional in higher regard, and her friendship has been a true blessing.
• Kirk Herath—whose support and friendship has been so important over the years. You will not encounter a more courageous professional, or anyone more expert in the field of privacy.
• Jim Hietala and Ian Dobson—whose support for FAIR within the Open Group has been so critical over the years. These gentlemen define the word "class," and it has been a privilege to work with them.
• Douglas Hubbard—perhaps unmatched as a risk guru, Douglas' books and insights continue to stoke my internal flame for trying to get this right.
• My team and colleagues at Huntington Bank—as with Nationwide, there simply are too many amazing people to list. Here again, my success was largely due to them, and I am deeply grateful for their support and hard work.
