Mandates and Managing Risk
In This Chapter
Recognizing the importance of compliance
Reviewing the risk management process
Developing risk management strategies
Additional requirements
Beyond information-technology-specific directives, legal requirements can
include generalized mandates.
You must consider accessibility requirements under Section 508 of the
Rehabilitation Act of 1973 (as amended), for example, in authentication and
data access planning.
Complex multi-factor or biometric authentication systems may prove difficult to
operate for individuals with physical disabilities.
Public-facing applications that don't support assistive screen-reading technologies
such as JAWS and Window-Eyes may be unusable by some consumers.
You also need to consider legal requirements that are likely to be enacted in
the near future. Following recent large-scale accidental data exposure
events, particularly in the retail and financial industries, it is likely that new
laws will address the handling of backup media and related data-management
responsibilities.
In addition, legislation under consideration could impose mandatory data
retention for Internet service providers and other agencies responsible for
the storage, processing, and transmission of information that could be
useful in law enforcement investigations.
In the United States, multiple states have recently passed privacy laws that
require encryption of personally identifying data, both in storage and in use,
whenever such data is collected on citizens living in that state.
Many of these laws require not only protective measures, but also a
mechanism for registering the data storage with the affected citizens' home
state, and they mandate reporting of security breaches of databases containing
personal information. These laws can suddenly affect an organization
merely because a person living in one of these states becomes a client,
member, or consumer of a service that involves entering data classified by
that person's home-state legislature as protected.
Identifying threats
Threats typically fall into three categories:
Natural or environmental threats
Electronic threats
Human threats
Electronic threats
Malware such as viruses, Trojan horses, and spyware
Bugs and weaknesses in software applications and
operating systems
Bots and botnets, which are computers infected by
malware and controlled by malicious individuals
Phishing e-mails, which attempt to trick individuals into
providing passwords, bank account numbers, credit card
numbers, or other sensitive data to fraudulent Web sites
Human threats
Human threats can be deliberate attacks by malicious individuals for
purposes such as damaging an organization's assets, data, or
reputation, or stealing its physical or electronic assets. Typical sources include:
Criminals
Disgruntled employees
The organization's competitors (industrial espionage: the theft of trade secrets)
Human threats aren't limited to physical actions taken by
individuals. Electronic threats often originate with, or persist because of,
a human element.
Consider motivation when people are involved, because it helps
determine the methods they'll use.
If industrial espionage is the motivation, attackers are likely to use
social engineering techniques to trick employees into giving them access.
A disgruntled employee with revenge in mind may destroy or corrupt data
or provide his or her login credentials to unauthorized persons.
Other motivations include curiosity, monetary gain, blackmail, and
destruction; other methods include hacking, theft, bribery, denial-of-service
attacks, and system intrusion.
Identifying vulnerabilities
You will continually spend time reviewing emerging and recurring
vulnerabilities, exploits, and threats that must be dealt with through
updates, patches, or changes to protocol and service settings.
There's no such thing as "secure forever": attack techniques and
vulnerabilities are always evolving into new forms and mechanisms that must
be included in enterprise defensive planning.
Some online sources for review include
The SANS Institute's Top Cyber Security Risks (www.sans.org/topcyber-securityrisks/?ref=top20)
United States Computer Emergency Readiness Team (www.uscert.gov)
National Vulnerability Database (http://nvd.nist.gov)
SecurityFocus (www.securityfocus.com)
Vendor Web sites for software in use in the enterprise
Assessing risk
In assessing risk, each threat is analyzed to determine its probability and impact.
Probability is the likelihood that the threat will materialize into an actual event.
Impact refers to the loss that would occur from a successful threat event.
This loss can be tangible, such as loss of funds, equipment, or personnel, or
intangible, such as loss of reputation.
Assessing risk
Determining probability
Determining impact
Calculating risk rating
Determining probability
Probability can be determined by looking at how often threat events (both
successful and unsuccessful) occur in your organization and in general and also by
whether or not there are appropriate countermeasures in place to protect against
exploitation of vulnerabilities.
For example, if your organization's antivirus software is blocking hundreds of viruses per day,
then a probability rating of High could be assigned to any threat involving malware.
Based on the state of countermeasures:
High might be assigned if no countermeasures are in place
Medium if inadequate countermeasures exist
Low if the countermeasures in place are sufficient
Determining impact
Impact can be determined by the nature and severity of the consequences of a successful
threat event.
In some cases the impact is simple to establish:
the cost of repairing or replacing stolen or damaged equipment
the cost of penalties or credit-monitoring services in the event of unauthorized access to customer personally
identifiable information
sales lost due to a denial-of-service attack on your organization's Web site
Deciding the impact rating for loss of reputation or other intangible consequences may be more
difficult. However, a qualitative assessment leaves quite a bit of room for judgment.
In all cases, the impact rating depends upon the organization. One company may consider
$10,000 in lost sales deserving of a High impact rating, while another might consider that Low.
Regardless, these ratings must be defined and used consistently to accurately compare risk
between threats.
In circumstances where threat events could lead to loss of life, the impact should always be
considered High and may need to be rated even at Very High or Critical, depending upon the
potential for harm. Examples of this include threats against network-enabled medical
equipment, control software for industrial facilities, or traffic control systems.
Addressing Risk
Prioritizing threats
Reducing probability
Reducing impact
Choosing appropriate mitigations
Prioritizing threats
Generally, risks are addressed in order of priority, highest to lowest. Four
strategies may be used to address an identified threat:
Acceptance: The risk may be identified, examined, and accepted,
provided that the impact is fully understood and recognized.
Avoidance: The risk may be avoided by selecting an alternative option
that does not include the same level of risk or by simply not engaging in
the risky behavior.
Mitigation: The risk may be reduced to an acceptable level by including
additional protections or by altering the parameters producing the risk.
Transference: The risk may be transferred to another responsible party,
often through outsourcing or insurance protections.
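The rating rules described under "Assessing risk" (probability from observed frequency and countermeasure state, impact from an organization-defined loss scale with loss of life never rated below High) and the "highest to lowest" ordering described under "Prioritizing threats" can be turned into a small, repeatable scoring routine. The example below is an added illustration, not code from the chapter: the dollar thresholds, the "100 events per day counts as High" cutoff, the multiplicative risk score and the sample threats are all assumptions chosen to show the method.

```python
"""Qualitative risk rating and prioritization (added illustration, not from the chapter)."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    VERY_HIGH = 4
    CRITICAL = 5


# Organization-defined impact thresholds in dollars. These are assumed values; the
# chapter only says each organization must define its own scale and apply it consistently.
IMPACT_THRESHOLDS = {Level.MEDIUM: 10_000, Level.HIGH: 100_000}

# Assumed frequency cutoffs: the chapter's "hundreds of viruses per day" example is High.
FREQUENCY_HIGH = 100.0   # threat events per day
FREQUENCY_MEDIUM = 1.0


@dataclass
class Threat:
    name: str
    events_per_day: float      # observed threat events, successful or not
    countermeasures: str       # "none", "inadequate" or "sufficient"
    loss_usd: float            # tangible loss estimate for one successful event
    life_safety: bool = False  # could a successful event cause injury or death?
    severe_harm: bool = False  # ...with large potential for harm (many people, irreversible)


def probability(t: Threat) -> Level:
    """Probability rating: the higher of the countermeasure-based and frequency-based ratings.

    Taking the maximum reproduces the chapter's example: malware that is blocked hundreds
    of times a day is still rated High even though the countermeasure is working.
    """
    by_controls = {
        "none": Level.HIGH,
        "inadequate": Level.MEDIUM,
        "sufficient": Level.LOW,
    }[t.countermeasures]
    if t.events_per_day >= FREQUENCY_HIGH:
        by_frequency = Level.HIGH
    elif t.events_per_day >= FREQUENCY_MEDIUM:
        by_frequency = Level.MEDIUM
    else:
        by_frequency = Level.LOW
    return max(by_controls, by_frequency)


def impact(t: Threat) -> Level:
    """Impact rating from the loss scale, with the life-safety floor applied first."""
    if t.life_safety:
        # Chapter rule: loss of life is always at least High; assumed here that
        # large potential for harm raises it to Critical.
        return Level.CRITICAL if t.severe_harm else Level.HIGH
    if t.loss_usd >= IMPACT_THRESHOLDS[Level.HIGH]:
        return Level.HIGH
    if t.loss_usd >= IMPACT_THRESHOLDS[Level.MEDIUM]:
        return Level.MEDIUM
    return Level.LOW


def risk_score(t: Threat) -> int:
    """Assumed scoring: probability x impact on the numeric scale above."""
    return int(probability(t)) * int(impact(t))


def prioritize(threats: list[Threat]) -> list[tuple[str, Level, Level, int]]:
    """Order threats highest risk first; ties broken by impact so severe outcomes surface."""
    rows = [(t.name, probability(t), impact(t), risk_score(t)) for t in threats]
    return sorted(rows, key=lambda r: (r[3], r[2], r[0]), reverse=True)


# Constructed sample register (not real data).
SAMPLE_THREATS = [
    Threat("Malware on workstations", 300, "sufficient", 5_000),
    Threat("Unpatched public web server", 2, "inadequate", 150_000),
    Threat("Phishing for staff credentials", 20, "none", 50_000),
    Threat("Tampering with network-enabled infusion pumps", 0, "inadequate", 20_000,
           life_safety=True, severe_harm=True),
]

if __name__ == "__main__":
    for name, p, i, score in prioritize(SAMPLE_THREATS):
        print(f"{score:>3}  P={p.name:<8} I={i.name:<9} {name}")
```

In the constructed register, the infusion pump threat is rated Low on frequency and Medium on countermeasures, yet it tops the list because the life-safety floor drives its impact to Critical; the web server and phishing threats tie on score and are separated by impact. Changing IMPACT_THRESHOLDS to another organization's scale reorders the list, which is exactly why the chapter insists the scale be defined once and used consistently.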
Reducing probability
Reducing impact
The most effective strategy for reducing impact is to have a comprehensive
contingency plan. Contingency plans include actions to take in the event of a
specific occurrence.
Other strategies include
Implementing redundant solutions such as clusters, load balancing, and
alternative sites.
Ensuring that copies of critical data are stored in a secure, off-site facility for use
in the event that on-site data is corrupted or deleted.
Training users to report suspected security incidents to appropriate personnel.
Configuring intrusion detection applications, integrity verification solutions, data
loss prevention software, and other security solutions to notify appropriate
personnel of threat events such as denial of service, attempted theft of data, or
unauthorized altering of system files so that the threat may be contained in a
timely manner.