Cyber Security Risk Management:

A New and Holistic Approach


Understanding and Applying NIST SP 800-39

WebEx Hosted by: Business of Security and Federal InfoSec Forum

April 12, 2011

Dr. Ron Ross


Computer Security Division
Information Technology Laboratory

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1


Information technology is our greatest
strength and at the same time, our
greatest weakness…


The Perfect Storm
• Explosive growth and aggressive use of information technology.
• Proliferation of information systems and networks with virtually unlimited connectivity.
• Increasing sophistication of threat, including exponential growth rate in malware (malicious code).

Resulting in an increasing number of penetrations of information systems in the public and private sectors…


The Threat Situation
Continuing serious cyber attacks on public and private sector information systems targeting key operations, assets, and individuals…
• Attacks are organized, disciplined, aggressive, and well resourced; many are extremely sophisticated.
• Adversaries are nation states, terrorist groups, criminals, hackers, and individuals or groups with hostile intentions.
• Effective deployment of malware causing significant exfiltration of sensitive information (e.g., intellectual property).
• Potential for disruption of critical systems and services.


Unconventional Threats to Security
• Connectivity
• Complexity


We expend far too many resources on back-end security…
(chasing the latest vulnerabilities and patching systems)

and far too few resources on front-end security…
(building information security into IT products and systems)


“Red Zone” Security


The New SP 800-39
• Multi-tiered Risk Management Approach
• Implemented by the Risk Executive Function
• Enterprise Architecture and SDLC Focus
• Flexible and Agile Implementation

[Diagram: three-tier risk management model, with the strategic risk focus at Tier 1 shading into a tactical risk focus at Tier 3]
TIER 1: Organization (Governance)
TIER 2: Mission / Business Process (Information and Information Flows)
TIER 3: Information System (Environment of Operation)


Characteristics of Risk-Based Approaches (1 of 2)

• Integrates information security more closely into the enterprise architecture and system life cycle.
• Promotes near real-time risk management and ongoing system authorization through the implementation of robust continuous monitoring processes.
• Provides senior leaders with necessary information to make risk-based decisions regarding information systems supporting their core missions and business functions.


Characteristics of Risk-Based Approaches (2 of 2)

• Links risk management activities at the organization, mission, and information system levels through a risk executive (function).
• Establishes responsibility and accountability for security controls deployed within information systems.
• Encourages the use of automation to increase consistency, effectiveness, and timeliness of security control implementation.


Risk Management Process

[Diagram: the four components of the risk management process, Frame, Assess, Respond, and Monitor, arranged in a cycle around Risk at the center; Risk Framing is shown alongside each of the Assess, Respond, and Monitor components]


Risk Framing
• Establishing the context for how organizations manage information security risk.
  • Assumptions.
  • Constraints.
  • Risk tolerance.
  • Priorities and tradeoffs.
• Applied across all three tiers: organization, mission, and information systems.


Risk Assessment
• Identifying threats and vulnerabilities.
• Determining risk.
  • Potential mission/business impact.
  • Likelihood of occurrence.
• Determining uncertainty.


Risk Response
• Developing risk response strategy.
  • Accept risk.
  • Reject risk.
  • Mitigate risk.
  • Share risk.
  • Transfer risk.
• Developing, evaluating, deciding upon, and implementing courses of action to respond to risk.


Risk Monitoring
• Verifying compliance.
• Determining effectiveness of risk mitigation measures.
• Identifying changes to information systems and environments of operation.

Bottom Line: Increase situational awareness to help determine risk to organizational operations and assets, individuals, other organizations, and the Nation.


Defense-in-Depth

Links in the Security Chain: Management, Operational, and Technical Controls

Management and operational controls:
• Risk assessment
• Security planning, policies, procedures
• Configuration management and control
• Contingency planning
• Incident response planning
• Security awareness and training
• Security in acquisitions
• Physical security
• Personnel security
• Security assessments and authorization
• Continuous monitoring

Technical controls:
• Access control mechanisms
• Identification & authentication mechanisms (biometrics, tokens, passwords)
• Audit mechanisms
• Encryption mechanisms
• Boundary and network protection devices (firewalls, guards, routers, gateways)
• Intrusion protection/detection systems
• Security configuration settings
• Anti-viral, anti-spyware, anti-spam software
• Smart cards

Adversaries attack the weakest link…where is yours?


Defense-in-Breadth

[Diagram: organization-wide application of the Risk Management Framework (RMF)]
RISK EXECUTIVE FUNCTION: Organization-wide Risk Governance and Oversight
Core Missions / Business Processes, from which Security Requirements and Policy Guidance flow down to the information systems.
INFORMATION SYSTEMS (two shown): each with System-specific Controls and Hybrid Controls, and each documented by a Security Plan, a Security Assessment Report, and a Plan of Action and Milestones that feed Ongoing Authorization Decisions.
COMMON CONTROLS: Security Controls Inherited by Organizational Information Systems, likewise documented by a Security Plan, a Security Assessment Report, and a Plan of Action and Milestones that feed Ongoing Authorization Decisions.

Joint Task Force Transformation Initiative
Core Risk Management Publications

• NIST Special Publication 800-53, Revision 3: Recommended Security Controls for Federal Information Systems and Organizations (Completed)
• NIST Special Publication 800-37, Revision 1: Applying the Risk Management Framework to Federal Information Systems: A Security Lifecycle Approach (Completed)
• NIST Special Publication 800-53A, Revision 1: Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans (Completed)


Joint Task Force Transformation Initiative
Core Risk Management Publications

• NIST Special Publication 800-39: Managing Information Security Risk: Organization, Mission, and Information System View (Completed)
• NIST Special Publication 800-30, Revision 1: Guide for Conducting Risk Assessments (Projected May 2011, Public Draft)


Contact Information
100 Bureau Drive, Mailstop 8930
Gaithersburg, MD USA 20899-8930

Project Leader: Dr. Ron Ross, (301) 975-5390, ron.ross@nist.gov
Administrative Support: Peggy Himes, (301) 975-2489, peggy.himes@nist.gov

Senior Information Security Researchers and Technical Support:
• Marianne Swanson, (301) 975-3293, marianne.swanson@nist.gov
• Kelley Dempsey, (301) 975-2827, kelley.dempsey@nist.gov
• Pat Toth, (301) 975-5140, patricia.toth@nist.gov
• Arnold Johnson, (301) 975-3247, arnold.johnson@nist.gov

Web: csrc.nist.gov/sec-cert
Comments: sec-cert@nist.gov
