
The Significance of IT Security Management & Risk Assessment


An overview of IT Security Management, which is comprised of standards, policies, plans, and procedures, as well as risk assessment and the various techniques and approaches used to minimize an organization's financial impact from the exploitation of its many organizational assets.

Submitted by Brent Mohring & Bradley Susser, Information Security & Controls / Information Security Management, April 20, 2012

Table of Contents

Summary ........ 3
Introduction ........ 3
Fundamentals of IT Security Management ........ 3
Organizational Context and Security Policy ........ 10
Developing a Security Policy ........ 12
Case Study ING: Making use of COBIT and Other Standards ........ 14
Security Risk Assessment ........ 15
Risk Assessment Approaches ........ 16
Quantitative and Qualitative Risk Analysis ........ 18
Detailed Security Risk Analysis ........ 20
Case Study Barrick Gold ........ 25
Conclusion ........ 27
Works Cited ........ 29

Summary

The proliferation of attacks on organizational networks and systems has created a global phenomenon, one which was not foreseeable by many information technology pioneers. This is evident in the Kaspersky Lab data; in particular, the report stated that the number of browser attacks in 2011 increased from 580 million to around 946 million (Namestnikov). Because of this, IT Security Management and risk assessment have become an essential element that must be incorporated across all non-governmental organizations as well as those in the public sector. In this paper, we will analyze IT Security Management, Organizational Policies, and Risk Assessment.

Introduction

IT Security Management encompasses how different organizations select, plan, implement, and review their IT security methods. Taking this a step further, it is essential to align IT security risk assessment with business objectives as well as organizational size. Risk assessment is the analysis and identification of specific threats and vulnerabilities of an organization's assets to help determine levels of risk. This paper will therefore cover the various approaches in ISO 13335: the baseline approach, the informal approach, the detailed risk analysis approach, and the combined approach. Furthermore, we will provide a brief overview of both the quantitative and qualitative paradigms, along with a case study that helps show why risk analysis is significant and essential to organizations across all industry segments. Finally, you will be able to see how organizations can minimize risk while maximizing profits by implementing the proper countermeasures along with industry best practices.

Fundamentals of IT Security Management

IT Security Management is the formal process of answering three fundamental questions: What assets do we need to protect? What are the threats to these assets? What countermeasures can be used? (Stallings, 467). To answer the first question, an asset must be defined. An asset is anything that an organization has or owns. It can be something physical like a computer, a server, or a database. It can also be something like a competitive advantage or a company's reputation among its customers; these are intangible assets. The second question addresses the threats to those assets. A computer network might be threatened by something that could harm it, like a virus, or by a competitor analyzing the network to make determinations about how the company operates. A physical asset may be a computer server that is threatened by physical-world events like power outages or floods. Once an organization has identified the threats to its assets, it will need to understand what countermeasures it can employ to protect those assets or mitigate damage to them. These countermeasures can be computer security products like firewalls or software protection, or physical protection like biometric locks. Another important term is vulnerability. A vulnerability is a weakness in an asset or group of assets which can be exploited by a threat, like an unsecured network, or a building with a high level of foot traffic near secure systems.

The basics of IT security management include: determining the security objectives and general risk profile of the company; performing an IT security risk assessment on each asset in the organization; creating management, operational and technical controls; identifying whether risks can be reduced to an acceptable level or simply accepted; selecting controls; writing plans and procedures for implementing the controls; determining whether the plan meets the security objectives; and planning to maintain, adapt and upgrade the controls (Stallings, 470).
For the risk profile, every company is different, so depending on a number of factors such as its size, industry, location, and technology, it needs to determine what its objectives are: what security it needs, how much security it wants to take on, and how much risk it is willing to accept. A large, established company with a lot to lose might want to take on more security and have a lower risk. A startup might not have the resources for a full security suite and may try to go without some proper security to save money and gain a competitive advantage in its market.

For the asset risk assessment, ideally every asset in the company, or at least every asset that is critical to the organization's business objectives, should have a risk assessment to determine the most cost-effective way to protect the asset with an acceptable amount of risk to the company. For the identification of risks, there might be a risk that is a low threat or may have a low impact on the company if it happens, and it may cost a lot to try to protect the vulnerability, so a company may strategically choose not to protect against that risk. The next step is for the organization to select what controls it will use, and write up the plans and procedures for how its security will work. Some examples of management controls are planning, assessments and services. Some examples of operational controls are maintenance, protections implemented, and training programs. Technical controls are security services, audits, and access control (Stallings, 482-483). These controls combine to ensure appropriate levels of security. Once the plan is written, it can be compared to the security objectives to make sure that the goals are met. The company will then create a plan to keep the system constantly working and upgrading. The security management process is cyclic: the company's assets and security concerns will constantly be changing due to changes in business, the rapid advancement of technology, and the changing risk environment, so the company will have to keep re-evaluating its security plans and changing them.

When deciding how to plan IT security management, a company can first look at international standards for IT security. As companies can be audited on their security, it is best for them to examine the standards and their best practices. One important source of standards is the ISO; the International Standards Organization has consolidated its security standards into the ISO 27000 series.
Specifically, ISO/IEC 27000:2009 provides an overview of information security management systems.

ISO Security Standards (Stallings, 468):

The above table displays recently adopted standards. Another standards group is NIST, the National Institute of Standards and Technology. They have standards on IT security management in NIST02 and NIST09. Organizations are being audited more frequently now, after corporate governance issues like the Enron collapse and government organizations losing personal data. These standards are especially important today, as organizations are expected to follow them to protect against losing their data. Recently, a company called Stratfor was hacked, and this intelligence report company is having its private documents leaked to the press (Perlroth). MasterCard and Visa also had their databases of customer information hacked (Pepitone). So organizations need to strictly adhere to these standards. One important standard is ISO 13335, comprising security techniques on IT network security and management of information and communications technology security. It has chapters on topics like securing remote access, securing communications across networks using virtual private networks, selection of safeguards, and guidance on network security.

After reviewing international standards, let's review the full definition of IT Security Management: a process used to achieve and maintain appropriate levels of confidentiality, integrity, availability, accountability, authenticity, and reliability. Its functions are to (Stallings, 471-472):

- Determine objectives, strategies, and policies
- Determine security requirements
- Identify and analyze threats and risks
- Specify and monitor safeguards or countermeasures
- Monitor implementation and operation to protect information and services in a cost-effective manner
- Detect and react to incidents
- Develop a security awareness program

As with all business and IT projects, security implementations will need the backing of high-level corporate employees, like the CIO. Without that support, they won't have the funding, resources, or attention needed to be implemented. In instances like this, an IT employee may have to lobby and convince them of the necessary work to be done, and the best way to do this is to tie the security to the organization's key business objectives and show how the cost of not implementing the security, the risk, is greater than the cost of implementing it. This will be shown in the risk assessment section. There will always be a need for management in the security process; it won't end once all of the controls are set up and the systems are running.

Delving further into how to approach management, a process model can be used to show the processes of IT security management. It: establishes security policy, objectives, processes and procedures; performs risk assessment; creates an inclusive risk treatment plan with selection of controls and acceptance of risk; implements the risk treatment plan; and maintains and improves the implementation plan in response to risk incidents. The process works within a security framework, like the one below (Stallings, 469):

At the top, you have the organizational aspects coupled with the IT security policy, which defines and drives the rest of the process. There are four different security risk analyses listed there for the organization to choose from. Once an assessment type is selected, the company selects the controls to be used and begins to develop the security plan and procedures that are shaped by all of the previous selections. The next stage is Implementation, with the implementation of controls as well as security awareness and training. The last phase does not end the process, but it is the phase in which the company will spend a lot of time. The Follow-Up phase contains the maintenance of the systems, the changing of processes to match new security compliance requirements, and incident handling when threats arrive; that includes detection, response, recovery, and documenting the incident for the future. We want to point out that the Follow-Up has an arrow showing that it eventually leads back to the rest of the process as the security policy gets revised and the implementation starts over. In addition, management must be proactive in incorporating standards, policies, and guidelines to optimize the system so that it aligns with and meets business objectives. This in turn makes the organization more efficient by minimizing risk and maximizing profits. Getting to an actual process model, the one we'll be looking at is shown below (Stallings, 470):

In the textbook, this is described as the Plan-Do-Check-Act process model. This model comes from the ISO 27000 series of standards and is for managing information security. It is similar to the framework graph displayed previously. The first step is "Plan". The interested parties, the executives or experts who are deciding the information security needs of the organization, will plan for possible and probable events.

They establish a security policy, objectives, processes and procedures that are relevant to managing the risk and improving information security to deliver results in accordance with an organization's overall policies and objectives. The second phase is "Do": this is the main implementation phase, when you implement and operate the security policy, controls, processes and procedures. The third phase is "Check": you assess and, where applicable, measure process performance against the security policy, objectives and practical experience, and report the results to management for review. The fourth phase is "Act": you take corrective and preventive actions, based on the results of the internal security audit and management review or other relevant information, to achieve continual improvement of the security management process.

The process model fits into the framework model. You can see that everything in the process up to implementation (the policy, organizational risk analysis, control selection and development of the security plan and procedures) is the Plan phase, and the implementation of controls and training is the Do phase. The Follow-Up (maintenance, security compliance, change management and incident handling) is the Check phase. The feedback from the Follow-Up becomes the Act phase as you go back and change the security framework based on the results from the Follow-Up.

Organizational Context and Security Policy

Relating security to the role it plays within an organization, and examining that role, is part of the Organizational Context section. The organizational security policy describes what the objectives and strategies are, and the process used to achieve them. The intent of the policy is to provide a clear overview of how an organization's IT infrastructure supports its overall business objectives in general, and more specifically what security requirements must be provided in order to do this most effectively.
The organizational or corporate security policy can be a single large document, or a set of related documents. The objectives are IT security outcomes, and the strategies are how to meet the objectives. The policies identify the processes to be done, and must be maintained and updated regularly with periodic reviews of security. An IT system's role in the organization may change over time. Costs of IT security should lower business risks to increase profitability for the organization, even if that entails additional capital expenditures. SANS defines the terms: a policy is typically a document that outlines specific requirements or rules that must be met; in the information/network security realm, policies are usually point-specific, covering a single area. A standard is typically a collection of system-specific or procedural-specific requirements that must be met by everyone. A guideline is typically a collection of system-specific or procedural-specific "suggestions" for best practice; they are not requirements to be met, but are strongly recommended (Information Security Policy Templates). We will be focusing on policy in this presentation, as the chart branches down to the subset of the functional policy branch (Watson, 7):

The above Security Policy Map is from Purdue University. Policies are statements of management intentions and goals, and this chart shows how policies affect the organization's processes. This is an example of security governance. You can see how the laws, regulations, security requirements, organizational goals and business objectives all come together to influence and create the General Organizational Policies, which lead down to the functional policies of the decided-upon procedures, standards, guidelines and baselines. Procedures are detailed steps to perform a specific task that is dictated by policy: handling resources, adding and deleting user accounts, change management, etc. (Watson, 9). Standards specify the use of specific technologies in a uniform manner and require uniformity throughout the organization; examples include operating systems, applications, server tools, and router configurations (Watson, 10). Guidelines are recommended methods for performing a task; they are not required. Examples are malware cleanup, spyware removal, data conversion, and sanitization (Watson, 11). Baselines are similar to standards but account for differences in technologies and versions from different vendors, like different operating systems or system versions (Watson, 12).

Developing a Security Policy

To develop a security policy, you would first list the key organizational security objectives. For example, a large company that already holds a lot of data might be a big target, as people want to access that data, so it might want tighter security controls, while a newer or smaller company may not be an immediate target, and it would not make as much sense for it to develop elaborate security controls. Next you would develop broad strategy statements such as "How will objectives be met?" and "How will we maintain consistency across our organization?" Finally, you will factor in the identified objectives, as well as other key points such as the size of the organization.
Some important questions to ask during the development of the security policy are (Stallings, 471):

- What are the aspects of the organization that require IT support to function efficiently?
- What are the tasks that can only be performed with IT support?
- Which essential decisions depend on the accuracy, currency, integrity, or availability of data managed by IT systems?
- What data that is created, managed, processed and stored by the IT systems needs protection?
- What are the consequences to the company of an IT system security failure?

You'll need to tie these questions to the critical business objectives of the organization.

For example, a retail web site relies on its online order processing system to make money, so that is a critical process, and the organization will need to know how much money it could lose for each time period that the site is down. The security policy should address the following points (Stallings, 471-472):

- Scope and purpose, including the relation of objectives to business, legal and regulatory requirements
- IT security requirements: confidentiality, integrity, availability, accountability, authenticity and reliability
- Assignment of responsibilities for security to employees
- The organization's risk management approach
- Security awareness and training
- General personnel issues and any legal sanctions for those in positions of trust
- Integration of security into systems development and procurement
- The information classification scheme to be used across the organization
- Incident detection and handling processes
- How and when the policy is reviewed, and change control for it

Lastly, I'd like to touch on the Organizational IT Security Officer. A company should have a single person for overall supervision of security: an Organizational IT Security Officer. Because the responsibility for IT security is shared across the organization, there is a risk of inconsistent implementation of security and a loss of central monitoring and control. The various standards strongly recommend that overall responsibility for the organization's IT security be assigned to a single person, the organizational IT security officer. This position has the key responsibilities of oversight and management of the IT security process, liaison with senior management, maintenance, response to incidents, interaction with IT project management security officers, investigation of incidents, and development of IT security awareness and training programs (Stallings, 473). The officer should keep policies consistent. As the company grows, the officer may manage teams who manage processes in their areas.

Case Study ING: Making use of COBIT and Other Standards

To further make the case for how significantly standards can minimize an organization's risk profile, we explored and examined the initiatives taken by ING Group (Le Bie) and its application of information technology governance and tools, along with a strong IT security management commitment, to safeguard against attacks while meeting regulatory compliance, including Sarbanes-Oxley and Basel II. ING Group is a financial services company that provides banking, investment, life insurance and retirement services on a global scale. A case study written in 2006 by the IT Governance Institute (ITGI), an organization established in 1998 to advance international thinking on standards for IT, describes in detail how ING Group was able to successfully execute what ITGI calls the Val IT initiative along with control objectives for information-related technology. One of the processes that Val IT (the Val IT framework) encompasses is investment management, which in turn should come at an affordable cost with an acceptable level of risk. This process, along with the other two that make up Val IT, is backed by empirical research, a common methodology, and supporting publications and services. ING then integrated Val IT with COBIT, which incorporates best practices enabled by key controls measured by outcome and performance metrics, and key management, which provides a disciplined approach to addressing information security issues. In simple terms, Val IT asks the strategic question "Are we doing the right things?" and the value question "Are we getting the benefits?", and the COBIT framework asks the architectural question "Are we doing them the right way?" and the delivery question "Are we doing them well?"
Both methodologies, if used correctly, can help a firm's IT infrastructure support business objectives, maximize business investment in IT, and, most importantly, manage IT-related risks, which, as you will soon see, is distinctly the case for the ING organization. At the time of this study, ING reported in its 2005 annual financials a profit before taxes compared to full-year 2004 results of 19.4% to 18.5 million euros, while earnings-per-share rose 22.7%. ING places extreme importance on IT security by implementing a hierarchy offering checks and balances: at the top is the executive board, second from the top is the procurement policy board, and third from the top is an information risk steering committee, which examines security measures and is most aligned with the topic of this paper. Looking further ahead, the global economic downturn did impact ING's operations and market capitalization, but with the company's proper IT security management in place it fared far better than many of its peers. That is to say, it was not significantly adversely impacted, it had no compliance issues thanks to its strict IT security policy and procedures, and in looking at the organization as a whole we were unable to find any evidence that ING's networks or critical data were exploited in any way. The standards put in place by this financial institution also aided in implementing a stringent risk policy that spanned the entire firm, resulting in improved risk assessment, which reduced the need for costly provisions. ING's active management in the area of IT security deserves to be commended, which is why to date the company has not been exploited and has continued to remain profitable, with annual gross profit of around 12.47 billion dollars and total top-line revenue of around 70 billion dollars.

Security Risk Assessment

After creating a framework for an organization's IT security management policies, standards and procedures, the most integral part of IT security is assessing risk to the organization's overall assets. Assessing security resources is therefore essential to mitigating financial loss: some risks will be addressed, while others will not be addressed properly.
It is therefore imperative that an organization makes use of an approach that aligns IT security objectives with the overall organizational business objectives. Before further discussing the various approaches to risk analysis, we must define what risk is. Risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. In simple terms, risk is the probability of a threat occurrence multiplied by the cost to the organization, or risk = probability * cost. In practice it is difficult to determine, but there are many approaches that can be used. We must further emphasize, before describing these approaches, that each of these risk assessment methodologies needs to address rapid changes in IT technology as well as the risk environment by incorporating a cyclic process. In other words, the process of risk analysis is never-ending.

Risk Assessment Approaches

A number of organizations, such as NIST and ISO, have over the years developed numerous standards for IT risk assessment. In this paper, we will focus on those that make up the ISO 13335 series: the baseline approach, the informal approach, the detailed risk analysis approach, and the combined approach.

The baseline approach measures information security in several categories, to analyze the gap between the current status and the necessary level. A baseline approach implements safeguards to protect against the most common threats. It contains generalized standards and industry best practices. This approach implements basic, general-level security controls, and is best for small organizations (Stallings, 474). Some advantages are that capital expenditures are reduced because resource use is minimized, and that this approach can be duplicated over a range of systems (it is easy, cheap, and easily replicated). The disadvantage is that no special consideration is given to variations in the organization's risk exposure (such as who they are and how systems are used). As a result, the baseline can be set too high, leading to unnecessary capital expenditures, or too low, leading to increased security risks and more exposed vulnerabilities.

The informal approach implements risk analysis by exploiting individual knowledge and experience. This approach is suitable for small and mid-size organizations.
The advantages of this approach are that it usually does not require a lot of resources or time. Individuals who perform this analysis do not require additional skills or training, so informal risk assessment can be performed fairly quickly and cheaply. This approach, unlike the baseline approach, does address the organization's specific systems and issues, allowing for more targeted controls. The disadvantages of this approach are that it is highly dependent on the skills of the person in charge, and the likelihood of missing some important details will leave the organization vulnerable. Also, the particular prejudices of the individuals may influence the results, and this may cause additional capital expenditures that are unnecessary. Based on the above disadvantages, the informal approach may not be effective for many organizations.

Detailed risk analysis involves in-depth identification and valuation of all information assets, the assessment of threats to those assets, and the assessment of vulnerabilities. This is a more comprehensive approach, including numerous stages, and is suitable for large organizations whose IT objectives are critical to their business objectives, or for governmental agencies. Legal requirements may also call for a detailed risk analysis. DRA has continued to evolve with the development of trusted computer systems, and a number of standards encompass this approach, which we will not elaborate on. This is the most comprehensive approach, and it provides the most detailed examination of an organization's security risks. It has the strongest justification for expenditure on controls. As for disadvantages, it requires significant cost, time, resources and expertise to perform the analysis, and an analysis that takes too long may take time away from other vulnerabilities. This type of analysis is typically performed as a legal requirement for government organizations and businesses providing key services to them.

The combined approach is a combination of the baseline approach and the detailed analysis approach.
It has many advantages, including an initial high-level analysis rather than a fully detailed risk analysis of all systems, which may be easier to sell to management. The use of baseline and informal analysis in this approach ensures that a basic level of security protection is implemented early on. And due to the speed of this process, resources are likely to be applied where they are most needed, and the systems most at risk are likely to be examined further early in the process. The disadvantage is that a high-level analysis can be inaccurate, in contrast to a detailed risk analysis, which can create a greater chance of vulnerability. But for most organizations the chance of the above disadvantage is very minimal, so this approach is the one that should be, and in fact is, most commonly used.

Quantitative and Qualitative Risk Analysis

There are a number of approaches, as reviewed above, and for obvious reasons we will compare the detailed risk analysis approach later on in this paper, but one must also understand that many of these approaches can make use of either quantitative or qualitative metrics to complement these various standards in assessing threats and vulnerabilities. Quantitative analysis means being able to come up with actual costs associated with organizational risks, whereas qualitative analysis is more of an intangible assessment based on the priority of identified risks, using their probability of occurring, the corresponding impact, and other factors such as the time frame and risk tolerance.

To give a simplified example contrasting quantitative and qualitative analysis, we will use a possible hospital exploit. In this scenario, a hospital has 1,000 electronic medical records. If these were compromised, we would have to come up with a cost-benefit analysis or a monetary value. One way of doing this is to determine the cost associated with the compromise. To assess the actual costs, we could first contact the patients, create new identification numbers for the files, and create and reissue new ID cards. You would now know the cost, which under meticulous examination comes to a figure of $30 per record.
The cost of this compromise would come out to $30,000 just based on one thousand records. Here, you simply multiplied the cost of each record by the number of exploited records, which is how you arrive at $30,000. This is pretty simplistic, except that it is only one-dimensional: if you had 500,000 records it would be a cost of 15 million dollars and would involve greater complexity, which is why you must now incorporate a qualitative approach.

Within the above example, you now have an auditor walk through the door who says that you have 90 days to deploy the appropriate countermeasures because of the vulnerability he or she observed on the system: there was no encryption mechanism between the database and the web server, and no encryption on the database itself, and therefore the system is not in compliance with HIPAA standards. Through further analysis, such as a code review, we then take a look at additional vulnerabilities and discover that our assets are prone to an SQL injection attack (an appended message that exploits the system and the data within it). Hence, there have to be controls in place to filter out such an attack. Currently, we have the cost associated with the vulnerabilities in the system, and now the likelihood of discoverability must be assessed. Using quantitative analysis, the worst-case scenario would be that the compromise of 500,000 records comes to a cost of 15 million dollars. Going by quantitative analysis alone, this is again a one-dimensional evaluation. We must have a way to assign a risk level to vulnerabilities that takes other factors into consideration. To keep it simple, we will use a qualitative weighting scale that consists of high, medium and low ratings. The information that we've gathered thus far is that the number of records that could be compromised ranges from 1,000 to 500,000 and the records are valued at $30 each. The data is not encrypted in transit or at rest, multiple business units could access and modify the data, and the systems are maintained by the operations group. Lastly, we have an audit requirement to document encryption and apply mitigation controls. Let's incorporate one additional piece into our assessment: reputation. Reputation encompasses the impact on earnings, consumer confidence, and publicity.
We can easily assign a qualitative risk level of high, as an SQL injection attack is not often detected by system logs and intrusion detection services. Reputation is at risk from the hospital going public with a loss of 500,000 medical records, and once this vulnerability is known there will be an increase in this type of attack on hospital systems. We now have the qualitative cost and the quantitative cost, both of which carry a high risk factor. Now here is where management plays an important role, and why we incorporate the single loss expectancy (SLE) formula. In this example, we take the value of the asset ($30 in this case) and the exposure level (500,000 records) and multiply the asset value by the exposure level, giving an SLE of 15 million dollars. We then calculate the annual loss expectancy (ALE), which accounts for how many times per year this will occur. To do this, you take the SLE and multiply it by the annual rate of occurrence (ARO). In this scenario the database is very new, so we can't use historical examples, and without an ARO we can't come up with an appropriate cost-benefit analysis, so we go back to a qualitative approach. We would come up with a way to mitigate this risk by customizing intrusion detection signatures for traffic analysis that poses a threat to the database and by installing host intrusion detection software on both the web server and the database server. Due to these initiatives, we now feel comfortable reducing the risk rating from high to medium. Furthermore, we could reduce the threat level to low via additional code testing, together with properly configured HIPS (host intrusion prevention software) and IDS tools.

The above is an example of how different organizations need to initiate a risk assessment that aligns with their business objectives. We must emphasize that although both quantitative and qualitative analysis are useful, most organizations use a qualitative approach. This is why in the next section we will focus our attention on describing a detailed risk analysis approach that primarily focuses on qualitative metrics.
Detailed Security Risk Analysis

Although the majority of organizations make use of the combined approach, for educational purposes and to cover all areas of risk assessment we have chosen to describe in greater depth the detailed risk analysis approach, along with its techniques and models, as this approach comprises all the essential elements needed to optimize IT security safeguards and minimize risk exposure for any corporation. When first examining an organization's risk profile using this approach, the first area we look at is the firm's perimeter. This includes system boundaries, system functions, system/data criticality, and system/data sensitivity. After looking at the system boundaries, the last step within the first process of this approach, and probably the most significant, is to identify the assets that need to be analyzed. As described above, this addresses the first of the three fundamental questions: What assets do we need to protect? An asset is anything which needs to be protected because it has value to the organization and contributes to the successful attainment of the organization's objectives, and may be either tangible or intangible (Stallings, 480). It includes computer and communications hardware infrastructure, software including applications, information/data held on these systems, the documentation on these systems, and the people who manage and maintain these systems. Within the boundaries identified for the risk assessment, these assets need to be identified and their value to the organization assessed. It is important to emphasize again that, whilst the ideal is to consider every conceivable asset, in practice this is not possible. Rather, the goal here is to identify all assets that contribute significantly to attaining the organization's objectives, and whose compromise or loss would seriously impact the organization's operation (Stallings, 480). Whilst the risk assessment process is most likely managed by security experts, they will not necessarily have a high degree of familiarity with the organization's operations and structures. Thus they need to draw on the expertise of people in the relevant areas of the organization to identify key assets and their value to the organization. A key element of this process step is identifying and interviewing such personnel. Many of the standards listed previously include checklists of types of assets and suggestions for mechanisms for gathering the necessary information. These should be consulted and used. The outcome of this step should be a list of assets, with brief descriptions of their use by, and value to, the organization.
The next area we need to focus on is threat sources, which many times can be drawn from past experience. A threat source can be a natural disaster, or a human agent acting either directly (e.g. an insider retrieving and selling information, or a hacker targeting a server over the internet) or indirectly (e.g. an accident, perhaps through the misconfiguration of various routers). The third area to focus on is threat identification. This addresses the questions What could cause the organization harm? and How could this occur? (Stallings, 481). Threats to the assets need to be identified, as well as the ways those threats could affect the systems. To complement this, the next area to be examined is vulnerabilities. We identify exploitable flaws or weaknesses in the organization's IT systems or processes and determine the applicability and significance of each threat to the organization. A threat and a vulnerability must both be present to create a risk to an asset. We can use the lists of potential vulnerabilities in the standards to help determine our own vulnerabilities. After this step, one must determine which controls already exist, to reduce redundancy and eliminate wasteful spending.

Determining Overall Risk Exposure by Making Use of Qualitative Risk Rating Tables

The first table that will be applied consists of a rating, a likelihood description, and an expanded definition, used to determine the overall likelihood that an asset will be compromised. This can be seen in the following table (Stallings, 483):

Table 1.

The next essential step is to create a table that determines the consequence if a specified asset or a number of assets are exploited. This table comprises a rating, the rating of the consequence to the organization (from insignificant to a Doomsday scenario), and an expanded definition that briefly describes the magnitude of the impact and the repercussions to the overall organization. See the example below (Stallings, 484-485):

Table 2.

Finally, based on meticulous examination and analysis of the likelihood that a threat will occur and the impact it will have on an organization, we can create another table by correlating the two previous variables to qualitatively detail the risk level assigned to each combination. This table is titled Risk Level Determination and Meaning, and can be found below (Stallings, 486):

Table 3.

In our final table, we create what is known as the Risk Register, which allows management to distinguish the assets that require treatment from those that do not. The Risk Register should consist of the identified asset, the threat/vulnerability, the existing controls already in place, the likelihood that each identified threat could occur and cause harm to an identified asset, the consequence (the impact on the organization should a particular asset or assets be compromised), the level of risk, and the priority of the risk (Stallings, 486):

Table 4.

The Risk Register then allows executive management to accept the risk, avoid the risk, transfer the risk, reduce the consequences, or reduce the likelihood. Making use of these models and techniques allows an organization to handle attacks more efficiently and effectively by mitigating its risk profile while incorporating best practices.

Case Study Barrick Gold

To further discuss risk assessment, we decided to take a detailed look at a well-known publicly traded organization, primarily because it makes use of a Supervisory Control And Data Acquisition (SCADA) system (Barrick Goldstrike Wireless Presentation). The use of SCADA is pronounced and prevalent among many organizational systems that are vital to the United States infrastructure. Prior to 9/11 this may not have been seen as a high priority, but because we are in the midst of potential cyber warfare among various countries around the globe, any attack on such systems can cause significant economic impact to the US. To give a few examples, SCADA is deployed to monitor and control electric power generation, transmission and distribution, water and sewage, mass transit, traffic signals and various other industrial systems. Typically, mining companies have a much greater risk tolerance, but due to the growing number of attacks on a multitude of corporations and governments around the world, Barrick Gold has taken this threat quite seriously, especially when it comes to the safety of its employees.

Barrick Gold trades on the NYSE under the ticker ABX and is a Canadian-based company formed in 1983. It engages in the production and sale of gold and copper, with production, exploration and development projects located in North and South America, the Australia-Pacific region and Africa. It currently has 26 operating mines, with annual revenues of around 14.31 billion dollars, total cash on hand of 2.74 billion dollars and debt of 13.37 billion dollars. Its stock currently trades at a multiple of around 10.9 times earnings, and it is anticipated to trade over the next year and a half at 8 times earnings. In April 2011, Barrick acquired Equinox Minerals for around 7.3 billion Canadian dollars. This acquisition, along with other acquisitions, adds further complexity to the organization. Therefore, risk analysis is of extreme significance, because disparate systems need to be integrated together with an appropriate assessment of IT security issues.

In making use of the combined approach, we must not forget that detailed risk analysis is an important part of this technique. Therefore, instead of going into great detail on the identification of assets, threats, vulnerabilities and so forth, below we have provided a hypothetical risk register model that we believe would address many of the company's IT security concerns, which in turn would aid Barrick in analyzing and driving action to minimize the likelihood of a risk occurring, reduce the visibility of the risk, increase the ability to handle the risk should it occur, and reduce the impact of the risk. One added point is that, as you can see in the risk register below, the reliability of the SCADA nodes and network was of the highest risk priority, due primarily to the safety of the workers in the mine: among other things, the SCADA system monitors temperature by placing various sensors throughout the mine, and if, for example, the system went down and the miners had no access to oxygen, then there could be a significant number of fatalities. On the other end of the spectrum is email, which was viewed as the least significant. One other thing to take note of is that we believed the integrity of the stored file and database information was second in risk priority. One reason for this was that it is of extreme importance not to allow access to any opponent who may want information on, let's say, company-specific M&A activity, from which they could retrieve insider information to benefit financially. See the table below (Stallings, 490):
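As an added illustration (not code from the paper, and not Stallings's tables), the following Python builds such a register in code: it carries the SLE/ALE arithmetic from the hospital example wherever monetary figures exist, assigns a qualitative level from a constructed likelihood-by-consequence matrix, and orders constructed Barrick-style entries so that SCADA reliability, stored data integrity and email come out in the priorities described above. The scale names, the matrix thresholds and the sample ratings are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Qualitative scales, lowest to highest, using the rating names the paper refers to.
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
CONSEQUENCE = ["insignificant", "minor", "moderate", "major", "catastrophic", "doomsday"]
LEVELS = ["low", "medium", "high", "extreme"]

def single_loss_expectancy(asset_value: float, exposure: int) -> float:
    """SLE = value of one unit of the asset x units exposed ($30 x 500,000 in the paper)."""
    return asset_value * exposure

def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x annual rate of occurrence; the ARO needs history or an explicit estimate."""
    return sle * aro

def risk_level(likelihood: str, consequence: str) -> str:
    """Constructed approximation of a likelihood x consequence matrix (assumption, not Stallings')."""
    lk, cq = LIKELIHOOD.index(likelihood), CONSEQUENCE.index(consequence)
    if cq >= 4 and lk >= 2:            # catastrophic or worse, and at least 'possible'
        return "extreme"
    score = lk + cq                    # 0 .. 9
    return "extreme" if score >= 7 else "high" if score >= 5 else "medium" if score >= 3 else "low"

@dataclass
class RiskEntry:
    asset: str
    threat: str                           # threat/vulnerability column of the register
    controls: str                         # existing controls already in place
    likelihood: str
    consequence: str
    asset_value: Optional[float] = None   # per-unit value, when a monetary figure exists
    exposure: Optional[int] = None        # units exposed in the worst case
    aro: Optional[float] = None           # annual rate of occurrence, when known

def build_risk_register(entries: list) -> list:
    """Rows sorted by risk level (highest first) with a 1-based priority; SLE/ALE where computable."""
    rows = []
    for e in entries:
        sle = ale = None
        if e.asset_value is not None and e.exposure is not None:
            sle = single_loss_expectancy(e.asset_value, e.exposure)
            ale = annual_loss_expectancy(sle, e.aro) if e.aro is not None else None
        rows.append({"asset": e.asset, "threat": e.threat, "controls": e.controls,
                     "likelihood": e.likelihood, "consequence": e.consequence,
                     "level": risk_level(e.likelihood, e.consequence), "sle": sle, "ale": ale})
    rows.sort(key=lambda r: (LEVELS.index(r["level"]), LIKELIHOOD.index(r["likelihood"]),
                             CONSEQUENCE.index(r["consequence"])), reverse=True)
    for priority, row in enumerate(rows, start=1):
        row["priority"] = priority
    return rows

# Constructed sample entries; the ratings are assumptions for this illustration, not the paper's own.
HOSPITAL = RiskEntry("Electronic medical records", "SQL injection; data unencrypted in transit and at rest",
                     "none", "likely", "catastrophic", asset_value=30, exposure=500_000)
BARRICK = [
    RiskEntry("Email", "loss of availability", "spam filtering", "likely", "minor"),
    RiskEntry("SCADA nodes and network", "sensor network outage endangers miners",
              "redundant nodes", "possible", "catastrophic"),
    RiskEntry("Stored files and databases", "unauthorised access to M&A information",
              "access control lists", "possible", "major"),
]
```

Calling build_risk_register(BARRICK + [HOSPITAL]) returns the rows in priority order, with the hospital row carrying an SLE of 15,000,000 and no ALE because no ARO is known.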


Table 6.

Conclusion

As we move from centralized systems to more distributed systems, the potential for attacks to propagate has increased dramatically. Furthermore, as technology has continued its rapid advancement, so too has the technology created and deployed by attackers or opponents. Therefore, it is an absolute necessity to create checks and balances in governance by using a systematic approach to alleviate these threats. IT security management and risk assessment help to mitigate this problem. All organizations must use best practices in the area of IT security management and risk assessment. If done successfully, through the policies, procedures and standards described in this paper, organizations and governments will effectively safeguard their assets. It must be further stated that it is virtually impossible to safeguard against every type of vulnerability. However, deploying and implementing the proper framework, along with a thorough risk assessment of all assets, vulnerabilities, threats, and countermeasures, will vastly decrease the risk of exploitation. This will allow sovereigns and organizations around the world to select and use the appropriate controls, some of which include antivirus software, antispyware software, firewalls, encryption of data in transit and at rest, intrusion detection systems, intrusion prevention systems, and so on. A recent Bloomberg Government study found that spies, criminals, and hacker activists are stepping up assaults on US government and corporate systems (Engleman and Strohm). This study also stated that companies, including utilities, banks, and phone companies, will have to spend almost 9 times more on cyber security to prevent a digital Pearl Harbor from plunging millions into darkness, paralyzing the financial system, or cutting communications. The article cited above is a clear indication that IT security management and risk analysis must be an essential, ongoing process to counter such an event.

References

1. Ameerally, Imran. "Risk Assessment: An Overview." Republic of Mauritius. Ministry of IT and Telecommunications, 01 Dec. 2006. Web. 20 Feb. 2012. <http://www.gov.mu/portal/sites/ncbnew/security/1dec/Risk%20Assessment.ppt>.
2. "Barrick Goldstrike Wireless Presentation." WMEA Technical Papers. Western Mining Electrical Association. Web. 20 Feb. 2012. <http://www.wmea.net/Technical%20Papers/Barrick%20Goldstrike%20Wireless%20Presentation.pdf>.
3. De Bie, Veronique. "IT Security Management Standards for Today's Businesses." Lsec.com. L-SEC, 20 Jan. 2006. Web. 20 Apr. 2012. <www.lsec.be/upload_directories/documents/standard2006.pdf>.
4. Engleman, Eric, and Chris Strohm. "Cybersecurity Disaster Seen in U.S. Survey Citing Spending Gaps." Bloomberg. Bloomberg, 31 Jan. 2012. Web. 20 Apr. 2012. <http://www.bloomberg.com/news/2012-01-31/cybersecurity-disaster-seen-in-u-s-surveyciting-spending-gaps.html>.
5. "How Business and Entrepreneurship Can Shine Your Life." Risk Analysis Business Basics. Business Basics, 21 Oct. 2010. Web. 17 Apr. 2012. <http://www.treatyoakmaps.com/?p=43>.
6. "Information Security Policy Templates." SANS. Web. 20 Feb. 2012. <http://www.sans.org/securityresources/policies/>.
7. "ISO - International Organization for Standardization." International Organization for Standardization. Web. 20 Feb. 2012. <http://www.iso.org/iso/home.htm>.
8. Namestnikov, Yury. "Kaspersky Security Bulletin. Statistics 2011." SecureList.com. Kaspersky Lab ZAO, 1 Mar. 2012. Web. 18 Apr. 2012. <http://www.securelist.com/en/analysis/204792216/Kaspersky_Security_Bulletin_Statistics_2011>.
9. Pepitone, Julianne. "'Massive' Credit Card Data Breach Involves All Major Brands." CNNMoney. Cable News Network, 30 Mar. 2012. Web. 18 Apr. 2012. <http://money.cnn.com/2012/03/30/technology/credit-card-data-breach/index.htm>.
10. Perlroth, Nicole. "Inside the Stratfor Attack." Bits Blog. New York Times, 12 Mar. 2012. Web. 18 Apr. 2012. <http://bits.blogs.nytimes.com/2012/03/12/inside-the-stratfor-attack/>.
11. "Risk Assessment Case Study." The Security Risk Management Toolkit. Web. 20 Feb. 2012. <http://www.risk.biz/case.html>.
12. Stallings, William, Lawrie Brown, Michael D. Bauer, and Michael Howard. "Chapter 16 IT Security Management and Risk Assessment." Computer Security: Principles and Practice. Upper Saddle River, NJ: Prentice Hall, 2008. Print.
13. Stallings, William, Lawrie Brown, Michael D. Bauer, and Michael Howard. "Chapter 14 IT Security Management and Risk Assessment." Computer Security: Principles and Practice. 2nd ed. Upper Saddle River, NJ: Prentice Hall, 2011. Print.
14. Verheul, Eric. "Practical Implementation of ISO 27001 / 27002." Security in Organizations. Radboud University, 2011. Web. 20 Feb. 2012. <http://www.cs.ru.nl/~klaus/secorg/Slides/02_IS_IMPL_20v0.51.pdf>.
15. Watson, Keith A. "Security Management Practices." Secure Purdue. Purdue University. Web. 20 Feb. 2012. <http://www.purdue.edu/securepurdue/docs/training/SecurityManagementPractices.ppt>.
