
Complying with Mandates and Managing Risk

In This Chapter
Recognizing the importance of compliance
Reviewing the risk management process
Developing risk management strategies

Keeping Your Company Compliant


Legal mandates that affect the organization
Discovery and retention
Additional requirements

Legal mandates that affect the organization
Sarbanes-Oxley Act (SOX): applies to publicly traded U.S. companies

Gramm-Leach-Bliley Act (GLBA)
Privacy and protection of personally identifying information (PII) are
required by privacy laws

Health Insurance Portability and Accountability Act (HIPAA)


Requirements for segregation of electronic personal health
information from other organizational data, for example, may
complicate data storage, backup, and archival planning

Family Educational Rights and Privacy Act (FERPA)


Children's Online Privacy Protection Act (COPPA)

Discovery and retention


Because so many legal investigations and compliance reviews require
access to electronic records, you should include provisions for information
archival and reporting in your long-term planning.
Subpoena-management practices should be firmly in place before
requests for data are received, to ensure continuity and minimal
disruption of operations.
An enterprise architect can provide great value to your organization by
including data archival, storage, and handling options in your long-term
enterprise strategy. Mapping data resources together with details on
backup and archival practices for each helps identify data held
beyond a desirable discovery window. This map also provides a ready
reference for an organization presented with a subpoena, so that it can avoid
accidental destruction of data through normal backup media rotation and
archival procedures.
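As an added example (not from the original chapter), the following Python sketch shows the kind of data map the paragraph describes: an inventory of backup and archival copies with their retention window and rotation date, a check that flags copies held beyond the retention window, and a check that flags copies of a resource under a legal hold that routine media rotation would destroy. The resource names, media, dates, retention periods and the hold are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DataCopy:
    resource: str             # data set the copy belongs to (assumed names)
    medium: str               # where it lives: disk, tape, offsite archive
    created: date             # when this copy was made
    retain_days: int          # policy retention window for the resource
    rotation: Optional[date]  # when normal media rotation overwrites it (None = kept)


def held_beyond_window(copies: List[DataCopy], today: date) -> List[DataCopy]:
    """Copies older than the policy retention window: still discoverable,
    but the organization no longer needs them."""
    return [c for c in copies
            if today - c.created > timedelta(days=c.retain_days)]


def rotation_conflicts(copies: List[DataCopy], holds: Dict[str, date],
                       today: date, horizon_days: int = 30) -> List[DataCopy]:
    """Copies of resources under a legal hold (resource -> hold start date)
    that routine rotation would destroy within the horizon. These need the
    rotation job paused or the copy cloned before it is overwritten."""
    cutoff = today + timedelta(days=horizon_days)
    return [c for c in copies
            if c.resource in holds
            and c.rotation is not None
            and today <= c.rotation <= cutoff]


# Constructed inventory: names, dates and retention periods are invented.
INVENTORY = [
    DataCopy("customer-db", "disk", date(2023, 11, 1), 365, None),
    DataCopy("customer-db", "tape", date(2022, 1, 15), 365, date(2024, 1, 20)),
    DataCopy("hr-records", "tape", date(2021, 6, 1), 2555, date(2024, 2, 1)),
    DataCopy("email-archive", "offsite", date(2020, 3, 1), 1095, None),
]
HOLDS = {"hr-records": date(2023, 12, 15)}  # constructed: one active hold


def report(today: date = date(2024, 1, 10)):
    """Return (over-retained copies, copies a hold must protect from rotation)."""
    return held_beyond_window(INVENTORY, today), rotation_conflicts(INVENTORY, HOLDS, today)


if __name__ == "__main__":
    over, conflicts = report()
    for c in over:
        print(f"beyond retention: {c.resource} on {c.medium} (created {c.created})")
    for c in conflicts:
        print(f"pause rotation:   {c.resource} on {c.medium} (rotates {c.rotation})")
```

The two lists are the over-retained copies to purge and the rotation jobs to pause; in practice the inventory would be fed from the backup system's catalog rather than a literal list.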

Additional requirements
Beyond information technology-specific directives, legal requirements can
include generalized mandates.
You must consider accessibility requirements under Section 508 of the
Rehabilitation Act of 1973 (as amended), for example, in authentication and
data access planning.
Complex multi-factor or biometric authentication systems may prove difficult to
operate for individuals with physically disabling conditions.
Public-facing applications that don't support assistive screen-reading technologies
such as JAWS and Window-Eyes may be unusable by some consumers.

You also need to consider legal requirements that are likely to be enacted in
the near future. Following recent large-scale accidental data exposure
events, particularly in the retail and financial industries, it is likely that new
laws will deal with backup media and other data-management responsibilities.

In addition, legislation under consideration could impose mandatory data
retention for Internet service providers and other agencies responsible for
the storage, processing, and transmission of information that could be
useful in law enforcement investigations.
In the United States, multiple states recently passed privacy laws that
require encryption in storage and use whenever personally identifying data
is collected on citizens living in that location.
Many of these laws require not only protective measures, but also a
mechanism for registering the data storage with the affected citizen's home
state, and mandates for reporting security breaches of databases containing
personal information. These laws can suddenly affect an organization
merely because a person living in one of these states becomes a client,
member, or consumer of services that involve entering data classified by
their home state's legislature as protected.

Planning to Manage Risk


Identifying threats
Identifying vulnerabilities
Assessing risk

Identifying threats
Threats typically fall into three categories:
Natural or environmental threats
Electronic threats
Human threats

Natural or environmental threats
Natural threats include weather events such as floods,
storms, tornadoes, and hurricanes.
Environmental threats include events such as fire,
extended power failures, and water leaks.
Natural and environmental threats can cause a significant
amount of direct physical damage, as well as a general
disruption of business.
Unlike natural threats, however, environmental threats
may be caused by human elements with various
motivations.

Electronic threats
Malware such as viruses, Trojan horses, and spyware
Bugs and weaknesses in software applications and
operating systems
Bots and botnets, which are computers infected by
malware and controlled by malicious individuals
Phishing e-mails, which attempt to trick individuals into
providing passwords, bank account numbers, credit card
numbers, or other sensitive data to fraudulent Web sites

Human threats
Human threats can be deliberate attacks by malicious individuals for
purposes such as causing damage to an organization's assets, data, or
reputation, or stealing its physical or electronic assets. Sources include:
Criminals
Disgruntled employees
The organization's competitors (industrial espionage: the theft of trade secrets)

Not all attempts to circumvent security controls involve malicious intent.


Examples of such benign events:
Propping open a secure door while moving equipment
Software developers leaving back doors in applications for testing or
administrative purposes
Employees sharing login credentials instead of waiting for access requests to be
approved.

Human threats aren't limited to physical actions taken by
individuals. Electronic threats often originate with, or persist
because of, a human element.
Consider motivation when people are involved, because it helps
determine the methods they'll use.
If industrial espionage is the motivation, attackers are likely to use
social engineering techniques to trick employees into giving them access.
A disgruntled employee with revenge in mind may destroy or corrupt data
or provide his or her login credentials to unauthorized persons.
Other motivations include curiosity, monetary gain, blackmail, and
destruction; other methods include hacking, theft, bribery, denial of
service attacks, and system intrusion.

Identifying vulnerabilities
You will continually spend time reviewing emerging and returning
vulnerabilities, exploits, and threats that must be dealt with through
updates, patches, or changes to protocol and service settings.
There's no such thing as "secure forever": attack and vulnerability
options are always evolving into new forms and mechanisms that must
be included in enterprise defensive planning.
Some online sources for review include:
The SANS Institute's Top Cyber Security Risks (www.sans.org/topcyber-securityrisks/?ref=top20)
United States Computer Emergency Readiness Team (www.uscert.gov)
National Vulnerability Database (http://nvd.nist.gov)
SecurityFocus (www.securityfocus.com)
Vendor Web sites for software in use in the enterprise

Assessing risk
In assessing risk, each threat is analyzed to determine its probability and impact:
Probability is the likelihood that the threat will materialize into an actual event.
Impact refers to the loss that would occur from a successful threat event. This loss
can be tangible, such as loss of funds, equipment, or personnel, or intangible, such
as a loss of reputation.

IT risk assessment typically involves qualitative analysis.
Instead of numbers, values such as Low, Medium, or High are assigned to
probability and impact, and a risk matrix determines the level of risk. You define
Low, Medium, and High based on what is appropriate to your organization's
business.
For more granularity, add ratings such as Very Low or Negligible on the low end
or Very High, Severe, or Critical on the high end.

Assessing risk
Determining probability
Determining impact
Calculating risk rating

Determining probability
Probability can be determined by looking at how often threat events (both
successful and unsuccessful) occur in your organization and in general, and also by
whether appropriate countermeasures are in place to protect against
exploitation of vulnerabilities.
For example, if your organization's antivirus software is blocking hundreds of viruses per day,
then a probability rating of High could be assigned for any threats involving malware.

For countermeasures:
High might be assigned if no countermeasures are in place
Medium if inadequate countermeasures exist
Low if the countermeasures in place are sufficient

For example, the probability of unauthorized access if a confidential data file is
stored in:
an open file share: High
a file share with appropriate access control but weak passwords: Medium
an encrypted file share with appropriate access control and strong passwords: Low

Determining impact
Impact can be determined by the nature and severity of the consequences of a successful
threat event.
In some cases the impact is simple to establish:
the cost of repairing or replacing stolen or damaged equipment
the cost of penalties or credit monitoring services in the event of unauthorized access to customer personally
identifiable information
sales lost due to a denial of service attack on your organization's Web site

Deciding the impact rating for loss of reputation or other intangible consequences may be more
difficult. However, a qualitative assessment leaves quite a bit of wiggle room.
In all cases, the impact rating depends upon the organization. One company may consider
$10,000 in lost sales deserving of a High impact rating, while another might consider that Low.
Regardless, these ratings must be defined and used consistently to accurately compare risk
between threats.
In circumstances where threat events could lead to loss of life, the impact should always be
considered at least High and may need to be rated Very High or Critical, depending upon the
potential for harm. Examples include threats against network-enabled medical
equipment, control software for industrial facilities, and traffic control systems.

Calculating risk rating

Use a risk matrix to determine the risk rating.

[Figure: simple risk matrix using ratings of Low, Medium, and High.]
Note that if probability and impact are both rated as High,
the matrix lists the risk rating as Critical.
You can also use more granular ratings, which results in a
more complex matrix.
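The three steps above (rate probability, rate impact, read the matrix) as an added example in Python, not code from the original chapter. It follows the page's rules where they are stated: countermeasure state maps to High/Medium/Low, hundreds of blocked malware events a day rate High, loss of life is at least High, and High/High is Critical. Everything else is an assumption of this example: the frequency thresholds, the dollar thresholds for impact, the remaining matrix cells, and the choice to take the higher of the frequency-based and countermeasure-based probability ratings. The sample threats and their figures are constructed.

```python
from typing import List, Tuple

# Qualitative scale used throughout; the rank lets us sort ratings.
RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

# 3x3 risk matrix keyed by (probability, impact). The page fixes only the
# High/High cell as Critical; the other cells are an assumption of this
# example and must be set to whatever fits your organization.
RISK_MATRIX = {
    ("Low", "Low"): "Low",      ("Low", "Medium"): "Low",       ("Low", "High"): "Medium",
    ("Medium", "Low"): "Low",   ("Medium", "Medium"): "Medium", ("Medium", "High"): "High",
    ("High", "Low"): "Medium",  ("High", "Medium"): "High",     ("High", "High"): "Critical",
}


def probability_from_frequency(events_per_day: float) -> str:
    """Observed threat activity, successful or not. Thresholds are assumed."""
    if events_per_day >= 100:
        return "High"
    if events_per_day >= 1:
        return "Medium"
    return "Low"


def probability_from_countermeasures(state: str) -> str:
    """Page's rule: none -> High, inadequate -> Medium, sufficient -> Low."""
    return {"none": "High", "inadequate": "Medium", "sufficient": "Low"}[state]


def probability(events_per_day: float, countermeasures: str) -> str:
    """Combine the two views by taking the higher rating (assumption)."""
    p_freq = probability_from_frequency(events_per_day)
    p_cm = probability_from_countermeasures(countermeasures)
    return max(p_freq, p_cm, key=RANK.__getitem__)


def impact(loss_usd: float, life_safety: bool,
           thresholds: Tuple[float, float] = (10_000, 100_000)) -> str:
    """Tangible loss mapped through organization-defined thresholds (values
    assumed). Any threat that could cost lives is rated at least High."""
    if life_safety:
        return "High"
    low_max, medium_max = thresholds
    if loss_usd < low_max:
        return "Low"
    if loss_usd < medium_max:
        return "Medium"
    return "High"


def risk_rating(prob: str, imp: str) -> str:
    """Read the matrix cell for the (probability, impact) pair."""
    return RISK_MATRIX[(prob, imp)]


# name, observed events/day, countermeasure state, tangible loss, life safety
Threat = Tuple[str, float, str, float, bool]

# Constructed sample threats; all figures are invented for the example.
SAMPLE_THREATS: List[Threat] = [
    ("Malware on workstations",               300.0, "sufficient", 25_000,  False),
    ("Confidential file on open file share",    0.0, "none",       150_000, False),
    ("DoS against public Web site",             2.0, "inadequate", 5_000,   False),
    ("Tampering with networked medical pump",   0.0, "inadequate", 0,       True),
]


def assess(threats: List[Threat]) -> List[Tuple[str, str, str, str]]:
    """Rate each threat; return (name, probability, impact, risk) highest risk first."""
    rows = []
    for name, per_day, cm, loss, life in threats:
        p = probability(per_day, cm)
        i = impact(loss, life)
        rows.append((name, p, i, risk_rating(p, i)))
    rows.sort(key=lambda r: RANK[r[3]], reverse=True)  # stable: ties keep input order
    return rows


if __name__ == "__main__":
    for name, p, i, r in assess(SAMPLE_THREATS):
        print(f"{r:8} P={p:6} I={i:6} {name}")
```

The sorted output is the prioritized list that the next section works through, highest risk first. Swap in your organization's own matrix and thresholds; the page stresses that those definitions are organization-specific and only meaningful when applied consistently across all threats.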

Addressing Risk
Prioritizing threats
Reducing probability
Reducing impact
Choosing appropriate mitigations

Prioritizing threats
Generally, risks are addressed in order of priority, highest to lowest. There
are four possible strategies that may be used to address an identified
threat:
Acceptance: The risk may be identified, examined, and accepted,
provided that the impact is fully understood and recognized.
Avoidance: The risk may be avoided by selecting an alternative option
that does not include the same level of risk or by simply not engaging in
the risky behavior.
Mitigation: The risk may be reduced to an acceptable level by including
additional protections or by altering the parameters producing the risk.
Transference: The risk may be transferred to another responsible party,
often through outsourcing or insurance protections.

Reducing probability

Reducing impact
The most effective strategy for reducing impact is to have a comprehensive
contingency plan. Contingency plans include actions to take in the event of a
specific occurrence.
Other strategies include
Implementing redundant solutions such as clusters, load balancing, and
alternative sites.
Ensuring that copies of critical data are stored in a secure, off-site facility for use
in the event that on-site data is corrupted or deleted.
Training users to report suspected security incidents to appropriate personnel.
Configuring intrusion detection applications, integrity verification solutions, data
loss prevention software, and other security solutions to notify appropriate
personnel of threat events such as denial of service, attempted theft of data, or
unauthorized altering of system files so that the threat may be contained in a
timely manner.

Choosing appropriate mitigations

The goal of risk mitigation is to reduce risk.
Because all risk mitigation requires expenditure of resources (money, personnel, or
equipment), your organization must obtain the best value from those resources. A cost-benefit
analysis may assist with decision making, particularly in the following scenarios:
If the cost of a mitigation strategy exceeds the expected loss, you should investigate
other, less expensive strategies.
A mitigation strategy that isn't cost effective for one asset may become so when
spread across multiple assets.
The cost of a mitigation strategy may be minimal, but it can significantly impact business
productivity by increasing the time it takes to perform certain tasks.
A mitigation strategy that calls for security measures so burdensome to users
that they actively try to circumvent them is a clear waste of resources.
If no mitigation strategy is cost effective and acceptance isn't possible due to
regulatory or legal mandates, evaluate the possibility of transferring the risk through
outsourcing.

Watching out for risk homeostasis

Sometimes a change made to reduce risk can cause
people to act in a more risky manner, which offsets the
intended reduction. This is known as risk homeostasis.
For example, users may be more likely to open
unexpected e-mail attachments if they know antivirus
software is installed on their workstations.
