
Managing Online Risk

In this excerpt of Managing Online Risk, author Deborah Gonzalez outlines the main steps of a risk management model.

The following is an excerpt from the book Managing Online Risk by author Deborah Gonzalez and published by Syngress. This section from chapter one outlines the risk management model.

Did you hear the one about the IT security officer who "resigned" after it was discovered that a data breach at its retail operations headquarters that affected millions of customers could have been avoided if only one of over 60,000 alerts had been heeded? Or the one about a security consultant who leaked information about a government surveillance program, bringing world leaders to the defense, who ended up exiled in Russia but had a great turnout at South by Southwest? Or how about the one of computer engineers who lost their life savings and their jobs in the misplacement of digital currency? Or the one about the employee who left a company laptop connected to public Wi-Fi at the coffee shop that led to insider trading violations and criminal penalties? Or the one…

I think you get the point. There have been a lot of "ones" in the news and even more not in the spotlight. In 2011, Verizon reported "855 incidents and 174 million compromised records." To update that, the Online Trust Alliance (OTA) released their report in January 2014, which indicated that of over 500 data breaches in the first half of 2013 "31 percent of incidents were due to insider threats or mistakes; 21 percent resulted from the loss of computers, hard drives, and paper documents; 76 percent were due to weak or stolen account logins and passwords; and 29 percent of compromises resulted from social engineering." What do these have in common? They all dealt with information technology in the online digital environment.

As we begin our exploration of online risk and security, it is useful to make sure we are on the same page. Defining the lexicon of the landscape allows us to define risk management and security in the context of the digital environment and determine whether they are different because of this new context or whether they have simply been expanded. Therefore, we begin with standard definitions of risk management, risk, security, and threat. You may have your own favorite you use, but we will stick with these as we head out.

Risk management
The identification, analysis, assessment, control, and avoidance, minimization, or elimination of unacceptable risks.

Risk
A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action.

Security
The prevention of and protection against assault, damage, fire, fraud, invasion of privacy, theft, unlawful entry, and other such occurrences caused by deliberate action; the extent to which a computer system is protected from data corruption, destruction, interception, loss, or unauthorized access.

Threat
Indication of an approaching or imminent menace; negative event that can cause a risk to become a loss, expressed as an aggregate of risk, consequences of risk, and the likelihood of the occurrence of the event. A threat may be a natural phenomenon such as an earthquake, flood, or storm, or a man-made incident such as fire, power failure, sabotage, etc.; action or potential occurrence (whether or not malicious) to breach the security of the system by exploiting its known or unknown vulnerabilities.

Most of those definitions should seem familiar to you. However, there are some key words within them that bear special consideration as we look at online security and risk management. First, risk management brings up the issue that there are acceptable and unacceptable risks -- what would be an acceptable risk has long been debated by security professionals. One school of thought is that any risk is unacceptable. The other believes it is a return-on-investment (ROI) question -- how much does it cost to mitigate the risk versus how much will the risk impact cost if left alone?

Second, notice that the definitions of risk and threat are symbiotic with two main differences: a threat is indicated as something that can be foreseen and is imminent; a risk is just a probability. But both indicate that they can be avoided to a certain extent -- excluding natural disasters.

Third, security is presented to offer a safety net around property -- whether tangible or intangible, such as online data. And last, risk management is about looking at risk and threats and setting up procedures to answer some specific questions to give a sense of security:

  1. What are the real, material risks and threats?
  2. What are we doing about them?
  3. Is what we are doing actually working?

RISK MANAGEMENT MODELS

Companies cannot eliminate all risks for two reasons. First, the internal and external threats that cause risk are very dynamic. Second, control investments eventually result in diminishing returns.

There are quite a few risk management models out there. Just Google "risk management" and you will have, as I did in July 2013, over 388,000,000 results come up. But most of the models concur on a series of steps that make the process viable and effective.

STEP 1: RISK IDENTIFICATION

Identifying what risks may actually exist in a company's online infrastructure and digital activity is where it all begins. There are a number of tools to assist the internal risk management professional to complete this on their own, as well as a number of third-party companies that offer auditing and risk assessment services for a price.


The gathering and compilation of this information should go beyond a report. It should be looked at as a dynamic and changing set of factors that need to be understood and dealt with in a strategic way, meaning in the best interests of the company (legally of course).

Many companies use a series of security and risk management questions to help guide their collection of the needed data. One good resource is a paperback called The Ultimate Security Survey by James L. Schaub and Ken D. Biery. It is in its second edition and a bit on the expensive side ranging from $625 to over $1000 on Amazon.com. But it is very comprehensive. At a minimum, an audit to gather risk information relating to online and digital activity security should include:

  • The mission and demographics of the company
  • Inventory of the current online footprint of the company (social media platforms, Web sites, intra and internets, blogs, etc.)
  • Inventory of digital and mobile devices accessing company data (laptops, tablets, smartphones, etc.)
  • Inventory of access points into and out of company data systems
  • Review of current online and digital activity security and risk management strategies and plans
  • Review of online/digital employee roles, responsibilities, and liabilities (social media managers, mobile directors, app developers, etc.)
  • Review of current IT-related policies and procedures (including social media, IT, privacy, passwords, e-mail, etc.)
  • Review of online digital disclaimers and disclosures
  • Review of online digital assets (including copyrights, trademarks, trade secrets, content contracts, development contracts, etc.)
  • Review of company terms of use and service agreements with third-party vendors
  • Review of online and digital content/document retention policies and procedures (including cloud-related legal concerns)
  • Review of data collection, data security, authentication, and access
  • Review of online crisis and reputation management
  • Review of federal and state laws, and industry regulations and compliances that the company is subject to regarding online and digital activity
  • Review of human resources' use of online data for the employment cycle (including recruitment, interviewing, performance evaluation, and termination)
  • Review of marketing's use of online and digital resources to ensure compliance with specific regulations (such as contest and promotion rules, gaming laws, truth-in-advertising requirements, etc.)
  • Review of cyber-risk insurance and coverage

For an example of an audit specifically focused on social media risk and liability, see the Socially Legal Audit sidebar.

SOCIALLY LEGAL AUDIT®

The Socially Legal Audit™ (SLA) tool is an instrument developed by Law2sm, LLC (www.law2sm.com) and Avax Consulting (www.avaxusa.com) to assist a company to ensure that their social media presence and activity is in line with state and federal laws, as well as regulatory compliance.

The audit includes taking an inventory of the organization's social media/digital footprint, interviews with key staff members about social media usage in the firm, comprehensive assessment of legal risks associated with that footprint, and recommended strategies for protection of digital assets and reduction of liability. Components of the audit include:

  • Inventory of social media footprint
  • Comprehensive report of legal risks/liabilities
  • Recommended legal strategies

Audits function as an invaluable strategic tool for a company to ensure an ROI in regard to online and digital activity security and risk management. An Ernst & Young commissioned Forbes Insights Global Survey (2012) found that 75% of the respondents indicated that their internal audit function has a positive impact on their overall risk management efforts. In an earlier 2010 survey, 96% of respondents indicated that their internal audit function has an important role to play in their overall risk management efforts.

By asking the right questions, the SLA leads a company to:

  • Strategic business insights
  • Increased subject matter expertise (specialized knowledge)
  • Compliance with laws and regulations
  • Decreased liability and risk, including reduction in litigation expenses
  • Improved employee–employer relations
  • Enhanced customer and brand advocacy relations

Audits are conducted by SLA-certified auditors and reviewed by SLA-trained attorneys who prepare recommendation reports for clients. Training and certification are provided various times throughout the year in various locations around the world.

Some information gathering techniques include:

  • Brainstorming -- a process whereby an individual or a group thinks about a topic or issue and comes up with ideas to solve the problem without filtering them first. The key to this technique is spontaneity. Ideas are reviewed for feasibility later.
  • Delphi Technique -- a group of experts respond to a questionnaire, their answers are reported back to them anonymously, and they are encouraged to revise their previous answers based on the group's answers. This can be repeated a number of "rounds" or until a consensus is achieved, thereby producing the most "correct" answer.
  • Interviewing -- a process of asking a specific individual specific questions regarding a specific issue or matter. In the case of online risk management and security, the interviews are usually conducted on key personnel related to the area such as the security director, IT director, as well as some regular staff to understand the breadth of online activity and mobile use throughout the company. In addition, some security and risk management professionals from outside the company may be interviewed to get some insight into the trends and best practices of the industry.
  • Root Cause Analysis -- a process of evaluating what caused a specific breach or security incident to occur. This takes place after the event but can be used to prevent the event from repeating in the future.
  • Checklist Analysis -- a tool that lists specific risks that may occur for a specific project or are known to have occurred in other security/risk management systems. The lists can be developed from historical information (prior incidents) and/or knowledge and expertise of current staff.
  • Assumption Analysis -- a process in which the individual or team documents all the presumptions that they have regarding the issue at hand. These "assumptions" can include things the team believes to be true, which may or may not be true.
  • Diagramming Techniques -- different processes to visualize data and its relationships by showing them in a sketch, drawing, and/or outline.
  • SWOT Analysis -- the process of evaluating the strengths, weaknesses, opportunities, and threats of a company's particular security and/or risk management system.
  • Expert Judgment -- the seeking and use of a decision made by an individual with wide-ranging and authoritative knowledge and/or skill in a particular area after he or she has reviewed and evaluated certain evidence and/or data.

We will be discussing specific risks throughout the rest of the book; however, most online and digital activity risks fall within the following categories:

  • IP/Sensitive Data Loss -- disclosure or leakage of data that the company defines as proprietary information or confidential information that relates to clients, company strategies, competitive intelligence, etc.
  • Compliance Violations -- disclosure of information or inappropriate communication of information that violates regulations set forth by federal and state laws and/or regulatory agencies.
  • Reputational Loss -- one key to successful online activity with clients and the public is transparency of who is communicating and the assurance to the public that it is the company speaking through official company channels. Misperceptions, damaging perceptions, and misinformed assumptions can generate a loss of good will and tarnish a company's name in a matter of characters or minutes due to the prolific and exponential nature of content sharing in the online environment.
  • Financial Loss -- security and risk incidents can be expensive between the breach itself, the investigation, and remediation strategies put into place, and notification requirements specifically related to leaked data, etc. There have been circumstances where stock prices went down because of a Twitter Tweet. All of the losses on this list can have a monetary consequence.
  • Safety Loss -- online and digital activity not only leave footprints of where an individual has been but also can provide information as to where an individual can be, whether that is a person or a corporation. This can lead to a physical safety concern for traveling executives and key members of a company's management team, including the board of directors.
  • Personal Reputation Loss -- online postings may take on a personal nature, indicating specific traits of an individual or describing specific behavior of that individual that may be judged as negative by a company's client base. Concerns here can lead to claims of defamation or damage to a person's character leading to a loss of their livelihood.

STEP 2: RISK ANALYSIS/ASSESSMENT

When asked to name the top three challenges (in regards to risk management) the largest proportion of executives (47 percent) cite difficulty of understanding the entire risk exposure on a global enterprise basis, and nearly as many (44 percent) see the same problem at the business unit level.

A phrase I like to share with clients is "data that is formatted is information; information that is processed is knowledge; knowledge that is applied is wisdom; and wisdom that is shared leads to success."

A company's list of identified risks must then be put into a risk analysis process to help evaluate the risks in terms of the company's risk aptitude. Greg Chevalier from BlueWave Computing (see BlueWave Computing) calls it a "company's risk appetite." The overall susceptible risk environment is the elephant in the room for many companies, and their key question is "how does one eat an elephant?" According to Chevalier, "one bite at a time." This then leads to the second question, "how much of the elephant does the company want to eat?"

BLUEWAVE COMPUTING

BlueWave Computing (BWC) was established in 1997 by Steven Vicinanza to provide comprehensive information technology services to small-to-mid-sized companies. Its mission statement reads:

BlueWave Computing is the IT management partner of choice for small and mid-size organizations that require the highest reliability and performance from their computing systems but for whom IT is not the core business. We deliver a comprehensive set of IT services that enables them to better achieve their objectives. We do this through highly educated, disciplined, and skilled employees, who aspire to be recognized as the best, and who are passionate about both the technology and the welfare of our clients.

BWC's business strategy is to have laser-focused solution disciplines within the company to ensure that they can attract the right kind of expertise and build integrity in the marketplace. One of those focused areas is information security and management, and in 2009 it started the BlueWave Computing Information Security Group. By doing so, BWC expanded its offerings to include information security risk and vulnerability assessments, penetration testing and vulnerability scanning, 7 × 24 × 365 managed security and monitoring that includes intrusion detection and prevention, information security education and training, and implementation of information security technologies. It is also set up to become a leader in information security education with a state-of-the-art training facility and Certified Information Systems Security Professional (CISSP)-compliant curriculum that will allow students to qualify for continuing education (CE) credits.

BWC is a nationally recognized managed service provider (MSP) that has won hundreds of awards and recognition by its peers and security industry associations. They currently have 140 employees, of whom 80% are engineers. They run both on-site and off-site operations for clients and in the security arena offer a "Chief Information Security Officer (CISO) In a Box" that provides the client a comprehensive turnkey solution -- risk/compliance, security analysis, network security monitoring -- and various complex analytical tools.

This is BWC's competitive edge -- offering a one-stop shop for clients from audit to monitoring to compliance. This edge allows the BlueWave client to look at information security in business terms and not just technical terms.

INDUSTRY EXPERT: GREG CHEVALIER

President, BlueWave Computing Information Security Group

Greg Chevalier is currently the president of BlueWave Computing's Information Security Group.

Greg has more than 25 years of experience in the technology field including: 10 years within the IBM Company running a $250 million business unit; 7 years providing executive leadership in growth-stage companies in the $5 million to $100 million revenue range; and 9 years in biometric identification and information security markets including authentication technologies, encryption technologies, and network and wireless access technologies delivered throughout the world.

During an interview, Greg outlined some specific trends he saw in the future regarding information security:

  1. Information security risk/advantage must become a front and center strategic decision for companies.
  2. Information security and risk management is no longer a percentage of the IT budget but now its own budget with a number of line items, emphasizing its increased importance to the company.
  3. Cyber-security insurance is now an option weighed against potential data breaches to offset risk, but will become a standard offering to companies.
  4. Within the next decade or so, self-policing of data will regulate privacy concerns as consumers will dictate to companies what data access they find acceptable and companies will adapt to these consumer demands.
  5. Wall Street and Financial Analysts will increase their scrutiny of a company's IT security to determine the value of the company's stock and overall value of the company itself.
  6. Advanced persistent threats (APTs) will become more evasive and more frequent requiring constant monitoring to detect and remediate these benign but sophisticated data breach attack methods and risks.
  7. Mobile makes everything more complex and less controllable as it provides new entry points into a company's data environment. Standards, policies, and controls, and enhanced training will be developed to address mobile risks.
  8. Education: it is my belief that information security awareness and education training, along with high-level information security degrees will grow into a national curriculum being pushed down to all levels of our education system -- from elementary school to graduate programs.

For many companies the answer depends on the risk analysis and the assessment of each risk in terms of:

  1. What is the actual risk?
  2. What is the probability of the risk occurring?
  3. What is the likely impact the risk would have on the company should the risk occur?
  4. What will it cost to minimize the risk?
  5. What will it cost to remediate the risk should the risk occur?
  6. What will it cost to do nothing at all?

Risk Analysis can be done from a qualitative or quantitative perspective and often encompasses both types for a more comprehensive overview of the actual impacts and costs of the risks. Qualitative Risk Analysis looks at the distinctive characteristics of the risk, while Quantitative Risk Assessment is about measuring the extent, size, or sum of countable or measurable discrete events, objects, or phenomena of the risk, expressed as a numerical value.

Some examples of Qualitative Risk Analysis Tools and Techniques include:

  • Risk Probability and Impact Assessment -- the process of evaluating the likelihood that a risk may occur and the impact it would have (financially, operationally, etc.) if it does.
  • Probability and Impact Matrix -- the organization of data divided by columns of categories to highlight potential risks in an easily readable format.
  • Risk Categorization -- the process of identifying risks by classification and grouping them by those classes to better understand them in relation to the security and/or risk management system.
  • Risk Urgency Assessment -- the process of identifying and ranking risks by the time range the risk may occur; near-future medium risks may become prioritized over significant risks that may not occur for a year or more.

Some examples of quantitative risk analysis tools and techniques include:

  • Sensitivity Analysis -- the process of evaluating how a change in a certain factor or system variable can affect the entire security/risk management system. This process allows for a "what-if?" analysis of different results.
  • Expected Monetary Value Analysis (EMV) -- this process allows you to put a dollar amount on the risk by looking at the likelihood of the risk and the financial impact the risk would have on the company. Each risk can be assigned an EMV, and decisions on priority and handling of certain risks can be made based on the EMV score.
  • Cost Risk Analysis -- this process focuses on evaluating the risk that certain costs may exceed their initial budgeted amount and, if they do, what the impact would likely be to the system being put into place.
  • Schedule Risk Analysis -- the process of evaluating certain task durations (in terms of time ranges) and their impact on the system should they not be completed in the time allotted.

The measurements here focus on time and money, two significant assets for a company, as each can be in limited supply.

Matrixes are common in qualitative and quantitative risk analysis. This way of organizing data gives a comforting sense that everything has a place and is accounted for.

The key to the matrix is the column structure; each column should identify the kind of information being collected and analyzed. Following are two examples of a social media risk assessment matrix structure.

Example one

The matrix example in Figure 1.1 has a simple six-column structure: Risk/Threat, Control, Mitigation, Likelihood, Impact, and Risk Rating. Likelihood of Occurrence Scales generally flow in an escalating fashion. For example, one scale used in some of these types of matrixes includes: Negligible, Very Low, Low, Moderate, High, Very High, Extreme; these are defined by whether the event may occur anywhere between once in 5 years and multiple times a day. A different matrix may use: Rare, Unlikely, Possible, Likely, Almost Certain; and defines these by whether the event may or may not occur within the next 12–24 months. Some of these matrixes also give each Likelihood level a numeric score, for example, Rare is 1–2 and Almost Certain is 9–10, which is then used to give an overall risk rating for the particular risk, threat, or vulnerability. This is a format that can be followed for Impact Severity levels as well. The table below provides an example (Table 1.1).

Figure 1.1: Facebook Risk Assessment Matrix (figure not reproduced in this excerpt)

Table 1.1: Impact severity level examples (table not reproduced in this excerpt)

To calculate a final risk rating, some matrixes will add up the individual numbers of Likelihood and Severity. Example one combines the two factors into a Risk Level Matrix.

Risk Level Matrix example (figure not reproduced in this excerpt)

Example two

This matrix example (Figure 1.2) offers a seven-column structure that takes into account what controls already exist in contrast to what recommended controls need to be implemented. It also allows for specific comments in the matrix itself, such as who is accountable for mitigating the risk, specific details, due dates, etc.
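The following is an added worked example, not code from the book, showing how the scoring described for Example one (numeric Likelihood and Impact Severity levels summed into a Risk Rating) and the Expected Monetary Value analysis from the quantitative tools list can be applied to a small risk register. The page gives only the Rare (1–2) and Almost Certain (9–10) ranges; the middle likelihood ranges, the impact labels, the Risk Level bands, and the sample risks and dollar figures are all assumed for illustration.

```python
"""Risk rating and EMV worked example (added illustration, not from the book).

Assumptions: the Rare and Almost Certain score ranges follow the page; the
three middle likelihood ranges, the impact labels, and the Risk Level bands
(Low/Medium/High/Critical) are invented to make the example runnable.
"""
from dataclasses import dataclass

# Likelihood scale from Example one: level -> (min score, max score).
LIKELIHOOD = {
    "Rare": (1, 2),              # from the page
    "Unlikely": (3, 4),          # assumed
    "Possible": (5, 6),          # assumed
    "Likely": (7, 8),            # assumed
    "Almost Certain": (9, 10),   # from the page
}

# Impact Severity scale in the same 1-10 format (labels assumed).
IMPACT = {
    "Negligible": (1, 2),
    "Minor": (3, 4),
    "Moderate": (5, 6),
    "Major": (7, 8),
    "Severe": (9, 10),
}

# Risk Level bands over the summed rating (range 2..20); thresholds assumed.
RISK_LEVEL_BANDS = [(4, "Low"), (9, "Medium"), (14, "High"), (20, "Critical")]


@dataclass
class Risk:
    name: str
    likelihood: str             # key of LIKELIHOOD
    impact: str                 # key of IMPACT
    probability: float          # annual probability (0..1), used for EMV
    loss_usd: float             # estimated loss if the risk occurs
    mitigation_cost_usd: float  # annual cost of the proposed control


def score(scale, level):
    """Midpoint of a level's numeric range, e.g. Rare (1-2) -> 1.5."""
    lo, hi = scale[level]
    return (lo + hi) / 2


def risk_rating(risk):
    """Example one's method: add the Likelihood and Severity scores."""
    return score(LIKELIHOOD, risk.likelihood) + score(IMPACT, risk.impact)


def risk_level(rating):
    """Map a summed rating onto the (assumed) Risk Level Matrix bands."""
    for upper, label in RISK_LEVEL_BANDS:
        if rating <= upper:
            return label
    return "Critical"


def emv(risk):
    """Expected Monetary Value: likelihood of the risk times its financial impact."""
    return risk.probability * risk.loss_usd


def mitigation_worthwhile(risk):
    """The ROI question from the definitions section: does the control cost
    less than the expected loss it removes? Assumes the control eliminates
    the whole exposure; a partially effective control would scale the EMV."""
    return risk.mitigation_cost_usd < emv(risk)


def prioritize(risks):
    """Rank by matrix rating first, then by EMV as the tie-breaker."""
    return sorted(risks, key=lambda r: (risk_rating(r), emv(r)), reverse=True)


# Constructed sample register; every value here is invented for illustration.
SAMPLE_RISKS = [
    Risk("Lost laptop on public Wi-Fi", "Likely", "Major", 0.30, 200_000, 15_000),
    Risk("Fake corporate social media account", "Possible", "Moderate", 0.20, 50_000, 25_000),
    Risk("Weak/stolen account passwords", "Almost Certain", "Severe", 0.60, 500_000, 40_000),
    Risk("Blogger fails FTC disclosure", "Unlikely", "Minor", 0.05, 20_000, 2_000),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        rating = risk_rating(r)
        print(f"{r.name:38} rating={rating:4.1f} {risk_level(rating):8} "
              f"EMV=${emv(r):>10,.0f} mitigate={'yes' if mitigation_worthwhile(r) else 'no'}")
```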

STEP 3: REMEDIATE

After the initial risk assessment, decisions can be made as to what to do regarding each risk based on their particular circumstances, including their current and projected financial situation. A remediation plan will be developed and put into place outlining the strategies to be implemented to remedy the risk, threat, and/or vulnerability as well as a timetable and budget to ensure that sufficient and appropriate resources are committed to complete the process.

One core set of remediation tools includes the development of a policy and control framework, as well as the drafting and implementation of the policies and controls themselves. Keep in mind that the controls have to make good business sense and align with the company's goals and culture. So the key question is, are the controls being deployed operationally effective?

We can surmise that online and digitally related risks can fall into one of four specific categories:

  1. Process and procedure
  2. Compliance/regulations
  3. Policies and controls
  4. Technical risks (data, application systems, mobile, networking, etc.)

If these are the categories, the controls and remediation solutions need to align with them. Some of the controls include key information assurance services such as:

  • SSAE 16 -- Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, finalized by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in January 2010.
  • SOC 2 -- Service Organization Control (SOC) reports are internal control reports on the services provided by a service organization providing valuable information that users need to assess and address the risks associated with an outsourced service.
  • PCI Compliance -- The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.
  • ISO 27001 Certification -- specifies requirements for the establishment, implementation, monitoring and review, maintenance, and improvement of an information security management system.
  • FED RAMP Certification -- The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
  • Privacy Risk Management -- The framework that guides the collection, storage, protection, and use of personal data, including personally identifiable information (PII).
  • HIPAA/HITECH Compliance -- Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009.
  • U.S. Safe Harbor Agreement with European Union (EU) -- provides a streamlined and cost-effective means for U.S. organizations to satisfy the EU's directive's "adequacy" standard for privacy protection.
  • Data Management -- Administrative process by which the required data is acquired, validated, stored, protected, and processed, and by which its accessibility, reliability, and timeliness is ensured to satisfy the needs of the data users.
  • Information Technology Internal Audits -- address the internal control environment of automated information systems and how these systems are used. IT audits typically evaluate system input, output, and processing controls, backup and recovery plans, and system security.
  • Information Technology Governance -- The framework of how decisions are made regarding IT Strategic Alignment, IT Value Delivery, IT Resource Management, IT Risk Management, and IT Performance Management.

Many of these control standards require companies to develop and institute various policies in regard to the numerous factors of security risk and management. Policies are basically a statement of intent by a company as to how certain issues are to be addressed by the company and its employees. In many cases, policies also extend to representatives of the company such as freelance or independent contractors, vendors, suppliers, advertising affiliates, etc. Policies list the express rules that will govern certain decisions the company makes and how violations of these rules will then affect employees and those subject to the policies.

Certain policies relate specifically to technology use, and some even outline specific rules for online, digital, and mobile activity by managers, employees, and company representatives. Following is a short list of policies in alphabetical order:

  • Blogger Disclosure Policy -- this policy lays out guidelines for a company's bloggers to ensure that they reveal their relationship to the company or indicate whether a product/service they are reviewing was a gift from the company being reviewed. This is a requirement from the Federal Trade Commission (FTC) to avoid violation of the false advertising and/or misleading advertising guidelines.
  • Bring Your Own Device (BYOD) Policy -- this policy outlines specific guidelines and rules employees need to adhere to if they use their own smartphone, tablet, laptop, etc. for company purposes. We will discuss this issue in more detail in Chapter 2.
  • Document/Social Media Retention Policy -- there are specific laws regarding document retention, especially in regulated industries. Those laws are now taking into consideration digital imaging systems as a way to preserve the data. Companies may also have their own guidelines as to retaining certain information. This requirement is also extending to social media content, and new applications are offering this content-capturing service.
  • E-Mail Policy -- this policy outlines the use of electronic communication by employees using the internal company electronic mail delivery system. These policies usually contain prohibitions of private or personal use of the system by an employee.
  • Employee Contracts/Agreements with Social Media Clauses -- employment letters and agreements are now starting to include clauses that state acceptable and unacceptable use of social media and online activity, and indicating who owns the social media accounts themselves -- whether the company or the employee -- depending on the account name and the usage of the account.
  • Intellectual Property (IP) Policy -- this policy outlines the appropriate use of company-owned content: copyrights, trademarks, trade secrets, patents, etc. The IP policy may cover work-for-hire concerns, indicating that anything created by an employee during their scope of employment belongs to the company (including social media posts), as well as logo use on a social media account. We will discuss more on this issue in Chapter 6.
  • Information Technology/Computer Use Policy -- this policy lays out the guidelines for use of company computer equipment by an employee during their employment period. It may include restrictions such as which apps may be downloaded and through what approved channel, and whether devices can be taken off-site.
  • Mobile Device Policy -- this policy outlines how mobile devices -- tablets and cell phones (whether smartphones or not) -- may be used, whether or not the company provides them, and is typically used where the company does not have a BYOD policy.
  • Password Policy -- this policy is usually embedded into the computer use policy, but it is sometimes helpful to keep it separate to emphasize its importance. The policy should lay out the basics of password generation, why a strong password is a good defense against breach incidents, how often the password should be changed (note that current NIST guidance in SP 800-63B advises against forcing periodic changes unless there is evidence of compromise), and so on. Considering that most data breaches have a human cause, this policy and the training of employees on all things password related is imperative.
  • Privacy/Confidentiality Policy -- in the online world, privacy policies usually outline what kind of data is collected and how the party collecting it will use that data. Confidentiality policies remind employees of the nature of certain types of information and the requirements to not disclose specific information to third parties as required for compliance and legal purposes.
  • Social Media Policy/Protocols -- this policy outlines how employees should use social media whether on behalf of the company or even on personal accounts. The National Labor Relations Board (NLRB) has a lot to say about whether certain clauses in these policies are valid or violate the National Labor Relations Act. Social media protocols are guidelines as to how certain social media posts/comments should be made.

We will review most of these policies in Chapter 4. The key here is to note whether the company has these policies and, if it does, whether they are consistent with each other; policies that conflict open the door to disputes and leave the company exposed to liability.

The SANS Institute also offers a list of 20 Critical Security Controls for Cyber Defense. This list was developed by a group of government and private organizations (it has since been transferred to the Center for Internet Security, which maintains it as the CIS Controls):

  1. Inventory of Authorized and Unauthorized Devices
  2. Inventory of Authorized and Unauthorized Software
  3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  4. Continuous Vulnerability Assessment and Remediation
  5. Malware Defenses
  6. Application Software Security
  7. Wireless Device Control
  8. Data Recovery Capability
  9. Security Skills Assessment and Appropriate Training to Fill Gaps
  10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  11. Limitation and Control of Network Ports, Protocols, and Services
  12. Controlled Use of Administrative Privileges
  13. Boundary Defense
  14. Maintenance, Monitoring, and Analysis of Audit Logs
  15. Controlled Access Based on the Need to Know
  16. Account Monitoring and Control
  17. Data Loss Prevention
  18. Incident Response and Management
  19. Secure Network Engineering
  20. Penetration Tests and Red Team Exercises

Security involves emotions, beliefs, models of behavior and other non-quantifiable factors which makes the 'how much?' question insufficient.

STEP 4: RISK RESPONSE PLANNING

Once the repairs and remediation have taken place, a plan to outline incident response procedures is developed for future reference. This plan will provide specific action steps and reporting guidelines should a breach or other security incident occur. The goal here is to reduce the impact of any specific incident by reducing the time to identify the incident, to locate and contain it, to mitigate whatever damage it has caused, and to institute practices that reduce the chance of the same incident happening again.

A "Risk Register" or "Risk Response Plan" is a good tool to extend the Risk Assessment of Step 2 with the Remediation Process of Step 3. The Risk Register identifies the risks, quantifies the risk score, and then recommends controls and response strategies building a remediation road map based on the company's priorities.

Key Components to a Risk Response Plan (RRP) include:

  • List of identified risks
  • Definition of who has the authority to act and who can be an owner of a risk to devise and apply the appropriate response
  • Results from the qualitative and quantitative risk analysis
  • Established responses for each risk
  • Expected level of residual risk
  • Specific actions required to implement the response
  • Budget and timing of each risk response
  • Description of any contingency or fallback plans

Based on research, experience, and prior knowledge, there may be a number of options as to how to respond to a particular risk. As the RRP is developed, each option needs to be vetted for feasibility to ensure that it is the best response for the company. Questions to ask to determine the best response option include:

  1. What options are there?
  2. What constraints are there to the particular project or security implementation?
  3. Based on review of the option characteristics, which one offers the most effective way to achieve the business goal?

There are generally four responses to negative risks: avoidance, transference, mitigation, and acceptance. Avoidance is when you change the plan to circumvent the risk altogether. It is usually used when the risk is too high and therefore considered unacceptable. Transference is a strategy for when you can shift the risk to another party, such as through insurance, contracts, warranties, etc. Mitigation is when you can reduce the likelihood of a risk occurring, or reduce its impact to an acceptable level if it does. Acceptance implies that the risk is considered too low to justify spending any resources on it.

These responses can change during the life cycle of a security project or the company's technology and online activity. A risk that may have been acceptable in the beginning may turn into one that needs to be mitigated, and vice versa. The RRP should be a dynamic document and an integral part of monitoring the system (see Step 6).

An interesting note I ran across discusses using an RRP model for evaluating and responding to positive risks or "opportunities." Three response strategies for positive risks are:

  1. Share the ownership of the risk with others to ensure you can seize the opportunity.
  2. Increase the likelihood of the opportunity coming to pass by enhancing triggers that can set it in motion.
  3. Exploit the opportunity by dedicating resources to it, whether in terms of experts or tools.

On a final note for this section, I would like to mention Bailey and Brandley's Ten Principles to Guide Companies in Creating and Implementing Incident Response Plans:

  1. Assign an executive to take on responsibility for the plan and for integrating incident-response efforts across business units and geographies.
  2. Develop a taxonomy of risks, threats, and potential failure modes. Refresh them continually on the basis of changes in the threat environment.
  3. Develop easily accessible quick-response guides for likely scenarios.
  4. Establish processes for making major decisions, such as when to isolate compromised areas of the network.
  5. Maintain relationships with key external stakeholders, such as law enforcement.
  6. Maintain service-level agreements and relationships with external breach-remediation providers and experts.
  7. Ensure that documentation of response plans is available to the entire organization and is routinely refreshed.
  8. Ensure that all staff members understand their roles and responsibilities in the event of a cyber incident.
  9. Identify the individuals who are critical to incident response and ensure redundancy.
  10. Train, practice, and run simulated breaches to develop response "muscle memory." The best-prepared organizations routinely conduct war games to stress test their plans, increasing managers' awareness and fine-tuning their response capabilities.

STEP 5: EDUCATE

Plans and policies may look great on paper, but getting them to be of optimal benefit to the company means they have to be implemented effectively. Part of that implementation is the training phase that should be part of any security and risk management program. The company needs to outline who needs to be trained and what they need to be trained on. A good place to start is the employee's role in the company: determine whether they need access to certain information and how they need to access that information, digitally or online. However, even though not all employees require access to all company data, there are some basic security issues all employees (including top managers and executives) need to know to keep company data protected and safe.

"Security awareness" training for the general employee population has become an essential component to any security and risk management initiative. It consists of two components: security issues (the content) and adult learning theory (the context). Malcolm Knowles, an American practitioner and theorist of adult education, in the 1970s identified six principles of adult learning:

  • Adults are internally motivated and self-directed
  • Adults bring life experiences and knowledge to learning experiences
  • Adults are goal oriented
  • Adults are relevancy oriented
  • Adults are practical
  • Adult learners like to be respected

Rose McDermott, professor at the University of California, Santa Barbara, gives us a crucial factor to add to this list when the content in the training relates to security and threats. In an interview regarding a paper she wrote for the Association for Computing Machinery (ACM) in 2012 entitled "Emotion and Security," she cautions IT professionals to learn how to train non-IT people. "People will listen to a conversation that is valid, salient, concrete and emotionally engaging. Abstract, pallid, statistical arguments tend to make people's eyes glaze over." If you are going to communicate about a threat you should:

  • be an expert and a trustworthy source,
  • be focused on a specific anticipated attack,
  • motivate respondents to act, and
  • provide specific concrete actions individuals should take to counter the threat.

In addition to the above, I would like to bring to your attention Ira Winkler and Samantha Manke's list of seven key elements for a successful awareness program:

  1. Get executive-level support from chief officers (C-suite) -- this will provide you with additional funding and support.
  2. Partner with key departments that have mutual interests and can carry their own level of influence (such as the legal or compliance departments).
  3. Be creative in terms of the curriculum and activities; engagement is the key to learning.
  4. Make sure to set up metrics beforehand to be able to measure success of the program via change of behavior, attitudes, etc.
  5. Educate people about how they can do something instead of just focusing on what they are prohibited from doing.
  6. Put your program on a 90-day cycle to ensure information is relevant, current, and reinforced as required.
  7. Be multimodal in your program. Use different formats and delivery methods to spread the message of security awareness -- from online games and apps to traditional newsletters and posters -- offering something for everyone.

Connecting those seven factors, Winkler continues: The mere act of providing a set body of knowledge does not change behavior. Information must be provided in a way that relates to how employees think and behave. There must be a personal association of how the knowledge would impact their actions. There is also a difference between providing an individual information on a one-time basis and delivering information in different formats over the course of time to effect change.

STEP 6: MONITOR

The three certainties of life: Death, Taxes, and Getting Hacked.

Having done a risk assessment once does not mean you are finished. Continuous monitoring involves the identification, analysis, planning, and tracking of new risks, constantly reviewing existing risks, monitoring trigger conditions for contingency plans, and monitoring residual risks, as well as reviewing the execution of risk responses while evaluating their effectiveness. Various tools used to accomplish this daunting task include:

  • Risk Audits -- the process of investigation, evaluation, and assessment of the actual, perceived, and projected risks that a company may face. These audits can be performed by an internal company professional or an external third party or company.
  • Variance Analysis -- this process looks at what was projected to occur and what actually occurred, whether financial (budget targets) or operational (performance goals), as well as the causes of the differences between the two.
  • Trend Analysis -- the evaluation of information from a designated period of time of a specific factor to identify patterns and relationships between factors and to use that data to project what may occur in the future.
  • Technical Performance Measurements -- reviewing specific indicators that the company has identified to determine whether the strategies and/or tools being implemented are achieving the desired results.
  • Reserve Analysis -- the process of comparing the contingency reserves still available (budget, time, and spare equipment or tools) against the risk remaining in the company's online and technology activity, including the cost to repair and/or replace those resources, so that reserves are not exhausted before the risks are.
  • Status Update/Review Meetings -- risk management and security strategies need to be reviewed and the RRP and other risk management/security documents updated. It is important to keep the security and risk management teams up to date on any incidents that may occur, the response to the incident, new tools available for responding to incidents, new trends in security concerns, etc.

Keep in mind that if you set up policies as part of your controls, you need to ensure that you are enforcing them. Periodic policy reviews and enforcement reviews will provide you with data to determine whether the policy implementation has been successful or not.

Corporations will spend around $68 billion worldwide this year on IT security measures including firewalls, network monitoring, encryption and end-point protection.

STEP 7: RESPOND

Keep in mind that what hackers are usually after with a breach is the data and not necessarily the device the data was on. The device serves as an access point, a critical one that needs to be watched and protected.

When responding to an incident, the goals are simple: limit the damage; increase the confidence of external stakeholders; and reduce recovery time and costs.

Responsiveness to an incident focuses on time. The basic stages of a breach include:

  • Incursion -- the moment the intruder enters the system
  • Discovery -- the period of time the intruder takes to map out the system and discover where the data is
  • Capture -- the stage where the intruder takes control of the data using rootkits or other tools at their disposal
  • Exfiltration -- when the data is sent back to the intruder; data is not necessarily removed from the system but copied to another location

These stages define three critical time intervals in which the company can respond to mitigate the damage and repair the breach; the shorter each one is, the less damage is done:

  • From the point of entry to the compromise
  • From the compromise to discovery by the company
  • From discovery by the company to remediation

An incident response team with specified members is a must and should be summoned as soon as an incident is discovered. Each member of this group should have and understand his or her role in the upcoming investigation and the remediation of the damage. Internal company members to this elite group should include representatives from the following departments:

  • IT Security
  • IT Operations
  • Data Collection and Monitoring Division (if applicable)
  • Physical Security
  • Human Resources
  • Legal Department
  • Compliance Department
  • Public Relations
  • Management/Executive Level

In addition, third parties or individuals from outside the company may be called in an advisory role to the team and to ensure objectivity in terms of development and implementation of security and risk management systems.

Risk Analysis can be done from a qualitative or quantitative perspective and often encompasses both types for a more comprehensive overview of the actual impacts and costs of the risks. Qualitative Risk Analysis looks at the distinctive characteristics of the risk, while Quantitative Risk Assessment is about measuring the extent, size, or sum of countable or measurable discrete events, objects, or phenomena (of the risk), expressed as a numerical value.

Some examples of Qualitative Risk Analysis Tools and Techniques include:

  • Risk Probability and Impact Assessment -- the process of evaluating the likelihood that a risk may occur and the impact it would have (financially, operationally, etc.) if it does.
  • Probability and Impact Matrix -- a grid that plots each risk's likelihood on one axis against its impact on the other, so that the cell a risk lands in gives its rating and highlights the most serious risks in an easily readable format.
  • Risk Categorization -- the process of identifying risks by classification and grouping them by those classes to better understand them in relation to the security and/or risk management system.
  • Risk Urgency Assessment -- the process of identifying and ranking risks by the time range the risk may occur; near-future medium risks may become prioritized over significant risks that may not occur for a year or more.

Some examples of quantitative risk analysis tools and techniques include:

  • Sensitivity Analysis -- the process of evaluating how a change in a certain factor or system variable can affect the entire security/risk management system. This process allows for a "what-if?" analysis of different results.
  • Expected Monetary Value Analysis (EMV) -- this process allows you to put a dollar amount on the risk by looking at the likelihood of the risk and the financial impact the risk would have on the company. Each risk can be assigned an EMV, and decisions on priority and handling of certain risks can be made based on the EMV score.
  • Cost Risk Analysis -- this process focuses on evaluating the risk that certain costs may exceed their initial budgeted amount and, if they do, what the impact would likely be to the system being put into place.
  • Schedule Risk Analysis -- the process of evaluating certain task durations (in terms of time ranges) and their impact on the system should they not be completed in the time allotted.

The measurements here focus on time and money, two significant assets for a company, as each can be in limited supply.

Matrixes are common in qualitative and quantitative risk analysis. This way of organizing data gives a comforting sense that everything has a place and is accounted for.

The key to the matrix is the column structure; each column should identify the kind of information being collected and analyzed. Following are two examples of a social media risk assessment matrix structure.

Example one

The matrix example in Figure 1.1 has a simple six-column structure: Risk/Threat, Control, Mitigation, Likelihood, Impact, and Risk Rating. Likelihood of Occurrence scales generally flow in an escalating fashion. For example, one scale used in some of these types of matrixes includes: Negligible, Very Low, Low, Moderate, High, Very High, Extreme; defining these by how often the event may occur, from once in five years to multiple times a day. A different matrix may use: Rare, Unlikely, Possible, Likely, Almost Certain; and defines these as whether they may or may not occur within the next 12–24 months. Some of these matrixes also give each Likelihood level a numeric score, for example, Rare is 1–2 and Almost Certain is 9–10, that will then be combined with the Impact score to give an overall risk rating for the particular risk, threat, or vulnerability. This is a format that can be followed for Impact Severity levels as well. The table below provides an example (Table 1.1).
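The following is an added illustration, not code from the book: it ties together the Risk Register of Step 4, the four negative-risk responses (avoid, transfer, mitigate, accept), the Expected Monetary Value technique, and the likelihood/impact matrix described above. The five-level scale labels, the score bands, the annual probabilities attached to each likelihood level, and the sample risks are all assumptions chosen for the example, not values from the book's Figure 1.1 or Table 1.1.

```python
"""Risk register with a likelihood/impact matrix and EMV scoring.

Added illustration, not code from the book. The scale labels, score
bands, probabilities and sample risks are assumptions for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed five-level likelihood scale: label -> (score, annual probability)
LIKELIHOOD: Dict[str, Tuple[int, float]] = {
    "Rare": (1, 0.05),
    "Unlikely": (2, 0.15),
    "Possible": (3, 0.35),
    "Likely": (4, 0.60),
    "Almost Certain": (5, 0.90),
}

# Assumed five-level impact severity scale: label -> score
IMPACT: Dict[str, int] = {
    "Negligible": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Severe": 5,
}


def rating_band(likelihood: str, impact: str) -> Tuple[int, str]:
    """Risk rating = likelihood score x impact score, banded on a 1-25 grid."""
    score = LIKELIHOOD[likelihood][0] * IMPACT[impact]
    if score >= 15:
        band = "Extreme"
    elif score >= 8:
        band = "High"
    elif score >= 4:
        band = "Medium"
    else:
        band = "Low"
    return score, band


def emv(likelihood: str, loss_usd: float) -> float:
    """Expected Monetary Value: annual probability x financial impact if it occurs."""
    return round(LIKELIHOOD[likelihood][1] * loss_usd, 2)


@dataclass
class Risk:
    name: str
    owner: str                      # who is authorised to act on the risk
    likelihood: str
    impact: str
    loss_usd: float                 # estimated loss if the risk materialises
    control: str = ""               # proposed control, if any
    residual_likelihood: Optional[str] = None   # likelihood once the control is in place
    residual_impact: Optional[str] = None       # impact once the control is in place
    control_cost_usd: float = 0.0
    transferable: bool = False      # insurance or contract available to shift the loss


def recommend_response(risk: Risk) -> str:
    """Pick avoid/transfer/mitigate/accept from the rating band and the EMV economics."""
    _, band = rating_band(risk.likelihood, risk.impact)
    if band == "Low":
        return "Accept"                      # too small to spend resources on
    if risk.residual_likelihood is not None:
        saving = (emv(risk.likelihood, risk.loss_usd)
                  - emv(risk.residual_likelihood, risk.loss_usd))
        if saving > risk.control_cost_usd:
            return "Mitigate"                # control pays for itself in expected loss
    if risk.transferable:
        return "Transfer"                    # shift the loss by insurance or contract
    return "Avoid"                           # change the plan so the risk cannot arise


def build_register(risks: List[Risk]) -> List[dict]:
    """Score every risk and return the register ordered by inherent risk rating."""
    rows = []
    for r in risks:
        score, band = rating_band(r.likelihood, r.impact)
        if r.residual_likelihood is not None:   # residual risk after the control
            resid_score, resid_band = rating_band(
                r.residual_likelihood, r.residual_impact or r.impact)
        else:
            resid_score, resid_band = score, band
        rows.append({
            "name": r.name, "owner": r.owner,
            "rating": score, "band": band,
            "emv_usd": emv(r.likelihood, r.loss_usd),
            "response": recommend_response(r),
            "residual_rating": resid_score, "residual_band": resid_band,
        })
    return sorted(rows, key=lambda row: row["rating"], reverse=True)


# Constructed sample risks echoing the chapter's anecdotes
SAMPLE_RISKS = [
    Risk("Credentials stolen by phishing", "IT Security", "Likely", "Major", 500_000,
         control="Multi-factor authentication", residual_likelihood="Unlikely",
         control_cost_usd=40_000, transferable=True),
    Risk("Laptop with customer data lost on public Wi-Fi", "IT Operations", "Possible",
         "Moderate", 200_000, control="Full-disk encryption plus VPN",
         residual_likelihood="Rare", control_cost_usd=15_000),
    Risk("Regulatory fine for retention failure", "Compliance", "Unlikely", "Severe",
         2_000_000, transferable=True),
    Risk("Corporate blog defaced", "Public Relations", "Possible", "Negligible", 5_000),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(f"{row['rating']:>2} {row['band']:<8} EMV ${row['emv_usd']:>10,.0f} "
              f"{row['response']:<9} {row['name']} (owner: {row['owner']})")
```

Running the script prints the register ordered by inherent rating, which is the remediation road map of Step 4: the phishing risk leads at 16 (Extreme) with an EMV of $300,000 and a recommended Mitigate because the control's expected saving exceeds its cost, the retention fine is High but has no control defined and so is recommended for Transfer, and the blog defacement is Low and Accepted. Changing a likelihood or impact label and re-running is the "what-if" of sensitivity analysis, and the residual columns carry the expected level of residual risk the RRP asks for.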

This was last published in April 2016

1 comment
The fact is that most data gets leaked out on cell phones and that form of communication is rarely safe. I see people come into my cell phone repair business in Schaumburg all of the time with concerns like these.