Ask ten information security managers how they define and manage risk, and you’ll get at least ten distinctly different answers. Many firms have their own unique ways of factoring risk into decision making, utilizing everything from detailed industry standards to informal spreadsheets.
But experts agree that effective information security risk management processes take time to develop, with even the most mature organizations constantly searching for the best way to come to grips with rapid changes in the threat landscape and the effect they have on the security of their products and services.
Performing risk assessments for every product that leaves the production line has been an evolving process at EMC Corp., where each product manager is required to provide metrics on quality and support requirements, residual risk and other factors that weigh heavily on strategic decisions at the company. Eric Baize, senior director in the office of strategy and technology at RSA, the Bedford, Mass.-based security division of EMC Corp., has a company-wide responsibility for product security assurance. Baize said it has taken years to reach a level of maturity to where risk-based decision making is a fundamental process.
“It’s now very much ingrained into the fabric of our product organizations,” Baize said. “These risk decisions are now easier to make, but it is not easy to get to that point.”
A number of methodologies and best practices exist to help guide companies into making more calculated risk-based decisions. NIST provides a set of best practices that can be used as a guide for injecting risk into the decision-making process. The NIST Risk Management Framework outlines steps organizations can take, from categorizing systems to assessing current security controls, to prioritizing and making changes based on impact analysis. The NIST framework begins with categorizing systems and processes based on the likelihood that they will be impacted. It then guides organizations into selecting appropriate security controls, implementing them and then performing an assessment. Other frameworks take broader approaches, incorporating governance and compliance processes. The Committee of Sponsoring Organizations’ (COSO) Enterprise Risk Management Integrated Framework encompasses strategic goals and operational resources to meet reporting and compliance objectives. Meanwhile, the COBIT IT governance framework focuses on policy development and getting IT to effectively support business goals.
But even the best guides fail to factor in each organization’s unique requirements, said Pete Lindstrom, research director at Malvern, Penn.-based Spire Security. Further complicating the problem is that far too many organizations are using multiple frameworks. Applying quantitative analysis can be tricky to introduce to different parts of an organization, Lindstrom said, because there are so many different factors that weigh into risk-based decisions.
“The idea is to evaluate the controls you’re putting in place based on the likelihood the asset you’re protecting will be impacted significantly by external or internal events,” Lindstrom said. “Many organizations are generally not assessing things from the likelihood of impact perspective, which is a purer form of risk measurement.”
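The "likelihood of impact" measurement Lindstrom describes can be made concrete with a small risk register. The following is an added example, not code from the article or from any of the frameworks or companies it names. It assumes a constructed list of assets, each with an estimated likelihood (0 to 1) that an internal or external event significantly impacts it and a normalized business impact (0 to 1), plus a constructed set of candidate controls that each reduce the likelihood for one asset. Risk is scored as likelihood times impact, assets are bucketed into risk categories, and it goes one step beyond the quote by ranking controls by the risk they remove per unit of cost, which is what makes the comparison useful for prioritization.

```python
"""Likelihood-of-impact risk scoring for a small, constructed asset/control register.

Added illustration; the asset names, figures, thresholds and control effects
are assumptions made up for this example, not data from the article.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    likelihood: float   # estimated probability of a significant impact event
    impact: float       # normalized business impact, 0..1


@dataclass(frozen=True)
class Control:
    name: str
    asset: str                  # asset the control protects
    likelihood_reduction: float # fraction of the likelihood the control removes, 0..1
    cost: float                 # relative cost in arbitrary units


# Constructed sample register (assumed values).
ASSETS = [
    Asset("customer-db", likelihood=0.6, impact=0.9),
    Asset("marketing-site", likelihood=0.8, impact=0.2),
    Asset("build-server", likelihood=0.3, impact=0.7),
]

CONTROLS = [
    Control("db-encryption-at-rest", "customer-db", 0.5, cost=40),
    Control("waf-for-site", "marketing-site", 0.5, cost=10),
    Control("build-server-mfa", "build-server", 0.6, cost=6),
]


def risk(asset):
    """Inherent risk: likelihood that the asset is significantly impacted, weighted by impact."""
    return asset.likelihood * asset.impact


def residual_risk(asset, controls):
    """Risk left after applying every control that targets this asset."""
    remaining = asset.likelihood
    for c in controls:
        if c.asset == asset.name:
            remaining *= (1 - c.likelihood_reduction)
    return remaining * asset.impact


def categorize(asset, high=0.5, moderate=0.2):
    """Bucket an asset by inherent risk; thresholds are assumed, not from any standard."""
    r = risk(asset)
    if r >= high:
        return "high"
    if r >= moderate:
        return "moderate"
    return "low"


def rank_controls(assets, controls):
    """Return (name, risk_reduction, reduction_per_cost) tuples, best value first."""
    by_name = {a.name: a for a in assets}
    scored = []
    for c in controls:
        a = by_name[c.asset]
        reduction = risk(a) - residual_risk(a, [c])
        scored.append((c.name, reduction, reduction / c.cost))
    return sorted(scored, key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    for a in ASSETS:
        print(f"{a.name:15s} risk={risk(a):.3f} category={categorize(a)}")
    for name, reduction, per_cost in rank_controls(ASSETS, CONTROLS):
        print(f"{name:22s} removes {reduction:.3f} risk, {per_cost:.4f} per cost unit")
```

Note that the control with the largest absolute risk reduction (encrypting the customer database) is not the best value per cost unit in this constructed register; ranking by reduction alone and ranking by reduction per cost give different orders, which is exactly the kind of trade-off a likelihood-of-impact view is meant to surface.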
Gary McGraw, CTO of Dulles, Va.-based Cigital Inc., whose Building Security in Maturity Model, or BSIMM, assesses the software security processes at more than 40 organizations, including Microsoft, Bank of America, Adobe Systems and Google, said documenting how organizations approach risk-based decision making is difficult, because risk is typically directly tied into business concerns.
“Some firms start out with a risk-based questionnaire to categorize or classify their products into different risk categories and then adjust their SDL according to their results,” McGraw said. “Others have already categorized their high-risk applications and they’ll put almost all their focus on them.”
One issue with risk assessments is a large number of organizations apply separate, disparate risk management approaches to specific project areas instead of taking a cohesive approach, Lindstrom said. To address the problem, ISACA, a nonprofit association of IT professionals, issued the RISK IT framework in 2009. Based on the COBIT IT governance framework, RISK IT aims to help organizations manage risks related to late project delivery, compliance and obsolete IT architecture. The organization said RISK IT brings together a variety of concepts and approaches, such as COSO ERM, ARMS and ISO 31000. The framework is intended to get executives and management to apply an enterprise-wide risk framework rather than applying risk assessments in incomplete, disconnected areas of the organization.
Gunter Bitz, senior manager of product security governance at SAP, said the German software vendor has for many years categorized projects based on risk metrics and other factors. SAP weaves a risk-based approach into each set of requirements for a project, Bitz said. The enterprise software maker also evaluates each product to determine if the industry uses it and the threats posed to the industry. For example, an application developed for the defense industry would logically be considered a higher risk, he said. Product managers also think through the kind of activity an application manages to gain an understanding of the significance of an application.
“Many factors such as the industry and distribution in the market determine the amount of security investment and security testing for a given product,” Bitz said.