A SYSTEMS APPROACH TO
INFORMATION SECURITY RISK MANAGEMENT
FREDERICK G. TOMPKINS
Director of Policy Analysis
National Computer Security Association
ABSTRACT
In today's complex business world, managers should recognize a fundamental premise: it is not possible to have a risk-free telecommunications environment. Risks, therefore, must be managed. Organizations should establish a risk management process. This paper provides a discussion of the underlying risk management process in terms of a systematic approach for identifying and categorizing risks, the steps required to perform a risk reduction analysis, and the steps required to manage the implementation of security safeguards. This paper will also discuss the steps required to establish an information security risk management program.
OVERVIEW
The major questions facing management when attempting to manage risks are: What is at risk? What is the impact on business goals and objectives if risks materialize? Which of the identified risks are acceptable and which risks are unacceptable? What security safeguards are available to reduce risks to an acceptable level? Which security safeguards will provide the best return on investment? Who is responsible for risk reduction implementation? How will safeguards be implemented and over what period of time? How effective are the security safeguards once they have been implemented?
To answer these questions, management should establish an information security program using a risk-based approach. Historically, governments and many regulated industries have used a threat-based approach to develop security policies, standards, procedures and practices. Over the last few years, it has been recognized by various security communities that a threat-based approach is not the most desirable approach. The Joint Security Commission [1] recognized that security decisions have been based on a risk-avoidance mentality. The report states:
"The threats today are more diffuse, multifaceted, and dynamic. National security concerns now include a daunting array of challenges that continue to grow in diversity in our unstable and unpredictable world.
In most cases, however, it is possible to balance the risk of loss or damage of disclosures against the cost of countermeasures and select a mix that provides adequate protection without excessive cost in dollars or in the efficient flow of information to those who require ready access to it. We must and can provide a rational, cost-effective, and enduring framework using risk management as the underlying basis for security decision making."
A threat-based approach to security has resulted in highly controlled, structured security programs whose procedures are intricate and rigidly enforced (a compliance-based approach). In dealing with information and telecommunications systems, compliance-based programs have some notable advantages and disadvantages. The advantages are:
The disadvantages of a compliance-based approach are:
However, if one asks the question, "Is the system secure?" the answer is "maybe!" If the compliance manual is followed to the letter, there are two probable results:
2. Resources will not have been expended to protect against threats/vulnerabilities that are applicable because they are not considered in the manual.
An information security program based upon a risk management approach assures implementation of security safeguards which are appropriate to the specific environment.
RISK MANAGEMENT
Risk management is both an analytical and a managerial process. At the analytical level, risk management provides a systematic approach for defining and analyzing the threats to organizational assets and capabilities and assisting management in optimizing the amount of security return on the investment dollar. At the managerial level, a risk management process assures that the responsibility for reducing security risks to an acceptable level is placed in the hands of line managers who are most familiar with the environment in which information and network systems operate. Responsibilities include determining the actual threats to a processing or telecommunications environment, and how much risk to accept. Senior management's responsibility shifts from making detailed risk decisions to auditing the process by which line managers make risk decisions. A risk-based information security program should not focus on risk elimination or risk avoidance; rather, the program should provide a sound and logical methodology, consistent with good system engineering practices. It is in this way that security risks can be managed. Once the risks are assessed and ranked by priority, the risks can be reduced during the normal course of developing and operating information and telecommunications systems.
Risk management is an application of the systems approach to problem solving [2]. The underlying approach is fundamental to the design, development and maintenance of information and telecommunications systems in use today. The generic systems approach is designed to answer a number of basic questions, such as:
The following discussion provides an overview of the information systems security risk management process when viewed as a specific application of the generic systems approach. As with the generic systems approach, the activities in information systems security risk management provide the framework for identifying the strengths and weaknesses in the system. This facilitates the implementation of a new or improved system, and provides for controlling its performance. (Note: The term "system" is being used herein to mean an assemblage of safeguards for a facility, individual software application, or an organization.)
2. Risk Reduction Analysis involves identifying the availability of potential safeguards; determining the operational and economic feasibility of potential safeguards; and, developing a risk reduction decision study for presentation to management.
3. Management Decision is the determination, by those responsible for allocation of resources, which risks are acceptable and which are unacceptable. For those that are currently not acceptable, management decides which of the alternatives will be implemented and approves the resources required to purchase, or design and develop, and implement the safeguards.
4. Development of Risk Reduction Plans identifies the tasks to be performed prior to the implementation of the safeguards approved by management. Tasks include: identification of the specific safeguards; assignment of responsibility for the design, development or purchase; and finally, the implementation of the safeguards. Plans should also include a timetable, or milestones, leading to implementation.
5. Implementation and Maintenance of Safeguards involves the installation, operation and maintenance of the new or modified safeguards. Implementation may involve training of personnel and coordinating any required changes in operational procedures with the affected organizations and personnel. Maintenance procedures should also be in place to accomplish minor changes that may be required following installation.
6. Review and Audit involves periodic review to identify ineffective, non-functioning or unnecessary safeguards. Significant changes in the risk environment may indicate the need to update the risk analysis or the risk reduction analysis. Most changes should be accomplished by routine sustaining engineering procedures.
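The risk reduction analysis and management decision steps above can be carried through numerically. The following is an added example, not code from the paper; the quantitative model it uses (exposure as expected annual loss, likelihood times impact; net benefit as loss avoided minus safeguard cost; an acceptance threshold set by management) is an assumption of the example, and every figure in the sample inventory is constructed.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    annual_likelihood: float  # expected occurrences per year (estimate)
    impact: float             # loss per occurrence, in dollars (estimate)

    def exposure(self) -> float:
        return self.annual_likelihood * self.impact  # assumed: expected annual loss

@dataclass
class Safeguard:
    name: str
    risk: str                  # name of the risk it addresses
    annual_cost: float
    reduction: float           # fraction of the exposure it removes (0..1)
    feasible: bool = True      # operational feasibility, judged by line management

def net_benefit(risk: Risk, sg: Safeguard) -> float:
    """Economic feasibility: annual loss avoided minus annual cost of the safeguard."""
    return risk.exposure() * sg.reduction - sg.annual_cost

def reduction_study(risks, safeguards, acceptable_exposure):
    """Decision study for management: risks ranked by exposure, the best feasible and
    cost-justified safeguard for each, the residual exposure, and acceptability."""
    study = []
    for risk in sorted(risks, key=Risk.exposure, reverse=True):
        options = [s for s in safeguards
                   if s.risk == risk.name and s.feasible and net_benefit(risk, s) > 0]
        best = max(options, key=lambda s: net_benefit(risk, s), default=None)
        avoided = risk.exposure() * best.reduction if best else 0.0
        residual = risk.exposure() - avoided
        study.append({"risk": risk.name, "exposure": risk.exposure(),
                      "safeguard": best.name if best else None,
                      "net_benefit": avoided - best.annual_cost if best else 0.0,
                      "residual": residual,
                      "acceptable": residual <= acceptable_exposure})
    return study

def example_study():
    # Constructed sample inventory; every number is an illustrative estimate.
    risks = [Risk("web server compromise", 0.5, 200_000),
             Risk("data center fire", 0.01, 5_000_000)]
    safeguards = [Safeguard("patch management", "web server compromise", 30_000, 0.8),
                  Safeguard("managed WAF", "web server compromise", 80_000, 0.8),
                  Safeguard("fire suppression", "data center fire", 60_000, 0.9),
                  Safeguard("relocate data center", "data center fire", 20_000, 1.0, feasible=False)]
    return reduction_study(risks, safeguards, acceptable_exposure=25_000)
```

A risk left with no safeguard and a residual above the threshold (the fire scenario here) is exactly the case the study hands back to management: either accept it explicitly or fund an option that was not cost-justified on its own.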
The foregoing discussion is presented to illustrate that risk management is not a separate process from the life cycle management of information and telecommunications systems. Rather, it is an integral part of the life cycle: a comprehensive process for defining, analyzing, and managing the risks of operating automated information resources (or infrastructures). Risk management is not a one-time activity, but an ongoing process [4].
The implementation of a risk management approach will assure that viable threats, not just postulated ones, are determined when developing security policies, procedures and practices. Accepting threats, without sufficient intelligence to ascertain how real they are, has resulted in the expenditure of resources without any cost-benefit or economic feasibility analyses being conducted. The likelihood of threat actualization must be compared against vulnerabilities and established safeguards to determine a realistic risk posture.
Note: see the following at http://www.icsa.net/knowledge/research/
THE EFFECT OF CERTIFICATION ON INFORMATION SECURITY RISK MANAGEMENT
by: Frederick G. Tompkins, Director of Policy Analysis, ICSA ftompkins@icsa.net
Peter Tippett, President and CEO, ICSA ptippett@icsa.net
ICSA APPROACH TO CERTIFICATION:
A PARADIGM SHIFT FOR INFORMATION SECURITY
by: Frederick G. Tompkins, Director of Policy Analysis (ftompkins@icsa.net)
July 22, 1997
BIBLIOGRAPHY
Copeland, Guy L., and Tompkins, Frederick G., A NEW PARADIGM FOR THE DEVELOPMENT OF U.S. INFORMATION SECURITY POLICY, Computer Sciences Corporation, Herndon, Va., September 1995.
Tompkins, Frederick G., U.S. INFORMATION SECURITY POLICY - HOW SHOULD THE GOVERNMENT APPROACH THE POST COLD WAR ENVIRONMENT?, Eastern Michigan University, Ypsilanti, MI, September 22, 1995.
Joint Security Commission, REDEFINING SECURITY; A Report to the Secretary of Defense and the Director of Central Intelligence, U. S. Government Printing Office, Washington, D. C., February 28, 1994.
U. S. Congress, Office of Technology Assessment, ISSUE UPDATE ON INFORMATION SECURITY AND PRIVACY IN NETWORK ENVIRONMENTS, OTA-BP-ITC-147, U. S. Government Printing Office, Washington, D. C., June 1995. [5]
©1997 National Computer Security Association, All Rights Reserved
1 Joint Security Commission, REDEFINING SECURITY; A Report to the Secretary of Defense and the Director of Central Intelligence; Washington, D. C., February 28, 1994.
2 Copeland, Guy L., and Tompkins, Frederick G., A NEW PARADIGM FOR THE DEVELOPMENT OF U.S. INFORMATION SECURITY POLICY, Computer Sciences Corporation, Herndon, VA., September 1995.
3 Tompkins, Frederick G., Information Security Risk Management, DATAPRO Reports on Information Security, Report IS20-160, DATAPRO Research Corporation, Delran, NJ, May 1986.
4 Tompkins, Frederick G., U.S. INFORMATION SECURITY POLICY - HOW SHOULD THE GOVERNMENT APPROACH THE POST COLD WAR ENVIRONMENT, Eastern Michigan University, Ypsilanti, MI, September 22, 1995.
5 Retrieved from the site: http://www.icsa.net/library/research/97072402.shtml in Jul/99