

A SYSTEMS APPROACH TO
INFORMATION SECURITY RISK MANAGEMENT

FREDERICK G. TOMPKINS
Director of Policy Analysis
National Computer Security Association




ABSTRACT

In today's complex business world, managers should recognize a fundamental premise: it is not possible to have a risk-free telecommunications environment. Risks, therefore, must be managed. Organizations should establish a risk management process. This paper provides a discussion of the underlying risk management process in terms of a systematic approach for identifying and categorizing risks, the steps required to perform a risk reduction analysis, and the steps required to manage the implementation of security safeguards. This paper will also discuss the steps required to establish an information security risk management program.

OVERVIEW

The major questions facing management when attempting to manage risks are: What is at risk? What is the impact on business goals and objectives if risks materialize? Which of the identified risks are acceptable and which risks are unacceptable? What security safeguards are available to reduce risks to an acceptable level? Which security safeguards will provide the best return on investment? Who is responsible for risk reduction implementation? How will safeguards be implemented and over what period of time? How effective are the security safeguards once they have been implemented?

To answer these questions, management should establish an information security program using a risk-based approach. Historically, governments and many regulated industries have used a threat-based approach to develop security policies, standards, procedures and practices. Over the last few years, it has been recognized by various security communities that a threat-based approach is not the most desirable approach. The Joint Security Commission [1] recognized that security decisions have been based on a risk avoidance mentality. The report states:

THREAT VERSUS RISK

A threat-based approach to security has resulted in highly controlled, structured security programs whose procedures are intricate and rigidly enforced (a compliance-based approach). In dealing with information and telecommunications systems, compliance-based programs have some notable advantages and disadvantages. The advantages are:


The disadvantages of a compliance-based approach are:


However, if one asks the question, "Is the system secure?" the answer is "maybe!" If the compliance manual is followed to the letter, there are two probable results:


An information security program based upon a risk management approach assures implementation of security safeguards which are appropriate to the specific environment.

RISK MANAGEMENT

Risk management is both an analytical and a managerial process. At the analytical level, risk management provides a systematic approach for defining and analyzing the threats to organizational assets and capabilities and assisting management in optimizing the amount of security return on the investment dollar. At the managerial level, a risk management process assures that the responsibility for reducing security risks to an acceptable level is placed in the hands of line managers who are most familiar with the environment in which information and network systems operate. Responsibilities include determining the actual threats to a processing or telecommunications environment, and how much risk to accept. Senior management's responsibility shifts from making detailed risk decisions to auditing the process by which line managers make risk decisions. A risk-based information security program should not focus on risk elimination or risk avoidance; rather, the program should provide a sound and logical methodology, consistent with good system engineering practices. It is in this way that security risks can be managed. Once the risks are assessed and ranked by priority, the risks can be reduced during the normal course of developing and operating information and telecommunications systems.

Risk management is an application of the systems approach to problem solving. [2] The underlying approach is fundamental to the design, development and maintenance of information and telecommunications systems in use today. The generic systems approach is designed to answer a number of basic questions, such as:


The following discussion provides an overview of the information systems security risk management process when viewed as a specific application of the generic systems approach. As with the generic systems approach, the activities in information systems security risk management provide the framework for identifying the strengths and weaknesses in the system. This facilitates implementing a new or improved system, and provides for controlling its performance. (Note: The term "system" is being used herein to mean an assemblage of safeguards for a facility, individual software application, or an organization.)


The foregoing discussion is presented to illustrate that risk management is not a separate process from the life cycle management of information and telecommunications systems. Rather, it is an integral part of the life cycle: a comprehensive process for defining, analyzing, and managing the risks of operating automated information resources (or infrastructures). Risk management is not a one-time activity, but an ongoing process. [4]

The implementation of a risk management approach will assure that there is a determination of viable, not just postulated, threats in developing security policies, procedures and practices. Accepting threats, without sufficient intelligence to ascertain how real they are, has resulted in the expenditure of resources without any cost-benefit or economic feasibility analyses being conducted. The likelihood of threat actualization must be compared against vulnerabilities and established safeguards to determine a realistic risk posture.
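The paper describes the analytical side of risk management in prose only: rank risks by priority, separate acceptable from unacceptable risks, and pick the safeguards with the best return on the investment dollar rather than spending against postulated threats. The following is an added illustration of that process, not code from the paper or from the NCSA/ICSA. Everything in it is an assumption chosen for the example: the ordinal 1..5 likelihood and impact scales, exposure as likelihood multiplied by impact, a management-set acceptance threshold, "return" measured as exposure points removed per unit of annual safeguard cost, and all risks, safeguards and figures are constructed sample data.

```python
"""Risk ranking and safeguard selection (added example; scheme and data are constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    asset: str        # what is at risk
    likelihood: int   # 1 (rare) .. 5 (near certain), given the safeguards already in place
    impact: int       # 1 (negligible) .. 5 (severe) effect on business goals if it materializes

    def __post_init__(self) -> None:
        for score in (self.likelihood, self.impact):
            if not 1 <= score <= 5:
                raise ValueError("likelihood and impact are ordinal scores in 1..5")

    def exposure(self) -> int:
        """Ordinal exposure score used for ranking (assumed scheme: likelihood x impact)."""
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Safeguard:
    name: str
    risk_name: str              # the risk this safeguard is proposed against
    annual_cost: float          # constructed figure, currency units per year
    residual_likelihood: int    # scores expected after the safeguard is in place
    residual_impact: int

    def residual_exposure(self) -> int:
        return self.residual_likelihood * self.residual_impact


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Highest exposure first; ties broken by name so the order is deterministic."""
    return sorted(risks, key=lambda r: (-r.exposure(), r.name))


def partition(risks: List[Risk], threshold: int) -> Tuple[List[Risk], List[Risk]]:
    """Split into (acceptable, unacceptable) against a management-set exposure threshold."""
    ranked = rank_risks(risks)
    return ([r for r in ranked if r.exposure() <= threshold],
            [r for r in ranked if r.exposure() > threshold])


def reduction_per_cost(risk: Risk, safeguard: Safeguard) -> float:
    """Exposure points removed per unit of annual cost; a safeguard that does not reduce exposure scores 0."""
    if safeguard.annual_cost <= 0:
        raise ValueError("safeguard cost must be positive")
    reduction = max(risk.exposure() - safeguard.residual_exposure(), 0)
    return reduction / safeguard.annual_cost


def select_safeguards(risks: List[Risk], safeguards: List[Safeguard],
                      threshold: int) -> Dict[str, Optional[Safeguard]]:
    """For each unacceptable risk, choose the qualifying safeguard with the best return.

    A safeguard qualifies only if it brings residual exposure within the threshold.
    A value of None flags a risk that no proposed safeguard reduces enough: that is a
    management decision (accept the residual risk, or analyze further), not a default.
    """
    plan: Dict[str, Optional[Safeguard]] = {}
    _, unacceptable = partition(risks, threshold)
    for risk in unacceptable:
        candidates = [s for s in safeguards
                      if s.risk_name == risk.name and s.residual_exposure() <= threshold]
        plan[risk.name] = (max(candidates, key=lambda s: reduction_per_cost(risk, s))
                           if candidates else None)
    return plan


# Constructed sample register (hypothetical organization, 1990s flavour to match the paper).
THRESHOLD = 6
SAMPLE_RISKS = [
    Risk("Unpatched public web server", "customer portal", 4, 4),       # exposure 16
    Risk("Insider misuse of privileged accounts", "finance system", 3, 4),  # 12
    Risk("Lost backup tape in transit", "customer records", 2, 5),      # 10
    Risk("Dial-in modem without callback", "payroll system", 3, 3),     # 9
    Risk("Power outage at branch office", "branch LAN", 3, 2),          # 6, acceptable
]
SAMPLE_SAFEGUARDS = [
    Safeguard("Monthly patch cycle", "Unpatched public web server", 12000, 2, 4),
    Safeguard("Patch cycle plus host firewall", "Unpatched public web server", 20000, 1, 4),
    Safeguard("Quarterly access review", "Insider misuse of privileged accounts", 3000, 2, 4),
    Safeguard("Encrypt backup tapes", "Lost backup tape in transit", 5000, 2, 1),
    Safeguard("Courier with chain of custody", "Lost backup tape in transit", 8000, 1, 5),
    Safeguard("Replace modem with callback unit", "Dial-in modem without callback", 1500, 1, 3),
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE_RISKS):
        print(f"{r.exposure():>3}  {r.name} ({r.asset})")
    for risk_name, sg in select_safeguards(SAMPLE_RISKS, SAMPLE_SAFEGUARDS, THRESHOLD).items():
        print(risk_name, "->", sg.name if sg else "no qualifying safeguard; management decision")
```

The None case is the one worth noticing: "Quarterly access review" does reduce the insider risk, but only to a residual exposure of 8, so it is not selected and the risk is surfaced for an explicit acceptance decision, which is where the paper places the line manager's responsibility.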

Note: see the following at http://www.icsa.net/knowledge/research/

THE EFFECT OF CERTIFICATION ON INFORMATION SECURITY RISK MANAGEMENT

by: Frederick G. Tompkins, Director of Policy Analysis, ICSA ftompkins@icsa.net
Peter Tippett, President and CEO, ICSA ptippett@icsa.net

ICSA APPROACH TO CERTIFICATION:
A PARADIGM SHIFT FOR INFORMATION SECURITY
by: Frederick G. Tompkins, Director of Policy Analysis (ftompkins@icsa.net) July 22, 1997

BIBLIOGRAPHY

Copeland, Guy L., and Tompkins, Frederick G., A NEW PARADIGM FOR THE DEVELOPMENT OF U.S. INFORMATION SECURITY POLICY, Computer Sciences Corporation, Herndon, Va., September 1995.

Tompkins, Frederick G., U.S. INFORMATION SECURITY POLICY - HOW SHOULD THE GOVERNMENT APPROACH THE POST COLD WAR ENVIRONMENT?, Eastern Michigan University, Ypsilanti, MI, September 22, 1995.

Joint Security Commission, REDEFINING SECURITY; A Report to the Secretary of Defense and the Director of Central Intelligence, U. S. Government Printing Office, Washington, D. C., February 28, 1994.

U. S. Congress, Office of Technology Assessment, ISSUE UPDATE ON INFORMATION SECURITY AND PRIVACY IN NETWORK ENVIRONMENTS, OTA-BP-ITC-147, U. S. Government Printing Office, Washington, D. C., June 1995. [5]


©1997 National Computer Security Association, All Rights Reserved


[1] Joint Security Commission, REDEFINING SECURITY; A Report to the Secretary of Defense and the Director of Central Intelligence; Washington, D. C., February 28, 1994.
[2] Copeland, Guy L., and Tompkins, Frederick G., A NEW PARADIGM FOR THE DEVELOPMENT OF U.S. INFORMATION SECURITY POLICY, Computer Sciences Corporation, Herndon, VA., September 1995.
[3] Tompkins, Frederick G., Information Security Risk Management, DATAPRO Reports on Information Security, Report IS20-160, DATAPRO Research Corporation, Delran, NJ, May 1986.
[4] Tompkins, Frederick G., U.S. INFORMATION SECURITY POLICY - HOW SHOULD THE GOVERNMENT APPROACH THE POST COLD WAR ENVIRONMENT, Eastern Michigan University, Ypsilanti, MI, September 22, 1995.
5




Retrieved from the site: http://www.icsa.net/library/research/97072402.shtml in Jul/99