ABSTRACT

In today's complex business world, managers should recognize a fundamental premise: it is not possible to have a risk free telecommunications environment. Risks, therefore must be managed. Organizations should establish a risk management process. This paper provides a discussion of the underlying risk management process in terms of a systematic approach for identifying and categorizing risks, the steps required to perform a risk reduction analysis, and the steps required to manage the implementation of security safeguards. This paper will also discuss the steps required to establish an information security risk management program.

OVERVIEW

The major questions facing management when attempting to manage risks are: What is at risk? What is the impact on business goals and objectives if risks materialize? Which of the identified risks are acceptable and which risks are unacceptable? What security safeguards are available to reduce risks to an acceptable level? Which security safeguards will provide the best return on investment? Who is responsible for risk reduction implementation? How will safeguards be implemented and over what period of time? How effective are the security safeguards once they have been implemented?

To answer these questions, management should establish an information security program using a risk-based approach. Historically, the governments and many regulated industries have use a threat-based approach to develop security policies, standards, procedures and practices. Over the last few years, it has been recognized by various security communities that a threat-based approach is not the most desirable approach. The Joint Security Commission1 recognized that security decisions have been based on a risk avoidance mentality. The report states:

"In the past, most security decisions have been linked one way or another to assumptions about threats. These assumptions frequently postulated an all-knowing, highly competent enemy. For the better part of the last half century, we viewed the Soviet Union and its allies as capable of exploiting our every weakness. Against this danger, we strove to avoid security risks by maximizing our defenses and minimizing our vulnerabilities. Since the future of the free world was considered highly dependent on how successfully we maintained our secrets, the costs of security programs, the constraints on needed information flow, and the negative impact on individuals and our economic competitiveness were all secondary considerations. We used worst case scenarios as the basis for our security planning.

The threats today are more diffuse, multifaceted, and dynamic. National security concerns now include a daunting array of challenges that continue to grow in diversity in our unstable and unpredictable world.

In most cases, however, it is possible to balance the risk of loss or damage of disclosures against the cost of countermeasures and select a mix that provides adequate protection without excessive cost in dollars or in the efficient flow of information to those who require ready access to it. We must and can provide a rational, cost-effective, and enduring framework using risk management as the underlying basis for security decision making."

A threat-based approach to security has resulted in highly controlled, structured security programs whose procedures are intricate and rigidly enforced (a compliance-based approach). In dealing with information and telecommunications systems, compliance-based programs have some notable advantages and disadvantages. The advantages are:

• Requirements are easily understood.
• Stated Requirements are easily audited.
• Managers are not required to analyze and evaluate their unique environments to determine the need for countermeasures.

The disadvantages of a compliance-based approach are:

• Every system is treated the same. All systems must protect against the same threats, whether they exist or not.
• The line manager, who controls and processes the information, has no flexibility to make reasonable decisions about risk acceptability.
• The system does not respond well to rapid changes in technology.

However, if one asks the question, "Is the system secure?" the answer is "maybe!" If the compliance manual is followed to the letter, there are two probable results:

1. Resources will have been expended to protect against threats/vulnerabilities that are not applicable to the environment; or,

2. Resources will not have been expended to protect against threats/vulnerabilities that are applicable because they are not considered in the manual.

An information security program based upon a risk management approach, assures implementation of security safeguards which are appropriate to the specific environment.

RISK MANAGEMENT

Risk management is both an analytical and a managerial process. At the analytical level, risk management provides a systematic approach for defining and analyzing the threats to organizational assets and capabilities and assisting management in optimizing the amount of security return on the investment dollar. At the managerial level, a risk management process assures that the responsibility for reducing security risks to an acceptable level is placed in the hands of line managers who are most familiar with the environment in which information and network system operate. Responsibilities include determining the actual threats to a processing or telecommunications environment, and how much risk to accept. Senior management's responsibility shifts from making detailed risk decisions to auditing the process by which line managers make risk decisions. A risk-based information security program should not focus on risk elimination or risk avoidance but rather the program should provide a sound and logical methodology, consistent with good system engineering practices. It is in this way that that security risks can be managed. Once the risks are assessed and ranked by priority, the risks can be reduced during the normal course of developing and operating information and telecommunications systems.

Risk management is an application of the systems approach to problem solving.2 The underlying approach is fundamental to the design, development and maintenance of information and telecommunications systems in use today. The generic systems approach is designed to answer a number of basic questions, such as:

• What is the nature of the problem?
• What needs to be changed, modified, or accomplished?
• What alternatives are available to solve the problem?
• Specifically, how will the problem be solved?
• How well does the solution work?3

The following discussion provides an overview of the information systems security risk management process when viewed as a specific application of the generic systems approach. As with the generic systems approach, the activities in the information systems security risk management provide the framework for identifying the strengths and weaknesses in the system. This facilitates the implementing of a new or improved system, and provides for controlling its performance. (Note: The term "system" is being used herein to mean a assemblage of
safeguards for a facility, individual software application, or an organization.

1. Risk Analysis involves identifying the assets and resources that are at risk; the threats to those assets and resources; the vulnerabilities in the risk environment that might allow the threats to materialize; the estimated frequency with which the threats might occur; the safeguards currently in place that would reduce the likelihood that the threat would materialize; and, the cost of the loss or of the impact that could be incurred if the threats to the risk environment were successfully implemented.

2. Risk Reduction Analysis involves identifying the availability of potential safeguards; determining the operational and economic feasibility of potential safeguards; and, developing a risk reduction decision study for presentation to management.

3. Management Decision is the determination, by those responsible for allocation of resources, which risks are acceptable and which are unacceptable. For those that are currently not acceptable, management decides which of the alternatives will be implemented and approves the resources required to purchase, or design and develop, and implement the safeguards.

4. Development of Risk Reduction Plans identifies the tasks to be performed prior to the implementation of the safeguards approved by management. Tasks include: identification of the specific safeguards; assignment of responsibility for the design, development or purchase; and finally, the implementation of the safeguards. Plans should also include a timetable, or milestones, leading to implementation.

5. Implementation and Maintenance of Safeguards involves the installation, operation and maintenance of the new or modified safeguards. Implementation may involve training of personnel and coordinating any required changes in operational procedures with the affected organizations and personnel. Maintenance procedures should also be in place to accomplish minor changes that may be required following installation.

6. Review and Audit involves periodic review to identify ineffective, non-functioning or unnecessary safeguards. Significant changes in the risk environment may indicate the need to update the risk analysis or the risk reduction analysis. Most changes should be accomplished by routine sustaining engineering procedures.

The foregoing discussion is presented to illustrate that risk management is not a separate process from the life cycle management of information and telecommunications systems. Rather, it is an integral part of the life cyclea comprehensive process for defining, analyzing, and managing the risks of operating automated information resources (or infrastructures). Risk management is not a one-time activity, but an ongoing process.4

The implementation of a risk management approach will assure that there is a determination of viable, not just the postulated, threats in developing security policies, procedures and practices. Accepting threat, without sufficient intelligence to ascertain how real they are, has resulted in the expenditure of resources without any cost-benefit or economic feasibility analyses being conducted. The likelihood of threat actualization must be compared against vulnerabilities and established safeguards to determine a realistic risk posture.

Note: see the following at http://www.icsa.net/knowledge/research/

THE EFFECT OF CERTIFICATION ON INFORMATION SECURITY RISK MANAGEMENT

by: Frederick G. Tompkins, Director of Policy Analysis, ICSA ftompkins@icsa.net
Peter Tippett, President and CEO, ICSA ptippett@icsa.net

Copeland, Guy L., and Tompkins, Frederick G., A NEW PARADIGM FOR THE DEVELOPMENT OF U.S. INFORMATION SECURITY POLICY, Computer Sciences Corporation, Herndon, Va., September 1995.

Tompkins, Frederick G., U.S. INFORMATION SECURITY POLICY - HOW SHOULD THE GOVERNMENT APPROACH THE POST COLD WAR ENVIRONMENT?, Eastern Michigan University, Ypsilanti, MI, September 22, 1995.

Joint Security Commission, REDEFINING SECURITY; A Report to the Secretary of Defense and the Director of Central Intelligence, U. S. Government Printing Office, Washington, D. C., February 28, 1994.

U. S. Congress, Office of Technology Assessment, ISSUE UPDATE ON INFORMATION SECURITY AND PRIVACY IN NETWORK ENVIRONMENTS, OTA-BP-ITC-147, U. S. Government Printing Office, Washington, D. C., June 1995.5

1 Joint Security Commission, REDEFINING SECURITY; A Report to the Secretary of Defense and the Director of Central Intelligence; Washington, D. C., February 28, 1994.
2 Copeland, Guy L., and Tompkins, Frederick G. A NEW PARADIGM FOR THE DEVELOPMENT OF U.S. INFORMATION SECURITY POLICY, Computer Sciences Corporation, Herndon, VA., September 1995.
3 Tompkins, Frederick G., Information Security Risk Management, DATAPRO Reports on Information Security, Report IS20-160, DATAPRO Research Corporation, Delran, NJ, May 1986.
4 Tompkins, Frederick G., U.S. INFORMATION SECURITY POLICY - HOW SHOULD THE GOVERNMENT APPROACH THE POST COLD WAR ENVIRONMENT, Eastern Michigan University, Ypsilanti, MI, September 22, 1995.
5

Retirado do site: http://www.icsa.net/library/research/97072402.shtml em jul/99