With dependencies on two networks, you’ll have to look at the risks for both. One risk that could be cited might even be that the user enrollment process is dependent on two networks. If the Houston facility gets flooded by a hurricane and loses power, then the user enrollment process will stop working—even if the New York site remains operational. Clearly, one way to mitigate this risk would be to migrate the functionality of the user enrollment process entirely to the New York site. However, that may not be possible for all kinds of different reasons. Instead, it may be easier to build a failover system in Washington, D.C., that automatically picks up the user enrollment functionality provided by Houston if there is an outage in Houston. When developing a Business Risk Assessment, you have to take into consideration var- ious different scenarios that could affect the business process.There are, of course, other risks aside from natural disasters. In taking into consideration the different scenarios, you need to construct risk statements. Construct Risk Statements Risk statements are assertions that connect a possible circumstance to a fore- casted impact. A common format for a risk statement is: If <this threat circumstance occurs>, then <this will be the impact>. Once risk statements have been developed, the impact can be forecasted and the potential likelihood of the threat can be determined. Risk statements state the presumed threat, and the impact in the form of damage that could occur.The potential impact can then be factored with the probability of its occurrence to find out just how great the risk exposure is in actuality. Some threats will create a more severe impact to the business process than others. When you are creating risk statements for business risks, knowing the technical details of the IT infrastructure is not really necessary. Save that for the System Risk Assessment. It shouldn’t matter whether the firewall is a Cisco firewall or a Juniper firewall. It also shouldn’t matter if the database is an Oracle or Microsoft SQL Server database. Likewise, whether the operating system is Sun Solaris or Microsoft Windows doesn’t matter. Business Risk Assessments look at things from a high level. In the Business Risk Assessment you want to focus on business processes necessary to the organization to be able to carry out its mission(s) and the impact that the loss or degradation of www.syngress.com 230 Chapter 14 • Performing the Business Risk Assessment 409_Cert_Accred_14.qxd 11/3/06 9:34 AM Page 230 one of those business processes would have.The low-level, more technical and granular risks to the information systems that support those business processes will be evaluated in the System Risk Assessment, discussed in Chapter 16. Examples of risk statements for a Business Risk Assessment are: ■ If the Houston facility gets flooded, then it won’t be possible to enroll new users. (This is an availability threat.) ■ If the Houston facility gets flooded, then it won’t be possible to pro- cess time and attendance for any employees. (This is an availability threat.) ■ If an unauthorized user gains access to the Washington, D.C., network, then the integrity and confidentiality of the annual budget could be compromised. (This is an integrity and confidentiality threat.) ■ If an employee accidentally misspells a user’s name, then the mis- spelling could be propagated to two different locations. (This is an integrity threat and most likely a relatively minor one.) ■ If a disgruntled systems administrator purposefully and maliciously creates a backdoor account into the user enrollment system, it could be propagated to two different locations. (This is an integrity, confi- dentiality, and availability threat.) ■ If a terrorist destroys the New York facility, then it won’t be possible to enroll new users into the special program. (This is an availability threat.) ■ If an intruder breaks into the budgeting system and changes some of the numbers in an Excel spreadsheet used for forecasting, too much, or too little money may be allocated to certain programs. (This is an integrity threat.) ■ If a system administrator erroneously configures a firewall rule for the Houston firewall, then access to both user enrollment, and time and attendance, might be blocked. (This is an availability threat.) ■ If a virus proliferates throughout the Houston network, both the user enrollment system and the time and attendance system could be damaged. (This is an integrity threat, and possibly an availability threat as well.) www.syngress.com Performing the Business Risk Assessment • Chapter 14 231 409_Cert_Accred_14.qxd 11/3/06 9:34 AM Page 231 ■ If an intruder breaks into the user enrollment system they could steal a database of private user information. (This is a confidentiality threat.) ■ If security patches are never applied to the time and attendance sys- tems, then intruders may gain access to the attendance systems and damage them. (This is an integrity threat, and possibly an availability threat as well.) Once we know what the threats are, if we have a sensitivity model to measure their likelihood and impact, we can determine the risk exposure. Describe the Sensitivity Model According to the American Heritage Dictionary of the English Language, risk is the “possibility of suffering harm or loss; danger.” 1 Risk analysis can be performed in a variety of different ways. One of the goals of a C&A program is to have some consistency from one C&A package to another.Therefore, it’s important to pick a risk analysis methodology, describe it, and use it as described for each C&A package you develop. A sensitivity model takes into consideration the impact of a threat, and the likelihood of its occurrence, so that you can rank the risks according to their sensitivity for the purpose of prioritizing them. In any given organization there is a limited amount of time and resources. If you were able to deter- mine all of the risks to your organization, would you have enough time and resources to address each and every one? Probably not.Therefore, a goal is to describe the most obvious and likely risks and then further predict the proba- bility of their occurrence.The objective is to think of what situational hazards and threats are most likely to occur, determine the risk exposure, and then either mitigate, transfer, or accept each risk based on priority. Your sensitivity model should consist of a process for determining the risk exposure. (We already categorized the levels of Confidentiality, Integrity, and Availability of the data in Chapter 6 so we are not going to repeat that here.) In business risk assessment, risk exposure is a value that is calculated to deter- mine the degree of risk that the mission is exposed to.The purpose of deter- mining the risk exposure is so you can understand which business processes www.syngress.com 232 Chapter 14 • Performing the Business Risk Assessment 409_Cert_Accred_14.qxd 11/3/06 9:34 AM Page 232 and missions require additional safeguards.You’ll want to mitigate the most severe risks to business missions first. It’s possible to use simple equations to determine risk exposure.You don’t have to be a math genius to do this.The equations we use will multiply the likelihood of a threat by the potential impact to the organization. However, before you can set up these equations, you need to create an impact scale and a likelihood scale so you know what to multiply. Impact Scale In qualitative risk analysis, the impact of a threat to the mission is measured in relative terms.The values that are used to measure the impact are perceived values, and are not actual values. Since a threat actually has not occurred yet, it is not possible to use actual values. If your C&A Handbook already has threat impact values defined, you should use those values (unless you think they are significantly flawed).Table 14.1 shows an example of an impact measurement scale with five measurements.This same scale could be set up to have more, or fewer, levels of impact to fit the unique requirements of your agency or department. Table 14.1 An Example of an Impact Scale Threat Impact Impact Value Description of Impact None 0 The threat poses absolutely no risk to the mission. Very Low 20 The threat poses very little risk to the mission. Safeguards currently provide near complete pro- tection of the mission. Low 40 The threat poses some risk to the mission. The current safeguards provide adequate protection though it is conceivable that the mission could be impeded. Moderate 60 The threat poses a moderate risk to the mission. The safeguards that are in place provide some protection, though it is possible for the mission to be thwarted. www.syngress.com Performing the Business Risk Assessment • Chapter 14 233 Continued 409_Cert_Accred_14.qxd 11/3/06 9:34 AM Page 233 Table 14.1 continued An Example of an Impact Scale Threat Impact Impact Value Description of Impact High 80 The threat poses a high risk to the mission and the current safeguards provide few protections. Severe 100 The threat may completely thwart the mission and the current safeguards provide no protection. Likelihood Scale The likelihood that a threat will occur is a probability expressed in relative terms.Table 14.2 lists probability levels based on likelihood of occurrence. Table 14.2 An Example of a Likelihood Scale Probability of Probability of Loss to Mission Loss to Mission Expressed as Expressed as a a Percentage Decimal Description Likelihood 0% – 10% .1 There is little to no chance Low that the threat could thwart the mission. 10% – 50 % .5 There is a moderate chance Moderate that the threat could thwart the mission. 50% – 100 % 1.0 There is a high chance that High the threat could thwart the mission. Calculating Risk Exposure In qualitative risk analysis, risk exposure is determined by multiplying the prob- ability of mission loss (the likelihood it will occur) by the potential severity of the impact to the agency due to that loss. If we represent probability with P, and impact severity with S, our risk exposure equation looks like this: P x S = Risk Exposure (RE) www.syngress.com 234 Chapter 14 • Performing the Business Risk Assessment 409_Cert_Accred_14.qxd 11/3/06 9:34 AM Page 234 We can also write the expression a different way to more clearly indicate we are talking about the probability of loss (L) multiplied by the severity of the loss (L): P (L) x S (L) = R (E) P (L) represents the likelihood. S (L) represents the impact.The probability that loss will occur is another way of referring to the likelihood.The severity of the loss is another way of referring to the impact.Therefore: Likelihood x Impact = Risk Exposure Now for a particular threat, we take the impact values from Table 14.1 and multiply them by the probability of loss values from Table 14.2.All the pos- sible outcomes of multiplying the likelihood by the impact are listed in Table 14.3. Lead the Team to Obtain the Metrics For the purpose of C&A, when putting together your risk exposure metrics, it is important to interview the support, development, and management staff to obtain their input. It is not possible to determine the impact and likelihood of a threat to a business process in a vacuum.You need to sit down with the folks that run the business. I recommend holding a business risk assessment meeting and getting everyone together in a room. While it may seem unim- portant to list risks that are so obviously low likelihood or low impact, the reason for doing so is so that you can record all the issues that are raised by the staff. It is important to record the issues raised by all the participants. Remember, C&A is a format for holding people accountable. When you develop the business risk assessment, it’s not your job to determine the likeli- hood and impact on your own.You should take on the role of a facilitator of the process and should use the values for impact and likelihood that the team gives you in order to determine the risk exposure. Analyze the Risks Once you have determined the risk exposure, it is time to analyze the risks to prepare for making an informed decision.There are multiple reasons for ana- lyzing risks. When a threat is exploited, otherwise competent staff are often www.syngress.com Performing the Business Risk Assessment • Chapter 14 235 409_Cert_Accred_14.qxd 11/3/06 9:34 AM Page 235 left flustered not knowing what to do first. Analyzing risk is about antici- pating the incident in order to prevent it, and also to prepare for how to respond in the event it does occur. Determining business risk exposure helps you understand what risks to address first. Even in the absence of malicious attackers, disgruntled users, and adminis- trative errors, power outages still occur and natural disasters wreak havoc. Understanding risks, and applying safeguards to mitigate those risks not only prevent loss to the mission, but also helps maintain the flow of order by poten- tially reducing the amount of circumstances that may create disorder.You ana- lyze risks so you can prioritize them for the purpose of managing them. Once the risk exposure is determined and ranked from high to low, the findings should be presented to the business owner.The business owner and ISSO should engage in discussions with the business risk assessment team that origi- nally assisted you in putting together the list of risks, their impact, and likeli- hood. Analyzing the risks means discussing the possible outcomes before making a decision on what action to take.Table 14.3 lists risk exposure metrics. Table 14.3 Risk Exposure Metrics Likelihood x Impact Risk Exposure .1 x 0 0 .1 x 20 2 .1 x 40 4 .1 x 60 6 .1 x 80 8 .1 x 100 10 .5 x 0 0 .5 x 20 10 .5 x 40 20 .5 x 60 30 .5 x 80 40 . 5 x 100 50 1 x 0 0 1 x 20 20 www.syngress.com 236 Chapter 14 • Performing the Business Risk Assessment Continued 409_Cert_Accred_14.qxd 11/3/06 9:34 AM Page 236 Table 14.3 Risk Exposure Metrics Likelihood x Impact Risk Exposure 1 x 40 40 1 x 60 60 1 x 80 80 1 x 100 100 Another way of presenting the information in Table 14.3 is shown in Table 14.4. Table 14.4 Risk Exposure Determination Table Impact Likelihood and Values Low (.1) Medium (.5) High (1.0) None (0) 0 x .1 = 0 0 x .5 = 0 0 x 1 = 0 Very low (20) 20 x .1 = 2 20 x .5 = 10 20 x 1 = 20 Low (40) 40 x .1 = 4 40 x .5 = 20 40 x 1 = 40 Moderate (60) 60 x .1 = 6 60 x .5 = 30 60 x 1 = 60 High (80) 80 x .1 = 8 80 x .5 = 40 80 x 1 = 80 Severe (100) 100 x .1 = 10 100 x .5 = 50 100 x 1 = 100 Source: Chapter 10, HIPAA Security Implementation 2.0, SANS Press, 2004. Make an Informed Decision Once risks have been identified and analyzed, a decision can be made on what action to take.Your choices are to accept the risk, transfer the risk, or mitigate the risk.You should be able to justify your reason for whatever deci- sion you make. Accept the Risk If the risk exposure is extremely low, and the cost to remove such a small risk is extremely high, the best solution may be to accept the risk. Keep in mind that for the purposes of C&A, it is up to the business owner to accept the risk.The business owner usually will accept the risk or not based on the rec- www.syngress.com Performing the Business Risk Assessment • Chapter 14 237 409_Cert_Accred_14.qxd 11/3/06 9:34 AM Page 237 ommendation from the ISSO and the staff that prepares the Business Risk Assessment.The business owner usually always wants a recommendation on whether to accept the risk or not so be prepared to make one. Transfer the Risk When you transfer the risk, you make another entity responsible for it. When you buy insurance, you are transferring the risk to a third party who has agreed to assume the risk for an agreed upon cost. In a federal agency, in many situations it may not be possible to buy insurance to transfer risks. However, there are other ways to transfer risk. It’s possible that you may not have the appropriate personnel to support a business function. A business owner could possibly negotiate with another department to take on the responsibility of supporting the business function. If you know something is at risk, and you know another department could manage the risk better, you might be able to transfer the risk to the other department. For example, if one of the risks to your business process is that you don’t have a UNIX Systems Administrator to manage a business process that runs on a UNIX system, you may decide to transfer the man- agement of the business process to the department that provides UNIX sys- tems administration.The business owner will be looking for recommendations on transferring risks. A business owner is not preserving any sort of managerial territory or integrity by insisting on retaining a sub- stantial risk that they know they cannot mitigate. A smart business owner will want to get rid of all substantial risks. A risk to a business process puts the business owner’s career at risk. Imagine the outcome if an expensive security incident occurs and in the process of resolving the incident it becomes known that the business owner knew all along that a substantial risk was present, and yet did nothing about it. Mitigate the Risk To mitigate the risk means to either remove it completely, or reduce it to an acceptable level. If the risk exposure is very high, you’ll want to consider mit- igating the risk.You can mitigate risks by putting safeguards in place, or reconfiguring existing safeguards.You can also remove the factors that con- www.syngress.com 238 Chapter 14 • Performing the Business Risk Assessment 409_Cert_Accred_14.qxd 11/3/06 9:34 AM Page 238 tribute to the risk (e.g., move the business to a location that is not prone to hurricanes), or remove some of the dependencies of the business process. Typically the more dependencies that a business process has, the more risks there are. When a business process is dependent on multiple systems, multiple software packages, and multiple locations, there most certainly will be mul- tiple risks. TIP Remember the following risk monikers: L = Likelihood I = Impact RE = Risk Exposure Probability of loss = P (L) = Likelihood Severity of loss = S (L) = impact Multiple physical locations can go either way when it comes to risk.Two locations mean that there are two facilities to protect, which doubles the nec- essary safeguards. However, if the reason you have two facilities is so that one can serve as a backup site in the event of a natural disaster, you may not be mitigating risks by consolidating to one location. Every situation is unique and you should keep in mind that each business unit may have risks that are incomparable to another agency, bureau, or line of business. For the purpose of tracking and managing your decision, you can summa- rize you risk statements and risk exposure metrics in a table.Table 14.5 shows a sample risk summary table. Table 14.5 Risk Summary Table with Decision Risk Statement L I RE Decision If an unauthorized user .1 80 8 Mitigate the risk by installing gains access to a veteran’s a host-based intrusion hospital enrollment detection system on the system, then the intruder enrollment system. could remove patients from the system and impede treatment. www.syngress.com Performing the Business Risk Assessment • Chapter 14 239 Continued 409_Cert_Accred_14.qxd 11/3/06 9:34 AM Page 239 [...]... there are two network domains, describe their architecture and connectivity requirements www.syngress.com 255 409_Cert_Accred_ 16. qxd 2 56 11/3/ 06 2:45 PM Page 2 56 Chapter 16 • Developing the Contingency Plan Network Diagrams and Maps Network diagrams and maps are extremely helpful in understanding how a failover scenario is supposed to work, and how the network components should connect to each other... communications facilities and services ■ Supervises all telecomm installations and configurations www.syngress.com 261 409_Cert_Accred_ 16. qxd 262 11/3/ 06 2:45 PM Page 262 Chapter 16 • Developing the Contingency Plan ■ Overseas access to telecomm wiring closets ■ Works with ISOC to restore connectivity between systems and networks ■ Oversees testing of alternate communications ■ Reports status and recommendations... www.syngress.com 263 409_Cert_Accred_ 16. qxd 264 11/3/ 06 2:45 PM Page 264 Chapter 16 • Developing the Contingency Plan often are full backups performed and how often are incremental backups performed? Include the backup schedule in a table When files need to be recovered, what are the commands that are used to recover these files? In restoring data, it should be very clear precisely which commands are to restore... inforwww.syngress.com 409_Cert_Accred_ 16. qxd 11/3/ 06 2:45 PM Page 257 Developing the Contingency Plan • Chapter 16 mation.You can document the sources and destination of your data in a table similar to the one depicted in Table 16. 1 Table 16. 1 Data Sources and Destinations Source Data Conduit Destination Users typing in data from different locations over the Web Internet using HTTPS and SSL SQL Database #5 on... ■ Alerts vendors of the situations and requests their assistance as necessary ■ Makes recommendation on whether to relocate to alternate site ■ Briefs team members on recovery duties and responsibilities ■ Reports status and recommendations back to the Contingency Planning Coordinator www.syngress.com 259 409_Cert_Accred_ 16. qxd 260 11/3/ 06 2:45 PM Page 260 Chapter 16 • Developing the Contingency Plan... ISBN: 1931332223 Hiles, Andrew Enterprise Risk Assessment and Business Impact Analysis: Best Practices Rothstein Associates, March 2002 ISBN: 19313321 26 www.syngress.com 409_Cert_Accred_ 16. qxd 11/3/ 06 2:45 PM Page 253 Chapter 16 Developing the Contingency Plan “O to be self-balanced for contingencies, to confront night, storms, hunger, ridicule, accidents, rebuffs, as the trees and animals do.” —Walt... with vendors providing equipment www.syngress.com 409_Cert_Accred_ 16. qxd 11/3/ 06 2:45 PM Page 261 Developing the Contingency Plan • Chapter 16 ■ Documents estimated delivery times for new equipment ■ Retains copies of all service level agreements and provides them to team ■ Retains any encryption keys that are escrowed ■ Reports status and recommendations back to the Contingency Planning Coordinator... (or ConOps), should describe in dialogue how the information systems and major applications that make up your C&A package work and interoperate.Three key subsections of your CONOPS are the System Description, Network Diagrams and Maps, and Data Sources and Destinations System Description Include a description of the information systems and major applications to which the Contingency Plan applies.Your... include low-level file execution instructions such as what command line interface (CLI) commands to run and what graphical user interface (GUI) parameters to click on.The various types of procedures you should include are described in the following sections Backup and Restoration Procedures Backup and restoration procedures for restoring systems and major applications from backup media needs to be thoroughly... address, phone number, and which employees are authorized to obtain backup media from it You’ll want to describe the backup and restoration architecture so that the reader can understand the backup and recovery process enough to completely recreate it from your description.The restoration procedures should indicate if any particular software recovery programs (and their version number and patch level) are . .5 = 10 20 x 1 = 20 Low (40) 40 x .1 = 4 40 x .5 = 20 40 x 1 = 40 Moderate (60 ) 60 x .1 = 6 60 x .5 = 30 60 x 1 = 60 High (80) 80 x .1 = 8 80 x .5 = 40 80 x 1 = 80 Severe (100) 100 x .1 = 10. enrollment, and time and attendance, might be blocked. (This is an availability threat.) ■ If a virus proliferates throughout the Houston network, both the user enrollment system and the time and attendance. x 0 0 .1 x 20 2 .1 x 40 4 .1 x 60 6 .1 x 80 8 .1 x 100 10 .5 x 0 0 .5 x 20 10 .5 x 40 20 .5 x 60 30 .5 x 80 40 . 5 x 100 50 1 x 0 0 1 x 20 20 www.syngress.com 2 36 Chapter 14 • Performing the Business