noting some of the recommendations of the Ludwig Report. One would have assumed that these basic and commonsense practices are normal in the financial world, but maybe not. Furthermore, they can be automated on a secure computer system, especially things like confirming all trades immediately and generating confirmations for all trades instead of relying solely on counterparties. In fact, Ludwig suggests considering the use of an automatic confirmation programme as well as formal alert reports on open items. He also suggests that all market prices used to value open positions should be verified by treasury risk control directly with a market source and that operating systems should have direct market feeds. Furthermore, a report should be prepared each day that presents the high and low prices for each currency, and any transaction done outside of this range should be flagged for explanation. Regarding access to systems, Ludwig recommends that a review should be performed of what, if any, remote access to bank systems should be permitted, and how such access should be controlled. This is important since Rusnak frequently accessed the bank’s systems from his home computer.

Recommendations that ‘administration rights’ to the bank’s back office systems should be controlled, with all access monitored, and be permitted only to personnel completely independent of the business line are also particularly important, since not only did Rusnak access systems from home, but he was able to manipulate key files. The source of client and counterparty data should be independent from the front office and validated and input independently, which is vital in the case of Allfirst, where the divisions between the front and back office were blurred. Ludwig also recommends that a formal new product review should be performed before new products are introduced to the bank. He further recommends that significant operational and other procedures for existing products should not change without a full review and sign-off by all the groups that would sign off on a new product review. Again, there was a definite shortfall and lack of uniformity between AIB and Allfirst when it came to product utilization. Rusnak was known as a vigorous operator, trading from home after hours, at weekends and while on vacation, and the Ludwig report suggests ways of preventing these practices in the future. The two-week vacation policy should be strictly enforced. No remote access should be permitted during the two-week period. Telephone communications with the office and trading directions should be severely curtailed during this period, and after-hours trading should be discontinued. Finally, telephones of the dealers and operations personnel should be recorded through the use of a centralized tamper-proof system.

It’s worth remembering, though, that while seamless, end-to-end automation would have prevented Rusnak’s fictitious deals, such automation can also have its drawbacks. This was painfully highlighted in 1998 when a Salomon Brothers trader mistakenly sold £850 million worth of French Government bonds by carelessly leaning on his keyboard! [4]

[1] The Role of Spreadsheets in the Allied Irish Banks / Allfirst Currency Trading Fraud, Ray Butler, CAS Salford.
[2] A statistical measure to estimate the maximum range of loss that is likely to be suffered in a given portfolio.
[3] Allfirst Financial: Out of Control. Baseline, March 12th 2002, Sean Gallagher.
[4] James Arnold, BBC News Online, http://news.bbc.co.uk/hi/english/business/newsid_1804000/1804410.stm

Risk Management — Practising What We Preach
Cliff May, principal consultant, Integralis

The extent to which security breaches, high profile hacks and viruses gain coverage on prime time news has grown dramatically in the last 12 to 18 months. The result is that there can be few people working at management level today who will be totally oblivious to the possible risks they face. A few years ago, ignorance might be considered a predictable, albeit weak, defence — today, there is simply too much at stake. Given this growing level of awareness of the security risks we all share on a daily basis, it is deeply ironic that many organizations still seem to actively avoid considering how such risks can be controlled or minimized. The result is that the disciplines behind risk management, risk assessment or risk analysis make it into boardroom agendas all too infrequently. Yet we all practise risk management on an ongoing basis, and something as common as crossing the road remains an excellent analogy for the processes involved in minimizing and controlling risk. Most people would not dream of ignoring such obvious risks in their daily life, and a proactive approach on a business level has scope to make a tremendous difference to the health and well-being of most organizations.

A proactive approach

Developing a proactive approach to information security risk management requires some key considerations:

• An understanding of what needs to be protected (assets).
• Calculating the value of the information assets to the business.
• Knowing who your enemies are (threats).
• Identifying weaknesses (vulnerabilities).
• Assessing strengths and countermeasures (controls).
• Assessing the likelihood of attack (probability).
• Recognizing residual risks.
• Assessing the consequences.
• Taking preventative action.

Unmanaged Risk — Wireless LANs

There are many examples of unmanaged risk, an increasing variety of which are making headlines. For example, recent press coverage has shown how easy it is for people to listen in to wireless LANs. The most famous case highlighted how a directional antenna made with a can of Pringles crisps could be used to spot wireless networks vulnerable to attack. It is even possible to download tools from the Internet — such as Netstumbler — that help locate WLANs. But it is also easy for companies to locate these problems by undertaking a security audit. Unfortunately the story doesn’t end there, as more worrying still is the issue that many companies do not know that there is a serious problem with lack of encryption. Wireless LANs are a beacon to the outside world, and although many people think that signals do not extend very far, they are easily intercepted, as the Pringles example illustrates.

Information assets

The primary role of information security is to protect information assets. That means people, accounting data, intellectual property, company reputation, designs, plans, forecasts, servers, networks, and all of the elements that are critical to the future of every business.

It is important to identify the most valuable information assets and the critical business functions, because only then is it possible to know what measures need to be put in place. For instance, it wouldn’t make sense to spend £50 000 protecting an asset worth only £5000 to the business. Many companies find it hard to value their information assets, but there are some questions which businesses can ask themselves to bring additional clarity:

• How do we generate income?
  • Sales, services, leases.
• How do we communicate internally and externally?
  • Paper, email, fax, website.
• Where do we store key data?
  • People, networks, backups, filing systems.
• What are the key ‘people’ functions?
  • Management, sales staff, developers, traders.
• Could the business function without any of the above?
• What would be the financial/productivity impact if they were lost?
• Would we lose competitive advantage?
• Would there be a loss of customer/shareholder confidence if they were compromised?
• What would be the effects of bad publicity?

BS7799 — An opportunity too good to miss

BS7799 dates back to 1993, when the UK Department of Trade and Industry wanted to produce a code of best practice for secure online business. It was designed to help firms identify, manage and minimize the range of threats to which information is regularly subjected. The challenge since has been to encourage the adoption of BS7799 within business, but with many adopting a ‘who cares?’ attitude, the challenge has been considerable. This is especially true at the management levels, who often see information security as the responsibility and preserve of technical experts. To say it’s not often high on the agenda of those at board level is putting it mildly. Consequently, the potential advantages of getting to grips with BS7799 have bypassed many organizations with barely a flicker of acknowledgement. The result? Too often, IT teams must rely on ad hoc, often last-minute measures when what they really need is better boardroom support — in the shape of long-term policies, efficient procedures and technical safeguards.

Threats

Threats take many forms, and every organization faces different internal and external threats. External threats such as environmental issues — fire, flood and storm damage — are threats to all businesses, but only those reliant on Internet connectivity are concerned with hacker intrusion. Fraud, theft of intellectual property and misuse of company systems are common high-risk internal threats. Most companies have a diverse cross-section of employees, and this has many implications — staff with debts, gambling problems, alcohol or drug addiction, petty jealousies, grudges for being passed over for promotion and all the many failings of the human spirit. The threat from staff, contractors, cleaners and even security guards can be far greater than any external threat. Employees can pose one of the greatest threats to company security — often unwittingly. Conversations in the pub after work, using a laptop on the train, holding the door open for someone instead of making them swipe an ID card — all of these things can potentially compromise the overall security of a business. All it takes is for a hacker to overhear a conversation mentioning company names, departments or projects, and they can begin to build up insider knowledge to use to their advantage. Once a certain amount of inside information is gained, something as harmless as a telephone call can be used as a tool to obtain further privileged information. The potential problems are underlined on a regular basis. A recent survey published by Egg highlighted how more than half of computer users never bother to change their passwords, and many of those passwords used are relatively easy to guess, such as family names, birthdays or a football team name.

Real hack attack

Below is an example of a ‘real hack’ that actually occurred, with changed names, of course. The company information was easily extracted from surfing the Internet and was subsequently used to compromise the corporate network.

#JulianR,Recipients,UK-HeadOffice,Example Corp.
dn: cn=JulianR,cn=Recipients,ou=UK-HeadOffice,o=Example Corp.
objectClass: organizationalPerson
objectClass: person
objectClass: Top
rdn: JulianR
cn: Julian Smithson
rfc822Mailbox: [email protected]
mail: [email protected]
textEncodedORaddress: c=US;a= ;p=Example Corp.;o=UKHeadOffice;s=Smithson;g=Julian;
otherMailbox: MS$EXAMPLE/EXCHANGE/JulianS
otherMailbox: MSA$Julian Smithson@Exchange Connection
otherMailbox: CCMAIL$Smithson, Julian at UK-HeadOffice
otherMailbox: [email protected]
secretary: Janice Richardson
Company: Corporate
department: Board
givenName: Julian
uid: JulianS
MAPI-Recipient: TRUE
physicalDeliveryOfficeName: Building C
sn: Smithson
facsimileTelephoneNumber: 237997
secretarytelephoneNumberDDI: 01333-237441
title: Chairman

Employees are becoming one of the key access routes to corporate networks for many hackers. This practice, known as ‘social engineering’, is one of the easiest ways to circumvent physical security systems. In the example above, data was easily ‘extracted’ from a well-known company database that was visible from the Internet. All company details have been edited. The significant point to be highlighted is how easily inside information can be obtained. Armed with details of the name, number and location of the chairman’s secretary, an adept hacker can work to find an entry point onto the corporate network. As a starting point, a call can be made to find out if the chairman is on site or out, which helps to determine if his PC is idle or not. Alternatively, the hacker may pose as someone from another support department who needs access to the chairman’s PC. The secretary may be asked to reveal the chairman’s password and inadvertently open the gates for the hacker into the company network. This may sound implausible, but it is becoming one of the more common methods of network access.

Assessing vulnerabilities and exercising control

Assessing potential vulnerabilities is difficult, but with consideration and a sound security audit an organization can quickly measure how strong or weak its defences are. The possibilities are varied — perhaps physical security is suspect, and strangers can ‘tailgate’ staff through locked doors. Alternatively, firewalls may be configured incorrectly, leaving the website open to intruders. Many businesses do not routinely security screen staff in sensitive posts. But wherever the vulnerability lies, security is a mixture of policies, procedures and technical controls, all of which need to be constantly regulated and evaluated for scope and effectiveness. It is also vital to determine how strong existing control measures are. For instance:

• Are virus scanners up to date and effective?
• Does the business have an acceptable usage policy for the Internet?
• Does it have procedures for ensuring that access rights are revoked immediately for staff leaving the company?

Those are just a few of the main considerations, but an organization following this process will need to ask many more such questions in order to identify the true picture. The aim is to establish how much reliance can be placed on existing control measures. Failure to do so will leave behind a false sense of security, which is often more dangerous than knowing that security is weak. The next stage is also to assess the likelihood of vulnerabilities being exploited against the strength of existing controls. Historical data is useful here; for instance, it is generally accepted that it is foolish not to scan all email for viruses. If thieves have previously targeted the office, or the premises sit in a flood plain and have been flooded before, the likelihood of it happening again is increased.

Calculating residual risk

Residual risk is what is left behind after the following has been performed:

• Assessment of the value of an organization’s information assets.
• Consideration of the threats they are subject to.
• Discovery of where the security vulnerabilities lie.
• Assessment of the likelihood of those vulnerabilities being exploited.

It can be calculated using a simple formula:

Value of information assets × Threats × Vulnerabilities × Probability − Existing Controls = Residual Risk

How to ‘TAME’ residual risks

The primary aim in a risk management strategy is to reduce residual risk to acceptable levels, and what is acceptable varies by market sector or geographical location. Risk management is about balancing risk acceptance against the consequences of inadequate control. Small companies do not usually have the financial resources to implement comprehensive information security measures and may choose to ‘take a gamble’. Invariably this is dangerous, as the loss of, say, intellectual property such as designs, plans or programmes could conceivably cause business failure.

One choice is to Transfer the risk to someone else, for example by taking out ‘cyberliability’ insurance cover for an e-commerce site. This can help mitigate the consequences of a major security breach, but won’t in itself make a breach any less likely. There is always the chance that prior assessment could indicate that the residual risk is low — in such circumstances, the business may choose to Accept that level of risk. But in most cases, some level of action will need to be taken, and most organizations will probably choose to Mitigate the risk by improving policies, procedures and control measures. Many technical security weaknesses can be reduced or eliminated by the installation of additional software or hardware, or by updating existing systems. In exceptional cases the residual risk may be considered so high as to warrant more drastic action to Eliminate all remaining risk. This could involve the removal of a system from direct access to the Internet or the axing of a business function, for instance.
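As an added worked example (not code from the article or its author), the residual risk formula and the TAME choices above are carried through on a small asset register, with the control checklist from the vulnerabilities section feeding the Existing Controls term and the £50 000 versus £5000 cost test applied to a proposed control. The asset values, the control weights, the treatment of Existing Controls as the share of exposure averted, and the Eliminate threshold are all constructed assumptions.

```python
from dataclasses import dataclass, field

# The four TAME treatments named in the article.
TRANSFER, ACCEPT, MITIGATE, ELIMINATE = "Transfer", "Accept", "Mitigate", "Eliminate"

# Control checklist questions from the article, weighted by the share of exposure each
# removes when answered "yes" (the weights are an assumption; they sum to 100).
CONTROL_WEIGHTS = {"virus_scanners_current": 30, "acceptable_usage_policy": 20,
                   "leaver_access_revoked": 50}
ELIMINATE_FRACTION = 0.5  # assumption: residual above half the asset's value is "exceptional"

@dataclass
class Asset:
    name: str
    value: float          # business value in pounds
    threat: float         # 0..1: exposure to the threat sources identified
    vulnerability: float  # 0..1: severity of the weaknesses the audit found
    probability: float    # 0..1: likelihood of exploitation, from historical data
    controls: dict = field(default_factory=dict)  # checklist answers, True = in place

def control_strength(controls):
    """Fraction (0..1) of the weighted control checklist that is actually in place."""
    return sum(w for k, w in CONTROL_WEIGHTS.items() if controls.get(k)) / 100

def residual_risk(asset):
    """Article's formula: Value x Threats x Vulnerabilities x Probability - Existing Controls.
    'Existing Controls' is taken (an assumption) as the share of that exposure which the
    controls in place avert, so the result is an expected loss in pounds."""
    exposure = asset.value * asset.threat * asset.vulnerability * asset.probability
    return round(exposure - exposure * control_strength(asset.controls), 2)

def tame(asset, appetite, insurable=False):
    """Accept below the risk appetite, Eliminate in the exceptional case, otherwise Mitigate,
    adding Transfer (insurance) where available: cover reduces the consequences of a
    breach but not its likelihood."""
    r = residual_risk(asset)
    if r <= appetite:
        return [ACCEPT]
    if r > ELIMINATE_FRACTION * asset.value:
        return [ELIMINATE]
    return [MITIGATE, TRANSFER] if insurable else [MITIGATE]

def control_worth_buying(asset, control_cost, new_controls):
    """The article's cost test (no 50,000 pound spend to protect a 5,000 pound asset):
    a new control must avert at least as much residual risk as it costs."""
    improved = Asset(asset.name, asset.value, asset.threat, asset.vulnerability,
                     asset.probability, {**asset.controls, **new_controls})
    return residual_risk(asset) - residual_risk(improved) >= control_cost

# Constructed asset register for illustration (the values are not from the article).
REGISTER = [
    Asset("Customer database", 250_000, 0.8, 0.6, 0.5,
          {"virus_scanners_current": True, "acceptable_usage_policy": True}),
    Asset("Marketing brochures", 5_000, 0.3, 0.5, 0.4,
          {"virus_scanners_current": True, "leaver_access_revoked": True}),
    Asset("Legacy Internet-facing FTP server", 40_000, 0.9, 0.9, 0.9),
]

for a in REGISTER:
    print(f"{a.name}: residual £{residual_risk(a):,.0f} -> {tame(a, 1_000, insurable=True)}")
```

With a £1000 appetite the database is mitigated (and insured), the brochures are accepted, and the uncontrolled FTP server exceeds the Eliminate threshold; adding leaver revocation for the database is worth £8000, whereas a £50 000 control on the brochures is not.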

The importance of taking action

If a business understands what risks it faces and has appropriate processes in place to manage them, then it will be better placed to deal with the here and now, as well as to assess what risks are involved when embarking on new ventures.

There are many more complex methods of performing risk management, but only by actually taking action can security be improved. Knowing the assets that need protecting, their business value, the potential threats and vulnerabilities and the chances of those vulnerabilities being exploited means an organization can take cost-effective, intelligent action to reduce the residual risks. A carefully executed risk assessment can bring great benefits in a short timescale, and security audits will highlight any areas of potential weakness. The adoption of an information security standard such as BS7799 can also produce great benefits. It demonstrates to staff, customers and trading partners that security is taken seriously, that their data is safe, and that there is independent verification of the fact. An independent qualification also gives the company involved benchmarks to aim towards and a method of rating the security measures already in place. As part of achieving accreditation, the security measures already implemented will be evaluated, and appropriate action will be taken to improve security sufficiently to achieve the goal of accreditation. Where a business is proactive about risk management, many insurance companies will look more favourably on such efforts in terms of liability insurance. So, if a business is hacked, there is less chance that it will be held legally responsible if it can prove that it has undertaken due diligence in assessing and managing information security risks. Ultimately, strong information security requires a series of key steps, of which risk management is a key component:

• Management commitment.
• Clear, security-related roles and responsibilities.
• Security education.
• An understanding of risk management.
• A proactive approach.

About the Author

Principal consultant at Integralis, Clifford May has 31 years’ experience of systems auditing and computer forensics investigation in the public and private sector. At Integralis, he undertakes forensic investigations as well as being a consultant on risk management and BS7799.