Chapter 2
Risk, security, and assurance
The US Government has long maintained the need and the requirement to evaluate the IT systems operating on its networks and backbones and to ascertain that they are as secure as possible. Over the past 30 years, various organizations within the Federal Government have developed and operated under multiple different methodologies to provide the assurance to managers and executives that the IT systems were safe, secure, and trustworthy. This process began back in the 1970s and 1980s in the US Government Intelligence Community (IC) with the original directives for ensuring the confidentiality of the systems and the data retained in those systems. The current security practices and processes all focus on managing and mitigating the risks associated with the confidentiality, integrity, and availability of the information associated with the operation and maintenance of each Federal IT system. The risk review, tolerance criteria, and management activities are all associated with the actual data stored on the IT system, the downstream liabilities of others using that same data, and the legal and regulatory requirements for the use and storage of that same data and information. The National Institute of Standards and Technology (NIST) has produced a series of documents and publications designed to provide Federal Agencies guidance and best practices for these agency actions and activities with the relevant data and information. These publications are mostly found on NIST's security website at http://csrc.nist.gov and are openly available to all who are interested. There are many frameworks and guidelines available for organizational-level and corporate-level Risk Management. The available guides include COBIT 5, COSO, FAIR, ISO 31000, ISO 27000, and others. Many of these risk frameworks are industry specific, and further research for your industry should reveal which risk approach and framework are appropriate for your organization.
Our goal here is to let you know that there are many ways to address risk in an organization, with NIST providing the primary way within the US Government. To evaluate, examine, and assess risk, the assessor will need to know the organizational approach to risk and how these risks are mitigated, transferred, or otherwise treated.
The NIST approach to Risk Management is found in Special Publication (SP) 800-37, rev. 2, entitled “Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach to Security and Privacy.” This guide was published in December 2018 and was updated to include the federal requirements for continuous monitoring, revise the security engineering concepts, add a new step (Preparation) to the Risk Management Framework process, and incorporate Supply Chain Risk Management and Privacy into the risk considerations as well as the ongoing system authorizations. As defined by NIST, Risk Management is the process that enables IT managers and executives to make risk-based decisions on the security and assurance of the IT systems under their control. These decisions are the result of balancing the operational and economic costs of the protective components against the resultant gains in the organization’s mission capability from protecting and defending these various IT systems and the associated information, which support the organization’s missions. Risk is defined in SP 800-37, rev. 2 as a measure of the extent to which an entity is threatened by a potential circumstance or event, and a function of (a) the adverse impacts that would arise if the circumstance or event occurs and (b) the likelihood of occurrence.
Security Controls Evaluation, Testing, and Assessment Handbook. https://doi.org/10.1016/B978-0-12-818427-1.00002-1 Copyright © 2020 Elsevier Inc. All rights reserved.
Risk management
NIST opens up SP 800-37 with the following: “Organizations depend on information systems to carry out their missions and business functions. The success of the missions and business functions depends on protecting the confidentiality, integrity, availability of information processed, stored, and transmitted by those systems, and the privacy of individuals. Threats to information systems include equipment failure, environmental disruptions, human or machine errors, and purposeful attacks that are often sophisticated, disciplined, well organized, and well funded. When successful, attacks on information systems can result in serious or catastrophic damage to organizational operations and assets, individuals, other organizations, and the Nation. Therefore, it is imperative that organizations remain vigilant and that senior executives, leaders, and managers throughout the organization understand their responsibilities and are accountable for protecting organizational assets and for managing risk.”[1] Information systems can include, as constituent components, a range of diverse computing platforms from high-end supercomputers to personal computers, personal digital assistants, and cellular telephones. Information systems can also include very specialized systems and devices (e.g., telecommunications systems, industrial/process control systems (ICS), testing and calibration devices, weapons systems, command and control systems, and environmental control systems). Federal information and information systems are subject to serious threats that can have adverse impacts on organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation by compromising the confidentiality, integrity, or availability of information being processed, stored, or transmitted by those systems. Threats to information and information systems include environmental disruptions, human or machine errors, and purposeful attacks. Cyber-attacks on information systems today are often aggressive, disciplined, well-organized, well-funded, and, in a growing number of documented cases, very sophisticated. Successful attacks on public and private sector information systems can result in serious or grave damage to the national and economic security interests of the United States. Given the significant and growing danger of these threats, it is imperative that leaders at all levels of an organization understand their responsibilities for achieving adequate information security and for managing information system-related security risks.[2]
When NIST published SP 800-37, rev. 1 in early 2010, it changed the entire government’s approach to Risk and Risk Management. Prior to that point, Certification and Accreditation (C&A) had focused most efforts on a “snapshot” view of security as sufficient to ensure the security of IT systems, as referenced in the Federal Information Security Management Act (FISMA) and the Office of Management and Budget (OMB) guidance documents in use during the previous 8 years (FISMA) and 25 years (OMB A-130). This shift in the approach to security moved the viewpoint to focus on risks in an operating environment that is ever changing, ever evolving, fluid, and full of emerging threats.
[1] SP 800-37, rev. 2, December 2018, p. 1.
[2] SP 800-37, rev. 1, updated version June 2014, p. 1.
The goal of this Risk Management approach is to provide for mission accomplishment by the following: (1) better secure the IT systems, which store, process, or transmit organizational information; (2) enable management to make well-informed risk-based decisions to justify the expenditures that are part of an IT budget; and (3) assist management in authorizing the IT systems on the basis of the supporting documentation resulting from the performance of Risk Management. As part of the Risk Management process, NIST recommends that each organization review all risks at an organizational level, a business unit/department level, and at the IT system level. Managing these IT-related risks is a detailed, complex, multifaceted activity, which requires senior management support for the strategic and organizational goals for tolerating and treating risks, mid-level managers to plan for and conduct the projects, and then the operation of the systems that are core to the organization. NIST SP 800-39, “Managing Information Security Risk,” defines these three levels as Tier 1: Organizational Level, Tier 2: Mission and Business Process Level, and Tier 3: Information System Level of Risk Management. SP 800-39 goes further to define these three tiers as thus: (1) “Tier 1 addresses risk from an organizational perspective by establishing and implementing governance structures that are consistent with the strategic goals and objectives of organizations and the requirements defined by federal laws, directives, policies, regulations, standards, and missions/business functions.
Governance structures provide oversight for the Risk Management activities conducted by organizations and include (i) the establishment and implementation of a risk executive (function); (ii) the establishment of the organization’s Risk Management strategy including the determination of risk tolerance; and (iii) the development and execution of organization-wide investment strategies for information resources and information security.”[3] (2) “Tier 2 addresses risk from a mission/business process perspective by designing, developing, and implementing mission/business processes that support the missions/business functions defined at Tier 1. Organizational mission/business processes guide and inform the development of an enterprise architecture that provides a disciplined and structured methodology for managing the complexity of the organization’s information technology infrastructure. A key component of the enterprise architecture is the embedded information security architecture that provides a roadmap to ensure that mission/business process-driven information security requirements and protection needs are defined and allocated to appropriate organizational information systems and the environments in which those systems operate.”[4] (3) “All information systems, including operational systems, systems under development, and systems undergoing modification, are in some phase of the system development life cycle. In addition to the Risk Management activities carried out at Tier 1 and Tier 2 (e.g., reflecting the organization’s Risk Management strategy within the enterprise architecture and embedded information security architecture), Risk Management activities are also integrated into the system development life cycle of organizational information systems at Tier 3. The Risk Management activities at Tier 3 reflect the organization’s Risk Management strategy and any risk related to the cost, schedule, and performance requirements for individual information systems supporting the mission/business functions of organizations. Risk Management activities take place at every phase in the system development life cycle with the outputs at each phase having an effect on subsequent phases.”[5] So, when assessing risk and the security controls used to control it, an understanding of Risk Management within the organization is paramount to providing the right kind of assessment along with recommendations for risk mitigation.
[3] SP 800-39, March 2011, p. 11.
Risk assessments
Within the Risk construct that has been produced by NIST, there are major criteria for risk assessments at every point within the life cycle of the information system under review. NIST SP 800-39 states this as “the second component of Risk Management addresses how organizations assess risk within the context of the organizational risk frame. The purpose of the risk assessment component is to identify (i) threats to organizations (i.e., operations, assets, or individuals) or threats directed through organizations against other organizations or the Nation; (ii) vulnerabilities internal and external to organizations; (iii) the harm (i.e., consequences/impact) to organizations that may occur given the potential for threats exploiting vulnerabilities; and (iv) the likelihood that harm will occur. The end result is a determination of risk (i.e., the degree of harm and likelihood of harm occurring). To support the risk assessment component, organizations identify (i) the tools, techniques, and methodologies that are used to assess risk; (ii) the assumptions related to risk assessments; (iii) the constraints that may affect risk assessments; (iv) roles and responsibilities; (v) how risk assessment information is collected, processed, and communicated throughout organizations; (vi) how risk assessments are conducted within organizations; (vii) the frequency of risk assessments; and (viii) how threat information is obtained (i.e., sources and methods).”[6] There are many different ways to conduct risk assessments. The publisher of this book has several different books currently available on risk assessments and the methods for conducting them, so I will not attempt to add to that data. NIST has also produced a guide to conducting risk assessments, SP 800-30, rev. 1.
Security controls
CNSSI 4009, the US Government’s authoritative source of definitions within the security arena, defines security controls as “the management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information” and defines the assessment of these controls as “the testing and/or evaluation of the management, operational, and technical security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization.”[7] So understanding the controls and their functions is of utmost value to both the assessor and the organization. Within the Risk community, there are several catalogs of security controls available. We will be examining the controls in this book from the NIST SP 800-53 Control Catalog with its 18 areas of controls and from the ISO 27001 International Security Management catalog with its 11 areas of controls. Chapters 8 and 9 of this book delineate the controls, their requirements, and methods of assessment.
[4] SP 800-39, March 2011, p. 17.
[5] SP 800-39, March 2011, p. 21.
[6] SP 800-39, March 2011, p. 7.
[7] CNSSI-4009, April 2010, p. 65.
Privacy
Privacy has grown in consideration and attention in the last few years with several large-scale privacy data breaches and many smaller breaches of privacy information. SP 800-37, rev. 2 addresses this area of confidentiality by including privacy controls and privacy Risk Management considerations throughout the document. The introduction for SP 800-37, rev. 2 includes the following privacy focus: “In addition to the responsibility to protect organizational assets from the threats that exist in today’s environment, organizations have a responsibility to consider and manage the risks to individuals when information systems process personally identifiable information (PII). The information security and privacy programs implemented by organizations have complementary objectives with respect to managing the confidentiality, integrity, and availability of PII. While many privacy risks arise from unauthorized activities that lead to the loss of confidentiality, integrity, or availability of PII, other privacy risks result from authorized activities involving the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, or disposal of PII that enables an organization to meet its mission or business objectives. For example, organizations could fail to provide appropriate notice of PII processing depriving an individual of knowledge of such processing or an individual could be embarrassed or stigmatized by the authorized disclosure of PII. While managing privacy risk requires close coordination between information security and privacy programs due to the complementary nature of the programs’ objectives around the confidentiality, integrity, and availability of PII; privacy risks also raise distinct concerns that require specialized expertise and approaches. Therefore, it is critical that organizations also establish and maintain robust privacy programs to ensure compliance with applicable privacy requirements and to manage the risk to individuals associated with the processing of PII.”[8] In the next chapter we will look at the legal and regulatory frameworks for security and privacy and the assessment requirements for security and privacy controls.
[8] SP 800-37, rev. 2, December 2018, pp. 1-2.