Author name: Bruce

The DoD information system vulnerabilities are alerted with messages called Information Assurance Vulnerability Alerts (IAVA).  Vulnerabilities are evaluated to see what impact (if any) the might have and sent out by to all branches and units withing the organization.  This is done in accordance with DoDD 8500.1, Information Assurance directive. Implementation of security-related software patches directed through the DoD IAVA program shall not be delayed pending evaluation of changes that may result from the patches. — DoDI 8500.2 Compliance with DoD-directed solutions, such as USSTRATCOM Command Tasking Orders (CTOs), Information Assurance Vulnerability Alerts (IAVAs), and Information Operation Conditions (INFOCONs) shall be a management review item. — DoDI 8500.2 RSS widget Information assurance vulnerability alert are technical advisories, alerts and vulnerabilities of applications, operating systems, and servers identified by DoD Computer Emergency Response Team which is a division of the United States Cyber Command.     Information Assurance Vulnerability Management (IAVM) is the process of the getting the IAVAs out to all Combatant Commands/Services/Agencies/Field Activities (CC/S/A/FAs). Specifically, the IAVM process: Establishes positive control of the Department of Defense (DoD) Information Assurance Vulnerability Alert (IAVA) system Provides access to vulnerability notifications that require action Requires acknowledgement of action messages Requires compliance and reporting status Tracks compliance and reporting Conducts random compliance checks  

Risk management principles can be found in ISO 31000:2009,  Risk management – Principles and guidelines and its companion guides ISO Guide 73:2009, Risk management – Vocabulary with has a collection of definitions relevant to the management of risk.  ISO/IEC 31010:2009, Risk management – Risk assessment techniques focuses on risk. Other documents with risk management principles include NIST SP 800-39,  and NIST SP 800-30. The principle of risk management center around looking at corporate risk.  What is the risk to the bottom-line of the organization?  Whether the bottom-line is money, reputation, a mission, or process.  How will the organization address risk from the top down?  Risk is addressed at every level of the organization from the very top to the bottom.  NIST 800-39 breaks this all down in tiers. To address the actual risk and organization must be able to predict the likelihood of a harmful event (threat) adversely affecting an asset vulnerability. Risk = ((Vulnerability * Threat) / Countermeasure) * Asset Value at Risk IT Risk An organization uses a quantitative approach to analyzing and managing the risk to its resources.  To do this, they must identify the threat, the asset, the vulnerability and countermeasures (security controls) of the asset.  They must determine the level of impact that the organization would suffer if the harmful event occurs.  To determine all this they must do risk assessments.    

The National Information Assurance Partnership/Common Criteria Evaluation and Validation Scheme (NIAP/CCEVS) and DISA Field Security Operations (FSO) are pleased to announce the publication of the DoD Annex for NIAP Protection Profiles for mobile devices.  Mobile Device Fundamentals Protection Profile (MDFPP) is a document created through DISA/NIAP collaboration, addresses the DoD specificity to the NIST SP 800-53 controls identified in the MDFPP. As a result, the Annex in conjunction with the PP serves as a single specification, within the DoD, for security of Mobile Devices and supersedes the current DISA MOS SRG Version 1, Release 3. The publication of the Annex does not eliminate the DoD need for a product-specific Security Technical Implementation Guide (STIG); however, the results of the Common Criteria evaluation will be used to formulate a STIG. The benefit of this approach is that at the conclusion of a successful NIAP evaluation, a vendor’s product will be certified as meeting the requisite NIST SP 800-53 controls and the information needed for a STIG will be available. The DoD Annex for NIAP Protection Profiles for mobile devices, MDFPP, is located at http://iase.disa.mil/stigs/niap/index.html. The scope of the DoD Annex for NIAP Protection Profiles for mobile devices is applicable to all DoD-administered systems and all systems connected to DoD networks. According to the document: [DoD Annex for NIAP Protection Profiles for mobile devices] does not eliminate the DoD need for a product-specific Security Technical Implementation Guide (STIG); however, the results of the Common Criteria evaluation will be used to formulate a STIG. The benefit of this approach is that at the conclusion of a successful NIAP evaluation, a vendor’s product will be certified as meeting the requisite NIST SP 800-53 controls and the information needed for a STIG will be available Mobile Device Fundamentals Approved Protection Profiles   More one Assurance Technology

You should deal with business risk BEFORE disaster strikes. Business risk deal with negative impacts to an organizations bottom line.  If harm should strike exposed weaknesses, the business needs to know how they will deal with it and how do they adjust to the situation. A Business Impact Analysis (BIA) is sometimes done to identify the threats, vulnerabilities, assess, the likelihood of threats acting on identified weakness and the impact if they do.  DIARMF pulls for NIST and the NIST is robust enough to address address BIA / business risks.  The main documents dealing with business risks are 800-39, 800-30, and 800-34. NIST SP 800-39, Manage Information Security Risk deals with the process of business risks by way of explaining the risk management necessary for an organization. NIST SP 800-30, Guide for Conducted Risk Assessment describe the tasks and steps of business impact assessments: A Business Impact Analysis (BIA) identifies high-value assets and adverse impacts with respect to the loss of integrity or availability. DHS Federal Continuity Directive 2 provides guidance on BIAs at the organization and mission/business process levels of the risk management hierarchy, respectively. NIST Special Publication 800-34 provides guidance on BIAs at the information system level of the risk management hierarchy. One of the biggest business risks capture while doing business impact assessments is interruptions of service.  After all, if the business is not DOING business then mission, work and revenue stop.  So the business/organization and or department must have  a contingency plan.  NIST Special Publication 800-34, Contingency Planning Guide for Federal Information Systems covers what to do in case of interruptions. A contingency plan covers what to do in the event of service disruptions including procedures, and technical measures that can get systems back quickly for a while until the disruption passes.  NIST 800-34 covers information system contingency plans (ISCPs) who documents them and how. This is also a major part of the security controls addressed in 800-53/DIARMF.   ƒ

NIST SP 800-39, Manage Information Security Risk NIST SP 800-39 deals entirely with fixing the challenge of security risk in an organization.  Chapter 2 of 800-39 discusses the basics of security risk management & chapter 3 goes into the process of applying security risk management across and organization. The Fundamentals of Security Risk Management (Chapter 2, 800-39) The philosophy security risks and how to manage information security at multiple levels of an organization are discussed in Chpt 2 of NIST SP 800-39. The three layers of security risk are: Tier 1: Organization level Tier 2: Mission/Business Process level Tier 3: Information System level Tier 1: Organization Level security risk management Tier 1 addresses security risk from the organizations perspective. This include the implementation of the first component of security risk management which is called risk framing. In tier 1 or security risk management, the management of the organization establishes governance structure that are in compliance with laws, regulations and policies. Tier 1 activities include establishment of the Risk Executive Function, establishment of the risk management strategy and determination of the risk tolerance.   Security Risk framing provides context for all the security risk activities within an organization, which affects the risk tasks of tier 1 & 2. The result of risk framing is Security Risk Management Strategy. Security Risk Management Tier 2: Mission/Business Process  Tier 2 Security risk management tasks include: 1) defining the mission processes. 2) Prioritize the mission process with respect to the long term goals of the organization. 3) Define the type of information needed to successfully execute the mission/business processes, critical/sensitivity of the information and the information flows both internal and external of the information.   Tier 3: Information System Security Risk management From the information system perspective, tier 3 addresses the following tasks: Categorization of the information system Allocating the organizational security control Selection, implementation, assessment, authorization, and ongoing Chapter 3 focuses on the step to have a comprehensive security risk management program. The tasks discussed include: Risk Framing Risk Assessing Risk Response Risk Monitoring Risk Assessment NIST 800-30 goes into Risk Assessment process.  800-39 covers from a high level.  Risk assessment is threat & vulnerability identification and risk determination. Organizational risk framing is a prerequisite to risk assessments, because methods of risk assessment must be established by the contexts of the organizations risk. Risk Response Risk response identifies, evaluates, decides on, and implements appropriate courses of action to accept, avoid, mitigate, share, or transfer risk to organizational operations and assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems. Risk identification is key to risk response. Risk types include: Risk accept- is the appropriate risk response when the identified risk is within the organizational risk tolerance. Organizations can accept risk deemed to be low, moderate, or high depending on particular situations or conditions. Risk avoidance– Organizations may conduct certain types of activities or employ certain types of information technologies that result in risk that is unacceptable. In such situations, risk avoidance involves taking specific actions to eliminate the activities or technologies that are the basis for the risk or to revise or reposition these activities or technologies in the organizational mission/business processes to avoid the potential for unacceptable risk. Risk mitigation-adding management, technical, administrative safeguards to minimize identified risks to the system. Risk share & transfer- Risk sharing or risk transfer is the appropriate risk response when organizations desire and have the means to shift risk liability and responsibility to other organizations. Risk transfer shifts the entire risk responsibility or liability from one organization to another organization (e.g., using insurance to transfer risk from particular organizations to insurance companies). Risk Monitoring Risk changes with each modification of the system. It’s important to monitor the changes of the risk of a system. Changes to threats can also change risk.  This is where Continuous monitoring comes in.

I am looking for a decent risk management magazine online.  The first ones I found were  RM Risk Management Magazine (rmmagazine.com) from the Risk Management Society (rims.org) and RMProfessional (RMP).  RM is a little too broad since it included things like industrial, health, safety and insurance.  Similarly, RMProfessional (RMP) covers OTHER aspects of risk management. So for this site, our focus is security risk management.  While these are very serious risk management issues, I was hunting for a risk management magazine for Information Technology and Information Security. A more relevant SECURITY risk management magazine would be CSO Online (http://www.csoonline.com) which focuses on security risks.. not industrial, insurance and safety.  CSO covers security news, security jobs, data protetions, indentification & access, business continuity, security leadership and physical security.  I think that there name CSO is taken from Chief Security Officer. Of course if you are calling ALL security magazines “risk management magazine” then there are thousands.  But I would not say that and online hacker magazine like Phrack was a risk management mag, but you could get away with calling it security.  There are many others such as 2600, Hack9 then there are pentesting online magazines like Pentest Mag.  All of these focus on the “threat” side of the risk scale.  Where the risks come from? How the threat exploit the vulnerability, how effective is the threat, what happens when the threat is implemented.  All of these could qualify as information security related sites by but not really risk managements.  Why?  Because they are missing one major piece.. Management.    

Risk mitigation can only be done by first identifying the risk.  And risk identification can only be done by characterization of the assets, discovery of vulnerabilities of those assets and determination of threats and/or possible harm to that system. So risk mitigation is based on the results of risk assessments. Risk assessment is a 9 step process.   1)  System characterization – a system is an organization asset.  So the first step is to discover all the features of that system and understand why it is important. 2)  Threat Identification – risk is determined by the likelihood of a threat affecting the weakness of an asset.  To limit the risk (risk mitigation), a security practitioner must determine the possible threat, find the weakness and then come up with a way to protect that system. 3)  Vulnerability Identification – The security practitioner (information system security officer, information system security analyst, system security engineer etc) must find the weakness of a system. 4)  Security Control Analysis – The security control protecting the vulnerability is the actual risk mitigation.  Analysis is determining what is needed, when and how much it will cost. 5)  Likelihood determination – The importance of risk mitigation is directly proportionate to the likelihood of the threat impacting the organization and its assets vulnerabiltiy. 6)  Impact Analysis – The bottom line of risk is the impact that will occur if harm should come to an asset.  If the asset ceases to function, what happens to the organization?   That question should drive how and why risk is mitigated. 7)  Risk Determination / Risk Identification – Based on all the data gathered you can make a pretty good risk determination.  You should have defined the systems components and what data is important, made a pretty good conclusion on threat sources and likelihood of the vulnerability exploits and know exactly what kind of impact there will be if the system goes down. 8)  Control Recommendation – This is where the actual RISK MITIGATION comes in.  All data is gathered from the risk assessment and risk has been identified and evaluated.  Risk is mitigated by applying to correct security controls. 9)  Results Documentation – The mitigation of risk must be documented for future reference.  Sometimes it can only be mitigated later and documented in a Plan of Action and Milestone. Who does Mitigates the Risk: First of all, risk cannot always be mitigated.  In this cases it is documented in something called a Plan of Action and Milestone (POA&M).  And sometimes risk is simple accepted because there is just nothing that can be done.  The mitigation of risk is the responsibility of the system owner.  The system owner will sometime have a right hand adviser on matters of security, a Chief Security Officer who is not afraid to say NO and will always give the system owner (CIO) the facts no matter how gruesome.  The CSO (or equivalent) delegates risk mitigation (implementation of security controls) to security practitioners (DoD 8140 compliant professionals) who hopefully know what they are doing.  

Security Analysis and Risk Management Association (SARMA) is one of many risk management associations.  SARMA is a non-profit dedicated to security practitioners that are in the business of mitigating risks from man made threats. ISACA is another risk management association with over 100,000 constituents in 180 countries.  They are the creators and proprietors of Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM) and Certified in Risk and Information System Controls (CRISC) certifications.  They also created an Risk IT Framework. More than just a risk management association, the Information Systems Security Association (ISSA) is a non-profit international organization for information security practitioners an managers.  I have been a member of this organization, and it has LOTS of great people involved in it.  They have local chapters in most major cities in the U.S.  They are great at bringing security professionals together to solve common issues in the industry, barter skill sets, teach new skills, train for IT certifications and promote products and services that involve risk management and/or security. RIMS – Risk Management Society The Risk Management Society has a vision of becoming the global leading in all aspects of risk management.  A VERY tall order. As the preeminent organization dedicated to advancing the practice of risk management, RIMS, the risk management societyâ„¢, is a global not-for-profit organization representing more than 3,500 industrial, service, nonprofit, charitable and government entities throughout the world. Founded in 1950, RIMS brings networking, professional development and education opportunities to its membership of more than 11,000 risk management professionals who are located in more than 60 countries. For more information on RIMS, visit www.RIMS.org

Risk assessment table is usually a 2 dimensional matrix used to measure the likelihood of risk by matching vulnerability, assets, threats and/or impacts of threats to vulnerability of assets. A risk assessment table can be homemade.  Homemade might be best because the no one knows better than they organization the landscape within their information systems infrastructure, the threats associated or the importance of the assets should they get compromised.

If you are looking for a risk management guide there are several references text to choose from.  NIST SP 800-37, Risk Management Framework, ISO 31000:2009 Risk Management,  ISACA RISK IT Framework, and ITSG-33 are all pretty good risk management guides NIST SP 800-37,  Guide for Applying the Risk Management  The US federal government uses NIST SP 800-37.  The Defense Department uses DIARMF on which this site is based and DIARMF is based on NIST SP 800-37.  The document is comprehensive and branches in to several other documents:  NIST SP 800-39, Risk Management Security, NIST SP 800-30, Risk Assessment, NIST SP 800-53, Security controls and many others.  The NIST risk management guides were developed by National Institute of Standards and Technology (NIST) in collaboration with the Office of the Director of National Intelligence (ODNI), the Department of Defense (DOD), and the Committee on National Security Systems (CNSS). ISO 31000:2009 Risk Management Guide ISO 31000:2009, Risk Management is a practical guide designed for any organization.  Designed by the International Organization for Standardization (ISO) 31000: 2009 offers a robust open standard for risk management framework.   ISACA RISK IT Framework ISACA Risk IT Framework provides complete end to end guide for risk management of information technology addressing security threats exploiting asset vulnerabilities for corporations. ITSG – IT Security Risk Management guide Created by the Government of Canada’s, the ITSG is a IT Security Risk management guide ITSG-33 covers roles, responsibilities and activities of the Canadian risk management.