Risk Management In Information Technology


02 Nov 2017


In this graduation project, I reviewed the National Institute of Standards and Technology (NIST) publication on Information Technology risk management. General information about risk and risk management is also given. An example adopted from the Commonwealth of Virginia, Information Technology Risk Management Guideline of the Virginia Information Technologies Agency, is discussed to better present the implementation. Furthermore, the obtained results are presented and solutions are discussed.

1 INTRODUCTION

Computers are used in almost every field, even where it is least expected. That is why this age is called the era of Information Technology. Nowadays one cannot imagine a world without computers, because they are accurate, fast and can accomplish many tasks easily.

Information Technology (IT) is basically the use of computers and software to manage information. It is concerned with the development, management and use of computer-based information systems. IT plays an important role in sectors such as telecommunications, banking and business.

Every organization uses information technology. For example, e-mail helps employees, suppliers and customers communicate, and organizations use IT to improve the way they design and manage customer relationships.

Each organization has missions, and IT systems serve to accomplish these missions better.

Organizations may face obstacles during their processes that pose risks to their endeavors. Risk management plays a crucial role in protecting an organization's information assets; therefore IT security is an important part of the risk management process. IT experts must help their organization's management to recognize and manage the organization's uncertainties.

2 BASIC CONCEPTS OF RISK MANAGEMENT

2.1 WHAT IS RISK? WHAT IS RISK MANAGEMENT?

Risk is a danger that may turn into a disaster. A vulnerability without a hazard is not dangerous; it is when the two come together that they become a risk. Even so, risks can be reduced or managed. If we are careful about how we treat the environment, and if we are aware of our weaknesses and vulnerabilities to existing hazards, then we can take measures against hazards before they turn into disasters.

There are many definitions of risk, but here IT risks will be considered.

According to the National Institute of Standards and Technology, "Risk for information technology is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization." (1) For that reason, risk management is an important part of information technology: managing risk is not easy, and risk is strictly tied to uncertainty.

Risk management is about identifying, assessing and prioritizing risks of different kinds. Once the risks are identified, the risk manager creates a plan to eliminate or minimize the impact of negative events. Basic strategies for managing risk include avoiding the risk, reducing its negative effect, or even accepting some potential consequences of it.

http://upload.wikimedia.org/wikipedia/commons/2/2d/Risk_Management_Elements.jpg

Figure 1. Risk Management Elements

Considering Figure 1, first of all people should plan for risk by answering the what, when and how questions. They should establish a strategy by setting goals and objectives. Then risk needs to be identified and analyzed; risk identification activities are concerned with what the risks are. After that, risk should be mitigated, which is the prime purpose of risk handling. Lastly, it should be tracked and reported. The risk management process is a continuous process of tracking and evaluating risks.

When looking at risk management from the IT perspective, it is about protecting the confidentiality, integrity and availability of information. To protect this information, we need to understand and respond to the situations that may cause this objective to fail.

3 RISK ASSESSMENT OF INFORMATION TECHNOLOGY

There are two main approaches to risk assessment: quantitative and qualitative risk assessment.

Quantitative risk assessment assigns numerical values to both impact and likelihood. The quantitative measure of risk calculated by a statistical model is used to judge whether the risk is acceptable. This is the standard way of measuring risk in many fields, but it is not used to measure risk in information systems. (2) The two main reasons are the difficulty of identifying and assigning a value to assets, and the lack of statistical information that would make it possible to determine frequency.

Qualitative risk assessment describes the likelihood and the consequences descriptively rather than numerically. It is used in cases where it is difficult to express a numerical measure of risk. Qualitative risk assessments give risk results as "High", "Moderate" and "Low".

Considering Figure 2, event A has low values and its risk is acceptable. Event B is between the limits, and it is hard to make a decision. Event C is above the limits and is unacceptable; it needs measures to reduce the consequence and/or the probability/frequency.

Figure 2. Evaluation of Risk (axes: Frequency/Probability of occurrence against Consequence)

Qualitative risk assessment includes six steps: identification of threats, identification of vulnerabilities, control analysis, likelihood determination, impact determination and risk determination. This is the assessment used for information technology.

3.1 IDENTIFICATION OF THREATS

Threat: The potential for a threat-source to exploit a particular information system vulnerability and cause harm.

Threat-Source: According to the National Institute of Standards and Technology, a threat-source is either intent and method targeted at the intentional exploitation of a vulnerability, or a situation and method that may accidentally trigger a vulnerability. (1)

In this step, both the threat and the threat-source must be defined. Threats should include the threat-source to provide an exact assessment.

Some common threat-sources are:

• Natural Threats—floods, earthquakes, hurricanes

• Human Threats—threats caused by human beings, including both unintentional and deliberate actions (virus infection, unauthorized access)

• Environmental Threats—power failure, pollution, chemicals, water damage

Table 1. Human Threats (1)

Threat-Source: Hacker
Threat Actions: Hacking; Social engineering; System intrusion; Unauthorized system access

Threat-Source: Computer criminal
Threat Actions: Computer crime (e.g., cyber stalking); Fraudulent act (e.g., replay, impersonation, interception); Information bribery; Spoofing; System intrusion

Threat-Source: Terrorist
Threat Actions: Bomb/Terrorism; Information warfare; System attack (e.g., distributed denial of service); System penetration; System tampering

Threat-Source: Industrial espionage (companies, foreign governments, other government interests)
Threat Actions: Economic exploitation; Information theft; Intrusion on personal privacy; Social engineering; System penetration; Unauthorized system access

Threat-Source: Insiders (poorly trained, disgruntled, malicious, negligent, dishonest, or terminated employees)
Threat Actions: Assault on an employee; Blackmail; Browsing of proprietary information; Computer abuse; Fraud and theft; Information bribery; Input of falsified, corrupted data; Interception; Malicious code (e.g., virus, logic bomb, Trojan horse); Sale of personal information; System bugs; System intrusion; System sabotage; Unauthorized system access

These are estimates of some human threats. Using this identification, organizations may counter some attacks.

Threats should be recognized according to the environment. Information about natural threats, such as earthquakes and storms, is available. Many governments and organizations have identified common threats. Because there are so many threats, intrusion detection tools are becoming more widespread, and governments and organizations collect data on security events. In this way, organizations and governments improve their ability to identify threats. Sources of information include, but are not limited to, the following (1):

• Intelligence agencies (for example, the Federal Bureau of Investigation's National Infrastructure Protection Center)

• Federal Computer Incident Response Center (FedCIRC)

• Mass media, particularly Web-based resources such as SecurityFocus.com, SecurityWatch.com, SecurityPortal.com, and SANS.org.

3.2 IDENTIFICATION OF VULNERABILITIES

Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy. (1)

Because of vulnerabilities, businesses may lose money and reputation, and services may be disrupted. For information technology, security is a long-term process that needs continuous attention. A lack of technical precautions based on hardware and software, physical security weaknesses, or unaware users cause vulnerability. Therefore precautions should be reviewed at frequent intervals, the necessary corrections should be made, and operational staff should be trained on security issues.

Table 2 gives some examples of vulnerability/threat pairs (1):

Table 2. Vulnerability/Threat Pairs

Vulnerability: Terminated employees' system identifiers (ID) are not removed from the system
Threat: Terminated employees
Threat Action: Dialing into the company's network and accessing company proprietary data

Vulnerability: Company firewall allows inbound telnet, and guest ID is enabled on XYZ server
Threat: Unauthorized users (e.g., hackers, terminated employees, computer criminals, terrorists)
Threat Action: Using telnet to XYZ server and browsing system files with the guest ID

Vulnerability: The vendor has identified flaws in the security design of the system; however, new patches have not been applied to the system
Threat: Unauthorized users (e.g., hackers, disgruntled employees, computer criminals, terrorists)
Threat Action: Obtaining unauthorized access to sensitive system files based on known system vulnerabilities

Vulnerability: Data center uses water sprinklers to suppress fire; tarpaulins to protect hardware and equipment from water damage are not in place.
Threat: Fire, negligent persons
Threat Action: Water sprinklers being turned on in the data center.

These are some important vulnerability/threat pairs that should be considered, but we should not forget that new types of vulnerability may appear in the future.

3.3 CONTROL ANALYSIS

The aim of this step is to analyze the controls implemented in order to minimize the likelihood of an event that exercises a system vulnerability. This step should also consider whether a control is in place or only planned, and whether it is currently enforced.

There are two kinds of security controls: technical and nontechnical. Technical controls are computer software, hardware and firmware, such as identification and authentication mechanisms. Nontechnical controls are management and operational controls, such as security policies.

3.4 LIKELIHOOD DETERMINATION

The aim of this step is to assign a likelihood rating of high, moderate or low to each identified risk.

Table 3. Likelihood Definitions (1)

Likelihood: Definition

High: The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.

Medium: The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.

Low: The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.

In determining likelihood, the following factors should be considered:

• Nature of the vulnerability

• Capability and motivation of the threat-source

• Existence and effectiveness of current controls

3.5 IMPACT DETERMINATION

Impact analysis requires information about the processes performed. The impact level can be determined according to the loss of integrity, availability and confidentiality. Qualitative assessment uses the terms "high, medium and low". Quantitative assessment can include an estimate of the frequency of occurrence, the cost of repair, and an assumed damage factor.

The following list briefly explains the three kinds of loss that determine impact:

Loss of Integrity: System and data integrity need to be protected from inappropriate modification. Unauthorized changes to an IT system cause loss of integrity. If such changes are not corrected, the corrupted data may lead to inaccuracy and wrong decisions.

Loss of Availability: Availability means timely and reliable access to and use of information. A loss of availability is the disruption of that timely and reliable access or use. Availability of the network is very important for anyone whose business or education relies on a network connection.

Loss of Confidentiality: System and data confidentiality is very important and must be protected from unauthorized disclosure. If confidential information is disclosed, it may even become a national threat.

Table 4. Magnitude of Impact Definitions (1)

Impact: Definition

High: Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization's mission, reputation, or interest; or (3) may result in human death or serious injury.

Medium: Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization's mission, reputation, or interest; or (3) may result in human injury.

Low: Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources or (2) may noticeably affect an organization's mission, reputation, or interest.

3.6 RISK DETERMINATION

The aim of this step is to determine the level of risk, which is a combination of the likelihood and the impact of an occurrence.

Table 5 is a sample risk determination matrix showing overall risk ratings. Risk levels may be subjective; the reason can be explained in terms of the probability assigned to each threat likelihood level and the value assigned to each impact level. For example (1):

• The probability assigned to each threat likelihood level is 1.0 for High, 0.5 for Medium and 0.1 for Low.

• The value assigned to each impact level is 100 for High, 50 for Medium and 10 for Low.

Multiplying the threat likelihood by the threat impact gives the risk rating.

Table 5. Sample Risk Determination Matrix

Likelihood        Impact: Low (10)         Impact: Moderate (50)
High (1.0)        Low: 10 x 1.0 = 10       Moderate: 50 x 1.0 = 50
Moderate (0.5)    Low: 10 x 0.5 = 5        Moderate: 50 x 0.5 = 25
Low (0.1)         Low: 10 x 0.1 = 1        Moderate: 50 x 0.1 = 5

High: If the calculated risk is high, there is a strong need for corrective measures. The system may continue to operate, but there must be a plan to correct the problem.

Moderate: If the calculated risk is moderate, corrective actions are needed and a plan must be developed within a reasonable period of time.

Low: If the calculated risk is low, the system's authorizing official, who is responsible for determining whether the risk is acceptable, must decide whether corrective actions are needed or whether to accept the risk.
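To make the arithmetic of Table 5 and the rating rules above concrete, here is an added Python example (not code from the essay, from NIST or from VITA). It computes the likelihood x impact product for every cell of the full 3x3 matrix, maps each product back to High/Moderate/Low, and applies the same calculation to the two BFS risks of the case study in Section 5. The 1.0/0.5/0.1 probabilities and 100/50/10 impact values are those quoted in the text; the thresholds that turn a product into a rating (Low 1 to 10, Moderate above 10 to 50, High above 50 to 100) are NIST SP 800-30's risk scale, which this page does not reproduce, so they are an assumption of the example.

```python
"""Risk determination as likelihood x impact, following the NIST SP 800-30 scheme
described in Section 3.6.

Added example (not code from the essay, NIST or VITA). The likelihood
probabilities (1.0 / 0.5 / 0.1) and impact values (100 / 50 / 10) are the ones
quoted in the text. The thresholds that turn a product back into a rating
(Low 1-10, Moderate >10-50, High >50-100) come from NIST SP 800-30's risk
scale and are not printed on this page, so they are an assumption here.
"""
from dataclasses import dataclass
from itertools import product

LIKELIHOOD = {"High": 1.0, "Moderate": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Moderate": 50, "Low": 10}

# The text uses "Medium" and "Moderate" interchangeably; accept both spellings.
ALIASES = {"Medium": "Moderate"}


def normalize(level: str) -> str:
    level = level.strip().capitalize()
    return ALIASES.get(level, level)


def risk_score(likelihood: str, impact: str) -> float:
    """Risk = likelihood probability x impact value (the product shown in Table 5)."""
    return LIKELIHOOD[normalize(likelihood)] * IMPACT[normalize(impact)]


def risk_rating(score: float) -> str:
    """Map a score onto the High/Moderate/Low scale (assumed NIST thresholds)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Moderate"
    return "Low"


# Required response per rating, paraphrased from the text that follows Table 5.
ACTION = {
    "High": "corrective measures required; a plan to correct the problem must exist",
    "Moderate": "corrective actions needed; plan within a reasonable period of time",
    "Low": "authorizing official decides: correct or accept the risk",
}


def risk_matrix() -> dict:
    """Full 3x3 matrix keyed by (likelihood, impact); Table 5 shows two of the columns."""
    return {(l, i): risk_score(l, i) for l, i in product(LIKELIHOOD, IMPACT)}


@dataclass
class Risk:
    number: int
    summary: str
    likelihood: str
    impact: str

    def score(self) -> float:
        return risk_score(self.likelihood, self.impact)

    def rating(self) -> str:
        return risk_rating(self.score())


# Constructed register mirroring the two BFS risks of the case study (Table 9).
BFS_RISKS = [
    Risk(1, "Fire activates sprinklers; water damage compromises BFS availability",
         "Moderate", "High"),
    Risk(2, "Unauthorized use of unneeded user IDs compromises BFS data",
         "Moderate", "High"),
]


def rank_risks(risks):
    """Highest score first, so the register reads as a prioritised action list."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def format_register(risks) -> str:
    rows = []
    for r in rank_risks(risks):
        rows.append(f"{r.number}  {r.likelihood:<8} x {r.impact:<8} = {r.score():5.1f}"
                    f"  {r.rating():<8}  {ACTION[r.rating()]}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(format_register(BFS_RISKS))
```

Running the script prints a ranked register. A moderate likelihood with a high impact scores 0.5 x 100 = 50, which falls in the Moderate band under the assumed thresholds, matching the overall rating BFA reached for both BFS risks in Section 5.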

4 HOW IS RISK MANAGED?

The four main strategies for managing risk are mitigation, transference, acceptance and avoidance. A risk management strategy minimizes risk and helps to reduce its negative effect or probability. Cost is important for organizations, so the risk management strategy is tied to it, and basic steps must be determined to carry out the strategy.

4.1 MITIGATION

Mitigation attempts to reduce the impact of vulnerability exploitation through planning and preparation, because eliminating all risk is impractical and close to impossible. It is the responsibility of senior management and of functional and business managers. Installing a patch is a very useful mitigation; installing antivirus software, educating users about possible threats, monitoring network traffic and adding a firewall are also risk mitigation measures.

4.2 TRANSFERENCE

Transference is the process of shifting risk to other assets or organizations. Most people use transference in their lives, but it is not useful for IT systems. For example, insurance transfers risk from a person to the insurance firm. However, that does not reduce the likelihood; it decreases the impact on the organization.

4.3 ACCEPTANCE

Acceptance of risk means doing nothing to protect against a vulnerability and accepting the outcome of its exploitation. In other words, it is being fully aware that the risk exists and doing nothing. Low risks can be acceptable. Managers may accept some high risks, but sometimes this causes problems that IT staff then have to handle.

4.4 AVOIDANCE

Avoidance means preventing the exploitation of the vulnerability. In other words, risk is avoided when the individual refuses to accept it; for example, not flying in order to avoid the risk of an airplane crash. Another example: a university website was found to let students' pictures, IDs and grades be viewed. On detecting this risk, the university removed the page and built a new web page.

5 EXAMPLE

This example is taken from the Virginia Information Technologies Agency (VITA). Its aim is to help each Commonwealth of Virginia (COV) agency analyze the risks of its IT systems and protect COV's resources in support of its mission. The risk assessment methods applied follow National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30, "Risk Management Guide for Information Technology Systems". The example is an Information Technology risk assessment for the Budget Formulation System (BFS). COV's Budget Formulation Agency (BFA) carried out the risk assessment for BFS to satisfy the Information Technology Risk Management Standard SEC501-01. BFA repeats the risk assessment every 3 years or whenever there is a major change to the system. This example was done in July 2007.

Figure 3. IT System Boundary Diagram(3)


Figure 3 shows the system and network architecture, including all components of the system. BFS and the Budget Consolidation System connect to a switch, which leads to the data center router and through the data center firewall; over the agency's internal IP network, clients and the system administrator reach the system.

In order to show the implementation of the methodology studied in this project, a case study run by the Commonwealth of Virginia's Budget Formulation Agency is presented in detail.

Identification of vulnerabilities

A vulnerability is a flaw or weakness in the system. In this example, staff of the Commonwealth of Virginia (COV) Budget Formulation Agency (BFA) identified vulnerabilities in their Budget Formulation System (BFS) by interviewing the BFS system owner, data owner and operational and technical support personnel, by using the automated ITRSK tool, and by reviewing the vulnerabilities from the previous BFS risk assessment. The interviews help to recognize the basic vulnerabilities in the system, and the automated ITRSK tool was also useful for identifying vulnerabilities. Handling vulnerabilities is not easy; it is a process, so reviewing the previous assessment's vulnerabilities is very useful, because the same vulnerabilities may recur and the review may help to anticipate future vulnerabilities of the system.

Identification of threats

If an existing vulnerability can be exploited, it leads to a threat. In this example, threats were identified by using the automated ITRSK tool, by interviewing the BFS system owner, data owner and system administrators about existing threats to BFS, and by reviewing the previous BFS risk assessment and analyzing the effect of the BFS threats on the environment.

Table 6 lists some threats to BFS:

Table 6. Credible Threats (3)

Credible Threats Identified for the BFS:

• Air Conditioning Failure
• Aircraft Accident
• Biological Contamination
• Blackmail
• Bomb Threats
• Chemical Spills
• Communication Failure
• Computer Crime
• Cyber-Terrorism
• Earthquakes
• Fire (Major or Minor)
• Flooding/Water Damage
• Fraud/Embezzlement
• Human Error
• Loss of Key Personnel
• Malicious Use

Looking at them, we can see all three types of threat: human, natural and environmental.

Vulnerability/threat pairs cause risks. In this example, BFA also summarizes some risks by combining these pairs. For example, according to the Budget Formulation Agency, identifiers of terminated BFS users were not removed from BFS, and their unauthorized use would compromise the confidentiality and integrity of BFS data. Another example: in a fire, the wet-pipe sprinkler system would activate and the BFS data center would no longer be available.
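The first vulnerability/threat pair in Table 2 and the first BFS risk above (terminated users' IDs not removed from the system) are the kind of condition that can be checked mechanically as part of control analysis. The following Python script is an added example, not part of the essay or of VITA's assessment: it reconciles a constructed HR separation feed against a constructed account export from the system under assessment, flags separated users whose accounts are still enabled or who logged in after their separation date, and lists enabled accounts with no HR owner, such as the guest ID in Table 2's second pair. The CSV layouts, user names and dates are assumptions made for the illustration.

```python
"""Checking the vulnerability/threat pair from Table 2 and the BFS case study:
user IDs of terminated employees that are not removed from the system.

Added example; not part of the essay or of VITA's assessment. The HR
separation feed and the account export below are constructed sample data in
an assumed CSV layout (employee_id,user_id,separation_date and
user_id,status,last_login); a real check would read the same two files from
the HR system and from the system being assessed.
"""
import csv
import io
from datetime import date, timedelta

# Constructed HR feed: an empty separation_date means the person is still employed.
HR_CSV = """employee_id,user_id,separation_date
1001,jsmith,2007-06-15
1002,mjones,2007-07-01
1003,rlee,
"""

# Constructed account export from the system under assessment (assessment date 2007-07-15).
ACCOUNTS_CSV = """user_id,status,last_login
jsmith,active,2007-06-30
mjones,disabled,2007-06-28
rlee,active,2007-07-10
guest,active,2007-07-11
"""


def parse_date(text):
    return date.fromisoformat(text) if text else None


def parse_hr(text):
    """user_id -> separation date (None while still employed)."""
    return {row["user_id"]: parse_date(row["separation_date"])
            for row in csv.DictReader(io.StringIO(text))}


def parse_accounts(text):
    """user_id -> (status, last_login date or None)."""
    return {row["user_id"]: (row["status"], parse_date(row["last_login"]))
            for row in csv.DictReader(io.StringIO(text))}


def find_stale_ids(hr, accounts, as_of, grace_days=1):
    """Findings for separated users: an account still enabled after the grace
    period, and any login recorded after the separation date (the threat action
    from Table 2 actually occurring)."""
    findings = []
    for user_id, separated in hr.items():
        if separated is None or user_id not in accounts:
            continue
        status, last_login = accounts[user_id]
        if status == "active" and as_of - separated > timedelta(days=grace_days):
            findings.append((user_id, "still enabled", (as_of - separated).days))
        if last_login is not None and last_login > separated:
            findings.append((user_id, "login after separation", (last_login - separated).days))
    return findings


def orphan_accounts(hr, accounts):
    """Enabled accounts with no owner in HR, e.g. the guest ID in Table 2's second pair."""
    return sorted(u for u, (status, _) in accounts.items()
                  if status == "active" and u not in hr)


def run_check(hr_text=HR_CSV, accounts_text=ACCOUNTS_CSV, as_of=date(2007, 7, 15)):
    hr, accounts = parse_hr(hr_text), parse_accounts(accounts_text)
    return {"stale": find_stale_ids(hr, accounts, as_of),
            "orphans": orphan_accounts(hr, accounts)}


if __name__ == "__main__":
    result = run_check()
    for user_id, issue, days in result["stale"]:
        print(f"{user_id}: {issue} ({days} days)")
    print("enabled accounts with no HR owner:", ", ".join(result["orphans"]))
```

The two findings map directly onto the assessment steps: "still enabled" is evidence that the account-removal control is not enforced (control analysis), and "login after separation" is the threat action itself, which raises the likelihood rating rather than merely the existence of the vulnerability. The orphan list catches shared or generic IDs that an HR-based reconciliation alone would never expire.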

Control analysis

For the control analysis, we need to determine whether each control is in place or planned. In this example, IT security controls are both planned and in place for the BFS system. BFA prepared a table for this part of the risk assessment, consisting of the control area, whether the control is in place or planned, and a description of the control. One example: the control area is IT security roles and responsibilities; it is in place, and it requires written IT security roles for BFS and BFA. Another example: the control area is risk assessment. It is in place because this report is the risk assessment of BFS in July 2007, building on the previous BFS risk assessment of July 2004, and it is planned that BFA will review the current risk assessment in July 2008 and July 2009.

Likelihood determination

Likelihood ratings are low, moderate and high. In this example, BFA defines the likelihood rating for each BFS risk. Considering the fire risk, a fire would activate the sprinkler system and damage BFS. There is no control against the water damage, so the effectiveness of controls is low, but the possibility of a fire in the data center is also low. Looking at these factors, the likelihood rating is moderate, because the threat-source is motivated and capable, but controls are in place that may impede exploitation of the vulnerability.

Another example is unauthorized use of BFS data. Closing user accounts alone would not be the solution, so the effectiveness of controls is low. Learning a user ID and password is a low risk, so threat-source capability is low. Moreover, the likelihood of physical access to the building is low because of its protection. Looking at these factors, the likelihood rating is moderate.

Impact determination

Impact is rated as high, moderate or low. These ratings are used to evaluate the impact of each BFS risk on BFA.

Table 7 gives the risk impact rating definitions of the Commonwealth of Virginia:

Table 7. Risk Impact Rating Definitions (3)

Magnitude of Impact: High, Moderate, Low

At BFA, looking at the fire risk, a fire would activate the sprinkler system and damage BFS, making BFS unavailable. This is the impact of the risk, and it is rated as high; it is a loss of availability.

Unauthorized use of user IDs would cause unauthorized modification or disclosure of BFS data, and the impact is rated as high. Unauthorized use of IDs brings loss of confidentiality and integrity with it.

Risk determination

Risk determination combines the likelihood and the impact of a risk; the risk rating depends on these two factors. We have the impact and likelihood of some examples, so we can derive their risk ratings. For the risk that fire activates the sprinkler system and damages BFS, the likelihood rating was moderate and the impact rating was high, so the risk rating is moderate. For the unauthorized-use example, the likelihood rating was likewise moderate and the impact rating high, so the risk rating is again moderate.

BFA gives recommendations for some of the identified risks in the system:

Table 8. Recommendations (3)

Risk No. | Risk Summary | Risk Rating
1 | Fire would activate sprinkler system causing water damage & compromising the availability of BFS. | Moderate
2 | Unauthorized use of unneeded user IDs could compromise confidentiality & integrity of BFS data. | Moderate
3 | Unauthorized access via ad-hoc privileges could compromise confidentiality & integrity of BFS data. | Moderate
4 | Loss or theft of USB drives could result in compromise of confidentiality of BFS data. | High

In the case study, each step of the risk management methodology was applied successfully. Threats and vulnerabilities were identified well; then controls were assessed and likelihood and impact were determined. Combining these, the risks of the system were recognized. Some examples appear in the following risk assessment matrix:

Table 9. Risk Assessment Matrix (3)

Risk No.: 1
Vulnerability: Wet-pipe sprinkler system in BFS Data Center.
Threat: Fire
Risk: Compromise of BFS availability.
Risk Summary: Fire would activate sprinkler system causing water damage & compromising the availability of BFS.
Risk Likelihood Rating: Moderate
Risk Impact Rating: High
Overall Risk Rating: Moderate

Risk No.: 2
Vulnerability: BFS user identifiers (IDs) no longer required are not removed from BFS in timely manner.
Threat: Unauthorized Use
Risk: Compromise of confidentiality & integrity of BFS data.
Risk Summary: Unauthorized use of unneeded user IDs could compromise confidentiality & integrity of BFS data.
Risk Likelihood Rating: Moderate
Risk Impact Rating: High
Overall Risk Rating: Moderate

This report helps senior management understand the deficiencies of their systems; with this methodology they can use resources effectively, and they also have the chance to correct errors and decrease potential losses.

6 CONCLUSION

Risks should be evaluated and managed effectively for IT systems. Some project managers do not consider the risks of a project, and this leads to project failure. Risk management requires examining risks well, because organizations do not want to waste time or personnel and do not want to face unexpected costs. Applying risk assessment methodologies to projects helps to take precautions against possible damage to an organization's systems.

Herein, I studied risk management methodologies for Information Technology system projects. In order to present the implementation of risk management for IT systems, a case study presented in the Information Technology Risk Management Guideline of the Virginia Information Technologies Agency (VITA) has been studied. The main problems mentioned in this example are unauthorized use of and access to data, fire, and malicious use and computer crime. They tried to understand the risks to their system and tried to handle these problems by identifying them. Risk assessment is a systematic tool for identifying security weaknesses and calculating risk. I can also say that they applied this methodology successfully, because they followed all the steps of risk management carefully. In this context, my graduation project includes:

• Defining risk and risk management

• Defining risk assessment methodologies

• Threat Identification

• Vulnerability Identification

• Control Analysis

• Determination of Likelihood

• Determination of Impact

• Determination of Risk

• How risk is managed

• Example of Risk Management

To sum up, I tried to explain the risk management steps and then studied an example in order to understand every step of this risk management graduation project successfully.


