Chapter 2

Risk, Security, and Assurance

Abstract

The general principles of risk, security, and assurance are discussed. Criteria for actual system assurance are introduced and defined. Risk management, risk assessments, and security controls are all defined.

Keywords

risk management framework
risk assessment
security control

The US government has long maintained the need and the requirement to evaluate the IT systems operating on its networks and backbones and to ascertain that they were as secure as possible. Over the past 25 years, various organizations within the federal government have developed and operated under multiple methodologies to assure managers and executives that their IT systems were safe, secure, and trustworthy. This process began in the 1970s and 1980s in the US government Intelligence Community (IC) with the original directives for ensuring the confidentiality of systems and of the data retained in them.
There are many frameworks and guidelines available for organizational-level and corporate-level risk management, including COBIT 5, COSO, FAIR, ISO 31000, the ISO 27000 series, and others. Many of these risk frameworks are industry-specific, and further research for your industry should reveal which risk approach and framework are appropriate for your organization. Our goal here is to make clear that there are many ways to address risk in an organization, with NIST providing the primary way within the US government. To evaluate, examine, and assess risk, the assessor will need to know the organizational approach to risk and how those risks are mitigated, transferred, or otherwise treated.
The NIST approach to risk management is found in Special Publication (SP) 800-37, rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. This guide was published in February 2010 and updated in June 2014 to include the federal requirements for continuous monitoring and ongoing system authorization. As defined by NIST, risk management is the process that enables IT managers and executives to make risk-based decisions on the security and assurance of the IT systems under their control. These decisions result from balancing the operational and economic costs of the protective measures against the gains in mission capability achieved by protecting and defending the IT systems and the information that supports the organization’s missions. Risk is defined in SP 800-37, rev. 1 as a measure of the extent to which an entity is threatened by a potential circumstance or event, and a function of:
1. The adverse impacts that would arise if the circumstance or event occurs
2. The likelihood of occurrence

Risk management

NIST opens up SP 800-37 with the following: “Organizations depend on information technology and the information systems that are developed from that technology to successfully carry out their missions and business functions. Information systems can include as constituent components, a range of diverse computing platforms from high-end supercomputers to personal digital assistants and cellular telephones. Information systems can also include very specialized systems and devices (e.g., telecommunications systems, industrial/process control systems, testing and calibration devices, weapons systems, command and control systems, and environmental control systems). Federal information and information systems are subject to serious threats that can have adverse impacts on organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation by compromising the confidentiality, integrity, or availability of information being processed, stored, or transmitted by those systems. Threats to information and information systems include environmental disruptions, human or machine errors, and purposeful attacks. Cyber-attacks on information systems today are often aggressive, disciplined, well-organized, well-funded, and in a growing number of documented cases, very sophisticated. Successful attacks on public and private sector information systems can result in serious or grave damage to the national and economic security interests of the United States. Given the significant and growing danger of these threats, it is imperative that leaders at all levels of an organization understand their responsibilities for achieving adequate information security and for managing information system-related security risks.”1
When NIST published SP 800-37, rev. 1 in early 2010, it changed the entire government’s approach to risk and risk management. Before that point, certification and accreditation (C&A) had treated a “snapshot” view of security as sufficient to ensure the security of IT systems, as reflected in the FISMA and OMB guidance documents in use during the previous 8 years (FISMA) and 25 years (OMB Circular A-130). The new approach shifted the focus to risks in an operating environment that is ever changing, ever evolving, fluid, and full of emerging threats.
The goal of this risk management approach is to provide for mission accomplishment by:
1. Better securing the IT systems which store, process, or transmit organizational information
2. Enabling management to make well-informed risk-based decisions to justify the expenditures that are part of an IT budget
3. Assisting management in authorizing the IT systems on the basis of the supporting documentation resulting from the performance of risk management
As part of the risk management process, NIST recommends that each organization review risk at the organizational level, the business unit/department level, and the IT system level. Managing IT-related risk is a detailed, complex, multifaceted activity. It requires senior management to set and support the strategic and organizational goals for tolerating and treating risk, midlevel managers to plan for and conduct the projects, and operational staff to run the systems that are core to the organization. NIST SP 800-39, Managing Information Security Risk, defines these three levels as Tier 1 (organization level), Tier 2 (mission and business process level), and Tier 3 (information system level).
SP 800-39 goes further to define these three tiers as follows:
1. “Tier 1 addresses risk from an organizational perspective by establishing and implementing governance structures that are consistent with the strategic goals and objectives of organizations and the requirements defined by federal laws, directives, policies, regulations, standards, and missions/business functions. Governance structures provide oversight for the risk management activities conducted by organizations and include: (i) the establishment and implementation of a risk executive (function); (ii) the establishment of the organization’s risk management strategy including the determination of risk tolerance; and (iii) the development and execution of organization-wide investment strategies for information resources and information security.”2
2. “Tier 2 addresses risk from a mission/business process perspective by designing, developing, and implementing mission/business processes that support the missions/business functions defined at Tier 1. Organizational mission/business processes guide and inform the development of an enterprise architecture that provides a disciplined and structured methodology for managing the complexity of the organization’s information technology infrastructure. A key component of the enterprise architecture is the embedded information security architecture that provides a roadmap to ensure that mission/business process-driven information security requirements and protection needs are defined and allocated to appropriate organizational information systems and the environments in which those systems operate.”3
3. “All information systems, including operational systems, systems under development, and systems undergoing modification, are in some phase of the system development life cycle. In addition to the risk management activities carried out at Tier 1 and Tier 2 (e.g., reflecting the organization’s risk management strategy within the enterprise architecture and embedded information security architecture), risk management activities are also integrated into the system development life cycle of organizational information systems at Tier 3. The risk management activities at Tier 3 reflect the organization’s risk management strategy and any risk related to the cost, schedule, and performance requirements for individual information systems supporting the mission/business functions of organizations. Risk management activities take place at every phase in the system development life cycle with the outputs at each phase having an effect on subsequent phases.”4
So, to assess risk and the security controls used to treat it, the assessor must first understand how risk is managed within the organization; only then can the assessment, and the recommendations for risk mitigation that follow from it, be of the right kind for that organization.

Risk assessments

Within the risk construct produced by NIST, risk assessment is expected at every point in the life cycle of the information system under review. NIST SP 800-39 states this as follows: “The second component of risk management addresses how organizations assess risk within the context of the organizational risk frame. The purpose of the risk assessment component is to identify:
1. threats to organizations (i.e., operations, assets, or individuals) or threats directed through organizations against other organizations or the Nation;
2. vulnerabilities internal and external to organizations;
3. the harm (i.e., consequences/impact) to organizations that may occur given the potential for threats exploiting vulnerabilities; and
4. the likelihood that harm will occur. The end result is a determination of risk (i.e., the degree of harm and likelihood of harm occurring).
To support the risk assessment component, organizations identify:
1. the tools, techniques, and methodologies that are used to assess risk;
2. the assumptions related to risk assessments;
3. the constraints that may affect risk assessments;
4. roles and responsibilities;
5. how risk assessment information is collected, processed, and communicated throughout organizations;
6. how risk assessments are conducted within organizations;
7. the frequency of risk assessments; and
8. how threat information is obtained (i.e., sources and methods).”5
There are many different ways to conduct risk assessments. The publisher of this book has several books currently available on risk assessments and the methods for conducting them, so I will not attempt to add to that material here. NIST’s own guidance on the subject is SP 800-30, rev. 1, Guide for Conducting Risk Assessments.

Security controls

CNSSI 4009, the US government’s authoritative source of definitions within the security arena, defines security controls as: “The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information” and defines the assessment of these controls as: “The testing and/or evaluation of the management, operational, and technical security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization.”6
So understanding the controls and their functions is of utmost value to both the assessor and the organization. Within the risk community, several catalogs of security controls are available. In this book we examine the controls from the NIST SP 800-53 control catalog, with its 18 control families, and from the ISO 27001 international security management standard, with its 11 control areas. Chapters 8 and 9 delineate the controls, their requirements, and methods of assessment. Next we look at the legal and regulatory frameworks for security and the assessment requirements for security controls.