Ask ten information security managers how they define and manage risk, and you'll get at least ten distinctly different answers. Many firms have their own unique ways of factoring risk into decision making, utilizing everything from detailed industry standards to informal spreadsheets.
But experts agree that effective information security risk management processes take time to develop, with even the most mature organizations constantly searching for the best way to come to grips with rapid changes in the threat landscape and the effect they have on the security of their products and services.

Performing risk assessments for every product that leaves the production line has been an evolving process at EMC Corp., where each product manager is required to provide metrics on quality and support requirements, residual risk and other factors that weigh heavily on strategic decisions at the company. Eric Baize, senior director in the office of strategy and technology at RSA, the Bedford, Mass.-based security division of EMC Corp., has company-wide responsibility for product security assurance. Baize said it has taken years to reach a level of maturity where risk-based decision making is a fundamental process.

"It's now very much ingrained into the fabric of our product organizations," Baize said. "These risk decisions are now easier to make, but it is not easy to get to that point."
A number of methodologies and best practices exist to help guide companies into making more calculated risk-based decisions. NIST provides a set of best practices that can be used as a guide for injecting risk into the decision making process. The NIST Risk Management Framework outlines steps organizations can take, from categorizing systems to assessing current security controls, to prioritizing and making changes based on impact analysis. The NIST framework begins with categorizing systems and the information they process according to the impact that a loss of confidentiality, integrity or availability would have on the organization. It then guides organizations into selecting appropriate security controls, implementing them and then assessing them, before the system is authorized to operate and its controls are monitored on an ongoing basis. Other frameworks take broader approaches, incorporating governance and compliance processes. The Committee of Sponsoring Organizations (COSO) Enterprise Risk Management Integrated Framework encompasses strategic goals and operational resources to meet reporting and compliance objectives. Meanwhile, the COBIT IT governance framework focuses on policy development and getting IT to effectively support business goals.
But even the best guides fail to factor in each organization's unique requirements, said Pete Lindstrom, research director at Malvern, Penn.-based Spire Security. Further complicating the problem is that far too many organizations are using multiple frameworks. Applying quantitative analysis can be tricky to introduce to different parts of an organization, Lindstrom said, because there are so many different factors that weigh into risk-based decisions.

"The idea is to evaluate the controls you're putting in place based on the likelihood the asset you're protecting will be impacted significantly by external or internal events," Lindstrom said. "Many organizations are generally not assessing things from the likelihood-of-impact perspective, which is a purer form of risk measurement."
Gary McGraw, CTO of Dulles, Va.-based Cigital Inc., whose Building Security In Maturity Model, or BSIMM, assesses the software security processes at more than 40 organizations, including Microsoft, Bank of America, Adobe Systems and Google, said documenting how organizations approach risk-based decision making is difficult, because risk is typically tied directly into business concerns.

"Some firms start out with a risk-based questionnaire to categorize or classify their products into different risk categories and then adjust their SDL according to their results," McGraw said. "Others have already categorized their high-risk applications and they'll put almost all their focus on them."
One issue with risk assessments is that a large number of organizations apply separate, disparate risk management approaches to specific project areas instead of taking a cohesive approach, Lindstrom said. To address the problem, ISACA, a nonprofit association of IT professionals, issued the Risk IT framework in 2009. Based on the COBIT IT governance framework, Risk IT aims to help organizations manage risks related to late project delivery, compliance and obsolete IT architecture. The organization said Risk IT brings together a variety of concepts and approaches, such as COSO ERM, ARMS and ISO 31000. The framework is intended to get executives and management to apply an enterprise-wide risk framework rather than applying risk assessments in incomplete, disconnected areas of the organization.
Gunter Bitz, senior manager of product security governance at SAP, said the German software vendor has for many years categorized projects based on risk metrics and other factors. SAP weaves a risk-based approach into each set of requirements for a project, Bitz said. The enterprise software maker also evaluates each product to determine which industry uses it and the threats posed to that industry. For example, an application developed for the defense industry would logically be considered a higher risk, he said. Product managers also think through the kind of activity an application manages to gain an understanding of the significance of the application.

"Many factors such as the industry and distribution in the market determine the amount of security investment and security testing for a given product," Bitz said.