Cybersecurity risk management

APA 7th edition format 


Cybersecurity Risk management 

step by step 

You’ve been hired to work within the United States Cyber Attack Response and Strategy (CARS) Unit, an arm of the Pentagon that defends against newly reported or anticipated cyber threats, thwarts future attacks, and executes counter-offenses. In your new role, you may be asked to coordinate with or lend assistance to other government agencies (e.g., DHS, the White House) and/or private companies to improve their cybersecurity posture.

After a few months in your new position, you and the rest of your team are called into a special briefing. Commander Karen Garrett discloses that a well-known adversary is expected to step up cyber-targeting of critical industries and government agencies during the early hours of the following morning.


Commander Garrett announces, “As you know, we shift priorities rather quickly at CARS. It’s key in this instance to defend forward. Starting today, I am launching a new mission, Operation Aquarius.” She nods to you: “You will be working through DHS in helping critical industries become aware of the constantly changing threat landscape posed by this and other adversaries.”

She continues: “As you may know, DHS has identified 16 critical infrastructure sectors. Although you may be asked to help with a company in any of these sectors, for your first assignment, you will choose one based on your expertise and interest. You will be helping that company assess its current cybersecurity risk and determine ways to improve its posture. For maximum impact, I would like you to focus on one or two of the company’s business-critical IT systems.

“I will send further instructions soon. I’ll notify you should we receive additional intelligence on the adversary’s actions. That’s all for now.”

As she leaves the briefing room and everyone begins murmuring about next steps, you consider the value of your profession and hope this assessment can help inform and defend critical infrastructure across the nation.

Step 1

Commander Garrett has directed you to select an organization in the critical infrastructure sectors. Choose a company or organization that has publicly available information sufficient to support a reasonable risk assessment based on your interests and background. Do not use insider or proprietary information: All the information you collect must be readily available for anyone to access.

You will describe in your proposal how you intend to collect your information. Before you focus on an organization, you first need to get a good footing on a formal risk assessment methodology and how to apply that methodology to an organization’s IT assets.

The National Institute of Standards and Technology (NIST) is a United States federal agency that provides standards for industries in science and technology. NIST is a key resource used by your organization. Because you will be following NIST’s risk assessment methodology to create your risk assessment report, you must understand the different steps that make up a risk assessment, including evaluating the likelihood of a specific threat manifesting into an attack or intrusion and the impact of that event.

Critical Infrastructure Sectors

· Overview
· Chemical Sector
· Commercial Facilities Sector
· Communications Sector
· Critical Manufacturing Sector
· Dams Sector
· Defense Industrial Base Sector
· Emergency Services Sector
· Energy Sector
· Financial Services Sector
· Food and Agriculture Sector
· Government Facilities Sector
· Healthcare and Public Health Sector
· Information Technology Sector
· Nuclear Reactors, Materials, and Waste Sector
· Transportation Systems Sector
· Water and Wastewater Systems Sector

Step 2

By understanding and qualitatively capturing the impact of all threats an organization faces, you are assessing its risk exposure. You may first need to get a good feel for a few basic cybersecurity concepts and terms: Confidentiality, Integrity, and Availability (CIA): The Security Triad, and Threats, Attacks, and Vulnerabilities.

In the next step, you’ll review an example of the NIST risk assessment methodology in practice.

Commander Garrett provides a template for this risk assessment methodology. Please familiarize yourself with this template and the methodologies it uses.

· Risk Assessment Report Template

Step 3

You are now ready to focus on an enterprise/company in a critical industry. Choose one or two of the company’s business-critical IT systems as the focus of your assessment. You might want to brush up on your knowledge of IT (Information Systems and Data) assets.

Information Technology (IT) Assets

The term security in its most basic sense means the protection of assets from harm. Assets are anything of value, including physical, tangible items such as buildings, people, and the items they use, and intangible assets, such as information or knowledge. In the computer security realm, most organizations divide the overall practice of security into two categories: physical security and information security.

An information technology (IT) asset is any system resource that needs to be protected in order for an organization to meet its information security objectives and goals. IT assets include the computer hardware, software, communication systems, and data critical to business operations. Further, IT assets include the facilities that house system operations and equipment, and the policy and procedure documentation. 

The assets of a computer system can be categorized as follows:

· Hardware, which is the system equipment such as computer systems and other data processing, data storage, and data communications devices.

· Software, including the operating system, firmware, middleware, database management system, system utilities, and applications.

· Data contained in an information system, including files and databases, or in a service provided by a system, or system capability. Data can also refer to the operation of a system, e.g., security-related data like password files, data required for efficient routing in a network, and performance data.

· Communication facilities and networks, including local and wide area network communication links, bridges, routers, etc.

After you’ve chosen an enterprise and determined which of its critical systems you will focus on, begin your search for relevant information to include in your proposal. Examples of relevant information include

· enterprise and purpose (i.e., the nature of its business),

· IT systems you’ve chosen to assess,

· management or basic organization structure of organizations within your company, and

· identification of relevant aspects of the company’s computing and network infrastructure.

Note: Do not try to access unpublished information through social engineering or through attempted cyberattacks or intrusion attempts.

Step 4

Begin Writing Your Annotated Bibliography

Begin by compiling a set of resources, carefully documenting the significance of each one and noting how it might be useful in the context of the work ahead of you. Use the template and NIST materials to guide your efforts. You will submit this document, called an annotated bibliography, with the proposal in the next step.

In this step, you will develop and submit your proposal and annotated bibliography for review and approval.

The project proposal should be a one-and-a-half-page (double-spaced) description of the company you propose to analyze, with a summary of the scope (IT systems associated with this company, and the assets impacted) of the risk assessment you are expected to conduct. The proposal should identify the subject company with a brief explanation of why you chose the subject for this assignment.

An important step in developing your risk assessment report will be the construction of an annotated bibliography. Having developed and described a subject company and scope of analysis in the proposal, the next step is to identify and assess the value of potential research material. You should identify five or six significant articles relevant to your subject company (or the industry sector of the company), identifying and assessing risks in a context similar to the scope of your report.

For a report of this nature, you may expect to find useful sources in both business-focused (e.g., Business Source Premier, Business and Company Resource Center, ABI/INFORM) and technically focused databases (e.g., ACM Digital Library, IEEE, Gartner.com, NIST, ISO). The annotated bibliography will consist of 100 to 150 words per article describing the main ideas of the article, a discussion of the usefulness of such an article in understanding various aspects of your report, and other comments you might have after reading the article. For each article, there should be a complete reference in APA format.

Once approved, your annotated bibliography will form the basis of the sources for your report. You may also add materials as you develop your report.

Step 6: Identify Vulnerabilities and Threats in Your Subject Company

Share your observations thus far with your colleagues. Note the company you have selected and provide insight to the vulnerabilities you have detected. Based on what you’ve learned about your chosen company, its field, and the assets you have chosen to focus on, post the following:

· at least one vulnerability (i.e., weakness) in each asset; 

· possible threats; and  

· the business functions impacted by the threats if realized, and in what ways (e.g., availability of a key database, confidentiality of a customer data). 

Step 7

Risk assessment is a top-down approach. The process of creating a detailed or formal risk assessment is as follows:

1. Identify assets.

2. Determine threats and vulnerabilities for each asset.

3. Estimate likelihood of a threat exploiting a vulnerability resulting in an attack.

4. Estimate the impact (individually and collectively) if each attack were to occur.

5. Derive overall (qualitative) risk rating for each asset.

6. Survey applicable controls and their costs to prevent the attack and choose the controls.

You will use a scale of 1 to 3 (low, medium, and high, respectively) for likelihood, impact, and risk. Review risk analysis, security control, and security plans, and the provided template, for an overview of the process. NIST Special Publication 800-53, Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations, specifies NIST’s approach to applying security measures.

Security controls, as you may know, are not standalone countermeasures. They are put in place using two related architecture concepts:

· layering
· defense-in-depth

Step 8: Devise a Security Plan

You receive an email with directives from Commander Garrett.

Email

From: Commander Karen Garrett

Subject: Switch Gears to Security Controls

Thank you for the risk assessment and for identifying key controls that are missing. Now, I need you to shift your focus to developing a security plan.

A security plan identifies and organizes the security activities of an enterprise. The plan is a description of where the enterprise is on meeting its information security needs, where it should be, and a clear course of action to get there. The security plan also includes prioritization of risks and controls of each asset, a description of resources (human, capital, etc.) needed to implement the controls, and a schedule.

The security plan should:

· Describe risk analysis methodologies and techniques, specifically from NIST.

· Apply a risk methodology and techniques to selected businesses or systems in the organization.

· Propose a realistic security plan to fix vulnerabilities and/or apply controls (technical, management, and operational) to minimize the risk exposure.

· Explain the risk analysis outcome and the actions to be taken, to secure buy-in and a path forward.

Please also begin thinking about ways to present this information to the leadership team, as I expect we will be asked to do so in the near future. I’ll keep you posted on that.

I appreciate your efforts in creating a well-designed plan.

Commander Garrett

Step 9: Develop Your Risk Assessment Report

As a cyber warrior, it is your responsibility to report honestly about potential threats. Additionally, you are responsible for proposing realistic security plans to fix vulnerabilities and/or apply controls (technical, management, and operational) to minimize the risk exposure. Your experience with cyber solutions may have earned you a spot in the Cyber Attack Response and Strategy Unit; but your honesty, reliability, and responsibility are of equal importance in your career.

Based on your work and findings in the previous steps, assemble your formal risk assessment report. The report includes

· your completed risk assessment,

· controls you recommend,

· and the security plan to put the controls in place.

In addition to being a standalone report, this document will inform the next deliverable: a presentation to the executive leadership team at CARS. In the next step, you will create a slide deck and script for that presentation.

You will submit the report and the presentation at the end of this project.

Step 10

From: Commander Karen Garrett

Subject: Presentation to Stakeholders

Thank you again for the formal report. As anticipated, we are now being asked to present this assessment and plan to executive leadership at the company that was the focus of your plan.

Please create a slide deck and presentation script that cover the main points of your report, including the most salient facts, figures, and findings. The goals are to get the leadership team’s buy-in for your security plan, and to give them an overview of cybersecurity risk and mitigation recommendations.

The presentation should be about 7 slides, plus a presentation script (put the script in the Notes section of the slides). Bear in mind that the people you’re presenting to are not cyber experts, so make sure the content isn’t overly technical. Minimize the text on screen, and expand upon the concepts in your script.

Here’s an outline to use as a guide:

· Slide 1 (title slide): Identify the organization (your audience), the focus of the presentation (Risk Analysis), your name, and the date.

· Slide 2: Identify the organization’s mission and security strategy, and the need for and scope of the security plan.

· Slides 3–6: Focus on the vulnerabilities to IT assets, systems, and security identified in the risk analysis; the likelihood and impact of identified risks; and controls recommended in the security plan.

· Slide 7: Reiterate the main points and any action items/recommended controls.

I will need to review the slides and script before you present, so please send it to me once you have finalized it.

Thank you.

When creating a presentation for stakeholders, it is important to address how cybersecurity supports the mission and security plan of the organization, and to detail the factors that create potential risks to these plans.

Build your presentation using the information and deliverables you have already completed. You will submit the presentation file with your Risk Assessment Report in the next step.

Running Head: Risk Assessment – 2

Risk Assessment on

UMGC

Abstract

The purpose of your abstract is to provide a brief yet thorough overview of your paper. The APA standards suggest that your abstract should function much like your title page: it should allow the reader to quickly determine what your paper is about. Think of it much like the conclusion, but with the added intent to address the who/what/why of what follows.

Table of Contents

1. Introduction

1.1 Purpose
1.2 Scope
1.3 Objective
1.4 Background

2. Risk Assessment Approach

2.1 The participants (e.g., risk assessment team members)

Role | Name
---- | ----
     |

Table 2.1 Risk Assessment Team Members

2.2 The Risk Model

Identify the methodology and/or framework used for this risk assessment (e.g., NIST SP800-30r1, 800-39, etc.). Describe whether the assessment will be quantitative or qualitative (or both).

3. Risk Assessment

3.1 STEP 1: System Characterization

3.1.1 Information gathering techniques

3.1.2 System-Related Information

Component | Description
--------- | -----------
Applications |
Databases |
Server Configurations/Operating Systems |
Interconnections |
Protocols |

Table 3.1.2 System-Related Information

3.1.3 Data Held/Used in the System

Data | Description
---- | -----------
     |

Table 3.1.3 Information Assets

3.1.4 System Users

Users | Description
----- | -----------
      |

Table 3.1.4 System Users

3.1.5 Flow Diagram

3.2 STEP 2: Threat Identification

< Risk will be determined based on a threat event, the likelihood of that threat event occurring, known system vulnerabilities, mitigating factors, and consequences/impact to mission. The following table is provided as a list of sample threat sources. Use this table to determine relevant threats to the system.>

Type of Threat Source | Description

ADVERSARIAL
· Individual (outsider, insider, trusted, privileged)
· Group (ad-hoc or established)
· Organization (competitor, supplier, partner, customer)
· Nation state
Description: Individuals, groups, organizations, or states that seek to exploit the organization’s dependence on cyber resources (e.g., information in electronic form, information and communications technologies, and the communications and information-handling capabilities provided by those technologies).

ACCIDENTAL
· Standard user
· Privileged user/Administrator
Description: Erroneous actions taken by individuals in the course of executing everyday responsibilities.

STRUCTURAL
· IT Equipment (storage, processing, comm., display, sensor, controller)
· Environmental conditions (temperature/humidity controls, power supply)
· Software (operating system, networking, general-purpose application, mission-specific application)
Description: Failures of equipment, environmental controls, or software due to aging, resource depletion, or other circumstances which exceed expected operating parameters.

ENVIRONMENTAL
· Natural or man-made disaster (fire, flood, earthquake, etc.)
· Unusual natural event (e.g., sunspots)
· Infrastructure failure/outage (electrical, telecomm)
Description: Natural disasters and failures of critical infrastructures on which the organization depends, but which are outside the control of the organization. Can be characterized in terms of severity and duration.

Table 3.2 Sample Threat Sources (see NIST SP 800-30 for complete list)

3.3 STEP 3: Vulnerability Identification

3.3.1 Vulnerability Sources

Vulnerability | Threat-Source | Threat Action
------------- | ------------- | -------------
              |               |

Table 3.3.1 Vulnerability Identification

3.3.2 System Security Testing

3.3.3 Development of Security Requirements Checklist

Security Area | Security Criteria
------------- | -----------------
Management Security |
Operational Security |
Technical Security |

Table 3.3.3 Security Requirements Checklist

3.4 STEP 4: Control Analysis

< · What security controls are needed to adequately protect the information systems that support the operations and assets of the organization and allow the organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals?

· Have the selected security controls been implemented, or is there a realistic plan for their implementation?

· What is the desired or required level of assurance (i.e., grounds for confidence) that the selected security controls, as implemented, are effective in their application?>

3.4.1 Control Methods

< · Reducing risk through changes in enterprise system design and management,

· Reducing risk through improved risk information management,

· Neutralizing risk through diversification across enterprises, space, and time, and

· Retaining risk (accepting risks as they exist).>

3.4.2 Control Categories

3.5 STEP 5: Likelihood Determination

Qualitative Values | Semi-Quantitative Range | Semi-Quantitative Value | Description
------------------ | ----------------------- | ----------------------- | -----------
Very High | 96-100 | 10 | Adversary is almost certain to initiate the threat event.
High | 80-95 | 8 | Adversary is highly likely to initiate the threat event.
Moderate | 21-79 | 5 | Adversary is somewhat likely to initiate the threat event.
Low | 5-20 | 2 | Adversary is unlikely to initiate the threat event.
Very Low | 0-4 | 0 | Adversary is highly unlikely to initiate the threat event.

Table 3.5.1 Assessment Scale – Likelihood of Threat Event Initiation (Adversarial)

Qualitative Values | Semi-Quantitative Range | Semi-Quantitative Value | Description
------------------ | ----------------------- | ----------------------- | -----------
Very High | 96-100 | 10 | Error, accident, or act of nature is almost certain to occur; or occurs more than 100 times per year.
High | 80-95 | 8 | Error, accident, or act of nature is highly likely to occur; or occurs between 10 and 100 times per year.
Moderate | 21-79 | 5 | Error, accident, or act of nature is somewhat likely to occur; or occurs between 1 and 10 times per year.
Low | 5-20 | 2 | Error, accident, or act of nature is unlikely to occur; or occurs less than once a year, but more than once every 10 years.
Very Low | 0-4 | 0 | Error, accident, or act of nature is highly unlikely to occur; or occurs less than once every 10 years.

Table 3.5.2 Assessment Scale – Likelihood of Threat Event Occurrence (Non-adversarial)

3.6 STEP 6: Impact Analysis

Qualitative Values | Semi-Quantitative Range | Semi-Quantitative Value | Description
------------------ | ----------------------- | ----------------------- | -----------
Very High | 96-100 | 10 | The threat event could be expected to have multiple severe or catastrophic adverse effects on organizational operations, organizational assets, individuals, other organizations, or the Nation.
High | 80-95 | 8 | The threat event could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation. A severe or catastrophic adverse effect means that, for example, the threat event might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.
Moderate | 21-79 | 5 | The threat event could be expected to have a serious adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation. A serious adverse effect means that, for example, the threat event might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries.
Low | 5-20 | 2 | The threat event could be expected to have a limited adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation. A limited adverse effect means that, for example, the threat event might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.
Very Low | 0-4 | 0 | The threat event could be expected to have a negligible adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation.

Table 6.1: Assessment Scale – Impact of Threat Events

3.7 STEP 7: Risk Determination

Qualitative Values | Semi-Quantitative Range | Semi-Quantitative Value | Description
------------------ | ----------------------- | ----------------------- | -----------
Very High | 96-100 | 10 | Threat event could be expected to have multiple severe or catastrophic adverse effects on organizational operations, organizational assets, individuals, other organizations, or the Nation.
High | 80-95 | 8 | Threat event could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation.
Moderate | 21-79 | 5 | Threat event could be expected to have a serious adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation.
Low | 5-20 | 2 | Threat event could be expected to have a limited adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation.
Very Low | 0-4 | 0 | Threat event could be expected to have a negligible adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation.

Table 7.1 Assessment Scale – Level of Risk

Likelihood (That Occurrence Results in Adverse Impact) | Level of Impact: Very Low | Low | Moderate | High | Very High
------------------------------------------------------ | ------------------------- | --- | -------- | ---- | ---------
Very High | Very Low | Low | Moderate | High | Very High
High | Very Low | Low | Moderate | High | Very High
Moderate | Very Low | Low | Moderate | Moderate | High
Low | Very Low | Low | Low | Low | Moderate
Very Low | Very Low | Very Low | Very Low | Low | Low

Table 7.2: Assessment Scale – Level of Risk (Combination of Likelihood and Impact)

3.7.1 Description of Risk Level

Threat Event | Vulnerabilities / Predisposing Characteristics | Mitigating Factors | Likelihood (Tbl 3.5.1 or 3.5.2) | Impact (Table 6.1) | Risk (Tbl 7.1 & 7.2)
------------ | ---------------------------------------------- | ------------------ | ------------------------------- | ------------------ | --------------------
e.g. Hurricane | Power Outage | Backup generators | Moderate | Low | Low

Table 7.3 Risk Assessment Results

* Likelihood / Impact / Risk = Very High, High, Moderate, Low, or Very Low
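The lookup that Tables 7.1 and 7.2 describe, and the Step 7 rule of deriving one risk rating per asset from its likelihood and impact, can be made concrete in code. The following Python is an added example; it is not part of the course template or of NIST SP 800-30. It encodes the page's Table 7.2 matrix and the shared 0-100 semi-quantitative bins of Tables 3.5.1, 3.5.2, 6.1 and 7.1, scores a constructed risk register whose first row is the page's own Table 7.3 example (Hurricane, Moderate likelihood, Low impact), and ranks the rows so that Step 8 control recommendations can be prioritised. The register contents and the collapse onto the assignment's 1-3 scale (`to_course_scale`) are assumptions of this example, not anything the page specifies.

```python
"""Qualitative risk determination in the style of NIST SP 800-30 Rev. 1.

Added example, not part of the course template. It encodes the page's
Table 7.2 (likelihood x impact -> risk level) and the semi-quantitative
bins of Tables 3.5.x / 6.1 / 7.1, then scores a constructed risk register.
"""
from dataclasses import dataclass

# Five qualitative levels, ordered from lowest to highest.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Table 7.2 from the page: keys are likelihood, list positions follow LEVELS
# as the impact columns (Very Low .. Very High).
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}

# Semi-quantitative bins shared by Tables 3.5.1, 3.5.2, 6.1 and 7.1:
# (range low, range high, representative value) on the 0-100 scale.
BINS = {
    "Very High": (96, 100, 10),
    "High": (80, 95, 8),
    "Moderate": (21, 79, 5),
    "Low": (5, 20, 2),
    "Very Low": (0, 4, 0),
}


def level_from_score(score: int) -> str:
    """Map a 0-100 semi-quantitative score to its qualitative level."""
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    for level, (lo, hi, _value) in BINS.items():
        if lo <= score <= hi:
            return level
    raise AssertionError("bins do not cover 0-100")  # unreachable by construction


def risk_level(likelihood: str, impact: str) -> str:
    """Look up the Table 7.2 cell for a likelihood/impact pair."""
    if likelihood not in RISK_MATRIX or impact not in LEVELS:
        raise ValueError(f"unknown level: {likelihood!r}/{impact!r}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


def to_course_scale(level: str) -> int:
    """Collapse the five NIST levels onto the 1-3 (low/medium/high) scale the
    assignment's Step 7 uses. This mapping is an assumption of this example;
    the page does not specify one."""
    return {"Very Low": 1, "Low": 1, "Moderate": 2, "High": 3, "Very High": 3}[level]


@dataclass
class RiskRow:
    """One row of Table 7.3: threat event, weakness, mitigations, ratings."""
    threat_event: str
    vulnerability: str
    mitigating_factors: str
    likelihood: str
    impact: str

    def risk(self) -> str:
        return risk_level(self.likelihood, self.impact)


# Constructed sample register (assumption). The first row is the page's own
# Table 7.3 example; the other two are illustrative only.
REGISTER = [
    RiskRow("Hurricane", "Power outage", "Backup generators", "Moderate", "Low"),
    RiskRow("Ransomware via phishing", "Unpatched workstation OS",
            "Offline backups, email filtering", "High", "High"),
    RiskRow("Admin misconfiguration", "No change-control review",
            "Configuration baselines", "Moderate", "Moderate"),
]


def rank_register(rows):
    """Return (threat_event, risk level) pairs, highest risk first, so that
    the Step 8 control recommendations can be prioritised."""
    return sorted(((r.threat_event, r.risk()) for r in rows),
                  key=lambda pair: LEVELS.index(pair[1]), reverse=True)


if __name__ == "__main__":
    for event, risk in rank_register(REGISTER):
        print(f"{event:28s} {risk:10s} (course scale {to_course_scale(risk)})")
```

Running the block prints the register ordered High, Moderate, Low, with the page's Hurricane row resolving to Low exactly as Table 7.3 shows. Keeping the matrix as data rather than nested conditionals makes it easy to swap in an organisation-specific matrix, which NIST SP 800-30 explicitly allows, without touching the scoring logic.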

3.8 STEP 8: Control Recommendations

3.9 STEP 9: Results Documentation

< This section provides the results of the risk assessment that describes the threats and vulnerabilities, measures the risk, and provides recommendations for control implementation.>

References

NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments

NIST SP 800-53 Rev. 4, Security and Privacy Controls for Information Systems and Organizations
