Insuring your future: Cybersecurity and the insurance industry
Outsourcing Critical Data Risk Assessment
Citadel100
Outsourcing: “The Security Perspective”
Keeping Your Business Always Online
Page 1 of 6
Outsourcing critical data – the security perspective
The terrorist attacks of September 11, 2001 made security an urgent issue
worldwide.
It was an event that made many high profile companies take security from the
“watchman” level to the level of senior management, playing a pro-active part in
decision-making, policy and procedures.
Any company that plays a role in critical infrastructure, information technology,
communications, banking, power supply, etc., is seeing a new level of threat.
Analysts indicate that future attacks could involve an attack on computer networks.
Many organizations, including national computer networks, are adopting a managed
services approach as a means to counter this growing threat.
By locating critical data in purpose-built secure environments, concerns regarding
unauthorized access, uninterrupted power and constant monitoring can be placed in
the hands of dedicated professionals.
Identification of a weakness in your company is critical and a risk assessment should
be carried out at the earliest possible stage.
A risk assessment identifies weaknesses in an organization and puts in place the
required countermeasures to minimize the risks associated with the weakness.
Simply stated, risk assessment is the systematic process by which an organization
identifies, reduces, and controls its potential risks and losses. This process allows
organizations to determine the magnitude and effect of the potential loss, the
likelihood of such a loss actually happening, and countermeasures that could lower
the probability or magnitude of loss.
Many Irish companies faced with serious weaknesses in their organizations are
realizing that the best option is to outsource their data storage to a managed
service provider who will provide a package that best meets their needs.
Risk is the potential for an event that could have a negative impact on business to
occur. Such an event can be loss of information, finances, reputation or unauthorized
access to your I.T. department.
The likelihood of the potentially damaging event occurring depends upon (a) threat
and (b) vulnerability.
(a) Threat is the potential to carry out actions that are harmful to an organization’s
assets.
(b) Vulnerability is any weakness that can be exploited by a rival or competitor to
cause damage to an organization’s interests. The level of vulnerability, and hence
level of risk, can be reduced by implementing appropriate countermeasures.
An asset is anything of value (people, information, hardware, software, facilities,
reputation, activities, and operations). The more critical an asset is to an
organization, the greater the impact its loss would mean to business. Take for
example the loss of an organization’s main server/servers. This loss would
significantly reduce an organization’s ability to access data. The loss would have
greater consequences if it occurred during a key business transaction or if the server
was not backed up.
Prior to beginning a risk assessment some time should be spent in preparation.
Management should be consulted to identify any constraints, determine operating
parameters and expectations. Management will best know what and where their
assets are and their importance to the organization. The risk assessor should also
identify other organizations that have a vested interest in the protection of critical
elements of the organization. For example, although an organization’s Chief
Technology Officer may have responsibility for his or her company’s network,
department heads may also have an interest in the availability and integrity of that
network.
[Figure: risk assessment diagram plotting vulnerability against threat (burglary, loss of power, malicious damage, fire) for Site A, Site B and Site C]
A recent report identified a number of steps required to draw up a risk assessment.
1. Assets.
Identifies and focuses on resources vital to the organization's operation.
Most assets are tangible (e.g., people, facilities, equipment); others are not (e.g.,
information, processes, reputation).
In a communications organization, information and automated processes may be
more important than many tangible assets. Organizations need to protect sensitive
information including information about the functions of the organization and its
employees as well as critical processes such as power generation, environment, and
financial status. For each individual resource, identify the effect that the loss,
damage, or destruction of that resource would have on the organization. The overall
value is based upon the severity of this effect.
2. Threat.
This focuses on the opposition or events that can negatively affect the previously
identified assets. The assessor must rely on data and information obtained from
management interviews. The threat is considered in terms of adversaries. Common
types of adversaries include business competitors, hackers, criminals, hostile
intelligence services, terrorists, and others. In order to assess whether an adversary
poses a threat you must determine if they have the level of intent to cause an
unwanted event.
Just as natural disasters and accidents are treated as threats even though they do
not possess intent, cyber events (e.g. viruses and denial-of-service attacks) should
also be treated as threats. Any organization that connects critical networks to the
Internet must be aware of events in the larger world.
When periods of politically motivated protests take place, such as the recent anti-war
demonstrations, the infrastructure community may be attacked, physically or via the
Internet, regardless of the individual organization’s involvement in the event being
protested. Protesters often view multi-national companies as part of the government.
Companies or banks may also be attacked as symbols of globalization. Even
protests between two foreign nations can spill over into neutral states. Ireland's close
ties to and support for the United States could be regarded as hostile by states
engaged in conflict with the U.S. or aligned nations.
Because Ireland is fast becoming a multicultural nation with a large global presence,
Irish organizations may suffer from attacks for any number of misguided reasons.
3. Vulnerability.
Identifies and characterizes vulnerabilities related to specific assets or undesirable
events. The assessor is looking for exploitable situations created by lack of adequate
physical / information security, personal behavior, working practice, and insufficient
security procedures. Examples of typical vulnerabilities include:
• The absence of manned guarding.
• Poor access controls.
• Lack of updated security patches.
• Unscreened employees / visitors.
When designing and installing security systems organizations should not count on
suppliers alone to build appropriate levels of security. An assessment provided by an
independent contractor can provide the organization with an objective description of
its vulnerabilities. It is essential that the company I.T. security specialist be involved
in the process.
This step requires the gamekeeper to take on the role of the poacher. Specifically,
the assessor should begin by studying the asset and asking questions such as: “how
would I get in there?” Each vulnerability, when considered against who might exploit
them, and the assets they may attack, will determine the risk value.
4. Risk.
This is where all of the earlier assessments (asset, threat, and vulnerability) are
combined and evaluated in order to give a complete picture of the risks to an asset
or group of assets, by answering three questions:
1. What would our business impact be, if an asset is lost or harmed by an
unwanted event?
2. How likely is it that an adversary will attack those identified assets?
3. What are the most likely vulnerabilities that the adversary will use to target the
identified assets?
By answering these questions we can begin to make an informed judgment of how
“at risk” an organization is from unwanted events. We should be able to determine
where the major vulnerabilities and threats lie. At this point, we should be able to
determine the major physical and cyber risks as well as which of these risks require
immediate attention.
The risk assessment may lead ultimately to the conclusion that the organization in its
present location can simply not meet the recommendations needed to adhere to
accepted practice codes.
In a world where International standards have become the guiding factor for
business operating procedures, non-compliance can be a costly option.
Outsourcing as a Countermeasure Option.
[Chart: scores from 0 to 100 for Facility, Power and Security, compared across the present site, Site 2 and Site 3]
The objective of a risk assessment is to provide the company with countermeasures,
or groups of countermeasures, which will lower the overall risk to the asset to an
acceptable level. By evaluating the effectiveness of possible countermeasures
against specific adversaries, you can determine the most cost effective option. In
presenting findings to a company, the risk assessor should provide at least two
countermeasure packages as options. Each option should also include the expected
costs. Upon conducting a cost assessment it may be found that, although initially
more expensive, relocation of critical data would save money, whereas option B
would actually lead to losing money and critical data, with a subsequent loss of public
confidence.
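The four assessment steps above (assets, threat, vulnerability, risk) and the comparison of countermeasure packages by cost can be carried through numerically. The following is an added worked example, not Citadel100's own method or tooling: it assumes an ordinal 1-to-5 scale for asset impact, threat likelihood and vulnerability, scores risk as their product, lets each countermeasure package remove vulnerability levels for the threats it addresses (never below a residual of 1, since risk cannot be eliminated), and converts residual risk to an expected annual loss with an assumed calibration value so that options can be ranked by cost plus expected loss. All assets, threats, scores, package costs and the euro-per-point figure are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    impact: int      # 1 (negligible) .. 5 (business-ending), agreed with management


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int  # 1 .. 5; accidents and cyber events count even without intent


@dataclass(frozen=True)
class Scenario:
    asset: Asset
    threat: Threat
    vulnerability: int  # 1 .. 5 exploitability of this asset by this threat today


@dataclass(frozen=True)
class Package:
    """A countermeasure option: its annual cost plus how many vulnerability
    levels it removes for each threat it addresses (assumed model)."""
    name: str
    annual_cost: int
    reductions: dict  # threat name -> levels removed; a floor of 1 always remains


def risk_score(scenario: Scenario) -> int:
    """Risk = impact x likelihood x vulnerability (ordinal, maximum 125)."""
    for v in (scenario.asset.impact, scenario.threat.likelihood, scenario.vulnerability):
        if not 1 <= v <= 5:
            raise ValueError("all scores must lie on the 1..5 scale")
    return scenario.asset.impact * scenario.threat.likelihood * scenario.vulnerability


def total_risk(scenarios) -> int:
    return sum(risk_score(s) for s in scenarios)


def prioritise(scenarios):
    """Highest-risk asset/threat pairs first: these need immediate attention."""
    return sorted(scenarios, key=risk_score, reverse=True)


def apply_package(scenarios, package: Package):
    """Residual scenarios once the package's countermeasures are in place."""
    return [
        Scenario(s.asset, s.threat, max(1, s.vulnerability - package.reductions.get(s.threat.name, 0)))
        for s in scenarios
    ]


def compare_packages(scenarios, packages, loss_per_point: int):
    """Rank 'do nothing' and each package by annual cost plus expected loss.

    loss_per_point is an assumed conversion from risk points to euro per year
    (a constructed calibration value, not a figure from the paper)."""
    rows = [("Do nothing", 0, total_risk(scenarios))]
    rows += [(p.name, p.annual_cost, total_risk(apply_package(scenarios, p))) for p in packages]
    table = [
        {"option": name, "cost": cost, "residual_risk": risk,
         "expected_loss": risk * loss_per_point, "total": cost + risk * loss_per_point}
        for name, cost, risk in rows
    ]
    return sorted(table, key=lambda r: r["total"])


# --- constructed sample data (illustrative only) ---
SERVER = Asset("main server", impact=5)
WORKSTATIONS = Asset("office workstations", impact=2)
THREATS = {
    "loss of power": Threat("loss of power", likelihood=4),
    "fire": Threat("fire", likelihood=2),
    "malicious damage": Threat("malicious damage", likelihood=3),
    "burglary": Threat("burglary", likelihood=2),
}
# Present site: no generator, patching lags, no manned guarding.
PRESENT_VULN = {"loss of power": 4, "fire": 3, "malicious damage": 4, "burglary": 3}
PRESENT_SITE = [Scenario(a, THREATS[t], PRESENT_VULN[t]) for a in (SERVER, WORKSTATIONS) for t in THREATS]

OPTION_A = Package("Option A: in-house upgrades", annual_cost=40_000,
                   reductions={"loss of power": 1, "malicious damage": 2, "burglary": 1})
OPTION_B = Package("Option B: relocate to managed data centre", annual_cost=60_000,
                   reductions={"loss of power": 3, "fire": 2, "malicious damage": 2, "burglary": 2})
LOSS_PER_POINT = 1_000  # assumed euro of expected loss per risk point per year


def main():
    for s in prioritise(PRESENT_SITE)[:3]:
        print(f"{risk_score(s):3d}  {s.asset.name} / {s.threat.name}")
    for row in compare_packages(PRESENT_SITE, [OPTION_A, OPTION_B], LOSS_PER_POINT):
        print(f"{row['option']:42} cost {row['cost']:>7,}  residual risk {row['residual_risk']:3d}  total {row['total']:>8,}")


if __name__ == "__main__":
    main()
```

With these constructed figures the present site carries 280 risk points, the single largest being the main server against loss of power; Option A brings the total to 196 points, while the dearer Option B brings it to 98 and comes out cheapest once expected loss is included, which is the cost-assessment outcome the text describes. The ranking is only as good as the calibration of impact, likelihood and the euro-per-point value, so those inputs should come from the management interviews the assessment is built on rather than from the assessor alone.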
Faced with unattainable requirements regarding power supply, building management
and security, the only viable option open to many companies responsible for the
supply of critical services is to re-locate their main servers and information
technology in a Data Centre offering instant secure access 24x7.
The objective of locating in a secure facility is to lower the overall risk to the
minimum level. Managed services can identify which vulnerabilities need to be
addressed. By evaluating the effectiveness of possible countermeasures against
specific adversaries, they will determine the most cost-effective options.
Organizations that embrace an in-house approach to risk management need to
constantly monitor any changes in their assets, the threat, and their vulnerabilities.
As changes appear, so too does the need for a new risk assessment and for
recommendations on new countermeasure options. The continuous nature of risk
assessment requires organizations to develop a risk-aware culture that
understands, validates, and implements the security recommendations and
countermeasures. New threats will emerge, some from new sources, which may be
low-tech as well as high-tech. The resulting risks may appear too quickly to be
addressed in a company without the services of a full time security consultant.
Organizations outsourcing their critical data will be free from the need to manage
these new risks. Risk management is a regular process to determine the likelihood
that a threat will harm a resource and to identify actions that reduce the risk and
mitigate the consequences of an attack. Risk management principles recognize that
while risk cannot be eliminated, enhancing protection from potential threats and
constant monitoring can greatly reduce it.