Saturday, December 02, 2006

This is an additional post regarding IP and least privilege access.

Intellectual Property, IP, loss, what is the real threat?

There are four major risk areas: the loss of IP through attrition (former employees), and theft by foreign competitors, domestic competitors, and contractors/vendors. Attrition lies largely outside the realm of IT security controls, although some controls clearly reduce this type of loss; these are discussed in more detail below. Then there is outright theft, whether internal or external; both situations are also discussed below. It is thought that 70% or more of a company’s market value is in its intellectual property, so any significant loss of IP is a significant loss to the market value of your company. Unfortunately, most companies have not done their homework in quantifying the valuation of their IP, and therefore have not quantified the risk. Valuation and risk models based on the likelihood of loss must be used to determine the best controls.

Loss through Attrition
Several IT security controls can minimize the loss of IP through attrition. Users should only have access to what they need to accomplish their work. Establishing a culture and technical controls that enable the Least Privilege Access (LPA) method is the single most effective way to minimize this risk: if a user does not have access to sensitive information they do not need, they cannot take it with them when they leave the organization.

Theft
External theft exploits weak security perimeters and inadequate controls on content submitted to externally facing websites. See the warning from UK officials here.

Insider threats are much harder to deal with, and are occurring more frequently than in the past. This correlates directly with the hardening of the perimeter surrounding companies’ IT infrastructure and the shift from hacking as a pastime for technically savvy individuals to hacking by individuals with a financial motive. This threat should be mitigated by implementing better human resource programs and applying the principle of least privilege access.

Technical Controls and Least Privilege Access
LPA, on the other hand, is difficult to use in practice. It is really hard to keep up with what users need, and if access is too restrictive, collaboration and productivity suffer. Role-based access can alleviate some of these problems, and new advances in user management make it easier. For example, Microsoft’s Active Directory™ allows for easier organization of users into their respective roles. However, it does not get you the last mile towards true LPA. In the end, the users who create sensitive information are the ones who have to decide what needs to be published, and to whom. In today’s environments, this information lives in structured repositories such as databases and management systems, and as unstructured data such as Word documents, spreadsheets, presentations, etc. Unstructured information is the hardest to place controls around, but classification schemes can be used to mitigate the risk. Unfortunately, Least Privilege Access is too complex a topic to be covered within a paragraph, so I will discuss LPA separately in a later article.
Sensitive Information Risk: how to quantify
A financial risk analysis helps business decision makers make the right choice of information security solutions based on internal risks, industry data, the cost of the solution and the return on the investment (ROI). This framework is used to evaluate current and future risks of loss of sensitive information in an organization. The risk assessment framework should be used to determine the legal, financial and business risk exposure of an organization regarding its handling of digitized sensitive data. The assessment weighs the legal liability and potential financial losses against the cost of implementing controls. A proper financial risk assessment gives ROI and NPV predictions based on actual findings, trends, and the projected success rate of the controls and mitigations. This is achieved by using Monte Carlo simulations based on internal and external data sets. ROI is computed from the Annualized Loss Expectancy (ALE) with current controls, the ALE with the new controls, and the costs associated with the new controls.
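The ALE, ROI and NPV calculation described above, carried through on constructed figures for an LPA programme, as an added example that is not part of the original post (the dollar amounts, frequencies, discount rate and triangular ranges are assumptions for illustration, and the Monte Carlo step draws SLE and ARO from triangular estimates rather than from the internal and external data sets the post refers to):

```python
import random

# Constructed scenario (not from the post): leakage of unstructured IP documents
# by departing staff, before and after a least-privilege-access (LPA) programme.

def ale(sle, aro):
    """Annualized Loss Expectancy: single-loss expectancy times annual rate of occurrence."""
    return sle * aro

def control_roi(ale_current, ale_new, annual_control_cost):
    """ROI of a control: loss avoided per year, net of the control's annual cost, over that cost."""
    avoided = ale_current - ale_new
    return (avoided - annual_control_cost) / annual_control_cost

def control_npv(annual_net_benefit, discount_rate, years, upfront_cost):
    """Net present value of the control over its life, discounting each year's net benefit."""
    pv = sum(annual_net_benefit / (1 + discount_rate) ** t for t in range(1, years + 1))
    return pv - upfront_cost

def simulate_ale(sle_range, aro_range, trials=20000, seed=1):
    """Monte Carlo ALE: SLE and ARO drawn from triangular (low, mode, high) estimates
    instead of point values; returns the mean and the 90th-percentile annual loss."""
    rng = random.Random(seed)
    s_lo, s_mode, s_hi = sle_range
    a_lo, a_mode, a_hi = aro_range
    losses = sorted(rng.triangular(s_lo, s_hi, s_mode) * rng.triangular(a_lo, a_hi, a_mode)
                    for _ in range(trials))
    return {"mean": sum(losses) / trials, "p90": losses[int(0.9 * trials)]}

def lpa_business_case():
    """Worked case with constructed figures: current ALE vs ALE after LPA, ROI and NPV."""
    current = ale(sle=200_000, aro=1.5)        # assumed 1.5 leaks/year at $200k each
    with_lpa = ale(sle=200_000, aro=0.4)       # LPA assumed to cut frequency to 0.4/year
    annual_cost = 100_000                      # assumed licences, role reviews, admin effort
    roi = control_roi(current, with_lpa, annual_cost)
    npv = control_npv(current - with_lpa - annual_cost, 0.08, 3, upfront_cost=150_000)
    return {"ale_current": current, "ale_with_lpa": with_lpa, "roi": roi, "npv": npv}

if __name__ == "__main__":
    print(lpa_business_case())
    print(simulate_ale((100_000, 200_000, 400_000), (0.5, 1.5, 3.0)))
```

The point estimate says the LPA control returns 120% on its annual cost, while the simulated distribution shows how much of the ALE sits in the tail (p90) that a single-point ALE hides.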

Risk is inherent in any business undertaking. Businesses continuously manage risk at all levels of the organization. How the risk is managed differs from company to company, and is often based on organizational culture, the maturity of the organization, and how regulated the industry is. Financial risk analysis is the norm for any larger company irrespective of the industry it operates in. Their IT organizations, on the other hand, more often than not fail to fully utilize the potential of a financial risk analysis approach to IT risk management. Risk is often determined by IT security experts based on their domain knowledge. However, many IT security experts do not fully consider the business impact when they determine which risks to accept, reduce, or transfer.