CERT PODCAST SERIES: SECURITY FOR BUSINESS LEADERS: SHOW NOTES

A Taxonomy of Operational Risks for Cyber Security

Key Message: Use a taxonomy to increase confidence that your organization is identifying cyber security risks.

Executive Summary

"Organizations of all sizes in both the public and private sectors are increasingly reliant on information and technology assets, supported by people and facility assets, to successfully execute business processes that, in turn, support the delivery of services. Failure of these assets has a direct, negative impact on the business processes they support. This, in turn, can cascade into an inability to deliver services, which ultimately impacts the organizational mission. Given these relationships, the management of operational cybersecurity-related risks to these assets is a key factor in positioning the organization for success."[1]

In this podcast, Jim Cebula, the Technical Manager of CERT’s Cybersecurity Risk Management Team, discusses a taxonomy that provides organizations with a common language and terminology they can use to discuss, document, and mitigate operational cybersecurity risks. The taxonomy identifies and organizes the sources of operational cyber security risk into four classes: (1) actions of people, (2) systems and technology failures, (3) failed internal processes, and (4) external events. This podcast is based on an SEI technical report and blog that are listed in Resources.

PART 1: INCREASED CONFIDENCE IN IDENTIFYING CYBER SECURITY RISKS

Operational risks are those arising due to the actions of people, systems and technology failures, failed internal processes, and external events.

Operational cyber security risks are operational risks to information and technology assets that have consequences affecting the confidentiality, availability, or integrity of information or information systems.

Tying risks to specific consequences is a key consideration when discussing and identifying risk.

Jim’s SEI blog post on the risk taxonomy provides examples of high profile cybersecurity breaches that have occurred over the past 12 months, such as the Target and Home Depot breaches.

A taxonomy provides a common way to talk about risks and their impacts across the organization. This helps everyone to be on the same page with respect to detecting and responding to these risks.

Given that operational risk is a complex and challenging topic, a taxonomy can provide a foundational structure for identifying and potentially prioritizing these risks:

• to consider all topics the might occur in each of the taxonomy subcategories
• to better understand the breadth of the problem (systems, technology, people, process, external events)
• to better discuss and identify the consequences that are of greatest concern to senior leaders
• to identify investments in controls and protective measures to mitigate risks

Using such a taxonomy can provide increased confidence that the majority of cyber security risks have been identified. That said, security is a journey, not a destination and risks are always changing. Increased confidence arises from:

• evaluating a broad spectrum of operational risks across the organization
• using evaluation results to drive risk management activities
• having performed due diligence
• potentially identifying related risks not specifically documented in the taxonomy

PART 2: FOUR CATEGORIES OF OPERATIONAL RISK

The taxonomy is structured into 4 general categories, each of which has classes, subclasses, and elements.

The categories are:

• actions of people
• systems and technology failures
• failed internal processes
• external events

"Actions of people" describes a class of operational risk characterized by problems caused by the action taken or not taken by individuals in a given situation. This class covers actions by both insiders and outsiders. Its supporting subclasses and elements include:

• inadvertent actions (mistakes, errors, omissions)
• deliberate actions (fraud, theft, sabotage, vandalism)
• inaction (lack of appropriate skills, knowledge, guidance, staff availability)

With respect to staff availability, some example risks may emerge when asking these questions:

• Are we properly resourced to evaluate and respond to all security alerts?
• Are we reviewing logs frequently enough?

"Systems and technology failures" describes a class of operational risk characterized by problematic abnormal or unexpected functioning of technology assets. Its supporting subclasses and elements include failures of:

• hardware (performance, maintenance, appropriate capacity, obsolescence)
• software (configuration management, change control, appropriate security settings, testing and coding practices)
• integrated systems (design, specifications, integration, complexity)

Some of the recent retailer credit card breaches result from complex networks and the use of vendor remote access credentials.

"Failed internal processes" describes a class of operational risk associated with problematic failures of internal processes to perform as needed or expected. Its supporting subclasses and some elements include:

• process design or execution (such as notifications and alerts and escalation of issues)
• process controls (such as status monitoring and periodic review)
• supporting processes (such as funding, procurement, and training and development)

Examples for process design and controls include those processes required to

• filter security alerts and notifications to make sure the important ones get through
• activate the full incident response process
• escalate as required

An example of a supporting process is ensuring the procurement process is structured to obtain appropriate system and software licenses and materials in a timely manner.

It is important to understand which assets are critical to the delivery of key services. This is one means for prioritizing risk, focusing on those services and the assets on which they depend. Such assets need to be available and productive.

"External events" describes a class of operational risk associated with events generally outside the organization’s control. Often the timing or occurrence of such events cannot be planned or predicted. The supporting subclasses and some elements of this class include:

• disasters (weather, fire, flood, earthquake, political unrest)
• legal issues (regulatory compliance, litigation)
• business issues (supplier failure and market and economic conditions)
• service dependencies (utilities, emergency services, fuel, transportation)

An example of a legal issue is the need to maintain electronic documents, communications, email, and instant messages in support of litigation.

Examples of service dependencies include:

• the lack of availability of fuel during Hurricane Sandy. This affected transportation and the ability to operate backup generators and data centers.
• power outages affecting the ability to charge mobile devices

Civil unrest resulting in cyber attacks and other malicious activity is an example of a business issue. Civil unrest can also affect supply chains.

PART 3: APPLICATION AND PRIORITIZATION

The operational risk taxonomy report includes a mapping to NIST Special Publication 800-53 Revision 4 , Security and Privacy Controls for Federal Information Systems and Organizations. This information can be used to determine if all potential operational risks described in the taxonomy are addressed by NIST controls.

In addition, the taxonomy can be used to help determine which risks, and thus which controls, need to be added or updated.

The taxonomy can also be used to compliment the use of the SEI’s OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) risk assessment method for identifying cyber security operational risks

With respect to prioritization, the taxonomy can be used in concert with other organizational processes such as those that prioritize key services and assets (people, information, technology, facilities) based on the organization’s mission.

You can then identify risks specific to the most critical assets and the pain points if they fail or are not available, which can lead to the identification of risk thresholds.

Resources

[1] Cebula, James, et al. “A Taxonomy of Operational Cyber Security Risks Version 2.” (CMU/SEI-2014-TN-006). Software Engineering Institute: Carnegie Mellon University.

Cebula, James. “A Taxonomy for Managing Operational Risk.” SEI blog post, August 2014.