Reporte Ejecutivo del Analisis Activos.pdf

8/11/2019 Reporte Ejecutivo del Analisis Activos.pdf

Risk Management

Executive Analysis Report

01 Proyecto

PRJR13011

Issued: 06/11/2013 7:58:08

The information in this document and any attachments is intended for users of Modulo Risk Manager, a product developed by Modulo Security LLC. If you do not have permission to access this information, know that it is prohibited to read, release, or copy this information. Improper use will be subject to the legislation in effect based on the confidentiality agreements.

The controls in the knowledge bases created by Modulo Security LLC are protected by copyright and ownership laws.

The full or partial unauthorized reproduction of the information in this report shall result in civil and criminal punishments.

Modulo Security LLC

www.modulo.com

1. INTRODUCTION

This report presents the results of the risk analysis carried out in the 01 Proyecto project. The investigations included the organization's assets and may have used various methods for collecting evidence, such as automated collectors, documental analyses, interviews, facility inspections, and others.

Some of the main issues addressed in this report include:

1) What are the major threats to the business?

2) What are the risk levels of the non-implemented controls?

3) What are the recommendations to reduce these risks?

4) How can the security actions to be taken be prioritized?

More detailed information and technical recommendations can be found in the Risk Analysis Report and in the Operational Risks Report, which are generated by Modulo Risk Manager, the system designed by Modulo Security LLC based on the GRC Metaframework methodology. This methodology is in compliance with the guidelines provided in the ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27005, ISO 31000, and ISO Guide 73 standards. Thus, Modulo Risk Manager provides increased productivity, control, and standardization in activities and helps the organization achieve the desired results.

The following table displays the project data:

Name: 01 Proyecto
Code: PRJR13011
Status: Abierto (Open)
Author: Administrator
Leader: usuario1
Substitute Leader: usuario1
Project Created: 06/04/2013
Analysis Start Date: 06/04/2013
Analysis End Date:
Project Closed:

If the project is open when the report is issued, only partial results will be presented.


1.1 Calculating the PSR

ISO Guide 73 states that risk is expressed as the value of the combination of the score of an event and its consequences. Modulo Risk Manager considers the PSR to calculate the risk, which represents the estimate of these combined factors. These factors are scored on a scale from 1 to 5. The PSR then represents the degree of risk associated with the absence of a control, and is calculated through the following formula:

Risk = Probability x Severity x Relevance

The probability and severity factors are scored during technical analyses, whereas the relevance factor is scored according to the importance of the asset to the organization.

PROBABILITY: This is the probability that vulnerabilities or weaknesses are exploited by one or more threats due to the absence of controls.

SEVERITY: This severity scores the level of impact on the organization if the risk materializes. This means that if the incident occurs, the severity will score the degree to which the performance, reliability, or quality of the asset will be compromised.

RELEVANCE: This is the degree of importance the asset holds to the organization, which may take into consideration the business components it supports.


1.2 Risk Indices

Awareness of the risks and their assessment is no longer a technical need. It has become a strategy for organizations to meet the requirements set by the market, the government, regulatory agencies, and others.

To provide a risk estimate, Modulo Risk Manager uses the following indices:

PSR: Calculated by summing the PSR scores of the controls. The product of the P, S, and R factors of each control is calculated and the results are then summed. The PSR can be consolidated by asset, asset type, perimeter, control grouping, knowledge base, questionnaire, business component, etc., and may vary between 0 and 100%.

Risk Index: Calculated by dividing the PSR of the non-implemented controls (identified risks) by the PSR of the applicable controls. It's expressed as a percentage and may vary from 0 to 100%.

Security Index: Calculated by dividing the PSR of the implemented controls (avoided risk) by the PSR of the applicable controls, thus complementing the Risk Index. It's also expressed as a percentage and may vary from 0 to 100%.

Control Index: Calculated by dividing the number of implemented controls by the number of applicable controls. It's expressed as a percentage and may vary from 0 to 100%.

Gap Index: Calculated by dividing the number of non-implemented controls by the number of applicable controls, thus complementing the Control Index. It's also expressed as a percentage and may vary from 0 to 100%.


2. SUMMARY

2.1 Gap Analysis (by Number of Controls)

From a list of 329 controls investigated, 99 were considered applicable. From this total, 62 controls were identified as implemented (Control Index (1) of 62,63%) and 37 controls were identified as non-implemented (Gap Index (2) of 37,37%).

Note that the higher the control index, the greater the number of controls in accordance with the recommendations in the knowledge bases used in the analysis.

Figure 1 - Number of Controls by Status


2.2 Risk Analysis (by PSR)

Considering the risk with a total PSR (3) of 14209, 4322 were considered applicable. Of this total, 3024 can be considered controlled risks (implemented controls), representing a Security Index (4) of 69,97%. In addition, the 1298 risk related to the non-implemented controls (identified risk) represents a Risk Index (5) of 30,03%.

Note that the higher the Security Index, the lower the risk level in the assets in question.

Figure 2 - PSR Index by Risk Analysis Status

(1) The Control Index is calculated by dividing the number of implemented controls by the number of applicable controls.
(2) The Gap Index is calculated by dividing the number of non-implemented controls by the number of applicable controls.
(3) The PSR represents the degree of risk associated with the absence of a control, and is calculated by multiplying Probability x Severity x Relevance.
(4) The Security Index is calculated by dividing the controlled risks (PSR) by the applicable risks.
(5) The Risk Index is calculated by dividing the identified risks (PSR) by the applicable risks.

IMPORTANT: When the Security Index is greater than the Control Index, it can be inferred that there is greater effectiveness in the risk management process, since the implemented controls correspond to those with higher risks (higher PSRs). Otherwise, it can be inferred that there is less effectiveness in the risk management process, since most of the implemented controls correspond to the lower risks (with lower PSRs). If the values are similar, it can be concluded that there is a homogeneous distribution between the level of risk and the priority given to the implemented controls.


2.3 Distribution of Risks (PSR) by Risk Level

The risks considered applicable in the analysis can be divided into:

RISK INDEX: 30,03% of identified risks
SECURITY INDEX: 69,97% of controlled risks

Figure 3 - Distribution of Risks (PSR) by Risk Level


2.4 Risks by Threat

Table 3 below presents the consolidated results by threat. It shows the absolute values and percentages of the controlled and identified risks for the 10 threats with the highest risk indices, presented in descending order of this index.

The identified risk (PSR) associated with each threat (potential incident) is calculated by summing the PSR scores of all the non-implemented controls associated with this threat. The Risk Index is calculated by dividing the value of the identified risks by the value of the applicable risks for each control associated with the threats.

Threat | Applicable Risk (PSR) | Controlled Risk (PSR) | Security Index | Identified Risk (PSR) | Risk Index
Repudiation | 40 | 0 | 0,0% | 40 | 100,0%
Drop in Performance | 288 | 72 | 25,0% | 216 | 75,0%
Non-Compliance with Regulations | 70 | 30 | 42,9% | 40 | 57,1%
Loss of Traceability | 1169 | 549 | 47,0% | 620 | 53,0%
Unavailability of Services or Information | 2052 | 1484 | 72,3% | 568 | 27,7%
Unauthorized Logical Access | 2887 | 2506 | 86,8% | 381 | 13,2%
Errors, Omissions, or Improper Use | 413 | 359 | 86,9% | 54 | 13,1%
Fraud or Sabotage | 1634 | 1624 | 99,4% | 10 | 0,6%
Administrative Sanctions | 0 | 0 | 0,0% | 0 | 0,0%
Copyright Infringement | 60 | 60 | 100,0% | 0 | 0,0%

Table 3 - Risks by Threat

These results should be used to prioritize the actions for the most critical business components and assets, in terms of the risks resulting from the main threats to the organization (see Figure 4):

Figure 4 - Risks by Threat


2.5 Risks by Business Component

The risks identified in the assets, which support the organization's business components, were consolidated in the two levels that categorize these components: strategic and tactical levels.


2.5.1 Strategic-Level Risks

Table 4 below presents the consolidated indices by strategic business component. It shows the absolute values and percentages of the risks for the 0 components with the highest risk indices.

Component | Relevance | Implemented Controls | Non-Implemented Controls | Control Index | Gap Index | Controlled Risk (PSR) | Identified Risk (PSR) | Security Index | Risk Index
(no rows: 0 strategic business components)

Table 4 - Risks per Strategic Level

The value of the identified risk for each strategic business component is composed of the sum of the identified risk (PSR of the non-implemented controls) for all the assets that support it.

The Risk Index is calculated by dividing the value of the identified risk by the value of the applicable risk, for each business component as well as for all the components.

These results should be used to prioritize actions in the assets supporting the strategic business components with the highest risk indices (see Figure 5):

Figure 5 - Risk Index for Strategic Business Components


2.5.2 Tactical-Level Risks

Table 5 below presents the consolidated risks by tactical business component. It shows the absolute values and percentages for the 1 component(s) with the highest risk indices.

Organizational System | Relevance | Implemented Controls | Non-Implemented Controls | Control Index | Gap Index | Controlled Risk | Identified Risk | Security Index | Risk Index
01_PC_Banking_empresas | Medium | 62 | 37 | 62,63% | 37,37% | 3024 | 1298 | 69,97% | 30,03%

Table 5 - Tactical-Level Risks

The value of the identified risk for each tactical business component consists of the sum of the identified risks (PSR) of all the assets that support it.

The Risk Index for each business component is calculated by dividing the value of the identified risks by the value of the applicable risk, in each business component as well as in all the components.

These results should be used to prioritize actions in the assets that support the tactical business components with the highest risk indices (see Figure 6).

Figure 6 - Risk Index in Tactical Business Components


2.6 Risks by Asset (PSR)

The 2 assets listed in the following table correspond to 30,03% of the total of applicable risks. These assets should be prioritized for treatment in order to reduce the risks identified.

Asset | Asset Type | Relevance | Applicable PSR | Controlled PSR | Security Index | Identified PSR | Risk Index | Contribution to Risk Index
01 Servidor Back End | Tecnología | Very High | 3530 | 2560 | 72,5% | 970 | 27,5% | 22,4%
01 Firewall | Tecnología | High | 792 | 464 | 58,6% | 328 | 41,4% | 7,6%
Consolidated (2) | | | 4322 | 3024 | 65,6% | 1298 | 34,4% | 30,03%

Table 6 - Risks Identified in the Assets (by PSR)


2.7 Risk Levels of Non-Implemented Controls

Table 7 below presents the number and percentage of each risk level for the non-implemented controls in both the quantitative and qualitative overviews.

Overview | Very High | High | Medium | Low | Very Low | Total
Quantitative (Controls) | 6 | 5 | 24 | 2 | 0 | 37
Quantitative (%) | 16,22% | 13,51% | 64,86% | 5,41% | 0,00% | 100,00%
Qualitative (PSR) | 387 | 197 | 688 | 26 | 0 | 1298
Qualitative (%) | 29,82% | 15,18% | 53,00% | 2,00% | 0,00% | 100%

Table 7 - Risk Levels of Non-Implemented Controls

According to the table above, it can be noted that 16,22% of the non-implemented controls represent 29,82% of the risks considered Very High in the organization.


3. NEXT STEPS

This analysis identified the main asset risks, and its results will assist the decision-making process to address the situations that affect the organization's objectives. The risk levels and the interpretations for each value are presented in the table below:

The results of the analysis provide important information for the next steps: risk evaluation and treatment. Using Modulo Risk Manager to evaluate risks and monitor their treatment allows for increased productivity and the use of additional tools, such as the What-If treatment simulator, which allows results to be evaluated in different possible scenarios.

In addition, the evaluation and treatment phases are also integrated with the analysis phase in Modulo Risk Manager, allowing for the proper use of the results. Thus, when it is decided that a certain risk will be sent for treatment, the system will allow treatment events to be created, which can be monitored and which allow for the evolution of the results found in the analysis.

For the next steps, the evaluation phase of the system should be used and the following approach should be adopted:

- Identify the controls with "Very High" and "High" risk levels;
- Evaluate the possible impacts of implementing these controls in the assets, systems, and business operations;
- Send the controls with "Very High" and "High" risk levels for immediate treatment;
- Identify the controls with "Medium" risk levels;
- Evaluate the need to implement, in the short term, controls with "Medium" risk levels;
- Identify the benefits of reducing the risks in the organization, using the Risk Index;

Risk Level | PSR Values | Definition
Very Low | 1, 2, 3, 4, 5, 6 | These are acceptable risks, and asset managers should be informed of them.
Low | 8, 9, 10, 12, 15, 16 | These are risks which may be acceptable once reviewed and confirmed by the asset managers.
Medium | 18, 20, 24, 25, 27, 30 | These are risks which may be acceptable once reviewed and confirmed by the asset managers; however, their acceptance should be done formally.
High | 32, 36, 40, 45, 48, 50 | These are unacceptable risks, and asset managers should at least be oriented on how to control them.
Very High | 60, 64, 75, 80, 100, 125 | These are unacceptable risks, and asset managers should be oriented on how to minimize them immediately.

Table 8 - Possible PSR Values

    Risk Management Process


- Verify if the residual risks of the evaluation are satisfactory;
- Evaluate the impacts of accepting the controls with lower risk levels;
- Accept the risks for controls with lower risk levels;
- If the residual risks are not satisfactory, continue the process for controls with "Low" and "Very Low" risk levels;
- Close the project and constantly monitor the residual risk during the treatments.
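A worked example, added here and not taken from the report or from Modulo Risk Manager, of the PSR formula of Section 1.1, the five indices of Section 1.2, the Security Index versus Control Index reading of Section 2.2, the Table 8 risk levels, and the first steps of the approach above; the controls, their scores and the function names are constructed assumptions.

```python
from dataclasses import dataclass

# Table 8 bands keyed by the lowest PSR value in each band; P, S and R are
# integers from 1 to 5, so a product can only take the values Table 8 lists.
LEVEL_FLOORS = [(60, "Very High"), (32, "High"), (18, "Medium"), (8, "Low"), (1, "Very Low")]

@dataclass
class Control:
    name: str
    probability: int   # P: scored during technical analysis
    severity: int      # S: scored during technical analysis
    relevance: int     # R: importance of the asset to the organization
    implemented: bool

    def psr(self) -> int:  # PSR = Probability x Severity x Relevance
        for factor in (self.probability, self.severity, self.relevance):
            if not 1 <= factor <= 5:
                raise ValueError("P, S and R are scored on a scale from 1 to 5")
        return self.probability * self.severity * self.relevance

def risk_level(psr: int) -> str:  # Table 8 risk level of a PSR value
    for floor, level in LEVEL_FLOORS:
        if psr >= floor:
            return level
    raise ValueError("PSR is never below 1")

def indices(controls: list) -> dict:  # the five indices of Section 1.2
    applicable = sum(c.psr() for c in controls)
    controlled = sum(c.psr() for c in controls if c.implemented)
    n_impl = sum(1 for c in controls if c.implemented)
    pct = lambda part, whole: round(100 * part / whole, 2)
    return {
        "applicable_psr": applicable,
        "controlled_psr": controlled,
        "identified_psr": applicable - controlled,
        "risk_index": pct(applicable - controlled, applicable),
        "security_index": pct(controlled, applicable),
        "control_index": pct(n_impl, len(controls)),
        "gap_index": pct(len(controls) - n_impl, len(controls)),
    }

def effectiveness(idx: dict) -> str:  # reading of the IMPORTANT note in Section 2.2
    if idx["security_index"] > idx["control_index"]:
        return "greater effectiveness: implemented controls carry the higher PSRs"
    if idx["security_index"] < idx["control_index"]:
        return "less effectiveness: implemented controls carry the lower PSRs"
    return "homogeneous distribution between risk level and priority"

def treatment_queue(controls: list) -> list:  # Section 3: Very High / High controls not yet implemented, highest PSR first
    urgent = [c for c in controls
              if not c.implemented and risk_level(c.psr()) in ("Very High", "High")]
    return [c.name for c in sorted(urgent, key=lambda c: c.psr(), reverse=True)]

# Constructed sample (hypothetical): four applicable controls on one asset.
SAMPLE = [
    Control("Firewall rule review", 4, 5, 5, True),   # PSR 100, Very High
    Control("Backup restore test", 3, 4, 5, False),   # PSR 60, Very High
    Control("Password policy", 2, 3, 3, True),        # PSR 18, Medium
    Control("Visitor log", 1, 2, 2, False),           # PSR 4, Very Low
]
```

On the sample, the Security Index (64,84%) exceeds the Control Index (50%), which Section 2.2 reads as the higher-PSR controls having been implemented first; the one control left for immediate treatment is the Very High one.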
