Over the last 20 years organisations have adopted IT in most of their business functions to the extent that they cannot operate without them. IT services store the most sensitive details of an organisation. The prospect of those services being unavailable, or that the data is inaccurate, or even compromised by hackers would severely affect the ability to do business and tarnish their reputations.
Large organisations typically have hundreds or even thousands of IT services. Even knowing which services are being used can be a challenge.
IT services are dependent on other, underpinning, services. Issues with underpinning services can affect other services. Understanding the inter-operability is very difficult.
IT services have physical dependencies on data centres or are dependent on cloud suppliers. Issues with power, cooling or connectivity may have major impacts on service delivery.
ServiceView offers a platform to manage meta data concerning the IT services running at an organisation. The web interface allows diverse service owners to enter and maintain detail about their services.
Using ServiceView service owners can register a new service, set service dependencies on other, underpinning, services and set data centre dependencies and failover capabilities.
Meta data includes departments and individuals responsible for the service. The purpose of the service. The technology and data used, as well as many other fields relating to the operation of the service.
Some of the meta data fields allow risk to be assessed.
Risks are divided into 3 categories:
|Confidentiality||: - The risk of unauthorised access to data|
|Integrity||: - The risk of data being changed or incorrect|
|Availability||: - The risk of the service or data not being available when needed|
This C.I.A classification is a common way of representing risks in security standards such as ISO-27001
The risk of confidentiality is gauged by the type of data stored in, or captured by the service.
For instance at a university, course & subject information may be a 1. Whereas student identity information might be a 7
The integrity requirements for the data depends on the system that is using it.
Getting a student name wrong in the student portal may be embarrassing, but it is far more important it is correct when printing their diploma.
Availability, or uptime will vary for each service. The e-Learning system might need to be up 24x7, whilst the time sheeting system doesn't have to be as reliable.
The inherent risk is the risk before controls are taken into account. Questions about a service can contribute towards setting the inherent risk. for instance:
A control is a measure put in place to reduce the risk. Questions are asked to determine the controls that are in place and their effectiveness. In other what controls are in place to protect the service in the three areas. For instance:
In all 35 items of meta data are captures for each service as well as its dependencies on other services and data centres.
By processing the data captured for each service we can calculate the inherent and residual values for Confidentiality, Integrity and Availability (CIA).
The inherent confidentiality is determined by looking at the data stored by the service and using the value of the most confidential. Each data type is classified for confidentiality using a central lookup table.
By looking at the security measures in place we can determine how well the data being protected. Each control in place adds to a score giving an residual confidentiality value.
The same is done for inherent and residual integrity. Looking at the answers to the questions we can determine the integrity requirement as well as the controls in place to protect the integrity of the data.
We can also determine the inherent and residual availability risk.
Some services are more important to the organisation than other services. Services are classified by importance to the business. The most important services are classified as "Tier 1", then "Tier 2" etc.
Underpinning services are taken into consideration and elevated to the right tier.
By combining "how well we are running a service" with "how important the service is" we can calculate the residual risk Low, moderate, high or significant
However, when it comes to data confidentiality we can't rely on hackers only targeting Tier 1 services. So we need to use "how well are we running this service" with "what data does the service use" to determine the confidentiality residual risk.
There are several ways to extract the information in a meaningful way. Information collected about each service can be charted graphically.
ServiceView can also generate a data centre dependency and recovery plan. A list of possible disaster scenarios are modelled by the technology For each disaster scenario the affected services are listed and a service restoration plan is automatically compiled.
By combining all the services, the service dependencies, the inherent CIA's, the residual CIA's, the data stored and the priority of each service, ServiceView can generate a complete risk report containing.
UQ is a $1.6 billion organisation heavily reliant on IT. This presentation outlines the process of assessing risk.