The CISO’s Perspective
“It’s not important because it’s policy, its policy because it’s important.” — Gary Declute
After working on it for about a year, we are in the end stages of walking the Cybersecurity Risk Management Policy through the emerging IT Governance structure. And, with great hope and anticipation, we should have it published in a few months as a UW-Madison wide policy.
It’s time to think about what changes we can expect from implementing the Risk Management Framework established in the policy. The level of understanding we have in our systems and the inherent risk issues that come with operating one of the most complex and diverse information enterprises will increase.
Not that we are necessarily increasing risk, more like we will know what the risk is in a quantified and qualified way. As Bruce Maas has been leading us toward measuring and managing risk under the FAIR (Factor Analysis of Information Risk) model, the need to understand how to count and establish trends associated with the day-to-day events is critically important. Our soon to be Interim Chief Information Officer, Michael Lehman, tells us that you can’t manage what you do not measure. As of the first week in March, our Risk Register shows 55 packages of which 39 are initially labeled as “High” or “Unknown” risk. This means they may not be fully evaluated due to resource issues or they are missing important information. Of the packages that have been fully evaluated, nine are labeled as High risk with specific actions identified on a formal plan of action and milestones guiding them to lower risk levels, as represented in the graphic.
(L x I)
|UW-Madison Defined Risk Levels|
| CRITICAL Risk
| Likelihood: Evidence of exploitation of a vulnerability by a threat actor against the asset has been discovered or enough evidence is seen to suspect exploitation has occurred in the past.
Mission Impact: Political, financial, legal, operational or reputational impacts will be felt for two or more years. Damages impact at least an entire UW-Madison Division, or multiple departments across divisions.
Action: Immediate action is required to reduce the risk. Systems designated with CRITICAL risk exposure may be required to be disconnected until resolutions or mitigations are found. CRITICAL risks found during a security risk assessment must be communicated upon discovery.
| HIGH Risk
|Likelihood: Exploitation of a vulnerability by a threat actor against the asset is highly likely, although evidence to suggest exploitation has occurred has not been found.
Mission Impact: Political, financial, legal, operational or reputational impacts will be felt for 6 months, up to two years OR damages impact at least an entire UW-Madison Division, or multiple departments across divisions.
Action: Prompt action is required to reduce the risk. All HIGH risks must be reduced before the close of the next semester of instruction.
| MEDIUM Risk
|Likelihood: Exploitation of a vulnerability by a threat actor against the asset is likely in general; some controls are in place to reduce the likelihood of occurrence against the specific asset.
Mission Impact: Political, financial, legal, operational or reputational impacts may be felt for a month or more, but less than a year AND damages would impact three of fewer departments contained in a single UW-Madison division.
Action: Prioritization of remediation efforts is required for all MEDIUM risks. Prioritization must be completed in less than three months. Execution of remediation efforts for MEDIUM risks is based on prioritization relative to other MEDIUM rated risks for the same system or environment.
| LOW Risk
| Likelihood: Exploitation of a vulnerability by a threat actor is difficult in general requiring expertise beyond one person with advanced computer skills or resources beyond those generally possessed by an individual. If exploitation is within reach of individuals, then our systems have controls to make it unlikely to experience an incident, in a defined time frame.
Mission Impact: Political, financial, legal, operational or reputational impacts will be minimal. Operational impacts include: short term reallocation of current IT professionals and resources with localized or minor interruption of project work and non-mission critical services; the data custodian will be inconvenienced for some hours, but definitely less than one week.
Action: Required action is limited to making the data custodians and their leadership aware of the risk. The risk must be tracked and reviewed at the next risk assessment, or sooner if changes to the likelihood or impact become apparent.
| No Risk
| Likelihood: Exploitation of this risk is not expected over the course of a defined time frame. The difficulty or expense of exploitation of the documented vulnerability is beyond most known organized crime groups.
Mission Impact: No noticeable impact to any part of UW-Madison is predicted if the exploitation occurs.
Action: Documentation in the risk register is required. Included the findings of NO RISK for the asset, from the specified threat-vulnerabilty.
The risk level is expected to spike as we perform more initial risk assessments. As we are starting with higher risk data such as human resources, student information and financial related information systems with more stringent security controls applied, we expect an overall risk rating to be High with eventual settling of risk to lower levels as more systems are evaluated and appropriate controls are applied. We also have the opportunity to reevaluate where “Restricted” and “Sensitive” information is stored as we discover more about the information systems and architecture.
Good cybersecurity is a journey, not a destination. This is a popular mantra and makes for a good bumper sticker. Of course a bumper sticker could easily say “my other car is low risk.” Knowing that the Office of Cybersecurity is committed to reducing risk, understanding where your leadership wants to draw that line of cost effectiveness and return on investment becomes a daily discussion. Do you know what direction your IT services group is heading?
As always, I appreciate your feedback. Simple rules – be nice, be fair and be honest.
Please e-mail your thoughts to firstname.lastname@example.org and we will periodically post them with helpful answers.
Next Blog: What does Copernicus know about cybersecurity operations?