The IT GRaCkle Podcast #2 - Operational Risk Taxonomies
powers-old-account
On this episode, a new Operational Risk Taxonomy from CMU's SEI, the Bastardization of Cyberspace, and Cloud Computing as Data Protection Control.
CMU SEI recently released a paper outlining a proposed risk taxonomy for operational cyber security risks which has sparked a fair amount of debate and chatter about whether we really need another risk taxonomy in the world. I want to briefly review a couple of the more well known ones then talk about the new one from CMU.
Basel III is in the works and as I understand will start being phased in to enforcement in 2013. I have not been following it closely, but I don't think it makes any major changes to operational risk calculations.
Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. This definition includes legal risk, but excludes strategic and reputation risk.
See the famous Annex 9 of the Basel II Comprehensive Framework for the Basel II Risk Event Types, which is their version of an operational risk taxonomy.
Basel II encourages banks to develop their own set of operational risk categories that match the unique nature of the bank. So these event types aren't prescriptive or normative.
COSO Enterprise Risk Management Framework
Does not define a specific taxonomy. But the Framework does list a set of Internal and External factors that drive risk events:
The COSO documents provide several non-normative examples of risk event categories, and it's worth flipping through them to see if any of them would be useful in your operational risk taxonomy.
Carnegie Mellon's Software Engineering Institute paper on Taxonomy of Operational Cyber Security Risks
Acknowledges that it starts from the Basel II Framework
Its top-level hierarchy of risks reads almost word for word the same as Basel II's:
Actions of People
Systems and Technology Failures
Failed Internal Processes
Looking at the level two categories in the CMU hierarchy, you get the sense that they've removed the banking focus from the Basel II event types and filled in some around the edges.
The result is something that's more general purpose than the Basel II risk event types and more complete and specific than the COSO ERM standard.
What's important is not your starting point in the framework, but what you fill in the categories with. My suggestion is to pick any of the frameworks I've discussed, or look at all three, put a rough set of first- and second-level category hierarchies in place, and start populating the hierarchies with actual identified risks to your organization, slotting each into the appropriate category. Whenever you get a category that has more than about 7 events in it, consider splitting the category into some sub-categories.
One of the things to consider is that the hierarchy of categories is likely to be used as an approach to dividing up the work of assessing risks and proposing mitigation plans. So it helps to keep the potential division of responsibilities in mind when devising your categories. In fact, you may even want to consider using the management structure of your organization as one of the organizing principles in your risk taxonomy.
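As an added example (not from the podcast or from CMU's paper), here is a small Python model of the procedure just described: start from a first-level hierarchy (the three CMU top-level classes listed above), slot identified risks into second-level categories, flag any category that grows past the "about 7 events" rule of thumb, and, following the suggestion to use the management structure as an organizing principle, propose sub-categories by owning organizational unit. The sample risks and owner names are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Risk:
    name: str
    owner: str  # organizational unit that will assess it and propose mitigations


@dataclass
class Category:
    name: str
    risks: list = field(default_factory=list)
    children: dict = field(default_factory=dict)

    def get_or_create(self, path):
        """Return the category at `path` (a tuple of names), creating missing levels."""
        node = self
        for part in path:
            node = node.children.setdefault(part, Category(part))
        return node


class RiskTaxonomy:
    """A first/second-level category hierarchy populated with identified risks."""

    SPLIT_THRESHOLD = 7  # the "more than about 7 events" rule of thumb

    def __init__(self, top_level):
        self.root = Category("root")
        for name in top_level:
            self.root.get_or_create((name,))

    def add_risk(self, path, risk):
        # Only the first level is fixed; second-level categories are created on demand.
        if path[0] not in self.root.children:
            raise KeyError(f"unknown top-level category: {path[0]!r}")
        self.root.get_or_create(tuple(path)).risks.append(risk)

    def walk(self, node=None, path=()):
        """Yield (path, category) for every category below `node`, depth first."""
        if node is None:
            node = self.root
        for name, child in node.children.items():
            child_path = path + (name,)
            yield child_path, child
            yield from self.walk(child, child_path)

    def categories_to_split(self, threshold=SPLIT_THRESHOLD):
        """Paths of categories holding more risks than the threshold."""
        return ["/".join(p) for p, c in self.walk() if len(c.risks) > threshold]

    def suggest_split_by_owner(self, path):
        """Group a category's risks by owner: one candidate sub-category per owner."""
        groups = {}
        for risk in self.root.get_or_create(tuple(path)).risks:
            groups.setdefault(risk.owner, []).append(risk.name)
        return groups


# The three top-level classes the show notes quote from the CMU SEI taxonomy.
CMU_TOP_LEVEL = ("Actions of People", "Systems and Technology Failures",
                 "Failed Internal Processes")


def build_example():
    """Constructed sample register (illustrative, not from any real assessment)."""
    t = RiskTaxonomy(CMU_TOP_LEVEL)
    inadvertent = ("Actions of People", "Inadvertent")
    for name, owner in [
        ("Spreadsheet with customer data sent to wrong recipient", "Business Units"),
        ("Laptop with unencrypted disk left in a taxi", "Business Units"),
        ("Staff member enters credentials on a phishing page", "Business Units"),
        ("Production database dropped during maintenance", "IT Operations"),
        ("Firewall change exposes an internal service to the internet", "IT Operations"),
        ("Backup job silently disabled after a server migration", "IT Operations"),
        ("Shared admin password pasted into team chat", "IT Operations"),
        ("Wrong patch applied; core switch reboots in business hours", "IT Operations"),
    ]:
        t.add_risk(inadvertent, Risk(name, owner))
    t.add_risk(("Systems and Technology Failures", "Hardware"),
               Risk("SAN controller failure", "IT Operations"))
    t.add_risk(("Failed Internal Processes", "Process Design"),
               Risk("No review step for privileged access grants", "Security"))
    return t


if __name__ == "__main__":
    taxonomy = build_example()
    for cat in taxonomy.categories_to_split():
        print(cat, "->", taxonomy.suggest_split_by_owner(cat.split("/")))
```

Running it flags only "Actions of People/Inadvertent" (8 risks) and proposes two sub-categories, one per owning unit, which is exactly the split that also hands each unit its own assessment work.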
The Bastardization of Cyberspace
William Gibson, from Neuromancer
Cyberspace. A consensual hallucination experienced daily by billions of legitimate operators, in every nation, by children being taught mathematical concepts... A graphic representation of data abstracted from the banks of every computer in the human system. Unthinkable complexity. Lines of light ranged in the nonspace of the mind, clusters and constellations of data. Like city lights, receding.
William Gibson has since said many times that the term is essentially meaningless, a nice sounding buzzword.
But the term took hold and the vacuum of meaning was eventually filled in by a community of cyberpunk writers. Many people agree that Bruce Sterling wrote the best definition of cyberspace in the introduction to The Hacker Crackdown:
Cyberspace is the "place" where a telephone conversation appears to occur. Not inside your actual phone, the plastic device on your desk. Not inside the other person's phone, in some other city. The place between the phones. [...] in the past twenty years, this electrical "space," which was once thin and dark and one-
In short, it's the place we all co-exist in when we are participating in online activities.
So it amuses me that today, the term cyberspace has turned into almost exactly the opposite of what it was intended to mean, thanks to governments adopting the term Cyber this and Cyber that in their initiatives.
In the original Bruce Sterling definition, he was very clear to indicate that cyberspace was not the phone or the computer or the wires and switches that connect the two telephones. It is a meeting of the minds. It's a locus of attention that the two share.
But today when you hear the term cybersecurity used in the context of national security programs of various sorts, what they are really talking about is the phone wires. Or more broadly, the broad set of infrastructure necessary to keep a nation moving and make a government work. Power grids, water supplies, transportation systems.
In the United States this stuff is generally known as critical infrastructure, and the US Patriot Act defines the set of critical infrastructure categories:
Agriculture and food – Departments of Agriculture and Health and Human Services
Water – Environmental Protection Agency
Public Health – Department of Health and Human Services
Emergency Services – Department of Homeland Security
Government – Department of Homeland Security
Defense Industrial Base – Department of Defense
Information and Telecommunications – Department of Commerce
Energy – Department of Energy
Transportation and Shipping – Department of Transportation
Banking and Finance – Department of the Treasury
Chemical Industry and Hazardous Materials – Department of Homeland Security
Post – Department of Homeland Security
National Monuments and Icons – Department of the Interior
Critical Manufacturing – Department of Homeland Security (14th sector announced 03-Mar-2008; recorded 30-Apr-2008)
But no one liked the term "infrastructure". Even putting the term "critical" in front of it did not make it sexy enough. So Federal agencies rushed wholesale into co-opting the term cybersecurity.
The FBI has a cyber crime unit.
The DoD has a Cyber Command.
The DHS has a Securing Cyberspace initiative and cyber incident response plans.
And all these things have to do with the stuff, not the idea.
I think it's far too late to try to push back the tide. There's no way we're going to stop agencies from using the term Cyber when they shouldn't.
But my question is, what word are we going to use for the original meaning of the term cyberspace, that place where we go to when we have a phone call or participate in an online activity? Because it's an important idea that shouldn't be lost.
Got a suggestion? Send it to calv
Cloud Computing as a Data Protection Control
Recently attended CloudCamp RDU. As far as I know it was the first such unconference devoted to cloud computing in the Raleigh-Durham area. And amazingly, it was held about 5 minutes from my house in Carrboro NC.
If you aren't familiar, unconferences are run much like traditional industry conferences. They are focused on a topic or theme. They have presentations and discussion panels. They have lots of meet-and-greet time and hall talk time. But instead of having a fixed set of panels determined by a committee, the attendees propose panels at the beginning of the event and the participants vote on which panels they want to attend. It's like crowdsourcing the agenda.
One of the most interesting talks was a presentation by Stuart Jeffreys, PhD, from the University of North Carolina at Chapel Hill Lineberger Cancer Center.
His talk was "The Genomics Data Crisis." Sadly, his presentation has not been posted online, so I'll have to summarize. He walked through the amount of storage needed to store genomic sequencing samples and the IT challenges it presents. We're talking crazy big amounts of data. He then walked through some very rough back-of-the-envelope math about the IT costs associated with that much data, and proceeded to show the rates of growth in the amount of genomic data that's being collected and stored. It's very easy to see a crisis coming.
This reminds me of a brief analysis I did a long time ago when I was looking at whether or not it was cost effective to store the MP3 files associated with my podcasts in Amazon S3. My conclusion then was essentially the same: the transfer costs to download files out of S3 dwarfed all other considerations by almost an order of magnitude, and Amazon S3 was not a viable option for storing media files for my podcast.
So what's the solution? Bigger pipes to the data repositories? Sure. Well, maybe. Never say no to more bandwidth, that's my motto. But I chatted with Stuart during a break and he said that they are looking at ways to avoid the huge transfer costs. The bottom line is, they are looking to take the application to the data, not the data to the application.
And so the PC/internet revolution gives way to the era of Big Data and Cloud Computing. A purpose-built cloud platform that envelops the huge data repository, standardizes how the data is accessed, provides a standard, well-documented application environment developers can work with, and provides metered billing for running applications can be a more cost effective way to run the research.
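To make the back-of-the-envelope argument concrete, here is an added cost model (my own illustration, not the figures from Stuart's talk or from my old S3 analysis). It compares "data goes to the application" (every analysis run pulls the whole data set out of storage) with "application goes to the data" (runs execute next to the repository and only results leave). All unit prices and workload numbers are constructed assumptions; substitute your provider's current price list.

```python
# Assumed unit prices (constructed for this example, not a provider's actual tariff)
STORAGE_USD_PER_GB_MONTH = 0.15
EGRESS_USD_PER_GB = 0.17
COMPUTE_USD_PER_HOUR = 0.10


def data_to_application_cost(dataset_gb, full_pulls_per_month,
                             storage=STORAGE_USD_PER_GB_MONTH,
                             egress=EGRESS_USD_PER_GB):
    """Monthly cost when each analysis run downloads the entire data set."""
    storage_cost = dataset_gb * storage
    egress_cost = dataset_gb * full_pulls_per_month * egress
    return {
        "storage": storage_cost,
        "egress": egress_cost,
        "total": storage_cost + egress_cost,
        # How many times larger the transfer bill is than the storage bill
        "egress_to_storage_ratio": egress_cost / storage_cost if storage_cost else float("inf"),
    }


def application_to_data_cost(dataset_gb, runs_per_month, hours_per_run, results_gb_per_run,
                             storage=STORAGE_USD_PER_GB_MONTH,
                             egress=EGRESS_USD_PER_GB,
                             compute=COMPUTE_USD_PER_HOUR):
    """Monthly cost when runs execute inside the platform and only results are exported."""
    storage_cost = dataset_gb * storage
    compute_cost = runs_per_month * hours_per_run * compute
    egress_cost = runs_per_month * results_gb_per_run * egress
    return {
        "storage": storage_cost,
        "compute": compute_cost,
        "egress": egress_cost,
        "total": storage_cost + compute_cost + egress_cost,
    }


def cheaper_strategy(dataset_gb, runs_per_month, hours_per_run, results_gb_per_run):
    """Name the cheaper deployment for a workload that touches the whole data set each run."""
    pull = data_to_application_cost(dataset_gb, runs_per_month)
    near = application_to_data_cost(dataset_gb, runs_per_month, hours_per_run, results_gb_per_run)
    return "application to data" if near["total"] < pull["total"] else "data to application"


if __name__ == "__main__":
    # Constructed workload: a 1 TB repository analysed ten times a month,
    # four compute hours per run, 5 GB of results per run.
    print(data_to_application_cost(1000, 10))
    print(application_to_data_cost(1000, 10, 4, 5))
    print(cheaper_strategy(1000, 10, 4, 5))
```

With these assumptions the storage line is $150 a month either way, but pulling the data out ten times costs $1,700 in transfer (over eleven times the storage bill), while running next to the data costs $4 of compute plus $8.50 to export results. The transfer term scales with data set size times run count, which is why it dominates as repositories grow.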
Sure, cloud computing has many security challenges associated with protecting the platform from outside attacks as well as making sure co-tenants are protected from each other. This is often seen as a drawback of cloud computing. But when you step back and look at some of the big picture issues, cloud computing also becomes a key strategy in saving money and a primary security control for protecting Big Data: the data set stays in one governed repository instead of being copied out to every researcher's machine.
The call of the grackle was contributed to the public domain by G. McGrane and is hosted in the WikiCommons. This podcast is hosted by IBM developerWorks, but the opinions expressed are only those of the hosts and guests.
Visit www.itgrackle.com for more episodes of the podcast and to sign up for the free weekly newsletter.