'Risk Based Approach' (RBA) has been the recommended way to address Information Security as per the initial standards on the subject - BS 25999, which was subsequently incorporated into ISO 27001. It has also been recommended as a foundational principle by most of the Information Security standards that have emerged subsequently, such as those put forth by ISF, COBIT etc. Although this has been so for a while, actual adoption of the risk based approach is a rather recent phenomenon. There are many reasons for this delay, the primary ones being the lack of an apparent cost benefit from Information Security investments and the growing body of compliance mandates around the subject, which led to a predominantly compliance-driven approach becoming the norm.
But with the prevalence of crippling breaches despite significant compliance-oriented investments, and with Information Risk (more fancifully referred to as Cyber Risk in recent times) acknowledged as one of the top 5 risks to global corporations, understanding of Information Security in corporations has improved and adoption of a risk based approach has rapidly gained favour. Such an approach follows a cyclic pattern:
· Risks inherent in an enterprise entity (service, process, asset etc.) are assessed by discerning the probability and frequency of various types of threats exploiting vulnerabilities inherent in the service/process/asset.
· Effectiveness of existing controls is evaluated, and residual risk is computed by subtracting the control effectiveness from the inherent risk.
· Residual risks are treated through one of four measures - avoidance, transference, acceptance or mitigation.
· Once some progress is made in risk mitigation, the cycle is repeated all over again, starting with risk assessment.
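As an added illustration of this cycle (not part of the original article), the following Python models a small risk register: inherent risk from likelihood and impact, residual risk by subtracting control effectiveness as described above, a treatment decision among the four options, and a second pass after mitigation progress. The 1-5 scales, the appetite threshold of 6, the treatment thresholds and the register entries are all constructed assumptions.

```python
from dataclasses import dataclass
# Assumed 1-5 ordinal scales for likelihood and impact (the page names no scale),
# giving an inherent score of 1-25; residual at or below RISK_APPETITE is accepted.
RISK_APPETITE = 6

@dataclass
class Risk:
    entity: str                      # service, process or asset
    threat: str                      # threat exploiting a vulnerability in it
    likelihood: int                  # probability/frequency of the threat, 1-5
    impact: int                      # 1-5
    control_effectiveness: int = 0   # score credited to existing controls
    @property
    def inherent(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual(self) -> int:
        # The page's formulation: residual = inherent minus control effectiveness.
        return max(self.inherent - self.control_effectiveness, 0)

def treatment(risk: Risk, appetite: int = RISK_APPETITE) -> str:
    """Map residual risk onto the four treatment options named on the page."""
    if risk.residual <= appetite:
        return "accept"
    if risk.inherent >= 20 and risk.control_effectiveness == 0:
        return "avoid"      # intolerable and no control has any purchase on it
    if risk.impact >= 4 and risk.likelihood <= 2:
        return "transfer"   # rare but severe: insurance or contractual transfer
    return "mitigate"

def assess(register: list[Risk]) -> dict[str, dict]:
    """One pass of the cycle: inherent -> residual -> treatment for each risk."""
    return {f"{r.entity}/{r.threat}": {"inherent": r.inherent, "residual": r.residual,
                                       "treatment": treatment(r)} for r in register}

def record_progress(register: list[Risk], progress: dict[str, int]) -> None:
    """Between cycles, credit mitigation progress as added control effectiveness."""
    for r in register:
        r.control_effectiveness += progress.get(f"{r.entity}/{r.threat}", 0)

REGISTER = [  # constructed sample register (not real data)
    Risk("payment-api", "credential stuffing", 4, 5, control_effectiveness=8),
    Risk("hr-fileshare", "ransomware", 3, 4, control_effectiveness=2),
    Risk("legacy-ftp", "unauthenticated access", 5, 5),
    Risk("datacentre", "flood", 2, 5),
]
CYCLE_1 = assess(REGISTER)                                  # first assessment
record_progress(REGISTER, {"hr-fileshare/ransomware": 6})   # e.g. backups and EDR rolled out
CYCLE_2 = assess(REGISTER)                                  # cycle repeats from assessment
```

Between the two passes only the file share's controls improved, so it drops from "mitigate" to "accept" while the other entries keep their earlier treatment.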
A similarly cyclic 'Incident based approach' (IBA) can be taken to Cyber Security, wherein incident prevention is the primary objective of the existing Cyber Security framework. Once an incident occurs, as it always does despite all preventive controls, incident triage is undertaken, followed by incident investigation, root cause analysis (RCA) and corrective and preventive action (CAPA), and controls are enhanced by ploughing the learnings back into the prevention-oriented Cyber Security framework.
In this 'Incident based approach' to Cyber Security, Digital Forensics plays an anchoring role at all the stages of the process:
· At the triage stage, an understanding of Digital Forensics is essential in order to preserve the state and evidence of the incident while taking down infected/compromised systems and restoring essential systems and services.
· During incident investigation, Digital Forensics is of central relevance and paramount importance, as the investigation relies primarily on forensics.
· It contributes in no small measure during RCA and CAPA.
· And finally, Digital Forensics can provide insights for designing more effective controls.
Even during the times when it appears to be business as usual, Digital Forensics has several contributions to make in setting up and running the day to day operations of the Cyber Security apparatus. It needs to be taken into consideration when deciding the type of access that administrators have to systems, as this can be a vital factor in retaining the capability to pick up the trail of a hacker who assumes administrative privilege or of a malicious insider who misuses it. Digital Forensics considerations are also very important when planning remote investigations on systems.
For a Cyber Security function, it may not always make sense to create a highly developed internal Digital Forensics capability. While a minimum but potent capability, such as disk imaging, limited network packet capture and mining of logs and other data, would be deemed appropriate and necessary, advanced capabilities such as forensic analysis of disk images, pattern and link analysis, and heuristic analysis of suspect logs and other data could be planned for as outsourced services. Such services should be identified as appropriate for the specific industry/business segment the enterprise belongs to, pre-configured as per management or regulatory specifications and expectations, and contractually negotiated and sanctified, so that they can be availed without any loss of time and within pre-set SLAs after the occurrence of an incident requiring Digital Forensic investigation. Return on investment would be a key consideration while configuring the above, and each enterprise would need to find its own balance with due consideration to the factors unique to it. An optimum model comprising limited essential in-house capability and bulk outsourced capability often finds greater acceptance from management and brings maximum benefit, as it leverages the competence of Digital Forensic specialists for the detailed forensic investigations.