Security - Telenor
Security - Telenor
Security - Telenor
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Consequence<br />
72<br />
Insignificant<br />
Substantial<br />
Serious<br />
Disastrous<br />
Figure 3 An example of a risk<br />
matrix with decision criteria<br />
Frequency<br />
Improbable Possible Usual Common<br />
• The risk exposure is too high; in which case it<br />
is necessary to prevent loss. A loss reduction<br />
measure is an action taken or a physical safeguard<br />
installed before a loss occurs.<br />
• The risk exposure is acceptable; in which case<br />
one should monitor the risk. No loss reduction<br />
measures should be recommended for an<br />
acceptable risk.<br />
• The risk exposure is too low; in which case<br />
one should consider removing unnecessary<br />
loss prevention measures. The argument for<br />
this is to shift a resource from unnecessary<br />
measures to more productive risk reduction<br />
measures.<br />
The recommended loss reduction measures<br />
should be grouped according to the risk mitigation<br />
strategies (avoid, prevent, reduce, transfer).<br />
<strong>Telenor</strong>’s Corporate Framework<br />
for <strong>Security</strong> Risk Analysis<br />
<strong>Telenor</strong>’s senior management has formally<br />
approved company-wide policies making risk<br />
analysis mandatory. So risk analysis is supported<br />
by senior management. The challenge to the<br />
practitioner is to balance the depth of analysis<br />
with the expected benefits of performing the<br />
analysis, and to avoid “paralysis by analysis”.<br />
<strong>Telenor</strong>’s risk analysis framework is twofold.<br />
On the one hand it consists of corporate-wide<br />
policies, guidelines and tools. On the other hand<br />
there are the policies, guidelines and tools<br />
unique to each business area. Below, we outline<br />
the corporate risk analysis tools, biased towards<br />
the security domain.<br />
<strong>Security</strong> Risk Analysis<br />
The corporate policy for systems security [6]<br />
instructs all owners of information systems to<br />
perform a security categorisation of their system,<br />
and perform a risk analysis according to the<br />
security category. The three security categories,<br />
with corresponding depth of analysis, are<br />
A Especially security critical<br />
– a thorough risk analysis is required, possibly<br />
with a series of focused risk analysis of specific<br />
vulnerabilities.<br />
B <strong>Security</strong> critical<br />
– a Standard risk analysis is required.<br />
C Not security critical<br />
– a Minimal risk analysis is required.<br />
This categorisation offers a win-win situation<br />
where managers can use the security category to<br />
filter and prioritise information, and the owner<br />
of an especially security critical system will get<br />
management’s attention while managers of other<br />
systems are relieved of unnecessarily detailed<br />
reporting. Thus the total effort a system owner<br />
must put into a security risk analysis is also minimised<br />
since the bulk of <strong>Telenor</strong>’s systems falls<br />
into category C or B.<br />
In practice, the categorisation is a simple and<br />
straightforward task, requiring an interdisciplinary<br />
team which assesses the security profile<br />
of the system according to the assessment procedure.<br />
The procedure explores five domains;<br />
economy, marketplace, dependencies, the legal<br />
framework and the security profile of the system.<br />
These five domains are explored from both<br />
the customers’ and <strong>Telenor</strong>’s point of view<br />
through a number of questions. Each domain<br />
is assigned an integer value between 1 and 5,<br />
the values are added and, depending on the sum,<br />
the security category is either A, B or C.<br />
The current security categorisation system was<br />
deployed in late spring 1999 and has given some<br />
surprises. The biggest surprise is that users generally<br />
perform a categorisation faster in real life<br />
than expected, while the quality of work meets<br />
or exceeds the expectations.<br />
An interesting result is that the categorisation<br />
procedure which translates the security attributes<br />
confidentiality, integrity and availability into the<br />
five domains appears to be an eye-opener for<br />
users unfamiliar with security.<br />
There are interesting variations in how the users<br />
perform the categorisation. Some users meticulously<br />
work through the full set of questions for<br />
each of the five domains, document all answers<br />
in detail and then work out a “correct” value for<br />
each domain and finally select the appropriate<br />
security category. Other users skip questions<br />
they do not like, slap an integer value they are<br />
happy with on each domain, and summarily<br />
select the appropriate category – and are done<br />
with the job. In one case users in different business<br />
areas have categorised almost identical sys-<br />
Telektronikk 3.2000