Security Risk Assessment
“Successful businesses understand the value of timely, accurate information, good communications and secrecy. Information security is as much about exploiting the opportunities of our interconnected world as it is about risk management”
- Cost, especially unbudgeted cost: Business and even IT units do not want to spend money on security controls unless they are absolutely necessary, and "necessary" usually means tied to regulatory compliance or an audit finding. The business unit will therefore understate the privacy or security risk to avoid spending the money.
- Unplanned activity: Any unplanned activity, whether part of a project or of a yearly operating plan, will generate at minimum tension or push-back. Project teams and management in general are inherently averse to doing tasks they did not plan for.
- Miscommunication: Security managers often describe a risk as a missing control or a policy non-compliance, not in terms of the operational or educational risk it creates for the business. As a result it is hard to reach consensus on mitigating the risk, regardless of which control is proposed.
- User or customer impact: Any security control that changes the user experience will create resistance. Even something as benign as increasing the minimum password length creates anxiety for business managers, who will likely overstate implementation costs and try to delay implementation.
- Incorrect estimates of control costs: Sometimes the business or IT unit is uncertain about the implementation cost and estimates the cost of the security controls incorrectly, in either direction.
- Reliance on mitigating controls that do not effectively address the risk: A typical example is relying on manual review of system event logs instead of implementing an event monitoring system; manual review does not scale with log volume and only finds an intrusion after the fact, so it does not actually reduce the likelihood or impact the risk register credits it with.
“In an assessment, the assessor should have the full cooperation of the organization being assessed. The organization grants access to its facilities, provides network access, outlines detailed information about the network, etc. All parties acknowledge that the goal is to study security and identify improvements to secure the systems. An assessment is potentially the most useful of all security tests, but it is also the hardest to define”
“To help understand threats and their impact on assets, a mapping of threats with impact is necessary. The following four impact categories list threats, both direct and indirect, and indicate areas where a given threat may have an impact.”
- Security requirements and objectives
- System or network architecture and infrastructure, such as a network diagram showing how assets are configured and interconnected
- Information available to the public or accessible from the university's web site
- Physical assets, such as hardware, including those in the data centre, network and communication components, and peripherals (e.g., desktops, laptops and smartphones, including BYOD devices)
- Operating systems, such as PC and server operating systems, and network management systems
- Data repositories, such as database management systems and files
- Security systems in use, such as access control mechanisms, change control, antivirus, spam control and network monitoring
- Governance and compliance pertaining to minimum security control requirements
- Identify business needs and changes to requirements that may affect overall IT and security direction.
- Review adequacy of existing security policies, standards, guidelines and procedures.
- Analyze assets, threats and vulnerabilities, including their impacts and likelihood.
- Assess physical protection applied to computing equipment and other network components.
- Conduct a technical and procedural review and analysis of the network architecture, protocols and components to ensure that they are implemented according to the security policies.
- Review and check the configuration, implementation and usage of remote access systems, servers, firewalls and external network connections, including the client Internet connection.
- Review logical access and other authentication mechanisms.
- Review current level of security awareness and commitment of staff within the organization.
- Review agreements involving services or products from vendors and contractors.
- Develop practical technical recommendations to address the vulnerabilities identified, and reduce the level of security risk.
“When considering the impact of a successful attack, it's important to realize that there are two kinds of impacts. The first is the "technical impact" on the application, the data it uses, and the functions it provides. The other is the "business impact" on the business and company operating the application.” OWASP Risk Rating [13].
An impact assessment (also known as impact analysis or consequence assessment) estimates the degree of overall harm or loss that could result from the exploitation of a security vulnerability. Quantifiable elements of impact include effects on revenue, profit, cost, service levels, regulatory standing and reputation. It is necessary to consider the level of risk that can be tolerated, and how, what and when assets could be affected by such risks. The more severe the consequences of a threat, the higher the risk. For example, if research IP is compromised, the cost to the university is the loss of its intellectual property and the plagiarism of the original research work.
A likelihood assessment estimates the probability of a threat occurring. In this type of assessment, it is necessary to determine the circumstances that affect the likelihood of the risk materialising. Normally, the likelihood of a threat increases with the number of authorized users, since every account and endpoint is a further avenue for attack or misuse.
A systems example is the high likelihood of attempts to exploit a newly published vulnerability in an installed operating system as soon as the vulnerability is disclosed (and higher still once a public exploit is available). If the affected system is classified as critical, the impact is also high. As a result, the risk of this threat is high.
For each identified risk, its impact and likelihood must be determined to give an overall estimated level of risk. Assumptions should be clearly stated when making the estimate. This two-dimensional measurement of risk lends itself to an easy visual representation of the assessment's conclusions. See figure 1 for an example risk map.
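The likelihood-by-impact rating described above, written out as runnable code. This is an added example, not code from the page or from the sources it cites; it follows the scoring scheme published in the OWASP Risk Rating Methodology (each likelihood and impact factor scored 0-9, factor scores averaged and bucketed LOW below 3, MEDIUM from 3 to below 6, HIGH at 6 and above, then combined in a 3x3 severity matrix). The factor names, the three sample risks and every score below are constructed for illustration, not measured values; the first sample is the operating-system vulnerability case from the text, the second the research-IP case.

```python
"""Two-dimensional (likelihood x impact) risk rating with a risk map.

Added example following the OWASP Risk Rating Methodology's public scheme.
Factor names, sample risks and scores are constructed for illustration.
"""
from dataclasses import dataclass, field
from statistics import mean

LOW, MEDIUM, HIGH = "LOW", "MEDIUM", "HIGH"

# OWASP overall severity matrix, indexed as SEVERITY[impact][likelihood].
SEVERITY = {
    HIGH:   {LOW: "Medium", MEDIUM: "High",   HIGH: "Critical"},
    MEDIUM: {LOW: "Low",    MEDIUM: "Medium", HIGH: "High"},
    LOW:    {LOW: "Note",   MEDIUM: "Low",    HIGH: "Medium"},
}


def bucket(score: float) -> str:
    """Map a 0-9 factor average onto the three OWASP levels."""
    if not 0 <= score <= 9:
        raise ValueError(f"factor average out of range: {score}")
    if score < 3:
        return LOW
    if score < 6:
        return MEDIUM
    return HIGH


@dataclass
class Risk:
    name: str
    likelihood: dict          # threat-agent and vulnerability factors, each 0-9
    technical: dict           # technical impact factors (C, I, A, accountability)
    business: dict = field(default_factory=dict)  # business impact factors, optional

    def likelihood_level(self) -> str:
        return bucket(mean(self.likelihood.values()))

    def impact_level(self) -> str:
        # OWASP: business impact is the meaningful measure when the business
        # has supplied it; otherwise fall back to the technical impact.
        factors = self.business or self.technical
        return bucket(mean(factors.values()))

    def severity(self) -> str:
        return SEVERITY[self.impact_level()][self.likelihood_level()]


def risk_map(risks):
    """Group risk names into the 3x3 impact/likelihood grid of a risk map."""
    grid = {imp: {lik: [] for lik in (LOW, MEDIUM, HIGH)} for imp in (HIGH, MEDIUM, LOW)}
    for r in risks:
        grid[r.impact_level()][r.likelihood_level()].append(r.name)
    return grid


def render_risk_map(grid) -> str:
    """Render the grid as text: impact rows (high to low), likelihood columns."""
    lines = ["impact \\ likelihood | LOW | MEDIUM | HIGH"]
    for imp in (HIGH, MEDIUM, LOW):
        cells = [", ".join(grid[imp][lik]) or "-" for lik in (LOW, MEDIUM, HIGH)]
        lines.append(f"{imp:<19} | " + " | ".join(cells))
    return "\n".join(lines)


# Constructed sample risks; scores are illustrative, not measured.
SAMPLE_RISKS = [
    # Newly published OS vulnerability on a system classified as critical.
    Risk("unpatched OS vuln on critical server",
         likelihood={"skill": 5, "motive": 9, "opportunity": 7, "size": 9,
                     "discovery": 9, "exploit": 9, "awareness": 9, "detection": 8},
         technical={"confidentiality": 9, "integrity": 7, "availability": 7, "accountability": 9},
         business={"financial": 7, "reputation": 9, "compliance": 7, "privacy": 7}),
    # Research IP on a departmental file share reachable only on campus.
    Risk("research IP on shared drive",
         likelihood={"skill": 6, "motive": 4, "opportunity": 4, "size": 6,
                     "discovery": 3, "exploit": 3, "awareness": 4, "detection": 8},
         technical={"confidentiality": 7, "integrity": 2, "availability": 2, "accountability": 5},
         business={"financial": 7, "reputation": 5, "compliance": 2, "privacy": 3}),
    # Lobby kiosk with no business scores supplied, so technical impact is used.
    Risk("defacement of lobby kiosk",
         likelihood={"skill": 9, "motive": 1, "opportunity": 7, "size": 5,
                     "discovery": 3, "exploit": 5, "awareness": 4, "detection": 9},
         technical={"confidentiality": 0, "integrity": 3, "availability": 3, "accountability": 1}),
]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(f"{r.name}: likelihood={r.likelihood_level()} impact={r.impact_level()} -> {r.severity()}")
    print(render_risk_map(risk_map(SAMPLE_RISKS)))
```

The server case averages above 6 on both axes and lands in the Critical cell; the research-IP case is MEDIUM on both and rates Medium; the kiosk has MEDIUM likelihood but LOW technical impact and rates Low. Recording the individual factor scores, rather than only the final cell, is what makes the assumptions behind each placement reviewable.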
“At Notre Dame University,.
What makes the group different from many management teams is how it looks at risks, and how it reacts to risks. This diverse group has created a simple process of yearly assessments.
- A way to ensure that security risks are managed in a cost-effective manner
- A process framework for the implementation and management of controls to ensure that the specific security objectives of a university are met
- A definition of new information security management processes
- Use by management to determine the status of information security management activities
- Use by internal and external auditors to determine the degree of compliance with the policies, directives and standards adopted by the university
- For implementation of business-enabling information security
- To provide relevant information about information security to customers
- "ISO/IEC 27001:2013, Information Technology – Security Techniques – Information Security Management Systems, 2nd Edition" 25 SEPT 2013, WEB, 13 February 2015
- "ISO/IEC 27002:2013, Information Technology – Security Techniques – Code of Practice for Information Security Management, 1st Edition" 13 OCT 2013, PDF, 13 February 2015.
- "NISTIR 7328, Security Assessment Provider Requirements and Customer Responsibilities: Building a Security Assessment" SEPT 2007, PDF, 13 February 2015.
- "NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems: Building Effective Security Assessment Plans" JUN 2010, PDF, 13 February 2015.
- "Technical Guide to Information Security Testing and Assessment" SEPT 2008, PDF, 13 February 2015.
- "Implementing a Successful Security Assessment Process" AUG 2001, PDF, 13 February 2015.
- "Prioritizing Information Security Risk with Threat Agent Risk Assessment" DEC 2009, PDF, 13 February 2015.
- "Critical Security Controls: From Adoption to Implementation" SEPT 2014, PDF, 13 February 2015.
- "Security Assessment" WEB, 13 February 2015
- "The transformation of IT Risk Management" PDF, 13 February 2015
- “Security-Risk-Assessment-Process-a-Team-Effort-at-Notre-Dame” WEB, 13 February 2015
- “A Perspective on Threats in the Risk Analysis Process” PDF, 13 February 2015
- “Using Risk Assessment To Prioritize Security Tasks And Processes” WEB, 13 February 2015