A Practical Guide to Security Assessments
the process of assigning values to the criteria is not an exact science and that some
judgment will be required. The next two sections will discuss each of these concepts
in detail and provide criteria for assigning numerical values to each of the variables.
Business Impact
Business impact is a combination of the potential impact to the business if there is
a security breach and the probability that a security breach could occur. In this
methodology, business impact is calculated without the consideration of any internal
controls or security measures that might be in place. The existing security measures
and internal controls will be accounted for when the “level of control” is determined.
As a result, in determining the business impact, only the probability of a security
breach and the potential impacts of a security breach are examined.
To quantify these characteristics, Table 8.1 and Table 8.2 offer guidance for the
potential impact to the business and the probability that a security breach could
occur. Each table contains guidance for determining a high, medium, or low score
for each of the characteristics. The high, medium, and low scores translate to scores
of 3, 2, and 1 respectively. This numerical value will be used in the calculation of
business impact.
Table 8.1 addresses the potential impacts to the business. This is information
that should have been gathered in previous meetings with business process and
technology owners. If needed, the client subject matter experts should be consulted
again to thoroughly understand the impacts of the security risks identified.
Table 8.1 lists criteria for assigning numerical values for potential impact to the
business. Note that this is a guideline — it can be modified if needed for a given
client, as different clients may have different criteria. Note: When doing this analysis,
finalize these criteria first so that all findings are measured against the same criteria.
The examples of potential impacts are there to help you determine the best classification
of a given risk.
The criteria above should help you classify the impact of your findings in a consistent
manner. Note that a given finding does not have to meet all of the items listed in a
particular category. For example, you could have a finding that you classify as having
a “high” business impact because of the cost to address the security breach, even
though an effective workaround exists. You might instead classify this risk as
“medium” because there is an effective workaround. This is where your judgment
comes in and why there is a fair degree of subjectivity to this process. The key is
to apply your judgment as consistently as possible.
Table 8.2 defines the criteria for assigning values to the probability that a breach
could occur. In this methodology, probability is thought of as a high, medium, or
low likelihood that the vulnerability associated with a finding can be exploited. Like
the previous one, this is a highly subjective rating and will require judgment and a
good knowledge of the business. Again, you must apply your judgment consistently
across all findings. This probability, combined with the potential impact, will be used
to calculate the business impact.
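As an added illustration (not from the book), the following Python sketch encodes the scoring described above: high/medium/low map to 3/2/1, a finding's existing controls are deliberately left out of the business impact calculation, and any finding rated with a value outside the finalized criteria is rejected so that all findings are measured the same way. The book does not state how impact and probability are combined, so the product used here is an assumption; the findings and ratings are constructed sample data.

```python
from dataclasses import dataclass

# Finalized rating scale from Tables 8.1 and 8.2: high/medium/low -> 3/2/1.
SCORE = {"high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    name: str
    impact: str                   # potential impact to the business (Table 8.1)
    probability: str              # likelihood the vulnerability can be exploited (Table 8.2)
    existing_controls: tuple = () # accounted for later under "level of control", never here


def rating_score(rating: str) -> int:
    """Translate a high/medium/low rating to 3/2/1; reject anything outside the criteria."""
    key = rating.strip().lower()
    if key not in SCORE:
        raise ValueError(f"rating {rating!r} is not one of the finalized criteria {sorted(SCORE)}")
    return SCORE[key]


def business_impact(finding: Finding) -> int:
    """Business impact from impact and probability only.

    Existing controls are intentionally ignored; they belong to the separate
    "level of control" step. Combining by multiplication is an assumption made
    for this example, since the text does not give the formula.
    """
    return rating_score(finding.impact) * rating_score(finding.probability)


def rank_findings(findings):
    """Return (name, business_impact) pairs, highest business impact first."""
    scored = [(f.name, business_impact(f)) for f in findings]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample findings. The first two show the judgment call in the text:
# the same weakness rated "high" because of remediation cost, or "medium" because
# a workaround exists. Whichever you choose, apply it the same way everywhere.
SAMPLE_FINDINGS = (
    Finding("weak admin password policy (cost view)", "high", "medium", ("log review",)),
    Finding("weak admin password policy (workaround view)", "medium", "medium", ("log review",)),
    Finding("unpatched internal file server", "high", "high"),
    Finding("verbose error pages on intranet app", "low", "low", ("WAF",)),
)
```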
As you can see, both components that determine the business impact are highly
subjective and require judgment. The second component, the probability of a security