Risk Analysis and Final Presentation
The score associated with the level of control is higher as the level of
control becomes worse.
The level of control should be determined for each finding and its associated risk.
When determining the level of control, remember that the criteria above
are only guidance to help come up with a score. All of the items listed
for each level of control might not be applicable, so some judgment must
be exercised.
One item that is addressed in each level of control is whether appropriate
security measures are in place. Related to this, there are two key points
to consider:
Do not forget about mitigating controls. Although there may not be
any security measures in place to directly address the risk, there might
be other mitigating controls in place later in the process that can reduce
the given risk. This is where having a good understanding of the
business process is so essential. Mitigating controls tend to be controls
that are detective in nature, i.e., you find out something happened after
the fact. Depending on the risk, this might be appropriate.
TABLE 8.4
Level of Control

Level of Control   Criteria
1                  Appropriate security measures in place
                   Security procedures consistently followed
                   Documented security policy and procedure in place
                   Continuous auditing in place to facilitate ongoing enforcement and updates to the process as required
2                  Appropriate security measures in place
                   Security procedures consistently followed
                   Documented security policy and procedure in place
                   Mitigating controls in place
                   No consistent enforcement
3                  Appropriate security measures in place
                   Documented security policy and procedure in place
                   Security procedures not consistently followed
                   Weak mitigating controls in place
                   No enforcement
4                  Appropriate security measures in place
                   Security policy and procedure exist but are not documented
                   Security procedures are done on an ad-hoc basis — i.e., when someone feels like doing it
                   No mitigating controls
                   No enforcement
5                  Nothing is being done to address the security risk
                   No security processes or policies or procedures in place
                   No mitigating controls in place
AU1706_book.fm Page 203 Tuesday, August 17, 2004 11:02 AM
A Practical Guide to Security Assessments
Note that the wording used in the criterion is “appropriate” security measures. The foundation of this methodology is that security measures must be aligned with business processes and that these security measures should be appropriate and cost effective based on the given risk. As you review what security measures are in place, you may find that too much or too little security is in place, indicating a potentially inefficient use of resources. This might be an opportunity to provide recommendations to make better use of these resources and potentially streamline the security process associated with the risk.
Determination of Risk Score
The risk score is basically a quantification of the risks uncovered during the course
of the security assessment. Recall that one of the primary objectives of conducting
a security assessment was to provide clients an information security roadmap that
contains prioritized security initiatives. The risk score, which quantifies the risk
associated with the findings, provides a method to help prioritize the next steps using
a consistent and objective methodology.
A risk score should be determined for all of the findings and associated risks
identified during the security assessment. It is calculated by multiplying the business
impact and the level of control, which were determined in the previous sections.
The risk score is calculated as follows:

Risk Score = Business Impact × Level of Control
Once you calculate the risk score, you can review Table 8.5 to determine where it
rates on a high, medium, low scale.
The risk score, for simplicity’s sake, can be classified as noted in the table below.
This table can be used to quickly determine the classification for a given finding
and associated risk.
TABLE 8.5
Risk Score

                          Level of Control
Business Impact           1            2            3            4            5
High      9               9 — Low     18 — Medium  27 — Medium  36 — High    45 — High
          8               8 — Low     16 — Medium  24 — Medium  32 — High    40 — High
          7               7 — Low     14 — Low     21 — Medium  28 — Medium  35 — High
Medium    6               6 — Low     12 — Low     18 — Medium  24 — Medium  30 — Medium
          5               5 — Low     10 — Low     15 — Low     20 — Medium  25 — Medium
          4               4 — Low      8 — Low     12 — Low     16 — Medium  20 — Medium
Low       3               3 — Low      6 — Low      9 — Low     12 — Low     15 — Low
          2               2 — Low      4 — Low      6 — Low      8 — Low     10 — Low
          1               1 — Low      2 — Low      3 — Low      4 — Low      5 — Low
Note that there are only a few scenarios where the risk score is high, indicating findings that are top priority, which should be addressed quickly. This is intentionally done so that “high risk” is not diluted. The “high” risk score scenario is where the business impact is high (i.e., potential impact is high) and where either the level of control is nonexistent or some control exists on an ad-hoc basis. Different clients will look at these risk scores differently. Some clients might want to immediately address situations where there is even a medium risk score because they are very control conscious. Other clients may have a very limited budget and decide to only address the high risk score items and do the rest on a long-term basis. This measurement scheme helps them prioritize the findings and put some perspective around next steps.
To use the risk score effectively, you must educate the client about how it works
and how the risk score is derived. Understanding the methodology will help them
use this information to make good judgments. In addition, you should be able to
talk about any of the findings and be able to show how you reached your conclusions.
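As an added example (not the book's own code), the risk score calculation and the Low/Medium/High bands in Python, applied to constructed sample findings and used to enumerate exactly which business impact and level of control combinations in Table 8.5 rate High; the finding titles and ratings are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from itertools import product

# Risk Score = Business Impact (1..9) x Level of Control (1..5), as in Table 8.5.
# Classification bands follow the Risk Score Range table:
# Low 1-15, Medium 16-30, High 31-45.
SCORE_BANDS = ((31, "High"), (16, "Medium"), (1, "Low"))

def risk_score(business_impact: int, level_of_control: int) -> int:
    """Multiply the two ratings; reject values outside the book's scales."""
    if business_impact not in range(1, 10):
        raise ValueError("business impact must be 1..9")
    if level_of_control not in range(1, 6):
        raise ValueError("level of control must be 1..5")
    return business_impact * level_of_control

def classify(score: int) -> str:
    """Map a risk score onto Low / Medium / High."""
    for floor, label in SCORE_BANDS:
        if score >= floor:
            return label
    raise ValueError("score must be 1..45")

@dataclass(frozen=True)
class Finding:
    title: str
    business_impact: int
    level_of_control: int

    @property
    def score(self) -> int:
        return risk_score(self.business_impact, self.level_of_control)

def prioritize(findings):
    """Rank findings highest risk score first as (title, score, class)."""
    ranked = sorted(findings, key=lambda f: -f.score)
    return [(f.title, f.score, classify(f.score)) for f in ranked]

def high_risk_cells():
    """Every (impact, control) cell of Table 8.5 that rates High."""
    return [(i, c) for i, c in product(range(9, 0, -1), range(1, 6))
            if classify(risk_score(i, c)) == "High"]

SAMPLE_FINDINGS = [  # constructed sample findings, not from the book
    Finding("Sensitive documents left on executive desks", 8, 4),
    Finding("Backup tapes stored on site only", 6, 3),
    Finding("Visitor log never reviewed", 3, 5),
]
```

Only five of the 45 cells come out High, which is the dilution point the text makes.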
FINALIZE FINDINGS AND RISKS
Now that you have done the risk analysis, you need to finalize the wording of the
findings and associated risks (Figure 8.2). If you were diligent in documenting them
in the report, this should not take much time. As you document the findings and
risks, you should try to maintain some consistency in how you present the findings,
risks, and recommendations (discussed in the next step) so they have the same “look
and feel.” The next two sections will provide some guidelines for documenting
findings and risks.
FINALIZE WORDING FOR FINDINGS
The first draft of the findings should already be documented, as this was something that was done throughout the assessment. The reason for devoting a separate section to documenting findings is because it is very important how findings are presented to the client. Although you went over the findings with the client during the assessment, the report you are preparing will probably go to a larger audience. In many cases, the final report may go to senior management. When these individuals see the findings, it will probably be for the first time.
With this in mind, you have to be very careful how you word the findings. The
same finding worded in different ways can have the same message but affect people
differently. For example, let us assume that you find a company where the executives
of the company, who deal with highly sensitive information, routinely keep sensitive
documents just lying around on their desks. Some of the sensitive documents are kept
in locked cabinets, but some are out in the open. These executives have administrative
Risk Score Range (classification of the Table 8.5 scores)
Low      1 to 15
Medium   16 to 30
High     31 to 45
FIGURE 8.2 Finalize findings and risks. (Process flow for Risk Analysis and Final Presentation: Risk analysis & Risk Score calculation; Finalize findings and risks; Develop recommendations and prepare draft report; Discuss draft report with client; Present final report to management.)
assistants who watch the offices for the most part, but there are times when the
offices are left unattended. In addition, although physical security measures exist
upon entering the building, no physical security measures are present once in the
building. Because of the sensitivity of the documents that these executives have, this
is an issue for the company. This finding can be worded in different ways and each
would have a different effect.
First, it can be worded as follows:
Version 1: In offices of key executives, sensitive documents are routinely out in the open on desks. These documents are often not locked in cabinets. Offices are not locked when executives are not present, resulting in anyone being able to gain unauthorized access to sensitive documents.
Version 2: Sensitive documents are not properly locked up in key offices of the company. These offices are often left open where anyone can gain unauthorized access to these documents.
Version 3: In key offices, not all sensitive documents are properly secured in locked cabinets. Although assistants or other support people normally watch these offices, some brief instances occur where the offices are left open and unattended, allowing anyone to walk in and access the sensitive documents. Although physical security exists at the perimeter to control who can enter the building, once in the building, people can walk relatively freely.
Each of the three findings above illustrates the core point that sensitive documents are left exposed. However, each of the findings would probably be received differently. Let us critique each one and note the differences:
Version 1 — Although this one communicates the point, it openly singles out a group of people — the ones who are the final audience of the report. It is possible that they are not the only ones: you probably did not observe the whole company and cannot say definitively that it is only the executives who are guilty of this. In addition, the wording makes it sound as though all of the documents are left out in the open and nothing is locked up, which is not true. Finally, the finding also says that anyone can gain access to these offices and ignores the fact that these offices are mostly watched and that physical security measures control who can enter the building.
Version 2 — Like the first finding, this one also communicates the issue of sensitive documents being at risk. This one, however, in the first sentence, acknowledges that it is not all documents that are not locked up. Like the first finding, this wording does not account for the fact that these offices are mostly watched and that physical security measures control access into the building.
Version 3 — This is the most appropriately worded of the three. The wording of this finding not only communicates the nature of the finding that unauthorized individuals can gain access to sensitive documents — it