Table 5.1 Detailed Outline of the Risk Assessment Process

1. Identify business process:
  • a. The risk methodology determines risk for a particular business process. It is the business processes that are the foundation of the company’s business and therefore risk should be defined in regard to these processes.
  • b. This methodology will tie the business processes to the assets they rely on, to the architecture that supports the assets, and to the vulnerabilities of the architecture. Together this will lead to a determination of the risks of the business process.
2. Determine operational concerns:
  • a. There are three operational concerns to be considered:
  • i. Confidentiality—the privacy and protection of data from unauthorized access or exposure.
  • ii. Integrity—the accuracy of the data or systems used by your organization.
  • iii. Availability—the accessibility of an asset for its intended use at a given point in time.
  • b. These operational concerns apply to the business process, not to each individual asset. The operational concerns are defined with regard to the output of the business process.
3. Identify or define assets:
  • a. Each business process relies on multiple assets—identify the assets and data items that are part of this business process.
  • b. Although the majority of assets that will be identified will be informational, an asset can be of the following types:
  • i. Informational—most assets that are defined will be informational; they will be data objects.
  • ii. Functional—for example, an Internet connection can be a functional asset.
  • iii. Physical—any physical component or equipment can be an asset.
4. For each asset determine:
  • Business role.
  • Logical data flow.
  • User population.
  • Access rights and controls:
  • i. Physical access.
  • ii. Logical access.
  • a. Supporting architecture:
  • i. System and network hardware.
  • ii. System and network operating systems.
  • iii. System and network applications.
  • iv. Network protocol.
  • v. System connectivity.
  • vi. Physical environment.
5. Assign asset measurements:
  • a. Each asset will be rated for sensitivity and criticality with regard to the critical process in question.
  • b. The two asset measurements will be rated on a scale of 1 to 5 (1—not important, 5—extremely important):
  • i. Sensitivity—the relative measurement of damage to the business process if the asset was disclosed to unauthorized users, such as competitors.
  • ii. Criticality—the relative measurement of how crucial the asset is to the accomplishment of the business process.
6. Determine importance:
  • a. Importance is a subjective rating of high, medium, low, or none assigned to each asset.
  • b. This rating determines the importance of the asset to the business process.
  • c. The importance rating is determined from the asset measurements assigned in the previous step and a subjective analysis of those values.
  • i. Although the value assigned to each asset measurement will be independent of the operational concerns of the business process, the importance rating will have to consider the operational concerns.
  • A. For example, an asset with a sensitivity value of 4 and a criticality value of 1 may have an importance rating of high, if sensitivity is more of a concern to the process than criticality. On the other hand, if sensitivity is of low concern and criticality is of higher concern, then the importance rating will be low.
  • B. There is no mathematical way to determine the importance rating; the factors above have to be combined with an awareness of the organization’s business and operations to determine the rating that makes the most sense.
7. Identify vulnerabilities:
  • a. Based on the supporting architecture, vulnerabilities can be determined.
  • b. Vulnerabilities can be determined in several ways:
  • i. Combination of tools and information gathering techniques:
  • A. Scanner—host/network scanning tool.
  • C. Vendor support—contact the vendors of each network component to determine known vulnerabilities of that component.
  • ii. Use of risk assessment tool containing vulnerability library and systems components.
8. Determine significant vulnerabilities using the following factors:
  • a. Risk contribution—each vulnerability will contribute to the total risk of the system.
  • i. Assets/components affected by the vulnerability—certain vulnerabilities may only affect one asset, others may affect multiple assets. Certain vulnerabilities may affect assets that are critical to the process, whereas others may affect assets that are not critical. The risk contribution will depend on the number and importance of the assets affected.
  • ii. Associated operational concerns—each vulnerability will have an impact on one or more of the operational concerns. The risk contribution will depend on the operational concerns affected as well as the rating of those concerns.
9. Identify threat categories:
  • a. Define the three general types of threats:
  • i. Internal versus external threats.
  • ii. Hostile versus nonhostile threats.
  • iii. Structured versus unstructured threats.
  • b. These threats can be grouped into eight threat categories (see Chapter 4):
  • i. Internal hostile structured.
  • ii. Internal hostile unstructured.
  • iii. Internal nonhostile structured.
  • iv. Internal nonhostile unstructured.
  • v. External hostile structured.
  • vi. External hostile unstructured.
  • vii. External nonhostile structured.
  • viii. External nonhostile unstructured.
  • c. Depending on which threat types are of concern to the organization, a subset of threat categories will be selected. (E.g., if only internal threats are of concern, then the four external threat categories will be eliminated from the assessment process.)
  • d. The remaining threat categories will be ranked based on threat measurement factors:
  • i. Physical and electronic access—does the threat category have physical or electronic access to the system?
  • ii. Capability—the level of capability required for the threat to exploit any vulnerabilities in the system.
  • iii. Motivation—the level of motivation of a threat category.
  • iv. Occurrence measurement—the probability that a threat category will exploit the system.
10. Identify current safeguards:
  • a. Determine the safeguards that are currently in place. This determination will be used to determine the baseline risk.
11. Determine mitigated vulnerabilities:
  • a. A subset of vulnerabilities will be eliminated for several reasons:
  • i. No threat to exploit the vulnerability.
  • ii. Current safeguards mitigate the vulnerability.
  • iii. The vulnerability does not apply to a particular component because the service or software that creates that vulnerability is not present in this particular component.
12. Determine impact:
  • a. Impact is a subjective rating of high, medium, or low assigned to each vulnerability.
  • b. This rating determines the impact of the vulnerability on the business process.
  • c. The impact rating is determined from a subjective analysis of the importance of the asset affected, the operational concerns to which the vulnerability applies, and the relative rating of the applicable operational concerns.
13. Safeguard recommendations:
  • a. For each vulnerability, a set of safeguards will be identified that will either reduce or mitigate the vulnerability.
  • b. Each safeguard will have an associated cost that can either be a dollar amount or a relative cost of high, medium, or low.
14. Determine residual impact:
  • a. Each safeguard will either reduce or mitigate the impact of the vulnerability.
  • b. Each safeguard will be analyzed to determine the impact remaining if or when the safeguard is applied—this will be the residual impact.
  • c. The residual impact and cost of each safeguard together with business and operational priorities will be considered by the asset and process owners in determining those safeguards that will be applied to reduce the impact to an acceptable level.
15. Establish risk:
  • a. Risk is a binary value based on the residual impact ratings remaining after all safeguards have been identified.
  • b. If there are any vulnerabilities with a high impact the risk will be high.
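Steps 11, 14 and 15 of the outline are mechanical enough to model in code. The following is an added Python example, not from the book: vulnerability and safeguard identifiers, the component services, and the "none" residual label (meaning a safeguard fully mitigates the vulnerability) are all constructed assumptions; the step 12 impact and step 9 threat categories are taken as inputs because the outline rates them subjectively.

```python
from dataclasses import dataclass, field

# Ratings on the outline's subjective scale; "none" (an assumption) marks full mitigation.
RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}

@dataclass
class Vulnerability:
    vid: str
    component: str
    impact: str         # step 12 rating: high / medium / low
    threats: set        # threat categories (step 9) that could exploit it
    needs: set = field(default_factory=set)   # services that must be present
@dataclass
class Safeguard:
    sid: str
    residual: dict      # vid -> impact left once applied (step 14); "none" = mitigated
    cost: str           # relative cost (step 13); a dollar figure would also do

def elimination_reason(v, threats_of_concern, in_place, services):
    """Step 11: the reason a vulnerability drops out, or None if it stays in scope."""
    if not v.threats & threats_of_concern:
        return "no threat"
    if any(s.residual.get(v.vid) == "none" for s in in_place):
        return "current safeguard"
    if not v.needs <= services.get(v.component, set()):
        return "service absent"
    return None

def residual_impact(v, applied):
    """Step 14: the lowest impact any applied safeguard leaves, else the step 12 rating."""
    left = [s.residual[v.vid] for s in applied if v.vid in s.residual]
    return min(left + [v.impact], key=RANK.get)

def assess(vulns, threats_of_concern, in_place, services, chosen):
    """Steps 11, 14, 15: residual impact per remaining vulnerability and whether risk is high."""
    residuals = {}
    for v in vulns:
        if elimination_reason(v, threats_of_concern, in_place, services) is None:
            residuals[v.vid] = residual_impact(v, in_place + chosen)
    return residuals, any(r == "high" for r in residuals.values())   # step 15

# Constructed sample data with hypothetical identifiers, not taken from the outline.
VULNS = [
    Vulnerability("V1", "web", "high", {"external hostile unstructured"}, {"http"}),
    Vulnerability("V2", "web", "high", {"external hostile structured"}, {"ftp"}),
    Vulnerability("V3", "db", "medium", {"internal nonhostile unstructured"}),
    Vulnerability("V4", "db", "high", {"internal hostile structured"}),
    Vulnerability("V5", "web", "high", {"external hostile structured"}, {"ssh"}),
]
SERVICES = {"web": {"http", "ssh"}, "db": {"sql"}}
CONCERN = {"external hostile unstructured", "external hostile structured", "internal hostile structured"}
IN_PLACE = [Safeguard("patching", {"V4": "none"}, "low")]
CHOSEN = [Safeguard("waf", {"V1": "medium"}, "medium")]
```

With the sample data, V2 drops out because the web component runs no ftp service, V3 because no threat category of concern can exploit it, and V4 because a current safeguard already mitigates it; V5 keeps a high residual impact, so the process risk is high until a safeguard for it is chosen.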