Assessing IT Security

Examining IT security is a key component of auditing IT infrastructure for compliance. An audit can help identify fraud, ineffective IT practices, improper use of resources, and inadequate security. Assessing IT security is largely about ensuring that adequate controls are in place. Controls cost money, however. The selection and implementation of controls must be a result of a consideration of risk.

Suppose you want to build a fence to protect a cow. Building the fence will cost money. Exactly how much money it will cost might depend upon the quality and size of the fence. How much might you be willing to spend? Of course, you should first understand why you want to protect the cow. How valuable is this cow to you? What are you protecting the cow from? Let’s assume the cow has some type of value to you—otherwise, there would be little reason to spend money on protecting the cow. Is a fence the only solution? Could you tie the cow to a tree instead? If you decide to build the fence, is it strong enough? Is it high enough? Now suppose you decide to have the security of your fence assessed. What you don’t need is for the auditor to come by and tell you what you already know—that you have a fence in place. Rather, what would be useful is a determination of the lack of controls, the ineffectiveness of controls, or even the use of unnecessary controls. If your cow turns out to be a bull, for example, perhaps that fence won’t be so effective. Is the fence effective against someone determined to steal the cow? To understand these issues, consider the following:

  • Is a control even required?

  • How much effort or money should be spent on a control?

  • Is the control effective?

Understanding the answers to these questions requires thought about risk. This is why risk management needs to be a key part of organizations and any audit.

Risk Management

Managing and understanding risk is a key operating component of any organization. Risk is about uncertainty, and there will always be uncertainty across an organization. Uncertainty presents both challenges and opportunities. Risk management provides a method for dealing with it, including deciding which risks to accept and which to control. The Committee of Sponsoring Organizations of the Treadway Commission (COSO), which publishes a framework for enterprise risk management (ERM), identifies the following key components of ERM:

  • Aligning risk appetite and strategy—This helps the organization manage the uncertainty by considering the goals of the organization.

  • Enhancing risk response decisions—This improves the organization’s ability to make decisions about how to better manage risk.

  • Reducing operational surprises and losses—This enhances the organization’s ability to identify potential events or threats and react appropriately.

  • Identifying and managing multiple and cross-enterprise risks—This helps the organization consider related risks from across the organization and provides a unified response across the varying risks.

  • Seizing opportunities—This helps the organization recognize events from which new opportunities can be pursued.

  • Improving deployment of capital—This improves how organizations divide their financial resources to enhance performance and profitability.

How do you implement risk management? For risk management to be effective, it must be systematic, structured, collaborative, and cross-organizational. Risk management relies on each business unit to contribute to a larger and holistic view of risk. For risk management to be effective, there must be a common set of processes each business unit can execute against. At the very least, the following risk management processes need to be implemented across the organization.

1. Risk Identification

Risk identification is the process of documenting potential risks and then categorizing the actual risks the business faces. The totality of potential and actual risks is sometimes referred to as the risk universe. The risk universe is used to prioritize the risk an organization is willing to accept. Those risks an organization is not willing to accept then become risks to remediate or mitigate.

2. Risk Assessment

Understanding the likelihood and potential impact of a risk to the organization is essential to establishing prioritization for acceptance or remediation. For example, if the impact on the organization is small, it may not make sense to spend a lot to remediate the risk. An organization might divide risks into “high, moderate, or low,” depending on their potential for disruption. The exact categorization method is less important than the recognition that some risks present a more pressing threat than others. Risk analysis helps businesses to prioritize mitigation.

3. Risk Mitigation

Risk mitigation is the implementation of your response to the risk assessment. It is the action an organization takes to reduce exposure and minimize impact. Following our previous example, the response to a low-rated risk might be as simple as adding a topic to security awareness training. Higher-rated risks may call for the deployment of new preventive controls.

4. Risk Monitoring

Risks are not static; they change over time, and controls can fail. Risk monitoring is the ongoing process of checking that controls are still working effectively, that processes are operating within risk tolerance, and that no new risks have been introduced.

Threat Versus Vulnerability Versus Risk

The terms threat, vulnerability, and risk are too often used interchangeably. There are distinct differences and care should be used when applying them. A common set of definitions is as follows:

  • A threat is anything that can exploit a vulnerability, intentionally or accidentally, and thereby cause an adverse impact on the organization. For example, a hurricane might wipe out your data center.

  • A vulnerability is a weakness or control gap that a threat can exploit, such as locating your data center in a building that cannot withstand high winds.

  • A risk is the potential for loss, damage, or impact to the organization that results from a threat exploiting a vulnerability. For example, if a hurricane strikes and the data center building collapses, what would be the impact on the organization?

A key component of risk management is the risk assessment. Planning an audit of IT infrastructure depends on this assessment, so the audit plan should be prepared only after a risk assessment is complete. The reason is that the audit should focus on the areas with the highest risk.

There are several methodologies for assessing risk specific to IT environments. NIST Special Publication 800-30 is one such example. The original 2002 edition, “Risk Management Guide for Information Technology Systems,” lays out the practical nine-step process below; Revision 1 (2012), retitled “Guide for Conducting Risk Assessments,” regroups the same activities into preparing for, conducting, communicating, and maintaining the assessment. The nine steps are as follows:

  • System characterization—Identify and understand the systems and their operating environment.

  • Threat identification—Identify potential methods or situations that could exploit a weakness.

  • Vulnerability identification—Identify flaws or weaknesses that can be triggered or exploited, which might result in a breach.

  • Control analysis—Analyze controls to reduce the likelihood of a threat successfully exploiting a vulnerability.

  • Likelihood determination—Determine the likelihood of an attack by considering the motivation and capability of the threat source along with the nature of the vulnerability in relation to the current controls.

  • Impact analysis—Determine the impact of a successful attack on a vulnerability by a threat. Consider the mission of a system, data criticality, and data sensitivity.

  • Risk determination—Combine the likelihood, the magnitude of impact, and the adequacy of existing controls into a level of risk.

  • Control recommendations—Consider controls to reduce the level of risk to an acceptable level.

  • Results documentation—Record the observed threats, vulnerabilities, resulting risks, and recommended controls in a report that management can act on.

Evaluating risk requires looking at the different parts of the risk equation. Effective risk management starts with identifying the IT assets and their value. Next, organizations need to identify the threats and vulnerabilities to these assets. An analysis or assessment of both threats and vulnerabilities is a key part of the risk-management process. Next, organizations need to identify the likelihood each threat will exploit a vulnerability. Finally, organizations need to consider the impact of the risk. Risks should then be prioritized. This enables organizations to give attention to the most severe. Different methodologies are available, which provide clear frameworks for evaluating risk.

Part of the risk-assessment process requires an examination of those activities that represent danger. Threats to IT are numerous and can cause loss of confidentiality, integrity, or availability in a number of ways. Analyzing potential threats requires first identifying all of the possible threats. This is called threat identification.

All the threats in Table 5-3 represent varying degrees of potential risk when they are paired with vulnerabilities. Each organization will identify its own unique threats, and a business with multiple locations will have threats specific to each location. To really understand threats, think about your own personal situation. What threats are common to you and where you live? Do these threats change as you travel? What threats exist based on your lifestyle and goals?

TABLE 5-3 Examples of threats, motivations, and threat actions.

Threat: Cracker
  Motivation: Challenge; ego
  Threat action: Social engineering; system intrusion

Threat: Criminal
  Motivation: Monetary gain; destruction of information
  Threat action: Computer crime; fraudulent act; information bribery

Threat: Terrorist
  Motivation: Destruction; exploitation; revenge
  Threat action: Bomb; system penetration; system tampering

Threat: Espionage
  Motivation: Competitive advantage; economic espionage
  Threat action: Economic exploitation; information theft; social engineering

Threat: Insiders
  Motivation: Curiosity; ego; revenge; unintentional errors
  Threat action: System bugs; system sabotage; unauthorized access; computer abuse

You need to consider likelihood when examining threats. Using the example of a hurricane earlier in this section, it is safe to say that the threat of a hurricane affecting the state of Iowa does not exist. The threat of a tornado, however, does exist. As a result, organizations should develop a threat classification mechanism. A simple example may include a classification of low, medium, and high:

  • Low—No previous history of the threat, and the threat is not likely to occur

  • Medium—Some history of the threat, and the threat might occur

  • High—Substantial history of the threat, and the threat is likely to occur

Vulnerability Analysis

After performing a threat analysis, you need to identify weaknesses or flaws. Specifically, you need to identify vulnerabilities that can be exploited by the previously identified threats. This is known as vulnerability analysis. There are many ways to identify vulnerabilities, such as the following:

  • Vulnerability lists and databases published by industry organizations

  • Security advisories

  • Software and security analysis using automated tools

It is important to consider threats relative to vulnerabilities. Think about operating system patches issued by Microsoft or Apple. Typically, these fix vulnerabilities that were previously unknown and have since been discovered. In most cases, a vulnerability affects a particular piece of the system. Say, for example, Microsoft issues a patch to fix a vulnerability in a particular service of the operating system. What if you don’t use this service, or the service is turned off? In that case the flaw is not exploitable on that system; it should still be patched or tracked, because the service may be enabled later. What if the particular system you use is not and will never be connected to the Internet? In that case the remote, Internet-borne threat does not exist, although other vectors such as removable media or an insider with local access may still apply. This is why it is important to pair threats with vulnerabilities. Threats are matched with existing vulnerabilities to further understand the risk. Finally, likelihood and impact must be considered. What is the likelihood that a particular threat can exploit a specific vulnerability? If that occurs, what would be the impact?

Consideration of all these elements involves trade-offs. For example, you can do many things to remove or reduce specific threats and vulnerabilities in your personal life, but you might choose not to. You might even choose not to apply specific controls that can reduce the risks. Many of these decisions are based on your goals and personal trade-offs. As you consider these concepts, think about the following:

  • Why do some people live in areas with higher crime rates?

  • Why doesn’t everyone wear a bulletproof vest?

  • Why do you ride in or drive vehicles when there are approximately 40,000 vehicle deaths per year in the United States?

  • Why do some people spend more money on home security systems than others?

Risk Assessment Analysis: Defining an Acceptable Security Baseline

Given the previous inputs, the final step is to determine the level of risk. When pairing threats and vulnerabilities, risk is determined primarily by three factors:

  • The likelihood that a threat will exploit a given vulnerability

  • The impact on the organization if that threat against the vulnerability is achieved

  • The sufficiency of controls to either eliminate or reduce the risk

At this point, matrixes and other mechanisms are useful for qualitatively understanding risk. Such matrixes typically categorize the likelihood and the impact of a threat as low, medium, or high, and combining the two yields a risk rating of low, medium, or high.

An alternative approach is to analyze impact and likelihood quantitatively. Instead of labels such as high or medium, a quantitative analysis uses numeric values, for example a probability or expected frequency of occurrence and a monetary loss per occurrence, which can be multiplied to give an expected annual loss. Quantitative risk analysis looks more precise and objective, but it is only as accurate as the probability and loss estimates that feed it, and it can be more time-consuming and expensive to perform.
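The following Python script is an added illustration, not code from the original text or from any NIST publication. It carries the nine-step process, the threat/vulnerability pairing from the patching discussion, and the matrix described above through in one place: threats are matched against vulnerabilities, a pair drops out when the affected component is disabled or when a remote threat cannot reach it, each verified control lowers the likelihood one step, and a 3x3 matrix turns likelihood and impact into a low/medium/high rating. A small function shows the quantitative alternative as single loss times annual rate. The inventory, threat names, control names, the matrix cell values, and the loss and frequency figures are all constructed assumptions.

```python
"""Pairing threats with vulnerabilities and rating the resulting risk.

Added example; the sample inventory, names and scores below are constructed
for illustration and are not drawn from any real system or publication.
"""
from dataclasses import dataclass

LEVELS = ("low", "medium", "high")

# Qualitative matrix: RISK_MATRIX[likelihood][impact] -> risk rating.
# The cell values are an assumption; organizations choose their own.
RISK_MATRIX = {
    "low":    {"low": "low",    "medium": "low",    "high": "medium"},
    "medium": {"low": "low",    "medium": "medium", "high": "high"},
    "high":   {"low": "medium", "medium": "high",   "high": "high"},
}


@dataclass
class Vulnerability:
    name: str
    component: str           # service or subsystem the flaw lives in
    enabled: bool            # is the affected component actually in use?
    network_reachable: bool  # can a remote threat reach it?
    impact: str              # "low" / "medium" / "high" if exploited


@dataclass
class Threat:
    name: str
    likelihood: str          # "low" / "medium" / "high" (history plus motivation)
    remote: bool             # does the threat act over the network?


@dataclass
class Control:
    name: str
    mitigates: str           # name of the vulnerability it covers
    effective: bool          # was it verified to be working?


def lower(level):
    """Step one level down the low/medium/high scale (floor at low)."""
    return LEVELS[max(0, LEVELS.index(level) - 1)]


def rate_pair(threat, vuln, controls):
    """Qualitative risk rating for one threat/vulnerability pair, or None
    when the pair is not exploitable in this environment."""
    # A disabled component cannot be exploited; the flaw is not a live vulnerability.
    if not vuln.enabled:
        return None
    # A remote threat cannot reach a component that is not network-reachable.
    if threat.remote and not vuln.network_reachable:
        return None
    likelihood = threat.likelihood
    # Each verified control covering this vulnerability lowers likelihood one step.
    for c in controls:
        if c.mitigates == vuln.name and c.effective:
            likelihood = lower(likelihood)
    return RISK_MATRIX[likelihood][vuln.impact]


def annualized_loss_expectancy(single_loss, annual_rate):
    """Quantitative form: expected loss per year = loss per event x events per year."""
    return single_loss * annual_rate


def assess(threats, vulns, controls):
    """Rate every exploitable pair; return (threat, vuln, rating) sorted highest first."""
    results = []
    for t in threats:
        for v in vulns:
            rating = rate_pair(t, v, controls)
            if rating is not None:
                results.append((t.name, v.name, rating))
    results.sort(key=lambda r: LEVELS.index(r[2]), reverse=True)
    return results


# Constructed sample inventory (assumed, not real systems).
THREATS = [
    Threat("external attacker", "high", remote=True),
    Threat("malicious insider", "medium", remote=False),
]
VULNS = [
    Vulnerability("unpatched RPC service", "rpc", enabled=True, network_reachable=True, impact="high"),
    Vulnerability("unpatched print spooler", "spooler", enabled=False, network_reachable=True, impact="medium"),
    Vulnerability("weak local admin password", "os", enabled=True, network_reachable=False, impact="high"),
]
CONTROLS = [
    Control("host firewall rule", mitigates="unpatched RPC service", effective=True),
    Control("password policy", mitigates="weak local admin password", effective=False),
]

if __name__ == "__main__":
    for t, v, r in assess(THREATS, VULNS, CONTROLS):
        print(f"{r:6}  {t} -> {v}")
    print("ALE at $250,000 per event, 0.2 events/year:",
          annualized_loss_expectancy(250_000, 0.2))
```

Note what drops out: the print spooler flaw never appears because the service is disabled, and the external attacker is never paired with the local password weakness because it is not reachable over the network. The ineffective password policy provides no reduction, which is exactly the kind of finding an audit should surface.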

Applying controls to a system helps eliminate or reduce the risks. In many cases, the goal is not to eliminate the risk. Rather, what’s important is to reduce the risk to an acceptable level. Applying controls is a direct result of the risk-assessment process combined with an analysis of the trade-offs. Several examples of the trade-offs include the following:

  • Cost—Are the costs of a control justified by the reduction of risk?

  • Operational impact—Does the control have an adverse effect on system performance?

  • Feasibility—Is the control technically feasible? Will the control be feasible for end users?

An effective risk-assessment process helps establish known good baselines for IT systems. A baseline is the system in a known good state, with the minimum controls applied relative to the accepted risk. Baselines provide a solid and simple method from which to audit a system. Comparing a system against its baseline can identify controls that were never applied as well as controls that have since been removed or disabled. Additionally, a baseline audit can help identify a system that has been compromised or otherwise altered.
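The script below is an added example of a baseline comparison, not code from the original text. It diffs an observed host state against a baseline and sorts the deviations into the categories the paragraph names: controls that were never applied, controls present but disabled, settings that drifted, files whose contents changed, and services the baseline does not know about. The baseline, the observed state, the service and setting names, and the file contents are all constructed; a real audit would collect the observed state from the host's service manager, configuration, and file hashes.

```python
"""Auditing a system against a known-good baseline.

Added example. BASELINE and OBSERVED are constructed dictionaries; every
service name, setting and file shown is an assumption for illustration.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of file contents, used to detect altered files."""
    return hashlib.sha256(data).hexdigest()


# Constructed baseline: the minimum controls for the accepted level of risk.
BASELINE = {
    "services": {            # name -> required state
        "auditd": "running",
        "firewall": "running",
        "telnet": "disabled",
    },
    "settings": {            # name -> required value
        "password_min_length": 14,
        "ssh_permit_root_login": "no",
    },
    "files": {               # path -> expected SHA-256 of contents
        "/etc/ssh/sshd_config": sha256_hex(b"PermitRootLogin no\n"),
    },
}

# Constructed observation of the audited host.
OBSERVED = {
    "services": {
        "auditd": "stopped",        # control present but disabled
        "telnet": "disabled",
        # "firewall" is absent: the control was never applied
        "unknown-agent": "running", # not in the baseline at all
    },
    "settings": {
        "password_min_length": 8,   # drifted from the baseline value
        "ssh_permit_root_login": "no",
    },
    "files": {
        "/etc/ssh/sshd_config": sha256_hex(b"PermitRootLogin yes\n"),
    },
}


def audit(baseline, observed):
    """Compare observed state to the baseline and group the deviations."""
    findings = {"missing": [], "disabled": [], "drifted": [], "altered": [], "unexpected": []}

    for svc, want in baseline["services"].items():
        got = observed["services"].get(svc)
        if got is None:
            findings["missing"].append(svc)
        elif got != want:
            findings["disabled"].append(f"{svc}: expected {want}, found {got}")

    # Anything running that the baseline does not describe may be a
    # compromise or an undocumented change; either way it needs explaining.
    for svc in observed["services"]:
        if svc not in baseline["services"]:
            findings["unexpected"].append(svc)

    for key, want in baseline["settings"].items():
        got = observed["settings"].get(key)
        if got is None:
            findings["missing"].append(key)
        elif got != want:
            findings["drifted"].append(f"{key}: expected {want}, found {got}")

    for path, want in baseline["files"].items():
        got = observed["files"].get(path)
        if got is None:
            findings["missing"].append(path)
        elif got != want:
            findings["altered"].append(path)

    return findings


def passes(findings):
    """True only when no category has any deviation."""
    return not any(findings.values())


if __name__ == "__main__":
    result = audit(BASELINE, OBSERVED)
    for category, items in result.items():
        for item in items:
            print(f"{category:10} {item}")
    print("compliant:", passes(result))
```

Each category maps to a different audit conclusion: "missing" and "disabled" are control gaps to remediate, "drifted" and "altered" point at configuration changes that need a change record or an explanation, and "unexpected" is where an unauthorized or compromised component shows up.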

An information system may have security controls at different layers in the system. For example, an operating system or network component typically provides an identification and authentication capability. An application may also provide its own identification and authentication capability, rendering an additional level of protection for the overall information system. As organizations select and specify security controls, they should consider components at all layers in the information system to provide effective security architecture and privacy.

In addition to the results of the risk assessment, numerous best-practice baselines exist to help organizations select appropriate security controls. These include the many documented standards from NIST. Several of these are introduced later in this chapter.
