Most security professionals recommend and use a four-phase approach to implementing a comprehensive, enterprise-wide security management program:
Risk Management is an Issue for Management, not Technology
The first phase identifies the critical information assets in order to understand the nature and severity of security risks and exposures to those assets. Types of exposures include:
▪ Confidentiality: the exposure if information gets into the wrong hands
▪ Integrity: the exposure if the wrong information is used to make decisions
▪ Availability: the exposure if information is not available for use when needed
This Business Value Assessment identifies owners of critical information assets, evaluates security classification levels, and documents the usage and residence of critical information. The deliverable, an Information Asset Profile, provides a control book that highlights which information requires protection, what kind of security is important for the business use of that information, who has ownership responsibility, and how and where the information is primarily used. This enables an information security program to be tailored over the next three phases in order to provide the right types of controls and mechanisms for the most critical information to the business.
The second phase determines how information assets should be protected. In this phase, the management philosophy and results of the Business Value Assessment are used as guides in defining the guiding security principles for the organization. Where needed, existing security policies and standards are updated and new ones developed. In conjunction with a standard of best practices for security management (ISO17799/27001), all relevant aspects are addressed to produce a customized security architecture that effectively aligns to strategic IT and business needs.
The third phase is where the organization should use its specific security architecture as a model, map current processes to the defined security processes in the organization's security architecture, and identify gaps. Many security consultants use International Standard ISO17799 as the model when the organization has not provided one of its own. Security assessment activities should include a comprehensive review of an organization's policies, procedures, and information protection mechanisms. Recommendations are developed that specify actions to close the gaps, with an implementation strategy based on the organization's unique business needs.
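The gap analysis of the third phase, driven by the Information Asset Profile from the first, can be expressed as a small program. This is an added illustration, not code from the original article; the control names, the mapping of controls to the confidentiality/integrity/availability exposures they reduce, and the sample assets are all constructed assumptions.

```python
from dataclasses import dataclass

# Information Asset Profile entry (phase 1): owner, classification level and
# the exposure rating (0 = none .. 3 = severe) for each of the three exposure types.
@dataclass(frozen=True)
class AssetProfile:
    name: str
    owner: str
    classification: str
    confidentiality: int
    integrity: int
    availability: int
    controls: frozenset  # controls currently implemented for this asset

# Hypothetical security architecture (phase 2): required controls per classification.
ARCHITECTURE = {
    "confidential": {"encryption_at_rest", "access_review", "change_control", "backup"},
    "internal": {"access_review", "backup"},
}

# Assumed mapping of each control to the exposure type(s) it reduces.
CONTROL_PROTECTS = {
    "encryption_at_rest": ("confidentiality",),
    "access_review": ("confidentiality", "integrity"),
    "change_control": ("integrity",),
    "backup": ("availability",),
}

def find_gaps(assets, architecture=ARCHITECTURE):
    """Phase 3: compare each asset's current controls with the architecture's
    required set and return (asset, missing control, severity) tuples, where
    severity is the highest exposure rating among the exposure types that the
    missing control would have reduced. Most severe gaps come first."""
    gaps = []
    for asset in assets:
        required = architecture.get(asset.classification, set())
        for control in sorted(required - asset.controls):
            severity = max(getattr(asset, p) for p in CONTROL_PROTECTS[control])
            gaps.append((asset.name, control, severity))
    gaps.sort(key=lambda g: (-g[2], g[0], g[1]))
    return gaps

# Constructed sample assets (not from the page).
SAMPLE_ASSETS = [
    AssetProfile("customer_db", "Sales", "confidential", 3, 2, 2,
                 frozenset({"backup", "access_review"})),
    AssetProfile("intranet_wiki", "IT", "internal", 1, 1, 2, frozenset({"backup"})),
    AssetProfile("payroll", "Finance", "confidential", 3, 3, 1,
                 frozenset(ARCHITECTURE["confidential"])),
]
```

Running `find_gaps(SAMPLE_ASSETS)` lists the missing encryption on the customer database first, because confidentiality is that asset's most severe exposure, and reports nothing for payroll, whose controls already match the architecture.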
In the final phase, recommendations are implemented. Implementation requires overall project and transition management, evaluation and recommendation of products and tools, conducting employee awareness training, and assisting with migrations and conversions. Properly implemented process feedback mechanisms will ensure continuous improvement in security management quality.
Security should be commensurate with risks. The process of determining which security controls are appropriate and cost effective is quite often complex and subjective. The prime function of security risk analysis is to put this process onto a more objective basis.
As stated above, there are a number of distinct approaches to risk analysis. These may be defined in two types: quantitative and qualitative.