4. Risk-Assessment Methodologies
In the previous chapter, the goals and objectives for conducting a risk assessment were presented. These goals and objectives provide many reasons why an organization should conduct a risk assessment on its IT and network infrastructure. In some cases, new laws, mandates, and regulations such as HIPAA, GLBA, FISMA, and SOX require organizations to conduct periodic risk and vulnerability assessments and implement defined security controls. This, coupled with the creation and implementation of an IT security architecture and framework, provides the necessary foundation for an organization to properly manage and mitigate the risks caused by threats and vulnerabilities to an IT and network infrastructure.
This chapter first presents the risk-assessment terminology commonly used when discussing risk management and risk assessment. It then presents the different methodologies and approaches for conducting a risk assessment on an IT infrastructure and its assets, and the steps needed to carry one out under each. Whatever methodology or approach is used, the organization must first address asset management and proper inventorying of its IT assets. After the IT systems, applications, and data assets are inventoried, they must be prioritized by their importance to the organization. This prioritization is critical because few organizations have unlimited funds to implement the security controls and countermeasures needed to mitigate every risk identified from threats and vulnerabilities; it is typically aligned to the organization's business drivers, goals, and objectives. The risk that threats and vulnerabilities pose to the prioritized IT hardware, software, and data assets can then be assessed qualitatively, quantitatively, or via a hybrid approach.
In the previous chapter, the basic elements of risk in an IT infrastructure were identified as assets, threats, and vulnerabilities. Assets are items of quantitative or qualitative value to an organization, including computers, network equipment, hardware, software, applications, and data. One of the most important reasons for conducting a risk assessment on an IT infrastructure and its assets is to help the organization manage risk adequately: the assessment uncovers and identifies the threats and vulnerabilities, and the risk-management strategy determines how the resulting risk is managed and mitigated. A risk assessment is therefore a major component of an organization's overall risk-management strategy. Because IT infrastructures grow and evolve, that strategy must include periodic risk assessments; as more IT systems, applications, and data assets enter production, mitigating the risk to those production assets becomes increasingly important.
Risk-assessment and risk-management terminology include the following terms and definitions:
Risk-Management and Risk-Assessment Requirements
As defined previously, risk management is the process of reducing risk to IT infrastructures and IT assets by identifying threats and vulnerabilities and deploying security controls and countermeasures against them. Threats themselves generally cannot be eliminated; what the controls reduce is the exposure and the likelihood or impact of a threat being realized. Risk management is an ongoing, everyday responsibility for an IT infrastructure and its assets. Because risk assessments are usually conducted after the fact, on an existing IT infrastructure and its production systems, applications, and data, many organizations also address risk management early in the development life cycle, before IT systems, applications, and data reach production. Given the number of software vulnerabilities that exist, this is the most effective way to reduce risk in production systems, applications, and data. One approach is to incorporate risk management into the system design and system architecture phases of development. By removing bugs and flaws in firmware, operating systems, and applications before release, exposure to risk from software vulnerabilities is minimized. Doing so requires incorporating security controls into the software development life cycle (SDLC), as described in the previous chapter.
Ongoing risk management includes conducting periodic risk and vulnerability assessments on an organization's IT infrastructure and assets. These assessments can be approached in different ways, depending on the environment and the IT infrastructure, and the approaches are best understood by first understanding the landscape. This landscape is depicted in the seven areas of information security responsibility described in the previous chapter in Figure 3.4. Each of the seven areas requires its own security controls and countermeasures to mitigate the risk from threats and vulnerabilities to the overall IT infrastructure. A periodic risk assessment gives the IT organization a current picture of how vulnerable the IT infrastructure and its assets are, so that proper remediation can be planned.
Each of the seven areas of information security responsibility has its own risk-mitigation issues that must be analyzed uniquely as well as collectively from an organizational perspective. When identifying and locating an organization's assets, the entire IT infrastructure must be examined, including the end users and IT support staff. By conducting a risk assessment, an organization will be able to align its minimum acceptable level of risk for the IT infrastructure and its mission-critical IT assets with proper risk-mitigation techniques, security controls, and security countermeasures.
Defense-in-Depth Approach for Risk Assessments
Another way of looking at the IT infrastructure and its risk mitigation is to examine its security in a layered fashion. This layered approach to risk mitigation is referred to as defense-in-depth: defenses and security countermeasures are layered, like an onion, into zones, which distributes the responsibility and accountability for information security across the seven areas of information security responsibility. Each additional layer of controls and countermeasures slows down, and helps mitigate, an internal or external attack. A layered IT security plan allows for compartmentalized safeguards and countermeasures, and the overall security level is the combination of the defense-in-depth layers, provided they are implemented properly. The security controls and countermeasures implemented throughout the IT infrastructure should be designed so that a failure in one safeguard is covered by another; this is what makes the approach layered. Defense-in-depth thus combines the capabilities of people, operations, and security technologies to establish multiple layers of protection, eliminate single lines of defense, and enhance the overall security of the IT infrastructure and its assets.
These layers of protection extend to specific, critical defensive zones commonly found in defense-in-depth risk mitigation approaches:
Figure 4.1 shows the defense-in-depth or layered approach to information security controls and security countermeasures.
Figure 4.1. Defense-in-depth approach to information security.
The defense-in-depth approach to risk mitigation is best supported by conducting periodic risk assessments within each layer of the defense-in-depth implementation. Assessing an IT infrastructure that incorporates defense-in-depth strategies lets the IT security professional focus the assessment on each layer or area within the overall IT infrastructure. Risk assessments are critical to the proper implementation and deployment of a defense-in-depth strategy because an organization may only be able to implement security controls and countermeasures in specific locations within the infrastructure. The assessment uncovers the resulting gaps and voids, so that proper risk-mitigation techniques can be deployed strategically throughout the layered infrastructure.
Risk Analysis Approach for Risk Assessments
After an IT infrastructure's systems, applications, data, and assets are identified, inventoried, and prioritized by the organization, a risk analysis of those IT assets is required. The risk analysis determines the objective and subjective value of the IT assets, identifies the specific threats to them, and estimates the loss or impact to the organization if a threat to an asset is realized. This loss or impact is calculated using either a quantitative or a qualitative risk-assessment approach. The result is a report to management identifying the elements of greatest risk to the IT infrastructure and its assets, which allows management to make sound business decisions about deploying security controls and countermeasures to achieve the organization's confidentiality, integrity, and availability goals.
The following list summarizes the risk-analysis life cycle, which is part of the overall process for conducting a risk assessment on an IT infrastructure and its assets:
Asset Valuation Approach for Risk Assessments
Risk analysis requires the identification of an IT infrastructure's assets, including data assets and their valuation. Asset valuation is an important task to conduct as part of an organization's ongoing risk management strategy. Asset valuation is important for the following reasons:
There are two methods for conducting an asset valuation. Deciding which one to use is important because it also represents the foundation for which risk-assessment approach an organization will use. Asset valuation for an IT infrastructure and its assets can be approached either qualitatively or quantitatively.
At this stage in the risk analysis, all possible threats to the IT assets are identified. It is important that every threat is considered and listed at this stage. Threats may be categorized in many ways; the best categorization is one that fits the needs of the organization, with more specific threats listed within each category. Information may be available from users, auditors, system administrators with trust relationships, and information sites such as www.cert.org. After the threats have been identified, they must be ranked by the magnitude of their impact if realized and by their likelihood. Because there are so many threats in the IT environment, this ranking is made easier by associating threats with the vulnerabilities actually present in your particular IT assets; known vulnerabilities in your software are an example.
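The following is an added example, not code from the chapter, that carries the risk-analysis steps above through in one place: a prioritized asset inventory, threats attached to those assets, a qualitative ranking by impact and likelihood, a quantitative ranking by expected annual loss, and a control-selection pass under a limited budget. The quantitative formulas (single loss expectancy = asset value x exposure factor; annualized loss expectancy = SLE x annualized rate of occurrence) are the standard ones for this kind of analysis and are assumed here rather than taken from this chapter. The qualitative scales, the asset values, the threat figures, and the control costs are all constructed for illustration.

```python
from dataclasses import dataclass

# Qualitative scales, 1 (low) .. 3 (high). These scales are assumed for the
# example; an organization defines its own.
IMPACT = {"low": 1, "medium": 2, "high": 3}
LIKELIHOOD = {"rare": 1, "possible": 2, "likely": 3}
CRITICALITY = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    value: float        # quantitative value in currency units (constructed)
    criticality: str    # qualitative business priority from the inventory


@dataclass(frozen=True)
class Threat:
    asset: Asset
    description: str
    exposure_factor: float   # fraction of the asset's value lost per event, 0..1
    aro: float               # annualized rate of occurrence (events per year)
    impact: str              # qualitative impact rating
    likelihood: str          # qualitative likelihood rating
    control_cost: float      # assumed annual cost of the mitigating control

    def __post_init__(self):
        # Reject figures that would silently corrupt the ranking.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.description}: exposure factor must be in [0, 1]")
        if self.aro < 0 or self.control_cost < 0:
            raise ValueError(f"{self.description}: ARO and control cost cannot be negative")
        if self.impact not in IMPACT or self.likelihood not in LIKELIHOOD:
            raise ValueError(f"{self.description}: unknown qualitative rating")

    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence (standard formula, assumed)."""
        return self.asset.value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year (standard formula, assumed)."""
        return self.sle() * self.aro

    def qualitative_score(self) -> int:
        """Impact x likelihood on the qualitative scales above."""
        return IMPACT[self.impact] * LIKELIHOOD[self.likelihood]


def rank_quantitative(threats):
    """Highest expected annual loss first."""
    return sorted(threats, key=lambda t: t.ale(), reverse=True)


def rank_qualitative(threats):
    """Highest impact x likelihood first; ties broken by asset criticality,
    which is where the inventory's prioritization feeds the ranking."""
    return sorted(
        threats,
        key=lambda t: (t.qualitative_score(), CRITICALITY[t.asset.criticality]),
        reverse=True,
    )


def fund_controls(threats, budget):
    """Spend a limited budget on the highest-ALE threats first, skipping any
    control whose annual cost exceeds the loss it would avoid. Returns the
    descriptions of the threats whose controls are funded."""
    funded, remaining = [], budget
    for t in rank_quantitative(threats):
        if t.control_cost > t.ale():          # control costs more than it saves
            continue
        if t.control_cost <= remaining:
            funded.append(t.description)
            remaining -= t.control_cost
    return funded


# Constructed inventory and threat figures for illustration only.
CRM_DB = Asset("customer database", value=500_000.0, criticality="high")
WEB = Asset("public web server", value=80_000.0, criticality="medium")
LAPTOP = Asset("field laptop", value=3_000.0, criticality="low")

THREATS = [
    Threat(CRM_DB, "SQL injection exposes customer records", 0.6, 0.5, "high", "possible", 40_000.0),
    Threat(WEB, "DDoS takes storefront offline", 0.25, 2.0, "medium", "likely", 15_000.0),
    Threat(LAPTOP, "lost unencrypted laptop", 1.0, 1.0, "medium", "likely", 500.0),
    Threat(CRM_DB, "datacenter fire", 1.0, 0.01, "high", "rare", 60_000.0),
]

if __name__ == "__main__":
    print("Quantitative ranking (ALE):")
    for t in rank_quantitative(THREATS):
        print(f"  {t.ale():>10,.0f}  {t.description}")
    print("Qualitative ranking (impact x likelihood, then criticality):")
    for t in rank_qualitative(THREATS):
        print(f"  {t.qualitative_score():>2}  {t.description}")
    print("Controls funded with a 50,000 budget:", fund_controls(THREATS, 50_000.0))
```

Note how the two rankings disagree on the constructed data: the datacenter fire has the largest single loss but a low expected annual loss, so it ranks last quantitatively, while the lost laptop ranks last among the three equal qualitative scores only because its asset is the least critical. That disagreement is the practical reason the chapter treats the choice between qualitative and quantitative valuation as foundational, and the budget pass shows why asset prioritization matters when not every control can be funded.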