Risk analysis is the process of determining where you most need to focus your time, efforts, and financial resources to develop a security implementation. This process will include the analysis of the threats, the impacts of those threats, and the corresponding risks. Once you have executed this process, significant business risks and weaknesses will be more evident, and this will help you develop counterstrategies.
The formula to determine risk is: Risk = Impact + Threats + Likelihood
As you perform your risk analysis, you will determine what is most important to the business in terms of security. You will also review the potential impacts to the business, which will be business-specific results of a particular attack. One significant part of the analysis is to understand the service level agreements (SLAs). If you cannot support your business requirements (say, due to a service outage), then you may suffer a significant loss of revenue.
As you walk through the risk analysis process, you will be introduced to the following tools: the technology security review (TSR), the control directory (CD), and the environment risk table (ERT). These tools will help you develop a strategy to accomplish the following goals:
Eliminate risk
Reduce risk to an acceptable level
Minimize the damage from an incident
Create the countermeasures needed for each incident type.
You should include at least the following factors when you perform your risk analysis.
Physical network architecture
Firewalls
Routers
Messaging servers
Web servers
Operating systems
Application services
Application servers
Server level protocols and data flow
Authentication and authorization infrastructures
Nonrepudiation
Application implementation
We will focus on five steps for risk analysis:
Asset identification
Threat identification
Estimation of likelihood of occurrence (this is the TSR document)
Analysis of applicable controls and their costs (this is the CD document)
Implementation of countermeasures (this is the ERT document)
The first step of risk assessment is to take inventory of all the components of your computing infrastructure, including hardware, software, data, information, and knowledge. Understand the value of what you are protecting before you try to protect it.
Next, review the inventory from step one and determine how and to what extent each component is vulnerable. See the next section of this chapter for details.
The TSR document will guide you through the process of documenting the likelihood of an incident. We devote a complete section to the TSR in this chapter.
In the fourth step, you assign a control to each potential incident and estimate the cost of each control.
Finally, we have arrived at the last step. This is where the rubber hits the road. The ERT will combine the data from the TSR and the CD. This is when you decide which controls are most cost-effective and/or required.
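The last three steps can be worked through in code. The following is an added example, not taken from the original text: it joins TSR rows to CD rows, scores risk with the additive formula given above, and ranks controls for the ERT. The 1-5 scoring scale, all field names, the "risk reduction per 1,000 spent" ranking, and the sample rows are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class TsrRow:  # one potential incident from the TSR (field names are assumptions)
    incident: str
    impact: int      # assumed 1-5 scale
    threat: int      # assumed 1-5 scale
    likelihood: int  # assumed 1-5 scale

@dataclass
class CdRow:  # one control from the CD (field names are assumptions)
    control: str
    incident: str
    annual_cost: float      # must be greater than zero
    likelihood_after: int   # assumed likelihood score with the control in place
    required: bool = False  # e.g. needed to meet an SLA regardless of cost

def risk(impact, threat, likelihood):
    """Risk = Impact + Threats + Likelihood, the formula as stated in the text."""
    return impact + threat + likelihood

def build_ert(tsr, cd):
    """Join CD controls to TSR incidents and rank them for the ERT."""
    incidents = {row.incident: row for row in tsr}
    ert = []
    for c in cd:
        t = incidents.get(c.incident)
        if t is None:
            raise ValueError(f"{c.control!r} names an incident missing from the TSR")
        if c.annual_cost <= 0:
            raise ValueError(f"{c.control!r} needs a positive cost estimate")
        before = risk(t.impact, t.threat, t.likelihood)
        # A control should never raise likelihood, so clamp to the TSR value.
        after = risk(t.impact, t.threat, min(c.likelihood_after, t.likelihood))
        ert.append({"control": c.control, "incident": c.incident,
                    "risk_before": before, "risk_after": after,
                    "required": c.required,
                    "reduction_per_1k": (before - after) / (c.annual_cost / 1000)})
    # Required controls first, then the best risk reduction per 1,000 spent.
    ert.sort(key=lambda r: (not r["required"], -r["reduction_per_1k"]))
    return ert

# Constructed sample data for illustration only.
TSR = [TsrRow("web server defacement", 3, 4, 4),
       TsrRow("messaging server outage", 5, 3, 2),
       TsrRow("router misconfiguration", 4, 2, 3)]
CD = [CdRow("patch management", "web server defacement", 8000, 2),
      CdRow("web application firewall", "web server defacement", 20000, 1),
      CdRow("redundant mail relay", "messaging server outage", 5000, 1, required=True),
      CdRow("configuration change review", "router misconfiguration", 2000, 1)]
```

Calling build_ert(TSR, CD) returns the ERT rows in priority order; a control that names an incident absent from the TSR is rejected rather than silently dropped.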