Best Practices for Quantitative and Qualitative Risk Assessment
Many organizations prefer to do a quantitative risk assessment because it aligns the financial impact of risk so that a return on investment (ROI) or cost-benefit analysis and justification can be presented to management. Many organizations use this quantitative risk assessment to assist in creating budgets for information security controls and security countermeasures. As these controls and countermeasures are implemented, the overall risk is mitigated to the organization's minimum acceptable level of risk. Quantitative risk assessments require accurate IT asset inventories, accurate IT asset valuations, and a consistent method for defining exposure factors for known threats.
For those organizations that do not have accurate IT asset inventory documentation or financial data, conducting a qualitative risk assessment for IT assets is a quick and easy way to prioritize IT assets and their exposure to known threats and vulnerabilities. This still accomplishes the same goal as the quantitative risk assessmentto identify IT assets, prioritize them based on importance to the organization, and assess the risk of known threats and vulnerabilities and their likelihood of occurrence. Either risk-assessment approach will allow an organization to make sound business decisions pertaining to the prioritization and investment of funds towards security controls and security countermeasures.
Quantitative Risk-Assessment Best Practices
When performing a quantitative risk assessment, the following best practices should be followed to maintain accuracy and consistency in the calculations of the AV, EF, SLE, ARO, and ALE:
- Determine the Asset Value (AV) for each IT asset by identifying the purchase price, incorporating labor, maintenance, and support, and the value of any data assets.
- Define a consistent scale for the Exposure Factor (EF). Build a table with the threats and vulnerabilities ranked from high to low. This table will act as a consistent EF table for all IT assets. Be sure to define all assumptions and justify your assumptions with supporting historical trends or data.
- When calculating Single Loss Expectancy (SLE), verify and validate that your business liability and insurance policy can cover a single occurrence of that IT asset being compromised in a calendar year.
- Define the Annualized Rate of Occurrence (ARO). Depending on what the threat or vulnerability is, use historical data going back in time to get a history or feel for rate of occurrence. For example, how many times has the organization been attacked by a virus, worm, or Trojan in the past five years? This type of data will assist in defining the ARO value for malicious code and malicious software attacks on the organization. Build a table of ARO values for the different threats or vulnerabilities to maintain consistent ARO values. Be sure to define all assumptions and justify your assumptions with supporting historical trends or data.
- When calculating the Annualized Loss Expectancy (ALE), use this value tojustify the cost of investment in security controls and security countermeasures. This ALE investment value is typically used as a cost-benefit justification to invest in proper security controls and security countermeasures to achieve the confidentiality, integrity, and availability goals.
Qualitative Risk-Assessment Best Practices
When you perform a qualitative risk assessment, use the following best practices to maintain accuracy and consistency in assessing the IT assets risk exposure:
- List all of the organization's critical IT assets in a spreadsheet.
- Specify the critical threats and vulnerabilities for each IT asset in the spreadsheet. Remember, there may be more than one critical threat or vulnerability for a given IT asset.
- Develop a consistent exposure severity scale for each asset and its known threats and vulnerabilities. This exposure severity scale should cover critical, high, medium, and low exposure and be assigned accordingly to the IT asset and the specific threat or vulnerability that can be exploited.
- Organize and prioritize the risk-assessment results from the most critical IT assets and critical exposures first. This will immediately bring to the top those IT assets that have the greatest risk to exploitation from a threat or vulnerability.
- Prioritize the investment of funds for security controls and security countermeasures for those IT assets that have the greatest importance to the organization with the greatest exposure to risk.
- Ensure that the organization's critical IT assets achieve the appropriate confidentiality, integrity, and availability goals and objectives.
Introduction to Assessing Network Vulnerabilities
- Introduction to Assessing Network Vulnerabilities
- What Security Is and Isnt
- Process for Assessing Risk
- Four Ways in Which You Can Respond to Risk
- Network Vulnerability Assessment
Foundations and Principles of Security
- Foundations and Principles of Security
- Basic Security Principles
- Security Requires Information Classification
- The Policy Framework
- The Role Authentication, Authorization, and Accountability Play in a Secure Organization
- Encryption
- Security and the Employee (Social Engineering)
Why Risk Assessment
- Why Risk Assessment
- Risk Terminology
- Laws, Mandates, and Regulations
- Risk Assessment Best Practices
- Understanding the IT Security Process
- The Goals and Objectives of a Risk Assessment
Risk-Assessment Methodologies
- Risk-Assessment Methodologies
- Risk-Assessment Terminology
- Quantitative and Qualitative Risk-Assessment Approaches
- Best Practices for Quantitative and Qualitative Risk Assessment
- Choosing the Best Risk-Assessment Approach
- Common Risk-Assessment Methodologies and Templates
Scoping the Project
- Scoping the Project
- Defining the Scope of the Assessment
- Reviewing Critical Systems and Information
- Compiling the Needed Documentation
- Making Sure You Are Ready to Begin
Understanding the Attacker
- Understanding the Attacker
- Who Are the Attackers?
- What Do Attackers Do?
- Reducing the Risk of an Attack
- How to Respond to an Attack
Performing the Assessment
- Performing the Assessment
- Introducing the Assessment Process
- Level I Assessments
- Level II Assessments
- Level III Assessments
Tools Used for Assessments and Evaluations
- Tools Used for Assessments and Evaluations
- A Brief History of Security Tools
- Putting Together a Toolkit
- Determining What Tools to Use
Preparing the Final Report
- Preparing the Final Report
- Preparing for Analysis
- Ranking Your Findings
- Building the Final Report
- Contents of a Good Report
- Determining the Next Step
- Audit and Compliance
Post-Assessment Activities
- Post-Assessment Activities
- IT Security Architecture and Framework
- Roles, Responsibilities, and Accountabilities
- Security Incident Response Team (SIRT)
- Vulnerability Management
- Training IT Staff and End Users
Appendix A. Security Assessment Resources
Appendix B. Security Assessment Forms
- Information Request Form
- Document Tracking Form
- Critical Systems and Information Forms
- Level II Assessment Forms
Appendix C. Security Assessment Sample Report
- Appendix C. Security Assessment Sample Report
- Notice
- Executive Summary
- Statement of Work
- Analysis
- Recommendations
- Conclusions
Appendix D. Dealing with Consultants and Outside Vendors
- Appendix D. Dealing with Consultants and Outside Vendors
- Procurement Terminology
- Typical RFP Procurement Steps
- Procurement Best Practices
Appendix E. SIRT Team Report Format Template
EAN: 2147483647
Pages: 138
