Choosing the Best Risk-Assessment Approach
Every organization is unique in how it operates and maintains the confidentiality, integrity, and availability of its IT infrastructure and assets. The following are three basic approaches to conducting a risk and vulnerability assessment on an IT infrastructure and its assets:
- Top-down approach A top-down approach requires the existence of the corporate IT policies, standards, procedures, and guidelines. In addition, baseline configurations or minimum acceptable baseline configurations that have incorporated the minimum standard for security are required. With a security framework in place, it is easiest to commence with the vulnerability assessment, starting with these foundational documents. From here, the IT policies, standards, procedures, and guidelines can be reviewed, and then the IT infrastructure and the domains of security responsibility can be assessed according to the defined IT security framework.
Figure 4.2 depicts a top-down risk and vulnerability assessment approach. Top-down refers to an examination of the organization's business drivers and goals and objectives for conducting the risk assessment. This top-down risk and vulnerability assessment approach is dependent on documented organizational business drivers, goals, and objectives for the risk and vulnerability assessment, and an existing IT security architecture and framework or IT security policies, standards, procedures, and guidelines.
Figure 4.2. Top-down risk-assessment approach.
- Bottom-up approach If there are no IT security policies, standards, procedures, and guidelines in place, the risk and vulnerability assessment typically begins in the trenches by examining the IT infrastructure in areas such as the seven areas of information security responsibility. IT assets, configurations, and risk and threat analysis is done on the current production IT infrastructure and its assets. The risk and vulnerability assessment continues upward, meaning that the IT security architecture and framework typically becomes an important next step, deliverable as part of the riskassessment recommendations. A bottom-up risk or vulnerability assessment process can be difficult if it does not gain the support of senior management; without that support, you're attempting to work up from the trenches with little help from above.
Figure 4.3 depicts a bottom-up risk-assessment approach. In many cases, organizations may not have the necessary documentation that the risk and vulnerability assessment can be compared to. In cases like this, conducting a bottom-up risk assessment is common. Prior to beginning the bottom-up risk assessment, the project usually requires the creation of business drivers, goals, and objectives of the risk assessment, and then the creation of an IT security architecture framework. This provides both a baseline definition for the IT infrastructure information security definition as well as the high-level policies, standards, procedures, and guidelines that are needed to implement proper security controls.
Figure 4.3. Bottom-up risk-assessment approach.
- Hybrid approach In some cases, organizations have some IT security framework in place, but lack the rock-solid implementation of that framework. The risk and vulnerability assessment can proceed in a hybrid approach. This would be the best solution where an organization has some IT security policies, standards, procedures, guidelines, and baselines in place. The vulnerability assessment would begin by examining whatever IT security framework exists and simultaneously conducting the asset valuation and risk and threat analysis steps.
Figure 4.4 depicts a hybrid approach to risk management. In this case, both a top-down and bottom-up approach to risk management is conducted in parallel. This will assist in the gap analysis for the provided IT security architecture and framework and an assessment of what is really happening with the security controls and security countermeasures, as defined in the organization's policies, standards, procedures, and guidelines. The hybrid approach to risk management is typical for those organizations that have some IT security policies, standards, procedures, and guidelines, and some network configuration, network documentation, and IT asset inventory data.
Figure 4.4. Hybrid risk-assessment approach.
Introduction to Assessing Network Vulnerabilities
- Introduction to Assessing Network Vulnerabilities
- What Security Is and Isnt
- Process for Assessing Risk
- Four Ways in Which You Can Respond to Risk
- Network Vulnerability Assessment
Foundations and Principles of Security
- Foundations and Principles of Security
- Basic Security Principles
- Security Requires Information Classification
- The Policy Framework
- The Role Authentication, Authorization, and Accountability Play in a Secure Organization
- Encryption
- Security and the Employee (Social Engineering)
Why Risk Assessment
- Why Risk Assessment
- Risk Terminology
- Laws, Mandates, and Regulations
- Risk Assessment Best Practices
- Understanding the IT Security Process
- The Goals and Objectives of a Risk Assessment
Risk-Assessment Methodologies
- Risk-Assessment Methodologies
- Risk-Assessment Terminology
- Quantitative and Qualitative Risk-Assessment Approaches
- Best Practices for Quantitative and Qualitative Risk Assessment
- Choosing the Best Risk-Assessment Approach
- Common Risk-Assessment Methodologies and Templates
Scoping the Project
- Scoping the Project
- Defining the Scope of the Assessment
- Reviewing Critical Systems and Information
- Compiling the Needed Documentation
- Making Sure You Are Ready to Begin
Understanding the Attacker
- Understanding the Attacker
- Who Are the Attackers?
- What Do Attackers Do?
- Reducing the Risk of an Attack
- How to Respond to an Attack
Performing the Assessment
- Performing the Assessment
- Introducing the Assessment Process
- Level I Assessments
- Level II Assessments
- Level III Assessments
Tools Used for Assessments and Evaluations
- Tools Used for Assessments and Evaluations
- A Brief History of Security Tools
- Putting Together a Toolkit
- Determining What Tools to Use
Preparing the Final Report
- Preparing the Final Report
- Preparing for Analysis
- Ranking Your Findings
- Building the Final Report
- Contents of a Good Report
- Determining the Next Step
- Audit and Compliance
Post-Assessment Activities
- Post-Assessment Activities
- IT Security Architecture and Framework
- Roles, Responsibilities, and Accountabilities
- Security Incident Response Team (SIRT)
- Vulnerability Management
- Training IT Staff and End Users
Appendix A. Security Assessment Resources
Appendix B. Security Assessment Forms
- Information Request Form
- Document Tracking Form
- Critical Systems and Information Forms
- Level II Assessment Forms
Appendix C. Security Assessment Sample Report
- Appendix C. Security Assessment Sample Report
- Notice
- Executive Summary
- Statement of Work
- Analysis
- Recommendations
- Conclusions
Appendix D. Dealing with Consultants and Outside Vendors
- Appendix D. Dealing with Consultants and Outside Vendors
- Procurement Terminology
- Typical RFP Procurement Steps
- Procurement Best Practices
Appendix E. SIRT Team Report Format Template
EAN: 2147483647
Pages: 138
