Relational Security Assessment Model: Controls

The second part of the Relational Security Risk Assessment addresses the degree to which we want to protect objects. For each object, we need to define a minimum level of protection based on its risk level. Objects at greater risk will generally have higher control requirements than objects with little or no security risk.

Now expanded, the basic components of the Relational Security Risk Assessment are:

  • Risk levels (already discussed)

  • Risk factors (already discussed)

  • Controls

  • Control levels

  • Risk control policies

Controls

An organization may standardize on various types of controls, and different types of objects call for different controls. Servers and routers, for example, offer logging and monitoring controls; a room has entrance controls such as a key lock or a biometric reader. As Table 8.11 shows, every object has a set of controls that help ensure its security:

Table 8.11. Sample Control Types

  Object Type   Possible Types of Control
  Server        Logging, monitoring, authentication, authorization, hardening, drive redundancy
  Router        Logging, monitoring, local authentication, remote authentication, hardening
  Room          Monitoring, perimeter access control, power protection

Control Levels

For each type of control, there are various degrees to which the control can be implemented (see Table 8.12), and one version of a control may be more secure than another. Taking the example of a server room, we can adjust the strength of the control used to protect the room according to its risk level: rooms with low risk levels might require only a single key lock, while rooms with higher risk levels require key-card access or biometrics.

Table 8.12. Sample Control Levels

  Control Type       Control Levels
  Entrance control   Level 0: No access control
                     Level 1: Simple key access
                     Level 2: Magnetic card access
                     Level 3: Biometrics
  Monitoring         Level 0: No monitoring
                     Level 1: Must pass by staffed desk
                     Level 2: Recorded camera
                     Level 3: Actively monitored camera

Risk Control Policies

In most organizations, it will not be possible to apply the highest level of control to every object. We may not have the staff or the budget to place biometrics at every server room door, or to review every server on an hourly basis. It therefore becomes important to place the strongest controls where they are most required. By forming a control policy, we can specify that objects of a given risk level require some minimum degree of control, which lets us spend limited resources where they matter most.

Since we have already defined levels of risk and levels of control, we simply combine the two to form policies. A risk control policy designates the minimum level of each control for objects of a specific risk level. The control applied to any given object should be at least as strong as its risk level dictates, as shown in Table 8.13:

Table 8.13. Sample Risk Control Policy in the Server Room

  Control Type          Risk Level   Minimum Control Level Required
  Entrance control      None         No control
                        Low          Standard lock
                        Medium       Standard lock
                        High         Key-card access
                        Critical     Key-card access
  Entrance monitoring   None         No monitoring
                        Low          No monitoring
                        Medium       Must pass by staffed desk
                        High         Recorded camera
                        Critical     Recorded camera

Scoring an Object

Once a risk control policy has been developed, scoring an object is straightforward. An object's score is derived by comparing the controls its risk level requires with the controls actually implemented. Each control that falls below the minimum the policy requires counts as a violation, and the violations are totaled to give the object a violation score (see Table 8.14). Objects with higher scores are further out of compliance than objects with low or no score. (Note that the policy applied in Table 8.14 is stricter for critical rooms than the sample in Table 8.13: it requires an actively monitored camera rather than a recorded one.)

Table 8.14. Sample Scoring Process

  Object   Risk Level   Control      Applied Level        Required Level       Violations
  Room A   Low          Access       1: Standard key      1: Standard key      0
                        Monitoring   0: None              0: None              0
  Room B   Critical     Access       1: Standard key      2: Magnetic card     1
                        Monitoring   2: Recorded camera   3: Active camera     1

Scoring shows which objects violate the risk control policy and which have the most violations and therefore deserve the highest priority. It also lets us average scores across facilities or departments and compare them with one another. Scores help pinpoint trouble areas in the organization and track progress over time.
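The following is an added worked example, not code from the book, that carries the procedure of this section through end to end: the control levels of Table 8.12, a risk control policy table in the shape of Table 8.13, and the violation scoring and facility averaging described above. The policy it encodes follows Table 8.13 except for the Critical row, which uses the levels Table 8.14 requires of Room B (magnetic card, actively monitored camera), so that the rooms from Table 8.14 reproduce that table's scores. The class and function names, the numeric level assignments, the rule that a control missing from an object's inventory counts as level 0, and Room C and the facility names are all assumptions made for the example.

```python
"""Risk control policy scoring (added example): compare each object's applied
control levels against the minimum levels its risk level requires, count the
violations, and average scores per facility."""
from dataclasses import dataclass

# Control levels from Table 8.12; a higher number is a stronger control.
ENTRANCE_LEVELS = {0: "No access control", 1: "Simple key access",
                   2: "Magnetic card access", 3: "Biometrics"}
MONITORING_LEVELS = {0: "No monitoring", 1: "Must pass by staffed desk",
                     2: "Recorded camera", 3: "Actively monitored camera"}
LEVEL_NAMES = {"access": ENTRANCE_LEVELS, "monitoring": MONITORING_LEVELS}

# Risk control policy: risk level -> {control: minimum level required}.
# Assumed here: Table 8.13's rows, except that Critical uses the levels
# Table 8.14 requires of Room B (magnetic card, actively monitored camera).
POLICY = {
    "None":     {"access": 0, "monitoring": 0},
    "Low":      {"access": 1, "monitoring": 0},
    "Medium":   {"access": 1, "monitoring": 1},
    "High":     {"access": 2, "monitoring": 2},
    "Critical": {"access": 2, "monitoring": 3},
}


@dataclass
class SecuredObject:
    name: str
    risk_level: str
    applied: dict          # control name -> level actually implemented
    facility: str = ""     # used for averaging scores per site/department


@dataclass
class Finding:
    control: str
    applied: int
    required: int

    @property
    def violation(self) -> bool:
        return self.applied < self.required


def score_object(obj, policy=POLICY):
    """Return (violation_score, findings) for one object.
    A control that is absent from obj.applied is treated as level 0
    (not implemented), so it is a violation whenever the policy requires it."""
    if obj.risk_level not in policy:
        raise ValueError(f"no policy defined for risk level {obj.risk_level!r}")
    findings = [Finding(control, obj.applied.get(control, 0), min_level)
                for control, min_level in policy[obj.risk_level].items()]
    score = sum(1 for f in findings if f.violation)   # one point per shortfall
    return score, findings


def report(obj, policy=POLICY):
    """Human-readable version of Table 8.14 for one object."""
    score, findings = score_object(obj, policy)
    lines = [f"{obj.name} ({obj.risk_level}): violation score {score}"]
    for f in findings:
        flag = "VIOLATION" if f.violation else "ok"
        lines.append(f"  {f.control:<10} applied {f.applied}: "
                     f"{LEVEL_NAMES[f.control][f.applied]:<26} required "
                     f"{f.required}: {LEVEL_NAMES[f.control][f.required]:<26} {flag}")
    return "\n".join(lines)


def facility_scores(objects, policy=POLICY):
    """Average violation score per facility, for comparing sites or departments."""
    by_facility = {}
    for obj in objects:
        by_facility.setdefault(obj.facility, []).append(score_object(obj, policy)[0])
    return {fac: sum(s) / len(s) for fac, s in by_facility.items()}


def prioritized(objects, policy=POLICY):
    """Objects ordered worst first: highest violation score, then highest risk."""
    rank = {level: i for i, level in enumerate(policy)}   # None=0 ... Critical=4
    return sorted(objects,
                  key=lambda o: (-score_object(o, policy)[0], -rank[o.risk_level]))


# Constructed sample data: the two rooms of Table 8.14 plus an assumed Room C.
ROOMS = [
    SecuredObject("Room A", "Low",      {"access": 1, "monitoring": 0}, facility="HQ"),
    SecuredObject("Room B", "Critical", {"access": 1, "monitoring": 2}, facility="HQ"),
    SecuredObject("Room C", "High",     {"access": 3, "monitoring": 2}, facility="Branch"),
]

if __name__ == "__main__":
    for room in prioritized(ROOMS):
        print(report(room))
    print(facility_scores(ROOMS))
```

Room B scores 2 (both controls fall one level short), Room A and Room C score 0, and the HQ average of 1.0 against the branch's 0.0 flags the site that needs attention first. Because scoring only counts shortfalls, a control that exceeds its requirement (Room C's biometrics) earns no credit; if you want the size of each gap rather than a count, compare `required - applied` in the findings instead.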



Inside the Security Mind: Making the Tough Decisions
ISBN: 0131118293
Year: 2006
Pages: 119
Authors: Kevin Day
