Chapter 9: What are we Doing Here?

9.1 Risk analysis

Risk analysis is the process of determining where you most need to focus your time, efforts, and financial resources to develop a security implementation. This process will include the analysis of the threats, the impacts of those threats, and the corresponding risks. Once you have executed this process, significant business risks and weaknesses will be more evident, and this will help you develop counterstrategies.

The formula to determine risk is: Risk = Impact + Threats + Likelihood

As you perform your risk analysis, you will determine what is most important to the business in terms of security. You will also review the potential impacts to the business, which will be business-specific results of a particular attack. One significant part of the analysis is to understand the service level agreements (SLAs). If you cannot support your business requirements say, due to a service outage then you may suffer a significant loss of revenue.

As you walk through the risk analysis process, you will be introduced to the following tools: the technology security review (TSR), the control directory (CD), and the environment risk table (ERT). These tools will help you develop a strategy to accomplish the following goals:

  1. Eliminate risk

  2. Reduce risk to an acceptable level

  3. Minimize the damage from an incident

  4. Create the countermeasures needed for each incident type.

You should include at least the following factors when you perform your risk analysis.

  • Physical network architecture

  • Firewalls

  • Routers

  • Messaging servers

  • Web servers

  • Operating systems

  • Application services

  • Application servers

  • Server level protocols and data flow

  • Authentication and authorization infrastructures

  • Nonrepudiation

  • Application implementation

We will focus on five steps for risk analysis:

  1. Asset identification

  2. Threat identification

  3. Estimation of likelihood of occurrence (this is the TSR document)

  4. Analysis of applicable controls and their costs (this is the CD document)

  5. Implementation of countermeasures (this is the ERT document)

9.1.1 Asset identification

The first step of risk assessment is to take inventory of all the components of your computing infrastructure, including hardware, software, data, information, and knowledge. Understand the value of what you are protecting before you try to protect it.

9.1.2 Threat identification

Next, review the inventory from step one and determine how and to what extent each component is vulnerable. See the next section of this chapter for details.

9.1.3 Estimation of likelihood of occurrence (TSR)

The TSR document will guide you through the process of documenting the likelihood of an incident. We devote a complete section to the TSR in this chapter.

9.1.4 Analysis of applicable controls and their costs (CD)

This step is where you assign the control to each potential incident and estimate the cost of each control.

9.1.5 Implementation of countermeasures (ERT)

Finally, we have arrived. This step is where the rubber hits the road. The ERT will combine the data from the TSR and the CD. This is when you decide which controls are most cost-effective and/or required.

Internet Security(c) A Jumpstart for Systems Administrators and IT Managers
Internet Security: A Jumpstart for Systems Administrators and IT Managers
ISBN: 1555582982
EAN: 2147483647
Year: 2003
Pages: 103
Authors: Tim Speed, Juanita Ellis
BUY ON AMAZON © 2008-2017.
If you may any questions please contact us: