Risk Assessment

Risk is defined as the possibility of losing something of value. Risk is only the potential for loss and does not mean the loss is certain. The risk assessment process attempts to identify the risks inherent in a system to give the organization an opportunity to mitigate the risks before a loss occurs. This proactive approach to addressing risk minimizes the loss an organization will experience.

During this process, the security team identifies those pieces of information that are mission critical to the organization. They then analyze threats, both internal and external to the organization, that may pose a risk to information assets. Each risk may have a different impact on the organization due to the severity of the threat and the value of the assets. Figure 3.3 shows the relationship between threats, vulnerabilities, the value of the assets, and the risks to those assets.

Figure 3.3: Risk Relationship Pyramid

  1. Identify the sensitivity and criticality of the system.

    All organizations exist for a reason. This reason is defined in their mission statement and should be common sense to most individuals who work for the organization. Certain types of information are required by an organization in order to function and accomplish its mission. Some of these information types are considered critical to the organization, while some are not. The systems that process, transmit, and store critical information also become critical to the organization.

    Unless working directly for an organization, it is difficult to define what information is critical to it. A customer can define the information assets but will often need the guidance of a security professional to realize the total impact to the organization. Identifying the most critical information in an organization is a required skill for all SSCP professionals.

  2. Identify the risks to which the system is exposed.

    Risk to critical systems comes from a combination of other issues. Vulnerabilities must exist within the system in order for risk to exist. But that is not enough by itself to say that a critical information system is in danger. There must also be a threat to the system. Threats can be human, environmental, internal, external, intentional, or accidental.

    Natural storms pose a risk to information systems. Electrical storms can cause power surges in electrical lines that can burn out vital systems on the network. Floods can ruin a data center full of operationally critical systems. These things are threats because the systems are not waterproof and are vulnerable to sudden surges of electrical power.

    Other risks are often human in nature and can come either from inside an organization or from the outside world. For example, viruses and worms usually originate from an external source and can infect a company quickly and ruin information that is critical for the organization to carry out its mission. From an internal perspective, normal users make mistakes that could cause problems for an organization. Accidental deletion of critical databases or flat files could cause downtime for an entire organization.

    When the possible risks that exist have been defined and the threat level to the system has been determined, the actual value of the information assets comes into question. If the asset (information or system) has very little value to the organization, then the risk is low for that asset even if a known vulnerability exists there. Value can be financial or otherwise. For example, a server that has been written off against taxes for five years is said to have no value that can be deducted. However, if the primary database for the mission resides on that server, it has tremendous value to an organization.

    A risk assessment helps to quantify these things and identify the risks. Security administrators typically consider the CIA triad (confidentiality, integrity, and availability) and how the loss of any of those attributes would affect the organization. When an organization loses the integrity of its information, what impact does that have on the organization? The same question can be asked in relation to the confidentiality and availability of the information. Each answer to these questions helps prioritize the findings of the risk assessment in order of impact to the organization.

  3. Identify the available security controls.

    Once the risks to the system are identified, administrators can begin looking at methods for mitigation or elimination of the finding. Not all risks can be completely eliminated. Some solutions may simply be too expensive to implement. Others may be impractical because of their impact on the operational environment.

    The appropriate security solutions and controls take risk into account while still working around the other constraints a customer may be subject to while implementing those solutions. Technical solutions may be as simple as adding a new rule to a firewall to block traffic on an offending port. Other more process-oriented solutions may require an update to the organization's security policy. Regardless of the actual solution, it must help control the risk and it must fit the risk.

  4. Identify the cost of an incident.

    When considering the actual cost of a security incident to an organization, many people immediately think in terms of financial loss. While this is indeed an important aspect, there are still other things that must be considered. Consider these costs typically associated with a security incident:

    • Monetary (fees, fines, lost resources and revenue, and legal settlements)

    • Reputation (public relations and public opinion of the organization)

    • Legal (federal, state and local laws)

    The monetary losses associated with security incidents get the most press. Organizations see huge losses from the time and money paid by the company to replace the damaged asset or from the loss of revenue while the systems are down for repairs. For those industries that fall under specific market regulations, such as utility companies (Presidential Decision Directive 63 [PDD-63]), banking and finance (GLB), or the healthcare industry (HIPAA), there are fines associated with non-compliance with federal security guidelines. In some cases, an organization may end up paying legal fees and an eventual settlement to an upset customer base in the event of a security incident.

    Financial estimates can be determined by using statistics provided by local law enforcement, federal law enforcement agencies, news agencies, or managed security services firms. Using these statistics, the Annualized Rate of Occurrence (ARO) can be determined. For instance, e-commerce sites may average two security incidents per year. The downtime expected per incident might be two hours. The organization determines that the Single Loss Expectancy (SLE) is $15,000 per hour lost in customer orders and resources utilized to respond to the activity. Using these numbers together, we find that the Annualized Loss Expectancy (ALE) for the e-commerce company is $60,000 for attacks on the Web site.

    Reputation is also an asset to an organization. The reputation of an organization often depends on the public perception of the organization. Company X may have security processes in place that are just as reliable as Company Z, but if Company X has had a serious security incident, public opinion will tend to look down upon them. At this point, the organization goes into "damage control" mode and the public relations machine sets to work to sway public opinion back in their favor. Security incidents can cost an organization customers and resources.

    Also included in the costs associated with security incidents are the legal ramifications. Those same federal regulations that levy harsh penalties on companies that fail to meet standards can also provide for other forms of legal recourse against the company. Customers that feel they have lost something due to the security incident may file a lawsuit against the company. And recently, there was talk of executives at an organization being held liable for security incidents if the proper controls were not in place at the time of the incident.

  5. Establish acceptable levels of loss.

    As mentioned before, some information assets may not have the same value as critical information. It is important to work with the customer to define the value of the various information assets within the organization. The level of mitigation for each finding should not cost more than the estimated value of the information asset. Customers always make the final determination of what level of loss they are willing to accept for each information asset.

  6. Develop a plan to address this risk.

    The goal of a risk assessment is to develop a comprehensive and useful risk management plan. The plan must exist somewhere in between the point where the risk can be completely contained or eliminated and the point where management feels the level of risk is acceptable to the organization. Again, the potential solutions that can be laid out in the risk management plan will range from very little cost to extreme cost, but must always consider what is best for the customer organization.
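The quantitative figures from step 4 (SLE, ARO, ALE) and the cost ceiling from step 5 can be worked through in code. The following is an added example, not part of the study guide: it uses the e-commerce numbers from the text (two incidents per year, two hours per incident, $15,000 per hour, giving an ALE of $60,000) and adds two hypothetical controls with constructed annual costs to show how a control that costs more than the loss it prevents is rejected.

```python
"""ALE = SLE x ARO, and the net value of a control (added example).

Baseline figures come from the text; the candidate controls and their
annual costs are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    aro: float            # Annualized Rate of Occurrence (incidents per year)
    hours_down: float     # downtime per incident
    loss_per_hour: float  # lost orders plus response cost, in dollars

    def sle(self) -> float:
        """Single Loss Expectancy: the cost of one incident."""
        return self.hours_down * self.loss_per_hour

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected loss per year."""
        return self.sle() * self.aro


def control_value(before: Scenario, after: Scenario, annual_cost: float) -> float:
    """Net annual benefit of a control: ALE reduction minus the control's cost.
    A negative result means the control costs more than the loss it prevents,
    which step 5 says the customer should not accept."""
    return before.ale() - after.ale() - annual_cost


# Baseline from the text: ARO 2/yr, 2 hours per incident, $15,000 per hour.
WEB_SITE = Scenario("e-commerce web site", aro=2, hours_down=2, loss_per_hour=15_000)

# Hypothetical controls (constructed): a standby server halves downtime,
# a web application firewall is assumed to halve the incident rate.
STANDBY_SERVER = Scenario("with standby server", aro=2, hours_down=1, loss_per_hour=15_000)
WAF = Scenario("with web application firewall", aro=1, hours_down=2, loss_per_hour=15_000)


def best_control(baseline, candidates):
    """Return (name, net value) of the most valuable candidate in a list of
    (Scenario, annual_cost) pairs, or None if no candidate pays for itself."""
    ranked = sorted(((control_value(baseline, s, cost), s.name) for s, cost in candidates),
                    reverse=True)
    value, name = ranked[0]
    return (name, value) if value > 0 else None


if __name__ == "__main__":
    print(f"SLE = ${WEB_SITE.sle():,.0f}, ALE = ${WEB_SITE.ale():,.0f}")
    print(best_control(WEB_SITE, [(STANDBY_SERVER, 20_000), (WAF, 25_000)]))
```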

start sidebar
Damage & Defense…
NSA INFOSEC Assessment Methodology

When you are performing a risk assessment, try to follow a best practices approach for each step of the assessment. The goal is to create a useful assessment plan using a standardized process. The problem is that there is no real definition for "best practices." They exist within the personal experiences of each security analyst and can vary from person to person.

For this reason, the US National Security Agency (NSA) has developed a standardized methodology for conducting organizational risk assessments, called the INFOSEC Assessment Methodology (IAM). The IAM takes the NSA's years of experience conducting these assessments on federal and military assets and transfers it to a methodology that performs equally well in the commercial sector. The IAM also helps the security analyst walk a customer through the process of defining what is really important to their organization and what impact the loss of integrity, confidentiality, and availability will have on it. Once this is done, the security administrator can determine which systems process those types of information and focus on them more intently during the assessment process.

The IAM is based on the Information Assurance Capability Maturity Model, also created by the NSA. For more information on either of these, visit their Web site at www.iatrp.com. Working with customers to define these things is one of the most difficult aspects of performing a risk assessment. Using a standard methodology and achieving repeatable results helps ensure that everyone is on the same page.

end sidebar

SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135