Reasons/Rationale for Performing a Security Risk Assessment
Organizations have many reasons for taking a proactive and repetitive approach to addressing information security concerns. Legal and regulatory requirements aimed at protecting sensitive or personal data, as well as general public security requirements, create an expectation for companies of all sizes to devote the utmost attention and priority to information security risks. An IT security risk assessment takes on many names and can vary greatly in terms of method, rigor and scope, but the core goal remains the same: identify and quantify the risks to the organization’s information assets. This information is used to determine how best to mitigate those risks and effectively preserve the organization’s mission.
Some areas of rationale for performing an enterprise security risk assessment include:
- Cost justification—Added security usually involves additional expense. Since this does not generate easily identifiable income, justifying the expense is often difficult. An effective IT security risk assessment process should educate key business managers on the most critical risks associated with the use of technology, and automatically and directly provide justification for security investments.
- Productivity—Enterprise security risk assessments should improve the productivity of IT operations, security and audit. By taking steps to formalize a review, create a review structure, collect security knowledge within the system’s knowledge base and implement self-analysis features, the risk assessment can boost productivity.
- Breaking barriers—To be most effective, security must be addressed by organizational management as well as the IT staff. Organizational management is responsible for making decisions that relate to the appropriate level of security for the organization. The IT staff, on the other hand, is responsible for making decisions that relate to the implementation of the specific security requirements for systems, applications, data and controls.
- Self-analysis—The enterprise security risk assessment system must always be simple enough to use, without the need for any security knowledge or IT expertise. This will allow management to take ownership of security for the organization’s systems, applications and data. It also enables security to become a more significant part of an organization’s culture.
- Communication—By acquiring information from multiple parts of an organization, an enterprise security risk assessment boosts communication and expedites decision making.
Process
The objective of a risk assessment is to understand the existing system and environment, and identify risks through analysis of the information/data collected. By default, all relevant information should be considered, irrespective of storage format. Several types of information that are often collected include:
- Security requirements and objectives
- System or network architecture and infrastructure, such as a network diagram showing how assets are configured and interconnected
- Information available to the public or accessible from the organization’s web site
- Physical assets, such as hardware, including those in the data center, network, and communication components and peripherals (e.g., desktop, laptop, PDAs)
- Operating systems, such as PC and server operating systems, and network management systems
- Data repositories, such as database management systems and files
- A listing of all applications
- Network details, such as supported protocols and network services offered
- Security systems in use, such as access control mechanisms, change control, antivirus, spam control and network monitoring
- Security components deployed, such as firewalls and intrusion detection systems
- Processes, such as a business process, computer operation process, network operation process and application operation process
- Identification and authentication mechanisms
- Government laws and regulations pertaining to minimum security control requirements
- Documented or informal policies, procedures and guidelines
The project scope and objectives can influence the style of analysis and types of deliverables of the enterprise security risk assessment. The scope of an enterprise security risk assessment may cover the connection of the internal network with the Internet, the security protection for a computer center, a specific department’s use of the IT infrastructure or the IT security of the entire organization. Thus, the corresponding objectives should identify all relevant security requirements, such as protection when connecting to the Internet, identifying high-risk areas in a computer room or assessing the overall information security level of a department. The security requirements should be based on business needs, which are typically driven by senior management, to identify the desired level of security protection. A key component of any risk assessment should be the relevant regulatory requirements, such as Sarbanes-Oxley, HIPAA, the US Gramm-Leach-Bliley Act and the European Data Protection Directive.
The following are common tasks that should be performed in an enterprise security risk assessment (note that these are listed for reference only; the actual tasks performed will depend on each organization’s assessment scope and user requirements):
- Identify business needs and changes to requirements that may affect overall IT and security direction.
- Review adequacy of existing security policies, standards, guidelines and procedures.
- Analyze assets, threats and vulnerabilities, including their impacts and likelihood.
- Assess physical protection applied to computing equipment and other network components.
- Conduct technical and procedural review and analysis of the network architecture, protocols and components to ensure that they are implemented according to the security policies.
- Review and check the configuration, implementation and usage of remote access systems, servers, firewalls and external network connections, including the client Internet connection.
- Review logical access and other authentication mechanisms.
- Review current level of security awareness and commitment of staff within the organization.
- Review agreements involving services or products from vendors and contractors.
- Develop practical technical recommendations to address the vulnerabilities identified, and reduce the level of security risk.
Mapping threats to assets and vulnerabilities can help identify their possible combinations. Each threat can be associated with a specific vulnerability, or even multiple vulnerabilities. Unless a threat can exploit a vulnerability, it is not a risk to an asset.
The range of all possible combinations should be reduced prior to performing a risk analysis. Some combinations may not make sense or are not feasible. This interrelationship of assets, threats and vulnerabilities is critical to the analysis of security risks, but factors such as project scope, budget and constraints may also affect the levels and magnitude of mappings.
Once the assets, threats and vulnerabilities are identified, it is possible to determine the impact and likelihood of security risks.
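The mapping step described above, as an added example (not part of the original article): a constructed inventory of assets, the vulnerabilities present on each, and the vulnerabilities each threat is able to exploit; every asset/threat/vulnerability triple is enumerated and pruned to the feasible ones, then ranked. The 1-5 impact and likelihood ratings and the impact x likelihood score are assumptions for illustration, not the article's method.

```python
from dataclasses import dataclass
from itertools import product

# Constructed sample inventory (assumed, not from the article): vulnerabilities
# found on each asset, and the vulnerabilities each threat is able to exploit.
ASSETS = {
    "customer-db": {"unpatched-dbms", "weak-admin-password"},
    "public-web": {"unpatched-dbms", "missing-waf"},
    "hr-laptop": {"no-disk-encryption"},
}
THREATS = {
    "external-attacker": {"unpatched-dbms", "missing-waf", "weak-admin-password"},
    "device-theft": {"no-disk-encryption"},
    "flood": set(),  # physical threat with no software vulnerability to exploit
}
# Assumed 1-5 ratings, as an assessor would assign during the analysis step.
IMPACT = {"customer-db": 5, "public-web": 4, "hr-laptop": 3}
LIKELIHOOD = {"external-attacker": 4, "device-theft": 2, "flood": 1}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    score: int  # impact x likelihood (assumed scoring, not the article's)


def all_combinations() -> int:
    """Size of the unpruned asset x threat x vulnerability space, for comparison."""
    vulns = set().union(*ASSETS.values())
    return len(ASSETS) * len(THREATS) * len(vulns)


def map_risks() -> list:
    """Keep only feasible triples, ranked by score (highest first).

    A triple is a risk only if the vulnerability is present on the asset AND the
    threat can exploit it; all other combinations are dropped before analysis.
    """
    risks = []
    for (asset, present), (threat, exploitable) in product(ASSETS.items(), THREATS.items()):
        for vuln in sorted(present & exploitable):
            risks.append(Risk(asset, threat, vuln, IMPACT[asset] * LIKELIHOOD[threat]))
    return sorted(risks, key=lambda r: r.score, reverse=True)


if __name__ == "__main__":
    print(f"{all_combinations()} combinations reduced to {len(map_risks())} risks")
    for r in map_risks():
        print(f"{r.score:>3}  {r.asset:<12} {r.threat:<18} {r.vulnerability}")
```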