1. IT SECURITY MANAGEMENT AND
RISK ASSESSMENT
Mr. RAJASEKAR RAMALINGAM
Department of IT, College of Applied
Sciences, Sur.
Sultanate of Oman.
http://vrrsekar.wixsite.com/raja
Based on
William Stallings, Lawrie Brown,
Computer Security: Principles and
Practice, Third Edition
2. Content
10.1 Terminology
10.2 Security Risk Assessment
10.3 Detailed Risk Analysis Process
10.3.1 Asset Identification / System Characterizations
10.3.2 Threat Identification
10.3.3 Vulnerability Identification
10.3.4 Analyze Risks / Control Analysis
10.3.5 Likelihood Determination
10.3.6 Impact analysis / Consequence determination
10.3.7 Risk determination
10.3.8 Control Recommendation & Result Documentation
2ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
3. 3
10.1 Terminology
Asset: Anything that has value to the organization
Threat: A potential cause of an unwanted incident which may
result in harm to a system or organization.
Vulnerability: A Weakness in an asset or group of assets
which can be exploited by a threat.
Risk: The potential that a given threat will exploit
vulnerabilities of an asset or group of assets to cause loss or
damage to the assets.
ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
4. 4
10.2 SECURITY RISK ASSESSMENT
Critical component of process
Else may have vulnerabilities or waste money
Ideally examine every asset verses risk
Not feasible in practice
Choose one of possible alternatives based on orgs
resources and risk profile
Baseline
Informal
Formal
Combined
ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
5. 5
10.2.1 Baseline Approach
Use “industry best practice”
Easy, cheap, can be replicated
But gives no special consideration to org
May give too much or too little security
Implement safeguards against most common threats
Baseline recommendations and checklist documents
available from various bodies
Alone only suitable for small organizations
ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
7. 7
10.2.2 Informal Approach
Conduct informal, pragmatic risk analysis on organization’s IT
systems
Exploits knowledge and expertise of analyst
Fairly quick and cheap
Does address some org specific issues
Some risks may be incorrectly assessed
Skewed by analysts views, varies over time
Suitable for small to medium sized orgs
ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
8. 8
10.2.3 Detailed / Formal Risk Analysis
Most comprehensive alternative
Assess using formal structured process
With a number of stages
Identify likelihood of risk and consequences
Hence have confidence controls appropriate
Costly and slow, requires expert analysts
May be a legal requirement to use
Suitable for large organizations with IT systems
critical to their business objectives
ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
9. 9
10.2.4 Combined Approach
Combines elements of other approaches
Initial baseline on all systems
Informal analysis to identify critical risks
Formal assessment on these systems
Iterated and extended over time
Better use of time and money resources
Better security earlier that evolves
May miss some risks early
Recommended alternative for most orgs
ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
10. 10
10.3 Detailed Risk Analysis Process
ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
11. 11
10.3.1 Asset Identification / System Characterizations
Identify assets
“Anything which needs to be protected”
Of value to organization to meet its objectives
Tangible or intangible
In practice try to identify significant assets
Draw on expertise of people in relevant areas of
organization to identify key assets
Identify and interview such personnel
See checklists in various standards
ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
12. 12
10.3.2 Threat Identification
To identify threats or risks to assets ask
1. Who or what could cause it harm?
2. How could this occur?
Threats are anything that hinders or prevents an
asset providing appropriate levels of the key
security services:
Confidentiality, Integrity, Availability,
Accountability, Authenticity and Reliability
Assets may have multiple threats
ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
13. 13
10.3.2 a) Threat Sources
Threats may be
Natural “acts of god”
Man-made and either accidental or deliberate
Should consider human attackers:
Motivation
Capability
Resources
Probability of attack
Deterrence
Any previous history of attack on organization
ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
14. 14
10.3.3 Vulnerability Identification
Identify exploitable flaws or weaknesses in organization’s IT
systems or processes
Hence determine applicability and significance of threat to
organization
Note need combination of threat and vulnerability to create a
risk to an asset
Again can use lists of potential vulnerabilities in standards etc.
ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
15. 15
10.3.4 Analyze Risks / Control Analysis
Specify likelihood of occurrence of each identified threat
to asset given existing controls
Management, operational, technical processes and
procedures to reduce exposure of org to some risks
Specify consequence should threat occur
Hence derive overall risk rating for each threat
Risk = probability threat occurs x cost to organization
In practice very hard to determine exactly
Use qualitative not quantitative, ratings for each
Aim to order resulting risks in order to treat them
ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
16. 16
10.3.5 Likelihood Determination
Rating Likelihood
Description
Expanded Definition
1 Rare May occur in exceptional circumstances and may
deemed as “lucky” or very unlikely.
2 Unlikely Could occur at sometime but not expected given
current controls, circumstances and recent events.
3 Possible Might occur at sometime, but just as likely as not.
It may be difficult to control its occurrence due to
external influence
4 Likely Will probably occur in some circumstance and
one should not be surprised if it occurred.
5 Almost
Certain
Is expected to occur in most circumstances and
certainly sooner or later.
ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK
ASSESSMENT
17. 17
10.3.6 Impact analysis / Consequence determination
Rating Consequence Expanded Definition
1 Insignificant
Result of a minor security breach in a single area.
Impact is likely to last less than several days.
Require only minor expenditure to rectify.
2 Minor
Result of security breach in one or two areas.
Impact is likely to last less than a week.
Can be rectified within project or team resources.
3 Moderate
Limited systemic security breaches.
Impact is likely to last up to 2 weeks.
Requires management intervention.
4 Major
Ongoing systemic security breach.
Impact will likely last 4-8 weeks.
Requires significant management intervention and
resources.
Loss of business or organizational outcomes if possible.
ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
18. 18
Rating Consequence Expanded Definition
5 Catastrophic
Major Systemic security breach.
Impact will last for 3 months or more.
Senior Management will be required to intervene.
Compliance costs are expected to be very substantial.
Possible criminal or disciplinary action is likely.
6 Doomsday
Multiple instances of major systemic security breaches.
Impact duration cannot be determined.
Senior management will be required to place the company
under voluntary administration.
Criminal Proceedings against senior management is
expected.
Substantial loss of business and failure to meet company’s
objective.
ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
19. 19
10.3.7 Risk determination
• Once the likelihood and consequence of each specific threat
have been identified, a final level of risk can be assigned.
• This is typically determined using a table that maps these
values to a risk level, such as those shown in next Table.
• The below table details the risk level assigned to each
combination.
• Such a table provides the qualitative equivalent of
performing the ideal risk calculation using quantitative
values.
• It also indicates the interpretation of these assigned levels.
ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
20. 20
Consequences
Likelihood Dooms
day
Catastrophic Major Moderate Minor Insignificant
Almost
Certain
E E E E H H
Likely E E E H H M
Possible E E E H M L
Unlikely E E H M L L
Rare E H H M L L
ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
21. 21
Risk Level Description
Extreme (E) Require detailed research and management.
Planning at executive / director level.
Planning and Monitoring required.
High (H) Require management attention.
Planning at senior project or team leaders.
Planning and Monitoring required.
Medium (M) Can be managed by existing specific.
Monitoring and response procedures.
Management by employees.
Low (L) Can be managed through routing procedures.
ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
22. 22
10.3.8 Control Recommendation & Result Documentation
Asset Threat/
Vulnerability
Existing
Controls
Likelihood Consequence Level of
Risk
Risk
Priority
Internet Router Outside Hacker
attack
Admin
password only
Possible Moderate High 1
Destruction of Data
Center
Accidental Fire or
Flood
None (no
disaster
recovery plan)
Unlikely Major High 2
Document in Risk Register and Evaluate Risks
ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND
RISK ASSESSMENT
Notas do Editor
The results of the risk analysis process should be documented in a risk register. This should include a summary table such that shown in Table 16.5 from the text. The risks are usually sorted in decreasing order of level. This would be supported by details of how the various items were determined, including the rationale, justification, and supporting evidence used. The aim of this documentation is to provide senior management with the information they need to make appropriate decisions as how to best manage the identified risks. It also provides evidence that a formal risk assessment process has been followed if needed, and a record of decisions taken with their reasons.
Once the details of potentially significant risks are determined, management needs to decide whether it needs to take action in response. This would take into account the risk profile of the organization, and its willingness to accept a certain level of risk, as determined in the initial “Establishing the Context” phase of this process. Those items with risk levels below the acceptable level would usually be accepted with no further action required. Those items with risks above this will need to be considered for treatment. Typically the risks with the higher ratings are those that need most urgently action. However, it is likely that some risks will be easier, faster, and cheaper to action than others. In the example shown, both risks were rated High. Further investigation reveals that a relatively simple and cheap treatment exists for the first risk, by tightening the router configuration to further restrict possible accesses. Treating the second risk requires the development of a full disaster recovery plan, a much slower and more costly process. Hence management would take the simple action first, to improve the organization’s overall risk profile as quickly as possible.