Information Asset Management Part 3 – Identifying Threats to Assets
Steve Simpson CISSP
Identifying threats to Information Assets
Introduction
OK, so we have identified all the information assets within the organisation and have assigned impact values to those assets. What do we need to do now in order to bring the organisation to a level where it can perform a risk assessment on its valuable information assets? In order to assess risk we need to establish what threats are posing risks to our information assets.
What is a threat?
‘A threat is a scenario or event which, if it occurred, would result in the loss, damage or compromise of an asset.’
Identifying the threats
Like our previous stages, the identification of the threats to our assets is best achieved through a collaborative process including representatives of the different organisational departments and the asset owners. Each of these representatives is likely to have a clear idea of what they consider to be the greatest threat to their information assets. Each identified threat needs to be documented so that, at the end of the process, the nominator of each can be assured that their concerns are being addressed.
Types of threat
When establishing the threats to your information assets, the following types of threat need to be considered.
Technical threats – The use of technological means to circumvent established security. This group includes all the possible electronic attacks such as eavesdropping, hacking, virus/Trojan activity and misuse of computing facilities. Threats that fall into this grouping must be considered in both malicious and accidental form, for example:
o The accidental misconfiguration of system access rights could result in the compromise of sensitive information. Or:
o A system user deliberately copies business information to a thumb drive for use after leaving the organisation.
Personnel threats – Persons internal or external to the organisation posing a threat to information assets. This group of threats includes disgruntled employees, site visitors and social engineering attacks. Also include the threat of losing personnel who are key to the running of the business. Again, we need to look at both the malicious and accidental possibilities of this type of threat. Do not forget to consider those indispensable persons that we highlighted during our ‘identifying assets’ stage as having valuable information assets in their heads. The threat of the organisation losing one of these persons, by whatever means, needs to be considered in order for a risk mitigation strategy to be established.
Page 2 of 6 Steve Simpson – Principal Consultant Infosec Plus Consulting
Natural threats – Natural occurrences that pose a threat to information assets. Earthquakes, floods, fire and lightning strikes can all be a threat to information assets. It is very worthwhile involving the individual or team responsible within your organisation for business continuity and disaster recovery, as they will already have documented some specific threats to your organisation, such as natural disasters and localised external threats. With natural threats it is not necessary to consider a malicious form.
The goal of this stage in the process is to have a documented list of, ideally, no more than around 20 threat scenarios. Between them, these scenarios should cover the concerns of all of the asset owners and departmental representatives. Achieving a list this short requires grouping all concerns into generic threats. For example:
Concerns that data could be removed using a removable DVD writer, and concerns that information could be copied to a USB flash drive for removal, can (if agreed by all parties) be grouped into a threat such as: ‘The deliberate removal of information assets via removable media means.’
Or
Concerns that users may take it upon themselves to upgrade the software on their terminals without approval or without the vulnerabilities of that software having been assessed, and concerns that users could download and install additional utility software or even games from outside the organisation on to their terminals, can be grouped into a threat such as: ‘The introduction or substitution of unauthorised software.’
By repeating this process, it should be possible to establish the necessary list of identified threats.
Additional threats
In addition to the standard threats and the concerns of the members of the different departments, it is important to gain a holistic view of the system. There is a need to mentally step out of the organisation and attempt to visualise it from above, as if it were a two-dimensional object. Examine where information comes into or leaves the organisation, and what processes the information follows. This is where it is really useful to have a good security consultant on call; from an independent viewpoint the consultant can identify threats that may not have been obvious to those within the organisation.
Preparation for risk assessment
For the final stage of preparation before the security risk assessment can take place, your security consultant needs to establish the potential attack groups for the threats and match the threats to the asset groups. Then, with the impact levels already established during the second stage of this piece of work, the likelihood of each threat being realised can be assessed and used to perform a quantitative calculation of the risk posed to each asset group. The entire risk assessment process needs to be documented and retained for future reference. The resulting documentation will provide CIOs and risk owners with the details they need to make an informed judgement on whether a risk is acceptable or whether further mitigation needs to be employed.
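To make the grouping and risk-calculation steps above concrete, here is an added worked example (not from the original paper or from Infosec Plus) that groups constructed departmental concerns into the two generic threats quoted earlier, checks that no nominated concern has been left unaddressed, and scores each asset group as impact x likelihood; the 1 to 5 scales, the attack-group labels and the acceptance threshold are all assumptions, not figures from the paper.

```python
from dataclasses import dataclass

@dataclass
class Threat:
    name: str            # generic threat scenario, as agreed by all parties
    concerns: list       # raw departmental concerns grouped under it
    attack_groups: list  # who could realise it (assumed labels)
    likelihood: int      # assessed likelihood, assumed 1..5 scale
    asset_groups: list   # asset groups the threat is matched to

# Impact values per asset group from the valuation stage (constructed, 1..5).
IMPACT = {"customer records": 5, "financial data": 4, "marketing material": 2}

# Concerns raised by departmental representatives (constructed sample).
RAISED = ["copy to USB flash drive", "burn to DVD", "unapproved software upgrade",
          "games installed from the internet", "loss of the only payroll administrator"]

THREATS = [
    Threat("Deliberate removal of information assets via removable media",
           ["copy to USB flash drive", "burn to DVD"], ["insider"], 3,
           ["customer records", "financial data"]),
    Threat("Introduction or substitution of unauthorised software",
           ["unapproved software upgrade", "games installed from the internet"],
           ["insider", "external"], 4, list(IMPACT)),
]

def uncovered_concerns(raised, threats):
    """Concerns no generic threat accounts for; their nominators cannot yet be assured."""
    covered = {c for t in threats for c in t.concerns}
    return [c for c in raised if c not in covered]

def risk_register(threats, impact):
    """Quantitative score per (asset group, threat): impact x likelihood."""
    return {(a, t.name): impact[a] * t.likelihood
            for t in threats for a in t.asset_groups}

def needs_mitigation(register, threshold=12):
    """Entries above the (assumed) acceptance threshold, highest risk first."""
    return sorted(((s, a, t) for (a, t), s in register.items() if s > threshold),
                  reverse=True)

if __name__ == "__main__":
    print("Unaddressed concerns:", uncovered_concerns(RAISED, THREATS))
    for score, asset, threat in needs_mitigation(risk_register(THREATS, IMPACT)):
        print(f"{score:>3}  {asset:<20} {threat}")
```

Running it reports the personnel concern that no generic threat yet covers, which is exactly the gap the "loss of key personnel" threat in the previous section would close.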
Conclusion
Throughout the three sections of this document set, you have established the extent and quantity of the information assets that you have a responsibility to protect. You have been able to assess the value of the information and, where necessary, developed a labelling taxonomy to easily identify information assets of a similar value. Finally, in this document, we have identified the threats that put our assets at risk. As an organisation you now have much more control over the information assets you own and those on loan to you. The risk assessment process that follows will allow you to implement the precise controls needed to maintain the confidentiality, integrity and availability of that information. Because the risk assessment is so well informed, the targeting of controls can be specific and will therefore be the most cost effective possible for your organisation.
Based in Perth, Western Australia, Infosec Plus Consulting is able to provide tailored, vendor-neutral information security business advisory services. Services include:
Data Loss Assessments – Data loss is a serious concern for all organisations. Many organisations each year never manage to recover from a security breach. Infosec Plus can provide you with assurance through a holistic review of your business policies, processes and procedures to establish where you may be susceptible to data loss, allowing you to assess the risks and apply targeted risk mitigation controls.
Holistic Security Review – A holistic review of your organisation’s information security, including technology, procedural, physical and personnel security measures.
Risk Assessment/Management – Assessing the risk from specific threats will give you the ability to apply the most efficient and cost effective security measures. The introduction of a risk management program can considerably reduce operational costs.
PCI Compliance Review – All organisations that store, process or transmit credit card information must comply with the Payment Card Industry Data Security Standard (PCI-DSS). Infosec Plus can guide you through this process and provide you with the information you need to gain and maintain compliance with this exacting standard.
Security Awareness – The single most effective way to reduce data loss and increase the security standing of your organisation is through the introduction of a security awareness program. Infosec Plus can guide you through the development of an awareness program and can provide one to one or one to many training sessions to get the security message across.
Network Access Control – All organisations need to protect their valuable business and personal data while meeting the ever increasing need for system interconnectivity. Infosec Plus can guide you through the process of developing a Network Access Control policy that will allow day-to-day business to continue in the safest possible manner.
Project Augmentation – If you are running or planning a project that needs to include security representation, Infosec Plus can provide a consultant to join your team, providing expert security advice to ensure that the project delivers the security that your business information assets require.