Article Title: The underdog of security implementation
------------------------------------------------------------
BANGALORE, INDIA: Information Security Risk Assessment (IS-RA) is identified as the first step for effective security implementation, be it an Information Security Management System as per ISO 27001 or NIST SP 800-30, the OECD Guidelines on Network Security, or the implementation of advanced security models like the Security Process Maturity Model (SPMM).

IS-RA can be defined as a structured approach for identifying, measuring and analyzing security risks, an essential approach for implementing any information security management framework in an organization. "Identifying" includes the process of identifying the critical assets and their threats; "measuring" includes the process of prioritizing the risks based on the impact of the possible outcome and the probability of that event (generally into High/Medium/Low); and "analyzing" includes the strategy for prioritizing risks so that resources are optimally used.

Impact = Threat × Vulnerability
Risk = Impact of outcome × Probability of event of occurrence

Some challenges during conducting a Risk Assessment:

Identification of Critical Assets
Most security implementers would agree that the biggest challenge of risk assessment is identifying assets conclusively. The danger of identifying too many assets is that mitigating them would consume too many resources with no return on investment. Worse still is not identifying a critical asset at all, which would in the end be left unprotected.
The other challenge in identifying critical assets is the process you employ for the identification itself. This involves identifying the right people who should be involved, the standard approach that forms the basis of their identification, and the people inside the organization who are able to finalize it. It should not end up with each department head listing everything from their mouse to their keyboard as an asset, and the CISO consolidating these into a list running into thousands of assets. This would make the asset list so lengthy that it is not only impossible to maintain but also serves no purpose.
http://www.ciol.com/cgi-bin/printernew.asp?id=99399
04-Dec-07
Identification of all threats
The other challenge is that there are so many sources and outcomes of threats. Ensuring that all threats are understood threadbare and identified is a challenging task.
Measurement of Risks
The common problem organizations face is how to ensure uniform and scientific measurement of risks in terms of High, Medium or Low.
Who decides what is low or high? A risk that one person rates as high can be considered medium or low by another. So how do you ensure uniformity of assessment, so that people do not end up questioning the entire fundamentals of your results? If you are a security implementer, you could also be complaining about the length of time you are taking, as the project has got into a loop, which is quite common, making its results obsolete in a changing business environment. You could also be asking how to keep technology vulnerabilities in the context of enterprise security risk assessments. The list of challenges just goes on.
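One practical answer to "who decides what is low or high" is to write the scale down once and let a small program apply it, so every assessor scores against the same anchors and the High/Medium/Low band falls out of the numbers rather than out of opinion. The script below is an added example, not code from the article or from any of the tools it names; it applies the article's two formulas (Impact = Threat × Vulnerability, Risk = Impact × Probability) to a constructed asset register. The three-point scale, the band cut-offs (12 and 4) and the sample assets are all assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Three-point ordinal scale for each input. The anchors are an assumption made
# for this example; the article gives no numeric scale. The point is that the
# anchors are written down once and every assessor scores against them.
SCALE = {
    1: "Low: minor, localized effect",
    2: "Medium: significant effect on one business function",
    3: "High: severe effect across the organization",
}

# Band cut-offs on the resulting Risk score (range 1..27). Also an assumption.
HIGH_THRESHOLD = 12
MEDIUM_THRESHOLD = 4


@dataclass(frozen=True)
class AssetRisk:
    asset: str
    threat: int
    vulnerability: int
    probability: int
    impact: int   # Threat x Vulnerability
    risk: int     # Impact x Probability
    band: str     # High / Medium / Low


def _check_scale(name: str, value: int) -> int:
    """Reject scores outside the agreed scale so nobody can invent a '5'."""
    if value not in SCALE:
        raise ValueError(f"{name} must be one of {sorted(SCALE)}, got {value!r}")
    return value


def band_for(risk: int) -> str:
    """Map a numeric Risk score onto the High/Medium/Low bands."""
    if risk >= HIGH_THRESHOLD:
        return "High"
    if risk >= MEDIUM_THRESHOLD:
        return "Medium"
    return "Low"


def assess(asset: str, threat: int, vulnerability: int, probability: int) -> AssetRisk:
    """Apply the article's two formulas to one asset and band the result."""
    threat = _check_scale("threat", threat)
    vulnerability = _check_scale("vulnerability", vulnerability)
    probability = _check_scale("probability", probability)
    impact = threat * vulnerability      # Impact = Threat x Vulnerability
    risk = impact * probability          # Risk = Impact x Probability
    return AssetRisk(asset, threat, vulnerability, probability, impact, risk, band_for(risk))


def prioritise(register: list[AssetRisk]) -> list[AssetRisk]:
    """Order by Risk, highest first, so mitigation effort goes where it matters."""
    return sorted(register, key=lambda r: (-r.risk, r.asset))


# Constructed sample register: (asset, threat, vulnerability, probability).
SAMPLE_REGISTER = [
    ("Office printer", 1, 1, 2),
    ("Staff laptop", 2, 2, 2),
    ("Customer database", 3, 3, 3),
    ("Public web server", 3, 2, 2),
]


def build_register() -> list[AssetRisk]:
    """Score every sample asset and return the register in priority order."""
    return prioritise([assess(*row) for row in SAMPLE_REGISTER])


if __name__ == "__main__":
    print(f"{'Asset':<20}{'T':>3}{'V':>3}{'P':>3}{'Impact':>8}{'Risk':>6}  Band")
    for r in build_register():
        print(f"{r.asset:<20}{r.threat:>3}{r.vulnerability:>3}{r.probability:>3}"
              f"{r.impact:>8}{r.risk:>6}  {r.band}")
```

Two design points matter more than the arithmetic. First, the scale is rejected at input time, so a rating that is not on the agreed scale never reaches the register; this is what keeps two assessors' results comparable. Second, the band is derived from the score, never typed in by hand, so a dispute about whether something is "High" becomes a dispute about one of three documented inputs, which is far easier to settle.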
In my experience, I have seen organizations follow the approach of assets being identified by department managers who have not been given any idea of how assets should be identified. These lists are finally consolidated in an Excel sheet running into multiple sheets with the number of assets running into thousands. Such risk assessments are what I term 'ad hoc security'. This ends up identifying unimportant assets and making the task of maintaining your assets daunting for your security representative. So the solution lies in following a structured risk assessment approach like OCTAVE (Operationally Critical Threat Asset Vulnerability Approach) or NIST SP 800-30 or any other equivalent methodology. The OCTAVE approach is from the Software Engineering Institute, Carnegie Mellon University, and is one of the most scientific and easily implementable approaches. Some organizations also implement tools like SMART (Security Management and Risk Assessment Tool) for their security implementation. SMART follows the OCTAVE Criteria and is a multi-compliance tool enabling compliance with ISO 27001, PCI-DSS, GLBA, HIPAA, FIDS, etc.

A structured risk assessment methodology helps organizations avoid the learning curve and makes implementations faster and more effective. Tools such as SMART help make your implementation quicker and more efficient: effective because the methodology ensures that you follow the right process, and efficient because it saves your precious time in documentation and management of all artifacts during the risk assessment. Both SMART and CRAMM help organizations implement ISO 27001. However, SMART goes a step ahead by being a multi-compliance tool enabling organizations to manage all security compliance standards.

To conclude, a risk assessment should not only be a document giving deep insight into your risks; it should determine the level of controls required to mitigate them. Hence it should be purposeful and not merely a document created for certification purposes.

The author is Chief Consultant at the global security audit firm SISA Information Security and holds CISA, CISSP, OCTAVE Trainer/Advisor and CEH certifications. He can be reached on [email protected]
------------------------------------------------------------
Copyright (c) 2007 CyberMedia India Online Ltd. All rights reserved.