Simple Security Risk Assessment

Thursday, July 1, 2010 @ 04:07 PM gHale

When it comes to security, sometimes it is all about understanding the risk and how well you manage it. With botnets, malware, worms and hacking just a few of the threat vectors facing security professionals on a daily basis, every company should have a strategy written down and in place.
Too many organizations either suffer from a “security paralysis,” in which it is impossible to prioritize areas for remediation with their limited resources, or attempt to apply a few “best practices” in the hope that what worked for another organization will work for them. Neither of these approaches is a rational strategy for protecting information assets or maximizing the value returned from investments in security.
Technology products and services provider CDW offers organizations five steps to develop a solid foundation for the organization’s security strategy.
These steps offer simple guidance on getting started. Organizations should also invest the time and effort into developing meaningful results, as well as understanding any existing risk assessment requirements.
The first step is to bring together decision makers from across the organization. A group of five to seven people works best, but the goal is to have all departments represented.
• Identify information assets. Consider the primary types of information the organization handles, and make a priority list of what the company needs to protect. Plan to spend no more than one to two hours on this step.
• Locate information assets. Identify and list where each item on the information asset list resides within the organization.
• Classify information assets. Assign a rating to your information asset list. Consider a 1-5 scale, with the following categories:
1 – Public information (marketing campaigns, contact information, finalized financial reports)
2 – Internal, but not secret, information (phone lists, organizational charts, office policies)
3 – Sensitive internal information (business plans, strategic initiatives, items subject to non-disclosure agreements)
4 – Compartmentalized internal information (compensation information, merger and acquisition plans, layoff plans)
5 – Regulated information (patient data, classified information)
This classification scheme enables the organization to rank information assets based on the amount of harm caused if the information became public or changed. The team should strive to be realistic here, and aim for consensus.
• Conduct a threat modeling exercise. Rate the threats that top-rated information assets face. One option is to use Microsoft’s STRIDE method, which is simple, clear, and covers most of the top threats. Develop a spreadsheet for each asset, listing the STRIDE categories on the X axis:
Spoofing of Identity
Tampering with Data
Repudiation of Transactions
Information Disclosure
Denial of Service
Elevation of Privilege
On the Y axis, list the data locations identified in Step 2. For each cell, make estimates of the following:
1. The probability of this threat actually happening against this asset at the location in question.
2. The impact that a successful exploitation of a weakness would have on the organization.
Use a 1-10 scale for each of the above (1 is “not very likely” or “this would not have a large impact,” 10 is “quite probable” or “catastrophic”). Then multiply those two numbers together and fill them into the cells. The spreadsheet should end up with numbers from 1 to 100. This activity will likely take a full day for smaller organizations and several days for larger ones.
• Finalize data and start planning. Multiply all the cells in each of the worksheets by the classification rating assigned to the asset in Step 3. The result is a rational and comprehensive ranking of threats to the organization. It includes both the importance of the assets at stake and a broad spectrum of possible contingencies. A reasonable security plan will start tackling the risks identified with the highest numbers.
Organizations will set thresholds as follows:
1-250: Will not focus on threats at this level
250-350: Will focus on these threats as time and budget allow
350-450: Will address these threats by the end of the next budget year
450-500: Will focus immediate attention on these threats
These thresholds are just examples, and in practice, the results will likely skew either toward the top or bottom of the scale, so organizations should adjust responses accordingly. The goal of the risk assessment exercise is to lay a foundation for sensible security planning. Going through a risk assessment exercise alone will not actually fix security problems; the real work – building protective, risk-reducing solutions – still lies ahead.
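The scoring described in Steps 3 through 5 (classification rating, a STRIDE-by-location worksheet of probability times impact, the product of the two, and the response thresholds) is small enough to work through in code. The following is an added example written for this page, not a CDW tool or spreadsheet; the asset names, locations and estimates are constructed sample data, and the treatment of boundary scores (250, 350, 450 start the higher band) is an assumption the article does not settle.

```python
"""Worksheet scoring for the five-step assessment (added example, not CDW's)."""
from typing import Dict, List, Tuple

# The six STRIDE categories from Step 4, used as the worksheet's X axis.
STRIDE = (
    "Spoofing of Identity",
    "Tampering with Data",
    "Repudiation of Transactions",
    "Information Disclosure",
    "Denial of Service",
    "Elevation of Privilege",
)

# Response thresholds from Step 5. Assumption: a boundary value (250, 350,
# 450) belongs to the higher band; the article does not say.
BANDS = (
    (450, "450-500: immediate attention"),
    (350, "350-450: address by end of next budget year"),
    (250, "250-350: address as time and budget allow"),
    (0, "1-250: not a focus"),
)

# One worksheet per asset: location (Y axis) -> STRIDE threat -> (probability, impact).
Worksheet = Dict[str, Dict[str, Tuple[int, int]]]


def _check_scale(value: int, lo: int, hi: int, name: str) -> None:
    """Reject estimates outside the 1-10 (or 1-5) scales the method prescribes."""
    if not lo <= value <= hi:
        raise ValueError(f"{name} must be {lo}-{hi}, got {value}")


def score_threat(probability: int, impact: int, classification: int) -> int:
    """Step 4 cell (probability x impact, 1-100) times the Step 3 rating (1-5)."""
    _check_scale(probability, 1, 10, "probability")
    _check_scale(impact, 1, 10, "impact")
    _check_scale(classification, 1, 5, "classification")
    return probability * impact * classification


def priority_band(score: int) -> str:
    """Map a final 1-500 score onto the article's response thresholds."""
    for floor, label in BANDS:
        if score >= floor:
            return label
    raise ValueError(f"score must be positive, got {score}")


def score_worksheet(classification: int, worksheet: Worksheet) -> Dict[str, Dict[str, int]]:
    """Step 5: multiply every cell of one asset's worksheet by its classification."""
    scored: Dict[str, Dict[str, int]] = {}
    for location, cells in worksheet.items():
        missing = [t for t in STRIDE if t not in cells]
        if missing:  # every STRIDE column must have an estimate for every location
            raise ValueError(f"{location}: no estimate for {missing}")
        scored[location] = {t: score_threat(*cells[t], classification) for t in STRIDE}
    return scored


def rank_risks(assets: Dict[str, dict]) -> List[Tuple[int, str, str, str]]:
    """Flatten all worksheets into (score, asset, location, threat), highest first."""
    rows: List[Tuple[int, str, str, str]] = []
    for name, asset in assets.items():
        scored = score_worksheet(asset["classification"], asset["locations"])
        for location, threats in scored.items():
            for threat, score in threats.items():
                rows.append((score, name, location, threat))
    rows.sort(key=lambda r: (-r[0], r[1], r[2], r[3]))
    return rows


# Constructed sample data: two assets, estimates are illustrative only.
SAMPLE_ASSETS = {
    "patient records": {  # Step 3 rating 5: regulated information
        "classification": 5,
        "locations": {
            "EHR database": {
                "Spoofing of Identity": (4, 9), "Tampering with Data": (3, 9),
                "Repudiation of Transactions": (2, 5), "Information Disclosure": (9, 10),
                "Denial of Service": (5, 7), "Elevation of Privilege": (6, 9),
            },
            "backup tapes": {
                "Spoofing of Identity": (1, 3), "Tampering with Data": (2, 6),
                "Repudiation of Transactions": (1, 2), "Information Disclosure": (8, 10),
                "Denial of Service": (2, 4), "Elevation of Privilege": (1, 5),
            },
        },
    },
    "phone list": {  # Step 3 rating 2: internal but not secret
        "classification": 2,
        "locations": {
            "intranet wiki": {
                "Spoofing of Identity": (3, 2), "Tampering with Data": (4, 3),
                "Repudiation of Transactions": (1, 1), "Information Disclosure": (8, 3),
                "Denial of Service": (3, 2), "Elevation of Privilege": (2, 4),
            },
        },
    },
}

if __name__ == "__main__":
    for score, asset, location, threat in rank_risks(SAMPLE_ASSETS):
        print(f"{score:4d}  {asset:16s} {location:14s} {threat:28s} {priority_band(score)}")
```

Run as a script it prints the ranked table; the top rows are the disclosure threats to the regulated asset, and everything on the phone list lands in the 1-250 band, which is the skew toward one end of the scale the article warns about.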
