Article Title: The underdog of security implementation
BANGALORE, INDIA: Information Security Risk Assessment (IS-RA) is identified as the first step for effective security implementation, be it an Information Security Management System as per ISO 27001 or NIST SP 800-30, the OECD Guidelines on Network Security, or the implementation of advanced security models like the Security Process Maturity Model (SPMM).

IS-RA can be defined as a structured approach for identifying, measuring and analyzing security risks, an essential approach to implementing any information security management framework in an organization.
“Identifying” covers the process of identifying the critical assets and their threats; “measuring” covers prioritizing the risks based on the impact of the possible outcome and the probability of that event (generally into High/Medium/Low); and “analyzing” covers the strategy for prioritizing risks so that resources are used optimally.

Impact = Threat × Vulnerability
Risk = Impact of outcome × Probability of event of occurrence
Some challenges in conducting a Risk Assessment:

Identification of Critical Assets

Most security implementers would agree that the biggest challenge of risk assessment is identifying assets in a conclusive manner. The danger of identifying too many assets is that it would consume too many resources in mitigation with no return on investment. The worst is not identifying a critical asset itself, which would, in the end, be left

The other challenge in identification of critical assets is the process that you would employ for the identification itself. This process involves identifying the right people who should be involved in the identification, the standard approach that forms the basis of their identification, and the people inside the organization who should be able to finalize the same. It should not end up with each department head listing assets ranging from their mouse to their keyboard, and the CISO consolidating these into a list running into thousands of assets. This would make the asset list lengthy, not only impossible to maintain but also non-purposeful.
Identification of all threats

The other challenge is that there are so many sources and outcomes of threats. Ensuring that all threats are understood threadbare and identified is a challenging task.

Measurement of Risks

The common problem faced by organizations is how to ensure a uniform and scientific measurement of risks in terms of high, medium or low. Who decides what is low or high? A risk which one person rates high can be considered medium or low by another. So how do you ensure uniformity of assessments, so that people do not end up questioning the entire fundamentals of your results?
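As an added worked example (not part of the original article), the following Python script applies the two formulas stated earlier, Impact = Threat × Vulnerability and Risk = Impact × Probability, on fixed ordinal scales and maps the numeric result onto High/Medium/Low using published thresholds, so that two assessors scoring the same asset land in the same band. The 1–3 scale values, the band thresholds and the sample asset register are assumptions constructed for this example; the article prescribes none of them.

```python
"""Risk scoring on a fixed rubric (added example; not the article's own code).

    Impact = Threat x Vulnerability
    Risk   = Impact x Probability

Scale values, thresholds and sample assets below are assumptions
constructed for the example.
"""
from dataclasses import dataclass

# Ordinal 1..3 scale. Assumed for the example; the article only says
# ratings are "generally" High/Medium/Low.
SCALE = {"low": 1, "medium": 2, "high": 3}


def valid_rating(value: str) -> bool:
    """True if the rating is one of the rubric's fixed words."""
    return value.strip().lower() in SCALE


def rating(value: str) -> int:
    """Convert a rating word to its scale value; reject free text so that
    an assessor cannot invent a level ("critical", "ish") at scoring time."""
    if not valid_rating(value):
        raise ValueError(f"rating must be one of {sorted(SCALE)}, got {value!r}")
    return SCALE[value.strip().lower()]


@dataclass(frozen=True)
class Asset:
    name: str
    threat: str         # threat level against this asset (low/medium/high)
    vulnerability: str  # how exposed the asset is (low/medium/high)
    probability: str    # probability the event occurs (low/medium/high)


def impact(threat: str, vulnerability: str) -> int:
    """Impact = Threat x Vulnerability, range 1..9."""
    return rating(threat) * rating(vulnerability)


def risk_score(asset: Asset) -> int:
    """Risk = Impact x Probability, range 1..27."""
    return impact(asset.threat, asset.vulnerability) * rating(asset.probability)


def risk_band(score: int) -> str:
    """Map the numeric score to High/Medium/Low with fixed thresholds
    (assumed values), so the band is not a matter of opinion."""
    if score >= 12:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def assess(assets):
    """Score every asset and return (name, score, band) sorted from highest
    to lowest risk: the prioritisation the article calls 'analyzing'."""
    rows = []
    for asset in assets:
        score = risk_score(asset)
        rows.append((asset.name, score, risk_band(score)))
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows


# Constructed sample register; not real assets.
SAMPLE_ASSETS = [
    Asset("customer-db", threat="high", vulnerability="medium", probability="high"),
    Asset("hr-fileshare", threat="medium", vulnerability="medium", probability="medium"),
    Asset("lobby-kiosk", threat="low", vulnerability="high", probability="low"),
    Asset("desk-mouse", threat="low", vulnerability="low", probability="low"),
]

if __name__ == "__main__":
    for name, score, band in assess(SAMPLE_ASSETS):
        print(f"{name:14s} score={score:2d} {band}")
```

Free-text ratings are rejected rather than interpreted, which is the point: uniformity comes from fixing the rubric before anyone scores an asset, not from the assessor's judgement during scoring. Running the script prints the register sorted from highest to lowest risk, with the keyboard-and-mouse class of asset landing at the bottom.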
If you are a security implementer, you could also be complaining about the length of time that you are taking, as the project has got into a loop, which is quite common, and hence its results become obsolete with changing

You could also be complaining about how to keep technology vulnerabilities in the context of enterprise security risk assessments. The list of challenges just goes on.
In my experience, I have seen organizations follow the approach of assets being identified by department managers who have not been given any idea of how assets should be identified. These lists are finally consolidated in an Excel workbook running into multiple sheets, with the number of assets running into thousands.

Such risk assessments are what I term ‘ad hoc security’. This ends up identifying unimportant assets and making the task of maintaining your assets daunting for your security representative. So the solution lies in following a structured risk assessment approach like OCTAVE (Operationally Critical Threat Asset Vulnerability Approach) or NIST SP 800-30 or any other

The OCTAVE approach is by the Software Engineering Institute, Carnegie Mellon University, and is one of the most scientific and easily implementable
Some organizations also implement tools like SMART (Security Management and Risk Assessment Tool) for their security implementation. SMART follows the OCTAVE criteria and is a multi-compliance tool enabling compliance with ISO 27001, PCI-DSS, GLBA, HIPAA, FIDS, etc.

A structured risk assessment methodology helps organizations avoid the learning curve and makes implementations faster and more effective. Tools such as SMART help make your implementation quicker and more efficient: effective because the methodology ensures that you follow the right process, and efficient because it saves your precious time in documenting and managing all artifacts during the risk assessment. Both SMART and CRAMM help organizations implement ISO 27001. However, SMART goes a step ahead by being a multi-compliance tool, enabling organizations to manage all their security compliance standards.
To conclude, a risk assessment should not only be a document giving deep insight into your risks; it should determine the level of controls required for mitigating them. Hence it should be purposeful and not merely a document created for certification purposes.
The author is Chief Consultant at the global security audit firm SISA Information Security, holding CISA, CISSP, OCTAVE Trainer/Advisor and CEH certifications. He can be reached at email@example.com
Copyright (c) 2007 CyberMedia India Online Ltd. All rights reserved.