IT Risk Assessment Process and Methodology

2 of 24
Half seaman, half geek, sometimes musician, partial comedian, probably not a politician,
virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist.
haris.slash@gmail.com
http://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:07

3 of 24
Introduction
Abstract

4 of 24
Introduction
Abstract

5 of 24
Introduction
Objective
 To ensure that IT related risks are
identified, analyzed and presented in order
to ensure information security for the
organization.
 To identify measures or controls to be
taken to mitigate the risk to an acceptable
level.
1
2
3
4

6 of 24

7 of 24
RiskManagement
Generic Approach

8 of 24
RiskManagement
Generic Process
Risk Decision Point 2
Treatment satisfactory
Assessmentsatisfactory
Context Establishment
Reduction Retention Avoidance Transfer
RiskMonitoringandReview
RiskAssessment
Risk
Treatment
Reference: ISO/IEC 27005
Risk Acceptance
RiskCommunication
Risk Evaluation
Risk Estimation
Risk Identification
RiskAnalysis
Yes
No
Yes
No

9 of 24

10 of 24
RiskAssessment
Methodology

11 of 24
Likelihood
The goal is to identify the potential threat-sources and develop a list of system
vulnerabilities that could be exploited by the potential threat-sources.
RiskAssessment
Likelihood Description Score
Rare Rarely happen or very unlikely to happen 1
Unlikely Not seen within last 5 years or unlikely to happen 2
Moderate Seen within last 5 years but not within last year or likely to happen 3
Likely Seen within last year or very likely to happen 4
Most likely Happens on a regular basis or most likely to happen 5

12 of 24
Impact Level and Scoring – Mission Critical Scenario
The goal is to measure level of risk and determine the adverse impact resulting from a successful
threat exercise of a vulnerability.
RiskAssessment
Impact Level Description Score
Insignificant
Impact that would not cause any exposure of information, any effects to national security, any injury,
any unauthorized entry, any asset loss, or no system or operation disruption.
1
Minor
Impact that would cause exposure of Restricted information, “undesirable effects” to national security,
less than minor injury, undetected or delay in the detection of unauthorized entry with no asset loss or
access to sensitive materials, or no system or operation disruption.
2
Major
Impact that would cause exposure of Confidential information, “damage” or be “prejudicial” to national
security, or harmful to national interest, national reputation, Government activities or to individual, or
cause embarrassment or difficulty to administration, or give benefits to foreign powers, bringing limited
financial losses to the Organization, minor injury not requiring hospitalization, undetected or delay in the
detection of unauthorized entry resulting in limited access to assets or sensitive materials, or no mission
impairment, or minor system and operation disruption.
3
Material
Impact that would cause exposure of Secret information, “serious damage” to national security, interest
and reputation, give great benefits to foreign powers, bringing significant financial losses to the
Organization, severe injury to human resources, loss of valuable asset resulting from undetected or
unauthorized access, unacceptable mission delays, or unacceptable system and operation disruption.
4
Catastrophic
Impact that would cause exposure of Top Secret information, “exceptionally grave damage” to national
security, bringing physical or financial losses to the Organization, loss of life, loss of critical assets,
significant impairment of mission over extended period of time, or catastrophic or widespread loss of
systems services.
5

13 of 24
Risk Matrix and Impact Level
RiskAssessment
 Low risk
 No mitigation required
 Action must be taken to maintain the risk
level and implemented in long-term plan
 Critical risk, immediate action required
 Risk mitigation is required to lower the risk to an
acceptable level
 Action must be taken ASAP
 High risk, management attention needed.
 Risk mitigation is required to lower the risk to an
acceptable level
 Implementation plan must be developed and
included in short-term plan
 Medium risk
 Risk mitigation may required to maintain or
reduce the risk level
 Implementation plan must be developed and
included in mid-term plan

14 of 24
RiskAssessment
Risk Treatment Process
Risk Assessment Results
Reduction Retention Avoidance Transfer
Risk Treatment Options
Satisfactory
Assessment
Residual Risk
Satisfactory
Treatment
RiskTreatment

15 of 24
RiskAssessment
Risk Treatment Process – continue
Risk reduction involves approaches that reduce the probability of the vulnerability being
triggered or reduce the impact when the vulnerability is triggered. Reducing a risk most often
involves putting in place controls.
Reduce
Risk retention means accepting the loss when it occurs. Risk retention is a viable strategy for
small-impact risks where the cost of insuring against the risk would be greater over time than
the total losses sustained. Plans should be put in place to manage the consequences of these
risks if they should occur, including identifying a means of financing the risk. Risks can also be
retained by default, i.e. when there is a failure to identify and/or appropriately transfer or
otherwise treat risks.
Retain
Risk avoidance means simply not performing the activity that carries the risk. Risk avoidance
can occur inappropriately if individuals or organizations are unnecessarily risk-averse.
Inappropriate risk avoidance may increase the significance of other risks or may lead to the
loss of opportunities for gain.
Avoidance
Risk transfer means passing the risk on to another party that is willing to accept the risk,
typically by contract, partnership and/or joint ventures. Insurance is an example of risk
transfer using contracts. The transfer of a risk to other parties, or physical transfer to other
places, will reduce the risk for the original organization, but may not diminish the overall level
of risk to society. Where risks are transferred in whole or in part, the organization transferring
the risk has acquired a new risk, in that the organization to which the risk has been
transferred, may not manage the risk effectively.
Transfer

16 of 24
RiskAssessment
Risk Acceptance
Risk acceptance can be defined as the decision and approval by high
authority party to accept the remaining risk after the treatment process is
concluded. Once accepted, residual risks are considered as risks that the
high authority party knowingly takes. The level and extent of accepted risks
comprise one of the major parameters of the Risk Management process. In
other words, the higher the accepted residual risks, the less the work
involved in managing risks (and inversely).
Assess Treatment Options Develop Treatment Plan Implementation Plan
A number of options may be considered
and applied either individually or in
combination. Selection of the most
appropriate option involves balancing the
cost of implementing each option against
the benefits derived from it. In general,
the cost of managing risks needs to be
commensurate with the benefits obtained.
Plans should document how the chosen
options shall be implemented. The
treatment plan should identify
responsibilities, schedules, expected
outcome of treatments, budgeting,
performance measures and the review
process to be set in place.
Implementation treatment plan should
document how the chosen options shall
be implemented and approve by the
management and/or project sponsors.

17 of 24
RiskAssessment
Risk Communication
Perceptions of risk can vary due to differences in assumptions, concepts and the needs, issues
and concerns of stakeholders as they relate to risk or the issues under discussion.
Risk communication should be carried out in order to achieve the following:
 To provide assurance of the outcome of the organization's risk management.
 To collect risk information.
 To share the results from the risk assessment and present the risk treatment plan.
 To avoid or reduce both occurrence and consequence of information security breaches due to the
lack of mutual understanding among decision makers and stakeholders.
 To support decision-making.
 To obtain new information security knowledge.
 To co-ordinate with other parties and plan responses to reduce consequences of any incident.
 To give decision makers and stakeholders a sense of responsibility about risks.
 To improve awareness.

18 of 24
RiskAssessment
Risk Communication
Risks are not static. Threats, vulnerabilities, likelihood or consequences may change abruptly without any
indication. Therefore constant monitoring is necessary to detect these changes
This monitoring and review activities should continuously monitored and addressed (but not limited to):
 New assets that have been included in the risk management scope.
 Necessary modification of asset values, e.g. due to changed business requirements.
 New threats that could be active both outside and inside the organization and that have not been assessed.
 Possibility that new or increased vulnerabilities could allow threats to exploit these new or changed
vulnerabilities.
 Identified vulnerabilities to determine those becoming exposed to new or re-emerging threats.
 Increased impact or consequences of assessed threats, vulnerabilities and risks In aggregation resulting in
an unacceptable level of risk
 Information security incidents.
 Legal and environmental.
 Impact criteria.
 Risk acceptance criteria.
 Necessary resources.

19 of 24

20 of 24
Risk Identification Example
RiskAssessment
No/ID
Asset
Owner
Threat
Vulnerabilities
Current
Control
Planned
Control
Primary
Security
Concern
Likelihood
Impact
Score
A1 Central DB Ahmed –
business
function A
Abuse
of rights
There are 8 administrator
account which may allow
user to log on using these
account and knowingly or
unknowingly perform
damaging actions.
None Limit
administrator
account to at
least 1 or 2
account only.
N
(None-
repudiation)
3 5 15
A2 Web Portal
A
Ahmed –
business
function A
Sabotage Ineffective user registration,
deregistration and logging
functionalities
Syslog None I
(Integrity)
1 4 4
A3 Router John –
business
function B
Passwd
cracking
Network device may
configured with common,
default and/or weak
passwords configuration.
Policy and
procedure
None C
(Confidentiality)
2 4 8

21 of 24
Risk Treatment Options Example
RiskAssessment
No/ID Risk Treatment Justification Risk Owner
A1 15 Reduce a) There are 8 administrator account which may allow
user to log on using these account and knowingly or
unknowingly perform damaging actions.
b) Logging management system is not sufficient to detect
changes in the central DB.
c) There are no database firewall implemented to
monitor administrator access and activities.
Ahmed – business
function A
A2 4 Avoid a) Implement NAC or similar security control.
b) Logging management system is not sufficient to detect
changes in the central DB.
c) There are no database firewall implemented to
monitor administrator access and activities.
Ahmed – business
function A
A3 8 Retain a) Current default password is not an ‘easy to guess’
password.
b) Last incident was 8 years back.
John – business
function B

22 of 24
Risk Treatment Plan Example
RiskAssessment
No/ID Risk Treatment Plan Risk Owner Resolve By
A1 15 Reduce Limit administrator account to at least 1 or 2
account only:
a) Setup a test server to simulate the requirement
and observe the impact to the systems.
b) Develop a proper access control matrix.
Ahmed – business
function A
ASAP
30/09/2013
A2 4 Avoid a) Replace logging management system with
sufficient security control to detect changes in
the central DB.
b) Implement database firewall.
c) Implement data integrity solution such as
tripwire.
Ahmed – business
function A
Long-term
A3 8 Retain Conduct security audit, vulnerability assessment and
hardening exercise.
John – business
function B
Mid-term
01/01/2014

23 of 24
Risk Implementation Treatment Plan Example
RiskAssessment
No/ID Plan Risk Owner
Resource
Required
Resolve
By
Expected Outcome Cost
A1 Limit administrator account to at
least 1 or 2 account only:
a) Setup a test server to simulate
the requirement and observe
the impact to the systems.
b) Develop a proper access
control matrix.
Ahmed –
business function
A
1 x Server
administrator
1 x DB
administrator
1 x Technical
Security Engineer
ASAP
30/09/2013
Administrator is limit
to 1 or 2 account only
and other users are
only allow based on
their roles.
MYR 5k
A2 a) Replace logging management
system with sufficient security
control to detect changes in
the central DB.
b) Implement database firewall.
c) Implement data integrity
solution such as tripwire.
Ahmed –
business function
A
1 x Technical
Security
Consultant
Long-term The system is
effectively monitor
user registration,
deregistration and
logging functionalities
MYR
150k
A3 Conduct security audit,
vulnerability assessment and
hardening exercise.
John – business
function B
1 x Technical
Security
Consultant
1 x Technical
Security Engineer
Mid-term
01/01/2014
Hardened network
device, al passwords
are set and comply
to security policy, and
password cracking
attempt should be
logged and
monitored.
MYR
200k

IT Risk Assessment Process and Methodology

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (17)

Similar to IT Risk Assessment Process and Methodology

Similar to IT Risk Assessment Process and Methodology (20)

Recently uploaded

Recently uploaded (20)

IT Risk Assessment Process and Methodology