The Significance of IT Security Management & Risk Assessment

An overview of IT Security Management, which is comprised of standards, policies, plans, and procedures as well as risk assessment and the various techniques and approaches to minimize an organization’s financial impact due to the exploitation of numerous organizational assets.

Submitted by Brent Mohring & Bradley Susser
Information Security & Controls / Information Security Management
April 20, 2012

Table of Contents

Summary
Introduction
Fundamentals of IT Security Management
Organizational Context and Security Policy
Developing a Security Policy
Case Study ING: Making use of COBIT and Other Standards
Security Risk Assessment
Risk Assessment Approaches
Quantitative and Qualitative Risk Analysis
Detailed Security Risk Analysis
Case Study Barrick Gold
Conclusion
Works Cited

Summary

The proliferation of attacks on organizational networks and systems has created a global phenomenon, one which was not foreseeable by many information technology pioneers. This is evident in the Kaspersky Lab data; in particular, the report stated that the number of browser attacks in 2011 increased from 580 million to around 946 million (Namestnikov). Due to this paradigm, IT Security Management and risk assessment have become an essential element that must be incorporated across all non-governmental organizations as well as those in the public sector. In this paper, we will analyze IT Security Management, Organizational Policies, and Risk Assessment.

Introduction

IT Security Management encompasses how different organizations select, plan, implement, and review their IT security methods. Taking this a step further, it is essential to align IT security risk assessment with business objectives as well as organizational size. Risk assessment is the analysis and identification of specific threats and vulnerabilities to an organization's assets to help determine levels of risk. Therefore, this paper will cover the various approaches in ISO 13335: the baseline approach, the informal approach, the detailed risk analysis approach, and the combined approach. Furthermore, we will provide a brief overview of both quantitative and qualitative paradigms, along with a case study that helps show why risk analysis is significant and essential to all organizations spanning all industry segments. Finally, you will be able to see how organizations can minimize risk while maximizing profits by implementing the proper countermeasures along with industry best practices.

Fundamentals of IT Security Management

IT Security Management is the formal process of answering three fundamental questions: What assets do we need to protect? What are the threats to these assets? What countermeasures can be used? (Stallings, 467). To answer the first question, an asset must be defined. An asset is anything that an organization has or owns. It can be something physical like a computer, a server, or a database. It can also be something like a competitive advantage or a company's reputation amongst its customers. These are intangible assets. The second question addresses the threats to those assets. A computer network might be threatened by something that could harm it, like a virus, or by a competitor analyzing the network to make determinations about how the company operates. A physical asset may be computer servers that are threatened by physical world events like power outages or floods. Once an organization has identified the threats to its assets, it will need to understand what countermeasures it can employ to protect those assets or mitigate the damage to them. These countermeasures can be computer security products like firewalls or software protection, or physical protection like biometric locks. Another important term is vulnerability. A vulnerability is a weakness in an asset or group of assets which can be exploited by a threat, like an unsecured network, or a building with a high level of foot traffic near secure systems.

The basics of IT security management include determining the security objectives and general risk profile of the company; performing an IT security risk assessment on each asset in the organization; creating management, operational and technical controls; identifying whether risks can be reduced to an acceptable level or can simply be accepted; selecting controls; writing plans and procedures for implementing the controls; determining whether the plan meets the security objectives; and planning to maintain, adapt and upgrade the controls (Stallings, 470).
For the risk profile, every company is different, so depending on a number of factors, such as its size, industry, location, and technology, it needs to determine what its objectives are: what security it needs, how much security it wants to take on, and how much risk it is willing to accept. A large, established company with a lot to lose might want to take on more security and have a lower risk. A startup company might not have the resources for a full security suite and may try to go without some proper security to save money and gain a competitive advantage in its market. For the asset risk assessment, ideally every asset in the company, or at least every asset that is critical to the organization's business objectives, should have a risk assessment to determine the most cost-effective way to protect the asset with an acceptable amount of risk to the company. For identification of risks, there might be a risk that is a low threat or may have a low impact on the company if it happens, and it may cost a lot to try to protect the vulnerability. So a company may strategically choose not to protect against a risk. The next step is for the organization to select what controls it will use, and write up the plans and procedures for how its security will work. Some examples of management controls are planning, assessments and services. Some examples of operational controls are maintenance, protections implemented, and training programs. Technical controls are security services, audits, and access control (Stallings, 482-483). These controls combine to ensure appropriate levels of security. Once the plan is written, it can be compared to the security objectives to make sure that the goals are met. The company will then create a plan to keep the system constantly working and upgrading. The security management process will be cyclic; the company's assets and security concerns will constantly be changing due to changes in business, the rapid advancement of technology, and the changing risk environment. The company will have to keep reevaluating its security plans and changing them.

When deciding how to plan IT management, a company can first look at international standards of IT security. As companies can be audited on their security, it is best for them to examine the standards and their best practices. One important standard is from the ISO; the International Standards Organization has consolidated its standards into ISO 27000. Specifically, ISO/IEC 27000:2009 provides an overview of information security management systems.
[Table: ISO Security Standards (Stallings, 468)]

The above table displays recently adopted standards. Another standards group is NIST, the National Institute of Standards and Technology. They have standards on IT security management in NIST02 and NIST09. Organizations are being audited more frequently now after corporate governance issues like the Enron collapse and government organizations losing personal data. These standards are especially important today as organizations are expected to follow them to protect against losing their data. Recently, a company called Stratfor was hacked, and this intelligence report company is having its private documents leaked to the press (Perlroth). MasterCard and Visa also had their databases of customer information hacked (Pepitone). So organizations need to strictly adhere to these standards. One important standard is ISO 13335, comprising security techniques on IT network security and management of information and communications technology security. It has chapters on topics like securing remote access, securing communications across networks using virtual private networks, selection of safeguards, and guidance on network security.

After reviewing international standards, let's review the full definition of IT Security Management: a process used to achieve and maintain appropriate levels of confidentiality, integrity, availability, accountability, authenticity, and reliability. Its functions are to (Stallings, 471-472):

• Determine objectives, strategies, policies
• Determine security requirements
• Identify and analyze threats, risks
• Specify and monitor safeguards or countermeasures
• Monitor implementation and operation to protect information and services in a cost-effective manner
• Detect and react to incidents
• Develop a security awareness program

As with all business and IT projects, security implementations will need the backing of high-level corporate employees, like the CIO. Without that support, they won't have the funding, resources, or attention needed to be implemented. In instances like this, an IT employee may have to lobby and convince them of the necessary work to be done. The best way to do this is to tie the security to the organization's key business objectives, and show how the cost of not implementing the security, the risk, is greater than the cost of implementing the security. This will be shown in the risk assessment section. There will always be a need in the security process for management. It won't end once all of the controls are set up and the systems are running.

Delving further into how to approach management, a process model can be used to show the processes of IT security management. It: establishes security policy, objectives, processes and procedures; performs risk assessment; creates an inclusive risk treatment plan with selection of controls and acceptance of risk; implements the risk treatment plan; and maintains and improves the implementation plan in response to risk incidents. The process works in a security framework, like the one below (Stallings, 469):

[Figure: IT security management framework (Stallings, 469)]

At the top, you have the organizational aspects coupled with the IT security policy, which defines and drives the rest of the process. There are four different security risk analyses listed here for the organization to choose from. Once an assessment type is selected, the company selects the controls to be used, and begins to develop the security plan and procedures that are shaped from all of the previous selections. The next stage is the implementation, with the implementation controls as well as security awareness and training. The last phase does not end the process, but it is the phase that the company will spend a lot of time in. The follow-up phase contains the maintenance on the systems, the changing of the processes to match new security compliance requirements, and the incident handling when threats arrive. That includes detection, response, recovery, and documenting the incident for the future. We want to point out that the Follow-Up has an arrow that shows that it eventually leads back to the rest of the process as the security policy gets revised and the implementation starts over. In addition, management is significant and must be proactive in incorporating standards, policies, and guidelines to optimize the system to align with and meet business objectives. This in turn will effectively make the organization more efficient by minimizing risk and maximizing profits. Getting to an actual process model, the process model we'll be looking at is shown below (Stallings, 470):

[Figure: Plan-Do-Check-Act process model (Stallings, 470)]

In the textbook, this is described as the Plan-Do-Check-Act process model. This model is from the ISO 27000 series standards and it is for managing information security. It's similar to the framework graph displayed previously. The first step is Plan. The interested parties, the executives or experts who are deciding the information security needs of the organization, will plan for possible and probable events.
They establish a security policy, objectives, processes and procedures that are relevant to managing the risk and improving information security to deliver results in accordance with an organization's overall policies and objectives. The second phase is Do: this is the main implementation phase, when you implement and operate the security policy, controls, processes and procedures. The third phase is Check: you assess and, where applicable, measure process performance against security policy, objectives and practical experience, and report the results to management for review. The fourth phase is Act: you take corrective and preventive actions, based on the results of the internal security audit and management review or other relevant information, to achieve continual improvement of the security management process. The process model fits into the framework model. You can see that everything in the process (the policy, organization risk analysis, control selection and development of the security plan and procedures) is all of the Plan phase, and the implementation controls and training are all the Do phase. The Follow-Up maintenance, security compliance, change management and incident handling are the Check and Act phases; the feedback from the Follow-Up becomes the Act phase as you go back and change the security framework based on the results from the Follow-Up.

Organizational Context and Security Policy

Relating security to the role it plays within an organization and examining that role is part of the Organizational Context section. The organizational security policy describes what the objectives and strategies are, and the process used to achieve them. The intent of the policy is to provide a clear overview of how an organization's IT infrastructure supports its overall business objectives in general, and more specifically what security requirements must be provided in order to do this most effectively. The organizational or corporate security policy can be a single large document, or a set of related documents. The objectives are IT security outcomes, and the strategies are how to meet the objectives. The policies identify the processes to be done, and must be maintained and updated regularly with periodic reviews of security. An IT system's role in the organization may change over time. Costs of IT security should lower business risks to increase profitability for the organization, even if that has to entail additional capital expenditures. SANS defines the terms: “A policy is typically a document that outlines specific requirements or rules that must be met. In the information/network security realm, policies are usually point-specific, covering a single area. A standard is typically collections of system-specific or procedural-specific requirements that must be met by everyone. A guideline is typically a collection of system specific or procedural specific "suggestions" for best practice. They are not requirements to be met, but are strongly recommended” (Information Security Policy Templates). We will be focusing on policy in this presentation as the chart branches down to the subset of the functional policy branch (Watson, 7):

[Figure: Security Policy Map (Watson, 7)]

The above Security Policy Map is from Purdue University. Policies are statements of management intentions and goals, and this is a chart to show how policies affect the organization's processes. This is an example of security governance. You can see how the laws, regulations, security requirements, the organizational goals and the business objectives all come together to influence and create the general organizational policies that lead down to the functional policies of the decided-upon procedures, standards, guidelines and baselines. Procedures are detailed steps to perform a specific task that is dictated by policy: handling resources, adding and deleting user accounts, change management, etc. (Watson, 9). Standards specify the use of specific technologies in a uniform manner and require uniformity throughout the organization. Examples include operating systems, applications, server tools, and router configurations (Watson, 10). Guidelines are recommended methods for performing a task; they are not required. Examples are malware cleanup, spyware removal, data conversion, and sanitization (Watson, 11). Baselines are similar to standards but account for differences in technologies and versions from different vendors, like different operating systems or system versions (Watson, 12).

Developing a Security Policy

To develop a security policy, you would first list the key organization security objectives. For example, a large company that already has a lot of data might be a big target as people want to access that data, so it might want tighter security controls, while a newer or smaller company may not be an immediate target, and it would not make as much sense for it to try to develop elaborate security controls. Next you would develop broad strategy statements answering questions such as “How will objectives be met?” and “How will we maintain consistency across our organization?” Finally, you will factor in identified objectives, as well as other key points such as the size of the organization. Some important questions to ask during the development of the security policy are: “What are the aspects of the organization that require IT support to function efficiently?”, “What are the tasks that can only be performed with IT support?”, “Which essential decisions depend on accuracy, currency, integrity, or availability of data managed by IT systems?”, “What data that is created, managed, processed and stored by the IT systems needs protection?”, and “What are the consequences to the company of an IT system security failure?” (Stallings, 471). You'll need to tie these questions to the critical business objectives of the organization.
For example, a retail web site relies on its online order processing system to make money, so that is a critical process, and the organization will need to know how much money it could lose for each time period that the site is down. The security policy should address the following points (Stallings, 471-472):

• Scope and purpose, including relation of objectives to business, legal, and regulatory requirements
• IT security requirements: confidentiality, integrity, availability, accountability, authenticity and reliability
• Assignment of responsibilities for security employees
• Risk management approach of the organization
• Security awareness and training
• General personnel issues and any legal sanctions for those in positions of trust
• Integration of security into systems development and procurement
• Information classification scheme to be used across the organization
• Incident detection and handling processes
• How and when the policy is reviewed, and change control to it

Lastly, I'd like to touch on the Organizational IT Security Officer. A company should have a single person for overall supervision of security, an Organizational IT Security Officer. Because the responsibility for IT security is shared across the organization, there is a risk of inconsistent implementation of security, and a loss of central monitoring and control. The various standards strongly recommend that overall responsibility for the organization's IT security be assigned to a single person, the Organizational IT Security Officer. This position has the key responsibilities of oversight and management of the IT security process, liaison with senior management, maintenance, response to incidents, interaction with IT project management security officers, investigation of incidents, and development of IT security awareness and training programs (Stallings, 473). The officer should keep policies consistent. As the company grows, the Officer may manage teams who manage processes in their areas.

Case Study ING: Making use of COBIT and Other Standards

To further make the case for how significantly standards can minimize an organization's risk profile, we have explored and examined the initiatives taken by ING Group (Le Bie) and their use of information technology governance and tools, along with a strong IT security management commitment, to safeguard against attacks while meeting regulatory compliance, inclusive of Sarbanes-Oxley and Basel II. ING Group is a financial services company that provides banking, investment, life insurance and retirement services on a global scale. A case study written in 2006 by the IT Governance Institute, an organization established in 1998 to advance international thinking in standards for IT, describes in detail how ING Group was able to successfully execute what ITGI describes as the Val IT initiative along with control objectives for information-related technology. One of the processes that encompasses Val IT, or the Val IT framework, is investment management, which in turn should come at an affordable cost with an acceptable level of risk. This particular process, along with the other two that make up Val IT, is backed up by empirical research, a common methodology, supporting publications and services. ING then integrated Val IT with COBIT, which incorporates best practices enabled by key controls measured by outcome and performance metrics, and key management, which provides a disciplined approach to addressing information security issues.
In simple terms, Val IT asks the strategic question “Are we doing the right things?” and the value question “Are we getting the benefits?”, and the COBIT framework asks the architectural question “Are we doing them the right way?” and the delivery question “Are we doing them well?” Both methodologies, if used correctly, can aid in having a firm's IT infrastructure support business objectives, maximize business investment in IT, and, most importantly, administer IT-related risks, which as you will soon see is distinctively the case when referencing the ING organization. At the time of this study, ING reported in its 2005 annual financials a profit before taxes compared to full-year 2004 results of 19.4% to 18.5 million euros, while earnings per share rose 22.7%. ING places extreme importance on IT security by implementing a hierarchy offering checks and balances where at the top is the executive board, second from the top is the procurement policy board, and third from the top an information risk steering committee, which examines security measures and is more aligned with the topic of this paper. Looking further ahead, the global economic downturn did impact ING's operations and market capitalization, but with the company's proper IT security management in place it fared far better than many of its peers. That is to say, they were not adversely impacted significantly, due to the lack of any compliance issues thanks to their strict IT security policy and procedures, and in looking at the organization as a whole we were unable to see any evidence that ING's networks or critical data were exploited in any way. The standards that were put in place by this financial institution also aided in implementing a stringent risk policy that spanned the entire firm, resulting in improved risk assessment, which reduced the need for costly provisions. ING's active management in the area of IT security deserves to be commended, which is why, to date, the company has not been exploited and has continued to remain profitable, with annual gross profit of around 12.47 billion dollars and total top-line numbers at around 70 billion dollars.

Security Risk Assessment

After creating a framework for an organization's IT Security Management policies, standards and procedures, the most integral part of IT security is assessing risk to the overall organization's assets. Therefore assessing security resources is essential to mitigating financial loss; some risks will be addressed while others will not be addressed properly.
Therefore, it is imperative that an organization makes use of an approach that aligns IT security objectives with the overall business organizational objectives. Before further discussing the various approaches towards risk analysis, we must define what risk is. Risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. In simple terms, risk is the probability of a threat occurrence multiplied by the cost to the organization, or risk = probability * cost. In practice, it is difficult to determine, but there are many approaches that can be used. We must further emphasize, before describing these various approaches, that each of these risk assessment methodologies needs to address rapid changes in IT technology as well as the risk environment by incorporating a cyclic process. In other words, the process of risk analysis is never ending.

Risk Assessment Approaches

There are a number of organizations, such as NIST and ISO, that have developed numerous standards for IT assessment over the years. In this paper, we will focus on those that encompass the ISO 13335 series. This includes the baseline approach, the informal approach, the detailed risk analysis approach, and the combined approach.

The baseline approach measures information security in several categories, to analyze the gap between the current status and the necessary level of status. A baseline approach implements safeguards to protect against the most common threats. It contains generalized standards and “best industry practices.” This approach implements basic, general-level security controls, and is best for small organizations (Stallings, 474). Some advantages are that capital expenditures are reduced due to minimizing the use of resources, and that this approach can be duplicated over a range of systems (it is easy, cheap, and easily replicated). The disadvantages are that no special consideration is given to variations in the organization's risk exposure (such as who they are, how systems are used). As a result of no special consideration to the organization, the baseline can be set too high, leading to unnecessary capital expenditures, or too low, leading to increased security risks and opening up more vulnerabilities.

The informal approach implements risk analysis by exploiting individual knowledge and experience. This approach is suitable for small and mid-size organizations.
The advantages of this approach are that it usually does not require a lot of resources or time. Individuals who perform this analysis do not require additional skills or training; therefore informal risk assessment can be performed fairly quickly and cheaply. This approach, unlike the baseline approach, does address the organization's specific systems and issues, allowing for more targeted controls. The disadvantages to this approach are that it is highly dependent on the skills of the person in charge, and the likelihood of missing some important details will leave the organization vulnerable. Also, particular prejudices of the individuals may influence the results, and this may also cause an increase in additional capital expenditures that may be unnecessary. Based on the above disadvantages, the informal approach may not be effective for many organizations.

Detailed analysis involves in-depth identification and valuation of all information assets, the assessment of threats to those assets, and assessment of vulnerabilities. This is a more comprehensive approach, including numerous stages, and is suitable for large organizations with IT objectives that are critical to their business objectives, or for governmental agencies. Also, legal requirements may require a detailed risk analysis. DRA has continued to evolve due to the development of trusted computer systems, and a number of standards encompass this approach, which we will not elaborate on. This is the most comprehensive approach, and it provides the most detailed examination of an organization's security risks. It has the strongest justification for expenditure on controls. As for disadvantages, it has significant cost, time, resources and expertise needed to perform the analysis. And the analysis taking too much time may take away time from other vulnerabilities. This type of analysis is typically performed as a legal requirement for government organizations and businesses providing key services to them.

The combined approach is a combination of the baseline approach and the detailed analysis approach.
It has many advantages, including an initial high-level analysis rather than a full detailed risk analysis of all systems, which may be easier to sell to management. The use of the baseline and informal analysis in this approach ensures that a basic level of security protection is implemented early on. And due to the speed of this process, resources are likely to be applied where they are most needed, and systems most at risk are likely to be examined further early in the process. The disadvantage is that a high-level analysis can be inaccurate, in contrast to detailed risk analysis, which can cause a greater chance for vulnerability. But for most organizations, the chance of the above disadvantage is very minimal; therefore this approach is the one that should be, and is in fact, most commonly used.

Quantitative and Qualitative Risk Analysis

There are a number of approaches as viewed above, and for obvious reasons we will compare the detailed risk analysis approach later on in this paper, but one must also understand that many of these approaches can make use of either quantitative or qualitative metrics to complement these various standards to assess threats and vulnerabilities. Quantitative analysis is being able to come up with actual costs associated with organizational risks, whereas qualitative analysis is more of an intangible assessment based on the priority of identified risks using their probability of occurring, the corresponding impact, as well as other factors such as the time frame and risk tolerance. To give a simplified comparison between quantitative and qualitative analysis, we will use an example of a possible hospital exploit. In this scenario, a hospital has 1,000 electronic medical records. If these were compromised, we would have to come up with a cost-benefit analysis or a monetary value. One way of doing this is that if these records were compromised you would need to determine the cost associated with the compromise. To assess the actual costs associated with a compromise, we could first get in contact with the patients, create new identification numbers for the files, and create and reissue new ID cards. You would now know the cost, which under meticulous examination you come up with as the figure of $30 per record.
The cost of this compromise would come out to $30,000, based on one thousand records: you simply multiply the cost of each record by the number of exploited records. Pretty simplistic, except this is only one-dimensional: if you had 500,000 records, the cost would be 15 million dollars and would involve greater complexity, which is why you must now incorporate a qualitative approach. Within the above example, you now also have an auditor walk through the door who says that you have 90 days to deploy the appropriate countermeasures, due to the vulnerability he or she viewed on the system, which was stated as having no encryption between the database and the web server, nor encryption on the database itself, and is therefore not in compliance with HIPAA standards. Through further analysis we then begin to look at additional vulnerabilities, such as a code review, in which we discover that our assets are prone to an SQL injection attack (an appended message to exploit the system and the data within it). Hence, there have to be controls in place to filter out such an attack. Currently, we have the cost associated with the vulnerabilities in the system, and now the likelihood of discoverability must be assessed. Using quantitative analysis, the worst-case scenario would be that the compromise of 500,000 records comes to a cost of 15 million dollars. Going by quantitative analysis alone, this is again a one-dimensional evaluation. We must have a way to assign a risk level to vulnerabilities that takes other factors into consideration. To keep it simple, we will use a qualitative weighting scale that consists of high, medium and low ratings. The information we have gathered thus far is that the number of records that could be compromised ranges from 1,000 to 500,000 and the records are valued at $30 each; the data is not encrypted in transit or at rest; multiple business units can access and modify the data; and the systems are maintained by the operations group. Lastly, we have an audit requirement to document encryption and apply mitigation controls. Let's incorporate one additional piece into our assessment: reputation. Reputation encompasses impact on earnings, consumer confidence, and publicity.
We can easily assign a qualitative risk level of high, as an SQL injection attack is not often detected by system logs and intrusion detection services. Reputation is at risk from the hospital going public with a loss of 500,000 medical records, and once this vulnerability is known there will be an increase in this type of attack on hospital systems. We now have the qualitative cost and the quantitative cost, both of which have a high risk factor. This is where management plays an important role, and why we incorporate the single loss expectancy (SLE) formula. In this example, we take the value of the asset ($30 in this case) and the exposure level (500,000) and multiply the asset value by the exposure level, giving an SLE of 15 million dollars. We next calculate the annual loss expectancy (ALE), which accounts for how many times per year this will occur: take the SLE and multiply it by the annual rate of occurrence (ARO). In this scenario the database is very new, so we can't use historical examples to estimate the ARO, and therefore we can't come up with an appropriate cost-benefit analysis. Going back to a qualitative approach, we would instead mitigate this risk by customizing intrusion detection signatures for traffic analysis that poses a threat to the database, and by installing host intrusion detection software on both the web server and the database server. Due to these initiatives, we now feel comfortable reducing the risk rating from high to medium. Furthermore, we could reduce the threat level to low via additional code testing, with host intrusion prevention software (HIPS) and IDS tools properly configured. The above is an example of how organizations need to initiate a risk assessment that aligns with their business objectives. We must emphasize that although both quantitative and qualitative analysis are useful, most organizations use a qualitative approach. This is why in the next section we will focus our attention on describing a detailed risk analysis approach that primarily focuses on qualitative metrics.
Detailed Security Risk Analysis

Although the majority of organizations make use of the combined approach, for educational purposes and to cover all areas of risk assessment we have chosen to describe in greater depth the detailed risk analysis approach, along with its techniques and models, as this approach comprises all the essential elements to optimize IT security safeguards and minimize risk exposure for any corporation. When first examining an organization's risk profile using this approach, the first area we examine is the firm's perimeter. This includes system boundaries, system functions, system/data criticality, and system/data sensitivity. After looking at the system's boundaries, the last step within the first process of this approach, and probably the most significant, is to identify the assets that need to be analyzed. As described above, this addresses the first of the three fundamental questions: "What assets do we need to protect?" An asset is "anything which needs to be protected" because it has value to the organization and contributes to the successful attainment of the organization's objectives, and it may be either tangible or intangible (Stallings, 480). It includes computer and communications hardware infrastructure, software including applications, information/data held on these systems, the documentation on these systems, and the people who manage and maintain these systems. Within the boundaries identified for the risk assessment, these assets need to be identified and their value to the organization assessed. It is important to emphasize again that whilst the ideal is to consider every conceivable asset, in practice this is not possible. Rather, the goal here is to identify all assets that contribute significantly to attaining the organization's objectives, and whose compromise or loss would seriously impact the organization's operation (Stallings, 480). Whilst the risk assessment process is most likely being managed by security experts, they will not necessarily have a high degree of familiarity with the organization's operation and structures. Thus they need to draw on the expertise of the people in the relevant areas of the organization to identify key assets and their value to the organization. A key element of this process step is identifying and interviewing such personnel. Many of the standards listed previously include checklists of types of assets and suggestions for mechanisms for gathering the necessary information; these should be consulted and used. The outcome of this step should be a list of assets, with brief descriptions of their use by, and value to, the organization.
The next area we need to focus on is threat sources, which many times can be drawn from past experience. A threat source can be a natural disaster or a human agent, either acting directly (e.g. an insider retrieving and selling information, or a hacker targeting a server over the internet) or indirectly (e.g. the result of an accident, perhaps through the misconfiguration of various routers). The third area to focus on is threat identification. This addresses the questions "What could cause the organization harm?" and "How could this occur?" (Stallings, 481). Threats to the assets need to be identified, as well as the ways that the threats could affect the systems. To complement this, the next area to be examined is vulnerabilities. We identify exploitable flaws or weaknesses in the organization's IT systems or processes and determine the applicability and significance of each threat to the organization. A combination of a threat and a vulnerability is needed to create a risk to an asset. We can use the lists of potential vulnerabilities in standards to help determine our own vulnerabilities. After this step, one must determine what controls already exist, in order to reduce redundancy and eliminate wasteful spending.

Determining Overall Risk Exposure by Making Use of Qualitative Risk Rating Tables

The first table that will be applied consists of a rating, a likelihood description, and an expanded definition, used to determine the overall likelihood that an asset will be compromised. This can be seen in the following table (Stallings, 483):

Table 1.

The next essential step is to create a table that determines the consequence if a specified asset or a number of assets are exploited. This table comprises a rating, the rating of the consequence to the organization (from insignificant to a doomsday scenario), and an expanded definition that briefly describes the magnitude of the impact and the repercussions for the overall organization. See the example below (Stallings, 484-485):

Table 2.

Finally, based on meticulous examination and analysis of the likelihood that a threat will occur and the impact it will have on an organization, we can create another table by correlating the two previous variables to qualitatively detail the risk level assigned to each combination. This table is titled Risk Level Determination and Meaning, and can be found below (Stallings, 486):
Table 3.

In our final table, we create what is known as the Risk Register, which allows management to determine the assets that require treatment against those that do not. The Risk Register should consist of the identified asset; the threat/vulnerability; the existing controls that are already in place; the likelihood that each identified threat could occur and cause harm to an identified asset; the consequence, which indicates the impact on the organization should a particular asset or assets be compromised; the level of risk; and the priority of the risk (Stallings, 486):
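The three rating tables and the Risk Register described above, worked through as runnable code. This is an added example, not code from the paper or from Stallings: the five-point likelihood scale, the six-point consequence scale and the risk-level matrix are constructed stand-ins for Tables 1 to 3 (which this copy of the paper does not reproduce), and the register rows are constructed from the hospital scenario of the previous section plus two invented assets. It also carries the SLE and ALE calculations from the quantitative section, so a register row can hold a monetary exposure where one can be estimated, and it returns no ALE when the ARO is unknown, as in the hospital example.

```python
"""Qualitative risk rating tables and a Risk Register.

Added example, not from the paper or Stallings. The scales, the matrix and the
sample rows are constructed assumptions; tune them to your own risk appetite.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Table 1 style: likelihood rating -> description (assumed five-point scale).
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}

# Table 2 style: consequence rating -> description, from insignificant to
# doomsday as the paper describes (assumed six-point scale).
CONSEQUENCE = {1: "Insignificant", 2: "Minor", 3: "Moderate",
               4: "Major", 5: "Catastrophic", 6: "Doomsday"}

# Ordering used for prioritisation, lowest to highest.
RISK_LEVELS = ("Low", "Medium", "High", "Extreme")

# Table 3 style: risk level determination. Row = likelihood rating,
# column index = consequence rating - 1. Constructed matrix, not Stallings'.
RISK_MATRIX = {
    1: ("Low", "Low", "Low", "Medium", "High", "High"),
    2: ("Low", "Low", "Medium", "Medium", "High", "Extreme"),
    3: ("Low", "Medium", "Medium", "High", "High", "Extreme"),
    4: ("Low", "Medium", "High", "High", "Extreme", "Extreme"),
    5: ("Medium", "Medium", "High", "Extreme", "Extreme", "Extreme"),
}


def risk_level(likelihood: int, consequence: int) -> str:
    """Correlate a likelihood rating with a consequence rating (Table 3 lookup)."""
    if likelihood not in LIKELIHOOD or consequence not in CONSEQUENCE:
        raise ValueError(f"rating out of range: L={likelihood}, C={consequence}")
    return RISK_MATRIX[likelihood][consequence - 1]


def single_loss_expectancy(asset_value: float, exposure: int) -> float:
    """SLE = value per unit x units exposed (the paper's $30 x 500,000 records)."""
    return asset_value * exposure


def annual_loss_expectancy(sle: float, aro: Optional[float]) -> Optional[float]:
    """ALE = SLE x annual rate of occurrence. A brand-new system has no incident
    history and so no defensible ARO; None signals 'rate this qualitatively'."""
    return None if aro is None else sle * aro


@dataclass
class RiskEntry:
    """One Risk Register row; the level is derived, the priority is assigned later."""
    asset: str
    threat: str
    existing_controls: str
    likelihood: int
    consequence: int
    sle: Optional[float] = None  # quantitative exposure, when it can be estimated
    level: str = field(init=False)

    def __post_init__(self) -> None:
        self.level = risk_level(self.likelihood, self.consequence)


def build_risk_register(entries: List[RiskEntry]) -> List[Tuple[int, RiskEntry]]:
    """Order rows by risk level, then consequence, then likelihood, and attach a
    1-based priority so management sees what needs treatment first."""
    ordered = sorted(entries, reverse=True,
                     key=lambda e: (RISK_LEVELS.index(e.level), e.consequence, e.likelihood))
    return list(enumerate(ordered, start=1))


def treatment_required(entry: RiskEntry, appetite: str = "Medium") -> bool:
    """A row needs treatment (avoid, transfer, reduce) when its level exceeds the
    organisation's risk appetite; at or below appetite it may be accepted."""
    return RISK_LEVELS.index(entry.level) > RISK_LEVELS.index(appetite)


# Constructed sample rows; the first is the paper's hospital scenario.
SAMPLE_ENTRIES = [
    RiskEntry("Patient medical records database",
              "Records unencrypted in transit and at rest; SQL injection flaw in code review",
              "None (open audit finding)", likelihood=4, consequence=5,
              sle=single_loss_expectancy(30, 500_000)),
    RiskEntry("Core router configuration", "Accidental misconfiguration by operations",
              "Peer review of changes", likelihood=2, consequence=3),
    RiskEntry("Internal e-mail", "Service outage", "Redundant mail servers",
              likelihood=3, consequence=2),
]


def format_register(register: List[Tuple[int, RiskEntry]]) -> List[str]:
    """Render the register as one text line per row."""
    return [f"{prio}. {e.asset} | {e.threat} | controls: {e.existing_controls} | "
            f"L={LIKELIHOOD[e.likelihood]} C={CONSEQUENCE[e.consequence]} | {e.level} | "
            f"{'treat' if treatment_required(e) else 'accept'}"
            for prio, e in register]


if __name__ == "__main__":
    print("\n".join(format_register(build_risk_register(SAMPLE_ENTRIES))))
```

Running the block prints the hospital database as priority 1 at Extreme with a $15,000,000 SLE and no ALE, and the two invented assets below it at Medium, which a default appetite of Medium would allow management to accept. The matrix is deliberately kept as an explicit table rather than a formula, because the whole point of the qualitative approach is that the organization decides those cells.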
Table 4.

The Risk Register would then allow executive management to accept the risk, avoid the risk, transfer the risk, reduce the consequences, or reduce the likelihood. Making use of these models and techniques allows an organization to handle attacks more efficiently and effectively by mitigating its risk profile while incorporating best practices.

Case Study Barrick Gold

In further discussing risk assessment, we decided to take a detailed look at a well-known publicly traded organization, primarily because it makes use of a Supervisory Control And Data Acquisition (SCADA) system (Barrick Goldstrike Wireless Presentation). The use of SCADA is pronounced and prevalent among many organizational systems that are vital to the United States' infrastructure. Prior to 9/11 this may not have been seen as a high priority, but because we are in the midst of potential cyber warfare among various countries around the globe, any attack on such systems can cause significant economic impact to the US. To give a few examples, SCADA is deployed to monitor and control our electric power generation, transmission and distribution, water and sewage, mass transit, traffic signals, and various other industrial systems. Typically, mining companies have a much greater risk tolerance, but due to the growing number of attacks on a multitude of corporations and governments around the world, Barrick Gold has taken this threat quite seriously, especially when it comes to the safety of its employees. Barrick Gold trades on the NYSE under the ticker ABX and is a Canadian-based company formed in 1983. It engages in the production and sale of gold and copper, with production, exploration and development projects located in North and South America, the Australia-Pacific region and Africa. It currently has 26 operating mines, with annual revenues of around 14.31 billion dollars, total cash on hand of 2.74 billion dollars, and debt of 13.37 billion dollars.
Its stock currently trades at a multiple of around 10.9 times earnings, and it is anticipated to trade over the next year and a half at 8 times earnings. In April 2011, Barrick acquired Equinox Minerals for around 7.3 billion Canadian dollars. This acquisition, along with other acquisitions, adds further complexity to the organization. Therefore, risk analysis is of extreme significance, since disparate systems need to be integrated together with an appropriate assessment of IT security issues. In making use of the combined approach, we must not forget that detailed risk analysis is an important part of this technique. Therefore, instead of going into great detail on the identification of assets, threats, vulnerabilities and so forth, below we have provided a hypothetical risk register model that we believe would address many of the company's IT security concerns, which in turn would aid Barrick in analyzing and driving action to minimize the likelihood of a risk occurring, reduce the visibility of the risk, increase the ability to handle the risk should it occur, and reduce the impact of the risk. One added point: as you can see in the risk register below, the reliability of the SCADA nodes and network was given the highest risk priority, due primarily to the safety of the workers in the mine. Among other things, the SCADA system monitors temperature control by placing various sensors throughout the mine, and if, for example, the system went down and the miners had no access to oxygen, there could be a significant number of fatalities. On the other end of the spectrum is email, which was viewed as the least significant. One other thing to take note of is that we placed the integrity of the stored file and database information second in risk priority. One reason for this is that it is of extreme importance not to allow access to any opponent who may want information on, let's say, company-specific M&A activity, from which they could retrieve insider information to benefit financially. See the table below (Stallings, 490):
Table 6.

Conclusion

As we turn from centralized systems to more distributed systems, the potential for attacks to propagate has increased dramatically. Furthermore, as technology has continued its rapid advancement, so too has the technology created and deployed by attackers or opponents. Therefore, it is an absolute necessity to create checks and balances in governance by using a systematic approach to alleviate these threats. IT security management and risk assessment help to mitigate this problem. All organizations must use best practices in the area of IT security management and risk assessment. If this is done successfully, through the policies, procedures and standards described in this paper, organizations and governments will effectively safeguard their assets. It must be further stated that it is virtually impossible to safeguard against and protect from every type of vulnerability. However, deploying and implementing the proper framework, along with a thorough risk assessment of all assets, vulnerabilities, threats, and countermeasures, will vastly decrease the risk of exploitation. This will allow sovereigns and organizations around the world to place and use the appropriate controls, some of which include antivirus software, antispyware software, firewalls, encryption of data in transit and at rest, intrusion detection systems, intrusion prevention systems, and so on. A recent Bloomberg Government study found that spies, criminals, and hacker activists are stepping up assaults on US government and corporate systems (Engleman and Strohm). This study also stated that companies, including utilities, banks, and phone companies, will have to spend almost 9 times more on cybersecurity to prevent a digital Pearl Harbor from plunging millions into darkness, paralyzing the financial system, or cutting communications. The article cited above is a clear indication that IT security management and risk analysis must be an essential, ongoing process to counter such an event.
References

1. Ameerally, Imran. "Risk Assessment: An Overview." Republic of Mauritius, Ministry of IT and Telecommunications, 1 Dec. 2006. Web. 20 Feb. 2012. <http://www.gov.mu/portal/sites/ncbnew/security/1dec/Risk%20Assessment.ppt>.
2. "Barrick Goldstrike Wireless Presentation." WMEA Technical Papers. Western Mining Electrical Association. Web. 20 Feb. 2012. <http://www.wmea.net/Technical%20Papers/Barrick%20Goldstrike%20Wireless%20Presentation.pdf>.
3. De Bie, Veronique. "IT Security Management Standards for Today's Businesses." Lsec.com. L-SEC, 20 Jan. 2006. Web. 20 Apr. 2012. <http://www.lsec.be/upload_directories/documents/standard2006.pdf>.
4. Engleman, Eric, and Chris Strohm. "Cybersecurity Disaster Seen in U.S. Survey Citing Spending Gaps." Bloomberg. Bloomberg, 31 Jan. 2012. Web. 20 Apr. 2012. <http://www.bloomberg.com/news/2012-01-31/cybersecurity-disaster-seen-in-u-s-survey-citing-spending-gaps.html>.
5. "How Business and Entrepreneurship Can Shine Your Life." Risk Analysis Business Basics. Business Basics, 21 Oct. 2010. Web. 17 Apr. 2012. <http://www.treatyoakmaps.com/?p=43>.
6. "Information Security Policy Templates." SANS. Web. 20 Feb. 2012. <http://www.sans.org/security-resources/policies/>.
7. "ISO - International Organization for Standardization." International Organization for Standardization. Web. 20 Feb. 2012. <http://www.iso.org/iso/home.htm>.
8. Namestnikov, Yury. "Kaspersky Security Bulletin. Statistics 2011." SecureList.com. Kaspersky Lab ZAO, 1 Mar. 2012. Web. 18 Apr. 2012. <http://www.securelist.com/en/analysis/204792216/Kaspersky_Security_Bulletin_Statistics_2011>.
9. Pepitone, Julianne. "Massive Credit Card Data Breach Involves All Major Brands." CNNMoney. Cable News Network, 30 Mar. 2012. Web. 18 Apr. 2012. <http://money.cnn.com/2012/03/30/technology/credit-card-data-breach/index.htm>.
10. Perlroth, Nicole. "Inside the Stratfor Attack." Bits Blog. New York Times, 12 Mar. 2012. Web. 18 Apr. 2012. <http://bits.blogs.nytimes.com/2012/03/12/inside-the-stratfor-attack/>.
11. "Risk Assessment Case Study." The Security Risk Management Toolkit. Web. 20 Feb. 2012. <http://www.risk.biz/case.html>.
12. Stallings, William, Lawrie Brown, Michael D. Bauer, and Michael Howard. "Chapter 16 IT Security Management and Risk Assessment." Computer Security: Principles and Practice. Upper Saddle River, NJ: Prentice Hall, 2008. Print.
13. Stallings, William, Lawrie Brown, Michael D. Bauer, and Michael Howard. "Chapter 14 IT Security Management and Risk Assessment." Computer Security: Principles and Practice. 2nd ed. Upper Saddle River, NJ: Prentice Hall, 2011. Print.
14. Verheul, Eric. "Practical Implementation of ISO 27001 / 27002." Security in Organizations. Radboud University, 2011. Web. 20 Feb. 2012. <http://www.cs.ru.nl/~klaus/secorg/Slides/02_IS_IMPL_20v0.51.pdf>.
15. Watson, Keith A. "Security Management Practices." Secure Purdue. Purdue University. Web. 20 Feb. 2012. <http://www.purdue.edu/securepurdue/docs/training/SecurityManagementPractices.ppt>.