
Security Risk Assessment

A security risk assessment involves identifying, analyzing, and evaluating potential threats to a business's assets, operations, and personnel. This process helps organizations understand their vulnerabilities and implement measures to mitigate risks. By conducting regular security risk assessments, businesses can proactively protect themselves from potential security breaches and minimize the impact of security incidents.

Written by Perlego with AI-assistance

11 Key excerpts on "Security Risk Assessment"

  • Security Risk Assessment

    Managing Physical and Operational Security

    Chapter 1

    Introduction to Security Risk Assessments

    Abstract

    There are many names given to the term Security Risk Assessment. In fact, the actual process of identifying security issues has been called physical security assessment, security survey, security audit, and risk assessment to name just a few. Generally speaking, it is a systematic on-site assessment and analysis of your current security measures, whether they are physical security measures, technology, operations, facilities, security management, policies, training, reports, or any other aspect of your security program or measures. This chapter will help to define the intent of an assessment, who will conduct it, and how to remain objective and unbiased throughout the project.

    Keywords

    Defining security risks; Physical security review; Security deficiencies or excesses; Security Risk Assessment; Security vulnerabilities

    What Is a Security Risk Assessment?

    There are many definitions given to the term Security Risk Assessment. According to ASIS International’s manual, Protection of Assets: Physical Security, a Security Risk Assessment is “a fundamental examination that can include review of documentation, policies, facilities, technology, protection strategies, staffing, training, and other key indicators to determine the present state of the protection program (security) in an effort to identify deficiencies and even excesses, in order to make recommendations for improvement based on proven methods.” [1]
    In fact, the actual process of identifying security issues has been called many different things. Some of the more common names assigned to this subject have been security assessment, security survey, security audit, and risk assessment to name just a few. Generally speaking, it is a systematic on-site assessment and analysis of your current security measures, whether they are physical security measures, technology, operations, facilities, security management, policies, training, reports, or any other aspect of your security program or measures. Regardless of the title, they are all going after similar goals of identifying security weaknesses, risks, deficiencies, and even excesses, and then formulating a plan to address the findings with detailed recommendations based on industry accepted standards and best practices.
  • Risk Management for Computer Security

    Protecting Your Network and Information Assets

    Section IV: The Risk Process

    11 What Is Risk Assessment?

    A central part of understanding risk and making sure it works for us is in being able to align it with business strategy. This involves looking outside as well as inside the organization, making the most of business opportunities but in a controlled, evaluated way in the fast-moving business environment. It is also important to consider that risk can be positive in the business environment and that organizations increasingly have to take more risks in an effort to become proactive rather than reactive in their activities to achieve a competitive advantage. The information security risk manager needs to find a balance between the advances offered by information systems and the security necessary to minimize the risk to which systems, processes, and people are vulnerable. In this chapter we consider the risk assessment process and the issues that must be addressed from a corporate perspective if risk is to be addressed holistically. We also discuss why the risks are greater now than ever before. Security requirements come out of risk assessments, statutory and contractual requirements, business principles and objectives, and requirements for information processing that form part of an organization’s culture. Generally, it is accepted that information security will address the areas of confidentiality, integrity, availability, and non-repudiation:
    ● Confidentiality means that information is protected from being read or copied by anyone who does not have the permission of the owner of that information.
    ● Integrity means that information is not deleted or altered in a way that will cause damage or disruption.
    ● Availability means that information should be protected so that it is not degraded or made unavailable without authorization.
    ● Non-repudiation means that an individual should not be able to deny having received or having sent information.
  • The Security Risk Handbook

    Assess, Survey, Audit

    Charles Swanson (Author), 2023, Routledge (Publisher)
    Fischer (2013), when discussing risk analysis, makes a number of good arguments relevant to this book when he says that the first step in risk analysis is identifying the threats and vulnerabilities. Many threats to business are important to security, but some are more obvious than others. That is applicable when you look at the individual and diverse environments in part two of this chapter.
    Let us refresh our memories before we move on.
    The six-step Security Risk Assessment process
    1. Identify the organisation’s assets. This has to be the first step in the Security Risk Assessment process because if we do not understand what requires protection, the remaining steps of the assessment will be pointless. Before an attack, the first step the aggressor takes is to identify those entities and functions that are key to us and the organisation, namely the assets.
    2. What are the threats to the organisation? Step two is the identification of the threats pertinent to the organisation by way of a credible threat assessment. Who and what do we anticipate defending ourselves and the organisation against?
    3. What vulnerabilities or weaknesses have been identified? The criminal or terrorist will forensically examine all of our security systems in an effort to identify a weakness, or exposure, through which he or she may be able to carry out their attack(s). We must be on the front foot by identifying such vulnerabilities before an attack.
    4. What is the likelihood of an attack? This is by far the most difficult task in the Security Risk Assessment, and it is a phase when we must be in a position to foster the thoughts of any Subject Matter Expert relevant to the threat.
    5. What would be the impact? Once we have knowledge of the assets, threats, vulnerabilities, and likelihood of an attack, we will be in a position to calculate any possible impact. Once again it is critical to consult experts.
  • Logistics and Transportation Security

    A Strategic, Tactical, and Operational Guide to Resilience

    Maria G. Burns (Author), 2015, CRC Press (Publisher)
    6. Risk mitigation and crisis management. While risk management primarily aims to be proactive, in order to avoid risks, crisis management tools and processes are also in position to be used during emergency response, i.e., in case the risk cannot be avoided, and hence has to be addressed and overcome.
    7. Building resilient systems. These are systems that have the capacity, resources, and strength to recover fast after a security attack.
    8. Building sustainable systems. Sustainability moves beyond resilience, as the system is robust enough to withstand security attacks, with minimum vulnerabilities and/or the capacity to recover with minimum disruptions and losses.
    Concurrently, these elements address the three key aspects of hazard: (i) probability, (ii) consequences, and (iii) impacts. In the last few years, the approach to risk analysis has been progressively improved and refined from segmented procedures and company performance to a holistic approach encompassing a group of allied companies, supply chains, an industry, or a nation. The practices of risk analysis are anticipated to further develop and expand in order to encircle the global trade activities and the increasingly complex supply chains. Risk assessment and risk management support both nations and industries in evaluating and comprehending the possible risks and vulnerabilities that exist. When a proactive culture is adopted, risks can be predicted and can therefore be prevented or reduced before they severely affect the national or commercial security.
    9.1.2.2 Risk Assessment
    Risk assessment can be defined as the methodical procedure for pinpointing and analyzing occurrences such as probable risks and possibilities that may impact the desired results in a negative or positive manner.
  • Cyber Security Management

    A Governance, Risk and Compliance Framework

    Peter Trim and Yang-Im Lee (Authors), 2016, Routledge (Publisher)
    CHAPTER 6

    Risk Assessment Policy and its Strategic Context

    6.0 Introduction

    Mont and Brown (2011: 1) make a number of relevant points when stating that:
    Security decision-makers need to assess the risks their companies are exposed to (due to current and foreseeable threat environments) and how current security policies effectively address them; the priorities of various stakeholders and business objectives need to be taken into account; they need to understand the implications, at the operational level, of mandating or changing specific policies; they need to decide which investments (e.g., automation, education, better monitoring/compliance, etc.) are necessary and most suitable in order to support these policies.
    This chapter starts with understanding what risk involves (Section 6.1) and continues with defining the term vulnerability (Section 6.2). Reference is then made to risk assessment policy (Section 6.3) and a strategic management framework is included (Section 6.4). Cyber security strategy (Section 6.5) is given prominence and this is followed by cloud computing (Section 6.6). A conclusion is provided (Section 6.7).

    6.1 Understanding what Risk Involves

    There are different methods of risk assessment and some may be more suitable than others. Some involve mathematical formulas and some are more qualitative and involve the use of score cards for example. In order to better understand the complications associated with risk, it is important for senior management to know what type of business model is in place and what type of exposure the organization is confronted with; more importantly the size and complexity of the organization itself; management’s attitude to change and innovation; a consideration of the non-human factors and human factors (both internal and external); and an appreciation of the fact that those who might launch an attack on the organization have the resources to do so. They should also have an overall appreciation of the complexity of the IT resources, the internal and external use of the Internet, the access that the organization’s partners (outsourced service providers) have to the organization’s IT networks and resources, the extent to which employees engage in home working and remote working, and other considerations such as legal and regulatory requirements and possible breaches; the consequences of an organization not being able to access business critical information from the organization’s information systems, changes being made to business critical information on an organization’s information systems without the knowledge of staff or authorisation, and the likely impact on the organization should, for example, the confidentiality of the business critical information on the organization’s systems be compromised (ENISA, 2007–2008: 4–8). Other considerations that top management need to take into account are the significance of the organization’s information systems with respect to it achieving its business objectives and what the impact on various stakeholders might be should a disaster occur with the organization’s information systems (ENISA, 2007–2008: 8).
  • Business Continuity and Disaster Recovery for InfoSec Managers
    John Rittinghouse, PhD, CISM, and James F. Ransome, PhD, CISM, CISSP (Authors), 2011, Digital Press (Publisher)
    It is important that organizations are fully aware of their legal duties and of the rights of their employees.
    2.6 Business Risk Assessment
    A key part of the BCP process is the assessment of the potential risks to the business that could result from potential disasters or emergency situations. This section will examine the possibility of serious situations disrupting the business operations and the potential impact of such events. Risk assessment is the exercise of identifying and analyzing the potential vulnerabilities and threats. It is necessary to consider all the types of possible incidents and the impact each may have on the organization’s ability to deliver its normal business services. The sources of risks could be community-wide hazardous events, accidents, or sabotage, causing extreme material disaster, security threats, network and communication failures, or disastrous application errors. Each of these areas should be examined in the light of the business and the exact possible source located.
    2.6.1 Asset Characterization
    For each source identified, the magnitude of the risk and the probability of its occurrence must be evaluated to judge the extent of risk exposure. Risk exposure is the easiest way to know how much attention needs to be paid to a source of risk. Planning is done for both prevention and control. Accidents and sabotage can be prevented using measures of physical security and personnel practices. Vulnerability assessment and reviews of existing security measures can expose areas where access control, software and data security, or backups are required. Application errors can be prevented by effective reviews and testing during the software releases.
  • Security Software Development

    Assessing and Managing Security Risks

    As changes to the organization’s IT systems occur, IT security practitioners must support or use the risk management process to identify and assess new potential risks and implement new security controls as needed to safeguard all of the organization’s IT systems.
    • Security/Subject Matter Professionals. All of the organization’s personnel and customers are users of the IT systems. Use of the IT systems and data according to the organization’s policies, procedures, guidelines, and standards is critical to mitigating risk and protecting the organization’s IT resources. To minimize risk to the IT systems, it is essential that system and application users be provided with security awareness training. Therefore security/subject matter professionals must understand the risk management process so that they can develop appropriate training materials and incorporate risk assessment into training programs to educate the end users.
    9.8.11 Risk Assessment
    Risk assessment is the first process in the risk management methodology. The [ORGANIZATIONAL NAME] will use the risk assessment process to determine the extent of the potential threats and the risks associated with its assets. Regardless of the methodology used in actually performing the risk assessment, a number of key factors are required for success. They include:
    • Getting senior management sponsorship. Successful evaluation requires the time of people in the department. If senior management does not support the process, staff support for the evaluation will dissipate quickly.
    • Setting the appropriate scope. The evaluation should include important operational areas but the scope cannot get too big. Areas of the organization that are critical to achieving its mission should be selected.
    • Selecting participants. Staff members from multiple organizational levels will contribute their knowledge about the organization.
  • Information Security Management

    Concepts and Practice

    Bel G. Raggad (Author), 2010, CRC Press (Publisher)
    Preparation procedures
    a. It is recommended that the organization performs security surveys of information resources prior to conducting risk analysis to understand the computing environment, threats, and the present defense system. The results of the surveys determine the scope of the risk analysis effort.
    b. Prior to the start of the risk analysis, the team leader schedules a project presentation to upper management to seek its support and provide information so that all company personnel are aware of the risk analysis team’s efforts. The briefing provides an overview of the risk analysis process and addresses the following:
      i. The team’s goals during the risk analysis process
      ii. The level of participation expected from relevant personnel
      iii. The risk scope, life cycle, and end results of the risk analysis process and its management
    c. The risk analysis team members conduct a kickoff meeting to discuss their approach to the risk analysis process. Areas of consideration for the meeting include division of work, assignment of individual responsibilities, and categories of assets and threats on which to concentrate during risk analysis interviews. The team also reviews documentation such as system security survey, security plan, previous risk analysis findings, etc.
    Interviews may be conducted to gather data pertinent to the system operating environment. The data are used to complete the risk analysis documentation. The level of detail depends on the risk analysis method used and the size of the system being analyzed.
    7.10.2.4.2 Asset Analysis
    This phase aims at valuing the current system. It analyzes the security of the existing system by identifying and analyzing each asset or asset group and comparing its current operating costs to its annual revenues in terms of the relevant economic parameters and noneconomic factors (social, technical, operational, and legal/ethical attributes).
  • Information Security Risk Assessment Toolkit

    Practical Assessments through Data Collection and Data Analysis

    Mark Talabis and Jason Martin (Authors), 2012, Syngress (Publisher)

    Chapter 5

    Information Security Risk Assessment: Risk Assessment

    Information in this chapter:

    • System Risk Analysis • Organizational/Strategic Risk Analysis

    Introduction

    So, we have collected the data in our data collection phase and we have structured the data in the data analysis phase. At this point you may be asking yourself, “What is the difference between the previous phase of the process and this one?” The fundamental difference is that the data analysis phase deals with structuring and organizing the data that was collected. Think of it as putting unstructured data, like a survey, into an organized format, such as a table. This phase is really focused on going through the organized data and interpreting it in order to derive and support our conclusions.
    At this point of our process, we should have relatively organized data that can be used for a more practical analysis of risk. In the previous phase, we used the data we collected in quantitative analysis to derive figures and various “scores.” These scores will be essential inputs as we move into more of a qualitative analysis.
    During this risk analysis phase, we will interpret the data, gather findings, and ultimately form conclusions that will be the end result of all our activities so far. At the end of this chapter, the assessor should be able to answer the question “What are our organizational and system specific risks?”
    In this chapter we will introduce two related but distinct levels of risk analysis. One is the system risk analysis, where we focus on the risk to a specific system. Many of the activities conducted in the data analysis phase are focused on system risk. The second type of risk analysis that we will be performing is an organizational or “strategic” analysis that provides an overall view of risks as they pertain to the organization. Organizational risk analysis is the most qualitative of the two and the outcome of this analysis is more subject to interpretation and is more heavily influenced by the experience of the practitioner.
  • Principles of Information Security
    Cengage Learning, 2018 (Publisher)
    5 An Overview of Risk Management
    risk control: The application of controls that reduce the risks to an organization’s information assets to an acceptable level.
    risk identification: The recognition, enumeration, and documentation of risks to an organization’s information assets.
    risk management: The process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level.
    In Chapter 1, you learned about the C.I.A. triangle. Each of the three elements in the triangle is an essential part of every IT organization’s ability to sustain long-term competitiveness. When an organization depends on IT-based systems to remain viable, information security and the discipline of risk management must become an integral part of the economic basis for making business decisions. These decisions are based on trade-offs between the costs of applying information system controls and the benefits of using secured, available systems. Risk management involves three major undertakings: risk identification, risk assessment, and risk control. Initially, the organization must identify and understand the risk it faces, especially the risk to information assets. Once identified, risk must be assessed, measured, and evaluated. The key determination is whether the risk an organization faces exceeds its comfort level. If not, the organization is satisfied with the risk management process. Otherwise, the organization needs to do something to reduce risk to an acceptable level. The various components of risk management and their relationships to each other are shown in Figure 5-1. An observation made over 2,500 years ago by Chinese general Sun Tzu Wu has direct relevance to information security today (see Figure 5-2):
    “If you know the enemy and know yourself, you need not fear the result of a hundred battles.”
  • Management of Information Security
    CHAPTER 6 Risk Management: Assessing Risk
    community collaborate to be actively involved in RM process activities. This process uses the specific knowledge and perspective of the team to complete the following tasks:
    • Establishing the context, which includes understanding both the organization’s internal and external operating environments and other factors that could impact the RM process.
    • Identifying risk, which includes:
      • Creating an inventory of information assets
      • Classifying and organizing those assets meaningfully
      • Assigning a value to each information asset
      • Identifying threats to the cataloged assets
      • Pinpointing vulnerable assets by tying specific threats to specific assets
    • Analyzing risk, which includes:
      • Determining the likelihood that vulnerable systems will be attacked by specific threats
      • Assessing the relative risk facing the organization’s information assets, so that risk management and control activities can focus on assets that require the most urgent and immediate attention
      • Calculating the risks to which assets are exposed in their current setting
      • Looking in a general way at controls that might come into play for identified vulnerabilities and ways to control the risks that the assets face
      • Documenting and reporting the findings of risk identification and assessment
    • Evaluating the risk to the organization’s key assets and comparing identified uncontrolled risks against its risk appetite:
      • Identifying individual risk tolerances for each information asset
      • Combining or synthesizing these individual risk tolerances into a coherent risk appetite statement
    • Treating the unacceptable risk:
      • Determining which treatment/control strategy is best considering the value of the information asset and which control options are cost effective
      • Acquiring or installing the appropriate controls
      • Overseeing processes to ensure that the controls remain effective
    • Summarizing the findings, which involves stating the conclusions of the identification, analysis, and evaluation stages of risk assessment in preparation for moving into the stage of controlling risk by exploring methods to further mitigate risk where applicable or desired
    RM Process Preparation—Establishing the Context
    As the RM process team convenes, it is initially
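The sequence these excerpts describe, from the six-step process in The Security Risk Handbook (assets, threats, vulnerabilities, likelihood, impact) through the task list above (rank exposure, compare it with the risk appetite, choose a cost-effective treatment), carried end to end as an added worked example. This is Python written for this page, not code from any of the books quoted. It makes two assumptions the excerpts do not spell out: risk is scored with the usual quantitative single-loss-expectancy and annualized-loss-expectancy arithmetic (asset value times exposure factor times annual rate of occurrence), and a control counts as cost-effective when the expected loss it removes exceeds its annual cost. Every asset, threat, control name, figure and the appetite value in the register are constructed.

```python
# Added example, not code from any book quoted on this page: a small risk register that
# walks the steps above. SLE/ALE arithmetic and the "control must pay for itself" test are
# the usual quantitative method as applied here; every figure below is constructed.
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    value: float          # value at risk, in currency units

@dataclass(frozen=True)
class Threat:
    name: str
    aro: float            # annual rate of occurrence: expected events per year

@dataclass(frozen=True)
class Vulnerability:
    asset: str            # Asset.name the weakness sits on
    threat: str           # Threat.name that can exploit it
    weakness: str
    ef: float             # exposure factor: fraction of asset value lost per event (0..1)

@dataclass(frozen=True)
class Control:
    name: str
    weakness: str         # the Vulnerability.weakness it addresses
    annual_cost: float
    residual_ef: float    # exposure factor that remains with the control in place

@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str
    weakness: str
    sle: float            # single loss expectancy: impact of one successful attack
    ale: float            # annualized loss expectancy: expected loss per year

@dataclass(frozen=True)
class Treatment:
    entry: RiskEntry
    decision: str         # "accept", "mitigate" or "escalate"
    control: str | None
    residual_ale: float

def annualized_loss(asset: Asset, threat: Threat, ef: float) -> float:
    """ALE = (asset value x exposure factor) x annual rate of occurrence."""
    return asset.value * ef * threat.aro

def assess(assets: dict[str, Asset], threats: dict[str, Threat],
           vulns: list[Vulnerability]) -> list[RiskEntry]:
    """Steps 1-5: tie each weakness to its asset and threat, score it, rank by exposure."""
    entries = []
    for v in vulns:
        asset, threat = assets[v.asset], threats[v.threat]  # KeyError: weakness on an uninventoried asset
        entries.append(RiskEntry(v.asset, v.threat, v.weakness,
                                 asset.value * v.ef, annualized_loss(asset, threat, v.ef)))
    return sorted(entries, key=lambda e: e.ale, reverse=True)

def treat(entries: list[RiskEntry], assets: dict[str, Asset], threats: dict[str, Threat],
          controls: list[Control], appetite: float) -> list[Treatment]:
    """Compare each risk with the appetite; choose the control with the best net benefit."""
    out = []
    for e in entries:
        if e.ale <= appetite:
            out.append(Treatment(e, "accept", None, e.ale))
            continue
        best, best_net = None, 0.0       # only a control whose avoided loss exceeds its cost qualifies
        for c in (c for c in controls if c.weakness == e.weakness):
            residual = annualized_loss(assets[e.asset], threats[e.threat], c.residual_ef)
            net = (e.ale - residual) - c.annual_cost
            if net > best_net:
                best, best_net = (c.name, residual), net
        if best is None:                 # nothing pays for itself: transfer or avoid, a management call
            out.append(Treatment(e, "escalate", None, e.ale))
        else:
            out.append(Treatment(e, "mitigate", best[0], best[1]))
    return out

# Constructed register: four assets, one weakness each, candidate controls, and an appetite.
ASSETS = {a.name: a for a in (Asset("customer-db", 500_000.0), Asset("public-web", 80_000.0),
                              Asset("hr-laptops", 20_000.0), Asset("lobby-signage", 5_000.0))}
THREATS = {t.name: t for t in (Threat("ransomware", 0.5), Threat("web-defacement", 2.0),
                               Threat("laptop-theft", 1.0), Threat("vandalism", 0.2))}
VULNS = [
    Vulnerability("customer-db", "ransomware", "backup restores never tested", 0.6),
    Vulnerability("public-web", "web-defacement", "CMS patching lags by months", 0.25),
    Vulnerability("hr-laptops", "laptop-theft", "no full-disk encryption", 0.5),
    Vulnerability("lobby-signage", "vandalism", "unattended public screen", 1.0),
]
CONTROLS = [
    Control("quarterly restore drill", "backup restores never tested", 15_000.0, 0.1),
    Control("managed WAF", "CMS patching lags by months", 30_000.0, 0.1),
    Control("weekly CMS patch window", "CMS patching lags by months", 6_000.0, 0.15),
    Control("full-disk encryption", "no full-disk encryption", 2_000.0, 0.1),
]
APPETITE = 5_000.0   # largest expected loss per risk per year the organisation will tolerate

def run_example() -> list[Treatment]:
    return treat(assess(ASSETS, THREATS, VULNS), ASSETS, THREATS, CONTROLS, APPETITE)
```

The register is processed in two passes so the ranking can be reviewed before any control is chosen, and a weakness recorded against an asset or threat that is not in the inventory raises KeyError rather than silently scoring zero, which keeps step one honest. With the constructed figures, the customer database ranks first at an expected loss of 150,000 a year and gets the restore drill; the web server's managed WAF is rejected because it costs 30,000 to avoid 24,000 of loss, so the cheaper patch window is chosen even though the residual 24,000 is still above the appetite; and the signage is accepted as within appetite. Call `run_example()` to see the decisions, or replace the register with your own inventory.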