Docs: Project Definition

Mon, 13 Jan 2020 22:48:10 -0500

Creating a risk assessment project requires knowledge of the budget, objective, scope, and level of rigor of analysis expected.

Success cannot be achieved until the meaning of success is defined. For a risk assessment project, success is defined as achieving customer satisfaction, quality technical work, and project completion within budget.

Customer

The customer is primarily the project sponsor. The secondary customers include any other stakeholders in the process, including:

security officer or security team
business unit managers
compliance officer legal department
risk assessment method
risk assessment team
objective review
security professionals
technicians, operators, and administrators

Quality

The quality of work is very important, since most customers will view the success of the project based on the final report.

Quality Expected in Any Report:

grammatically correct
visually pleasing
addresses its intended audience

Quality Expected in Technical Reports:

technically accurate
describes approach
clearly presented conclusions

Quality Expected in Security Risk Assessment Reports:

clear and accurate indentification of risk
adequate and relevant evidence
clear and relevant recommendations
clear compliance results

Budget

The budget helps define the rigor of the risk assessment. A $250,000 risk assessment will need more rigor than a $50,000 risk assessment. Some factors include the organization size, geographic separation, complexity, and threat environment

Objective

The objective needs to be set at the beginning of the project. Example – “accurate analysis of the effectiveness of current security control that protect an organization's assets.

Limiting the Scope

The boundaries of a security risk assessment are determined by the sponsor of the security risk assessment. Identifying the security risk assessment boundaries is essential for the security risk assessment team to ensure that neither underscoping nor overscoping occurs.

Security Controls and Assets

Group controls by Management-Operational-Technical (MOT). Group assets by Tangible and Intangible.

Identifying System Boundaries

There are many ways to set the boundary for a risk assessment such as physical (workstations, firewalls) or logical (don't assess functions from another assessment).

Specifying the Rigor

The rigor should be based on the maturity of the security program. The risk assessment could last 1 week to 6 months.

Project Description

Set the scope, boundaries, and rigor. Have a statement of work that specifies the work to be performed, including threats, assets, controls, and tasks of the security risk assessment. The “service” can/should be described as

an objective analysis of the effectiveness of the current security controls that protect an organization's assets and a determination of the probability if losses to those assets. Such analysis shall consist of an identification of tangible and intangible assets under protection, an identification of the threats to and vulneravility likelihood, the impact of the threat to the identified assets, and recommendations for security controls to mitigate the risks.

Docs: Information Security Risk Assessment Basics

Mon, 13 Jan 2020 22:48:00 -0500

The risk assessment process:

Project Definition

Project scope

Budget
Objective
Assets
Controls
Boundaries

Project Preperation

Team preperation

Select team
Introduce team

Project preperation

Obtain permission
Review business mission
Identify crital applications
Map assets
Identify threats
Determine expected controls

Data Gathering

Administration

Policy reivew
Procedure review
Training review
Organization review
Interviews
Observation

Technical

Design review
Configuration review
Architectural review
Security testing

Physical

Policy review
Procedure review
Observation
Inspection

Risk Analysis

Determine risk

Asset valuation
Threat and vulnerability mapping
Calculate risk
Create risk statements
Obtain team consensus

Risk Mitigation

Safeguard selection

Safeguard cost
Safeguard effectiveness
Solution sets

Recommendations

Risk recommendation

Risk acceptance
Risk mitigation
Risk assignment

Documentation

Executive summary
Report
Appendices
Presentation

Phase 1: Project Definition is discussed more in Chapter 3. Phase 2: Project Preparation is discussed more in Chapter 4. Phase 3: Data Gathering is discussed more in Chapter 5.

Phase 4: Risk Analysis

The risk analysis phase involves a review of the data gathered and an analysis of the resulting risk to the organization. Several elements of the risk analysis phase are considered key concepts within security risk assessments: assets, threats, vulnerabilities, and security risk.

Assets are the information and resources that have value to an organization. Assets are to risk assessments because the enumeration of assets helps to scope the risk assessment and the valuation of assets helps to determine the countermeasures deployed.

Threat agents cause threats to happen. Threats help scope the vulnerabilities of the system being assessed. Threat agents could be nature, employees, malicious hackers, industrial spies, foreign government spies. Threats could be errors/omissions, fraud/theft, sabotage, loss of physical and infrastructure support, espionage, malicious code, disclosure.

A vulnerability is a flaw or oversight in an existing control that may allow a threat agent to exploit it. Vulnerabilities are important elements of a securit risk assesment because they are instrumental in determining existing and residual risk.

Security risk is the loss potential to an organization's assets that will likely occur if a threat is able to exploit a vulnerability. Security risk can be either quantitative or qualitative. Quantitative means the risk calculation relies on specific formulas. This means the calculation is objective and is terms of dollars, but the calculations are complex and accurate values are difficult to obtain. Qualitativee means the risk calculation relies on subjective measuring. This may be easy to understand, but may not be trusted by some in management.

Phase 5: Risk Mitigation

The risk mitigation phase depends on safeguard selection and residual risk.

A safeguard is a technique, activity, or technology employed to reduce the risk to the organization;s assets. A safeguard may prevent, detect, or minimize the potential loss to an organization's assets. Safeguards are classified as preventative (deter attacks from happening), detective (indicate that an attack has happened), or corrective (correct the damaage caused by an attack).

Residual security risk is the risk that remains after implementation of recommended safeguards. This risk is defined as static (the risk always exists) or dynamic (the risk may be reduced through the controls).

Phase 6: Risk Reporting and Resolution

The final report should provide clear information for executive, management, and technical personnel.

Risk resolution is the decision by senior management of how to resolve the risk resented to them.

Risk reduction - the reduction of risk to an acceptable level through the adoption of additional controls of the improvement of existing controls.
Risk acceptance - the deliberate decision by senior management to accept an identified risk based on business objectives
Risk transference - the contractual transfer of risk to another organization through outsourcing or insurance.

Carter Codell – Module 2