Thursday, January 10, 2008

Risk Assessment and Management - A Life Cycle Approach

1 Executive Summary

Information Security Risk Management has gained momentum across the industry verticals. The CXOs across the industry segment are now focusing more and more on the ways and means of containing the troika of threat, vulnerabilities and risks to acceptable levels.

Various vendors have introduced tools and various service providers have come up with various services covering the entire mindscape of the Risk Assessment and Management.

Mantra for all these development is – “All the Information Security Risks a faced by the organization should be known and measurable Risks. There should be no Out of the Blue surprise for the IT work force and the CXOs to deal with”

This paper, the team tries to highlight the approach followed for the various assignments and projects handled. The overall concept that has been taken in for the Risk Assessment and Management is – Risk Assessment and Management undergoes a Life-cycle of Risk Identification to Risk Reduction and then again Risk Measurement and treatment.

2 The Risk Life-cycle

Information Security Risk Assessment and Management can be best approached as a "life-cycle" of stages, one logically leading to the next. What we need to understand here is that the Risks are evolutionary, which means that the stages be continuously repeated and must be refined at each repetition. The various stages for the life-cycle approach and the related framework are as given below –

n Identify Assets

n Assess Risks

n Prioritize Risks

n Identify and Assess Countermeasures

n Deploy Countermeasures

n Review and Update Business Continuity Plan

n Monitor Threats and Vulnerabilities

n Detect Attacks and Manage Vulnerabilities

n Respond to Incidents

2.1 Identify Assets

Logically the first stage of Information Risk Assessment and Management is to identify the assets, as one can’t protect the assets whose existence is not known. The stage includes steps of identification, classification and valuation of assets to measure and establish the Asset Criticality in terms of CIA (Confidentiality, Integrity and Availability) ratings. Usually the CISOs or the CTOs are the custodians of the information and not owners, which means they are not the people who would be able to highlight the asset criticality without input from the Business Functions.

It is thus required to work with the departmental and business unit leaders to determine the value / criticality of various Information Assets.

2.2 Assess Risks

Assessment of Risks is quite a comprehensive and difficult of the various stages. It involves selection of risk analysis methods including qualitative and quantitative risk analysis. Steps in this stage include threat and vulnerability identification, threat and vulnerability mapping, asset-wise risk determination etc.

One practical and better approach to address this stage is use of a hybrid method using the Qualitative approach to identify and establish the Risk Vector and then using Quantitative method to identify the Cost variance. This provides with both the Risk Spectrum and the Associated Cost to the organization should the risk materialize.

2.3 Prioritize Risks

Risk Prioritization is an extended practical stage to the Risk Assessment Stage. This stage deals with segregation of the Risks on the basis of their Impact to the Organization. During this stage the Risks are categorized as High, Medium and Low Risks based on the Risk Vector and the Cost Variance as calculated / measured during the previous stage. It’s a certain logic that the Risks categorized High get Higher priority for treatment then the Medium and Low Category Risks.

The also includes development of Risk Treatment Plan

2.4 Identify and Assess Countermeasures

This stage includes identification of the various countermeasures that could be deployed as per the Risk Treatment Plan developed during previous stage. The Countermeasures could be both technical and operational, using a blend of network, systems and data controls--everything from system hardening to network partitioning to AAA to database encryption. The controls could also be process driven that might be required to institute the practice of security in the work culture of the organization.

It is important here to assess the viability of the countermeasures being identified and evaluated. The assessment just does not include the technical viability of support and service, but also the cost factor. Countermeasures to be deployed should be selected on both the Technical criteria and the Cost Variance of the Risks they are to be mitigating. One can’t deploy controls costing more than the loss due to risk. The requirement here would be to conduct the Return non Investment rather than the normal Cost Benefit Analysis.

2.5 Deploy Countermeasures

This stage as suggests is focuses on the deployment of countermeasures selected during previous stage. The stage includes steps like planning the deployment exercise, assigning responsibilities, establishing criteria to be met, measuring deviation from the defined plan, identifying the logic and cost for deviation and updating the deployment plan accordingly.

2.6 Review and Update Business Continuity Plan

Change in the Information Security Infrastructure requires Revision and Updation of the Business Continuity Plan and the related framework. It is well understood that the plan for the older infrastructure might not succeed post the introduction of changes.

This stage includes performing a business impact analysis, setting the framework for incident response and conducting tests for updated framework and plan

2.7 Monitor Threats and Vulnerabilities

Planning and deploying controls and countermeasures does not mean secure. What was secure yesterday or what is secure today may be vulnerable at present or tomorrow. It is hence a practical requirement to monitor the Information Security Infrastructure to establish the threat levels and measure the vulnerability exposure. The monitoring mechanism should be supported with an effective Change Control process

2.8 Manage Vulnerabilities and Detect Attacks

Effectiveness of motoring activities need to be aptly supported by an efficient Vulnerability Management Program. The focus of this stage is to manage and contain the vulnerabilities and the attacks therein. Deployment / Fine-tuning of network sensors both on periphery and in the internal segments, logging and correlation practice, patch management and effective threat escalation matrix are some of the areas to be focused on during this stage.

2.9 Respond to Incidents

Regular monitoring and management would always require apt support from the Incident Response (IR) Plan as devised under Business Continuity Plan (BCP). This stage requires clarity on matrix for the processes to be undertaken following identification / reporting of an incident. The IR plan and the involvement of various personnel would depend on the severity of attack / breach and the Organization’s Risk appetite.

In this stage its quite vital to select from the two option of “Patch and Proceed” or “Pursue and Prosecute”


Mayank Trivedi

ISSPCS-Practitioner, CISSP, CISA, ICSP, MMS


Being Proactive results in Timely Risk Mitigation

No comments: