Risk Assessment Handbook - Chapter 1
Introduction
The Need for an Information Security Program
As more critical and personal information is stored, transmitted, and processed on information systems, more information security regulations are being developed and applied. Since 1995 there has been a surge of new legislation including the Gramm Leach Bliley Act (GLBA) and the Sarbanes-Oxley Act. All of these regulations call for the implementation of an adequate set of information security practices.
The U.S. Federal Government has decided to step in and police agencies and corporations in certain industries. To avoid fines and jail, affected agencies and corporations have to implement minimum security practices.
While these regulations have different requirements, one similarity is that each requires the organization to perform an information security risk assessment.
Elements of an Information Security Program
There are a multitude of threats and safeguards, but the answer to threats is not to enact every countermeasure available. An organization should take a risk-based approach to determining the security controls that reduce its threat to a reasonable level. Reasonable is set by guidelines and regulations as well as by how much risk an organization is willing to accept. Controls can be identified as administrative, physical, and technical. An information security program is a set of controls, and its objective is to protect organizational assets from security threats.
Common Core Information Security Practices
A high-level analysis of the core information security practices described above shows a considerable amount of overlap. This overlap defines “information security core practices”.
Unanimous Core Security Practices
- Security Responsibility – Security responsibility should be assigned to an individual or entity with the proper authority, visibility, and expertise to perform the job adequately.
- Risk Management – The organization's management needs to have an understanding of the risk to its assets and have an approach for addressing those risks.
- Risk Assessment – An organization needs a periodic and objective analysis of the effectiveness of the current security controls that protect an organization's assets.
- Network Security – An organization must ensure the confidentiality, integrity, and availability of information assets and resources while in transit, processing, or storage.
- Security Awareness Training – An effective security awareness training program should be developed and administered to all those who will be given access to the organization's facilities or information systems.
- Incident Management – The organization should have a process in place that identifies security incidents in progress or evidence of such incidents in the past. Incident management includes identification, investigation, and reporting.
Majority Core Security Practices
- Information Security Policies – The basis of any information security program is the definition of security.
- Access Control – Mechanisms must be in place to ensure that only authorized individuals will have access to sensitive information and resources.
- Physical Security – Mechanisms must be in place to physically protect organizational equipment, locations, and employees.
- BCP and DRP – Business continuity planning and disaster recovery planning ensure that the organization has identified its critical processes and assets, developed a plan for minimizing the loss in the event of a disaster, and periodically tests the plan.
- Secure Development Life Cycle – The best way to ensure that an information system or information system component enforces its security policy is to design it securely from the start.
- Accountability – The security-relevant actions of users must be recorded and reviewed by security personnel.
- Secure Media Handling – Sensitive information stored on media must be handled appropriately to ensure that unauthorized users do not gain access to the data stored on the media.
- Oversight of Third Parties – Many organizations allow other service organizations to access or process their sensitive information.
Security Risk Assessment
The security risk assessment measures the strength of the overall security program and provides the information necessary to make planned improvements based on information security risks.
The Role of the Security Risk Assessment
There are four stages of the security risk management process:
- Security Risk Assessment – This is an objective analysis of the effectiveness of the current security controls that protect an organization's assets and a determination of the probability of losses to those assets.
- Test and Review – Security testing is the examination of the security controls against the security requirements.
- Risk Mitigation – Risks to an organization's assets are reduced through the implementation of new security controls or the improvement of existing controls.
- Operational Security – The implementation and operation of most security controls are performed by operational personnel.
Definition of a Security Risk Assessment
An objective analysis of the effectiveness of the current security controls that protect an organization's assets and a determination of the probability of losses to those assets.
The Need for a Security Risk Assessment
- Checks and Balances
- Periodic Review
- Risk-Based Spending
- Requirement
A security risk assessment can provide some additional, secondary benefits:
- the transfer of knowledge from the security assessment team to the organization's staff,
- increased communication regarding security among business units,
- increased security awareness within the organization, and
- the results of the security risk assessment may be used as a measure of the security posture.
Related Activities
- Gap Assessment - a review of what exists against an interpretation of what the regulation or guideline requires. Performed at the beginning of the organization's pursuit of compliance with a standard or regulation.
- Compliance Audit - an objective review of the organization's compliance with a security standard.
- Security Audit - a verification that the security controls that have been specified are properly implemented.
- Vulnerability Scanning - the testing of the external or internal interfaces of a system in order to identify obvious vulnerabilities.
- Penetration Testing - a service provided by an objective team who attempt to penetrate the defenses of an organization in order to demonstrate the effectiveness of the current controls.
- Ad Hoc Testing - a search for less obvious vulnerabilities.
- Social Engineering - an assessment of the security training, policies, and procedures of the organization by attempting to gain unauthorized access through the human element.
- Wardialing - attempting to gain access to information systems through unprotected modems.