Page 1 of 3

PRINT

------------------------------------------------------------

Article Title: The underdog of security implementation

------------------------------------------------------------

BANGALORE, INDIA: Information Security Risk Assessment (IS-RA) is

identified as the first step for effective security implementation - be it the
Information Security Management Systems as per ISO 27001 or NIST SP 800-
30 or the OECD Guidelines on Network Security or implementation of
advanced security models like Security Process Maturity Model (SPMM).

IS-RA can be defined as a structured approach for identifying, measuring and

analyzing security risks – an essential approach to implement any information
security management framework in organizations.

“Identifying” includes the process of identifying the critical assets and their
threats while measuring includes the process of prioritizing the risks based on
the impact of possible outcome and probability of that event (generally into
High/Medium/Low) and analyzing risks includes the strategy for prioritizing
risks so that resources are optimally used.

Impact = Threat X Vulnerability

Risk= Impact of outcome X Probability of event of occurrence

Some challenges during conducting a Risk Assessment:

Identification of Critical Assets.

z Most security implementers would agree that the biggest challenge of

risk assessment is identification of assets in a conclusive manner. The
danger of identifying too many assets is that it would consume too much
of resources in mitigating with no return on investment. The worst is not
identifying a critical asset itself which would, in the end be left
unprotected.

z The other challenge in identification of critical asset is the process that

you would employ for identification itself. This process would involve
identification of the right people, who should be involved in the
identification, the standard approach for the basis of their identification
and the people inside the organization who should able to finalize on the
same. It should not end up that each department head gives the list of
assets ranging from their mouse to their keyboard as an asset and the
CISO consolidates these assets and finally makes a list of assets running
into thousands of assets. This would end up making the asset list lengthy
with not only impossible to maintain but also making it non-purposeful.

http://www.ciol.com/cgi-bin/printernew.asp?id=99399 04-Dec-07
 Page 2 of 3

Identification of all threats

z The other challenge is, there are so many sources and outcomes of
threats. Ensuring that all threats are understood threadbare and are
identified is a challenging task.

Measurement of Risks

z The common problem faced by organizations is how they ensure that

there is uniform and scientific measurement of risks in terms of
high/medium or low.

z Who decides what is low or high. A risk which is high can be considered
medium or low by another person. So how do you ensure the uniformity
of assessments? So that it doesn’t have people questioning the entire
fundamentals of your results.

If you are a security implementer, you could

also be complaining of the length of time that
you are taking as the project has got into a
loop which is quite common and hence
making its results obsolete with changing
business environment.

You could also be complaining how to keep

technology vulnerabilities in the context of
enterprise security risk assessments. The list of
challenges just goes on.

In my experience, I have seen organizations

follow the approach of assets being identified by department managers who
have not been given any idea of how assets should be identified. These lists are
finally consolidated in an excel sheet running into multiple sheets with number
of assets running into thousands.

Such risk assessments is what I term as ‘adhoc security’. This ends up

identifying unimportant assets and making the task of maintaining your assets
daunting to your security representative. So the solution lies in following a
structured risk assessment approach like OCTAVE (Operationally Critical
Threat Asset Vulnerability Approach) or NIST SP 800-30 or any other
equivalent methodology.

OCTAVE approach is by Software Engineering Institute, Carnegie Mellon

University and is one of the most scientific and easily implementable
approaches.

Some organizations also implement tools like SMART (Security Management

http://www.ciol.com/cgi-bin/printernew.asp?id=99399 04-Dec-07
 Page 3 of 3

and Risk Assessment Tool) for their security implementation. SMART follows
the OCTAVE Criteria and is a multi compliance tool enabling compliance to
ISO 27001, PCI-DSS, GLBA, HIPAA, FIDS, etc.

The structured risk assessment methodology helps organizations in avoiding

the learning curve and having the implementations faster and effective. Tools
such as SMART help in your implementation being quicker and efficient.
Effective because methodology ensures that you follow the right process and
efficient because it saves your precious time in documentation and
management of all artifacts during risk assessment. Both SMART and
CRAMM help organizations implement ISO 27001. However SMART goes a
step ahead by being a multi-compliance tool enabling organizations manage all
security compliance standards.

To conclude risk assessments should not only be a document giving deep

insight into you risks but it should determine the level of controls required for
mitigating the same. Hence it should be purposeful and not merely a document
created for certification purposes.

The author is Chief Consultant in global security audit firm SISA

Information Security holding CISA, CISSP, OCTAVE Trainer/Advisor, CEH
certifications. He can be reached on dbs@sisa.co.in

------------------------------------------------------------

Copyright (c) 2007 CyberMedia India Online Ltd . All rights reserved.
Additional reproduction in whole or in part or in any form or medium without
express written permission of CIOL is prohibited.
Send your questions to webmasterciol@cybermedia.co.in

PRINT

Close this window

http://www.ciol.com/cgi-bin/printernew.asp?id=99399 04-Dec-07