IT security risk management is best approached as a "lifecycle" of activities, one logically leading into the next. The most important thing to remember is that risk is evolutionary, which means these activities must be continuously repeated and refined. Here's a basic framework of critical steps.
You can't secure an asset if you don't know it exists. The first step in risk management involves asset identification, classification and valuation. CISOs are the custodians of information, not the owners. Make sure you work with departmental and business unit leaders to determine an asset's value to the organization.
Next comes the difficult part: assessing the overall risk to the asset. There are several formal methods for doing this, including qualitative and quantitative risk analysis. To assess an asset's risk, you have to evaluate three variables: the overall threat to the asset (both inside and outside the organization); its inherent and environmental vulnerability levels; and the cost of loss, downtime and recovery should it be compromised. A practical equation to calculate risk is:
Risk = vulnerability x threat x cost
Plan and Deploy Countermeasures
Once you've determined an asset's value, you can plan appropriate countermeasures. Countermeasures should be both technical and operational, using a blend of network, systems and data controls--everything from system hardening to network partitioning to AAA to database encryption. Remember: never buy a $10 fence to corral a $5 horse!
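As an added example, not part of the original article, the risk equation (Risk = vulnerability x threat x cost) and the "$10 fence for a $5 horse" rule above are worked into a small risk register in Python. It assumes threat and vulnerability are expressed as probabilities over one planning period, that cost is the loss-plus-recovery figure in currency units, and that all asset figures are constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Asset:
    """One row of a risk register (constructed fields; the article names the three variables)."""
    name: str
    cost: float           # loss, downtime and recovery cost if compromised, in currency units
    threat: float         # assumed: probability of an attack on the asset in the planning period
    vulnerability: float  # assumed: probability that such an attack succeeds

def risk(asset: Asset) -> float:
    """Risk = vulnerability x threat x cost, read as expected loss for the period."""
    for label, value in (("threat", asset.threat), ("vulnerability", asset.vulnerability)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{asset.name}: {label} must be a probability in [0, 1], got {value}")
    if asset.cost < 0:
        raise ValueError(f"{asset.name}: cost must be non-negative")
    return asset.vulnerability * asset.threat * asset.cost

def rank_by_risk(assets: list[Asset]) -> list[Asset]:
    """Highest expected loss first: where countermeasure budget should go first."""
    return sorted(assets, key=risk, reverse=True)

def countermeasure_is_proportionate(asset: Asset, control_cost: float,
                                    residual_vulnerability: float) -> tuple[bool, float]:
    """The '$10 fence for a $5 horse' check: a control that lowers the asset's
    vulnerability to residual_vulnerability is proportionate only if it costs
    no more than the expected loss it removes. Returns (verdict, loss_avoided)."""
    hardened = replace(asset, vulnerability=residual_vulnerability)
    loss_avoided = risk(asset) - risk(hardened)
    return control_cost <= loss_avoided, loss_avoided

# Constructed sample register; the numbers are illustrative, not from the article.
REGISTER = [
    Asset("customer database", cost=500_000, threat=0.6, vulnerability=0.4),
    Asset("public web server", cost=50_000, threat=0.9, vulnerability=0.5),
    Asset("internal wiki", cost=5_000, threat=0.2, vulnerability=0.7),
]

if __name__ == "__main__":
    for a in rank_by_risk(REGISTER):
        print(f"{a.name:18s} risk = {risk(a):>10,.0f}")
    ok, saved = countermeasure_is_proportionate(REGISTER[0], control_cost=40_000,
                                                residual_vulnerability=0.1)
    print(f"database encryption: avoids {saved:,.0f}, proportionate={ok}")
    ok, saved = countermeasure_is_proportionate(REGISTER[2], control_cost=10_000,
                                                residual_vulnerability=0.0)
    print(f"wiki hardening:      avoids {saved:,.0f}, proportionate={ok}")
```

The second check is the "$10 fence" case: eliminating the wiki's vulnerability entirely only avoids 700 in expected loss, so a 10,000 control is not proportionate.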
Implement Business Continuity Plan
You can accept, ignore, mitigate or transfer risk, but you can't prevent it. Always expect the unexpected, and carefully plan what you'll do in the event that a resource is compromised. On a practical level, this step includes performing a business impact analysis and setting the framework for incident response.
Monitor for Threats, and Manage Vulnerabilities
What was "secure" yesterday may be vulnerable today. The only way to know how and where you're vulnerable is to constantly monitor networks and systems for new threats--both "internal" and "external." On a basic level, create a management process for patching critical systems and updating gateway, server and desktop AV. Also, develop and enforce change management procedures.
Deploy intrusion detection sensors on critical segments of your network. Use a blend of host- and network-based IDSes as well as both signature- and anomaly-based scanners. Correlate events across the infrastructure, and refine your threat escalation procedure by matching alerts against your actual, not theoretical, exposures.
Respond to Incidents
This is where the incident response plan formulated under the BCP gets implemented. An IR plan kicks in at different levels depending on the severity of the attack and your organization's "pain threshold." You've got two main response options: "pursue and prosecute" or "patch and proceed."
This outline only scratches the surface of the activities involved in the risk lifecycle. Each of these steps seems intuitive, but the devil is in the details. Few organizations effectively execute on all of these steps at any given time. Remember: The security chain is only as strong as the weakest link.
Andrew Briney, CISSP, is editor-in-chief of Information Security.