A big question that companies have to deal with is, "What is enough security?" This can be restated as, "What is our acceptable risk level?" These two questions have an inverse relationship. You can't know what constitutes enough security unless you know your necessary baseline risk level.
To set an enterprise-wide acceptable risk level for a company, a few things need to be investigated and understood. A company must understand its federal and state legal requirements, its regulatory requirements, its business drivers and objectives, and it must carry out a risk and threat analysis. (I will dig deeper into formalized risk analysis processes in a later article, but for now we will take a broad approach.) The result of these findings is then used to define the company's acceptable risk level, which is then outlined in security policies, standards, guidelines and procedures.
Although there are different methodologies for enterprise risk management, the core components of any risk analysis is made up of the following:
- Identify company assets
- Assign a value to each asset
- Identify each asset's vulnerabilities and associated threats
- Calculate the risk for the identified assets
Once these steps are finished, then the risk analysis team can identify the necessary countermeasures to mitigate the calculated risks, carry out cost/benefit analysis for these countermeasures and report to senior management their findings.
Senior management can then choose one of the following activities pertaining to each of the identified risks:
- Mitigate the risk by implementing the recommended countermeasure
- Accept the risk
- Avoid the risk
- Transfer the risk by purchasing insurance
Many times senior management will follow the advice of the risk analysis team and allocate the necessary funds to implement the suggested countermeasures. Countermeasures can come in many different forms: firewalls, IDS, training, written policies and procedures, and so on. What is important to understand is that no countermeasure can completely eliminate risk – there is always some risk. This is called residual risk. The question is if this residual risk is still too high or if it is below the organization's acceptable risk level.
The acceptable risk level revolves around the business impact that would be experienced if certain risks became realized. For example, employees in Company ABC are allowed to use instant messaging to communicate to each other and to customers. This is a vulnerability because it opens the door to viruses and other types of malware. The company has to weigh the necessity of this type of communication and how it relates to business needs, and determine if its benefits outweigh the corresponding risks. The company can carry out qualitative or quantitative processes to determine the business value of this type of communication and the cost of a virus infection.
If Company ABC is a stock brokerage firm, it may determine that time sensitive communication must be available between the customers and employees to allow the timely selling and purchasing of stocks. So the business impact of not being able to purchase and sell stocks in a restricted timeframe outweighs the business impact of a virus infection. As a software developer, Company EFG does not have a need for dynamic communication. This business risk is unacceptable and the company could choose to disallow any instant messaging traffic through its border devices. So in this example, Company ABC may choose to accept this specific risk and Company EFG may choose to avoid this risk. Risk avoidance means to not permit the actual activity that allows this risk to exist.
Company LMN may choose to implement a countermeasure for this type of situation. The company could choose to implement an internal instant messaging server, which allows their internal employees to use instant messaging. The border firewalls block instant messaging traffic from entering or leaving the network, which reduces the potential of obtaining virus infections through this medium.
I will go into all of the possible insurance policy types pertaining to information security that are available, but for now note that this is a way of transferring the burden of carrying so much risk. Currently this is the least most used way of dealing with information security risk because of its "newness" and cost, but this trend may change over time as companies are currently faced with risks that cannot be tamed with their available countermeasures.
RISK MANAGEMENT GUIDE
- Introduction: Understanding risk
- An overview of the risk management process
- How to define an acceptable level of risk
- How to write an information risk management policy
- How to implement an effective risk management team
- Information risk management: Defining the scope, methodology and tools
- How to conduct a risk analysis
About the author
Shon Harris is a CISSP, MCSE and President of Logical Security, a firm specializing in security educational and training tools. Shon is a former engineer in the Air Force's Information Warfare unit, a security consultant and an author. She has authored two best selling CISSP books, including CISSP All-in-One Exam Guide, and was a contributing author to the book Hacker's Challenge. Shon is also the co-author of Gray Hat Hacking: The Ethical Hacker's Handbook.
This was first published in January 2006