Risk assessment is the process of analyzing threats to, and vulnerabilities of, an information system, and the potential impact that the loss of information or capabilities of a system would have on national security or your company's bottom line.
Using the Information Security Protection Matrix and the risk assessment process referenced in the Week 20 column, break down the 10-step process, focusing this week on steps nine (estimate expected loss) and 10 (publish the report).
To compute expected loss, use the formula of threat plus vulnerability and likelihood versus consequence. To have risk, there must be a weakness and the potential to be harmed. For example, without password protection (vulnerability) and the existence of hackers (potential to cause harm), there is risk that data can be stolen.
The likelihood of an attack can be determined by looking at history (Does a person or group have a pattern of attempting to or successfully exploiting a specific vulnerability?), capability (Does a person or group have the capability and desire to pose the threat?) and intention/motivation (Does a person or group have the intention/motivation to exploit a vulnerability?).
Once the threat levels have been determined, quantify the vulnerability by asking if it's one or one of many; if it's difficult/costly to exploit; and whether the asset is being protected by security countermeasures. Also consider the likelihood of an attack and its probable consequences. Countermeasures can then be applied to those areas to reduce risk to an acceptable level. Note that even when safeguards are applied, there probably is going to be some residual risk.
Upon completing the assessment, leave a draft report with recommendations onsite and discuss items needing further research.
The report should include: a one- to two-page executive summary; a description of the organization and its operating environment; a short company profile; threats as defined by the organization; system descriptions; assumptions going into the survey; workflow diagrams; and a list of participants, including titles and phone numbers. Each vulnerability, including details about the flaw, the threat and risk, and any recommendations, should be discussed on its own page in the report.
Research any other information necessary for the final report, which should be completed and filed within two weeks. The draft and final reports are proprietary -- classify and mark them accordingly.
Those with government-specific considerations should maintain a copy of the risk assessment for record purposes and protected as appropriate. Specific findings will be classified as For Official Use Only (FOUO) or higher if warranted by the sensitivity of the asset or degree of vulnerability. Risk assessment or analysis contents may be released only as specifically authorized by the DAA, ISSM or cognizant ISSM/NSM.
NIST offers the Security Self-Assessment Guide, NIST SP 800-26, located on its Web site. It uses questionnaires with specific control objectives and techniques to test an unclassified system or group of interconnected systems.
About the author
Shelly Bard, CISSP, CISM, is a senior security network engineer with Verizon Federal Network Systems (FNS). An information security professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia. Please e-mail any comments to mailto:firstname.lastname@example.org.
Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.
Last week: Identify current countermeasures and estimate likelihood of exploitation
Next week: Contingency planning