It is the formal process of answering:
- What assets need protecting?
- How are those assets threatened?
- What can be done to counter those threats?
Ensure that critical assets are protected in a cost effective manner.
Security Risk Assessment is needed for each asset in the organization that requires protection!
A process used to achieve and maintain appropriate levels of CIAAA (confidentiality, integrity, availability, accountability, and authenticity)
Some IT Security Management functions include:
- Determining organizational IT security objectives, strategies, and policies.
- Determining organizational IT security requirements
- Identifying and analyzing risks
- Specifying appropriate safe guards
- Monitoring the implementation of these safeguards
- Developing and implementing security awareness program
- Detecting and reacting to incidents
Organizational security objectives define which IT security outcomes need to be achieved.
They need to be maintained and updated regularly using periodic reviews & reflecting on changes and technical risk assessments.
First, we need to examine the organization’s IT security:
| Objectives | wanted IT security outcomes |
|---|---|
| Strategies | how to meet those objectives |
| Policies | identify what needs to be done |
Security policies need to address:
- Scope and purpose including relations of objectives to business, legal, and regulatory requirements.
- IT security requirements
- Assignment of responsibilities
- Risk management approach
- Security awareness and training
- General personnel issues and legal sanctions
- Integration of security into systems development
- Information classification schemes
- Contingency plans
- Incident detection (and handling)
- How and when to change policies
IT security policies need to be supported by upper/senior management
IT security officers need to:
- provide overall supervision
- liaison with senior management
- maintenance of security obj, strategies and policies
- handle incidents
- management of incident awareness and training programs
- interact with IT project security officers
Large organizations need separate IT officers associated with major projects and systems.
Ideally examines each organizational asset.
There are 4 approaches:
- Baseline
- Informal
- Detailed Risk
- Combined
“Aims to implement most basic general level of security by using baseline documents, codes of practice and industry best practices.”
- Forms a good base for further security measures.
- Easy, cheap, and can be replicated.
- Only recommended for small organizations without the resources to implement a more structured approach.
“Involves conduction some sort of informal, pragmatic risk analysis for organizations IT system.”
- There is no formal structured way of conducting, but rather, we exploit the existing knowledge and expertise of individuals performing the analysis.
- Fairly quick and cheap
- Some risks can be incorrectly assessed
- Skewed by analyst’s views, varies over time
- Suitable for small to medium sized organizations (where IT systems are not as essential)
“Most comprehensive approach to conduct organization’s IT system risk assessment using formal structured process.”
- May be legal requirement to use
- Assessed using formal structured process: num of stages, identify threats and vulnerabilities, and likelihood of risk occurring.
- Significant cost and time required
- Suitable for large organizations where IT systems are critical to business objectives.
“Combines elements of baseline, informal, and detailed risk analysis approaches.”
- Aim is to provide reasonable levels of protection ASAP then examine and adjust protection controls over time.
- first, we start with implementation of baseline security recommendations on all systems.
- next, we expose them to high risk levels critical to the business objectives.
- then, we decide if we want to conduct an immediate informal risk assessments on key systems so we can tailor more specific controls to the business reqs.
- lastly, we can then perform a detailed security risk analysis.
Overtime, this can result in most appropriate and cost-effective security controls being selected and implemented.