Risk Assessment: Discovering the Weak Spot in Your Armor
It’s been said that anything is only as strong as the weakest spot in its defense or armor. This statement also applies to the security, compliance, and overall security posture of an organization. However, determining where this “weak spot in your security armor” lies within the environment can prove difficult.
One of the things we have found helpful in identifying weak links and maintaining a proactive approach to security is to conduct annual Risk Assessments. Done correctly, an annual Risk Assessment will not only allow the identification of gaps in your security program, but also provide you with valuable time to prepare for and address these potential vulnerabilities.
Regulatory compliance mandates such as PCI DSS and HIPAA now require annual risk assessments as part of their compliance requirements, and in fact the U.S. Department of Defense is shifting their entire Certification & Accreditation process (formerly known as DIACAP) to a “true” Risk-Management Framework (RMF) complete with annual risk assessments. While the official roll-out dates for RMF have yet to be determined, I view it as a positive shift away from stagnant security as we know it, to a much more practical and responsible approach of threat detection and elimination.
Intrusion and hacking techniques have become more sophisticated over the years, and numerous reports indicate that automated operations and electronic data are inadequately protected from these risks. Anyone in the field of IT Security would agree that risk assessments play a key role in threat detection and mitigation of vulnerabilities, but I would take it even a step further. I contend that Risk Assessments are the foundation to an effective Risk Management Program. Given the fact that risks and threats change over time, it becomes absolutely imperative for organizations to assess, reassess, and ultimately reconsider the effectiveness of security policies and security controls in place for protecting critical data.
#1 Preparing for Risk Assessment
One of the keys to effectively preparing for a risk assessment is determining the objectives you wish to achieve by performing the assessment and the security requirements you wish to maintain through the process. In addition, regulatory compliance (as mentioned previously) often plays a pertinent role in risk assessment activities and should be leveraged to ensure the results can be mapped directly to business needs and operational requirements. According to NIST 800-30, preparing for a risk assessment includes the following:
- Identify the purpose of the assessment;
- Identify the scope of the assessment;
- Identify the assumptions and constraints associated with the assessment;
- Identify the sources of information to be used as inputs to the assessment; and
- Identify the risk model and analytic approaches (i.e., assessment and analysis approaches) to be employed during the assessment.
#2 What Information Is Needed to Begin Risk Assessment?
Generally speaking, there are several models and methods for assessing risk and the amount of analysis and resources utilized is dependent upon the scope of your assessment. Without performing a deep-dive into the various methodologies, suffice it to say that almost all information technology security risk assessments require the following information prior to commencement:
- Network and/or system(s) architecture diagrams
- An accurate listing of hardware and software in-scope
- Ports, Protocols, and Services being utilized
- Current Disaster Recovery capabilities
- Security Systems in use (e.g., firewalls, IDS, HIDS, anti-virus and anti-malware, etc.)
- Organizational compliance, federal, state, and local requirements
- Business processes, application processes, operational processes, etc.
- Internal policies, procedures, and guidelines in practice
#3 Conducting Risk Assessment
Once this information has been gathered and organized, you should be prepared to start the actual analysis portion of the assessment. Keep in mind that it is generally considered “best practice” to have a third party perform the actual risk assessment, as it provides an objective review of the environment. According to NIST 800-30, common things to focus on during the risk assessment are:
- Identify threat sources that are relevant to organizations;
- Identify threat events that could be produced by those sources;
- Identify vulnerabilities within organizations that could be exploited by threat sources through specific threat events and the predisposing conditions that could affect successful exploitation;
- Determine the likelihood that the identified threat sources would initiate specific threat events and the likelihood that the threat events would be successful;
- Determine the adverse impacts to organizational operations and assets, individuals, other organizations, and customers resulting from the exploitation of vulnerabilities by threat sources (through specific threat events);
- Determine information security risks as a combination of likelihood of threat exploitation of vulnerabilities and the impact of such exploitation, including any uncertainties associated with the risk determinations.
Focusing on the above items during a risk assessment should provide sufficient information for mapping threats and vulnerabilities to assets within the organization. Remember that unless a threat can actually exploit a vulnerability, it is not considered an actual risk to any particular asset.
#4 Reporting: Communicate the Risks Within Your Organization
Having identified the threats and vulnerabilities for assets in your environment, the next step is to determine the impact and likelihood of these security risks. Without going into too much detail, an analysis of impact and likelihood is required in order to determine the appropriate risk level and, ultimately, to populate the risk matrix your assessment should produce.
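The risk determination described in sections #3 and #4, as an added Python example that is not from the original article: it drops threat events that have no exploitable vulnerability, combines the two likelihoods with impact, and ranks what remains. The 1-5 scales, the min() and multiplication rules, the level thresholds and the sample findings are assumptions made for illustration, not NIST 800-30 tables.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Finding:
    asset: str
    threat_event: str
    vulnerability: Optional[str]  # None: nothing on this asset the threat can exploit
    initiation: int   # likelihood the threat source initiates the event, 1-5
    success: int      # likelihood the event succeeds once initiated, 1-5
    impact: int       # adverse impact if it succeeds, 1-5

def overall_likelihood(f: Finding) -> int:
    # Assumed rule: the event is no more likely than its weaker precondition.
    return min(f.initiation, f.success)

def risk_score(f: Finding) -> Optional[int]:
    if f.vulnerability is None:
        return None  # a threat with no exploitable vulnerability is not a risk
    return overall_likelihood(f) * f.impact  # range 1..25

def risk_level(score: int) -> str:
    # Assumed bins for a 5x5 matrix; tune them to the organization's risk model.
    if score >= 15:
        return "high"
    if score >= 6:
        return "moderate"
    return "low"

def build_register(findings):
    """Return (ranked risks, excluded non-risks) for the assessment report."""
    ranked, excluded = [], []
    for f in findings:
        score = risk_score(f)
        if score is None:
            excluded.append(f)
        else:
            ranked.append((score, risk_level(score), f))
    ranked.sort(key=lambda r: r[0], reverse=True)  # highest risk first
    return ranked, excluded

# Constructed sample findings (not from any real assessment).
SAMPLE = [
    Finding("payment web server", "SQL injection against checkout form", "unparameterised queries", 4, 4, 5),
    Finding("HR file share", "ransomware via phishing attachment", "no offline backups", 4, 3, 4),
    Finding("badge printer", "remote exploit of print service", None, 3, 1, 2),
    Finding("intranet wiki", "credential stuffing", "no account lockout", 3, 2, 2),
]

if __name__ == "__main__":
    ranked, excluded = build_register(SAMPLE)
    for score, level, f in ranked:
        print(f"{level:8} {score:2}  {f.asset}: {f.threat_event} ({f.vulnerability})")
    for f in excluded:
        print(f"not a risk: {f.asset}: {f.threat_event}")
```
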
In the end, your periodic risk assessment should provide practical information about the security risks to your operating environment, IT assets, personnel, physical property, and policies surrounding your business. This will provide stakeholders with information about threats and weaknesses within your organization that can be used to align budgets for defensive measures and prioritize remediation efforts that truly impact risk.
Praetorian Secure, LLC provides our clients with Risk Assessment services in support of regulatory compliance requirements and validation of overall security practices. To learn more about our services please contact us at 855-519-7328.