CH14-CompSec3e-IT Security Management

Chapter 14

IT Security Management
and Risk Assessment
Formal process of answering the questions:
• What assets need to be protected
• How are those assets threatened
• What can be done to counter those threats

• Ensures that critical assets are sufficiently protected in a cost-effective manner
• Security risk assessment is needed for each asset in the organization that requires protection
• Provides the information necessary to decide what management, operational, and technical controls are needed to reduce the risks identified
Table 14.1 ISO/IEC 27000 Series of Standards on IT Security Techniques
IT SECURITY MANAGEMENT: A process used to achieve and maintain appropriate levels of confidentiality, integrity, availability, accountability, authenticity, and reliability. IT security management functions include:
• Determining organizational IT security objectives, strategies, and policies
• Determining organizational IT security requirements
• Identifying and analyzing security threats to IT assets within the organization
• Identifying and analyzing risks
• Specifying appropriate safeguards
• Monitoring the implementation and operation of safeguards that are necessary in order to cost effectively protect the information and services within the organization
• Developing and implementing a security awareness program
• Detecting and reacting to incidents
Organizational Aspects / IT Security Policy

Risk Analysis Options
o Security Risk Analysis: Baseline, Informal, Formal, Combined

Selection of Controls

Development of Security Plan and Procedures

Implementation
o Implement Controls
o Security Awareness & Training

Follow-Up
o Security Maintenance
o Compliance
o Change Management
o Incident Handling

Figure 14.1 Overview of IT Security Management


Interested Parties (Information Security Needs) → Plan → Do → Check → Act → Interested Parties (Managed Security)

Figure 14.2 The Plan - Do - Check - Act Process Model


Organizational Context and Security Policy
• First examine organization’s IT security:
o Objectives - wanted IT security outcomes
o Strategies - how to meet objectives
o Policies - identify what needs to be done
• Maintained and updated regularly
o Using periodic security reviews
o Reflect changing technical/risk environments
• Examine role and importance of IT systems in organization
Needs to address:
• Scope and purpose including relation of objectives to business,
legal, regulatory requirements
• IT security requirements
• Assignment of responsibilities
• Risk management approach
• Security awareness and training
• General personnel issues and any legal sanctions
• Integration of security into systems development
• Information classification scheme
• Contingency and business continuity planning
• Incident detection and handling processes
• How and when policy reviewed, and change control to it
Management Support
• IT security policy must be supported by senior
management
• Need IT security officer
o To provide consistent overall supervision
o Liaison with senior management
o Maintenance of IT security objectives, strategies, policies
o Handle incidents
o Management of IT security awareness and training programs
o Interaction with IT project security officers

• Large organizations need separate IT project security officers associated with major projects and systems
o Manage security policies within their area
Security Risk Assessment
• Critical component of process
• Ideally examine every organizational asset
o Not feasible in practice
• Approaches to identifying and mitigating risks to an organization’s IT infrastructure:
o Baseline
o Informal
o Detailed risk
o Combined
Baseline Approach
• Goal is to implement agreed controls to provide
protection against the most common threats
• Forms a good base for further security measures
• Use “industry best practice”
o Easy, cheap, can be replicated
o Gives no special consideration to variations in risk exposure
o May give too much or too little security

• Generally recommended only for small organizations without the resources to implement more structured approaches
Informal Approach
• Involves conducting an informal, pragmatic risk analysis on organization’s IT systems
• Exploits knowledge and expertise of analyst
• Fairly quick and cheap
• Judgments can be made about vulnerabilities and risks that baseline approach would not address
• Some risks may be incorrectly assessed
• Skewed by analyst’s views, varies over time
• Suitable for small to medium sized organizations where IT systems are not necessarily essential
Detailed Risk Analysis
• Most comprehensive approach
• Significant cost in time, resources, expertise
• May be a legal requirement to use
• Assess using formal structured process
o Number of stages
o Identify threats and vulnerabilities to assets
o Identify likelihood of risk occurring and consequences
• Suitable for large organizations with IT systems critical to their business objectives
Combined Approach
• Combines elements of other approaches
o Initial baseline on all systems
o Informal analysis to identify critical risks
o Formal assessment on these systems
• Ensures that a basic level of security protection is implemented early
• Results in the development of a strategic picture of the IT resources and where major risks are likely to occur
• For most organizations this approach is the most cost effective
• Use is highly recommended
Detailed Security Risk Analysis
• Provides the most accurate evaluation of an organization’s IT system’s security risks
• Highest cost
• Initially focused on addressing defense security concerns
• Often mandated by government organizations and associated businesses
Step 1: Prepare for Assessment
o Derived from Organizational Aspects

Step 2: Conduct Risk Analysis
o Identify Threat Sources and Events
o Identify Vulnerabilities and Predisposing Conditions
o Determine Likelihood of Occurrence
o Determine Magnitude of Impact
o Determine Risk

Step 3: Communicate Results

Step 4: Maintain Assessment

Figure 14.3 Risk Assessment Process


Establishing the Context
• Initial step
o Determine the basic parameters of the risk assessment
o Identify the assets to be examined

• Explores political and social environment in which the organization operates
o Legal and regulatory constraints
o Provide baseline for organization’s risk exposure

• Risk appetite
o The level of risk the organization views as acceptable
Less Vulnerable                              More Vulnerable
Media          Utilities          Banking & Finance
Construction   Retail             Health Care
Agriculture    Communications     Transportation
Education      Manufacturing      Government

Figure 14.4 Generic Organizational Risk Context


Asset Identification
• Last component is to identify assets to examine
• Draw on expertise of people in relevant areas of
organization to identify key assets
o Identify and interview such personnel

Asset
• “Anything which needs to be protected”: has value to organization to meet its objectives, tangible or intangible, whose compromise or loss would seriously impact the operation of the organization
• A threat is: anything that might hinder or prevent an asset from providing appropriate levels of the key security services
• Threats may be
o Natural “acts of God”
o Man-made
o Accidental or deliberate

Evaluation of human threat sources should consider:
• Motivation
• Capability
• Resources
• Probability of attack
• Deterrence

• Any previous experience of attacks seen by the organization also needs to be considered
Vulnerability Identification
• Identify exploitable flaws or weaknesses in organization’s IT systems or processes
o Determines applicability and significance of threat to organization
• Need combination of threat and vulnerability to create a risk to an asset
• Outcome should be a list of threats and
vulnerabilities with brief descriptions of how
and why they might occur
Analyze Risks
• Specify likelihood of occurrence of each
identified threat to asset given existing
controls
• Specify consequence should threat occur
• Derive overall risk rating for each threat
o Risk = probability threat occurs x cost to organization
• Hard to determine accurate probabilities
and realistic cost consequences
• Use qualitative, not quantitative,
ratings
Analyze Existing Controls
• Existing controls used to attempt to minimize threats need to be identified
• Security controls include:
o Management
o Operational
o Technical processes and procedures
• Use checklists of existing controls and interview key organizational staff to solicit information
(Table can be found on pages 503-504 in textbook)
Figure 14.5 Judgment About Risk Treatment (Risk Level, Low to Extreme, plotted against $ Cost of Treatment, $ to $$$$$; regions: Implement, Judgement Needed, Uneconomic so accept)


Risk Treatment Alternatives
• Risk acceptance: choosing to accept a risk level greater than normal for business reasons
• Risk avoidance: not proceeding with the activity or system that creates this risk
• Risk transfer: sharing responsibility for the risk with a third party
• Reduce consequence: modifying the structure or use of the assets at risk to reduce the impact on the organization should the risk occur
• Reduce likelihood: implement suitable controls to lower the chance of the vulnerability being exploited
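As an added example (not from the textbook or the slides), the following Python rates a small constructed risk register with the qualitative likelihood/consequence approach described under Analyze Risks and applies the Figure 14.5 triage to choose between the treatment alternatives. The rating scales, the risk matrix, the cost threshold and the register entries are all assumptions made for illustration; the textbook's own tables are not on the page.

```python
from dataclasses import dataclass
# Constructed qualitative scales and risk matrix (the textbook tables the slides
# reference are not on the page); MATRIX[likelihood][consequence] gives the level.
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
CONSEQUENCE = ["insignificant", "minor", "moderate", "major", "catastrophic"]
MATRIX = [
    ["Low", "Low", "Low", "Moderate", "High"],           # rare
    ["Low", "Low", "Moderate", "High", "High"],          # unlikely
    ["Low", "Moderate", "High", "High", "Extreme"],      # possible
    ["Moderate", "High", "High", "Extreme", "Extreme"],  # likely
    ["High", "High", "Extreme", "Extreme", "Extreme"],   # almost certain
]
SEVERITY = ["Extreme", "High", "Moderate", "Low"]  # sort order, worst first

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str      # rated with existing controls already in place
    consequence: str
    treatment_cost: int  # 1 ($) to 5 ($$$$$), the Figure 14.5 cost axis

def risk_level(likelihood: str, consequence: str) -> str:
    """Qualitative level for one threat; an off-scale rating raises ValueError."""
    return MATRIX[LIKELIHOOD.index(likelihood)][CONSEQUENCE.index(consequence)]

def treatment(level: str, cost: int) -> str:
    """Figure 14.5 triage: Extreme is always treated, Low is accepted as uneconomic
    to treat, the middle band needs judgement (constructed rule: treat if cheap)."""
    if level == "Extreme":
        return "implement"
    if level == "Low":
        return "accept"
    return "implement" if cost <= 2 else "judgement needed"

def assess(register: list) -> list:
    """Return (asset, level, treatment) per entry, highest risk first."""
    rows = []
    for r in register:
        level = risk_level(r.likelihood, r.consequence)
        rows.append((r.asset, level, treatment(level, r.treatment_cost)))
    return sorted(rows, key=lambda row: SEVERITY.index(row[1]))

# Constructed register entries for illustration only.
SAMPLE_REGISTER = [
    Risk("control network", "loss of integrity of control traffic", "possible", "catastrophic", 5),
    Risk("mail service", "compromise of a user mailbox", "likely", "moderate", 2),
    Risk("archive file share", "accidental deletion of records", "unlikely", "minor", 1),
]
```

Calling `assess(SAMPLE_REGISTER)` orders the register Extreme, High, Low, with the Extreme entry marked for treatment despite its $$$$$ cost and the Low entry accepted.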
Case Study: Silver Star Mines
• Fictional operation of global mining company
• Large IT infrastructure
o Both common and specific software
o Some directly relates to health and safety
o Formerly isolated systems now networked
• Decided on combined approach
• Mining industry less risky end of spectrum
• Subject to legal/regulatory requirements
• Management accepts moderate or low risk
Assets
• Reliability and integrity of SCADA nodes and net
• Integrity of stored file and database information
• Availability, integrity of financial system
• Availability, integrity of procurement system
• Availability, integrity of maintenance/production system
• Availability, integrity and confidentiality of mail services
Summary
• IT security management
• Organizational context and security policy
• Security risk assessment
o Baseline approach
o Informal approach
o Detailed risk analysis
o Combined approach
• Detailed security risk analysis
o Context and system characterization
o Identification of threats/risks/vulnerabilities
o Analyze risks
o Evaluate risks
o Risk treatment
• Case study: Silver Star Mines
