Security Risk Assessment Process

During the security risk assessment process, both the business and technical experts must be involved. The management must support the effort and appoint the risk management team members. Assessments should look at specific systems rather than the entire business at one time so the team is not overwhelmed. For instance, the security and stability of the business IT network can be considered, the threats to it, and what can mitigate those threats. For example, viruses threaten a network every time they infect a workstation because an attacker could use an infected computer to attack servers from the trusted side of your network or they could sniff passwords being sent through the network. Other examples of parts of the business to evaluate include mail servers, web servers, and systems, projects, and applications specific to known business functions.

Some recommended risk assessment process steps:

  1. Management defines the scope of the risk assessment and creates the risk assessment team with a focal point person to guide the process. The focal point person should have some risk assessment experience.
  2. If risk assessment procedures are not defined, the team should define them. This document can be used as a guide. The proper time and method of communicating the selected risk treatment options to the affected IT and business management should be included in the risk assessment process.
  3. Evaluate the system - Evaluate the system and what it encompasses including the building, IT systems, and data. This will help you determine risks since you will know what can be threatened. Determine if the system is critical to the organization's business processes and determine system characteristics and needs using the following steps.
    1. Planning - Prepare a checklist of questions and items related to information technology for the project including overall system concerns, concerns specific to the servers, the application, the data, and the users. Determine what organizational policies apply to the project.
    2. Meet with the system owners - Discuss the checklist and answer all possible questions.
    3. Continue to meet privately or in specialized groups to complete answering all questions on the checklist.
  4. List the threats - Determine what the threats to the business and IT infrastructure are, including threats of data compromise. Two items to help in this area are the list of security threats and the data assessment process. The list of security threats helps by listing methods that can be used to attack. Items not on the list and unrelated to computer security, such as natural disasters, should also be considered. The data assessment process helps by determining what may be threatened and also helps with the next step, where the potential damage is determined. List possible threat sources, such as the exploitation of a vulnerability. Are there policies or plans in place to mitigate the threats?
  5. Identify vulnerabilities - Vulnerabilities may exist in operating systems, application programs, improper configuration, and many other areas. Examine your systems and determine where those systems are vulnerable to any listed or non-listed threats. Use system scans, logs, and test results to help find vulnerabilities. Consider non-IT vulnerabilities when they may affect the system or business. Consider current mitigating controls that eliminate or reduce vulnerabilities.
  6. Evaluate security controls - Determine the effectiveness of current security controls in reducing or eliminating the threat impact or probability of occurrence. Determine additional controls and the possible reduction of threat impact or probability they would provide.
  7. Identify probabilities - Determine probabilities of each of the threats materializing considering vulnerabilities and mitigating controls that are currently in place. Base the likelihood of occurrence on judgement of experts and historical evidence.
    • Frequent - Incidents are likely to be repeated
    • Probable - Incidents are likely to be isolated
    • Occasional - Possible but not likely
    • Remote - Not likely
    • Improbable - Almost impossible
  8. Quantify damage (impact analysis) - Determine the possible damage that may occur for each threat in the event that the threat materialized. The data assessment process documentation may help since the possible damage due to data compromise, unauthorized data modification, or loss of data access is categorized during this process. Consider the criticality of the systems involved. Categorize the damage and possibly place a dollar amount on the damage where possible. Determine whether loss of life could occur. This will help when looking at cost of controls to reduce the risk.
  9. Determine risk level - Use likelihood times impact to quantify the amount of risk. Consider loss of life to be of either extreme cost or unacceptable.
  10. Evaluate and recommend controls to reduce or eliminate risk - Identify existing controls and those that may further reduce probabilities or mitigate specific vulnerabilities. List specific vulnerabilities for the system and threats to help identify mitigating controls.
    • Identify where current controls or policies are not being followed.
    • Assess whether the current controls are adequate.
    • Determine whether more controls should be added.
    • Summarize action items.
  11. Create risk assessment report - List recommended controls to be added to mitigate the risks or to continue essential business operations in the event of a threat materializing. This report may include a risk action plan that defines the actions to be taken to reduce or transfer risk. The following should occur:
    1. Prepare a security assessment results report and include:
      • Summary - including purpose and scope of the assessment
      • Findings
      • Recommendations
      • Conclusions
    2. Report review - The report should be reviewed by the system owner.
  12. Implementation - Take the recommended risk mitigation actions. Controls and recommendations should be put in place in the locations and timeframes specified in the security assessment report.
  13. Monitor effectiveness of risk mitigation actions and document results - Regularly monitor the risk controls and their effectiveness based on incidents and other factors including expert judgements. Document results to allow additional policies or procedures to be developed as necessary or allow management to budget money for additional risk mitigation actions.
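Steps 7 through 9 above describe a scoring method: a five-level likelihood scale, a categorized damage estimate, risk = likelihood x impact, and loss of life treated as unacceptable. The following added example (not part of the original document) carries that method through for a small constructed threat register; the dollar-to-impact bands and the sentinel value for loss of life are assumptions, since the page gives no such thresholds.

```python
from dataclasses import dataclass

# Ordinal values for the five-level likelihood scale from step 7.
LIKELIHOOD = {"Improbable": 1, "Remote": 2, "Occasional": 3,
              "Probable": 4, "Frequent": 5}
# Assumed impact bands (not on the page): damage in dollars -> ordinal 1..5,
# so likelihood x impact lands on a 1..25 scale.
IMPACT_BANDS = [(10_000, 1), (100_000, 2), (1_000_000, 3), (10_000_000, 4)]
# Sentinel for step 9's rule that loss of life is unacceptable; it outranks
# any product of the two ordinal scales.
UNACCEPTABLE = 100

def impact_level(damage_usd: float) -> int:
    """Step 8: categorize the estimated damage into an ordinal impact level."""
    for ceiling, level in IMPACT_BANDS:
        if damage_usd <= ceiling:
            return level
    return 5

@dataclass
class ThreatEntry:
    system: str
    threat: str
    likelihood: str        # one of the step 7 levels
    damage_usd: float      # step 8 damage estimate
    loss_of_life: bool = False

def risk_score(entry: ThreatEntry) -> int:
    """Step 9: likelihood times impact; loss of life overrides the product."""
    if entry.loss_of_life:
        return UNACCEPTABLE
    return LIKELIHOOD[entry.likelihood] * impact_level(entry.damage_usd)

def rank_register(entries: list) -> list:
    """Highest risk first, so step 10 controls are chosen for the top items."""
    return sorted(entries, key=risk_score, reverse=True)

# Constructed sample register, not data from the page.
SAMPLE_REGISTER = [
    ThreatEntry("IT network", "virus on a workstation used against servers",
                "Frequent", 50_000),
    ThreatEntry("web server", "compromise via unpatched application",
                "Occasional", 500_000),
    ThreatEntry("building", "natural disaster", "Remote", 5_000_000,
                loss_of_life=True),
]
```

Ranking the sample register puts the loss-of-life entry first regardless of its Remote likelihood, then the workstation virus (5 x 2 = 10) ahead of the web server compromise (3 x 3 = 9).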