Organizations must stay up-to-date on their vulnerabilities and protection measures. Once vulnerabilities have been evaluated, the organization uses this information to develop a risk assessment plan. This plan should consider the perspectives of owners, shareholders, employees, policy makers, suppliers, and customers.
In this project, "Risk Assessment," use the previous findings from Project 1, "Vulnerability and Threat Assessment Report," to recommend an action plan for the risk assessment assigned in this project. The final assignment is a five- to seven-page review or summary of the risk assessment. Note that this is not a complete risk management report, but a "what if" report outlining potentials in both attacks and possible responses.
For this particular project, grades are based on the ability to clearly and accurately assess policies, processes, and technologies to identify and assess risk and articulate effective mitigation strategies to achieve the appropriate security needed for the enterprise.
As the first step in preparing the risk assessment, review the risk management implementation framework and the risk management technologies that you might use in your assessment.
In the subsequent sections of this project, you will write a risk assessment summary report that can be used in addressing cybersecurity threats through risk management.
Risk Management Implementation
Information security risk management (RM) is implemented at three organizational tiers: organization, business, and information system.
Three-Tiered Approach to Risk Management
Organizational information security RM is the responsibility of the organization's risk manager and concerns financial, market, and reputational risks. These guide RM at the business tier, managed by the chief information officer (CIO) and risk manager, who are concerned with risks to the organization's internal processes and business functions. These processes and functions include risks to information flows crossing the organization's boundary in both directions (outbound to external parties and inbound from them).
Information system (also referred to as Tier 3) risks, managed by the information system security manager, CIO, and risk manager, derive more directly from information system (IS) threats and vulnerabilities.
An information system security engineering (ISSE) approach to IS design at Tier 3 identifies risks to the IS from within the IS boundary (internal) and from outside the boundary (external) during requirements definition (ISO, n.d.). Internal risks are often derived from IS vulnerabilities, for example poorly designed access controls. External IS risks are often threats, such as malicious actors guessing passwords by brute force.
Tier 3 RM considers the IS (inside the system or authorization boundary, including internal information flows) and its context (outside the boundary, including information flows across boundaries).
An ISO 27001 gap analysis, conducted during the design of internal security controls or while architecting information flows across the authorization boundary, assesses conformance with the standard. A gap analysis may identify acceptable risk, or may point to the need for compensating controls.
According to Special Publication 800-53 on information security from the National Institute of Standards and Technology: "Organizations are responsible and accountable for the risk incurred by use of services provided by external providers and address this risk by implementing compensating controls when the risk is greater than the authorizing official or the organization is willing to accept."
Risk Management Technologies
In general, every organization must provide physical security, personnel security, information security, and some form of contingency planning (Kovacich & Halibozek, 2003). These security building blocks can be combined under a single, overarching security program, or they can be separated into highly focused subordinate programs. The figure below shows a simplified design for an organization-wide security program.
Design for an Organization's Security Program
Physical security measures provide controlled access to buildings or areas within those buildings to ensure that company assets are protected against unauthorized access, theft, or destruction. Physical security is accomplished in layers, using barrier defenses such as fences, guards, resistant doors, locks, and glass, and other measures, including monitoring and surveillance capabilities.
Physical security includes providing administrative, operational, and technical systems that protect the facility (both its contents and the underlying infrastructure) against damage resulting from fire, flood, wind, and other types of natural disasters. Physical security measures must ensure the continued availability of critical facility functions (power, water, heat, air conditioning, access control) in the event of a disaster or security incident that compromises the facility's operations.
Personnel security is one of the most important goals of any cybersecurity practitioner. In fact, it is one of the most important concerns of the code of ethics of the International Information System Security Certification Consortium, known as (ISC)2. Personnel security has two primary requirements:
Personnel security programs must also provide administrative security policies, plans, and procedures for:
Information security includes providing protection for the information that an organization creates, collects, processes, transmits, and stores. Protecting information requires, in turn, that the organization implement administrative, operational, and technical security measures to protect the information systems (hardware, software, and networks) used to manage information. Federal, state, and local laws establish requirements for the protection of information and information systems.
Special security programs are established on an as-needed basis to facilitate the management and oversight of security for highly vulnerable or high-value information, processes, or technologies. The three most common types of special security programs are:
Contractor security: The organization's security program must include policies, plans, and procedures that address contractual requirements and provide direction to employees as to how the required security measures will be implemented, monitored, and controlled. Contract security requirements may be stated explicitly in the contract or incorporated by reference (to another document, usually a regulation or standard). Government contracts usually include statements requiring compliance with specific provisions from laws, regulations, standards, and government-issued policies or directives.
Contract security: In the twenty-first century, outsourcing has become the norm; therefore, an organization must include in its contract documents explicit requirements allowing the customer or its representatives to inspect and monitor the contractor's compliance with contract security requirements during the period of performance. Contract closeout activities should include a security audit to identify unresolved issues or incidents that need to be addressed prior to the end of the contract. Finally, contracts should include financial incentives or penalties that are large enough to ensure that the contractor and its employees comply with the stated security requirements.
Control system security: One notable area in which special security programs are used is control systems security. Responsibility for implementing a control systems security program may be assigned to a physical security program or to an information systems security program.