Risk Identification and Risk Assessment Bikash Bhattarai

Upload: meredith-henry

Post on 17-Jan-2018



Page 1: Risk Identification and Risk Assessment

Risk Identification and Risk Assessment, by Bikash Bhattarai

Page 2: Risk Identification and Risk Assessment

Risk Management

•Risk management is the process of identifying risk, as represented by vulnerabilities, to an organization’s information assets and infrastructure, and taking steps to reduce this risk to an acceptable level.

•Risk management involves three major undertakings:
▫Risk identification
▫Risk assessment
▫Risk control

Page 3: Risk Identification and Risk Assessment

Cont…

•Risk identification is the examination and documentation of the security posture of an organization’s information technology and the risks it faces.

•Risk assessment is the determination of the extent to which the organization’s information assets are exposed or at risk.

•Risk control is the application of controls to reduce the risks to an organization’s data and information systems.

Page 4: Risk Identification and Risk Assessment
Page 5: Risk Identification and Risk Assessment

Know Yourself

•To protect assets, which are defined here as information and the systems that use, store, and transmit information, you must know what they are, how they add value to the organization, and to which vulnerabilities they are susceptible.

•Once you know what you have, you can identify what you are already doing to protect it.

Page 6: Risk Identification and Risk Assessment

Know the Enemy

•This means identifying, examining, and understanding the threats facing the organization.

•You must determine which threat aspects most directly affect the security of the organization and its information assets, and then use this information to create a list of threats, each one ranked according to the importance of the information assets that it threatens.

Page 7: Risk Identification and Risk Assessment

The Roles of the Communities of Interest

•The IT community in the organization takes the leadership role.

•Management and users, when properly trained and kept aware of the threats the organization faces, play a part in the early detection and response process.

•Management must also ensure that sufficient resources (money and personnel) are allocated.

Page 8: Risk Identification and Risk Assessment

Risk Identification

•A risk management strategy requires that information security professionals know their organizations’ information assets—that is, identify, classify, and prioritize them.

Page 9: Risk Identification and Risk Assessment
Page 10: Risk Identification and Risk Assessment

Organizational Assets

•People
▫Employees: trusted (greater authority and accountability) and other (without special privileges)
▫Non-employees: contractors and consultants, partners, and strangers

•Procedures
▫IT and business standard procedures
▫IT and business sensitive procedures: those that could be used by a threat agent to craft an attack against the organization or that have some other content or feature that may introduce risk to the organization.

Page 11: Risk Identification and Risk Assessment

•Data
▫In all states (storage, transmission, processing)

•Software
▫Applications
▫Operating systems
▫Security components

•Hardware and Networking Components
▫Routers, switches, firewalls, UTMs, IPS/IDS, etc.

Page 12: Risk Identification and Risk Assessment

Attributes for People, Procedures, and Data Assets

•People
▫Position name/number/ID
▫Supervisor name/number/ID
▫Security clearance level
▫Special skills

•Procedures
▫Description
▫Intended purpose
▫Software/hardware/networking elements to which it is tied
▫Location where it is stored for reference
▫Location where it is stored for update purposes

Page 13: Risk Identification and Risk Assessment

Cont…

•Data
▫Classification
▫Owner/creator/manager
▫Size of data structure
▫Data structure used
▫Online or offline
▫Location
▫Backup procedures

Page 14: Risk Identification and Risk Assessment

Cont…

•Networking Assets
▫Name
▫IP address
▫MAC address
▫Asset type
▫Serial number
▫Manufacturer name
▫Manufacturer’s model or part number
▫Software version or update revision
▫Physical location
▫Logical location
▫Controlling entity

Page 15: Risk Identification and Risk Assessment

Data Classification Example

Page 16: Risk Identification and Risk Assessment

Assessing Values for Information Assets

•As each information asset is identified, categorized, and classified, assign a relative value.

•Relative values are comparative judgments made to ensure that the most valuable information assets are given the highest priority, for example:
▫Which information asset is the most critical to the success of the organization?
▫Which information asset generates the most revenue?
▫Which information asset generates the highest profitability?
▫Which information asset is the most expensive to replace?
▫Which information asset is the most expensive to protect?
▫Which information asset’s loss or compromise would be the most embarrassing or cause the greatest liability?

Page 17: Risk Identification and Risk Assessment
Page 18: Risk Identification and Risk Assessment

Information Asset Prioritization (weighted-factor table; column heading: Critical Factor)

Page 19: Risk Identification and Risk Assessment

Threat Identification

•Any organization typically faces a wide variety of threats.

•If you assume that every threat can and will attack every information asset, then the project scope becomes too complex.

•To make the process less cumbersome, each step in the threat identification and vulnerability identification process is managed separately and then coordinated at the end.

Page 20: Risk Identification and Risk Assessment

Identify and Prioritize Threats and Threat Agents

•Each threat presents a unique challenge to information security and must be handled with specific controls that directly address the particular threat and the threat agent’s attack strategy.

•Before threats can be assessed in the risk identification process, however, each threat must be further examined to determine its potential to affect the targeted information asset.

•In general, this process is referred to as a threat assessment.

Page 21: Risk Identification and Risk Assessment

Threat to Information Security

Page 22: Risk Identification and Risk Assessment

Threat Assessment

•Not all threats have the potential to affect every organization (does a flood threaten a server room on the 12th floor of a building?).

•Which threats represent the most danger to the organization’s information?

•How much would it cost to recover from a successful attack?

•Which of the threats would require the greatest expenditure to prevent?

Page 23: Risk Identification and Risk Assessment

CIO Survey Report (1000)

Page 24: Risk Identification and Risk Assessment

Vulnerability Assessment

•Once you have identified the information assets of the organization and documented some threat assessment criteria, you can begin to review every information asset for each threat.

• This review leads to the creation of a list of vulnerabilities that remain potential risks to the organization.

• Vulnerabilities are specific avenues that threat agents can exploit to attack an information asset.

• At the end of the risk identification process, a list of assets and their vulnerabilities has been developed.

• This list serves as the starting point for the next step in the risk management process: risk assessment.
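Added worked example (not part of the slides): the Python below carries the procedure of Pages 16 through 24 end to end. It records assets with attributes from the Networking Assets slide, assigns each a weighted relative value from the six valuation questions, filters out threats that cannot reach an asset (the 12th-floor flood question), ranks the remaining threats by danger and cost to recover, and finally reviews every asset against each applicable threat to produce the asset/vulnerability list that closes risk identification. The criteria weights, the sample assets and threats, the likelihoods and the vulnerability catalogue are all constructed assumptions for the illustration.

```python
"""Risk identification worked example: asset inventory -> weighted valuation ->
threat assessment (applicability, danger) -> asset/vulnerability list.
Every asset, threat, weight and vulnerability below is a constructed sample."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable

# Assumed weights for the six valuation questions on the "Assessing Values"
# slide; the slides give the questions, not the weights. They sum to 100.
CRITERIA_WEIGHTS = {
    "critical_to_success": 30,
    "generates_revenue": 20,
    "profitability": 10,
    "cost_to_replace": 10,
    "cost_to_protect": 10,
    "liability_if_compromised": 20,
}


@dataclass(frozen=True)
class Asset:
    """Inventory record with attributes from the Networking Assets slide."""
    name: str
    asset_type: str
    ip_address: str
    mac_address: str
    floor: int                 # physical location, used by the flood question
    controlling_entity: str
    ratings: dict              # criterion -> relative rating in 0.1 .. 1.0


def weighted_score(asset: Asset) -> float:
    """Weighted factor analysis: sum(weight * rating) over all criteria, 0..100."""
    total = 0.0
    for criterion, weight in CRITERIA_WEIGHTS.items():
        rating = asset.ratings[criterion]          # KeyError if a criterion is unrated
        if not 0.1 <= rating <= 1.0:
            raise ValueError(f"{asset.name}: rating for {criterion} out of range")
        total += weight * rating
    return round(total, 1)


def prioritize_assets(assets: list[Asset]) -> list[Asset]:
    """Most valuable asset first; ties keep inventory order (stable sort)."""
    return sorted(assets, key=weighted_score, reverse=True)


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float                  # relative likelihood, 0..1 (assumed)
    cost_to_recover: int               # expected cost of a successful attack
    cost_to_prevent: int               # expenditure needed to prevent it
    applies: Callable[[Asset], bool]   # can this threat reach this asset at all?


def threat_assessment(asset: Asset, threats: list[Threat]) -> list[Threat]:
    """Drop threats that cannot affect the asset, rank the rest by danger."""
    applicable = [t for t in threats if t.applies(asset)]
    return sorted(applicable, key=lambda t: (t.likelihood, t.cost_to_recover), reverse=True)


# Constructed catalogue: (asset type, threat) -> specific avenues a threat agent
# could exploit. In practice this comes from scans, config review and interviews.
VULNERABILITIES = {
    ("router", "Software attack"): ["unpatched firmware image", "default SNMP community string"],
    ("router", "Act of human error"): ["ACL change exposed the management port"],
    ("database server", "Software attack"): ["SQL injection via the web tier"],
    ("database server", "Act of human error"): ["backup tapes stored unencrypted"],
    ("database server", "Flood"): ["server room at ground level, no raised floor"],
}


def tva_worksheet(assets: list[Asset], threats: list[Threat]) -> list[tuple]:
    """Review every asset for each applicable threat. Rows are ordered by asset
    priority, then threat danger: (priority, asset, threat, vulnerability)."""
    rows = []
    for priority, asset in enumerate(prioritize_assets(assets), start=1):
        for threat in threat_assessment(asset, threats):
            for vuln in VULNERABILITIES.get((asset.asset_type, threat.name), []):
                rows.append((priority, asset.name, threat.name, vuln))
    return rows


def ratings_for(crit, rev, prof, repl, prot, liab) -> dict:
    """Build a ratings dict in CRITERIA_WEIGHTS order."""
    return dict(zip(CRITERIA_WEIGHTS, (crit, rev, prof, repl, prot, liab)))


# Constructed sample inventory (addresses are documentation ranges, not real hosts).
SAMPLE_ASSETS = [
    Asset("dmz-rtr-01", "router", "203.0.113.1", "00:11:22:33:44:01", 12, "Network Ops",
          ratings_for(1.0, 0.8, 0.6, 0.3, 0.5, 0.7)),
    Asset("cust-db-01", "database server", "10.0.5.20", "00:11:22:33:44:02", 0, "DBA team",
          ratings_for(1.0, 1.0, 0.9, 0.8, 0.7, 1.0)),
    Asset("hr-print-01", "printer", "10.0.7.9", "00:11:22:33:44:03", 3, "Facilities",
          ratings_for(0.2, 0.1, 0.1, 0.2, 0.1, 0.3)),
]

SAMPLE_THREATS = [
    Threat("Software attack", 0.9, 200_000, 50_000, lambda a: True),
    Threat("Act of human error", 0.7, 40_000, 10_000, lambda a: True),
    # The slide's 12th-floor question: a flood only reaches the lowest floors.
    Threat("Flood", 0.1, 500_000, 80_000, lambda a: a.floor <= 1),
]

if __name__ == "__main__":
    for row in tva_worksheet(SAMPLE_ASSETS, SAMPLE_THREATS):
        print(row)
```

Running it lists the database server first (weighted score 94 against 74 for the DMZ router and 18 for the printer), shows the flood threat assessed only for the ground-floor database server, and yields six asset/vulnerability rows; the printer produces none because no avenue of attack was catalogued for it, which in a real review is itself a finding to close before moving on to risk assessment.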

Page 25: Risk Identification and Risk Assessment

Vulnerability Assessment of DMZ Router