The Significance of IT Security Management & Risk Assessment
An overview of IT Security Management, which is comprised of standards, policies, plans, and
procedures as well as risk assessment and the various techniques and approaches to minimize an
organization’s financial impact due to the exploitation of numerous organizational assets.
Submitted by Brent Mohring & Bradley Susser
Information Security & Controls / Information Security Management
April 20, 2012
Table of Contents
Summary
Introduction
Fundamentals of IT Security Management
Organizational Context and Security Policy
Developing a Security Policy
Case Study ING: Making use of COBIT and Other Standards
Security Risk Assessment
Risk Assessment Approaches
Quantitative and Qualitative Risk Analysis
Detailed Security Risk Analysis
Case Study Barrick Gold
Conclusion
Works Cited
Summary
The proliferation of attacks on organizational networks and systems has become a global phenomenon, one that many information technology pioneers did not foresee. This is evident in the Kaspersky Lab data; in particular, the report stated that the number of browser attacks in 2011 increased from 580 million to around 946 million (Namestnikov). Because of this, IT Security Management and risk assessment have become an essential element that must be incorporated across all non-governmental organizations as well as those in the public sector. In this paper, we will analyze IT Security Management, Organizational Policies, and Risk Assessment.
Introduction
IT Security Management encompasses how different organizations select, plan, implement, and review their IT security methods. Taking this a step further, it is essential to align IT security risk assessment with business objectives as well as organizational size. Risk assessment is the analysis and identification of specific threats and vulnerabilities of an organization’s assets to help determine levels of risk. This paper will therefore cover the various approaches in ISO 13335, including the baseline approach, the informal approach, the detailed risk analysis approach, and the combined approach. Furthermore, we will provide a brief overview of both quantitative and qualitative paradigms, along with a case study that helps show why risk analysis is significant and essential to all organizations spanning all industry segments. Finally, you will be able to see how organizations can minimize risk while maximizing profits by implementing the proper countermeasures along with industry best practices.
Fundamentals of IT Security Management
IT Security Management is the formal process of answering three fundamental questions: What
assets do we need to protect? What are the threats to these assets? What countermeasures can be
used? (Stallings, 467). To answer the first question, an asset must be defined. An asset is anything that
an organization has or owns. It can be something physical like a computer, a server, or a database. It
can also be something like a competitive advantage or a company’s reputation amongst their customers.
These are intangible assets. The second question addresses the threats to those assets. A computer
network might be threatened by something that could harm it, like a virus, or by another competitor
analyzing their network to make determinations about how the company operates. A physical asset
may be computer servers that are threatened by physical world events like power outages or floods.
Once an organization has identified the threats to their assets, they will need to understand what
countermeasures they can employ to protect their assets or mitigate the damage to their assets. These
countermeasures can be computer security products like firewalls or software protection, or physical
protection like biometric locks. Another important term is vulnerability. Vulnerability is a weakness in
an asset or group of assets which can be exploited by a threat, like an unsecured network, or a building
with a high level of foot traffic near secure systems.
The basics of IT security management include determining the security objectives and general risk profile of the company, performing an IT Security Risk Assessment on each asset in the organization, creating management, operational and technical controls, identifying whether risks can be reduced to an acceptable level or simply accepted, selecting controls, writing plans and procedures for implementing the controls, determining whether the plan meets the security objectives, and planning to maintain, adapt and upgrade the controls (Stallings, 470). As for the risk profile, every company is different, so depending on a number of factors, such as its size, industry, location, and technology, it needs to determine its objectives: what security it needs, how much security it wants to take on, and how much risk it is willing to accept. A large, established company with a lot to lose might want to take on more security and accept a lower risk. A startup company might not have the resources for a full security suite and may try to go without some proper security to save money and gain a competitive advantage in its market. For the asset risk assessment, ideally every asset in the company, or at least every asset that is critical to the organization’s business objectives, should have a risk assessment to determine the most cost-effective way to protect the asset with an acceptable amount of risk to the company. For identification of risks, there might be a risk that is a low threat, or that would have a low impact on the company if it occurred, while protecting the vulnerability would cost a lot; so a company may strategically choose not to protect against that risk. The next step is for the organization to select the controls it will use and write up the plans and procedures for how its security will work. Some examples of management controls are planning, assessments and services. Some examples of operational controls are maintenance, implemented protections, and training programs. Technical controls are security services, audits, and access control (Stallings, 482-483). These controls combine to ensure appropriate levels of security. Once the plan is written, it can be compared to the security objectives to make sure that the goals are met. The company will then create a plan to keep the system constantly working and upgraded. The security management process is cyclic: the company’s assets and security concerns will constantly change due to changes in business, the rapid advancement of technology, and the changing risk environment, so the company will have to keep reevaluating and changing its security plans.
When deciding how to plan IT security management, a company can first look at international standards of IT security. As companies can be audited on their security, it is best for them to examine the standards and their best practices. One important standard is from the ISO – the International Standards Organization has consolidated its standards into the ISO 27000 series. Specifically, ISO/IEC 27000:2009 provides an overview of information security management systems.
ISO Security Standards (Stallings, 468):
The above table displays recently adopted standards. Another standards group is NIST, the National Institute of Standards and Technology. It has standards on IT security management in NIST02 and NIST09. Organizations are being audited more frequently now, after corporate governance issues like the Enron collapse and government organizations losing personal data. These standards are especially important today, as organizations are expected to follow them to protect against losing their data. Recently, a company called Stratfor was hacked, and this intelligence report company is having its private documents leaked to the press (Perlroth). MasterCard and Visa also had their databases of customer information hacked (Pepitone). So organizations need to strictly adhere to these standards.
One important standard is ISO 13335, which comprises security techniques for IT network security and the management of information and communications technology security. It has chapters on topics like securing remote access, securing communications across networks using virtual private networks, selection of safeguards, and guidance on network security.
After reviewing international standards, let’s review the full definition of IT Security
Management - A process used to achieve and maintain appropriate levels of confidentiality, integrity,
availability, accountability, authenticity, and reliability. The functions of it are to (Stallings, 471-472):
• Determine objectives, strategies, policies
• Determine security requirements
• Identify and analyze threats, risks
• Specify and monitor safeguards or countermeasures
• Monitor implementation and operation to protect information and services in a cost-effective
manner
• Detect and react to incidents
• Develop a security awareness program
As with all business and IT projects, security implementations will need the backing of high level
corporate employees, like the CIO. Without that support, they won’t have the funding, resources, or
attention needed to be implemented. In instances like this, an IT employee may have to lobby and
convince them of the necessary work to be done. And the best way to do this is to tie the security to the
organization’s key business objectives, and show how the cost of not implementing the security, the risk,
is greater than the cost of implementing the security. This will be shown coming up in risk assessment.
There will always be a need in the security process for management. It won’t end once all of the
controls are set up and the systems are running.
Delving further into how to approach management, a process model can be used to show the processes of IT security management. It: establishes security policy, objectives, processes and procedures; performs risk assessment; creates an inclusive risk treatment plan with selection of controls and acceptance of risk; implements the risk treatment plan; and maintains and improves the implementation plan in response to risk incidents. The process works in a security framework, like the one below (Stallings, 469):
At the top, you have the organizational aspects coupled with the IT security policy, which defines and drives the rest of the process. There are four different security risk analyses listed here for the organization to choose from. Once an assessment type is selected, the company selects the controls to be used and begins to develop the security plan and procedures, which are shaped by all of the previous selections. The next stage is Implementation, which covers the implementation of controls as well as security awareness and training. The last phase does not end the process, but it is the phase in which the company will spend most of its time. The Follow-Up phase contains maintenance of the systems, changes to the processes to match new security compliance requirements, and incident handling when threats arise. That includes detection, response, recovery, and documenting the incident for the future. We want to point out that Follow-Up has an arrow showing that it eventually leads back to the rest of the process as the security policy is revised and the implementation starts over. In addition, management is significant and must be proactive in incorporating standards, policies, and guidelines to optimize the system to align with and meet business objectives. This in turn makes the organization more efficient by minimizing risk and maximizing profits. Getting to an actual process model, the one we will be looking at is shown below (Stallings, 470):
In the textbook, this is described as the Plan-Do-Check-Act process model. This model is from the ISO 27000 series of standards and is for managing information security. It is similar to the framework graph displayed previously. The first step is Plan. The interested parties, the executives or experts who are deciding the information security needs of the organization, plan for possible and probable events. They establish a security policy, objectives, processes and procedures that are relevant to managing the risk and improving information security to deliver results in accordance with the organization’s overall policies and objectives. The second phase is Do: this is the main implementation phase, in which you implement and operate the security policy, controls, processes and procedures. The third phase is Check: you assess and, where applicable, measure process performance against the security policy, objectives and practical experience, and report the results to management for review. The fourth phase is Act: you take corrective and preventive actions, based on the results of the internal security audit and management review or other relevant information, to achieve continual improvement of the security management process. The process model fits into the framework model. You can see that the policy, organizational risk analysis, control selection, and development of the security plan and procedures all make up the Plan phase, and the implementation of controls and training is the Do phase. The Follow-Up maintenance, security compliance, change management and incident handling are the Check phase. The feedback from Follow-Up becomes the Act phase as you go back and change the security framework based on the results from Follow-Up.
Organizational Context and Security Policy
Relating security to the role it plays within an organization, and examining that role, is part of the Organizational Context section. The organizational security policy describes what the objectives and strategies are, and the process used to achieve them. The intent of the policy is to provide a clear overview of how an organization’s IT infrastructure supports its overall business objectives in general, and more specifically what security requirements must be provided in order to do this most effectively. The organizational or corporate security policy can be a single large document or a set of related documents. The objectives are IT security outcomes, and the strategies are how to meet the objectives. The policies identify the processes to be done, and must be maintained and updated regularly with periodic reviews of security. An IT system’s role in an organization may change over time. Spending on IT security should lower business risks and so increase profitability for the organization, even if that entails additional capital expenditures. SANS defines the terms: “A policy is typically a document that outlines specific requirements or rules that must be met. In the information/network security realm, policies are usually point-specific, covering a single area. A standard is typically collections of system-specific or procedural-specific requirements that must be met by everyone. A guideline is typically a collection of system specific or procedural specific "suggestions" for best practice. They are not requirements to be met, but are strongly recommended” (Information Security Policy Templates). We will be focusing on policy in this presentation as the chart branches down to the subset of the functional policy branch (Watson, 7):
The above Security Policy Map is from Purdue University. Policies are statements of management intentions and goals, and this chart shows how policies affect the organization’s processes. This is an example of Security Governance. You can see how the laws, regulations, security requirements, organizational goals and business objectives all come together to influence and create the General Organizational Policies, which lead down to the functional policies of the decided-upon Procedures, Standards, Guidelines and Baselines. Procedures are detailed steps to perform a specific task that is dictated by policy: handling resources, adding and deleting user accounts, change management, etc. (Watson, 9). Standards specify the use of specific technologies in a uniform manner and require uniformity throughout the organization. Examples include operating systems, applications, server tools, and router configurations (Watson, 10). Guidelines are recommended methods for performing a task; they are not required. Examples are malware cleanup, spyware removal, data conversion, and sanitization (Watson, 11). Baselines are similar to standards but account for differences in technologies and versions from different vendors, like different operating systems or system versions (Watson, 12).
Developing a Security Policy
To develop a security policy, you would first list the key organization security objectives. For
example, a large company that already has a lot of data might be a big target as people want to access
that data, so they might want tighter security controls, while a newer or smaller company may not be an
immediate target, and it would not make as much sense for them to try to develop elaborate security
controls. Next you would develop broad strategy statements such as “How will objectives be met?” and
“How will we maintain consistency across our organization?” Finally, you will factor in identified
objectives, as well as other key points such as the size of the organization. Some important questions to
ask during the development of the security policy are: “What are the aspects of the organization that
require IT support to function efficiently?”, “What are the tasks that can only be performed with IT
support?”, “Which essential decisions depend on accuracy, currency, integrity, or availability of data
managed by IT systems?”, “What data that is created, managed, processed and stored by the IT systems
needs protection?”, and “What are the consequences to the company of an IT system security failure?”
(Stallings, 471). You’ll need to tie these questions to the critical business objectives of the organization.
For example, a retail web site relies on its online order processing system to make money, so that is a critical process, and the organization will need to know how much money it could lose for each time period that the site is down. The security policy should address the following points (Stallings, 471-472):
• Scope and purpose, including the relation of objectives to business, legal, and regulatory requirements
• IT security requirements: confidentiality, integrity, availability, accountability, authenticity and reliability
• Assignment of responsibilities for security employees
• The organization’s risk management approach
• Security awareness and training
• General personnel issues and any legal sanctions for those in positions of trust
• Integration of security into systems development and procurement
• The information classification scheme to be used across the organization
• Incident detection and handling processes
• How and when the policy is reviewed, and change control for it
Lastly, I’d like to touch on the Organizational IT Security Officer. A company should have a single person for overall supervision of security – an Organizational IT Security Officer. Because the responsibility for IT security is shared across the organization, there is a risk of inconsistent implementation of security and a loss of central monitoring and control. The various standards strongly recommend that overall responsibility for the organization’s IT security be assigned to a single person, the Organizational IT Security Officer. This position has the key responsibilities of oversight and management of the IT security process, liaison with senior management, maintenance, response to incidents, interaction with IT project management security officers, investigation of incidents, and development of IT security awareness and training programs (Stallings, 473). The officer should keep policies consistent. As the company grows, the Officer may manage teams who manage processes in their areas.
Case Study ING: Making use of COBIT and Other Standards
To further make the case that standards can significantly reduce an organization’s risk profile, we explored and examined the initiatives taken by ING Group (Le Bie) and their use of information technology governance and tools, along with a strong IT security management commitment, to safeguard against attacks while meeting regulatory compliance requirements, including Sarbanes-Oxley and Basel II. ING Group is a financial services company that provides banking, investment, life insurance and retirement services on a global scale. A case study written in 2006 by the IT Governance Institute, an organization established in 1998 to advance international thinking in standards for IT, describes in detail how ING Group was able to successfully execute what ITGI describes as the Val IT initiative along with control objectives for information-related technology. One of the processes that make up Val IT, or the Val IT framework, is investment management, which in turn should come at an affordable cost with an acceptable level of risk. This process, along with the other two that make up Val IT, is backed by empirical research, a common methodology, and supporting publications and services. ING then integrated Val IT with COBIT, which incorporates best practices enabled by key controls measured by outcome and performance metrics, and key management practices that provide a disciplined approach to addressing information security issues. In simple terms, Val IT asks the strategic question “Are we doing the right things?” and the value question “Are we getting the benefits?”, while the COBIT framework asks the architectural question “Are we doing them the right way?” and the delivery question “Are we doing them well?” Both methodologies, if used correctly, can help a firm’s IT infrastructure support business objectives, maximize business investment in IT, and, most importantly, manage IT-related risks, which, as you will soon see, is distinctly the case for ING. At the time of this study, ING reported in its 2005 annual financials a profit before taxes compared to full-year 2004 results of 19.4% to 18.5 million euros, while earnings per share rose 22.7%. ING places extreme importance on IT security by implementing a hierarchy offering checks and balances: at the top is the executive board, second from the top is the procurement policy board, and third from the top is an information risk steering committee, which examines security measures and is most closely aligned with the topic of this paper. Looking further ahead, the global economic downturn did impact ING’s operations and market capitalization, but with the company’s proper IT security management in place it fared far better than many of its peers. That is to say, it was not significantly adversely impacted, due to the lack of any compliance issues resulting from its strict IT security policy and procedures, and in looking at the organization as a whole we were unable to find any evidence that ING’s networks or critical data were exploited in any way. The standards put in place by this financial institution also aided in implementing a stringent risk policy that spanned the entire firm, resulting in improved risk assessment, which reduced the need for costly provisions. ING’s active management in the area of IT security deserves to be commended, which is why, to date, the company has not been exploited and has continued to remain profitable, with annual gross profit of around 12.47 billion dollars and total top-line revenue of around 70 billion dollars.
Security Risk Assessment
After creating a framework for an organization’s IT Security Management policies, standards and procedures, the most integral part of IT security is assessing the risk to the organization’s assets as a whole. Assessing security resources is essential to mitigating financial loss; with finite resources, some risks will be addressed while others will not be addressed properly. Therefore, it is imperative that an organization make use of an approach that aligns IT security objectives with the overall organizational business objectives. Before further discussing the various approaches to risk analysis, we must define what risk is. Risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. In simple terms, risk is the probability of a threat occurrence multiplied by the cost to the organization, or risk = probability × cost. In practice, it is difficult to determine, but there are many approaches that can be used. We must further emphasize, before describing these various approaches, that each of these risk assessment methodologies needs to address rapid changes in IT technology as well as the risk environment by incorporating a cyclic process. In other words, the process of risk analysis is never ending.
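To make the definition concrete, here is a small added example (not from this paper or from any standard it cites) of a risk register that applies risk = probability × cost to a set of assets and then applies the cost-benefit test described earlier, where a control is worth funding when the risk it removes is greater than what the control costs. The asset names, record counts, probabilities and control costs are constructed for the example; the $30-per-record figure mirrors the hospital scenario used later in the paper.

```python
"""Added example: a risk register built on the paper's definition
risk = probability * cost, plus the control-versus-risk comparison.
All asset names, record counts, probabilities and control costs below
are constructed sample values, not data from the paper or any standard."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Risk:
    asset: str              # constructed asset name
    records: int            # records exposed if the threat succeeds
    cost_per_record: float  # cost to notify patients, reissue IDs, etc.
    probability: float      # estimated chance the threat succeeds in the period
    control_cost: float     # cost of the countermeasure over the same period

    def __post_init__(self) -> None:
        # A probability outside [0, 1] is an input error, not a risk value.
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"probability out of range for {self.asset}")
        if self.records < 0 or self.cost_per_record < 0 or self.control_cost < 0:
            raise ValueError(f"negative figure for {self.asset}")

    def exposure(self) -> float:
        # Worst-case, one-dimensional cost: every record compromised.
        return self.records * self.cost_per_record

    def expected_loss(self) -> float:
        # The paper's definition: risk = probability * cost.
        return self.probability * self.exposure()

    def decision(self) -> str:
        # Fund the control when the risk it removes exceeds its price;
        # otherwise the organization may reasonably accept the risk.
        return "mitigate" if self.expected_loss() > self.control_cost else "accept"


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Order by expected loss, highest first, so scarce budget goes where risk is greatest."""
    return sorted(risks, key=lambda r: r.expected_loss(), reverse=True)


def risk_register(risks: List[Risk]) -> List[Tuple[str, float, float, str]]:
    """Rows of (asset, worst-case exposure, expected loss, decision), ranked."""
    return [(r.asset, r.exposure(), r.expected_loss(), r.decision())
            for r in rank_risks(risks)]


# Constructed sample data (hypothetical assets and estimates).
SAMPLE_RISKS = [
    Risk("patient-records-db", 1_000, 30.0, 0.20, 5_000.0),
    Risk("patient-records-db-large", 500_000, 30.0, 0.05, 200_000.0),
    Risk("marketing-mailing-list", 20_000, 2.0, 0.10, 10_000.0),
    Risk("dev-test-db", 300, 30.0, 0.50, 6_000.0),
]


if __name__ == "__main__":
    for asset, exposure, loss, decision in risk_register(SAMPLE_RISKS):
        print(f"{asset:28s} exposure=${exposure:>14,.0f} "
              f"risk=${loss:>12,.0f} -> {decision}")
```

The worst-case exposure column reproduces the paper's arithmetic (1,000 records × $30 = $30,000; 500,000 records × $30 = $15,000,000), while the expected-loss column is what the probability term adds: the large database still ranks first, but the small development database, despite a high probability, falls below its control cost and is a candidate for accepted risk.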
Risk Assessment Approaches
There are a number of organizations such as NIST and ISO that have developed over the years
numerous standards for IT assessment. In this paper, we will focus on those that encompass the ISO
13335 series. This includes the baseline approach, the informal approach, the detailed risk analysis
approach, and the combined approach.
The baseline approach measures information security in several categories, to analyze the gap
between current status and necessary level of status. A baseline approach implements safeguards to
protect against the most common threats. It contains generalized standards and “best industry
practices.” This approach implements basic general level security controls, and is best for small
organizations (Stallings, 474). Some advantages are that capital expenditures are reduced due to
minimizing the use of resources, and that this approach can be duplicated over a range of systems (it is
easy, cheap, and easily replicated). The disadvantages are that no special consideration is given to
variations in the organization’s risk exposure (such as who they are, how systems are used). As a result
of no special consideration to the organization, the baseline approach can be set too high leading to
unnecessary capital expenditures, or too low, leading to increased security risks and opening up more
vulnerabilities.
The informal approach implements risk analysis by drawing on individual knowledge and experience. This approach is suitable for small and mid-size organizations. The advantages of this approach are that it usually does not require a lot of resources or time. Individuals who perform this analysis do not require additional skills or training; therefore, informal risk assessment can be performed fairly quickly and cheaply. This approach, unlike the baseline approach, does address the organization’s specific systems and issues, allowing for more targeted controls. The disadvantages of this approach are that it is highly dependent on the skills of the person in charge, and the likelihood of missing some important details may leave the organization vulnerable. Also, the particular prejudices of the individuals may influence the results, and this may also cause an increase in capital expenditures that may be unnecessary. Based on the above disadvantages, the informal approach may not be effective for many organizations.
Detailed analysis involves in-depth identification and valuation of all information assets, the assessment of threats to those assets, and the assessment of vulnerabilities. This is a more comprehensive approach, including numerous stages, and is suitable for large organizations with IT objectives that are critical to their business objectives, or for governmental agencies. Legal requirements may also demand a detailed risk analysis. Detailed risk analysis (DRA) has continued to evolve due to the development of trusted computer systems, and a number of standards encompass this approach, which we will not elaborate on. This is the most comprehensive approach, and it provides the most detailed examination of an organization’s security risks. It has the strongest justification for expenditure on controls. Its disadvantages are the significant cost, time, resources and expertise needed to perform the analysis, and an analysis that takes too long may delay attention to other vulnerabilities. This type of analysis is typically performed as a legal requirement for government organizations and businesses providing key services to them.
The combined approach is a combination of the baseline approach and the detailed analysis approach. It has many advantages, including an initial high-level analysis rather than a full detailed risk analysis of all systems, which may be easier to sell to management. The use of baseline and informal analysis in this approach ensures that a basic level of security protection is implemented early on. And due to the speed of this process, resources are likely to be applied where they are most needed, and the systems most at risk are likely to be examined further early in the process. The disadvantage is that a high-level analysis can be inaccurate, in contrast to detailed risk analysis, which can leave a greater chance of vulnerability. But for most organizations the chance of this disadvantage occurring is very minimal; therefore this approach is the one that should be, and in fact is, most commonly used.
Quantitative and Qualitative Risk Analysis
There are a number of approaches, as described above, and for obvious reasons we will compare
the detailed risk analysis approach later on in this paper. One must also understand that many of these
approaches can make use of either quantitative or qualitative metrics to complement the various
standards when assessing threats and vulnerabilities. Quantitative analysis means being able to come up with
actual costs associated with organizational risks, whereas qualitative analysis is more of an
intangible assessment that prioritizes the identified risks using their probability of occurring, the
corresponding impact, and other factors such as the time frame and risk tolerance.
To give a simplified comparison of quantitative and qualitative analysis, we will use the example of a possible
hospital exploit. In this scenario, a hospital has 1,000 electronic medical records. If these were
compromised, we would have to come up with a cost-benefit analysis or a monetary value, which means
determining the cost associated with the compromise. To assess the actual costs, we could first get in
contact with the patients, create new identification numbers for the files, and create and reissue new ID
cards. After meticulous examination we come up with a figure of $30 per record, so the cost of this
compromise would come out to $30,000 for one thousand records: the cost of each record multiplied by the
number of exploited records. Pretty simplistic, except that this is only one-dimensional; with 500,000
records the cost would be 15 million dollars and would involve greater complexity, which is why a
qualitative approach must now be incorporated.
Continuing the above example, an auditor now walks through the door and says that you have 90
days to deploy the appropriate countermeasures because of a vulnerability he/she observed on the system:
there is no encryption mechanism between the database and the web server, nor encryption on the
database itself, and the system is therefore not in compliance with HIPAA standards. Through further
analysis, such as a code review, we then discover additional vulnerabilities: our assets are prone to an SQL
injection attack (an appended message used to exploit the system and the data within it). Hence, there
have to be controls in place to filter out such an attack.
We now have the cost associated with the vulnerabilities in the system, and the likelihood of
discoverability must be assessed. Using quantitative analysis, the worst-case scenario is that the
compromise of 500,000 records costs 15 million dollars; this is again a one-dimensional evaluation.
We must have a way to assign a risk level to vulnerabilities that takes other factors into consideration. To
keep it simple, we will use a qualitative weighting scale consisting of high, medium, and low ratings. The
information that we have gathered thus far is that the number of records that could be compromised
ranges from 1,000 to 500,000, and the records are valued at $30 each; the data is not encrypted in transit
or at rest; multiple business units can access and modify the data; and the systems are maintained by the
operations group. Lastly, we have an audit requirement to document encryption and apply mitigation
controls. Let's incorporate one additional piece into our assessment: reputation, which encompasses
impact on earnings, consumer confidence, and publicity. We can easily assign a qualitative risk level of
high, as an SQL injection attack is not often detected by system logs and intrusion detection services.
Reputation is at risk from the hospital going public with a loss of 500,000 medical records, and once this
vulnerability is known there will be an increase in this type of attack on hospital systems. We now have the
qualitative cost and the quantitative cost, both of which carry a high risk factor.
Here is where management plays an important role, and why we incorporate the single loss
expectancy (SLE) formula. In this example, we take the value of the asset ($30 in this case) and the
exposure level (500,000) and multiply the asset value by the exposure level, giving an SLE of 15 million
dollars. We then calculate the annual loss expectancy (ALE), which accounts for how many times per year
this loss is expected to occur: take the SLE and multiply it by the annual rate of occurrence (ARO). In this
scenario the database is very new, so we cannot use historical examples to estimate the ARO, and we
therefore cannot come up with an appropriate cost-benefit analysis. So, going back to a qualitative
approach, we would mitigate this risk by customizing intrusion detection signatures for traffic analysis that
poses a threat to the database, and by installing host intrusion detection software on both the web server
and the database server. Due to these initiatives, we now feel comfortable reducing the risk rating from
high to medium. Furthermore, we could reduce the threat level to low via additional code testing, together
with properly configured HIPS (host intrusion prevention software) and IDS tools.
The above is an example of how each organization needs a risk assessment that aligns with its
business objectives. We must emphasize that although both quantitative and qualitative analysis are
useful, most organizations use a qualitative approach. This is why in the next section we will focus our
attention on describing a detailed risk analysis approach that primarily focuses on qualitative metrics.
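The following Python code is an added worked example, not code from the paper. It carries the hospital scenario's SLE and ALE arithmetic through and shows the fallback to a qualitative rating when no annual rate of occurrence can be justified. The $30 per record and the 1,000 and 500,000 record counts are the paper's figures; every ARO value, the control cost, and the "one rating step per mitigation" rule are assumptions made for illustration.

```python
"""Single loss expectancy (SLE) and annual loss expectancy (ALE) for the
paper's hospital scenario, with the qualitative fallback the paper uses
when no annual rate of occurrence (ARO) can be justified.

Added example, not code from the paper. The $30 per record and the
1,000 / 500,000 record counts are the paper's figures; every ARO, the
control cost and the "one rating step per mitigation" rule are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

# Qualitative scale used by the paper: high / medium / low.
RATINGS = ["low", "medium", "high"]


@dataclass(frozen=True)
class Exposure:
    asset_value: float      # value of one unit, here $ per medical record
    exposure_level: int     # units exposed, here number of records
    aro: Optional[float]    # annual rate of occurrence; None = no history


def single_loss_expectancy(exp: Exposure) -> float:
    """SLE = asset value x exposure level (the paper's formulation)."""
    return exp.asset_value * exp.exposure_level


def annual_loss_expectancy(exp: Exposure) -> Optional[float]:
    """ALE = SLE x ARO, or None when the ARO is unknown (new system,
    no historical data), in which case no cost-benefit figure exists."""
    if exp.aro is None:
        return None
    return single_loss_expectancy(exp) * exp.aro


def control_benefit(before: Exposure, after: Exposure,
                    annual_control_cost: float) -> Optional[float]:
    """Net annual benefit of a control = (ALE before - ALE after) minus its
    annual cost. None when either ALE is undefined."""
    ale_before = annual_loss_expectancy(before)
    ale_after = annual_loss_expectancy(after)
    if ale_before is None or ale_after is None:
        return None
    return (ale_before - ale_after) - annual_control_cost


def reduce_rating(rating: str, mitigations: List[str]) -> str:
    """Qualitative fallback: each deployed mitigation lowers the rating one
    step (assumed rule), floored at 'low'. The paper goes high -> medium
    with custom IDS signatures plus host IDS, then -> low with code testing."""
    idx = RATINGS.index(rating)
    return RATINGS[max(0, idx - len(mitigations))]


def assess(exp: Exposure, initial_rating: str,
           mitigations: List[str]) -> dict:
    """Quantitative result when an ARO exists, qualitative result otherwise.
    On the quantitative path the decision rests on the ALE figure, so no
    rating is produced."""
    sle = single_loss_expectancy(exp)
    ale = annual_loss_expectancy(exp)
    if ale is None:
        return {"sle": sle, "ale": None, "basis": "qualitative",
                "rating": reduce_rating(initial_rating, mitigations)}
    return {"sle": sle, "ale": ale, "basis": "quantitative", "rating": None}


if __name__ == "__main__":
    small = Exposure(asset_value=30.0, exposure_level=1_000, aro=None)
    worst = Exposure(asset_value=30.0, exposure_level=500_000, aro=None)
    print("SLE, 1,000 records:   $%.0f" % single_loss_expectancy(small))
    print("SLE, 500,000 records: $%.0f" % single_loss_expectancy(worst))
    # New database, no history: ALE undefined, fall back to qualitative.
    print(assess(worst, "high",
                 ["custom IDS signatures + host IDS", "additional code testing"]))
    # With an assumed ARO the same arithmetic yields a cost-benefit figure.
    with_history = Exposure(30.0, 500_000, aro=0.5)   # assumed: once per 2 years
    mitigated = Exposure(30.0, 500_000, aro=0.25)     # assumed after controls
    print("net benefit: $%.0f" % control_benefit(with_history, mitigated, 1_000_000))
```

The `None` returned by `annual_loss_expectancy` is the point of the example: the SLE is always computable, but without a defensible ARO the ALE, and with it any cost-benefit figure, is not, which is exactly why the paper drops to a qualitative rating for the new database.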
Detailed Security Risk Analysis
Although the majority of organizations make use of the combined approach, for educational
purposes and to cover all areas of risk assessment we have chosen to describe in greater depth the
detailed risk analysis approach, along with its techniques and models, as this approach comprises all the
essential elements needed to optimize IT security safeguards and minimize risk exposure for any corporation.
When first examining an organization's risk profile using this approach, the first area we
examine is the firm's perimeter. This includes system boundaries, system functions, system/data criticality,
and system/data sensitivity. After looking at the system's boundaries, the last step within the first
process of this approach, and probably the most significant, is to identify the assets that need to be
analyzed. As described above, this addresses the first of the three fundamental questions: "What assets do we
need to protect?" An asset is "anything which needs to be protected" because it has value to the
organization and contributes to the successful attainment of the organization's objectives, and may be
either tangible or intangible (Stallings, 480). It includes computer and communications hardware
infrastructure, software including applications, information/data held on these systems, the
documentation on these systems, and the people who manage and maintain these systems. Within the
boundaries identified for the risk assessment, these assets need to be identified and their value to the
organization assessed. It is important to emphasize again that, whilst the ideal is to consider every
conceivable asset, in practice this is not possible. Rather, the goal here is to identify all assets that
contribute significantly to attaining the organization's objectives and whose compromise or loss would
seriously impact the organization's operation (Stallings, 480). Whilst the risk assessment process is
most likely being managed by security experts, they will not necessarily have a high degree of familiarity
with the organization's operations and structures. Thus they need to draw on the expertise of the people
in the relevant areas of the organization to identify key assets and their value to the organization. A key
element of this process step is identifying and interviewing such personnel. Many of the standards
listed previously include checklists of types of assets and suggestions for mechanisms for gathering the
necessary information; these should be consulted and used. The outcome of this step should be a list of
assets, with brief descriptions of their use by, and value to, the organization.
The next area we need to focus on is threat sources, which many times can be identified from past
experience. A threat source can be a natural disaster or a human agent, acting either directly (e.g. an
insider retrieving and selling information, or a hacker targeting a server over the internet) or indirectly
(e.g. as the result of an accident, perhaps the misconfiguration of various routers). The third area
to focus on is threat identification. This addresses the questions "What could cause the organization
harm?" and "How could this occur?" (Stallings, 481). Threats to the assets need to be identified, as well
as the ways in which those threats could affect the systems. To complement this, the next area to be
examined is vulnerabilities. Here we identify exploitable flaws or weaknesses in the organization's IT
systems or processes and determine the applicability and significance of each threat to the organization.
A threat must be combined with a vulnerability to create a risk to an asset. The lists of potential
vulnerabilities in the standards can be used to help determine our own vulnerabilities. After this
step, one must determine what controls are already in existence, in order to reduce redundancy and
eliminate wasteful spending.
Determining Overall Risk Exposure by Making Use of Qualitative Risk Rating Tables
The first table that will be applied will consist of a rating, a likelihood description, and an expanded
definition to determine the overall likelihood that an asset will be compromised. This can be seen in the
following table (Stallings, 483):
Table 1.
The next essential step is to create a table that determines the consequence if a specified asset or a
number of assets are exploited. This table comprises a rating, the rating of the consequence to
the organization (from insignificant to a Doomsday scenario), and an expanded definition that
briefly describes the magnitude of the impact and the repercussions to the overall organization. See the
example below (Stallings, 484-485):
Table 2.
Finally, based on the likelihood that a threat will occur and the impact it will have on the organization,
we can create another table by correlating the two previous variables to qualitatively detail the risk level
assigned to each combination. This table is called Risk Level Determination and Meaning, and can be found
below (Stallings, 486):
Table 3.
In our final table, we create what is known as the Risk Register, which allows management to
separate the assets that require treatment from the assets that do not. The Risk
Register consists of the identified asset; the threat/vulnerability; the existing controls that are
already in place; the likelihood that each identified threat could occur and cause harm to an identified
asset; the consequence, which indicates the impact on the organization should a particular asset or
assets be compromised; the level of risk; and the priority of the risk (Stallings, 486):
Table 4.
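The following Python code is an added example, not the paper's or Stallings' tables. It encodes the structure just described: a likelihood table, a consequence table, a risk level determination that combines the two, and a risk register that assigns each entry a level and a priority. The rating names follow the paper (likelihood from rare to almost certain, consequence from insignificant to Doomsday, risk levels low/medium/high/extreme), but the numeric scores, the score bands that map to a risk level, the tie-break rule and the register entries are all assumptions constructed for illustration; the asset categories loosely follow the ones the paper ranks in its Barrick case study.

```python
"""Qualitative risk rating tables and a risk register, in the structure the
paper describes (likelihood table, consequence table, risk level
determination, register with priority).

Added example, not the paper's or Stallings' tables. Rating names follow
the paper; the numeric scores, the score bands and the register entries
are assumptions constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List

# Table 1 (assumed numeric scale): likelihood that a threat materializes.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4,
              "almost certain": 5}

# Table 2 (assumed numeric scale): consequence to the organization.
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4,
               "catastrophic": 5, "doomsday": 6}

# Risk levels that require treatment (avoid / transfer / reduce) rather
# than acceptance. Assumed policy threshold.
TREATMENT_REQUIRED = {"high", "extreme"}


def risk_level(likelihood: str, consequence: str) -> str:
    """Table 3: combine likelihood and consequence into a risk level.
    Score = likelihood x consequence (1..30); the bands are assumed."""
    score = LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]
    if score >= 20:
        return "extreme"
    if score >= 12:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


@dataclass
class RegisterEntry:
    asset: str
    threat_vulnerability: str
    existing_controls: str
    likelihood: str
    consequence: str
    level: str = field(init=False)
    priority: int = field(init=False, default=0)

    def __post_init__(self):
        # Reject ratings that are not on the tables instead of guessing.
        if self.likelihood not in LIKELIHOOD or self.consequence not in CONSEQUENCE:
            raise ValueError("unknown likelihood or consequence rating")
        self.level = risk_level(self.likelihood, self.consequence)

    @property
    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]


def build_register(entries: List[RegisterEntry]) -> List[RegisterEntry]:
    """Table 4: assign priorities (1 = most urgent) by descending score;
    ties are broken by consequence so safety-critical assets rank first."""
    ordered = sorted(entries,
                     key=lambda e: (e.score, CONSEQUENCE[e.consequence]),
                     reverse=True)
    for rank, entry in enumerate(ordered, start=1):
        entry.priority = rank
    return ordered


def needs_treatment(entry: RegisterEntry) -> bool:
    """Management decision point: accept the risk, or treat it."""
    return entry.level in TREATMENT_REQUIRED


# Constructed entries (not from the paper's register).
SAMPLE_ENTRIES = [
    RegisterEntry("SCADA nodes and network", "loss of sensor monitoring in the mine",
                  "redundant links, UPS", "likely", "catastrophic"),
    RegisterEntry("Stored files and database", "unauthorized access to M&A data",
                  "ACLs, audit logging", "possible", "major"),
    RegisterEntry("Email", "phishing / malicious attachments",
                  "spam filter, antivirus", "likely", "minor"),
]


def print_register(entries: List[RegisterEntry]) -> None:
    for e in build_register(entries):
        print(f"{e.priority}. {e.asset:<28} {e.level:<8} "
              f"treat={needs_treatment(e)}  ({e.likelihood} x {e.consequence})")


if __name__ == "__main__":
    print_register(SAMPLE_ENTRIES)
```

The register is only as good as the two input ratings, so `RegisterEntry` refuses a rating that is not on the tables rather than silently scoring it; in practice those ratings come from the interviews with business owners described earlier in this section.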
The Risk Register then allows executive management to accept the risk, avoid the risk, transfer the
risk, reduce the consequences, or reduce the likelihood. Making use of these models and techniques
allows an organization to handle attacks more efficiently and effectively by mitigating its risk
profile while incorporating best practices.
Case Study Barrick Gold
To further discuss risk assessment, we decided to take a detailed look at a well-known publicly
traded organization, primarily because it makes use of Supervisory Control And Data Acquisition (SCADA)
systems (Barrick Goldstrike Wireless Presentation). The use of SCADA is pronounced and prevalent
among many organizational systems that are vital to the United States' infrastructure. Prior to 9/11, this
may not have been seen as a high priority, but because we are in the midst of potential cyber warfare
among various countries around the globe, any attack on such systems can cause significant economic
impact to the US. To give a few examples, SCADA is deployed to monitor and control electric power
generation, transmission and distribution, water and sewage, mass transit, traffic signals and various
other industrial systems. Typically, mining companies have a much greater risk tolerance, but due to
the growing number of attacks on a multitude of corporations and governments around the world,
Barrick Gold has taken this threat quite seriously, especially when it comes to the safety of its
employees.
Barrick Gold trades on the NYSE under the ticker ABX and is a Canadian-based company
formed in 1983. It engages in the production and sale of gold and copper, with production, exploration
and development projects located in North and South America, the Australia-Pacific region and Africa.
It currently has 26 operating mines, with annual revenues of around 14.31 billion dollars, total cash
on hand of 2.74 billion dollars and debt of 13.37 billion dollars. Its stock currently trades at a multiple of
around 10.9 times earnings, and it is anticipated to trade over the next year and a half at 8 times
earnings. In April 2011, Barrick acquired Equinox Minerals for around 7.3 billion Canadian dollars. This
acquisition, along with other acquisitions, adds further complexity to the organization. Therefore, risk
analysis is of extreme significance, because disparate systems need to be integrated together with an
appropriate assessment of IT security issues.
In making use of the combined approach, we must not forget that detailed risk analysis is an
important part of this technique. Therefore, instead of going into great detail on the identification of
assets, threats, vulnerabilities and so forth, below we have provided a hypothetical risk register model
that we believe would address many of the company's IT security concerns. This in turn would aid Barrick
in analyzing and driving action to minimize the likelihood of a risk occurring, reduce the visibility of the
risk, increase the ability to handle the risk should it occur, and reduce the impact of the risk. As can be
seen in the risk register below, the reliability of the SCADA nodes and network was given the highest risk
priority, primarily because of the safety of the workers in the mine: among other things, the SCADA
systems monitor temperature by placing various sensors throughout the mine, and if, for example, the
system went down and the miners had no access to oxygen, there could be a significant number of
fatalities. On the other end of the spectrum is email, which was viewed as the least significant. One
other thing to take note of is that we believed the integrity of the stored file and database information
was second in risk priority. One reason for this is that it is of extreme importance not to allow access
to any opponent who may want information on, let's say, company-specific M&A activity, from which they
could retrieve insider information to benefit financially. See the table below (Stallings, 490):
Table 6.
Conclusion
As we turn from centralized systems to more distributed systems, the potential for
attacks to propagate has increased dramatically. Furthermore, as technology has continued its rapid
advancement, so too has the technology created and deployed by attackers or opponents. Therefore, it
is an absolute necessity to create checks and balances in governance by using a systematic approach to
alleviate these threats. IT security management and risk assessment help to mitigate this problem. All
organizations must use best practices in the area of IT security management and risk assessment. If this
is done successfully, through the policies, procedures and standards described in this paper,
organizations and governments will effectively safeguard their assets. It must be further stated that it is
virtually impossible to protect against every type of vulnerability. However, deploying and
implementing the proper framework, along with a thorough risk assessment of all assets,
vulnerabilities, threats, and countermeasures, will vastly decrease the risk of exploitation. This will allow
sovereign states and organizations around the world to put in place and use the appropriate controls, some
of which include antivirus software, antispyware software, firewalls, encryption of data in transit and at rest,
intrusion detection systems, intrusion prevention systems, and so on. A recent Bloomberg
Government study found that spies, criminals, and hacker activists are stepping up assaults on US
government and corporate systems (Engleman and Strohm). The study also stated that companies,
including utilities, banks, and phone companies, will have to spend almost 9 times more on cyber
security to prevent a digital Pearl Harbor from plunging millions into darkness, paralyzing the financial
system, or cutting communications. The article cited above is a clear indication that IT security
management and risk analysis must be an essential ongoing process to prevent such an event from
occurring.
References
1. Ameerally, Imran. "Risk Assessment: An Overview." Republic of Mauritius, Ministry of IT and Telecommunications, 01 Dec. 2006. Web. 20 Feb. 2012. <http://www.gov.mu/portal/sites/ncbnew/security/1dec/Risk%20Assessment.ppt>.
2. "Barrick Goldstrike Wireless Presentation." WMEA Technical Papers. Western Mining Electrical Association. Web. 20 Feb. 2012. <http://www.wmea.net/Technical%20Papers/Barrick%20Goldstrike%20Wireless%20Presentation.pdf>.
3. De Bie, Veronique. "IT Security Management Standards for Today's Businesses." Lsec.com. L-SEC, 20 Jan. 2006. Web. 20 Apr. 2012. <www.lsec.be/upload_directories/documents/standard2006.pdf>.
4. Engleman, Eric, and Chris Strohm. "Cybersecurity Disaster Seen in U.S. Survey Citing Spending Gaps." Bloomberg. Bloomberg, 31 Jan. 2012. Web. 20 Apr. 2012. <http://www.bloomberg.com/news/2012-01-31/cybersecurity-disaster-seen-in-u-s-survey-citing-spending-gaps.html>.
5. "How Business and Entrepreneurship Can Shine Your Life." Risk Analysis Business Basics. Business Basics, 21 Oct. 2010. Web. 17 Apr. 2012. <http://www.treatyoakmaps.com/?p=43>.
6. "Information Security Policy Templates." SANS. Web. 20 Feb. 2012. <http://www.sans.org/security-resources/policies/>.
7. "ISO - International Organization for Standardization." International Organization for Standardization. Web. 20 Feb. 2012. <http://www.iso.org/iso/home.htm>.
8. Namestnikov, Yury. "Kaspersky Security Bulletin. Statistics 2011." SecureList.com. Kaspersky Lab ZAO, 1 Mar. 2012. Web. 18 Apr. 2012. <http://www.securelist.com/en/analysis/204792216/Kaspersky_Security_Bulletin_Statistics_2011>.
9. Pepitone, Julianne. "'Massive' Credit Card Data Breach Involves All Major Brands." CNNMoney. Cable News Network, 30 Mar. 2012. Web. 18 Apr. 2012. <http://money.cnn.com/2012/03/30/technology/credit-card-data-breach/index.htm>.
10. Perlroth, Nicole. "Inside the Stratfor Attack." Bits Blog. New York Times, 12 Mar. 2012. Web. 18 Apr. 2012. <http://bits.blogs.nytimes.com/2012/03/12/inside-the-stratfor-attack/>.
11. "Risk Assessment Case Study." The Security Risk Management Toolkit. Web. 20 Feb. 2012. <http://www.risk.biz/case.html>.
12. Stallings, William, Lawrie Brown, Michael D. Bauer, and Michael Howard. "Chapter 16 IT Security Management and Risk Assessment." Computer Security: Principles and Practice. Upper Saddle River, NJ: Prentice Hall, 2008. Print.
13. Stallings, William, Lawrie Brown, Michael D. Bauer, and Michael Howard. "Chapter 14 IT Security Management and Risk Assessment." Computer Security: Principles and Practice. 2nd ed. Upper Saddle River, NJ: Prentice Hall, 2011. Print.
14. Verheul, Eric. "Practical Implementation of ISO 27001 / 27002." Security in Organizations. Radboud University, 2011. Web. 20 Feb. 2012. <http://www.cs.ru.nl/~klaus/secorg/Slides/02_IS_IMPL_20v0.51.pdf>.
15. Watson, Keith A. "Security Management Practices." Secure Purdue. Purdue University. Web. 20 Feb. 2012. <http://www.purdue.edu/securepurdue/docs/training/SecurityManagementPractices.ppt>.