The Significance of IT Security Management & Risk Assessment

An overview of IT Security Management, which is comprised of standards, policies, plans, and procedures as well as risk assessment and the various techniques and approaches to minimize an organization’s financial impact due to the exploitation of numerous organizational assets.

Submitted by Brent Mohring & Bradley Susser
Information Security & Controls / Information Security Management
April 20, 2012

Table of Contents

Summary (p. 3)
Introduction (p. 3)
Fundamentals of IT Security Management (p. 3)
Organizational Context and Security Policy (p. 10)
Developing a Security Policy (p. 12)
Case Study ING: Making use of COBIT and Other Standards (p. 14)
Security Risk Assessment (p. 15)
Risk Assessment Approaches (p. 16)
Quantitative and Qualitative Risk Analysis (p. 18)
Detailed Security Risk Analysis (p. 20)
Case Study Barrick Gold (p. 25)
Conclusion (p. 27)
Works Cited (p. 29)

Summary

The proliferation of attacks on organizational networks and systems has created a global phenomenon, one which was not foreseeable by many information technology pioneers. This is evident in Kaspersky Lab data: in particular, the report stated that the number of browser attacks in 2011 increased from 580 million to around 946 million (Namestnikov). Due to this paradigm, IT Security Management and risk assessment have become an essential element that must be incorporated across all non-governmental organizations as well as those in the public sector. In this paper, we will analyze IT Security Management, Organizational Policies, and Risk Assessment.

Introduction

IT Security Management encompasses how different organizations select, plan, implement, and review their IT security methods. Taking this a step further, it is essential to align IT security risk assessment with business objectives as well as organizational size. Risk assessment is the analysis and identification of specific threats and vulnerabilities of an organization’s assets to help determine levels of risk. This paper will therefore cover the approaches described in ISO 13335: the baseline approach, the informal approach, the detailed risk analysis approach, and the combined approach. Furthermore, we will provide a brief overview of both the quantitative and qualitative paradigms, along with a case study that helps show why risk analysis is significant and essential to all organizations spanning all industry segments. Finally, you will be able to see how organizations can minimize risk while maximizing profits by implementing the proper countermeasures along with industry best practices.

Fundamentals of IT Security Management

IT Security Management is the formal process of answering three fundamental questions: What assets do we need to protect? What are the threats to these assets? What countermeasures can be used? (Stallings, 467). To answer the first question, an asset must be defined. An asset is anything that an organization has or owns. It can be something physical like a computer, a server, or a database. It can also be something like a competitive advantage or a company’s reputation amongst its customers. These are intangible assets. The second question addresses the threats to those assets. A computer network might be threatened by something that could harm it, like a virus, or by a competitor analyzing the network to make determinations about how the company operates. A physical asset may be computer servers that are threatened by physical-world events like power outages or floods. Once an organization has identified the threats to its assets, it will need to understand what countermeasures it can employ to protect those assets or mitigate the damage to them. These countermeasures can be computer security products like firewalls or software protection, or physical protection like biometric locks. Another important term is vulnerability. A vulnerability is a weakness in an asset or group of assets which can be exploited by a threat, like an unsecured network, or a building with a high level of foot traffic near secure systems.

The basics of IT security management include determining the security objectives and general risk profile of the company, performing an IT Security Risk Assessment on each asset in the organization, creating management, operational and technical controls, identifying whether risks can be reduced to an acceptable level or can simply be accepted, selecting controls, writing plans and procedures for implementing the controls, determining whether the plan meets the security objectives, and planning to maintain, adapt and upgrade the controls (Stallings, 470). As for the risk profile, every company is different, so depending on a number of factors, such as its size, industry, location, and technology, it needs to determine what its objectives are: what security it needs, how much security it wants to take on, and how much risk it is willing to accept. A large, established company with a lot to lose might want to take on more security and have a lower risk. A startup company might not have the resources for a full security suite and may try to go without some proper security to save money and gain a competitive advantage in its market. For the asset risk assessment, ideally every asset in the company, or at least every asset that is critical to the organization’s business objectives, should have a risk assessment to determine the most cost-effective way to protect the asset with an acceptable amount of risk to the company. For identification of risks, there might be a risk that is a low threat or that would have a low impact on the company if it happened, and it may cost a lot to try to protect the vulnerability, so a company may strategically choose not to protect against that risk. The next step is for the organization to select what controls it will use, and write up the plans and procedures for how its security will work. Some examples of management controls are planning, assessments and services. Some examples of operational controls are maintenance, protections implemented, and training programs. Technical controls are security services, audits, and access control (Stallings, 482-483). These controls combine to ensure appropriate levels of security. Once the plan is written, it can be compared to the security objectives to make sure that the goals are met. The company will then create a plan to keep the system constantly working and upgrading. The security management process is cyclic: the company’s assets and security concerns will constantly be changing due to changes in business, the rapid advancement of technology, and the changing risk environment, so the company will have to keep reevaluating its security plans and changing them.

When deciding how to plan IT security management, a company can first look at international standards for IT security. As companies can be audited on their security, it is best for them to examine the standards and their best practices. One important standard is from the ISO; the International Standards Organization has consolidated its standards into the ISO 27000 series. Specifically, ISO/IEC 27000:2009 provides an overview of information security management systems.

ISO Security Standards (Stallings, 468): [table of standards not reproduced in this transcript]

The above table displays recently adopted standards. Another standards group is NIST, the National Institute of Standards and Technology. It has standards on IT security management in NIST02 and NIST09. Organizations are being audited more frequently now, after corporate governance issues like the Enron collapse and government organizations losing personal data. These standards are especially important today, as organizations are expected to follow them to protect against losing their data. Recently, a company called Stratfor was hacked, and this intelligence report company is having its private documents leaked to the press (Perlroth). MasterCard and Visa also had their databases of customer information hacked (Pepitone). So organizations need to strictly adhere to these standards.

One important standard is ISO 13335, comprising security techniques on IT network security and management of information and communications technology security. It has chapters on topics like securing remote access, securing communications across networks using virtual private networks, selection of safeguards, and guidance on network security.

After reviewing international standards, let’s review the full definition of IT Security Management: a process used to achieve and maintain appropriate levels of confidentiality, integrity, availability, accountability, authenticity, and reliability. Its functions are to (Stallings, 471-472):

• Determine objectives, strategies, policies
• Determine security requirements
• Identify and analyze threats, risks
• Specify and monitor safeguards or countermeasures
• Monitor implementation and operation to protect information and services in a cost-effective manner
• Detect and react to incidents
• Develop a security awareness program

As with all business and IT projects, security implementations will need the backing of high-level corporate employees, like the CIO. Without that support, they won’t have the funding, resources, or attention needed to be implemented. In instances like this, an IT employee may have to lobby and convince them of the necessary work to be done. The best way to do this is to tie the security to the organization’s key business objectives, and show how the cost of not implementing the security, the risk, is greater than the cost of implementing the security. This will be shown in the risk assessment section. There will always be a need for management in the security process; it won’t end once all of the controls are set up and the systems are running.

Delving further into how to approach management, a process model can be used to show the processes of IT security management. It establishes security policy, objectives, processes and procedures; performs risk assessment; creates an inclusive risk treatment plan with selection of controls and acceptance of risk; implements the risk treatment plan; and maintains and improves the implementation plan in response to risk incidents. The process works in a security framework, like the one below (Stallings, 469):

At the top, you have the organizational aspects coupled with the IT security policy, which defines and drives the rest of the process. There are four different security risk analyses listed here for the organization to choose from. Once an assessment type is selected, the company selects the controls to be used, and begins to develop the security plan and procedures that are shaped from all of the previous selections. The next stage is Implementation, with the implementation of controls as well as security awareness and training. The last phase does not end the process, but it is the phase that the company will spend a lot of time in. The Follow-Up phase contains the maintenance of the systems, the changing of processes to match new security compliance requirements, and the handling of incidents when threats arrive. That includes detection, response, recovery, and documenting the incident for the future. We want to point out that the Follow-Up has an arrow showing that it eventually leads back to the rest of the process as the security policy gets revised and the implementation starts over. In addition, management is significant and must be proactive in incorporating standards, policies, and guidelines to optimize the system to align with and meet business objectives. This in turn will effectively make the organization more efficient by minimizing risk and maximizing profits. Getting to an actual process model, the process model we’ll be looking at is shown below (Stallings, 470):

In the textbook, this is described as the Plan-Do-Check-Act process model. This model is from the ISO 27000 series of standards and it is for managing information security. It’s similar to the framework graph displayed previously. The first step is Plan. The Interested Parties, the executives or experts who are deciding the information security needs of the organization, will plan for possible and probable events. They establish a security policy, objectives, processes and procedures that are relevant to managing the risk and improving information security to deliver results in accordance with an organization’s overall policies and objectives. The second phase is Do: this is the main implementation phase, when you implement and operate the security policy, controls, processes and procedures. The third phase is Check: you assess and, where applicable, measure process performance against security policy, objectives and practical experience, and report the results to management for review. The fourth phase is Act: you take corrective and preventive actions, based on the results of the internal security audit and management review or other relevant information, to achieve continual improvement of the security management process. The process model fits into the framework model. You can see that everything in the process (the policy, organizational risk analysis, control selection and development of the security plan and procedures) is all of the Plan phase, and the implementation of controls and training is all the Do phase. The Follow-Up maintenance, security compliance, change management and incident handling are the Check phase, and the feedback from the Follow-Up becomes the Act phase as you go back and change the security framework based on the results from the Follow-Up.

Organizational Context and Security Policy

Relating security to the role it plays within an organization, and examining that role, is part of the Organizational Context section. The organizational security policy describes what the objectives and strategies are, and the process used to achieve them. The intent of the policy is to provide a clear overview of how an organization’s IT infrastructure supports its overall business objectives in general, and more specifically what security requirements must be provided in order to do this most effectively. The organizational or corporate security policy can be a single large document, or a set of related documents. The objectives are IT security outcomes, and the strategies are how to meet the objectives. The policies identify the processes to be done, and must be maintained and updated regularly with periodic reviews of security. An IT system’s role in the organization may change over time. The costs of IT security should lower business risks to increase profitability for the organization, even if that has to entail additional capital expenditures. SANS defines the terms: “A policy is typically a document that outlines specific requirements or rules that must be met. In the information/network security realm, policies are usually point-specific, covering a single area. A standard is typically collections of system-specific or procedural-specific requirements that must be met by everyone. A guideline is typically a collection of system specific or procedural specific "suggestions" for best practice. They are not requirements to be met, but are strongly recommended” (Information Security Policy Templates). We will be focusing on policy in this presentation as the chart branches down to the subset of the functional policy branch (Watson, 7):

The above Security Policy Map is from Purdue University. Policies are statements of management intentions and goals, and this chart shows how policies affect the organization’s processes. This is an example of security governance. You can see how the laws, regulations, security requirements, organizational goals and business objectives all come together to influence and create the General Organizational Policies, which lead down to the functional policies of the decided-upon Procedures, Standards, Guidelines and Baselines. Procedures are detailed steps to perform a specific task that is dictated by policy: handling resources, adding and deleting user accounts, change management, etc. (Watson, 9). Standards specify the use of specific technologies in a uniform manner and require uniformity throughout the organization. Examples include operating systems, applications, server tools, and router configurations (Watson, 10). Guidelines are recommended methods for performing a task; they are not required. Examples are malware cleanup, spyware removal, data conversion, and sanitization (Watson, 11). Baselines are similar to standards but account for differences in technologies and versions from different vendors, like different operating systems or system versions (Watson, 12).

Developing a Security Policy

To develop a security policy, you would first list the key organizational security objectives. For example, a large company that already has a lot of data might be a big target, as people want to access that data, so it might want tighter security controls, while a newer or smaller company may not be an immediate target, and it would not make as much sense for it to try to develop elaborate security controls. Next you would develop broad strategy statements that answer questions such as “How will objectives be met?” and “How will we maintain consistency across our organization?” Finally, you will factor in the identified objectives, as well as other key points such as the size of the organization. Some important questions to ask during the development of the security policy are: “What are the aspects of the organization that require IT support to function efficiently?”, “What are the tasks that can only be performed with IT support?”, “Which essential decisions depend on accuracy, currency, integrity, or availability of data managed by IT systems?”, “What data that is created, managed, processed and stored by the IT systems needs protection?”, and “What are the consequences to the company of an IT system security failure?” (Stallings, 471). You’ll need to tie these questions to the critical business objectives of the organization. For example, a retail web site relies on its online order processing system to make money, so that is a critical process, and the organization will need to know how much money it could lose for each time period that the site is down. The security policy should address the following points (Stallings, 471-472):

• Scope and purpose, including the relation of objectives to business, legal, and regulatory requirements
• IT security requirements: confidentiality, integrity, availability, accountability, authenticity and reliability
• Assignment of responsibilities for security employees
• The organization’s risk management approach
• Security awareness and training
• General personnel issues and any legal sanctions for those in positions of trust
• Integration of security into systems development and procurement
• The information classification scheme to be used across the organization
• Incident detection and handling processes
• How and when the policy is reviewed, and change control for it

Lastly, I’d like to touch on the Organizational IT Security Officer. A company should have a single person for overall supervision of security: an Organizational IT Security Officer. Because the responsibility for IT security is shared across the organization, there is a risk of inconsistent implementation of security, and a loss of central monitoring and control. The various standards strongly recommend that overall responsibility for the organization’s IT security be assigned to a single person, the Organizational IT Security Officer. This position has the key responsibilities of oversight and management of the IT security process, liaison with senior management, maintenance, response to incidents, interaction with IT project management security officers, investigation of incidents, and development of IT security awareness and training programs (Stallings, 473). The officer should keep policies consistent. As the company grows, the officer may manage teams who manage processes in their areas.

Case Study ING: Making use of COBIT and Other Standards

To further make the case for how standards can significantly reduce an organization’s risk profile, we have explored and examined the initiatives taken by ING Group (Le Bie): its use of information technology governance and tools, along with a strong IT security management commitment, to safeguard against attacks while meeting regulatory compliance, including Sarbanes-Oxley and Basel II. ING Group is a financial services company that provides banking, investment, life insurance and retirement services on a global scale. A case study written in 2006 by the IT Governance Institute (ITGI), an organization established in 1998 to advance international thinking in standards for IT, describes in detail how ING Group was able to successfully execute what ITGI calls the Val IT initiative along with control objectives for information-related technology. One of the processes that the Val IT framework encompasses is investment management, which in turn should come at an affordable cost with an acceptable level of risk. This process, along with the other two that make up Val IT, is backed by empirical research, a common methodology, and supporting publications and services. ING then integrated Val IT with COBIT, which incorporates best practices enabled by key controls measured by outcome and performance metrics, and key management practices that provide a disciplined approach to addressing information security issues. In simple terms, Val IT asks the strategic question “Are we doing the right things?” and the value question “Are we getting the benefits?”, and the COBIT framework asks the architectural question “Are we doing them the right way?” and the delivery question “Are we doing them well?” Both methodologies, if used correctly, can help a firm’s IT infrastructure support business objectives, maximize business investment in IT, and, most importantly, administer IT-related risks, which as you will soon see is distinctively the case for ING. At the time of this study, ING reported in its 2005 annual financials a profit before taxes compared to full-year 2004 results of 19.4% to 18.5 million euros, while earnings per share rose 22.7%. ING places extreme importance on IT security by implementing a hierarchy offering checks and balances: at the top is the executive board, second from the top is the procurement policy board, and third from the top is an information risk steering committee, which examines security measures and is more aligned with the topic of this paper. Looking further ahead, the global economic downturn did impact ING’s operations and market capitalization, but with the company’s proper IT security management in place it fared far better than many of its peers. That is to say, it was not significantly adversely impacted, due to the lack of any compliance issues arising from its strict IT security policy and procedures, and in looking at the organization as a whole we were unable to see any evidence that ING’s networks or critical data were exploited in any way. The standards put in place by this financial institution also aided in implementing a stringent risk policy that spanned the entire firm, resulting in improved risk assessment, which reduced the need for costly provisions. ING’s active management in the area of IT security deserves to be commended, which is why, to date, the company has not been exploited and has continued to remain profitable, with annual gross profit of around 12.47 billion dollars and total topline numbers at around 70 billion dollars.

Security Risk Assessment

After creating a framework for an organization’s IT Security Management policies, standards and procedures, the most integral part of IT security is assessing risk to the organization’s assets as a whole. Assessing security resources is therefore essential to mitigating financial loss: some risks will be addressed while others will not be addressed properly. It is therefore imperative that an organization makes use of an approach that also aligns IT security objectives with the overall business objectives. Before further discussing the various approaches to risk analysis, we must define what risk is. Risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. In simple terms, risk is the probability of a threat occurrence multiplied by the cost to the organization, or risk = probability * cost. In practice, it is difficult to determine, but there are many approaches that can be used. We must further emphasize, before describing these various approaches, that each of these risk assessment methodologies needs to address rapid changes in IT technology as well as in the risk environment by incorporating a cyclic process. In other words, the process of risk analysis is never ending.
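As an added illustration that is not part of the original paper, the risk = probability * cost definition above, together with the earlier point that a control is justified when the risk of not implementing it exceeds its cost, can be worked through on a small risk register. Every asset, threat, probability, cost figure and control below is a constructed assumption; the first entry reuses the retail-site outage case from the policy section, where the cost of an event is the revenue lost for each hour the site is down.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Control:
    """A countermeasure: its yearly cost and the fraction of the threat it removes."""
    name: str
    annual_cost: float
    probability_reduction: float = 0.0  # fraction of yearly probability removed (0..1)
    cost_reduction: float = 0.0         # fraction of per-event cost removed (0..1)


@dataclass
class Risk:
    """One (asset, threat) pair from the register, optionally with a proposed control."""
    asset: str
    threat: str
    annual_probability: float  # expected occurrences per year
    cost_per_event: float      # loss to the organization if the threat occurs
    control: Optional[Control] = None


def expected_loss(probability: float, cost: float) -> float:
    """The paper's definition: risk = probability * cost (an annualized expected loss)."""
    return probability * cost


def inherent_loss(r: Risk) -> float:
    """Expected yearly loss with no control in place."""
    return expected_loss(r.annual_probability, r.cost_per_event)


def residual_loss(r: Risk) -> float:
    """Expected yearly loss after the proposed control reduces probability and/or cost."""
    if r.control is None:
        return inherent_loss(r)
    p = r.annual_probability * (1.0 - r.control.probability_reduction)
    c = r.cost_per_event * (1.0 - r.control.cost_reduction)
    return expected_loss(p, c)


def control_net_benefit(r: Risk) -> float:
    """Risk removed by the control minus what the control costs per year.
    Positive means the cost of NOT implementing (the risk) exceeds the cost of implementing."""
    if r.control is None:
        return 0.0
    return inherent_loss(r) - residual_loss(r) - r.control.annual_cost


def decide(r: Risk, acceptable_loss: float) -> str:
    """Accept or mitigate, following the paper: a risk within the acceptable level is
    accepted, and a control that costs more than the risk it removes is not worth buying."""
    if inherent_loss(r) <= acceptable_loss:
        return "accept: within acceptable risk level"
    if r.control is None:
        return "mitigate: control needed, none proposed yet"
    if control_net_benefit(r) > 0:
        return "mitigate: control pays for itself"
    return "accept: control costs more than the risk it removes"


def outage_risk(asset: str, outages_per_year: float, hours_per_outage: float,
                revenue_per_hour: float, control: Optional[Control] = None) -> Risk:
    """Builds the retail-site case: cost per event is revenue lost for the hours down."""
    return Risk(asset, "site outage", outages_per_year,
                hours_per_outage * revenue_per_hour, control)


def assess(register: List[Risk],
           acceptable_loss: float) -> List[Tuple[str, str, float, float, str]]:
    """Runs every entry of the register through the decision; one row per risk."""
    return [(r.asset, r.threat, inherent_loss(r), residual_loss(r), decide(r, acceptable_loss))
            for r in register]


# Constructed sample register; all figures are illustrative assumptions.
SAMPLE_REGISTER = [
    outage_risk("online order system", outages_per_year=4, hours_per_outage=3,
                revenue_per_hour=5_000,
                control=Control("redundant hosting", annual_cost=20_000,
                                probability_reduction=0.75)),
    Risk("server room", "flood", annual_probability=0.02, cost_per_event=400_000,
         control=Control("raised floor and pumps", annual_cost=12_000,
                         probability_reduction=0.9)),
    Risk("sales laptop", "theft", annual_probability=0.5, cost_per_event=3_000,
         control=Control("full-disk encryption", annual_cost=500, cost_reduction=0.8)),
]
ACCEPTABLE_LOSS = 2_000  # assumed acceptable expected loss per risk per year


if __name__ == "__main__":
    for asset, threat, inherent, residual, decision in assess(SAMPLE_REGISTER, ACCEPTABLE_LOSS):
        print(f"{asset:20} {threat:12} inherent={inherent:>9,.0f} "
              f"residual={residual:>9,.0f}  {decision}")
```

The flood entry shows the case the paper describes where a risk is strategically accepted: the control would remove most of the expected loss, but its yearly cost exceeds the loss it removes.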

Risk Assessment Approaches

A number of organizations, such as NIST and ISO, have developed numerous standards for IT risk assessment over the years. In this paper, we will focus on those that encompass the ISO 13335 series. This includes the baseline approach, the informal approach, the detailed risk analysis approach, and the combined approach.

The baseline approach measures information security in several categories, to analyze the gap between the current status and the necessary level. A baseline approach implements safeguards to protect against the most common threats. It contains generalized standards and “best industry practices.” This approach implements basic, general-level security controls, and is best for small organizations (Stallings, 474). Some advantages are that capital expenditures are reduced by minimizing the use of resources, and that this approach can be duplicated over a range of systems (it is easy, cheap, and easily replicated). The disadvantages are that no special consideration is given to variations in the organization’s risk exposure (such as who they are and how systems are used). As a result of this lack of consideration for the specific organization, the baseline can be set too high, leading to unnecessary capital expenditures, or too low, leading to increased security risks and opening up more vulnerabilities.

The informal approach implements risk analysis by drawing on individual knowledge and experience. This approach is suitable for small and mid-size organizations. The advantages of this approach are that it usually does not require a lot of resources or time. Individuals who perform this analysis do not require additional skills or training, so an informal risk assessment can be performed fairly quickly and cheaply. This approach, unlike the baseline approach, does address the organization’s specific systems and issues, allowing for more targeted controls. The disadvantages of this approach are that it is highly dependent on the skills of the person in charge, and the likelihood of missing some important details will leave the organization vulnerable. Also, particular prejudices of the individuals may influence the results, and this may also cause an increase in capital expenditures that may be unnecessary. Based on the above disadvantages, the informal approach may not be effective for many organizations.

Detailed risk analysis involves in-depth identification and valuation of all information assets, the assessment of threats to those assets, and assessment of vulnerabilities. This is a more comprehensive approach, including numerous stages, and is suitable for large organizations with IT objectives that are critical to their business objectives, or for governmental agencies. Also, legal requirements may mandate a detailed risk analysis. DRA has continued to evolve due to the development of trusted computer systems, and a number of standards encompass this approach, which we will not elaborate on. This is the most comprehensive approach, and it provides the most detailed examination of an organization’s security risks. It has the strongest justification for expenditure on controls. Its disadvantages are the significant cost, time, resources and expertise needed to perform the analysis, and an analysis that takes too much time may take time away from other vulnerabilities. This type of analysis is typically performed as a legal requirement for government organizations and businesses providing key services to them.

The combined approach is a combination of the baseline approach and the detailed analysis approach. It has many advantages, including an initial high-level analysis rather than a full detailed risk analysis of all systems, which may be easier to sell to management. The use of baseline and informal analysis in this approach ensures that a basic level of security protection is implemented early on, and because the process is fast, resources are likely to be applied where they are most needed, and the systems most at risk are likely to be examined further early in the process. The disadvantage is that a high-level analysis can be inaccurate, in contrast to a detailed risk analysis, which creates a greater chance of missing a vulnerability. For most organizations, however, the chance of this disadvantage materializing is very small, so this approach is the one that should be, and in fact most commonly is, used.

Quantitative and Qualitative Risk Analysis

There are a number of approaches, as reviewed above, and for obvious reasons we will compare the detailed risk analysis approach later in this paper. One must also understand that many of these approaches can make use of either quantitative or qualitative metrics to complement these various standards in assessing threats and vulnerabilities. Quantitative analysis is the ability to arrive at actual costs associated with organizational risks, whereas qualitative analysis is a more intangible assessment that prioritizes identified risks using their probability of occurring, the corresponding impact, and other factors such as the time frame and risk tolerance.

As a simplified comparison of quantitative and qualitative analysis, we will use the example of a possible hospital exploit. In this scenario, a hospital has 1,000 electronic medical records. If these were compromised, we would have to come up with a cost-benefit analysis or a monetary value. One way of doing this is to determine the cost associated with the compromise: we would first contact the patients, create new identification numbers for the files, and create and reissue new ID cards. Under meticulous examination you arrive at a figure of $30 per record, so the cost of the compromise would come out to $30,000 for one thousand records. Here, you simply multiplied the cost of each record by the number of exploited records to arrive at $30,000. This is pretty simplistic, and it is only one-dimensional: with 500,000 records the cost would be 15 million dollars and the situation would involve greater complexity, which is why you must now incorporate a qualitative approach.

Continuing the example, an auditor now walks through the door and says that you have 90 days to deploy the appropriate countermeasures because of a vulnerability he or she observed on the system: there is no encryption mechanism between the database and the web server, nor encryption on the database itself, so the system is not in compliance with HIPAA standards. Through further analysis, such as a code review, we then look for additional vulnerabilities and discover that our assets are prone to an SQL injection attack (where crafted input appended to a database query exploits the system and the data within it). Hence there have to be controls in place to filter out such an attack. We now have the cost associated with the vulnerabilities in the system, and next the likelihood of discoverability must be assessed. Using quantitative analysis, the worst-case scenario is that the compromise of 500,000 records comes to a cost of 15 million dollars, which is again a one-dimensional evaluation. We must have a way to assign a risk level to vulnerabilities that takes other factors into consideration. To keep it simple, we will use a qualitative weighting scale of high, medium, and low ratings. The information gathered thus far: the number of records that could be compromised is between 1,000 and 500,000, and the records are valued at $30 each; the data is not encrypted in transit or at rest; multiple business units can access and modify the data; and the systems are maintained by the operations group. Lastly, we have an audit requirement to document encryption and apply mitigation controls. Let us incorporate one additional piece into our assessment: reputation, which encompasses impact on earnings, consumer confidence, and publicity. We can readily assign a qualitative risk level of high, as an SQL injection attack is not often detected by system logs and intrusion detection services. Reputation is at risk from the hospital going public with a loss of 500,000 medical records, and once this vulnerability is known there will be an increase in this type of attack on hospital systems. We now have the qualitative cost and the quantitative cost, both of which have a high risk factor.

Here is where management plays an important role, and why we incorporate the single loss expectancy (SLE) formula. In this example we take the value of the asset ($30 in this case) and the exposure level (500,000) and multiply the asset value by the exposure level, giving an SLE of 15 million dollars. We next calculate the annual loss expectancy (ALE), which accounts for how many times per year this loss is expected to occur: take the SLE and multiply it by the annual rate of occurrence (ARO). In this scenario the database is very new, so we cannot use historical examples, and without an ARO we cannot come up with an appropriate cost-benefit analysis; we therefore return to a qualitative approach. We would mitigate this risk by customizing intrusion detection signatures for traffic analysis of threats to the database, and by installing host intrusion detection software on both the web server and the database server. With these initiatives in place, we feel comfortable reducing the risk rating from high to medium. Furthermore, we could reduce the threat level to low through additional code testing, together with properly configured HIPS (Host Intrusion Prevention Software) and IDS tools. The above is an example of how each organization needs a risk assessment that aligns with its business objectives. We must emphasize that although both quantitative and qualitative analysis are useful, most organizations use a qualitative approach. This is why in the next section we focus on describing a detailed risk analysis approach that relies primarily on qualitative metrics.

Detailed Security Risk Analysis

Although the majority of organizations make use of the combined approach, for educational purposes and to cover all areas of risk assessment we have chosen to describe in greater depth the detailed risk analysis approach, along with its techniques and models, as this approach comprises all the essential elements to optimize IT security safeguards and minimize risk exposure for any corporation. When first examining an organization’s risk profile using this approach, the first area we examine is the firm’s perimeter. This includes system boundaries, system functions, system/data criticality, and system/data sensitivity. After looking at the system’s boundaries, the last step within the first process of this approach, and probably the most significant, is to identify the assets that need to be analyzed. As described above, this addresses the first of the three fundamental questions: “What assets do we need to protect?” An asset is “anything which needs to be protected” because it has value to the organization and contributes to the successful attainment of the organization’s objectives, and it may be either tangible or intangible (Stallings, 480). It includes computer and communications hardware infrastructure, software including applications, information/data held on these systems, the documentation on these systems, and the people who manage and maintain these systems. Within the boundaries identified for the risk assessment, these assets need to be identified and their value to the organization assessed. It is important to emphasize again that whilst the ideal is to consider every conceivable asset, in practice this is not possible. Rather, the goal here is to identify all assets that contribute significantly to attaining the organization’s objectives, and whose compromise or loss would seriously impact the organization’s operation (Stallings, 480). Whilst the risk assessment process is most likely managed by security experts, they will not necessarily have a high degree of familiarity with the organization’s operations and structures. Thus they need to draw on the expertise of the people in the relevant areas of the organization to identify key assets and their value to the organization. A key element of this process step is identifying and interviewing such personnel. Many of the standards listed previously include checklists of types of assets and suggestions for mechanisms for gathering the necessary information; these should be consulted and used. The outcome of this step should be a list of assets, with brief descriptions of their use by, and value to, the organization.

The next area to focus on is threat sources, which many times can be taken from past experience. A threat source can be a natural disaster or a human agent, acting either directly (e.g., an insider retrieving and selling information, or a hacker targeting a server over the internet) or indirectly (e.g., as the result of an accident, perhaps through the misconfiguration of various routers). The third area to focus on is threat identification. This addresses the questions “What could cause the organization harm?” and “How could this occur?” (Stallings, 481). Threats to the assets need to be identified, as well as the ways in which those threats could affect the systems. To complement this, the next area to be examined is vulnerabilities. We identify exploitable flaws or weaknesses in the organization’s IT systems or processes and determine the applicability and significance of each threat to the organization. A threat must combine with a vulnerability to create a risk to an asset. We can use the lists of potential vulnerabilities in the standards to help determine our own vulnerabilities. After this step, one must determine what controls are already in existence, to reduce redundancy and eliminate wasteful spending.

Determining Overall Risk Exposure by Making Use of Qualitative Risk Rating Tables

The first table that will be applied consists of a rating, a likelihood description, and an expanded definition, to determine the overall likelihood that an asset will be compromised. This can be seen in the following table (Stallings, 483):

Table 1.

The next essential step is to create a table that determines the consequence if a specified asset or a number of assets are exploited. This table comprises a rating, the rating of the consequence to the organization (from insignificant to a doomsday scenario), and an expanded definition that briefly describes the magnitude of the impact and the repercussions to the overall organization. See the example below (Stallings, 484-485):

Table 2.

Finally, after meticulous examination and analysis based on the likelihood that a threat will occur and the impact it would have on the organization, we can create another table by correlating the two previous variables to qualitatively detail the risk level assigned to each combination. This table is titled Risk Level Determination and Meaning, and can be found below (Stallings, 486):


Table 3.

In our final table, we create what is known as the Risk Register, which allows management to distinguish the assets that require treatment from the assets that do not. The Risk Register should consist of the identified asset, the threat/vulnerability, the existing controls already in place, the likelihood that each identified threat could occur and cause harm to the identified asset, the consequence (the impact on the organization should a particular asset or assets be compromised), the level of risk, and the priority of the risk (Stallings, 486):

Table 4.


The Risk Register then allows executive management to accept the risk, avoid the risk, transfer the risk, reduce the consequences, or reduce the likelihood. Making use of these models and techniques allows an organization to handle attacks more efficiently and effectively by mitigating its risk profile while incorporating best practices.
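The following worked example, added here and not code from the paper or from Stallings, ties together the SLE/ALE arithmetic of the hospital example and the qualitative tables of this section: it computes the SLE, shows the ALE step failing when no ARO history exists, and builds a prioritized risk register from a likelihood-by-consequence matrix. The rating scales, the matrix, and the register entries are constructed assumptions in the style the paper describes for Tables 1 through 4; the paper's own tables are not reproduced.

```python
"""SLE/ALE arithmetic plus a qualitative risk register (added illustration).

Not code from the paper or Stallings. The scales, the risk matrix and the
sample register entries below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


def single_loss_expectancy(value_per_record: float, records_exposed: int) -> float:
    """SLE = asset value x exposure level (the paper's $30 x 500,000 case)."""
    return value_per_record * records_exposed


def annual_loss_expectancy(sle: float, aro: Optional[float]) -> Optional[float]:
    """ALE = SLE x annual rate of occurrence (ARO). ARO is None when there is
    no history to estimate it from (the paper's brand-new database): then no
    ALE exists and the assessment falls back to the qualitative rating."""
    return None if aro is None else sle * aro


# Qualitative scales (constructed labels in the style of Tables 1 and 2).
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
CONSEQUENCE = ["insignificant", "minor", "moderate", "major", "catastrophic", "doomsday"]

# Constructed risk-level matrix in the style of the paper's Table 3.
# Row = likelihood (rare .. almost certain), column = consequence
# (insignificant .. doomsday); L = low, M = medium, H = high, E = extreme.
RISK_MATRIX = [
    "LLMHHE",  # rare
    "LLMHEE",  # unlikely
    "LMHEEE",  # possible
    "MHHEEE",  # likely
    "HHEEEE",  # almost certain
]
PRIORITY = {"E": 1, "H": 2, "M": 3, "L": 4}  # 1 = treat first


def risk_level(likelihood: str, consequence: str) -> str:
    """Look up the qualitative risk level for a likelihood/consequence pair."""
    return RISK_MATRIX[LIKELIHOOD.index(likelihood)][CONSEQUENCE.index(consequence)]


@dataclass
class RegisterEntry:
    asset: str
    threat_vulnerability: str
    existing_controls: str
    likelihood: str
    consequence: str


def build_risk_register(entries: List[RegisterEntry]) -> List[Dict[str, object]]:
    """Build a Table-4-style register: each row carries the derived risk level
    and a priority, ordered so that risks needing treatment first come first."""
    rows = []
    for e in entries:
        level = risk_level(e.likelihood, e.consequence)
        rows.append({"asset": e.asset, "threat": e.threat_vulnerability,
                     "controls": e.existing_controls, "likelihood": e.likelihood,
                     "consequence": e.consequence, "level": level,
                     "priority": PRIORITY[level]})
    return sorted(rows, key=lambda r: r["priority"])  # stable sort keeps input order within a level


if __name__ == "__main__":
    sle = single_loss_expectancy(30.0, 500_000)
    print("SLE:", sle, "ALE (no ARO history):", annual_loss_expectancy(sle, None))
    # Constructed entries echoing the paper's Barrick Gold discussion.
    sample = [
        RegisterEntry("Email", "service outage", "backups", "possible", "minor"),
        RegisterEntry("SCADA nodes/network", "loss of availability", "none", "possible", "catastrophic"),
        RegisterEntry("File/database integrity", "unauthorized modification", "access lists", "unlikely", "major"),
    ]
    for row in build_risk_register(sample):
        print(row["priority"], row["level"], row["asset"])
```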

Case Study Barrick Gold

In further discussing risk assessment, we decided to take a detailed look at a well-known publicly traded organization, primarily because it makes use of a Supervisory Control And Data Acquisition (SCADA) system (Barrick Goldstrike Wireless Presentation). The use of SCADA is pronounced and prevalent among many organizational systems that are vital to the United States’ infrastructure. Prior to 9/11 this may not have been seen as a high priority, but because we are in the midst of potential cyber warfare among various countries around the globe, any attack on such systems can cause significant economic impact to the US. To give a few examples, SCADA is deployed to monitor and control electric power generation, transmission, and distribution; water and sewage; mass transit; traffic signals; and various other industrial systems. Typically, mining companies have a much greater risk tolerance, but due to the growing number of attacks on a multitude of corporations and governments around the world, Barrick Gold has taken this threat quite seriously, especially when it comes to the safety of its employees.

Barrick Gold trades on the NYSE under the ticker ABX and is a Canadian-based company formed in 1983. It engages in the production and sale of gold and copper, with exploration and development projects located in North and South America, the Australia-Pacific region, and Africa. It currently has 26 operating mines, annual revenues of around 14.31 billion dollars, total cash on hand of 2.74 billion dollars, and debt of 13.37 billion dollars. Its stock currently trades at a multiple of around 10.9 times earnings, and it is anticipated to trade at 8 times earnings over the next year and a half. In April 2011, Barrick acquired Equinox Minerals for around 7.3 billion Canadian dollars. This acquisition, along with other acquisitions, adds further complexity to the organization. Therefore, risk analysis is of extreme significance, because disparate systems need to be integrated together with an appropriate assessment of IT security issues.

In making use of the combined approach, we must not forget that detailed risk analysis is an important part of this technique. Therefore, instead of going into great detail on the identification of assets, threats, vulnerabilities, and so forth, below we have provided a hypothetical risk register model that we believe would address many of the company’s IT security concerns, which in turn would aid Barrick in analyzing and driving action to minimize the likelihood of a risk occurring, reduce the visibility of the risk, increase the ability to handle the risk if it should occur, and reduce the impact of the risk. As can be seen in the risk register below, the reliability of the SCADA nodes and network was given the highest risk priority, due primarily to the safety of the workers in the mine: the SCADA systems, among other things, monitor temperature control through various sensors placed throughout the mine, and if, for example, the system went down and the miners had no access to oxygen, then there could be a significant number of fatalities. On the other end of the spectrum is email, which was viewed as the least significant. One other thing to take note of is that we believed the integrity of stored file and database information was second in risk priority. One reason for this was that it is of extreme importance not to allow access to any opponent who may want information on, say, company-specific M&A activity, from which they could retrieve insider information to benefit financially. See the table below (Stallings, 490):


Table 6.

Conclusion

As we turn from centralized systems to more distributed systems, the potential for attacks to propagate has increased dramatically. Furthermore, as technology has continued its rapid advancement, so too has the technology created and deployed by attackers or opponents. Therefore, it is an absolute necessity to create checks and balances in governance by using a systematic approach to alleviate these threats. IT security management and risk assessment help to mitigate this problem. All organizations must use best practices in the area of IT security management and risk assessment. If this is done successfully, through the policies, procedures, and standards described in this paper, organizations and governments will effectively safeguard their assets. It must be further stated that it is virtually impossible to safeguard against every type of vulnerability. However, deploying and implementing the proper framework, along with a thorough risk assessment of all assets, vulnerabilities, threats, and countermeasures, will vastly decrease the risk of exploitation. This will allow sovereigns and organizations around the world to select and use the appropriate controls, some of which include antivirus software, antispyware software, firewalls, encryption of data in transit and at rest, intrusion detection systems, intrusion prevention systems, and so on. A recent Bloomberg government study found that spies, criminals, and hacker activists are stepping up assaults on US government and corporate systems (Engleman and Strohm). This study also stated that companies, including utilities, banks, and phone companies, will have to spend almost 9 times more on cyber security to prevent a digital Pearl Harbor from plunging millions into darkness, paralyzing the financial system, or cutting communications. The article cited above is a clear indication that IT security management and risk analysis must be an essential ongoing process to counter such an event.


References

1. Ameerally, Imran. "Risk Assessment: An Overview." Republic of Mauritius, Ministry of IT and Telecommunications, 01 Dec. 2006. Web. 20 Feb. 2012. <http://www.gov.mu/portal/sites/ncbnew/security/1dec/Risk%20Assessment.ppt>.

2. "Barrick Goldstrike Wireless Presentation." WMEA Technical Papers. Western Mining Electrical Association. Web. 20 Feb. 2012. <http://www.wmea.net/Technical%20Papers/Barrick%20Goldstrike%20Wireless%20Presentation.pdf>.

3. De Bie, Veronique. "IT Security Management Standards for Today’s Businesses." Lsec.com. L-SEC, 20 Jan. 2006. Web. 20 Apr. 2012. <www.lsec.be/upload_directories/documents/standard2006.pdf>.

4. Engleman, Eric, and Chris Strohm. "Cybersecurity Disaster Seen in U.S. Survey Citing Spending Gaps." Bloomberg. Bloomberg, 31 Jan. 2012. Web. 20 Apr. 2012. <http://www.bloomberg.com/news/2012-01-31/cybersecurity-disaster-seen-in-u-s-survey-citing-spending-gaps.html>.

5. "How Business and Entrepreneurship Can Shine Your Life." Risk Analysis Business Basics. Business Basics, 21 Oct. 2010. Web. 17 Apr. 2012. <http://www.treatyoakmaps.com/?p=43>.

6. "Information Security Policy Templates." SANS. Web. 20 Feb. 2012. <http://www.sans.org/security-resources/policies/>.

7. "ISO - International Organization for Standardization." International Organization for Standardization. Web. 20 Feb. 2012. <http://www.iso.org/iso/home.htm>.


8. Namestnikov, Yury. "Kaspersky Security Bulletin. Statistics 2011." SecureList.com. Kaspersky Lab ZAO, 1 Mar. 2012. Web. 18 Apr. 2012. <http://www.securelist.com/en/analysis/204792216/Kaspersky_Security_Bulletin_Statistics_2011>.

9. Pepitone, Julianne. "'Massive' Credit Card Data Breach Involves All Major Brands." CNNMoney. Cable News Network, 30 Mar. 2012. Web. 18 Apr. 2012. <http://money.cnn.com/2012/03/30/technology/credit-card-data-breach/index.htm>.

10. Perlroth, Nicole. "Inside the Stratfor Attack." Bits Blog. New York Times, 12 Mar. 2012. Web. 18 Apr. 2012. <http://bits.blogs.nytimes.com/2012/03/12/inside-the-stratfor-attack/>.

11. "Risk Assessment Case Study." The Security Risk Management Toolkit. Web. 20 Feb. 2012. <http://www.risk.biz/case.html>.

12. Stallings, William, Lawrie Brown, Michael D. Bauer, and Michael Howard. "Chapter 16 IT Security Management and Risk Assessment." Computer Security: Principles and Practice. Upper Saddle River, NJ: Prentice Hall, 2008. Print.

13. Stallings, William, Lawrie Brown, Michael D. Bauer, and Michael Howard. "Chapter 14 IT Security Management and Risk Assessment." Computer Security: Principles and Practice. 2nd ed. Upper Saddle River, NJ: Prentice Hall, 2011. Print.

14. Verheul, Eric. "Practical Implementation of ISO 27001 / 27002." Security in Organizations. Radboud University, 2011. Web. 20 Feb. 2012. <http://www.cs.ru.nl/~klaus/secorg/Slides/02_IS_IMPL_20v0.51.pdf>.

15. Watson, Keith A. "Security Management Practices." Secure Purdue. Purdue University. Web. 20 Feb. 2012. <http://www.purdue.edu/securepurdue/docs/training/SecurityManagementPractices.ppt>.