The InfoSec Handbook

Identification of Risk

The first step to identify the risks in the context of information security is to identify all the information assets of the organization. Information assets include the infrastructure, facilities, hardware, software, applications, utilities and tools, data, employees, contractors, and suppliers which are needed to run any business.

Table 5-1 lists typical information assets that are found in organizations.

Table 5-1. Typical Information Assets

Function | Information Asset
Human Resources | Employee Personal Records (with PII); Other Employee Records (Offer Letters, CVs, Certificates, Performance Appraisal, etc.); Human Resources Management System; Employees (may be further categorized based on type of employees); Suppliers/Third Party Vendors; Recruitment Test Papers and Answer Keys; etc.
Training | Training Material; Training Quiz/Test Papers; Training Feedback and Analysis; Online Tools used for the Training; etc.
Marketing & Sales | Proposals; Marketing Strategies, Marketing Plans; Communications with the Customers including on the scope of new projects, pricing, etc.; Visit Plans of the departmental personnel; etc.
Project Management & Project Teams (including Product Development Teams / Engineering Teams) | Proposals; Communications with the Customers; Customer Provided Property such as Hardware; Customer Provided Information/Data; Project Artifacts; Applications; Utilities; Open Source Software; Third Party Software; Software Code Developed; New Concepts/Innovations yet to be patented; New Processes Invented; Design Documents, Architecture Documents; etc.
Information Technology | Desktops/Workstations; Laptops; Servers; Printers; Communication Equipment; CD/DVD Writers/Tape Drive; Backup Tapes; Scanners; External Hard-disks/USB Pen Drives; Original Licenses/License Keys; Network Cabling; Firewall, Router & Log Analyzer; ISP/External Connectivity; Physical Keys; Specific Servers like Anti-Virus Servers, Application Servers, Database Servers, Patch Management Server, FTP Server etc.; Other utilities used like Remote Connectivity Tools, Monitoring Tools, etc.; Logs of various servers/applications, system administrator activity logs; Encryption Keys; Root and other Administrative logins and passwords; etc.
Finance & Legal | Vendor Agreements/Contracts; Financial/Banking Details/Records; Statutory Records including Notices received, Cases Pending, etc.; Financial Instruments; Payroll, Tax and such other details; Digital Signatures; Login Ids and Passwords of Persons authorized to carry out different types of tasks on tools like SAP, Oracle Financials, etc.; Compliance Filings; Various reports filed with various statutory and regulatory agencies, etc.
Quality | Process Documents; Quality Records including Audit Records, Management Review Records and other records; Testing Records; Defect Details; Best Known Methods; etc.

Note:
a) The functions mentioned are only sample functions; organizations may have more functions than the above or may be organized differently.
b) Some of the above assets may be further bucketed into common and specific groups depending on their differing risks; e.g., management laptops carry different risks than clerical laptops, and customer-provided data such as patient details or credit card details carries different risks than data without much sensitivity, such as details of the machines on the shop floor.
c) Records / documents may also be classified as hard copy or soft copy, as the two carry different risks.
d) Tools / utilities may have to be classified separately depending on their purpose and capability.
e) The above list is not comprehensive; it is only illustrative. There may be hundreds of other documents / records / tools / utilities that could be included, and these may also differ from organization to organization.

The second step is to identify the threats the organization is exposed to with respect to each function within the organization. This may be done based on the organization's own historical data; on data obtained from relevant local, regional, national, or international agencies or institutes; or on other learned and reliable sources of information. Additionally, the expertise of the organization's employees, contractors, and suppliers is used. Another approach is to first identify the vulnerabilities the organization is exposed to, such as tailgating, lack of effective policies, lack of awareness or knowledge, technical vulnerabilities like security flaws in the utilities or applications used, the organization's location, and so on, and then identify the threats that may exploit those vulnerabilities. Yet another approach is to identify the threats first and then the vulnerabilities that may lead to them. In any case, it is necessary to identify the various pairs of threats and vulnerabilities an information asset is exposed to. Each information asset may be exposed to different vulnerabilities leading to different threats, and each threat may arise from different vulnerabilities. Different vulnerabilities may also lead to the same threat: for example, a fire threat may result from storing old paper records and inflammable material on the premises, from the kitchen being allowed to use electric or gas stoves, or from weak wiring.

A vulnerability such as inadequate awareness of policies may allow a non-employee to tailgate an employee into the premises, which can lead the stranger to steal confidential files or papers, destroy the data center by planting a bomb, fire at employees, or kill employees. This makes clear the need to identify the different sets of vulnerabilities and threats.

Some of the typical pairs of threats and vulnerabilities are listed in Table 5-2.

Table 5-2. Threats and Vulnerabilities

Threat | Vulnerability
Malicious Destruction | Lack of Physical Security
Theft and Fraud | Lack of Physical Security
Fire | Lack of Environmental Protection
Flood | Lack of Environmental Protection
Misplace / Loss of Documents | Inadequate Document / File Handling Procedures
Malicious Destruction | Incorrect Access Rights
Theft and Fraud | Incorrect Access Rights
Data Corruption & Loss of Data | Lack of Backups
Theft and Fraud | Access of Production Data to Application Maintenance Engineers
Theft and Fraud | Lack of effective software change management leading to unauthorized changes
Theft and Fraud | Lack of Segregation of Duties
Misuse of Equipment and Facilities | Inconsistent Compliance with Security Policies
Access of Facilities / Systems / Applications / Data by Ex-Employee or others and Possible Thefts and Frauds | Lack of Proper Exit Procedures
Technical Vulnerability | Inadequate Configuration
Undesirable Impact | Inadequate Patch Validation
Malicious Software Infection | Lack of Adequate Monitoring Mechanisms
Malicious Software Infection | Technical Incompatibility
Prey to Social Engineering Tricks | Inadequate Security Awareness & Training
Misuse of credentials | Infrequent change of passwords / Weak Passwords
Technical Failures | Improper / Inappropriate Maintenance
Intrusion / Unauthorized Data Access | Inadequate Firewall / Router Policies
Single Point of Failure | Lack of Redundancy
Service Deficiency | Choice of Wrong Service Provider

Note:
a) The above list is only illustrative; it is impossible to cover all threats and vulnerabilities.
b) Which threats and vulnerabilities apply depends on the information asset.

The third step is to identify, for each information asset and each pair of threat and vulnerability, the impact on each aspect of information security, that is, confidentiality, integrity, and availability. This can be a rating given to each information asset, for each pair of threat and vulnerability, in terms of the impact on each of the information security aspects (confidentiality, integrity, and availability) that can be compromised or breached. Table 5-3 describes the potential impact on security objectives.[1]

Table 5-3. Levels of Impact on Security Objectives[1]

Confidentiality
Low Impact: The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
Medium Impact: The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
High Impact: The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Integrity
Low Impact: The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
Medium Impact: The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
High Impact: The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Availability
Low Impact: The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
Medium Impact: The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
High Impact: The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Amplification
Low Impact: A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a degradation in organizational capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.
Medium Impact: A serious adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a significant degradation in organizational capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life threatening injuries.
High Impact: A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a severe degradation in or loss of organizational capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries.

Low impact on any security objective is given a value of 1, medium impact a value of 2, and high impact a value of 3. If a security objective is not applicable to the information asset under consideration, it is given a value of 0. For each information asset and each pair of threat and vulnerability, the impact value for confidentiality plus the impact value for integrity plus the impact value for availability gives the total asset impact value. The asset impact is optionally categorized as C1, C2, or C3 based on the total asset impact values listed in Table 5-4.

Table 5-4. Asset Category Classification Based on Asset Impact Value

Asset Impact Category | Total Asset Impact Value
C1 – High impact asset | 7, 8 or 9
C2 – Medium impact asset | 4, 5 or 6
C3 – Low impact asset | 1, 2 or 3

The fourth step is to identify the controls already implemented by the organization to manage this risk. These controls may be physical security like security guards; awareness sessions wherein the employees are made aware of the do's and don'ts or specific steps to be taken to avoid, control, and mitigate the risks; or implementation of a tool in the organization like a firewall that eliminates such a risk.
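To make the four steps above concrete, here is an added worked example (it is not code from The InfoSec Handbook) that records a few assets with their threat/vulnerability pairs, rates each pair on confidentiality, integrity and availability on the 0 to 3 scale, sums the three values into the total asset impact value, classifies it with the Table 5-4 bands, and keeps the existing controls from the fourth step alongside each pair. The asset names and pairs are taken from Tables 5-1 and 5-2, but the ratings, the controls, and the handling of a total of 0 as "Not applicable" are this example's own assumptions.

```python
"""Worked risk-identification register covering steps one to four of the chapter.

Added example, not code from The InfoSec Handbook. The scale (n/a = 0, low = 1,
medium = 2, high = 3), the total as the sum of the C, I and A values and the
C1/C2/C3 bands of Table 5-4 come from the text; the assets, pairs, ratings and
controls in SAMPLE_REGISTER are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Impact levels as valued in the chapter: not applicable 0, low 1, medium 2, high 3
IMPACT_VALUE = {"n/a": 0, "low": 1, "medium": 2, "high": 3}

# Table 5-4 bands over the total asset impact value (inclusive bounds)
CATEGORY_BANDS = (
    (7, 9, "C1 - High impact asset"),
    (4, 6, "C2 - Medium impact asset"),
    (1, 3, "C3 - Low impact asset"),
)


def impact_value(level: str) -> int:
    """Map a named impact level to its value; anything else is a data-entry error."""
    key = level.strip().lower()
    if key not in IMPACT_VALUE:
        raise ValueError(f"unknown impact level {level!r}; expected one of {sorted(IMPACT_VALUE)}")
    return IMPACT_VALUE[key]


def categorize(total: int) -> str:
    """Classify a total asset impact value per Table 5-4.

    A total of 0 (all three objectives not applicable) has no band in the table;
    reporting it as 'Not applicable' is this example's own assumption.
    """
    if not 0 <= total <= 9:
        raise ValueError(f"total asset impact value {total} is outside 0..9")
    for low, high, name in CATEGORY_BANDS:
        if low <= total <= high:
            return name
    return "Not applicable"


@dataclass
class ThreatVulnerabilityPair:
    """One threat/vulnerability pair for an asset with its C, I and A ratings (step 3)
    and the controls already in place against it (step 4)."""
    threat: str
    vulnerability: str
    confidentiality: str
    integrity: str
    availability: str
    existing_controls: list[str] = field(default_factory=list)

    def total_impact(self) -> int:
        """Total asset impact value: C value + I value + A value."""
        return sum(impact_value(x) for x in (self.confidentiality, self.integrity, self.availability))


def assess(register: dict[str, list[ThreatVulnerabilityPair]]) -> list[dict]:
    """Produce one row per (asset, pair) with its total and category."""
    rows = []
    for asset, pairs in register.items():
        for p in pairs:
            total = p.total_impact()
            rows.append({
                "asset": asset, "threat": p.threat, "vulnerability": p.vulnerability,
                "total": total, "category": categorize(total),
                "existing_controls": list(p.existing_controls),
            })
    return rows


def worst_case_per_asset(register: dict[str, list[ThreatVulnerabilityPair]]) -> dict[str, int]:
    """Highest total over an asset's pairs, for when one figure per asset is wanted."""
    return {asset: max((p.total_impact() for p in pairs), default=0) for asset, pairs in register.items()}


# Constructed sample register; asset names and pairs are drawn from Tables 5-1 and 5-2
SAMPLE_REGISTER = {
    "Employee Personal Records (with PII)": [
        ThreatVulnerabilityPair("Theft and Fraud", "Incorrect Access Rights", "high", "high", "medium",
                                ["Role-based access rights", "Quarterly access review"]),
        ThreatVulnerabilityPair("Misplace / Loss of Documents",
                                "Inadequate Document / File Handling Procedures", "high", "low", "low"),
    ],
    "Backup Tapes": [
        ThreatVulnerabilityPair("Fire", "Lack of Environmental Protection", "n/a", "high", "high",
                                ["Off-site tape storage"]),
    ],
    "Training Material": [
        ThreatVulnerabilityPair("Misplace / Loss of Documents",
                                "Inadequate Document / File Handling Procedures", "low", "low", "low"),
    ],
}

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f"{row['asset']:<40} {row['threat']:<30} total={row['total']} {row['category']}")
```

Running the file prints one line per asset/pair; the PII records score 3 + 3 + 2 = 8 against incorrect access rights and fall into C1, while training material scores 1 + 1 + 1 = 3 and falls into C3. The validation in impact_value and categorize rejects ratings outside the chapter's scale so that a mistyped rating cannot silently shift an asset's category.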
