Assessing Security Risks
Home > 
Best Practices > 
Protect Your Business > 
IT Security Management and Policies > 
Assessing Security Risks
< back
Plan for Information Security
Backup and Recovery
Assessing Security Risks
Implementing & Maintaining a Secure Framework
Protecting Your Computer Assets
Selecting Safeguards

Assessing Security Risks

The security management cycle starts with an assessment of the security risks. Security Risk Assessment is done to identify what security measures are required. It is the initial step in evaluating and identifying the risks and consequences associated with vulnerabilities, and provides a basis for management to establish a cost-effective security program.

Based on the assessment results, appropriate security protection and safeguards should be implemented to maintain a secure protection framework. This includes developing security policies and guidelines, assigning security responsibilities and implementing technical security precautions and systems.

This step is followed by a cyclic compliance review and re-assessment, designed to provide assurance that security controls are put into place properly in order to meet users' security requirements, and to cope with rapid technological and environmental changes. This relies on continuous feedback and monitoring. The review can be undertaken through periodic security audits to identify what enhancements may be necessary.

By evaluating a list of considerations, you can identify what assets to protect, their relative importance, and each asset's priority ranking for urgency and required level of protection. The flow chart below shows the major steps in Security Risk Assessment.


Security Risk Assessment Steps

1. Planning

Before starting a security risk assessment, planning is needed for proper preparation, monitor and control. Some major items should be defined first:

Safeguards can be technical or procedural controls. Some safeguards examples:

Project Scope and Objectives:
the scope of the assessment may cover the protection of certain business functions, e.g. customer service department, credit department, sales department.
Background Information:
any relevant information that are useful for the assessment, e.g. financial statement, organisation chart, company objectives.
Constraints:
e.g., budget, cost, time, technology, etc.
Roles and Responsibilities of Parties Involved:
define and assign duties for all team members involved.
Approach and Methodology:
quantitative and qualitative analysis on the impact of risk, the effect of security problems and appropriate security measures.
Project Size and Schedule:
project cost and number of staff involved, and the timeframe for implementing all the major activities outlined in the assessment.
2. Information Gathering

The aim is to collect relevant information for further analysis in order to identify the risks and understand the current system and environment.

Kinds of information to be collected:

Security requirements and objectives
System and network architecture & infrastructure
Information available to the public on the web pages
Physical assets such as hardware equipment
Systems such as operating systems, network management systems
Contents such as databases and files
Applications and servers information
Networks such as supported protocols and network services offered
Access controls
Process
Identification and authentication mechanisms
Government laws and regulations pertaining to minimum security control requirements
Documented or informal policies and guidelines

Information can be collected through various ways:

Site visits
Group Discussions
Multi-level interviews
Surveys
Questionnaires
Checklists on key items
On-site observations
3. Risk Analysis

Risk Analysis helps to determine the value of the assets and their associated risks. In turn, the security risk assessment and audit can help identify loopholes in the network. The processes can be highlighted as follows:

Identification and Valuation of Asset
for both tangible and intangible assets such as hardware and reputation.
Threat Analysis
to identify the threats and to determine likelihood of their occurrence and potential to harm systems or assets.
Vulnerability Analysis
to identify and analyse the vulnerabilities of the system and environment e.g. use vulnerability scanners to identify technical vulnerabilities.
can be measured in terms of accessibility and number of authorised users.
Mapping of Asset / Threat / Vulnerability
to identify the possible combinations & the inter-relationship of assets, threats and vulnerabilities that may induce risks.
Assessment of Impact and Likelihood
to estimate the degree of overall harm or loss that could occur.
to estimate the frequency of a threat happening.
Risk Results Analysis
using qualitative and quantitative methods, and matrix Approach to analyse and present the risk results properly.
4. Vulnerability Scanners

A vulnerability scanner can assess a variety of vulnerabilities across information systems (including computers, network systems, operating systems, and software applications) that may have originated from a vendor, system administration activities, or general day-to-day user activities.

In general, a vulnerability scanner:

allows early detection and handling of known security problems.
helps to identify rogue machines that may be connected to the network without authorisation.
helps to verify the inventory of all devices on the network including device type, operating system version and patch level, hardware configurations and other relevant system information.

But there are some limitations on the use of vulnerability scanners:

Snapshot only: a vulnerability scanner can only assess a "snapshot of time" in terms of a system or network's security status. Therefore, scanning needs to be conducted regularly, as new vulnerabilities can emerge, or system configuration changes can introduce new security holes.
Human judgement is needed: vulnerability scanners can only report vulnerabilities according to the plug-ins installed in the scan database. Plug-ins are part of the knowledge database or scan database of the vulnerabilities that the scanner is capable of detecting. They cannot determine whether the response is a false negative or a false positive. Human judgement is always needed in analysing the data after the scanning process.
Discover known technical vulnerabilities: a vulnerability scanner is designed to discover known vulnerabilities only. It cannot identify other security threats, such as those related to physical, operational or procedural issues.

Tips for Conducting a Vulnerability Scanning

The following are issues that need to be considered when conducting vulnerability scanning:

Location of Network-based Scanner: Whether a scanner is located in front of or behind the firewall will have an effect on the scan result. Both external and internal scanning should be conducted in order to build a more complete picture.
Scanning Port Range: Port scanning detects which ports are available (i.e., being listened to by a service). Because open ports may imply security weaknesses, port scanning is one of the basic reconnaissance techniques used by attackers. Therefore, security scanning should always include port scanning. However, some vulnerability scanners have a pre-defined default port range set, such as only from port 0 to 15000. System administrators should be aware of these default settings and ensure all necessary ports are scanned.
Baseline Setup: It is a good practice to keep archived logs of all scans (i.e. develop a working baseline), and compare the latest results with the baseline for trend analysis over time.
After-scan and Ongoing Practices: It is important to correctly interpret the scanning results so that valid vulnerabilities can be identified and subsequently fixed. The priority of necessary follow-up action should also be worked out and agreed upon.
Potential threats caused by the scan process: A scan itself can pose risks to production machines, for instance, crashing an already vulnerable server if all "plug-ins", including high-risk ones (such as a DoS scan) are enabled. The administrator should note any deterioration in the system and network performance of the target groups during scanning. Therefore, risk assessment and careful planning are necessary before scanning. The administrator should note any deterioration in the system and network performance of the target groups during scanning.
Handling of scanning results: Leakage of scanning results, which contain system vulnerability information, may facilitate attackers in exploiting those loopholes directly. It is therefore important to safeguard this information by keeping it in a safe place, or keeping it encrypted to prevent unauthorised access. If an external party is employed during the assessment process, the organisation should ensure that any party is trustworthy, and that both findings and proprietary information will be kept secure.
Policy and procedure on scanning process: Malicious or improper use of scanning tools could pose an enormous risk and cause tremendous harm to information systems. Therefore, policies and procedures should be in place to specify whom, how and when vulnerability assessment tools are to be used. No one should be allowed to conduct any vulnerability scanning without prior permission.
5. Identifying & Selecting Safeguards

After reviewing the results of security risk assessment, safeguards will be identified and evaluated for their effectiveness in reducing the likelihood and impact of identified threats and vulnerabilities to an acceptable level.

Safeguards can be technical or procedural controls. Some safeguards examples:

Re-configure operating systems, network components and devices to patch up the weaknesses identified during the security assessment;
Implement password control or authentication software;
Implement encryption or authentication technology to protect data transmission;
Develop / Enhance the security policy, guidelines or procedures to ensure effective security.
6. Implementing & Maintaining a Secure Framework

Following the results obtained from your security risk assessment, the security management cycle enters a phase of implementation and maintenance, where appropriate security protection measures and safeguards are implemented in a way that builds a secure protection framework. This includes developing security policies and guidelines, assigning security responsibilities and implementing technical and administrative security measures. All these steps are crucial in contributing to the safeguards of your business assets.

Set up and Implement a Security Policy
Set up and Implement Management and Administrative Processes
Select and Implement Technological Measures
7. Monitoring & Recording

With implementation and maintenance being carried out to provide a secure framework, there is also the need for constant monitoring and recording so that proper arrangements can be made when tackling a security incident.

In addition, day-to-day operations such as users' access attempts and activities while using a resource, or information, need to be properly monitored, audited, and logged as well: e.g. individual user ID needs to be included in audit logs to enforce individual responsibility. Each user should understand his responsibility when using company resources and be accountable for his actions.

Major activities include:

Maintaining a security incident handling and reporting procedure
Maintaining an audit trail for major business systems and critical applications
Maintaining an event history and error log for operating systems
Maintaining access records of visitors or guests enter your premises
Maintaining records to keep track of authorisation to access and undertake critical business activities
Related topic(s):
Information Security Assessment
Vulnerability Management
Information For:
IT Professionals
SME