Chapter Overview
Risk Management
Before the design of new security solutions can begin, the security analysts must first
understand the current state of the organization and its relationship to security. Does the
organization have any formal security mechanisms in place? How effective are they?
What policies and procedures have been published to the security managers and end
users? This chapter examines the processes necessary to undertake formal risk
management activities in the organization. Risk management is the process of
identifying, assessing, and reducing risk to an acceptable level and implementing
effective control measures to maintain that level of risk. This is done with a number of
processes from risk analysis through various types of feasibility analyses, including
quantitative and qualitative assessment measures and evaluation of security controls.
Introduction
Risk identification is the formal process of examining and documenting the current
information technology security situation.
Risk identification is conducted within the larger process of identifying and justifying
risk controls, known as risk management.
In the past, an organization could establish a competitive business model, method, or
technique to provide a product or service that was superior and create a competitive
advantage. What is becoming apparent is the problem of competitive disadvantage, or
the need to avoid falling behind the competition.
To keep up with the competition, organizations must design and create a safe
environment in which business processes and procedures can function.
This environment must maintain the confidentiality, privacy and integrity of
organizational data. These objectives are met through the application of the principles of
risk management.
Risk management is the process of identifying vulnerabilities in an organization’s
information systems and taking carefully reasoned steps to assure the confidentiality,
integrity, and availability of all the components in the organization’s information system.
The primary deliverable from risk assessment is a list of documented vulnerabilities,
ranked by criticality of impact.
Working from that list, you can assess options, estimate costs, weigh relative merits of
options, and gauge the benefits from various control approaches.
An Overview of Risk Management
Know Yourself
First, we must identify, examine, and understand the information and systems currently in
place.
In order to protect our assets, defined here as the systems that use, store, and transmit
information, we have to understand everything about the information.
Once we have examined these aspects, we can then look at what we are already doing to
protect the information and systems from the threats.
Know The Enemy
Informed of our own nature, and aware of our own weaknesses, we must then know the
enemy.
For information security this means identifying, examining, and understanding the threats
that most directly affect our organization and the security of our organization’s
information assets.
We then can use our understanding of these aspects to create a list of threats prioritized
by importance to the organization.
The Roles of The Communities of Interest
Each community of interest must manage the risks the organization encounters. Each
community of interest has a role to play, as described below.
Information security. Understand the threats and attacks that introduce risk into the
organization.
Management and users. Play a part in the early detection and response process. Ensure
that sufficient resources are allocated
Information technology. Assist in building secure systems and operating them safely.
General management, IT management, and information security management are
collectively accountable for identifying and classifying risks.
Risk Identification
A risk management strategy calls on us to “know ourselves” by identifying, classifying,
and prioritizing the organization’s information assets.
These assets are the targets of various threats and threat agents, and the goal is to protect
the assets from the threats.
Once we have gone through the process of self-examination, we can move into threat
identification.
We must assess the circumstances and setting of each information asset.
To manage the risks caused by vulnerabilities, we must identify those vulnerabilities and
begin exploring the controls that might be used to handle the risks.
We begin the process by identifying and assessing the value of our information assets.
Asset Identification and Valuation
This iterative process begins with the identification of assets, including all of the
following elements of an organization’s system: people, procedures, data, software,
hardware, and network.
Then, we classify and categorize the assets, adding details as we dig deeper into the
analysis.
Hardware, Software, And Network Asset Identification
Automated tools can sometimes uncover the system elements that make up the hardware,
software, and network components.
Once stored, the inventory list must be kept current by using a tool that periodically
refreshes the data.
What attributes of each of these information assets should be tracked? When deciding
which information assets to track, you may want to consider including these asset
attributes:
 Name
 IP address
 MAC address
 Element type
 DeviceClass = S (server)
 DeviceOS = W2K (windows 2000)
 DeviceCapacity = AS (Advanced Server)
 Hardware, software, and network asset identification
 Serial number
 Manufacturer’s name
 Manufacturer’s model number or part number
 Software version, update revision, or FCO number
 Physical location
 Logical location
 Controlling entity
People, Procedures, and Data Asset Identification
The human resources, documentation, and data information assets of an organization are
not as easily identified and documented as tangible assets, such as hardware and
software.
These assets should be identified, described, and evaluated using knowledge, experience,
and judgment.
As these assets are identified, they should also be recorded, using a reliable datahandling process.
Some attributes will be unique to a class of elements.
 People: Position name/number/ID (try to avoid names and stick to identifying
positions, roles or functions); supervisor; security clearance level; special skills
 Procedures: Description; intended purpose; relationship to hardware, software,
and networking elements; storage location for reference; storage location for
update

Data: Classification; owner/creator/manager; size of data structure; type of data
structure used (sequential or relational); online or offline; location; backup
procedures employed
Information Asset Classification
Many organizations already have a classification scheme.
Examples of these kinds of classifications are confidential data, internal data, and public
data. Informal organizations may have to organize themselves to create a useable data
classification model.
The other side of the data classification scheme is the personnel security clearance
structure, which identifies the level of information individuals are authorized to view
based on what each person needs to know.
Information Asset Valuation
As each asset of the organization is assigned to a category, posing a number of questions
assists in developing the weighting criteria to be used for asset valuation. These questions
include:
 Which information asset is the most critical to the success of the organization?
 Which information asset generates the most revenue?
 Which information asset generates the most profitability?
 Which information asset would be the most expensive to replace?
 Which information asset would be the most expensive to protect?
 Which information asset would be the most embarrassing or cause the greatest
liability if revealed?
Listing Assets in Order of Importance
Which factor is the most important to the organization?
Once each question has been weighted, calculating the importance of each asset is
straightforward. The final step is to list the assets in order of importance. This can be
achieved by using a weighted factor analysis worksheet.
Data Classification And Management
Corporate and military organizations use a variety of classification schemes.
Information owners are responsible for classifying the information assets for which they
are responsible.
At least once a year, information owners must review information classifications to
ensure the information is still classified correctly and the appropriate access controls are
in place.
The U.S. Military Classification Scheme has a more complex categorization system than
required by most corporations. For most information, the military uses a five-level
classification scheme: Unclassified, Sensitive But Unclassified (i.e., For Official Use
Only), Confidential, Secret, and Top Secret.
Most organizations do not need the detailed level of classification used by the military or
federal agencies. A simple scheme, such as Public, For Official Use Only, Sensitive, and
Classified, will allow the organization to protect its sensitive information.
Security Clearances
The other side of the data classification scheme is the personnel security clearance
structure. For each user of data in the organization, a single level of authorization must be
assigned that indicates the level of classification he or she is authorized to view.
Before an individual is allowed access to a specific set of data, he or she must meet the
need-to-know requirement.
This extra level of protection ensures that the confidentiality of information is properly
maintained.
Management of Classified Data
Management of classified data includes its storage, distribution, portability, and
destruction.
Information that is not unclassified or public must be clearly marked as such.
When classified data is stored, it must be available only to authorized individuals.
When an individual carries classified information, it should be inconspicuous, as in a
locked briefcase or portfolio.
The clean desk policy requires employees to secure all information in appropriate
storage containers at the end of each day.
When copies of classified information are no longer valuable or excessive copies exist,
proper care should be taken to destroy them by means of shredding, burning or
transferring to an authorized document destruction service.
Some individuals would not hesitate to engage in dumpster diving to retrieve
information that could embarrass an organization or compromise information security.
Threat Identification
Each of the identified threats has the potential to attack any of the protected assets.
If you assume every threat can and will attack every information asset, the project scope
will quickly become so complex that it will overwhelm the ability to plan.
To make this part of the process manageable, each step in the threat and vulnerability
identification processes is managed separately and then coordinated at the end of the
process.
Identify and Prioritize Threats and Threat Agents
Each threat must be examined to assess its potential impact on the targeted organization.
This is referred to as a threat assessment.
To frame the discussion of threat assessment, address each threat with a few questions:
 Which threats present a danger to this organization’s assets in the given
environment?
 Which threats represent the most danger to the organization’s information?
 How much would it cost to recover from a successful attack?

Which of these threats would require the greatest expenditure to prevent?
Vulnerability Identification
We now face the challenge of reviewing each information asset for the threats it faces
and creating a list of the vulnerabilities.
Vulnerabilities are specific avenues that threat agents can exploit to attack an information
asset.
Now, we examine how each of the threats that are possible or likely, could be perpetrated
and list the organization’s assets and their vulnerabilities?
The process works best when groups of people with diverse backgrounds within the
organization work iteratively in a series of brainstorming sessions.
At the end of the process, a list of information assets and vulnerabilities is developed.
This list is the starting point for the next step, risk assessment.
Risk Assessment
We can determine the relative risk for each of the vulnerabilities through a process called
risk assessment.
Risk assessment assigns a risk rating or score to each information asset, which is useful in
gauging the relative risk to each vulnerable information asset and making comparative
ratings later in the risk control process.
Likelihood is the probability that a specific vulnerability will be attacked. Likelihood
vulnerabilities are assigned a number between 0.1 for low and 1.0 for high.
Valuation of Information Assets. We can assign weighted scores for the value of each
information asset to the organization. Scores can range from 1 to 100, with 100 reserved
for mission-critical assets.
Factors in Risk Estimation
Percentage of Risk Mitigated by Current Controls. If a vulnerability is fully managed
by an existing control, it no longer needs to be considered for additional controls and can
be set aside. If it is partially controlled, estimate what percentage of the vulnerability has
been controlled.
Uncertainty. It is not possible to know everything about each vulnerability, such as how
likely it is to occur and how much impact a successful attack would have. We must apply
judgment to add a factor into the equation to allow for an estimation of the uncertainty of
the information
Risk Determination
For the purpose of relative risk assessment, risk equals likelihood of vulnerability
occurrence times value (or impact) minus percentage risk already controlled plus an
element of uncertainty
Identify Possible Controls
For each threat and its associated vulnerabilities that have residual risk, create a
preliminary list of control ideas.
Residual risk is the risk that remains to the information asset even after the existing
control has been applied.
Access Controls
One particular application of controls is in the area of access controls, which specifically
address admission of a user into a trusted area of the organization.
There are a number of approaches to controlling access. Access controls can be
discretionary, mandatory, or non-discretionary.
Types Of Access Controls
Discretionary access controls (DAC) are implemented at the discretion or option of the
data user.
Mandatory access controls (MAC) are structured and coordinated with a data
classification scheme, and are required.
Non-discretionary access controls are determined by a central authority in the
organization and can be based on an individual’s role (role-based controls), a specified
set of tasks the individual is assigned (task-based controls), or the specified lists
maintained on subjects or objects.
Lattice-Based Access Control
Yet another type of non-discretionary access is a lattice-based access control, in which a
lattice structure (or matrix) contains subjects and objects, and the boundaries between
each pair are demarcated. This specifies the level of access (if any) that each subject has
to each object.
In a lattice-based access control, the column of attributes associated with a particular
object (such as a printer) is referred to as an access control list or ACL.
The row of attributes associated with a particular subject (such as a user) is referred to as
a capabilities table.
Documenting Results of Risk Assessment
The goal of this process has been to identify the organization’s information assets that
have specific vulnerabilities and list them, ranked according to those that most need
protection.
In preparing this list, we have collected and preserved a wealth of factual information
about the assets, the threats they face, and the vulnerabilities they experience.
We should also have collected some information about the controls that are already in
place.
The process you develop for risk identification should include defining what function the
reports will serve, who is responsible for preparing the reports, and who is responsible for
reviewing them.
The ranked vulnerability risk worksheet is the working document for the next step in the
risk management process: assessing and controlling risk.