Computer Security:
Principles and Practice
Fourth Edition, Global Edition
By: William Stallings and Lawrie Brown
Lecture slides prepared for “Computer Security: Principles and Practice”, 4/e, GE, by William Stallings and Lawrie Brown, Chapter 14 “IT Security Management and Risk Assessment”.
Chapter 14
IT Security Management
and Risk Assessment
In previous chapters, we discussed a range of technical and administrative measures that
can be used to manage and improve the security of computer systems and networks. In
this chapter and the next, we look at the process of how to best select and implement
these measures to effectively address an organization’s security requirements. As we
noted in Chapter 1, this involves examining three fundamental questions:
1. What assets do we need to protect?
2. How are those assets threatened?
3. What can we do to counter those threats?
IT Security Management Overview
Ensures that critical assets are sufficiently protected in a cost-effective manner
Security risk assessment is needed for each asset in the organization that requires protection
Provides the information necessary to decide what management, operational, and technical controls are needed to reduce the risks identified
Is the formal process of answering the questions:
What assets need to be protected
How are those assets threatened
What can be done to counter those threats
IT security management is the formal process of answering these questions, ensuring
that critical assets are sufficiently protected in a cost-effective manner. More specifically,
IT security management consists of first determining a clear view of an organization’s IT
security objectives and general risk profile. Next, an IT security risk assessment is needed
for each asset in the organization that requires protection; this assessment must answer
the three key questions listed above. It provides the information necessary to decide
what management, operational, and technical controls are needed to either reduce
the risks identified to an acceptable level or otherwise accept the resultant risk. This
chapter will consider each of these items. The process continues by selecting suitable
controls and then writing plans and procedures to ensure these necessary controls
are implemented effectively. That implementation must be monitored to determine if
the security objectives are met. The whole process must be iterated, and the plans and
procedures kept up-to-date, because of the rapid rate of change in both the technology
and the risk environment. We discuss the latter part of this process in Chapter 15. The
following chapters, then, address specific control areas relating to physical security in
Chapter 16, human factors in Chapter 17, and auditing in Chapter 18.
Table 14.1 ISO/IEC 27000 Series of Standards on IT Security Techniques
The discipline of IT security management has evolved considerably over the last few
decades. This has occurred in response to the rapid growth of, and dependence on, networked
computer systems and the associated rise in risks to these systems. In the last
decade a number of national and international standards have been published. These
represent a consensus on the best practice in the field. The International
Organization for Standardization (ISO) has revised and consolidated a number of these standards
into the ISO 27000 series. Table 14.1 details a number of recently adopted
standards within this family. In the United States, NIST has also produced a number
of relevant standards, including NIST SP 800-18 (Guide for Developing Security
Plans for Federal Information Systems, February 2006), NIST SP 800-30 (Guide
for Conducting Risk Assessments, September 2012), and NIST SP 800-53 (Security
and Privacy Controls for Federal Information Systems and Organizations, January
2015). NIST also released the “Framework for Improving Critical Infrastructure
Cybersecurity” in 2014, to provide guidance to organizations on systematically managing
cybersecurity risks. With the growth of concerns about corporate governance
following events such as the global financial crisis and repeated incidences of the
loss of personal information by government organizations and other businesses,
auditors for such organizations increasingly require adherence to formal standards
such as these.
IT Security Management
[ISO13335] provides a conceptual framework for managing security. It defines
IT security management as follows:
IT SECURITY MANAGEMENT: A process used to achieve and maintain appropriate
levels of confidentiality, integrity, availability, accountability, authenticity, and reliability.
IT security management functions include:
• determining organizational IT security objectives, strategies, and policies
• determining organizational IT security requirements
• identifying and analyzing security threats to IT assets within the organization
• identifying and analyzing risks
• specifying appropriate safeguards
• monitoring the implementation and operation of safeguards that are necessary in
order to cost effectively protect the information and services within the organization
• developing and implementing a security awareness program
• detecting and reacting to incidents
This process is illustrated in Figure 14.1 [adapted from figure 1 in ISO 27005 (Information security risk management) and
figure 1 in ISO 13335, part 3], with a particular
focus on the internal details relating to the risk assessment process. IT security management
needs to be a key part of an organization’s overall management plan. Similarly,
the IT security risk assessment process should be incorporated into the wider risk
assessment of all the organization’s assets and business processes. Hence, unless senior
management in an organization are aware of, and support, this process, it is unlikely
that the desired security objectives will be met and contribute appropriately to the
organization’s business outcomes. Note that IT security management is not something undertaken
just once. Rather it is a cyclic process that must be repeated constantly in order
to keep pace with the rapid changes in both IT technology and the risk environment.
The iterative nature of this process is a key focus of ISO 31000 (Risk management-
Principles and guidelines, 2009), and is specifically applied to the security risk management
process in ISO 27005. This standard details a model process for managing
information security that comprises the following steps:
Plan: Establish security policy, objectives, processes, and procedures; perform risk assessment; develop a risk treatment plan with appropriate selection of controls or acceptance of risk.
Do: Implement the risk treatment plan.
Check: Monitor and maintain the risk treatment plan.
Act: Maintain and improve the information security risk management process in response to incidents, review, or identified changes.
This process is illustrated in Figure 14.2, which can be aligned with Figure 14.1.
The outcome of this process should be that the security needs of the interested parties
are managed appropriately.
Organizational Context and Security Policy
First examine organization’s IT security:
Objectives – wanted IT security outcomes
Strategies – how to meet objectives
Policies – identify what needs to be done
Maintained and updated regularly
Using periodic security reviews
Reflect changing technical/risk environments
Examine role and importance of IT systems in organization
The initial step in the IT security management process comprises an examination of
the organization’s IT security objectives, strategies, and policies in the context of the
organization’s general risk profile. This can only occur in the context of the wider
organizational objectives and policies, as part of the management of the organization.
Organizational security objectives identify what IT security outcomes should be
achieved. They need to address individual rights, legal requirements, and standards
imposed on the organization, in support of the overall organizational objectives.
Organizational security strategies identify how these objectives can be met. Organizational
security policies identify what needs to be done. These objectives, strategies, and
policies need to be maintained and regularly updated based on the results of periodic
security reviews to reflect the constantly changing technological and risk environments.
To help identify these organizational security objectives, the role and importance
of the IT systems in the organization is examined. The value of these systems
in helping the organization achieve its goals is reviewed, not just the direct costs of
these systems. Questions that help clarify these issues include the following:
• What key aspects of the organization require IT support in order to function
efficiently?
• What tasks can only be performed with IT support?
• Which essential decisions depend on the accuracy, currency, integrity, or
availability of data managed by the IT systems?
• What data created, managed, processed, and stored by the IT systems need
protection?
• What are the consequences to the organization of a security failure in its IT
systems?
If the answers to some of the above questions show that IT systems are important
to the organization in achieving its goals, then clearly the risks to them should be
assessed and appropriate action taken to address any deficiencies identified. A list
of key organization security objectives should result from this examination.
Once the objectives are listed, some broad strategy statements can be developed.
These outline in general terms how the identified objectives will be met in a consistent
manner across the organization. The topics and details in the strategy statements
depend on the identified objectives, the size of the organization, and the importance
of the IT systems to the organization. The strategy statements should address the
approaches the organization will use to manage the security of its IT systems.
Security Policy
Needs to address:
Scope and purpose including relation of objectives to business, legal, regulatory requirements
IT security requirements
Assignment of responsibilities
Risk management approach
Security awareness and training
General personnel issues and any legal sanctions
Integration of security into systems development
Information classification scheme
Contingency and business continuity planning
Incident detection and handling processes
How and when policy reviewed, and change control to it
Given the organizational security objectives and strategies, an organizational
security policy is developed that describes what the objectives and strategies are and
the process used to achieve them. The organizational or corporate security policy
may be either a single large document or, more commonly, a set of related documents.
This policy typically needs to address at least the following topics:
• The scope and purpose of the policy
• The relationship of the security objectives to the organization’s legal and
regulatory obligations, and its business objectives
• IT security requirements in terms of confidentiality, integrity, availability,
accountability, authenticity, and reliability, particularly with regard to the
views of the asset owners
• The assignment of responsibilities relating to the management of IT security
and the organizational infrastructure
• The risk management approach adopted by the organization
• How security awareness and training is to be handled
• General personnel issues, especially for those in positions of trust
• Any legal sanctions that may be imposed on staff, and the conditions under
which such penalties apply
• Integration of security into systems development and procurement
• Definition of the information classification scheme used across the organization
• Contingency and business continuity planning
• Incident detection and handling processes
• How and when this policy should be reviewed
• The method for controlling changes to this policy
The intent of the policy is to provide a clear overview of how an organization’s IT
infrastructure supports its overall business objectives in general, and more specifically
what security requirements must be provided in order to do this most
effectively.
Management Support
IT security policy must be supported by senior management
Need IT security officer
To provide consistent overall supervision
Liaison with senior management
Maintenance of IT security objectives, strategies, policies
Handle incidents
Management of IT security awareness and training programs
Interaction with IT project security officers
Large organizations need separate IT project security officers associated with major projects and systems
Manage security policies within their area
It is critical that an organization’s IT security policy has full approval and buy-in
by senior management. Without this, experience shows that it is unlikely that sufficient
resources or emphasis will be given to meeting the identified objectives and achieving
a suitable security outcome. With the clear, visible support of senior management, it is
much more likely that security will be taken seriously by all levels of personnel in the
organization. This support is also evidence of concern and due diligence in the management
of the organization’s systems and the monitoring of its risk profile.
Because the responsibility for IT security is shared across the organization,
there is a risk of inconsistent implementation of security and a loss of central
monitoring and control. The various standards strongly recommend that overall
responsibility for the organization’s IT security be assigned to a single person, the
organizational IT security officer. This person should ideally have a background in
IT security. The responsibilities of this person include:
• Oversight of the IT security management process
• Liaison with senior management on IT security issues
• Maintenance of the organization’s IT security objectives, strategies, and policies
• Coordination of the response to any IT security incidents
• Management of the organization-wide IT security awareness and training
programs
• Interaction with IT project security officers
Larger organizations will need separate IT project security officers associated with
major projects and systems. Their role is to develop and maintain security policies
for their systems, develop and implement security plans relating to these systems,
handle the day-to-day monitoring of the implementation of these plans, and assist
with the investigation of incidents involving their systems.
Security Risk Assessment
We now turn to the key risk management component of the IT security process.
This stage is critical, because without it there is a significant chance that resources
will not be deployed where most effective. The result will be that some risks are
not addressed, leaving the organization vulnerable, while other safeguards may be
deployed without sufficient justification, wasting time and money. Ideally every
single organizational asset is examined, and every conceivable risk to it is evaluated.
If a risk is judged to be too great, then appropriate remedial controls are deployed to
reduce the risk to an acceptable level. In practice this is clearly impossible. The time
and effort required, even for large, well-resourced organizations, is clearly neither
achievable nor cost effective. Even if possible, the rapid rate of change in both IT
technologies and the wider threat environment means that any such assessment
would be obsolete as soon as it is completed, if not earlier! Clearly some form of
compromise evaluation is needed.
Another issue is the decision as to what constitutes an appropriate level of
risk to accept. In an ideal world the goal would be to eliminate all risks completely.
Again, this is simply not possible. A more realistic alternative is to expend an amount
of resources in reducing risks proportional to the potential costs to the organization
should that risk occur. This process also must take into consideration the likelihood
of the risk’s occurrence. Specifying the acceptable level of risk is simply prudent
management and means that resources expended are reasonable in the context of
the organization’s available budget, time, and personnel resources. The aim of the
risk assessment process is to provide management with the information necessary for
them to make reasonable decisions on where available resources will be deployed.
Given the wide range of organizations, from very small businesses to global
multinationals and national governments, there clearly needs to be a range of alternatives
available in performing this process. There are a range of formal standards that
detail suitable IT security risk assessment processes, including ISO 13335, ISO 27005,
ISO 31000, and NIST SP 800-30. In particular, ISO 13335 recognizes four approaches
to identifying and mitigating risks to an organization’s IT infrastructure:
• Baseline approach
• Informal approach
• Detailed risk analysis
• Combined approach
The choice among these will be determined by the resources available to the organization
and from an initial high-level risk analysis that considers how valuable the IT systems
are and how critical to the organization’s business objectives. Legal and regulatory
constraints may also require specific approaches. This information should be determined
when developing the organization’s IT security objectives, strategies, and policies.
Critical component of process
Ideally examine every organizational asset
Not feasible in practice
Approaches to identifying and mitigating risks to an organization’s IT infrastructure:
Baseline
Informal
Detailed risk analysis
Combined
Baseline Approach
Goal is to implement agreed controls to provide protection against the most common threats
Forms a good base for further security measures
Use “industry best practice”
Easy, cheap, can be replicated
Gives no special consideration to variations in risk exposure
May give too much or too little security
Generally recommended only for small organizations without the resources to implement more structured approaches
The baseline approach to risk assessment aims to implement a basic general level
of security controls on systems using baseline documents, codes of practice, and
industry best practice. The advantages of this approach are that it doesn’t require
the expenditure of additional resources in conducting a more formal risk assessment
and that the same measures can be replicated over a range of systems. The
major disadvantage is that no special consideration is given to variations in the organization’s
risk exposure based on who they are and how their systems are used.
Also, there is a chance that the baseline level may be set either too high, leading to
expensive or restrictive security measures that may not be warranted, or set too low,
resulting in insufficient security and leaving the organization vulnerable.
The goal of the baseline approach is to implement generally agreed controls to
provide protection against the most common threats. These would include implementing
industry best practice in configuring and deploying systems, like those we discuss in
Chapter 12 on operating systems security. As such, the baseline approach forms a good
base from which further security measures can be determined. Suitable baseline recommendations
and checklists may be obtained from a range of organizations, including:
• Various national and international standards organizations
• Security-related organizations such as CERT, the NSA, and so on
• Industry sector councils or peak groups
The use of the baseline approach alone would generally be recommended only for
small organizations without the resources to implement more structured approaches.
But it will at least ensure that a basic level of security is deployed, which is not
guaranteed by the default configurations of many systems.
Informal Approach
The informal approach involves conducting some form of informal, pragmatic risk
analysis for the organization’s IT systems. This analysis does not involve the use of
a formal, structured process, but rather exploits the knowledge and expertise of the
individuals performing this analysis. These may either be internal experts, if available,
or, alternatively, external consultants. A major advantage of this approach is
that the individuals performing the analysis require no additional skills. Hence, an
informal risk assessment can be performed relatively quickly and cheaply. In addition,
because the organization’s systems are being examined, judgments can be
made about specific vulnerabilities and risks to systems for the organization that
the baseline approach would not address. Thus more accurate and targeted controls
may be used than would be the case with the baseline approach. There are a number
of disadvantages. Because a formal process is not used, there is a chance that some
risks may not be considered appropriately, potentially leaving the organization vulnerable.
Also, because the approach is informal, the results may be skewed by the
views and prejudices of the individuals performing the analysis. It may also result in
insufficient justification for suggested controls, leading to questions over whether
the proposed expenditure is really justified. Lastly, there may be inconsistent results
over time as a result of differing expertise in those conducting the analysis.
The use of the informal approach would generally be recommended for small
to medium-sized organizations where the IT systems are not necessarily essential to
meeting the organization’s business objectives and where additional expenditure on
risk analysis cannot be justified.
Involves conducting an informal, pragmatic risk analysis on organization’s IT systems
Exploits knowledge and expertise of analyst
Fairly quick and cheap
Judgments can be made about vulnerabilities and risks that baseline approach would not address
Some risks may be incorrectly assessed
Skewed by analyst’s views, varies over time
Suitable for small to medium sized organizations where IT systems are not necessarily essential
Detailed Risk Analysis
The third and most comprehensive approach is to conduct a detailed risk assessment
of the organization’s IT systems, using a formal structured process. This provides
the greatest degree of assurance that all significant risks are identified and their
implications considered. This process involves a number of stages, including
identification of assets, identification of threats and vulnerabilities to those assets,
determination of the likelihood of the risk occurring and the consequences to the
organization should that occur, and hence the risk the organization is exposed to. With
that information, appropriate controls can be chosen and implemented to address
the risks identified. The advantages of this approach are that it provides the most
detailed examination of the security risks of an organization’s IT system, and produces
strong justification for expenditure on the controls proposed. It also provides
the best information for continuing to manage the security of these systems as they
evolve and change. The major disadvantage is the significant cost in time, resources,
and expertise needed to perform such an analysis. The time taken to perform this
analysis may also result in delays in providing suitable levels of protection for some
systems. The details of this approach are discussed in the next section.
The use of a formal, detailed risk analysis is often a legal requirement for
some government organizations and businesses providing key services to them. This
may also be the case for organizations providing key national infrastructure. For
such organizations, there is no choice but to use this approach. It may also be the
approach of choice for large organizations with IT systems critical to their business
objectives and with the resources available to perform this type of analysis.
Most comprehensive approach
Assess using formal structured process
Number of stages
Identify threats and vulnerabilities to assets
Identify likelihood of risk occurring and consequences
Significant cost in time, resources, expertise
May be a legal requirement to use
Suitable for large organizations with IT systems critical to their business objectives
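The stages just described (identify assets, the threats and vulnerabilities to them, rate likelihood and consequence, derive the risk, then choose controls and compare the residual risk with the acceptable level) as an added worked example in Python. This code is not from the Stallings and Brown text; the 5x5 rating scales, the four risk bands, the acceptable level of "medium", the sample register and the proposed controls are all constructed assumptions made for the illustration.

```python
"""Worked detailed risk analysis over a constructed asset register.

Added example, not from the Stallings and Brown text. The 5x5 qualitative
scales, the four risk bands, the "acceptable" threshold, the sample register
and the proposed controls are all constructed assumptions for illustration.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Qualitative scales (assumption): 1 = lowest, 5 = highest.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
LEVELS = ["low", "medium", "high", "extreme"]  # ordered, lowest first


def risk_level(score: int) -> str:
    """Band the product likelihood x consequence (1..25) into a level (assumed cut-offs)."""
    if score >= 15:
        return "extreme"
    if score >= 9:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


@dataclass(frozen=True)
class Risk:
    """One register row: an asset, a threat exploiting a vulnerability in it,
    the analyst's likelihood and consequence ratings, and any control applied."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    consequence: str
    control: str = ""

    @property
    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]

    @property
    def level(self) -> str:
        return risk_level(self.score)


def needs_treatment(register: List[Risk], acceptable: str = "medium") -> List[Risk]:
    """Risks above the acceptable level, highest score first: the list that goes
    to management for a treat-or-accept decision."""
    limit = LEVELS.index(acceptable)
    above = [r for r in register if LEVELS.index(r.level) > limit]
    return sorted(above, key=lambda r: r.score, reverse=True)


def apply_control(risk: Risk, control: str, likelihood: Optional[str] = None,
                  consequence: Optional[str] = None) -> Risk:
    """Residual risk after a control, modelled as a revised likelihood and/or
    consequence; the original register entry is left unchanged."""
    return replace(risk, control=control,
                   likelihood=likelihood or risk.likelihood,
                   consequence=consequence or risk.consequence)


# Constructed sample register (hypothetical assets and ratings).
SAMPLE_REGISTER = [
    Risk("customer database", "external attacker",
         "unpatched DB server reachable from the internet", "likely", "major"),
    Risk("payroll system", "fraudulent insider",
         "no separation of duties on payment approval", "possible", "major"),
    Risk("public web site", "defacement",
         "shared admin password on the CMS", "likely", "minor"),
    Risk("office printer", "hardware failure", "no spare unit", "possible", "insignificant"),
    Risk("e-mail service", "credential phishing",
         "no multi-factor authentication", "almost certain", "moderate"),
]

# Hypothetical controls and the ratings the analyst expects after each one.
PROPOSED_CONTROLS = {
    "customer database": ("patch and move behind the firewall", "unlikely", None),
    "e-mail service": ("enforce multi-factor authentication", "possible", None),
    "payroll system": ("require dual approval of payments", "unlikely", "moderate"),
}


def treatment_plan(register: List[Risk],
                   acceptable: str = "medium") -> List[Tuple[str, str, str, str]]:
    """For each risk needing treatment: (asset, level before, residual level,
    control). A residual still above the acceptable level must be treated
    further or formally accepted; it is not silently dropped."""
    plan = []
    for r in needs_treatment(register, acceptable):
        proposal = PROPOSED_CONTROLS.get(r.asset)
        if proposal is None:
            plan.append((r.asset, r.level, r.level, "no control proposed: accept or escalate"))
            continue
        control, lik, cons = proposal
        residual = apply_control(r, control, lik, cons)
        plan.append((r.asset, r.level, residual.level, control))
    return plan


if __name__ == "__main__":
    for asset, before, after, control in treatment_plan(SAMPLE_REGISTER):
        print(f"{asset:18} {before:8} -> {after:8} via {control}")
```

Running the block prints one before/after line per risk that exceeds the acceptable level. Note the e-mail service row: the assumed control lowers it only from extreme to high, which is still above the acceptable level, so management must either fund a further control or record an explicit acceptance of the residual risk. That decision point, rather than the arithmetic, is what a detailed analysis exists to produce.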
Combined Approach
Combines elements of the baseline, informal, and detailed risk analysis approaches
Aim is to provide reasonable levels of protection as quickly as possible then to examine and adjust the protection controls deployed on key systems over time
Approach starts with the implementation of suitable baseline security recommendations on all systems
Next, systems either exposed to high risk levels or critical to the organization’s business objectives are identified in the high-level risk assessment
A decision can then be made to possibly conduct an immediate informal risk assessment on key systems, with the aim of relatively quickly tailoring controls to more accurately reflect their requirements
Lastly, an ordered process of performing detailed risk analyses of these systems can be instituted
Over time, this can result in the most appropriate and cost-effective security controls being selected and implemented on these systems
The last approach combines elements of the baseline, informal, and detailed risk
analysis approaches. The aim is to provide reasonable levels of protection as quickly
as possible, and then to examine and adjust the protection controls deployed on key
systems over time. The approach starts with the implementation of suitable baseline
security recommendations on all systems. Next, systems either exposed to high risk
levels or critical to the organization’s business objectives are identified in the high-level
risk assessment. A decision can then be made to possibly conduct an immediate
informal risk assessment on key systems, with the aim of relatively quickly
tailoring controls to more accurately reflect their requirements. Lastly, an ordered
process of performing detailed risk analyses of these systems can be instituted. Over
time this can result in the most appropriate and cost-effective security controls being
selected and implemented on these systems. This approach has a significant number
of advantages. The use of the initial high-level analysis to determine where further
resources need to be expended, rather than facing a full detailed risk analysis of
all systems, may well be easier to sell to management. It also results in the development
of a strategic picture of the IT resources and where major risks are likely
to occur. This provides a key planning aid in the subsequent management of the
organization’s security. The use of the baseline and informal analyses ensures that a
basic level of security protection is implemented early. And it means that resources
are likely to be applied where most needed and that systems most at risk are likely
to be examined further reasonably early in the process. However, there are some
disadvantages. If the initial high-level analysis is inaccurate, then some systems for
which a detailed risk analysis should be performed may remain vulnerable for some
time. Nonetheless, the use of the baseline approach should ensure a basic minimum
security level on such systems. Further, if the results of the high-level analysis are
reviewed appropriately, the chance of lingering vulnerability is minimized.
ISO 13335 considers that for most organizations, in most circumstances, this
approach is the most cost effective. Consequently its use is highly recommended.
Detailed Security Risk Analysis
The formal, detailed security risk analysis approach provides the most accurate
evaluation of an organization’s IT system’s security risks, but at the highest cost.
This approach has evolved with the development of trusted computer systems,
initially focused on addressing defense security concerns, as we discuss in Chapter 13.
The original security risk assessment methodology was given in the Yellow Book
standard (CSC-STD-004-85 June 1985), one of the original U.S. TCSEC rainbow
book series of standards. Its focus was entirely on protecting the confidentiality of
information, reflecting the military concern with information classification. The
recommended rating it gave for a trusted computer system depended on the difference
between the minimum user clearance and the maximum information classification.
Specifically it defined a risk index as
Risk Index = Max Info Sensitivity – Min User Clearance
A table in this standard, listing suitable categories of systems for each risk level,
was used to select the system type. Clearly this limited approach adequately reflects
neither the range of security services required nor the wide range of possible threats.
Over the years since, the process of conducting a security risk assessment that does
consider these issues has evolved.
Provides the most accurate evaluation of an organization’s IT system’s security risks
Highest cost
Initially focused on addressing defense security concerns
Often mandated by government organizations and associated businesses
A number of national and international standards document the expected formal
risk analysis approach. These include ISO 27005, ISO 31000, NIST SP 800-30,
and [SASN13]. This approach is often mandated by government organizations
and associated businesses. These standards all broadly agree on the process used.
Figure 14.3 (reproduced from figure 5 in NIST SP 800-30) illustrates a typical
process used.
Establishing the Context
Initial step
Determine the basic parameters of the risk assessment
Identify the assets to be examined
Explores political and social environment in which the organization operates
Legal and regulatory