Information Assurance for the Enterprise

Instructor's Manual Chapter 2


Chapter 2: Assessing Risks
Learning Objectives
In this chapter, students learn about the elements of risk as they relate to information
assurance. At the end of this chapter, the student should be able to explain:
The elements of risk assessment
The role and purpose of risk assessment in information assurance
The fundamentals of how to perform a risk assessment
How the audit process serves to identify and track risks
Preparing for Class
Instructors should have a good general understanding of information assurance and
security. Instructors can bring in real-world examples of risk management policies
from different industries. Guest speakers from the risk management offices of large
enterprises can also bring a real-world perspective to the students.
Prerequisites for Class
Ensure that the students are
In a computer lab, if possible, for access to the Internet
Arranged in the classroom advantageously to ensure maximum participation
Fundamentally sound with information security basics
Class Preparation Notes
For this class the students will need
Access to a working computer with Internet access
A highlighter (it's not mandatory if they can take good notes)
Key Terms
Acceptability: The risk assessment's level of acceptability, expressed in dollars
Audit: Assures the integrity of the security solution
Audit Conclusion: The point at which the audit report is reviewed with the auditee's upper
management prior to release
Audit Criteria: A set of predefined controls to be audited
Audit Documentation: Audit activities at each stage are documented
Audit Reporting: The audit manager assumes responsibility for audit reporting
Auditee: The organization being audited
Checklist: A checklist for performing the audit against different factors
Client Organization: The organization that mandates the audit
Compliance: Meeting the standards
Confidentiality: Keeping practices and procedures between the company and its client
private
Contracts: Agreements between the company and the customer
Control Objective: Focused behaviors with observable outcomes
Corrective Action: Documented action against a perceived risk or threat
Cost/Benefit: Analysis of the pros and cons of an action
Countermeasures: The steps that will be taken to mitigate a given risk
Estimate of the Consequences: The harm that would be caused by a threat
Evidence: Obtained by conducting interviews
Event Logs: Audit records kept in event logs that are automatically maintained by the
system
Follow-up: Another audit to confirm compliance
Gaps: Identified risks between ideal practice and the current operation
Impartiality: An objective, non-biased opinion
Internal Audit: The organization performs the audit within its own organization with
its own people
Interviews: Conducted to gather evidence
Latent Threat: A possible threat that only becomes active at a later time if one of the
conditions changes
Laws and Regulations: The structure with which a company must be in compliance
Lead Auditor: The person who has sole authority over the auditing process
Likelihood: The certainty of a risk
Noncompliances: Areas where a plan is not fulfilling a law or regulation
Nonconformances: Another term for noncompliances
Operational Security Analysis: Leads to the deployment of a concrete security solution
Preventive Measures: The strategy to reduce the likelihood of a risk occurring
Process Entropy: The natural tendency of any organized system to degrade over time
due to changing conditions
Probability of Occurrence: A percentage indicating the likelihood of occurrence
Proof of Compliance: The audit evidence document
Quantitative Factors: Numerically measurable risk factors
Reactive Measures: The strategy to respond effectively if a risk becomes a direct
threat
Risk: The possibility of a threat
Risk Analysis: The process by which the risk is understood
Risk Analysis Report: An operational response that identifies those threats that have
to be managed
Risk Assessment: An operational process by which risks are identified and
characterized
Risk Estimation: Determines the probability and impact of threats
Risk Evaluation: A function used to decide about the nature of emerging threats
Risk Identification: Documenting the characteristics of vulnerabilities
Risk Management: Ensures effective and up-to-date alignment between identified
threats and the countermeasures deployed to mitigate them
Risk Mitigation: Determines how the risk will be handled
Risk Mitigation Report: The mechanism for communicating information about how
risk is handled
Risk Tolerance: The minimum level of protection that management can reasonably
afford in its day-to-day operations
Risk Transfer: Specifies how any foreseen impact can be reallocated so that the loss
is not permanent or catastrophic
Scope of the Assessment: Should include the entire set of organizational and
technical issues
Standards: Gap analysis must be based on universal standards such as ISO 27000,
NIST, GASSP or COBIT
Third Party Work: The risk management plan must include work performed by entities
outside the organization
Threat: A way of exploiting a known weakness in an organization
Threat Picture: A comprehensive understanding of all threats
Vulnerability: A perceived weakness in an organization that can be exploited
Weakness: A part of a system that can be exploited
Lecture Outline
I. Risks: An Overview
A. A risk is the possibility that a threat is capable of exploiting a known
weakness
B. Risk Assessment
1. It is an operational process by which risks are identified and
characterized
2. It focuses on understanding the nature of all feasible risks
3. It identifies and evaluates each relevant threat, determines its
impact, and itemizes the safeguards that will be needed
4. It determines the preventive measures as well as reactive
measures relevant to a threat
5. It provides specific information on the probability of occurrence
and the estimate of the consequences
6. It maximizes operational deployment and resource use
7. It should reflect a commonly accepted and repeatable
methodology, which will produce independently verifiable
concrete evidence
8. To ensure the effectiveness and accuracy of risk assessment, the
scope of the inquiry has to be defined precisely and be limited to
a particular problem
9. The Risk Assessment should be an ongoing process that
considers the following factors:
i. The existence of, and interrelationships among, all of the
organization's information assets
ii. The specific threats to each asset
iii. The precise business, financial, and technological issues
associated with each threat
C. Making Threats Visible
1. Gap Analysis
i. Identification of gaps between ideal practice and the current
operation
ii. Gaps are assumed to represent vulnerabilities that must be
addressed by the security system
iii. Refer to Figure 2-2 (Page 29) for Gap Analysis Illustration
iv. Gap analysis drives the decisions about the actions that
must be taken to alleviate that specific area of weakness
v. Four major universal standards are used to perform a gap
analysis: the ISO 27000 series, NIST 800-18, the GASSP model
and the COBIT model
2. Risk Classification
i. Risk Identification
a. It identifies potential harmful risks
b. It documents the characteristics of every vulnerability
c. Latent threats do not have immediate consequences and
are ignored in developing security strategy
ii. Risk Estimation
a. It is a data-driven process
b. It measures and quantitatively describes each potential
risk
c. It determines the probability and impact of all threats
that have been identified through risk identification
d. It includes quantitative factors such as assets affected,
the potential duration of the threat, and the severity of
adverse impact
D. Strategy Formulation
1. ROI: A countermeasure should not cost more than the harm that
the threat could cause
2. Trade-Offs
i. Cost benefit and likelihood of occurrence have to be
balanced when formulating a security response
ii. There must be a trade-off between the frequency of
occurrence and the unit cost of each occurrence
3. Practical Decision
i. Decision can be based on annualized loss exposure (ALE)
ii. If the expense is greater than any possible harm, then the
countermeasure is not included in the security response
iii. ALE = Annual Cost of Deployment - (Annual Rate of
Occurrence x Cost per Occurrence)
4. Certainty Factors
i. The degree of certainty of the estimate should be expressed
as a level of confidence from 0 to 100%
ii. Knowing the probability of events will be beneficial in
security response
5. Risk Mitigation Report
i. The mechanism for communicating information about risk
is the risk mitigation report
ii. It specifies the steps selected for each risk and itemizes the
countermeasures that will be implemented as well as the
parties in the organization who will be responsible for
accomplishing each task
iii. It sets the security process in motion
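As an added illustration (not from the manual) of the practical decision in D.3, the certainty factors in D.4 and the risk mitigation report in D.5: a small Python risk register that applies the outline's ALE formula, holds back decisions whose estimates have low confidence, and emits the report rows. The Threat fields, the 50% confidence threshold and the sample figures are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Threat:
    """One identified threat with the estimates the outline calls for.
    Constructed field names; the manual defines no data structure."""
    name: str
    aro: float                   # Annual Rate of Occurrence (events per year)
    cost_per_occurrence: float   # harm per event, in dollars
    countermeasure: str
    annual_deployment_cost: float
    confidence: float            # certainty factor, 0..100 percent
    owner: str                   # party responsible for implementing it


def expected_annual_harm(t: Threat) -> float:
    """Annual Rate of Occurrence x Cost per Occurrence: the harm side of the trade-off."""
    return t.aro * t.cost_per_occurrence


def ale(t: Threat) -> float:
    """The outline's decision quantity:
    ALE = Annual Cost of Deployment - (Annual Rate of Occurrence x Cost per Occurrence).
    A positive value means the countermeasure costs more than the harm it addresses."""
    return t.annual_deployment_cost - expected_annual_harm(t)


def decide(t: Threat, min_confidence: float = 50.0) -> str:
    """Apply the outline's rule, then the certainty factor.
    'exclude': expense greater than any possible harm, so not in the security response.
    'review' : pays for itself on paper, but the estimate's confidence is below the
               threshold (an assumed policy knob), so it goes back for better data.
    'include': deploy."""
    if ale(t) > 0:
        return "exclude"
    if t.confidence < min_confidence:
        return "review"
    return "include"


def mitigation_report(threats: list[Threat], min_confidence: float = 50.0) -> list[dict]:
    """Risk mitigation report rows: the step selected for each risk, the countermeasure
    and the responsible party, ordered by expected annual harm (largest first)."""
    rows = []
    for t in sorted(threats, key=expected_annual_harm, reverse=True):
        rows.append({
            "risk": t.name,
            "expected_annual_harm": expected_annual_harm(t),
            "ale": ale(t),
            "confidence_pct": t.confidence,
            "decision": decide(t, min_confidence),
            "countermeasure": t.countermeasure,
            "responsible_party": t.owner,
        })
    return rows


# Constructed sample register (not from the manual). It shows the trade-off the outline
# describes: laptop theft is frequent but cheap per event, the flood is rare but costly.
SAMPLE_THREATS = [
    Threat("Ransomware on file server", 0.5, 200_000.0,
           "Offline backups and endpoint detection", 40_000.0, 80.0, "IT Operations"),
    Threat("Laptop theft", 2.0, 5_000.0,
           "Full-disk encryption on all laptops", 3_000.0, 90.0, "Desktop Support"),
    Threat("Datacenter flood", 0.01, 1_000_000.0,
           "Relocate to a second site", 250_000.0, 70.0, "Facilities"),
    Threat("Insider data exfiltration", 0.2, 150_000.0,
           "Data loss prevention tooling", 25_000.0, 30.0, "Security Team"),
]


if __name__ == "__main__":
    for row in mitigation_report(SAMPLE_THREATS):
        print(f"{row['risk']:<28} harm/yr={row['expected_annual_harm']:>10,.0f} "
              f"ALE={row['ale']:>10,.0f} conf={row['confidence_pct']:>3.0f}% "
              f"-> {row['decision']:<8} {row['countermeasure']} ({row['responsible_party']})")
```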
E. Security Solution
1. Operational Security Analysis
i. It analyzes precisely the implications of the threat picture
developed in the risk identification and estimation stage
ii. Minimum levels of protection must be specified for the
risk-tolerance decision by management
iii. It provides the information needed to assign operational
priorities
iv. It allows for a risk-mitigation decision about how to reduce
the severity or effect of a known risk
v. Risk-mitigation decisions also specify ways to recover
from the risk including risk transfer
vi. It must contain the needs, issues, and concerns of various
organizational stakeholders
vii. Organizational value of an asset can be obtained by the
following methods:
a. Applied Information Economics
b. The Balanced Scorecard
c. Economic Value Added
d. Economic Value Sourced
e. Portfolio Management
f. Real Option Valuation
F. Operational Risk Assessment
1. They are conducted as a part of the risk management process
2. It uses risk identification and estimation as the primary data-
gathering mechanism
3. It uses risk evaluation function to decide the nature of emerging
threats
4. They are used to fine-tune the security response over time
5. It should provide explicit implementation advice about changes
that must be made to countermeasures
6. Planning for Operational Risk Assessment
i. Planning involves establishing a standard schedule for the
performance of each assessment as well as defined
processes for problem reporting and corrective action
ii. It must have a defined set of performance criteria
iii. Each countermeasure must have a set of observable criteria
built into its specification
7. Implementing the Operational Risk Assessment Process
i. Risk assessment must be flexible to meet the demands of a
changing security environment
ii. It should specify roles and responsibilities
iii. It should ensure that a responsible party will always be in
place to address any contingency
iv. It ensures that adequate resources are available to support
the assessment activities
8. Standard Measurement
i. It should ensure that each assessment produces consistent
data
ii. Consistency is critical for understanding the precise nature
of the threats
G. Audit
1. It assures the integrity of the security solution from the pervasive
influence of process entropy
2. It verifies that the necessary knowledge and accountability are in
place to guarantee continuous performance
3. It confirms that the implemented security procedures are working
as intended within the normal business setting
4. Refer to Figure 2-5 (Page 38) for the audit process illustration
5. They are done to determine something about the four Cs:
i. Contract
ii. Capability
iii. Compliance
iv. Certification
6. Aims of Audit
i. Internal or External Audit
ii. To identify non-compliances or non-conformances against
specified audit criteria
iii. To determine whether the auditee has achieved its stated
objectives
7. Audit Framework
i. The audit process maintains accountability for performance
ii. Each element is termed a control objective: a focused
behavior with an observable outcome
iii. Audit maintains the status of all designated security
procedures on an ongoing basis
iv. Audits are always carried out based on a specific set of
audit criteria as they involve legal considerations
8. Managing the Audit Process
i. The audit process should be managed separately and
independent of the organization being audited
ii. The audit manager supervises, monitors and evaluates the
activities of the audit team
iii. Audit Planning
a. There are four types of participants in an audit process
b. Auditee: The part or parts of the organization being
audited
c. Lead Auditor: The chief auditor
d. Auditor: The audit team
e. Client: The organization that engaged the auditors
iv. Performing the Audit
a. The preparation, validation, and distribution of the audit
forms and checklists is an important activity in the audit
process
b. Establishing a good checklist is a factor in successful
information assurance audits
c. Event logs which maintain records in information
assurance must be identified and accounted for at the
beginning of the process
d. Electronic records must be audited using the same
methodology and level of rigor that is applied to the
traditional body of audit evidence
e. Outcomes and conclusions from electronic records must
be fully integrated into the body of audit findings
v. Authenticating Audit Evidence
a. Evidence obtained must be authenticated
b. All objective data and conclusions must be
authenticated by means of a suitable analysis
c. Refer to Figure 2-7 (Page 45) for Developing an Audit
Evidence Illustration
d. Ensuring confidentiality is important
e. Audit should be terminated if confidentiality is
breached
f. Audit must be impartial by making sure that all findings
are supported by unambiguous evidence
vi. Preparing the Audit Report
a. Auditors report preliminary conclusions, including
problems encountered
b. The final report contains observations, major and minor
findings, and timing of follow-up activities
vii. Importance of Validation
a. Members of the organization must assist in validating
the findings
II. Certification and Accreditation (C&A)
A. It is a federal government audit process
B. It uses a product-oriented approach
C. It generates a document that management can use to identify and accept the
residual risk in any system
D. It is a comprehensive evaluation of the technical and non-technical
security features of the entity being tested
E. Certification of a system is the outcome of an information assurance
analysis in the following areas:
1. Physical
2. Personnel
3. Administrative
4. Information
5. Information Systems
6. Communications
F. Accreditation establishes the risk tolerance levels of the system and allows
the system administrator to prescribe the appropriate set of access controls
G. DITSCAP
1. It is the Federal Government's DoD Information Technology
Security Certification and Accreditation Process (DITSCAP)
2. It ensures that prospective customers know what all of the risks
associated with a given system are
3. The following are the phases of DITSCAP evaluation:
i. Definition: Key players agree on the intended system's
mission, attendant security requirements, the scope of the C&A
boundary, the audit schedule, the level of effort, and the
resource commitment
ii. Verification: Certifiers determine the system's compliance
with System Security Authorization Agreement (SSAA)
requirements
iii. Validation: It validates compliance with the SSAA
requirements
iv. Post Accreditation: Review of configuration and security
management.
Teaching Tip
This chapter is about assessing risks. You may want to ask students about life-cycle risks
and how they are protecting themselves and their families. For example, why do you
take out life insurance? Ask students to itemize the risks involved in their daily commute to
the college. Which one is more probable and which one is not? Why?
If you have access to the college/university risk management office, then tell students to
analyze the current policies of information risk.
Discussion Point
The essay questions at the end of the chapter are a good starting point for bringing
discussion questions in the classrooms. Ask students how the information assets are
secured in their own industry (depending on where they work).
Key Terms Quiz
Use the terms from the Key Terms list to complete the sentences that follow.
Don't use the same term more than once. Not all terms will be used.
1. _____ provides probabilities that a risk will occur as well as the cost/benefit
impacts if it does.
2. The least quantitative type of risk assessment is called a risk _____.
3. Decisions about the deployment of the security response are based on _____.
4. One mechanism for assessing whether to deploy countermeasures is the Balanced
_____.
5. The only way to ensure accountability is through _____ of risk performance.
6. Measurement requires established _____.
7. The process that ensures that control objectives are being met is called _____.
8. There are essentially two types of risk assessments: _____ and _____.
9. The document that ensures that nonconformities are brought to management's
attention is called a _____.
10. Audit conclusions are only based on _____.
Answers
1. Risk Analysis provides probabilities that a risk will occur as well as the
cost/benefit impacts if it does.
2. The least quantitative type of risk assessment is called a risk identification.
3. Decisions about the deployment of the security response are based on
countermeasures.
4. One mechanism for assessing whether to deploy countermeasures is the Balanced
Scorecard.
5. The only way to ensure accountability is through audit of risk performance.
6. Measurement requires established standards.
7. The process that ensures that control objectives are being met is called gaps.
8. There are essentially two types of risk assessments: identification and
estimation.
9. The document that ensures that nonconformities are brought to management's
attention is called a risk mitigation report.
10. Audit conclusions are only based on impartiality.
Multiple Choice Quiz
1. A control framework ensures that:
A. defects are prevented
B. vulnerabilities don't happen
C. procedures are followed
D. no risk is ignored
2. Confidentiality is important in all types of assessments because:
A. it ensures cooperation
B. it prevents leaks
C. it identifies threats
D. it reduces cost
3. Continuous risk management is underwritten by:
A. plans
B. project management
C. risk assessment
D. procedures
4. Most risk assessments are conducted against:
A. reference models of best practice
B. gaps
C. specified criteria
D. the technology
5. Besides the effectiveness of security controls, audit can assure:
A. security technologies
B. security processes
C. safety
D. security work
6. A gap analysis looks at:
A. the best practices
B. the difference between current and ideal practice
C. the presence of non-conformities
D. the audit evidence
7. A likelihood estimate is important because:
A. people like estimates
B. knowledge of probability of occurrence supports decision making
C. investment in security is easy to make
D. likelihood drives cost
8. A risk estimation is different from an operational security analysis in that:
A. risk estimations are quantitative and security analyses are not
B. risk estimations deal with probability
C. the aim of the security analysis is to determine whether the strategy is correct
D. the aim of the security analysis is to determine ROI
9. Scope is essential to risk assessment because:
A. it defines the range of things that will be examined
B. it sets the security perimeter
C. it establishes the types of analyses that will be needed
D. it is a component of the risk mitigation strategy
10. Risk assessments are:
A. basic countermeasures
B. unnecessary because threats are always evolving
C. features that are found in the security of operations function
D. an essential precondition to planning the response
Answers
1. C
2. B
3. C
4. A
5. B
6. B
7. B
8. A
9. A
10. D
Essay Quiz
1. It is important to validate audit interviews by other means. Why is that the case
and what can happen if this is not done?
2. Risk assessments always embody some form of probability estimate. Why is that
necessary and what does it prevent?
3. What is the role of Annualized Exposure Loss in security system formulation?
What may happen if the ALE is ignored?
4. Forms and checklists are important in all types of assessments. Why is that the
case and what do they essentially provide for the process?
5. Security audits are different from risk assessments in that they are regular and
ongoing. What is the primary benefit of a continuous process?
6. Gap analyses are most easily accomplished if they are based on standards.
Explain why?
7. Certification is a very useful aspect of the risk process. Explain how certification
can assure against risks.
8. One of the most important aspects of the practical security process is the risk
mitigation report. Explain what purpose it serves and why it is a key element of
security.
9. How does risk assessment relate to the information identification process?
10. What is the role of risk identification in the overall process? Why is risk
identification a necessary step?
Answers
1. It is important to validate audit interviews by other means. Why is that the case
and what can happen if this is not done?
Evidence obtained through interviews during the audit process must be
authenticated to ensure consistent interpretation. The audit process must be
confidential and impartial to validate all the findings. If confidentiality is
breached then the audit must be terminated as the findings will not be impartial.
2. Risk assessments always embody some form of probability estimate. Why is that
necessary and what does it prevent?
Risk assessment identifies the potential threat against the organization.
Probability estimation allows the organization to assess the level of acceptability
of the risk in dollars and cents. Organizations can determine the Return on
Investment (ROI) for a possible threat.
3. What is the role of Annualized Exposure Loss in security system formulation?
What may happen if the ALE is ignored?
Annualized Loss Exposure (ALE) allows the organization to estimate the expense
of maintaining a countermeasure over one year. If the expense is greater than any
possible harm, then there is no ROI to the organization. Thus, if organizations
ignore ALE, then they will not be able to have a cost/benefit analysis.
4. Forms and checklists are important in all types of assessments. Why is that the
case and what do they essentially provide for the process?
Checklists allow an organization to determine if they are in compliance with all
the standards and audited criteria. Thus, they are essential in the auditing process.
5. Security audits are different from risk assessments in that they are regular and
ongoing. What is the primary benefit of a continuous process?
A continuous security audit process will determine any latent threats that might be
possible due to the changing conditions.
6. Gap analyses are most easily accomplished if they are based on standards.
Explain why?
Standards define the ideal practice; identifying the gaps between ideal practice
and the current operation therefore determines the risks for an organization.
Measuring the organization's operation against standards will assist in identifying
potential risk.
7. Certification is a very useful aspect of the risk process. Explain how certification
can assure against risks.
Certification assures compliance against standards and auditing criteria. Thus,
certification of an organization that meets the standards proves that organization
to be at a lesser risk.
8. One of the most important aspects of the practical security process is the risk
mitigation report. Explain what purpose it serves and why it is a key element of
security.
The Risk Mitigation Report is the mechanism for communicating information about risk.
This document specifies the steps selected for each risk and itemizes the
countermeasures that will be implemented as well as the parties in the
organization who will be responsible for accomplishing each task. Thus, it is a
very important element of the security process.
9. How does risk assessment relate to the information identification process?
The identification process determines the precise area of threat as well as
identifies the information assets affected during the risk assessment. Since
identification documents the characteristics of every vulnerability, it is an
important risk assessment tool.
10. What is the role of risk identification in the overall process? Why is risk
identification a necessary step?
Risk identification is the simplest form of risk classification. It identifies
potential harmful risks. It documents the characteristics of every vulnerability
including itemizing a list of all the threats that would be able to exploit it. It is a
necessary step as it identifies every risk item through extensive interviews and
detailed technical analysis.
Case Exercise
Complete the following case exercise as directed by your instructor:
Heavy Metal Technologies (HMT) is a defense contractor headquartered
in Huntsville, Alabama. HMT was recently contracted by the Army to
upgrade the fire control system for the MH64-D Apache Longbow attack
helicopter. Because the contracted enhancement is so important to the
continuing success of the main ground attack helicopter program and thus
because of its importance to national defense, the Army wants a total
commitment from HMT that the integrity, confidentiality, and availability
of project information will be assured. Therefore the Army would like
HMT to address the following five organizational control concerns. Please
provide a written solution for each of these.
The Army requires a procedure to assure that all security concerns will be
identified and addressed.
The Army requires a procedure to assure that performance of the
security process will be continuous.
The Army requires a procedure to assure that the control processes
will be cost efficient.
The Army requires a procedure to assure that the company will be able to
satisfy its contractual and legal obligations.
The Army requires a procedure to assure that all third-party work will
meet security criteria.