Security Risk Assessment: Planning and Key Metrics

The security risk assessment process, as described by Landoll (2016), includes six phases at a high level: project definition, project preparation, data gathering, risk analysis, risk mitigation, and recommendations (the findings).

Considerations Required to Describe a Security Risk Assessment Project

A project has a beginning and an end, and in many cases projects are used to achieve strategic organizational goals: a company may use a project to innovate, move into a new market, or drive down cost, as described by Verzuh (2015). A security risk assessment is managed like any other project. Usually a project sponsor and stakeholders have an interest or need that leads them to kick off the project with a particular objective in mind. Once the project is defined, preparation takes place: the security assessment team is identified and granted the authorization it needs to perform the assessment when the project starts.

Data gathering is performed at the site of the security risk assessment and establishes the value of the existing administrative, physical, and technical security controls, as described by Landoll (2016). The types of data to be collected are therefore administrative, technical, and physical. Administrative data gathering includes reviewing policies, procedures, and training plans. Technical data gathering includes design, configuration, and architecture reviews. The physical review includes observation and inspection of the site and its physical surroundings.

Risk analysis takes the asset valuation and maps it against known threats and vulnerabilities, as Landoll (2016) points out. Once the analysis is complete, the risk to each asset is calculated and a risk statement is written for it. As Landoll (2016) also points out, the risks derived from the analysis phase then need to be prioritized and mitigated. A safeguard plan is laid out that maps each threat and vulnerability to the safeguard that mitigates the risk to the assessed asset.

The last phase is the recommendations or findings from the security risk assessment, together with the proposed resolutions. A report and a presentation are delivered to the stakeholders and the project sponsor.
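The risk analysis, prioritization and safeguard-mapping steps above can be made concrete with a small scoring pass. The following is an added example written for this page; it is not code from Landoll (2016) or from the original post. The scoring model is an assumption (asset value, likelihood and impact each on a 1 to 5 scale, multiplied together, so scores run from 1 to 125), and every asset, threat, vulnerability and safeguard in it is constructed sample data. It also handles the case a practitioner cares about: a prioritized risk for which the safeguard catalog has no entry is flagged rather than silently dropped.

```python
"""Added example: score exposures, rank them, and map each to a safeguard.

Scoring model assumed here (not prescribed by the page): each asset has a
value 1..5 from the asset valuation step, and each (threat, vulnerability)
pair on it has a likelihood 1..5 and an impact 1..5.  Risk = value *
likelihood * impact.  A safeguard catalog keyed by vulnerability gives the
safeguard and the residual risk it leaves, as a percentage of the original.
All assets, threats, vulnerabilities and safeguards are constructed samples.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: int  # 1 (low) .. 5 (critical), from asset valuation


@dataclass(frozen=True)
class Exposure:
    """One threat / vulnerability pair observed against one asset."""
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int  # 1..5
    impact: int      # 1..5


@dataclass(frozen=True)
class Risk:
    exposure: Exposure
    score: int
    statement: str


def _check_scale(label, n):
    """Reject inputs outside the assumed 1..5 scale instead of scoring garbage."""
    if not 1 <= n <= 5:
        raise ValueError(f"{label} must be in 1..5, got {n}")


def score_exposure(e):
    """Risk = asset value x likelihood x impact (assumed 1..5 scales, so 1..125)."""
    _check_scale("asset value", e.asset.value)
    _check_scale("likelihood", e.likelihood)
    _check_scale("impact", e.impact)
    return e.asset.value * e.likelihood * e.impact


def risk_statement(e):
    """Plain-language risk statement for the report."""
    return f"{e.threat} could exploit {e.vulnerability} on {e.asset.name}"


def analyze(exposures):
    """Score every exposure and return Risk records, highest score first."""
    risks = [Risk(e, score_exposure(e), risk_statement(e)) for e in exposures]
    return sorted(risks, key=lambda r: r.score, reverse=True)


def safeguard_plan(risks, catalog, threshold):
    """Map each risk at or above threshold to a safeguard and its residual score.

    catalog: vulnerability -> (safeguard name, residual percent 0..100).
    Risks with no catalog entry are kept and flagged so the gap is visible.
    Returns (statement, score, safeguard, residual) tuples in priority order.
    """
    plan = []
    for r in risks:
        if r.score < threshold:
            continue  # below the agreed risk appetite; accepted, not planned
        entry = catalog.get(r.exposure.vulnerability)
        if entry is None:
            plan.append((r.statement, r.score, "NO SAFEGUARD IN CATALOG", r.score))
            continue
        name, residual_pct = entry
        plan.append((r.statement, r.score, name, r.score * residual_pct // 100))
    return plan


# Constructed sample data (hypothetical organization).
PAYROLL = Asset("payroll database", 5)
INTRANET = Asset("intranet wiki", 2)
BADGE = Asset("badge-access server", 4)

SAMPLE_EXPOSURES = [
    Exposure(PAYROLL, "external attacker", "unpatched database listener", 3, 5),
    Exposure(PAYROLL, "insider", "shared DBA account with no audit log", 2, 4),
    Exposure(INTRANET, "external attacker", "default admin password", 4, 2),
    Exposure(BADGE, "tailgating visitor", "unmonitored rear entrance", 3, 3),
]

SAFEGUARDS = {
    "unpatched database listener": ("monthly patch cycle with emergency SLA", 20),
    "shared DBA account with no audit log": ("named accounts plus DB audit logging", 40),
    "default admin password": ("credential rotation at build time", 10),
}

if __name__ == "__main__":
    for statement, score, safeguard, residual in safeguard_plan(
            analyze(SAMPLE_EXPOSURES), SAFEGUARDS, threshold=30):
        print(f"[{score:3d} -> {residual:3d}] {statement}: {safeguard}")
```

Running the block prints the three risks at or above the threshold of 30 in priority order; the badge-server exposure surfaces with "NO SAFEGUARD IN CATALOG" because nothing in the catalog addresses that vulnerability, which is exactly the kind of gap the safeguard plan is meant to expose before the findings are presented.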

Preparation Steps Required for a Security Risk Assessment

Before arriving on-site for the security risk assessment, preparation can be completed to ensure the team is efficient once the project starts. Preparation items discussed by Landoll (2016) include introducing the team to the sponsor, the stakeholders, and the area of the organization to be assessed, and making sure the security assessment team understands the business mission. Where possible, ask the sponsor or stakeholders to have their own team identify critical systems, assets, and threats before the project starts. The last preparation step is to determine the expected controls. If the assessment team or the chosen security risk assessment methodology includes this step, as Landoll (2016) points out, then these controls should be documented as the expected security program for the organization.

Five Key Security Metrics

The common security metrics are quantitative, financial, qualitative, hybrid, and quality metrics. The first key metric, quantitative measures, as Brotby (2009) points out, is generally technical and is pulled from computer systems. The second, financial metrics, is usually used by the organization's management team to determine the financial performance of projects or the return on investment. The qualitative metric is the third key metric; although less favored because it is seen as imprecise and subjective, it can provide indicators such as process quality or operational maturity, as Brotby (2009) describes. The hybrid metric is the fourth; examples of a hybrid approach to security metrics are the balanced scorecard (BSC) and the Sherwood Applied Business Security Architecture (SABSA). The last key metric is the quality metric. This metric, as described by Brotby (2009), can be helpful in measuring the quality of the metrics themselves. Examples of quality approaches are Six Sigma, ISO 9000, and the Capability Maturity Model (CMM).

Why Definition and Planning Matter

Definition and planning are essential to an effective assessment because the sponsor and stakeholders need to understand the definition, or scope, of the security risk assessment and the deliverables or results they will receive once the risk assessment project has completed. Without a defined scope and plan, misunderstandings can arise between the sponsors and stakeholders and the team performing the security risk assessment.

References

Brotby, W. K. (2009). Information security management metrics. CRC Press.

Landoll, D. (2016). The security risk assessment handbook (2nd ed.). CRC Press.

Verzuh, E. (2015). The fast forward MBA in project management (5th ed.). John Wiley & Sons.