Six-Phase Information Assurance Risk Assessment Process
The organization DigitalGlobe has been chosen for an abbreviated assessment. This paper discusses the considerations for decreasing risk and mitigating assessed vulnerabilities. It summarizes the assessed challenges in the information assurance security plan, gives an overview of the key information assurance considerations, and discusses the options for addressing risk items together with a recommended mitigation approach for the risks assessed.
Brief Summary of Assessed Challenges
The assessment process, as described by Landoll (2016), includes six phases at a high level: project definition, project preparation, data gathering, risk analysis, risk mitigation, and recommendations or findings.
Project Definition: A project has a beginning and an end, and in many cases projects are used to achieve strategic organizational goals. A company may use a project to innovate, to move into a new business market, or to drive down cost within the organization, as described by Verzuh (2015). A security risk assessment is managed like any other project. Usually a project sponsor and stakeholders have an interest or need that leads them to kick off the project with a particular objective in mind.
Project Preparation: Once a project has been created, preparation for the project takes place. The security assessment team is identified, and proper authorization is granted to the team so that it can perform the assessment when the project starts.
Data Gathering: Data gathering is performed at the location of the security risk assessment and evaluates the existing administrative, physical, and technical security controls, as described by Landoll (2016). The types of data collected are administrative, technical, and physical. An example of administrative data gathering is reviewing procedures, policies, or training plans. Technical data gathering includes design, configuration, and architecture reviews. The physical review takes into account observations and inspections of applications and of the physical site.
Risk Analysis: Risk analysis takes the asset valuation and maps it against known threats and vulnerabilities. Once the analysis is completed, the risk is calculated and risk statements for the assets are created. Assets, threats, and vulnerabilities, as described by Landoll (2016), are the key concepts of the security risk assessment process.
Risk Mitigation: Once risk analysis is complete, as Landoll (2016) points out, the information derived from the risk analysis phase needs to be prioritized and mitigated. A safeguard plan is laid out that maps threats and vulnerabilities to the safeguards that mitigate the risk to the assessed assets.
Recommendations and Findings: The last step of the security risk assessment is the recommendations or findings from the assessment and their resolutions. A report and presentation are delivered to the stakeholders and the project sponsor.
Options for Addressing Assessed Risk Items
Information assurance and security exist to protect a company's or organization's valuable assets, as described by Peltier (2013). Information security covers information or data, computer hardware, and software. The information security team, using the appropriate safeguards and applications, contributes to the mission of the company or organization by protecting its physical and financial resources, reputation, legal position, employees, and other assets.
The information security program is devised so that security is a business enabler for the organization, as described by Peltier (2013). For information security to become an enabler, the company must explore and assess the information security risks to business operations. The business must also identify which policies, standards, and controls are essential to implement in order to reduce the identified security risks. Promoting awareness and understanding among team members is also required. Once policies, standards, and controls are implemented, information security must assess the compliance and effectiveness of what has been put in place and revise it if needed.
The core tenets of security are commonly referred to as CIA: Confidentiality, Integrity, and Availability. Confidentiality is a measure of the privacy of data or information. Integrity ensures the data is dependable and correct. Availability ensures that team members, customers, and other authorized users can access the information or data, as described by Jacobs (2015).
Before the team begins a security risk assessment, a few activities should be performed to confirm that all is ready for the launch of an efficient project, as described by Landoll (2016). Examples of activities that occur before the security risk assessment begins include introducing the assessment team to the organization, obtaining permission for testing and data gathering, and reviewing available information.
Recommended Mitigation Approach
There are options for addressing risk items. Two issues should be considered when performing a risk assessment, as described by Calder & Watkins (2015). First, there should be a regular review of security risks and of the controls related to them. During the review, new threats and vulnerabilities should be considered, along with the impact of changes to the business such as changes in goals, technology, or processes, and even changes to laws and legislation. Second, the standard requires the business to identify the competencies needed by the people working with the ISMS framework.
A qualitative approach is commonly used to identify assets, threats, vulnerabilities, impacts, risk assessments, and controls, as described by Calder & Watkins (2015). Assets are tracked in a risk log. For each asset identified by the team, the owner(s) of the asset, any known threat(s), and all of the vulnerabilities that affect the asset are recorded in the corporate risk log.
Asset Inventory and Risk Classification
The information asset inventory covers processes, information, information systems, hardware, and software. A threat is something that can go wrong with an identified asset, as Calder & Watkins (2015) point out. A vulnerability is something that leaves the asset open to attack by a known threat. The impact is the outcome when a threat exploits a vulnerability and thereby harms the asset: the asset's availability, integrity, or confidentiality could be breached. Risks are assessed to identify the potential business harm that might result from a threat's exploitation of a vulnerability, so that the business impact of each is understood, as Calder & Watkins (2015) point out.
The organization's assets are assessed during the security assessment. Once the security risk to the organization's assets is recognized, the security risk assessment team must develop recommendations to reduce the risk to those assets. These recommendations, as described by Landoll (2016), are referred to as safeguards or countermeasures, and safeguards are derived for each asset. The assessment or risk analysis should be completed to conclude whether the threat exploiting the vulnerability creates an impact. The business then assesses and assigns a risk classification to each risk, which makes it possible to identify, for each risk, whether it is acceptable or whether it requires controls to be put in place. A control is a mitigation or countermeasure put in place for a risk that has been found. A business can also accept a risk or transfer the risk to others. Five types of controls are identified by Calder & Watkins (2015): directive, preventative, detective, corrective, and recovery controls. A directive control consists of creating a policy. A preventative control is put in place to stop or reduce the impact of a vulnerability or attack. A detective control is triggered by the discovery of an attack and provides an immediate control action. Business continuity or disaster recovery controls are known as recovery controls. The directive control, as Calder & Watkins (2015) point out, is the means of delivering the preventative, detective, and corrective controls.
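As an added illustration (not part of the paper or of the cited books), the following Python models the risk log described above: each asset with its owner, threat, vulnerability, a qualitative rating, a risk classification, the accept/transfer/control decision, and the five control types. The likelihood scale, the scoring thresholds and the sample entries are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Qualitative scale (assumed for this example; the paper gives no numeric scale).
LEVELS = {"low": 1, "medium": 2, "high": 3}
# The five control types named by Calder & Watkins (2015).
CONTROL_TYPES = ("directive", "preventative", "detective", "corrective", "recovery")

@dataclass
class RiskEntry:
    """One row of the corporate risk log."""
    asset: str
    owner: str
    threat: str
    vulnerability: str
    likelihood: str                                # low / medium / high
    impact: str                                    # low / medium / high
    controls: dict = field(default_factory=dict)   # control type -> safeguard

    def score(self) -> int:
        """Likelihood x impact on the assumed 1..3 scales (range 1..9)."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def classification(self) -> str:
        """Assumed thresholds: <=2 acceptable, <=4 moderate, else unacceptable."""
        s = self.score()
        return "acceptable" if s <= 2 else "moderate" if s <= 4 else "unacceptable"

    def add_control(self, ctype: str, safeguard: str) -> None:
        """Record a safeguard, rejecting any type outside the five named."""
        if ctype not in CONTROL_TYPES:
            raise ValueError(f"unknown control type: {ctype}")
        self.controls[ctype] = safeguard

def treatment(entry: RiskEntry, transferable: bool = False) -> str:
    """Accept, transfer, or control the risk: the three options the text names."""
    if entry.classification() == "acceptable":
        return "accept"
    return "transfer" if transferable else "control"

def untreated(log: list) -> list:
    """Gap check: entries that require controls but have none recorded yet."""
    return [e for e in log if treatment(e) == "control" and not e.controls]

# Constructed sample log entries (illustrative only, not DigitalGlobe data).
LOG = [
    RiskEntry("imagery archive", "data team", "ransomware",
              "unpatched file server", "medium", "high"),
    RiskEntry("visitor sign-in sheet", "facilities", "loss",
              "paper binder at front desk", "low", "low"),
]
LOG[0].add_control("preventative", "monthly patch cycle on file servers")
LOG[0].add_control("detective", "alert on mass file modification")
LOG[0].add_control("recovery", "offline backups with tested restore")
```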
Conclusion
In this document, the considerations for decreasing risk and mitigating assessed vulnerabilities were outlined. A summary of the assessed challenges in the information assurance security plan was given. The key information assurance considerations were laid out, and the options for addressing risk items and the recommended mitigation approach for the risks assessed were reviewed. All of these are needed for a successful security risk assessment.
References
Calder, A., & Watkins, S. (2015). IT governance: An international guide to data security and ISO27001/ISO27002, 6th edition. Kogan Page.
Jacobs, S. (2015). Engineering information security: The application of systems engineering concepts to achieve information assurance, 2nd edition. Wiley.
Landoll, D. (2016). The security risk assessment handbook: A complete guide for performing security risk assessments, 2nd edition. CRC Press.
Peltier, T. R. (2013). Information security fundamentals, 2nd edition. CRC Press.
Verzuh, E. (2015). The fast forward MBA in project management, 5th edition. Wiley.