Risk Assessments

by phiber on March 29th, 2001

During the formation of the Internet, it was an open forum for communication and exchange of data. As the Internet grows, the number of risks and vulnerabilities will increase. Part of any organization's information security program is the risk assessment process. Assessment results must provide cost-effective and management-approved corrective actions.

- Written by John D. Johnson ([email protected]) for SecurityPortal

During the days when Al Gore was involved with the formation of the Internet, it was developed as an open forum for promoting communication and the exchange of information and data between networks. As the Internet grows from the global communication system we have today into a truly worldwide medium for data exchange, communication connectivity and e-commerce expansion, the number of risks and vulnerabilities will increase in greater proportion as its connectivity swells. Part of any organization's information security program for protecting enterprise components and the information supporting business functions is the risk assessment process that the organization implements and actually follows. Assessment results must provide cost-effective and management-approved corrective actions that mitigate potential risks to a level acceptable for network operation and business function.

The focal point for any organizational program depends on the management structure implemented to accomplish its goals, resources assigned to the effort, management support, and degree of adherence by employees.

Part one of this series will review successful elements for developing a risk assessment process based on a government evaluation of leading organizations. Part two will consider successful elements of information security from leading organizations. Finally, part three will examine the overall framework of information security management that supports business functions and integrates the risk management process to address common security concerns.

Steps in the practice of an organization's risk management program involve:

Determining critical security program factors that successfully support business functions and essential corporate elements;

Identifying and implementing risk management processes that achieve management objectives;

Developing and using security tools to accomplish risk assessment processes;

Identifying and integrating the benefits achieved through increased risk management.

As information technology continues to evolve with greater capabilities, reduced costs and expanded accessibility throughout the world, security management principles and methods must evolve with these changes. One of the basic tools used by the information security industry is the application of risk management. The risk management process, primarily through risk assessments, provides business executives with the information they need to understand the risks arising from threats and vulnerabilities that could have a negative impact on network operations. This information gives them a foundation on which to base sound and cost-effective decisions about the actions needed to eliminate or reduce those risks.

Risk assessments determine risks that are relevant for review by management, evaluate appropriate policies and security measures to mitigate these risks, and review changes of risks over time to adjust implemented and planned responses, accordingly.

Risk assessments provide basic elements to:

Identify any potential threat that may adversely affect corporate assets or network operations, especially the most critical elements within an organization;

Estimate the likelihood that a given threat or vulnerability will actually materialize, based on established criteria for evaluating these factors;

Identify and provide a system of priority ranking of valuable assets within the organization for protection against identified and relevant risks;

Collect data for measuring the impact of any potential loss or damage to critical assets, including costs involved with the recovery or replacement of those assets;

Provide management with the available cost-effective actions or mechanisms from which to select measures that mitigate or reduce potential risks;

Document the selection, planning and integration of management-approved measures, including action plans for periodic review and evaluation, implementation of security measures, and adjustments as network conditions change.

Successful information security management, including the planning, conduct and presentation of risk assessments, requires a focus on the most relevant risks, willingness by management to resource and implement adjustments, and increased awareness of the security controls that mitigate significant risks.

Learning how companies in the private sector and Government agencies operate, through evaluations and studies, provides a wealth of information that security professionals can use to improve their organization's security program and enhance the protection of its assets. The fact that you are reading information from this web site is an example of that. Other sources include studies conducted by the U.S. Government's General Accounting Office (GAO) that review information security management issues, including the risk assessment practices of leading organizations. Both the May 1998 executive guide Information Security Management: Learning From Leading Organizations, GAO/AIMD-98-68, and the November 1999 supplement Information Security Risk Assessment: Practices of Leading Organizations, GAO/AIMD-00-33, are available in PDF format at [link missing] and then the GAO Reports link.

The executive guide echoes the statement of a security manager quoted in it: "Because every control has some cost associated with it, every control needs a business reason to be put in place." Further, the guide identifies the major elements that leading organizations adopted for a successful security program:

Establish a central management focal point for information security management;

Promote security awareness among their employees;

Link policies to business risks; and,

Develop practical risk assessment procedures that link security to business needs.

The primary lessons from this study for security professionals are presented in part two of this presentation.

The risk assessment supplement (GAO/AIMD-00-33) studies four organizations, recommended out of thirty by government and private sector sources, that have strong security programs or actively pursue efforts to improve their risk assessment practices. The four organizations were a multinational oil company, a financial services company, a regulatory organization, and a computer hardware and software company. The study identified common factors among the organizations that successfully improved the efficient and effective implementation of their risk assessment programs and the adoption of appropriate remedial actions. Key aspects identified for program success included:

Senior management support and involvement;

Designation of focal points to oversee the risk assessment process at various levels;

Well-defined and documented procedures;

Involvement of business and technical experts in the risk assessment process;

Management at various levels held responsible for establishing priorities in performing risk assessments and determining acceptable levels of risk;

Risk assessments limited in scope to manageable segments within schedule and performance criteria; and,

Documentation of risk assessment results, with reports maintained as a permanent record to hold management accountable for the decisions made.

The study also reviewed the tools the organizations developed to conduct risk assessments, which were periodically updated as experience accumulated and best practices were identified. These tools included tables, questionnaires and standard report formats, mostly simple aids for carrying out and reporting the analysis.

Organizations participating in the study communicated that implementing "a practical risk assessment process was important to supporting their business activities and provided several benefits." The benefits identified from the study of the four organizations were:

Risk assessment programs within their organizations helped identify and address the greatest risks to their business operations. This initial evaluation of risks permitted them to "develop reasonable steps for preventing or mitigating situations that could interfere with accomplishing the organization's mission."

The programs helped management and employees "better understand risks to business operations; avoid risky practices, …and be alert for suspicious events."

Risk assessments provided a way for them to reach "a consensus on which risks were the greatest and what steps were appropriate for mitigating them." Further, one company official emphasized "that controls selected in this manner were much more likely to be effectively adopted than controls that had been imposed by personnel outside of the business unit."

The program provided an effective way to convey risk assessment findings and recommendations to management, and standardized reports made results more understandable and easier to compare across elements of the organization.

On page ten of the study, Figure 2: Risk Assessment Practices and Related Benefits lays out four crucial elements of the risk assessment process: the critical success factors, the steps of the assessment process, the tools used, and the benefits obtained. The figure's contents are as follows.

Critical Success Factors

Obtain senior management support and involvement

Designate focal points

Define procedures

Involve business and technical experts

Hold business units responsible

Limit scope of individual assessments

Document and maintain results

Risk assessment process steps

Identify threats and likelihood of those threats materializing

Identify and rank critical assets and operations

Estimate potential damage

Identify cost effective mitigating controls

Document assessment findings

Tools

Standard report formats

Software to facilitate documentation and analysis

Lists of threats and controls

Benefits

Assurance that the greatest risks have been identified and addressed

Increased understanding of risks

Mechanism for reaching consensus

Support for needed controls

Means for communicating results
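As an added worked example, not taken from the article or the GAO study, the following Python risk register walks the assessment elements listed earlier (threats and their likelihood, ranked assets, estimated damage, cost-effective controls, documented findings) and the process steps of Figure 2; it applies the guide's rule that a control is only justified when it has a business reason, here taken to mean that the loss it prevents per year exceeds its annual cost. All assets, threats, likelihoods, costs and control effects are constructed values.

```python
from dataclasses import dataclass, field

@dataclass
class Risk:
    asset: str          # critical asset or operation under review
    threat: str         # threat or vulnerability that could affect it
    likelihood: float   # estimated occurrences per year
    impact: float       # loss per occurrence, including recovery/replacement cost
    # candidate controls: (name, annual cost, fraction of the loss it prevents)
    controls: list = field(default_factory=list)

    def annual_loss(self) -> float:
        # Expected annual loss: likelihood times impact (annualized loss expectancy).
        return self.likelihood * self.impact

def select_controls(risk):
    # Keep a control only when the loss it prevents per year exceeds its cost,
    # i.e. it has a business reason; what remains is accepted residual risk.
    chosen, residual = [], risk.annual_loss()
    for name, cost, reduction in sorted(risk.controls, key=lambda c: -c[2]):
        saved = residual * reduction
        if saved > cost:
            chosen.append((name, round(saved - cost, 2)))
            residual -= saved
    return chosen, round(residual, 2)

def assess(register):
    # Rank risks by expected annual loss, then document the findings per risk.
    findings = []
    for r in sorted(register, key=Risk.annual_loss, reverse=True):
        chosen, residual = select_controls(r)
        findings.append({"asset": r.asset, "threat": r.threat,
                         "annual_loss": round(r.annual_loss(), 2),
                         "controls": chosen, "residual_loss": residual})
    return findings

# Constructed sample register; figures are illustrative, not from the study.
REGISTER = [
    Risk("customer database", "disclosure to unauthorized parties", 0.2, 500_000,
         [("encrypt at rest", 20_000, 0.6), ("DLP appliance", 150_000, 0.3)]),
    Risk("order system", "outage from hardware failure", 1.0, 40_000,
         [("redundant server", 15_000, 0.8)]),
    Risk("lobby kiosk", "vandalism", 0.5, 2_000, [("security guard", 30_000, 0.9)]),
]

if __name__ == "__main__":
    for finding in assess(REGISTER):
        print(finding)
```

The output shows the kiosk risk accepted without a control (a guard would cost thirty times the expected loss) and the DLP appliance rejected once encryption has already cut the database risk, which is the cost-benefit reasoning the guide's quoted security manager describes.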

Notable aspects of each case study include additional features that improve an organizational security program and the conduct of risk assessments. These aspects include:

Risk assessments identified as a key component for addressing security and safety concerns for conducting business by an organization;

Risk assessments consisted of planning and preparation, assessment activities, report development, and developing an action plan as part of the response to risk assessment recommendations;

Identifying individuals knowledgeable about the business operations and assets for interviews and coordination of the risk assessment;

Interview questions covered "many areas of information security, including information classification; information storage; handling, destruction, and disposal; access controls; and transmittal of mail, data, fax, video and voice";

The primary function of risk assessment activities by the evaluation team involved the collection and analysis of data on threats, potential vulnerabilities and recommending corrective actions that reduce or mitigate risks. Consideration was given to "disclosure of information to unauthorized individuals and organizations, loss of information and inability to access company information due to computer malfunction or loss of communications";

Managers had to document appropriate justification and alternative solutions for reducing risks concerning decisions not to implement recommendations from the risk assessment involving high risk findings;

Recognition that the fundamental risk assessment process aimed to "balance security requirements with other factors associated with doing business". Acceptance of some risks when doing business was understood by management;

Security requirements for the organization were organized under the control elements of "authentication, access control, environmental integrity, information integrity, confidentiality, availability, audit, non-repudiation, and administration", recognized as either mandatory or operational requirements;

Action plans to implement recommendations for reducing or mitigating risks included the "steps to be taken, the time frame for completion, and the responsible groups" for implementing them;

"The objective of the risk assessment is to determine the level of risk associated with a business function or process…to determine the applicable security controls." Comparing controls that are appropriate with those already in place "to identify and address gaps";

Categories within risk assessments included potential vulnerabilities, types of damage and possible consequences;

Managers responsible for addressing the findings of risk assessments had such responsibilities documented within their written performance evaluation criteria;

Under possible consequences, the organization "defined potential damage as including fraud, operational outage, embezzlement, extortion, theft of intellectual properties, regulatory violations, or diminishment of the organization's image";

Analysis within the risk assessment process included evaluation on the strength levels for security training among employees; and,

A uniform format of risk assessment reports throughout the organization to ensure better understanding of findings through standardized report formats, "established audit and measurement procedures to ensure the effectiveness of actions taken" and instituting common methods for monitoring compliance of the security program.

In the next segment we will study the security management practices identified in organizations that have successful security programs. This study is aimed at outlining ways for security professionals to strengthen their organizations' security programs and to inform business executives of proven methods that enhance security without questionable expenditure of resources.

Source - SecurityPortal
