
Conducting a Threat Risk Assessment to Protect your Information Assets

An organization has many assets that must be properly managed; these include people, money, infrastructure, and information. The threat risk assessment (TRA) process, detailed in this article, can be used to determine risk for any of these assets but was primarily developed for information security.

What are we trying to accomplish with a TRA?

Basically, we want to ensure that our information assets are secured enough, i.e. not too little and not too much. The security objectives that we have to meet are:

confidentiality: the protection of information from unauthorized disclosure; confidentiality is lost if unauthorized individuals have access to the information;

integrity: the protection of information from improper modification; integrity is lost if unauthorized changes are made to the information by either intentional or accidental acts;

availability: the protection of information from destruction or denial-of-service; availability is lost if authorized users cannot access the information when required;

acceptable use: information is to be used for business purposes only; inappropriate use refers to the use of assets, by authorized personnel, for purposes that could cause harm to the company; the harm could include the loss of confidentiality, integrity, or availability, as mentioned above, or the loss of competitive advantage.

Remember the CIA triad with acceptable use.

The recommended security controls that can be used to meet the security objectives are:

administrative: i.e. management or people controls: security policies, administrative directives, organizational structures, responsibilities, and operational procedures (these are also referred to as procedural safeguards);

physical: building and environmental security along with supervision and/or periodic checking (receptionists, guards, continual staffing);

logical: technical safeguards including computer hardware, software, or firmware (e.g. access control mechanisms, identification and authentication mechanisms, encryption methods, and intrusion detection software).

Remember the acronym APL (this is also the name of a programming language).

The administrative controls help define changes to process and procedure. The physical controls drive your facility needs. The logical controls help feed the IT security plan.

But what is Risk?

If there are no threats or no vulnerabilities then you don't have any risks. If there isn't a threat agent to effect the threat then you don't have any risks. If current safeguards are sufficient to protect the vulnerabilities then you don't have any risks.

Risk is a function of the likelihood of a given threat agent exercising a potential vulnerability, and of the resulting impact of that adverse event on the company. To determine the likelihood of a future adverse event, threats to an information asset must be analyzed in conjunction with the potential vulnerabilities and the safeguards currently in place to protect the information. Impact refers to the magnitude of harm that could be caused by a threat's exercise of a vulnerability. The level of impact is governed by the potential impact to the corporate mission and in turn produces a relative value for the information assets and resources affected (i.e. the sensitivity and criticality of the information assets).

The Steps to follow for a TRA

The threat risk assessment methodology encompasses nine primary steps:

Step 1: Information Characterization

Step 2: Threat Identification

Step 3: Vulnerability Identification

Step 4: Safeguard Analysis

Step 5: Likelihood Determination

Step 6: Impact Analysis

Step 7: Risk Determination

Step 8: Safeguard Recommendation

Step 9: Results Documentation

Each step has various inputs and outputs and, of course, a process to follow. The old IPO charts may come to mind: Input Process Output.

The first and primary step is to create an inventory of all information assets and profile them to determine their sensitivity and criticality. You can define your information using an Information Asset Profile (IAP); see my other article on "Profiling your Information". The IAP defines the information owners, users, proper use, and value to the organization.

You then conduct a threat assessment that creates lists of the threats, vulnerabilities, likelihood of occurrence, and potential impact. Some threat terms that may help you with this are:

Threat Agent: either "intent", an action by a person, or "situation", an "act of God".

Threat Types: either "deliberate" (passive, i.e. monitoring, which is the easiest to accomplish; or active, i.e. modifying) or "accidental" (incompetence and lack of awareness).

Fundamental Threats:

Information leakage: loss of Confidentiality,

Information modification: loss of Integrity,

Information destruction: loss of Availability,

Denial of Service (DoS): loss of Availability,

Inappropriate use: violates the legitimate use policy.

Once you've created the risk statement based on the threat assessment you can define the recommended security controls as follows:

Preventive: attempt to avoid the occurrence of unwanted events (inhibit attempts to violate information security).

Detective: attempt to identify unwanted events after they have occurred (warn of violations or attempted violations).

Deterrent: attempt to discourage threat agents from violating information security.

Corrective: attempt to remedy the circumstances that allowed the event, or return conditions to what they were.

Recovery: attempt to restore lost resources or capabilities and help recover monetary losses.

Containment: attempt to limit the impact (injury or loss).
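The following is an added worked example (not part of the original article or of the MASE Consulting guideline) that strings together the risk definition given under "But what is Risk?" and the nine TRA steps above into a small model: an Information Asset Profile supplies sensitivity and criticality (step 1), each threat is tagged with its fundamental threat type and agent (step 2), the vulnerability it would exercise (step 3) and the safeguards already in place with their APL class and control type (step 4); likelihood, impact and risk are then derived (steps 5 to 7), a safeguard is recommended where residual risk exceeds tolerance (step 8) and a results record is produced (step 9). The rating scales, the rule that each effective safeguard lowers likelihood one level, the recommendation table and the sample inventory are all constructed assumptions for illustration; a real TRA uses the organization's own scales.

```python
"""Toy threat risk assessment (TRA) model. Added example, not from the article;
all scales, weights, sample assets and sample threats are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Optional

# Step 1: information characterization, i.e. the Information Asset Profile (IAP).
@dataclass
class InfoAsset:
    name: str
    owner: str
    sensitivity: int  # 1 public .. 3 highly sensitive; drives confidentiality impact
    criticality: int  # 1 low .. 3 mission critical; drives integrity/availability impact

# Steps 2-4: a threat, the vulnerability it would exercise, and current safeguards.
@dataclass
class Safeguard:
    name: str
    control_class: str  # administrative / physical / logical (APL)
    control_type: str   # preventive / detective / deterrent / corrective / recovery / containment
    effective: bool     # step 4 finding: does it actually protect the vulnerability?

@dataclass
class Threat:
    asset: str
    description: str
    fundamental: str              # leakage / modification / destruction / dos / inappropriate_use
    threat_type: str              # deliberate-passive / deliberate-active / accidental
    agent: Optional[str]          # None: no threat agent exists to effect the threat
    base_likelihood: int          # 1 low .. 3 high, before counting safeguards
    vulnerability: Optional[str]  # None: no vulnerability is present
    safeguards: list = field(default_factory=list)

# Fundamental threat -> the security objective it violates (the article's list).
OBJECTIVE = {"leakage": "confidentiality", "modification": "integrity",
             "destruction": "availability", "dos": "availability",
             "inappropriate_use": "acceptable use"}

# Step 5: likelihood. Assumed rule: each effective safeguard lowers the base
# likelihood by one level; no vulnerability or no agent means no risk at all.
def likelihood(t: Threat) -> int:
    if t.vulnerability is None or t.agent is None:
        return 0
    effective = sum(1 for s in t.safeguards if s.effective)
    return max(0, t.base_likelihood - effective)

# Step 6: impact comes from the IAP: sensitivity for confidentiality,
# criticality for integrity/availability, the larger of the two for misuse.
def impact(t: Threat, a: InfoAsset) -> int:
    objective = OBJECTIVE[t.fundamental]
    if objective == "confidentiality":
        return a.sensitivity
    if objective == "acceptable use":
        return max(a.sensitivity, a.criticality)
    return a.criticality

# Step 7: risk as a function of likelihood and impact (assumed 3x3 matrix).
def risk_rating(lik: int, imp: int) -> str:
    if lik == 0:
        return "none"
    score = lik * imp
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Step 8: safeguard recommendation. Assumed mapping from the objective at risk
# to a control, its APL class and its control type.
RECOMMENDED = {
    "confidentiality": ("encrypt data at rest", "logical", "preventive"),
    "integrity": ("change control with peer review", "administrative", "preventive"),
    "availability": ("tested backup and restore", "logical", "recovery"),
    "acceptable use": ("acceptable use policy and awareness training", "administrative", "deterrent"),
}

# Step 9: results documentation: one record per threat, with a recommendation
# wherever residual risk exceeds the organization's tolerance.
def assess(assets: list, threats: list, tolerance: str = "low") -> list:
    by_name = {a.name: a for a in assets}
    report = []
    for t in threats:
        a = by_name[t.asset]
        lik, imp = likelihood(t), impact(t, a)
        rating = risk_rating(lik, imp)
        rec = RECOMMENDED[OBJECTIVE[t.fundamental]] if LEVELS[rating] > LEVELS[tolerance] else None
        report.append({"asset": a.name, "threat": t.description, "threat_type": t.threat_type,
                       "objective": OBJECTIVE[t.fundamental], "likelihood": lik,
                       "impact": imp, "risk": rating, "recommendation": rec})
    return report

# Constructed sample inventory and threat list (not real data).
SAMPLE_ASSETS = [InfoAsset("customer database", "sales director", sensitivity=3, criticality=3),
                 InfoAsset("marketing brochure", "marketing lead", sensitivity=1, criticality=1)]
SAMPLE_THREATS = [
    Threat("customer database", "backup tape stolen from off-site storage", "leakage",
           "deliberate-passive", agent="thief", base_likelihood=2, vulnerability="tapes unencrypted",
           safeguards=[Safeguard("locked cabinet", "physical", "preventive", effective=False)]),
    Threat("customer database", "disk failure destroys records", "destruction", "accidental",
           agent="hardware fault", base_likelihood=2, vulnerability="single disk, no RAID",
           safeguards=[Safeguard("nightly backup", "logical", "recovery", effective=True),
                       Safeguard("RAID mirror", "logical", "preventive", effective=True)]),
    Threat("marketing brochure", "brochure web page defaced", "modification",
           "deliberate-active", agent="vandal", base_likelihood=3, vulnerability="weak CMS password"),
    Threat("marketing brochure", "public brochure disclosed", "leakage", "deliberate-passive",
           agent=None, base_likelihood=1, vulnerability="public web server"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_ASSETS, SAMPLE_THREATS):
        print(row)
```

Running the module prints one record per threat. The stolen-tape threat rates high (likelihood 2 against a sensitivity-3 asset, the locked cabinet having been judged ineffective) and gets a logical preventive recommendation; the disk-failure threat rates none because two effective safeguards bring its likelihood to zero; the defacement rates medium because the brochure's low criticality caps the impact; and the last entry rates none because no threat agent exists to effect it, which is exactly the "no agent, no risk" rule from the article.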

A TRA isn't a one time activity.

The process of assessing risks and selecting safeguards may need to be performed a number of times to cover different parts of the company or individual information locations or media. It is important to carry out periodic reviews of security risks and implemented safeguards to:

a) take account of changes to business requirements and priorities;

b) consider new threats and vulnerabilities;

c) confirm that safeguards remain effective and appropriate.

The TRA is considered to be a vital, living document, which is essential to meeting the security objectives of your organization. The TRA must be updated at least annually, or whenever an occurrence reveals a deficiency in the existing assessment. The TRA should also be updated whenever changes are planned to the systems or environments in which the information asset exists, which could create new risks or redundant safeguards.


Changes in the threat profile will also have a potential impact on the TRA. For example, when threat agent motivation diminishes or the effort expended by the threat agent decreases, the threat from that source may be reduced. Since changes in the threat profile do not always follow a cyclical pattern, management must stay in touch with the current threat levels and update the TRA accordingly.

For a complete guideline on conducting a Threat Risk Assessment visit the MASE Consulting web site: Threat Risk Assessment Guideline


By: Donald Johnston