Posted on May 10, 2013 by traceadmin
Patrick Fussell, Information Security Analyst
In this series, we will explore some of the fundamental components of the NIST 800 Series risk assessment framework and how this methodology deviates from other common risk assessment practices to create a more effective assessment process.
Risk Assessments are an integral part of an organization’s information security program and allow management to decide where effort should be applied to eliminate or reduce risk to information assets. A common approach to risk assessments is to evaluate assets, threats, and controls of your information assets. Then you characterize the risks to help make strategic decisions. This approach broadly gives insight into the areas of highest risk or control effectiveness for each asset.
In our experience, one of the biggest traps is a risk assessment that has too much detail too soon. When an organization first begins to implement an information security program, a risk assessment that is too granular has limited value. Management trying to use it strategically can’t see the forest for the trees and decisions will not come from a holistic or strategic perspective.
Trying to strike a balance between a comprehensive approach and one that’s succinct enough to produce meaningful results is one piece of the risk assessment puzzle that makes effective risk assessments a challenge. To obtain a clear understanding of the risk to a system, it’s helpful to understand how assets relate to the organization and how they’re managed.
Let’s consider an example of an asset class that plays a significant role in an organization, such as servers. “Servers” could mean anything. One could think of individual systems or whole classes of systems. Before deciding how your risk assessment will represent them, you must understand from a high level exactly what considerations are relevant to this infrastructure. If just one small group of servers is affected by a control gap, we want to be able to represent the localized nature of the issue. On the other hand, if we treat every server on its own in the risk assessment, we’ll get lost in a sea of analysis that is useless because of its sheer volume. This tension has far-reaching implications in how the risk, threat, and control relationships can be expressed.
To approach this in the most effective way possible, the NIST framework suggests that we approach the risk assessment from the highest possible level and move progressively, over time, to a more detailed view. This “multi-tiered” approach—where risk is viewed from three distinct levels: the organizational level, the mission/business process level, and the information system level—enables us to present risks at different levels of granularity. Starting at the organization level, management can appropriately provide a context for high-level risk management activities carried out by an organization. As the organization matures, probing deeper to more detailed and granular levels, the picture will be refined to improve risk mitigation strategies.
This means that the first step is not to get lost in the details. Look at your organization in the broadest sense first. Identify risks that apply everywhere and controls that mitigate risk everywhere. Your first risk assessment doesn’t need to consider ports, protocols, IP addresses, etc. If you perform your risk assessment in layers from the top down, you make incremental progress toward a more effective strategy. Once you ensure that the farthest-reaching and most important controls are in place (policies, programs, frameworks, committees, oversight, monitoring, etc.), your organization is then mature enough to move to the “next level” and get more granular in your risk analysis.
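The following Python script is an added example, not code from the original post or from NIST; it models the three-tier view described above on a small constructed asset inventory. The asset names, the grouping into system groups and business processes, and the 1-5 gap severity scale are all assumptions made for the illustration. It shows how the same control gaps read at the organization level (which gaps apply everywhere and should be fixed first), at the business-process level, and at the system-group level (which gaps are localized to one group of servers).

```python
"""Tiered roll-up of control gaps across organization, process and system levels.

Constructed example: the inventory below and the 1-5 severity scale are
assumptions for illustration, not part of NIST SP 800-30 or the original post.
"""
from collections import defaultdict

# Constructed inventory. Each asset belongs to a system group (tier 3) and
# supports a business process (tier 2); the whole organization is tier 1.
# "gaps" maps a control identifier to a severity on the assumed 1-5 scale.
ASSETS = [
    {"name": "web-01", "group": "web-servers", "process": "online-sales",
     "gaps": {"patching": 3, "acceptable-use-policy": 2}},
    {"name": "web-02", "group": "web-servers", "process": "online-sales",
     "gaps": {"patching": 3, "acceptable-use-policy": 2}},
    {"name": "db-01", "group": "db-servers", "process": "online-sales",
     "gaps": {"backup-testing": 4, "acceptable-use-policy": 2}},
    {"name": "hr-app-01", "group": "hr-servers", "process": "payroll",
     "gaps": {"acceptable-use-policy": 2}},
    {"name": "fileshare-01", "group": "file-servers", "process": "payroll",
     "gaps": {"acceptable-use-policy": 2}},
]

# How an asset is bucketed at each tier of the multi-tiered view.
TIER_KEYS = {
    1: lambda a: "organization",   # one bucket for the whole organization
    2: lambda a: a["process"],     # mission/business process
    3: lambda a: a["group"],       # information system group
}


def roll_up(assets, tier):
    """Summarize control gaps at the requested tier.

    Returns {bucket: {"worst": max severity seen, "affected": assets with any gap,
    "total": assets in the bucket, "gaps": {control: max severity}}}.
    """
    key = TIER_KEYS[tier]
    out = {}
    for a in assets:
        b = out.setdefault(key(a), {"worst": 0, "affected": 0, "total": 0, "gaps": {}})
        b["total"] += 1
        if a["gaps"]:
            b["affected"] += 1
        for ctl, sev in a["gaps"].items():
            b["gaps"][ctl] = max(b["gaps"].get(ctl, 0), sev)
            b["worst"] = max(b["worst"], sev)
    return out


def org_wide_gaps(assets):
    """Controls missing on every asset: tier-1 findings to address first."""
    gap_sets = [set(a["gaps"]) for a in assets]
    return set.intersection(*gap_sets) if gap_sets else set()


def localized_gaps(assets):
    """Controls whose gap appears in exactly one tier-3 group, mapped to that group.

    These are the issues to report against the group rather than the organization,
    so a problem on a handful of servers does not read as an enterprise-wide gap.
    """
    where = defaultdict(set)
    for group, summary in roll_up(assets, 3).items():
        for ctl in summary["gaps"]:
            where[ctl].add(group)
    return {ctl: next(iter(groups)) for ctl, groups in where.items() if len(groups) == 1}


if __name__ == "__main__":
    for tier in (1, 2, 3):
        print(f"tier {tier}:")
        for bucket, summary in roll_up(ASSETS, tier).items():
            print(f"  {bucket}: worst={summary['worst']} "
                  f"affected={summary['affected']}/{summary['total']} gaps={summary['gaps']}")
    print("organization-wide gaps:", org_wide_gaps(ASSETS))
    print("localized gaps:", localized_gaps(ASSETS))
```

Read top down, the tier-1 summary says the whole organization lacks an acceptable-use policy, which is the kind of far-reaching control the post says to close first; only at tier 3 does the patching gap resolve to the web-server group alone, which is the localized finding the post wants to be able to represent without assessing every server individually.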
Future posts in this series will add to this approach, with additional cues from the NIST risk assessment framework and our experience performing risk assessments across our client base.