The book Security Risk Management: Building an Information Security Risk Management Program from the Ground Up by Evan Wheeler provides fundamentals and practical techniques for creating an IT security risk assessment and management program. According to Wheeler, security professionals often fall into the trap of telling the business (or client) they need to fix something, without being able to explain why. This book seeks to articulate risk exposures in business terms. It offers techniques for how to perform risk assessments for new IT projects, efficiently manage daily risk activities, qualify the current risk level and produce a security risk assessment report for your clients.
The following excerpt comes from Chapter 10: Risk Assessment Techniques (pdf). You may also download Appendix A: A Sample Security Risk Profile (pdf) from the book.
Baseline Reviews
In terms of operational risk assessments, another important focus is Certification and Accreditation (C&A). For many business professionals, these terms may not be meaningful, but don’t worry: as with the term information assurance, you will most often see these terms in the context of the US federal government. Although the terminology isn’t popular in private industry yet, the function actually is already in use. On the most basic level, C&A tasks require establishing a security baseline for each system in the environment, ensuring any new deployments are compliant with the baseline, monitoring the configuration of the system over time to be sure it doesn’t deviate from the baseline, and documenting any areas where the system can’t comply with the baseline. In essence, a C&A process is meant to formalize the standard for configuring a system securely and to force an explicit review of those controls and an authorization decision to allow the system to operate in an environment.
Certification and accreditation are really both subsets of an overall information security risk management program. Risk management is the overall program for identifying weaknesses, threats to those weaknesses, and assessing the impact to the organization that might result from an exploitation of those weaknesses. Certification is the process of evaluating whether the system/application meets the minimum standards that have been established, and accreditation is the management decision process to determine if any deviations from standards are acceptable. When you think about this in basic terms, it essentially equates to a business risk assessment followed by a risk decision. In the US federal government, there are very explicit job roles and positions involved in this process; however, most corporations use a combination of the resource owner or operator and a representative from the security team to negotiate these details.
There are many activities required to make a C&A process run smoothly, and many of these tasks will be performed by the resource administrators or operations teams, with oversight from the Information Security team. As part of the change management process, the post-implementation steps of updating documentation such as network diagrams, server build documents, software hash libraries, standard build images, and so on should be performed. A good practice is to create a hash library of known good software in the environment; that way, when there is an investigation of a system compromise, you can easily identify software and configuration files that have not been tampered with because they match the unique hash you created in advance.
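The hash-library practice described above, as an added example that is not from the book: a baseline of SHA-256 hashes is built over a file tree (here a constructed temporary directory standing in for a system build), stored as JSON, and later compared against the live files to separate what still matches the known-good baseline from what was modified, removed or added.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record the SHA-256 of every regular file under root, keyed by POSIX-style relative path."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Classify the current tree against a stored baseline.

    'unchanged' files match the known-good hash and can be trusted during an investigation;
    the other three buckets are where the analysis effort should go.
    """
    current = build_baseline(root)
    return {
        "unchanged": sorted(k for k in baseline if current.get(k) == baseline[k]),
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "new": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny 'system', then simulate drift after deployment."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "sshd").write_bytes(b"known-good sshd binary (constructed)")
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "old_tool").write_bytes(b"retired utility (constructed)")
        stored = json.dumps(build_baseline(root), indent=2)  # keep this copy off the host
        # Changes made after the baseline was taken (constructed)
        (root / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "old_tool").unlink()
        (root / "bin" / "unexpected").write_bytes(b"file not in the build (constructed)")
        return compare_to_baseline(root, json.loads(stored))
```

Storing the baseline somewhere the monitored host cannot write to is what makes the "unchanged" bucket meaningful; a baseline kept on the same system can be rewritten along with the files it describes.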
Reprinted with permission from Elsevier Inc. Copyright 2011. "Security Risk Management" by Evan Wheeler. For more information about this title and similar books, please visit the book’s page on the Syngress web site.
This was first published in July 2011