Book chapter: IT security risk assessment and program management

SearchSecurityChannel.com Staff

The book Security Risk Management: Building an Information Security Risk Management Program from the Ground Up by Evan Wheeler provides fundamentals and practical techniques for creating an IT security risk assessment

    Requires Free Membership to View

and management program. According to Wheeler, security professionals often fall into the trap of telling the business (or client) they need to fix something, without being able to explain why. This book seeks to articulate risk exposures in business terms. It offers techniques for how to perform risk assessments for new IT projects, efficiently manage daily risk activities, qualify the current risk level and produce a security risk assessment report for your clients.

The following excerpt comes from Chapter 10: Risk Assessment Techniques (pdf). You may also download Appendix A: A Sample Security Risk Profile (pdf) from the book.  

Baseline Reviews
In terms of operational risk assessments, another important focus is Certification and Accreditation (C&A). For many business professionals, these terms may not be meaningful, but don’t worry: like with the term information assurance, you will most often see these terms in the context of the US federal government. Although the terminology isn’t popular in private industry yet, the function actually is already in use. On the most basic level C&A tasks require establishing a security baseline for each system in the environment, ensuring any new deployments are compliant with the baseline, monitoring the configuration of the system over time to be sure it doesn’t deviate from the baseline, and documenting any areas where the system can’t comply with the baseline. In essence, a C&A process is meant to formalize the standard for configuring a system securely and force an explicit review of those controls and authorization decision to allow it to operate in an environment. 

A good practice is to create a hash library of known good software in the environment.

Evan Wheeler

Certification and accreditation are really both subsets of an overall information security risk management program. Risk management is the overall program for identifying weaknesses, threats to those weaknesses, and assessing the impact to the organization that might result from an exploitation of those weaknesses. Certification is the process of evaluating whether the system/application meets the minimum standards that have been established, and accreditation is the management decision process to determine if any deviations from standards are acceptable. When you think about this in basic terms, it essentially equates to a business risk assessment followed by a risk decision. In the US federal government, there are very explicit job roles and positions involved in this process; however, most corporations use a combination of the resource owner or operator and a representative from the security team to negotiate these details.

There are many activities required to make a C&A process run smoothly, and many of these tasks will be performed by the resource administrators or operations teams, with oversight from the Information Security team. As part of the change management process, the post-implementation steps of updating documentation such as network diagrams, server build documents, software hash libraries, standard build images, and so on should be performed. A good practice is to create a hash library of known good software in the environment; that way, when there is an investigation of a system compromise, you can easily identify software and configuration files that have not been tampered with because they match the unique hash you created in advance.

Download the entire chapter.  Download the appendix.

Reprinted with permission from Elsevier Inc. Copyright 2011. "Security Risk Management" by Evan Wheeler. For more information about this title and similar books, please visit the book’s page on the Syngress web site.

This was first published in July 2011

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.