The book Security Risk Management: Building an Information Security Risk Management Program from the Ground Up by Evan Wheeler provides fundamentals and practical techniques for creating an IT security risk assessment and management program. According to Wheeler, security professionals often fall into the trap of telling the business (or client) they need to fix something, without being able to explain why. This book seeks to articulate risk exposures in business terms. It offers techniques for how to perform risk assessments for new IT projects, efficiently manage daily risk activities, qualify the current risk level and produce a security risk assessment report for your clients.
In terms of operational risk assessments, another important focus is Certification and Accreditation (C&A). For many business professionals, these terms may not be meaningful, but don’t worry: like with the term information assurance, you will most often see these terms in the context of the US federal government. Although the terminology isn’t popular in private industry yet, the function actually is already in use. On the most basic level C&A tasks require establishing a security baseline for each system in the environment, ensuring any new deployments are compliant with the baseline, monitoring the configuration of the system over time to be sure it doesn’t deviate from the baseline, and documenting any areas where the system can’t comply with the baseline. In essence, a C&A process is meant to formalize the standard for configuring a system securely and force an explicit review of those controls and authorization decision to allow it to operate in an environment.
A good practice is to create a hash library of known good software in the environment.
Certification and accreditation are really both subsets of an overall information security risk management program. Risk management is the overall program for identifying weaknesses, threats to those weaknesses, and assessing the impact to the organization that might result from an exploitation of those weaknesses. Certification is the process of evaluating whether the system/application meets the minimum standards that have been established, and accreditation is the management decision process to determine if any deviations from standards are acceptable. When you think about this in basic terms, it essentially equates to a business risk assessment followed by a risk decision. In the US federal government, there are very explicit job roles and positions involved in this process; however, most corporations use a combination of the resource owner or operator and a representative from the security team to negotiate these details.
There are many activities required to make a C&A process run smoothly, and many of these tasks will be performed by the resource administrators or operations teams, with oversight from the Information Security team. As part of the change management process, the post-implementation steps of updating documentation such as network diagrams, server build documents, software hash libraries, standard build images, and so on should be performed. A good practice is to create a hash library of known good software in the environment; that way, when there is an investigation of a system compromise, you can easily identify software and configuration files that have not been tampered with because they match the unique hash you created in advance.
Reprinted with permission from Elsevier Inc. Copyright 2011. "Security Risk Management" by Evan Wheeler. For more information about this title and similar books, please visit the book’s page on the Syngress web site.