Eddie Amos

Would You Like to Buy Some Oceanfront Property in West Virginia?

I had a fascinating conversation with a gentleman on an airplane ride back from a recent Hackathon.  The topic was security and what steps an organization should go through in order to secure their environment.  I was horrified that this individual felt that they could secure their environment without understanding the various threats that the organization may face or without doing a proper risk assessment.

The prevailing thought was to simply buy a firewall and somehow a miracle would just happen and their enterprise would simply be secure.  I think this individual may have subscribed to someone’s marchitecture without taking the time to understand what is required to put a security program in place.  So I decided to write down a couple of thoughts on the topic based on research that I’m doing for another project.

Break the Problem Down Into Smaller Pieces

Before implementing a Security Management Plan, one must take time to understand the scope and the various systems and activities that will be considered as part of the planning process.  This will help identify the parameters and components that are in or out-of-scope for the particular plan.   This level of due diligence is necessary because a Security Assessment can be as broad as the entire organization or as narrow as certain procedures or automated task.  Taking the time to understand the parameters up-front will provide the Assessment Team with the scope they need to complete the Security Management Plan in a methodical and logical manner.

Why is this important?  There is risk associated with most digital and non-digital assets in an organization today.  It is unlikely that an organization needs to or can afford to secure every device or system that they manage.  Some components may require extensive controls to be put in place while others may simply be designated as out-of-scope or fit within an acceptable risk profile.   An organization should understand how to protect any component(s) that drives the business or mission. This is usually driven by numerous factors such as government regulations, the protection of Intellectual Property or simply standard operating procedures for a company to remain a legitimate going concern.

Who Owns The Security Function?

Many individuals view Risk Management as simply a function carried out and maintained by the Information Technology (IT) group.  Risk Management is much broader than IT and should have the attention and support from senior management to individual line workers as an on going concern in the organization.  This means clear communications of the Security Management Plan and designated owners for each component that has been identified in the plan.  It’s important to create a culture where Security Management and Threat Management is viewed in the same light as financial controls and operational excellence.  Building a culture that appreciates the importance of the discipline will help in the enforcement of the plan and identify new potential risk that may occur overtime.

Following this approach will help an organization determine the level of security needed and the cost associated with securing an asset.  During the Risk Assessment phase, some items may be deemed to have an acceptable risk profile and no new security controls are needed while others may require extensive controls to be put in place to protect the asset.  Factors that should be reviewed include a consideration of the organizations business model, specific legal, statutory, regulatory or contractual requirements that may govern the business or requirements dedicated by the organization for the processing of information.

Once an organization understands the factors that are influencing the risk, they will be in a better position to identify, prioritize and estimate the associated adverse consequences that may occur. This includes determining the severity of the situation and if appropriate controls are needed to mitigate or contain the risk in an acceptable manner.  Creating and then implementing a Security Management Plan should give an organization better optics into their threat exposure level and allow them to create various mitigation scenarios for the assets deemed to be in scope for the risk plan.

Identifying Threats In My Organization

Understanding and embracing the need to have a complete Security Management Plan is the first step of the journey.   Obtaining organizational buy-in and commitment is a critical part of this task.  Many organizations are required by law to conduct risk assessments in order to have a better understanding of possible risk and the necessary controls needed to satisfy government regulations (Landoll 2006).

Once commitment is identified and communicated to the organization, a Risk Analysis should be conducted.  A Risk Analysis is a technique to identify and assess factors that may jeopardize the success of a project or the ability of the organization to achieve a goal.  The Risk Analysis will help define preventative measures to reduce the probability of these factors from occurring and identify various countermeasures to successfully deal with the constraints if they develop (Hamdi and Boudriga 2005).

There are numerous publicly available documents and frameworks that provide organizations with the steps necessary to perform a thorough risk assessment. These documents and frameworks help organizations identify, prioritize and then estimate risk and the associated adverse consequences that may occur without addressing the noted concern(s).

NIST Publication 800-30 section 3.1.2 provides a good overview of the various information-gathering techniques that may be used to gain a better understanding of the components in their organization and the data that should be reviewed within the defined operational boundaries. These techniques involve interviews, questionnaires, document reviews and the use of automated scanning tools that are particularly useful in identifying potential problems with various network resources.

Various quantitative and qualitative tools are also available to assist an organization in understanding not only what is happening but also why a particular problem is occurring. Using these tools and techniques will give an organization a better view of their system characteristics so they can start examining the various components that will be addressed in their plan.  Once this level of data has been uncovered, threat identification and the source of the problem can be evaluated to determine possible risk and the controls needed to secure a particular asset.

What is the Relationship between a Threat and Risk?

So far we have discussed risk but what is risk and how is it associated with a threat?  A risk is a known or unknown factor that may jeopardize the success of a project or the ability of an organization to achieve a goal.  When an organization performs a risk analysis, they are using techniques that will help them identify and define preventative measures to reduce the probability of these factors from occurring using various controls or countermeasures (Landoll 2006).  This process helps an organization gain a better understanding of potential problems in their physical and non-physical infrastructure.

A threat on the other hand is the potential for a particular risk to be exploited.  This can be malicious or purely accidental in nature.  This means that it is important for an organization to consider many factors when conducting a risk assessment and not assume that all problems will occur solely from questionable individuals attempting to manipulate the organization.   Threats can be environmental in nature or come from a disgruntled employee, hacker, anarchist or cyber-terrorist attempting to gain access to, steal, destroy or manipulate assets.  By having a good understanding of your assets and their associated risk, one can help an organization determine the various controls needed to mitigate threats from various internal and external entities.

Leveraging Existing Guidance

Publications like ISO/IEC 27002 and NIST Publication 800-30 go one step further to remind organizations that a threat-source does not necessarily present a risk when there is no vulnerability that can be exploited (ISO/IEC 2005).  This is a very broad statement meaning that not every component is at risk but one should ensure that the proper due diligence is conducted on any assets deemed to be mission or business critical.  While something may not be vulnerable today, we live in a very dynamic and quickly changing world.  Before one can make a determination in regards to an organization’s assets, it’s critical to start by understanding the environment to get executive buy-in, conduct the necessary research to identify components that may be at risk and then determine the controls necessary to isolate the situation.

Finally remember that a Security Management Plan is a living document.  Periodic updates and assessment should be conducted to ensure the plan remains in a high state of readiness.   Next week I’ll provide a couple of thoughts of Security Administration.

References

Hamdi, M. and N. Boudriga (2005). Computer and network security risk management: theory,     challenges, and countermeasures.  International Journal of Communication Systems 18(8): 30.

ISO/IEC (2005). Information technology : Security techniques : Code of practice for information security management. Geneva, ISO.

Landoll, D. J. (2006). The Security Risk Handbook: A Complete Guide for Performing Security Risk Assessments. Boca Raton, FL, Taylor & Francis Group.