
Printed: December 18, 2017

Only those documents viewed through the AESOP system are officially controlled. All other copies, whether viewed through another computer program or a printed version, are not controlled and
therefore Generationnext (www.generationnext.in) assumes no responsibility for accuracy of the document.

GENERATIONNEXT

What we do?

www.generationnext.in

This document is the property of www.generationnext.in.



Risk Assessment & Security Roadmap


With the benchmarking data collected from the Security Health Check Snapshot Assessment task, it is time to chart a course. Strategic
planning must focus on relevant, practical, and proportional recommendations. This Risk Assessment and Security Roadmap blog can
enable organizations to:
Establish Coordinates
    Pinpoint your business requirements
    Create your security risk profile
Harmonize
    Integrate regulatory, legal, and policy drivers
    Identify organization stakeholders and seek consensus
Chart your Course
    Develop a security roadmap
    Deliver prioritized action plans

The Need for a Solid Risk Assessment Program


Meeting today's numerous information security regulations is one of the most challenging and complex issues facing corporate IT.
The increased frequency of security incidents, including well-publicized breaches, has resulted in new legislation at both the
federal and state level.
Fundamental to meeting these regulations, including the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and
Accountability Act (HIPAA) and Sarbanes-Oxley are regularly scheduled risk assessments. Each of these regulations holds
organizations accountable for the protection of private information and requires risk assessments as one component of an effective
security program.
Now, more than ever, organizations need a complete understanding of the impact of regulations on their core business and the need for
third party risk assessments to comply with these regulations.
When the risk assessment is harmonized with security policy, the resulting infrastructure is both the most fiscally responsible and the
most secure, because investment is driven from the top with clear strategic justification, prioritization, and timing.
The first step in developing a proactive IT security governance program is the risk assessment. The risk assessment identifies and
prioritizes the risks that networks and information systems pose to the enterprise. Risk assessment is the foundation for developing risk
management strategies within an organization. Organizations should use a practical methodology which identifies the assets that
support business operations, the vulnerabilities of those assets, and the threats to them.
Risk is present at the intersection of:
Assets,
Threats,
Vulnerabilities




Our methodology consists of information gathering to determine the current state, analysis of that information, and the development of a
security roadmap.
Information Gathering
The information gathering process focuses on the three key risk components: assets, vulnerabilities, and threats. The approach is
asset-centric, meaning the risk assessment begins with the identification of assets and the value/criticality of assets that are central to
business operations. Threats which could impact these assets are identified and assessed. Finally, vulnerabilities that may be present
on the asset controls are examined to determine the likelihood of impact.
The information gathering phase typically consists of interviews with business managers and technical staff and a review of
documentation relating to information security and assets (including network topology). Technical vulnerability assessment results can
be used to improve the accuracy of the initial risk assessment, leveraging Common Vulnerabilities and Exposures (CVE) identifiers together with
the Common Vulnerability Scoring System (CVSS).
Asset Identification
The goal of a risk assessment is to identify the risk to critical business operations. The first step in the risk assessment is to identify the
assets that support critical business operations. These assets can include physical and logical assets such as data center systems,
employee computers, network communications devices and channels, remote work areas such as employees' home computers,
customer data, employee data, and intellectual property.
The key critical and sensitive assets that support business areas are identified through documentation review and interviews of
business managers and select technical staff, identifying:
Physical assets and locations
Asset ownership and classification
Network and logical connectivity
Software (OS and application)
Data flow throughout the network
Questions during the interview also focus on how the information technology assets are used by each type of system user:
administrators, customers, employees, etc. This allows a profile to be built of application roles and relationships and of user roles and
relationships. Assets are then ranked based on their value to operations.
On a scale of 1 to 4, asset value is ranked as follows:
1. Catastrophic: catastrophic failure is possible if the asset is destroyed or compromised.
2. Critical: the asset is considered mission critical to business operations.
3. Marginal: the asset marginally affects business operations; some degradation of service is likely if the asset is destroyed or
compromised.
4. Negligible: destruction or compromise of the asset will have a negligible effect on business operations.
Vulnerability Assessment
Threats cannot impact assets unless the assets are vulnerable to the specific threats. Security mitigating controls may be in place,
reducing the likelihood of a threat exploiting a given asset. Understanding the types of vulnerabilities that exist on critical assets is a key
step in the risk assessment.




Comprehensive information security programs require that every asset have protective measures in the areas of:
Protection
Detection
Containment
Eradication
Recovery
Preventative measures reduce the likelihood of exploitation. The ability to detect and respond to incidents allows an organization to
minimize losses in the event of exploitation. Furthermore, effective detection and response provides a deterrent to exploitation attempts.
Vulnerabilities can be identified based upon the degree of protective measures in the areas of prevention, detection, and response. For
each critical asset, identify the status of compensating or mitigating controls in place. A few examples of areas to evaluate include:
Prevention
Security policies and procedures
Network and application architecture
Software version and patch level
Network segmentation and access controls
Authentication/authorization mechanisms
Security awareness program
Detection
Network intrusion detection capabilities
Host intrusion detection capabilities
Incident reporting policy and processes
Response
Incident response program capabilities
Response policies and process
System back-up and recovery capabilities
Vulnerabilities that affect critical assets are discovered through interviews, documentation review, technical analysis, and validation
testing. Vulnerabilities are classified based on their severity. Severity identifies the exposure of an asset:
High: a vulnerability which allows a threat to control or destroy an asset.
Medium: a vulnerability which allows a threat to compromise or access an asset.
Low: a vulnerability which provides a threat with information that could be used to compromise an asset.
For each critical asset identified during the asset identification phase, identified vulnerabilities are noted and classified.
The more accurate the vulnerability assessment, the more accurate the risk assessment will be. The assets and threats that support
and impact business operations tend to change much less frequently than the vulnerability analysis. New vulnerabilities, changes in
technology, and user/administrator introduced issues all contribute to a dynamic vulnerability environment. Areas identified through this
high level vulnerability assessment are candidates for a detailed, technical assessment.
Threat Identification
Threats are individuals, groups, or external events which can impact assets. Threats can take many forms, including people (such as
insiders or Internet users), technology (such as worms or Trojans), and events (such as flood or fire). The project team works with the
enterprise to identify the threats that may impact identified assets. To ensure that all credible threats are considered, maintain a list of
the various threat types.
Our approach to threat identification is based on threat modeling: building scenarios that reflect possible events. Each asset is
analyzed from the perspective of the impact (liability) of the various threat scenarios. Examples of impact produced by threats include:
Direct costs from physical destruction / loss
Direct costs from theft / extortion

Costs to resolve incidents (internal productivity loss, outside resources)
Loss of consumer confidence
Failure to meet regulatory requirements
Failure to meet contractual agreements
Worst case scenarios (catastrophic failures of information systems that result in physical destruction, death, injury, or an
inability to continue operations)
The scenarios listed above can only happen if a threat impacts an asset that has a vulnerability. Even so, understanding how the
threats might impact an enterprise's business is an important step in the process. The output of this stage is a ranking of threats based
on their prevalence. Prevalence is a measure of whether a particular threat has the capability and motivation to impact each
asset.
Rank threats on the following scale:
High: the threat has the capability and motivation to destroy or compromise the asset's function.
Medium: the threat has the capability and motivation to degrade the asset's function.
Low: the threat has minimal capability and motivation to affect the asset.
Capability and motivation are important attributes of a threat. A threat needs both attributes to be credible. For example, consider the
scenario where the threat is an Internet attacker and the asset is an e-commerce server connected to the Internet. The attacker has
motivation in the form of monetary gain and capability in the form of hacking skills. Each identified asset is analyzed against the threats that
have the ability to affect it, and each threat is ranked based on prevalence.
The results of threat modeling are recorded. The asset and threat information collected thus far provides possible impacts to the
business. However, the likelihood of these impacts cannot be determined without the final component of the risk assessment, which is
the vulnerability assessment.
Analysis
The result of the information gathering phase is a collection of data which represents the assets critical to business operations, the
threats that may impact those assets, and the vulnerabilities resident on those assets. Risk is present only where critical assets, credible
threats, and existing vulnerabilities coincide.
As the goal of the risk assessment is to identify and prioritize risk to guide the formulation of security strategies, focus on a qualitative
risk assessment rather than attempting to assign monetary values to potential losses. It is more practical to use this approach because
of the limited data available on likelihood and costs and the difficulty in accounting for liability such as the loss of consumer confidence.
Through a strategic approach to Risk Assessment, this process enables organizations to optimize their security investments and
proactively protect their most important information assets from potential threats. When you protect the right assets from the right
threats with the right measures, you maximize your security ROI.

Chart your Course with a Security Roadmap


With the initial coordinates established, develop your security roadmap. After ascertaining the risk within the environment, the next step is to
develop strategies to manage that risk. Risk exists due to the convergence of assets, threats, and vulnerabilities, and accordingly
mitigating controls which reduce one or all of these factors will reduce the overall risk to the organization. Focus on strategies that
maximize return on security investment (ROSI): strategies that result in the maximum reduction in risk for the minimum security
investment.
The security roadmap clearly represents the risks faced by the organization, and risk management strategies that can be employed to
reduce those risks. Risk management strategies fall into four categories:
Risk Mitigation: today's security risk management is primarily mitigation, reducing exposure through security
countermeasures (people, process, and technology).
Risk Transfer: risk is transferred (contractually) to a third party, e.g., an outsourcing or insurance provider.
Risk Avoidance: risk is avoided, for example by eliminating an existing online or network capability.
Risk Acceptance: risk is accepted. Certain risk is cheaper to accept than to fix. There is a point of diminishing returns with
security spending versus return.
Risk mitigation remains the most common security risk management strategy because much of the risk associated with security cannot
be transferred or avoided; it must be reduced. Strategies are prioritized based on the amount of risk reduction they produce and their
relative cost. The results are documented in the security roadmap action plan.
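The following is an added worked example, not code from generationnext.in, that carries the Analysis section (risk only at the intersection of asset, credible threat and vulnerability, scored qualitatively) through to the roadmap step above (ranking controls by return on security investment). The page's scales are used as given: asset value 1 to 4, and High/Medium/Low for threat prevalence and vulnerability severity. Everything else is an assumption made for illustration: the multiplicative combination of the three factors, the buckets that turn the product back into a qualitative level, the CVSS-to-severity thresholds (taken from the CVSS v3 qualitative rating scale and collapsed to three levels), and the sample finding and controls, which are constructed around the page's own e-commerce server scenario.

```python
"""Qualitative risk scoring and roadmap prioritization (added example, not the page's code)."""
from dataclasses import dataclass
from typing import Optional

LEVELS = ["Low", "Medium", "High"]                 # ordinal scale for threat prevalence and severity
LEVEL_SCORE = {lvl: i + 1 for i, lvl in enumerate(LEVELS)}
# Page's asset value scale: 1 = Catastrophic, 2 = Critical, 3 = Marginal, 4 = Negligible,
# inverted into a weight so that a more valuable asset contributes more risk.
ASSET_WEIGHT = {1: 4, 2: 3, 3: 2, 4: 1}


def severity_from_cvss(base_score: float) -> str:
    """Map a CVSS v3 base score onto High/Medium/Low severity.

    Assumption: the page gives no thresholds; these collapse the CVSS v3 qualitative
    ratings (None/Low, Medium, High/Critical) onto the page's three levels.
    """
    if not 0.0 <= base_score <= 10.0:
        raise ValueError("CVSS base score must be between 0.0 and 10.0")
    if base_score >= 7.0:
        return "High"
    if base_score >= 4.0:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Finding:
    asset: str
    asset_value: int              # 1..4 on the page's scale
    threat: str
    prevalence: Optional[str]     # High/Medium/Low, or None when no credible threat exists
    vulnerability: str
    severity: Optional[str]       # High/Medium/Low, or None when no vulnerability exists


def risk_score(f: Finding) -> int:
    """Risk exists only at the intersection of asset, credible threat and vulnerability."""
    if f.prevalence is None or f.severity is None:
        return 0
    return ASSET_WEIGHT[f.asset_value] * LEVEL_SCORE[f.prevalence] * LEVEL_SCORE[f.severity]


def risk_level(score: int) -> str:
    """Bucket the 0..36 product back into a qualitative level (assumed thresholds)."""
    if score == 0:
        return "None"
    if score >= 18:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Control:
    name: str
    strategy: str             # Mitigation, Transfer or Avoidance; Acceptance is the do-nothing baseline
    cost: float               # relative cost units (constructed)
    severity_drop: int = 0    # severity levels removed; dropping past Low removes the vulnerability
    prevalence_drop: int = 0  # prevalence levels removed; dropping past Low removes the credible threat


def _lower(level: Optional[str], drop: int) -> Optional[str]:
    if level is None or drop == 0:
        return level
    idx = LEVELS.index(level) - drop
    return LEVELS[idx] if idx >= 0 else None


def apply_control(f: Finding, c: Control) -> Finding:
    return Finding(f.asset, f.asset_value, f.threat, _lower(f.prevalence, c.prevalence_drop),
                   f.vulnerability, _lower(f.severity, c.severity_drop))


def rosi(f: Finding, c: Control) -> float:
    """Return on security investment: risk score removed per unit of cost."""
    if c.cost <= 0:
        raise ValueError("a control needs a positive cost to compute ROSI")
    return (risk_score(f) - risk_score(apply_control(f, c))) / c.cost


def prioritize(f: Finding, controls: list) -> list:
    """Rank controls by ROSI, highest first, the way the roadmap action plan orders work."""
    return sorted(((c.name, c.strategy, rosi(f, c)) for c in controls),
                  key=lambda row: row[2], reverse=True)


# Constructed sample: the page's Internet attacker against an e-commerce server,
# with a hypothetical CVSS 9.8 flaw in the server's web framework.
STORE = Finding("e-commerce server", 2, "Internet attacker", "High",
                "unpatched web framework", severity_from_cvss(9.8))
CONTROLS = [
    Control("Patch the web framework", "Mitigation", cost=2, severity_drop=2),
    Control("Deploy a WAF in front of the store", "Mitigation", cost=5, severity_drop=1),
    Control("Buy cyber insurance", "Transfer", cost=4),      # moves the cost, not the exposure
    Control("Take the store offline", "Avoidance", cost=30, severity_drop=3),
]


def roadmap() -> list:
    return prioritize(STORE, CONTROLS)


if __name__ == "__main__":
    print(f"{STORE.asset}: score {risk_score(STORE)} ({risk_level(risk_score(STORE))})")
    for name, strategy, value in roadmap():
        print(f"  {value:5.2f}  {strategy:<10} {name}")
```

Two points the numbers make that the prose only states: a transfer such as insurance scores zero here because it changes who pays, not the asset, threat or vulnerability, and avoidance removes all of the risk yet ranks below patching once its cost is counted. Controls that land at the bottom of the list are the natural candidates for acceptance.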

