IT Security Management and Risk Assessment

IT security management involves formally assessing risks to organizational assets and determining appropriate controls. Key aspects include identifying security objectives, threats, risks, and controls. Standards like ISO 27001 provide requirements for establishing an information security management system with processes like risk assessment and risk treatment. Effective IT security management requires ongoing monitoring and improvement of security policies, controls, and risk management processes.

Uploaded by OMAR QARKASH

Chapter 14

IT Security Management
and Risk Assessment
IT Security Management Overview

IT security management is the formal process of answering three questions:

• What assets need to be protected?
• How are those assets threatened?
• What can be done to counter those threats?

• Ensures that critical assets are sufficiently protected in a cost-effective manner
o Starts by determining a clear view of an organization's IT security objectives and general risk profile
o A security risk assessment is needed for each asset in the organization that requires protection; this assessment must answer the three key questions listed above
o Provides the information necessary to decide what management, operational, and technical controls are needed to reduce the risks identified to an acceptable level, or otherwise to accept the resultant risk
The process continues by:
- selecting suitable controls
- writing plans and procedures to ensure these necessary controls are implemented effectively
- monitoring that implementation to determine whether the security objectives are met
- iterating the whole process, keeping the plans and procedures up to date because of the rapid rate of change in both the technology and the risk environment
Table 14.1
ISO/IEC 27000 Series of Standards on IT Security Techniques

27000:2012 "Information security management systems - Overview and vocabulary": provides an overview of information security management systems, and defines the vocabulary and definitions used in the 27000 family of standards.
27001:2005 "Information security management systems - Requirements": specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System.
27002:2005 "Code of practice for information security management": provides guidelines for information security management in an organization and contains a list of best-practice security controls. It was formerly known as ISO 17799.
27003:2010 "Information security management system implementation guidance": details the process from inception to the production of implementation plans of an Information Security Management System specification and design.
27004:2009 "Information security management - Measurement": provides guidance to help organizations measure and report on the effectiveness of their information security management system processes and controls.
27005:2011 "Information security risk management": provides guidelines on the information security risk management process. It supersedes ISO 13335-3/4.
27006:2007 "Requirements for bodies providing audit and certification of information security management systems": specifies requirements and provides guidance for these bodies.
IT Security Management/ISO
IT SECURITY MANAGEMENT: A process used to achieve and maintain appropriate levels of confidentiality, integrity, availability, accountability, authenticity, and reliability. IT security management functions include:

• Determining organizational IT security objectives, strategies, and policies
• Determining organizational IT security requirements
• Identifying and analyzing security threats to IT assets within the organization
• Identifying and analyzing risks
• Specifying appropriate safeguards
• Monitoring the implementation and operation of safeguards that are necessary in order to cost-effectively protect the information and services within the organization
• Developing and implementing a security awareness program
• Detecting and reacting to incidents
Plan-Do-Check-Act Cycle (ISO 27001 / ISO 27005)

Plan: establish security policy, objectives, processes and procedures; perform risk assessment; develop risk treatment plan with appropriate selection of controls or acceptance of risk.

Do: implement the risk treatment plan.

Check: monitor and maintain the risk treatment plan.

Act: maintain and improve the information security risk management process in response to incidents, review, or identified changes.
Organizational Context and Security Policy

• Maintained and updated regularly
o Using periodic security reviews
o Reflect changing technical/risk environments

• First examine the organization's IT security:
o Objectives - wanted IT security outcomes
o Strategies - how to meet objectives
o Policies - identify what needs to be done

• Examine role and importance of IT systems in organization:
o What key aspects of the organization require IT support in order to function efficiently?
o What tasks can only be performed with IT support?
o Which essential decisions depend on the accuracy, currency, integrity, or availability of data managed by the IT systems?
o What data created, managed, processed, and stored by the IT systems need protection?
o What are the consequences to the organization of a security failure in their IT systems?

If the answers to some of the above questions show that IT systems are important to the organization in achieving its goals, then clearly the risks to them should be assessed and appropriate action taken to address any deficiencies identified. A list of key organization security objectives should result from this examination.
Security Policy

Needs to address:

• Scope and purpose including relation of objectives to business, legal, regulatory requirements
• IT security requirements
• Assignment of responsibilities
• Risk management approach
• Security awareness and training
• General personnel issues and any legal sanctions
• Integration of security into systems development
• Information classification scheme
• Contingency and business continuity planning
• Incident detection and handling processes
• How and when the policy is reviewed, and change control to it

• The intent of the policy is to provide a clear overview of how an organization’s IT infrastructure supports its
overall business objectives in general, and more specifically what security requirements must be provided in
order to do this most effectively.
Management Support
• IT security policy must be supported by senior management
• Need IT security officer
o To provide consistent overall supervision
o Liaison with senior management
o Maintenance of IT security objectives, strategies, policies
o Handle incidents
o Management of IT security awareness and training programs
o Interaction with IT project security officers
• Large organizations need separate IT project security officers
associated with major projects and systems
o Manage security policies within their area
Security Risk Assessment

• Critical component of the process
• Ideally examine every organizational asset
o Not feasible in practice
• Approaches to identifying and mitigating risks to an organization's IT infrastructure:
o Baseline
o Informal
o Detailed risk analysis
o Combined
Baseline Approach
• Goal is to implement agreed controls to provide protection against the most common threats
• Forms a good base for further security measures
• Use "industry best practice"
o Easy, cheap, can be replicated
o Gives no special consideration to variations in risk exposure
o May give too much or too little security
• Generally recommended only for small organizations without the resources to implement more structured approaches
Informal Approach
• Involves conducting an informal, pragmatic risk analysis on the organization's IT systems
• Exploits the knowledge and expertise of the analyst
• Fairly quick and cheap
• Judgments can be made about vulnerabilities and risks that the baseline approach would not address
• Some risks may be incorrectly assessed
• Skewed by the analyst's views, and varies over time
• Suitable for small to medium sized organizations where IT systems are not necessarily essential
Detailed Risk Analysis
• Most comprehensive approach
• Significant cost in time, resources, expertise
• May be a legal requirement to use
• Assess using a formal structured process
o Number of stages
o Identify threats and vulnerabilities to assets
o Identify likelihood of risk occurring and consequences
• Suitable for large organizations with IT systems critical to their business objectives
Combined Approach
• Combines elements of the other approaches
o Initial baseline on all systems
o Informal analysis to identify critical risks
o Formal assessment on these systems
• Results in the development of a strategic picture of the IT resources and where major risks are likely to occur
• Ensures that a basic level of security protection is implemented early
• For most organizations this approach is the most cost effective
• Use is highly recommended

Detailed Security Risk Analysis

• Provides the most accurate evaluation of an organization's IT system's security risks
• Highest cost
• Initially focused on addressing defense security concerns
• Often mandated by government organizations and associated businesses
Establishing the Context
• Initial step
o Determine the basic parameters of the risk assessment
o Identify the assets to be examined
• Explores the political and social environment in which the organization operates
o Legal and regulatory constraints
o Provide a baseline for the organization's risk exposure
• Risk appetite
o The level of risk the organization views as acceptable
• Asset: A system resource or capability of value to its
owner that requires protection
• Threat: A potential for a threat source to exploit a
vulnerability in some asset, which if it occurs may
compromise the security of the asset and cause harm to
the asset’s owner
• Vulnerability: A flaw or weakness in an asset’s design,
implementation, or operation and management that
could be exploited by some threat
• Risk: The potential for loss computed as the
combination of the likelihood that a given threat exploits
some vulnerability to an asset, and the magnitude of
harmful consequence that results to the asset’s owner
Asset Identification
• Identify assets to examine
• Draw on expertise of people in relevant areas of the organization to identify key assets
o Identify and interview such personnel

Asset: "anything which needs to be protected"; has value to the organization in meeting its objectives; tangible or intangible; something whose compromise or loss would seriously impact the operation of the organization
Hardware Assets
• Hardware assets include servers, workstations, laptops,
mobile devices, removable media, networking and
telecommunications equipment, and peripheral equipment
• Key concerns are loss of a device, through theft or damage,
and lack of availability of the device for an extended period
• Another concern is device malfunction, due to deliberate
malfunction or other causes
Software Assets

• Software assets include applications, operating systems and other system software, virtual machine and container virtualization software, software for software-defined networking (SDN) and network function virtualization (NFV), database management systems, file systems, and client and server software
• Availability is a key consideration here, and asset valuation must take account of disruption losses and recovery expenses
Information Assets
• Information assets comprise the information stored in databases and file systems, both on-premises and remotely in the cloud
• ITU-T X.1055 lists the following as types of information assets in a telecommunications or network environment:

■ Communication data
■ Routing information
■ Subscriber information
■ Blacklist information
■ Contracts and agreements
■ Registered service information
■ System documentation
■ Research information
■ Operational information
■ User manuals
■ Customer information
■ Trouble information
■ Configuration information
■ Customer calling patterns
■ Customer geographic locations
■ Traffic statistical information
■ Training materials
■ Billing information
■ Operational or support procedures
■ Business continuity plans
■ Emergency plan fallback arrangements
■ Audit trails and archived information
Threat Identification
• A threat is anything that might hinder or prevent an asset from providing appropriate levels of the key security services: confidentiality, integrity, availability, accountability, authenticity, and reliability
Threat Sources
• Threats may be
o Natural "acts of God"
o Man-made
o Accidental or deliberate

Evaluation of human threat sources should consider:

• Motivation
• Capability
• Resources
• Probability of attack
• Deterrence

• Any previous experience of attacks seen by the organization also needs to be considered
Threat types
• Malware
• Virus
• Worm
• Ransomware
• Spam
• Logic bomb
• Trojan horse
• Backdoor (trapdoor)
• Mobile code
• Exploit
• Exploit kit
• Downloader
• Dropper
• Auto-rooter
• Kit (virus generator)
• Spammer program
• Flooder
• Keyloggers
• Rootkit
• Zombie or bot
• Spyware
• Adware
• Remote access attacks
• Denial-of-service (DoS)
• Distributed denial-of-service (DDoS) attack
• DNS attacks
• Hacker or cracker
• Injection flaw
• Code injection
• Social engineering
• Phishing
• Password attack
• Website exploit
Vulnerability Identification
• Identify exploitable flaws or weaknesses in the organization's IT systems or processes
o Determines applicability and significance of a threat to the organization
• A combination of threat and vulnerability is needed to create a risk to an asset
• Outcome should be a list of threats and vulnerabilities with brief descriptions of how and why they might occur

Vulnerability Categories
• Technical vulnerabilities
o Flaws in the design, implementation, and/or configuration of software and/or hardware components, including application software, system software, communications software, computing equipment, communications equipment, and embedded devices
• Human-caused vulnerabilities
o Key person dependencies, gaps in awareness and training, gaps in discipline, and improper termination of access
• Physical and environmental vulnerabilities
o Insufficient physical access controls, poor siting of equipment, inadequate temperature/humidity controls, and inadequately conditioned electrical power
• Operational vulnerabilities
o Lack of change management, inadequate separation of duties, lack of control over software installation, lack of control over media handling and storage, lack of control over system communications, inadequate access control or weaknesses in access control procedures, inadequate recording and/or review of system activity records, inadequate control over encryption keys, inadequate reporting, handling and/or resolution of security incidents, and inadequate monitoring and evaluation of the effectiveness of security controls
• Business continuity and compliance vulnerabilities
o Misplaced, missing, or inadequate processes for appropriate management of business risks; inadequate business continuity/contingency planning; and inadequate monitoring and evaluation for compliance with governing policies and regulations
Analyze Existing Controls

• Existing controls used to attempt to minimize threats need to be identified
• Security controls include:
o Management
o Operational
o Technical processes and procedures
• Use checklists of existing controls and interview key organizational staff to solicit information
Risk Analysis
• Specify likelihood of occurrence of each identified threat to
asset given existing controls
• Specify consequence should threat occur
• Derive overall risk rating for each threat
o Risk = probability threat occurs x cost to organization
• Hard to determine accurate probabilities and realistic cost
consequences
• Use qualitative, not quantitative, ratings
Table 14.2 Risk Likelihood
Table 14.3 Risk Consequences
(Tables 14.2 and 14.3 can be found on pages 503-504 in the textbook)
Table 14.4 Risk Level Determination and Meaning
Table 14.5 Risk Register
Risk Treatment Alternatives

• Risk acceptance: Choosing to accept a risk level greater than normal for business reasons, due to excessive cost or time needed to treat the risk. Management must then accept responsibility for the consequences.

• Risk avoidance: Not proceeding with the activity or system that creates this risk. This usually results in loss of convenience or ability to perform some function that is useful to the organization.

• Risk transfer: Sharing responsibility for the risk with a third party.

• Reduce consequence: Modifying the structure or use of the assets at risk to reduce the impact on the organization should the risk occur. This could be achieved by implementing controls to enable the organization to quickly recover.

• Reduce likelihood: Implement suitable controls to lower the chance of the vulnerability being exploited. These could include technical or administrative controls such as deploying firewalls and access tokens, or procedures such as password complexity and change policies. Such controls aim to improve the security of the asset.
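The qualitative risk analysis described above (Risk = likelihood x consequence, rated rather than computed) and the risk treatment alternatives fit together in a small risk register. The following is an added example written for this page, not code from the textbook or the slides. The five-point likelihood and consequence scales, the Low/Medium/High/Extreme thresholds, and the sample entries (assets in the style of the Silver Star Mines case study, with illustrative threats, existing controls and ratings) are all assumptions for the example and are not the contents of Tables 14.2 to 14.6. build_register ranks entries against the stated risk appetite and marks which ones must be treated; treat shows that "reduce likelihood" (preventive controls) and "reduce consequence" (recovery controls) lower the residual rating along different axes.

```python
from dataclasses import dataclass

# Qualitative five-point scales, listed from lowest to highest. Tables 14.2-14.4 are not
# reproduced on this page, so these scale names and the level thresholds below are
# assumptions for this example, not the textbook's tables.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
LEVEL_ORDER = ["Low", "Medium", "High", "Extreme"]  # ascending severity


def risk_level(likelihood: str, consequence: str) -> str:
    """Risk = likelihood x consequence, mapped onto a qualitative level (assumed thresholds)."""
    score = LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]
    if score >= 15:
        return "Extreme"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


@dataclass
class RiskEntry:
    asset: str
    threat: str             # threat/vulnerability pair being rated
    existing_controls: str  # controls already in place when the ratings were made
    likelihood: str         # likelihood given the existing controls
    consequence: str        # consequence to the owner should the threat occur

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.consequence)


def exceeds_appetite(level: str, appetite: str) -> bool:
    """True when a rated level is above the highest level management has agreed to accept."""
    return LEVEL_ORDER.index(level) > LEVEL_ORDER.index(appetite)


def build_register(entries, appetite):
    """Risk register rows (asset, threat, level, action), highest risk first."""
    rows = sorted(entries, key=lambda e: (-LEVEL_ORDER.index(e.level), e.asset))
    return [(e.asset, e.threat, e.level,
             "treat" if exceeds_appetite(e.level, appetite) else "accept") for e in rows]


def lower_rating(scale, rating, steps):
    """Move a rating `steps` positions down its scale, never below the lowest value."""
    names = list(scale)  # dict keys keep their insertion (ascending) order
    return names[max(0, names.index(rating) - steps)]


def treat(entry, reduce_likelihood=0, reduce_consequence=0):
    """Residual risk after treatment: 'reduce likelihood' models preventive controls
    (firewalls, access tokens, password policy); 'reduce consequence' models recovery
    controls (backups, continuity arrangements)."""
    return RiskEntry(entry.asset, entry.threat, entry.existing_controls,
                     lower_rating(LIKELIHOOD, entry.likelihood, reduce_likelihood),
                     lower_rating(CONSEQUENCE, entry.consequence, reduce_consequence))


# Constructed sample modelled on the Silver Star Mines asset list; the threats, controls and
# ratings are illustrative, not taken from the textbook's Table 14.6.
SAMPLE = [
    RiskEntry("SCADA nodes and network", "unauthorised change to control settings",
              "formerly isolated, now bridged to the corporate network", "possible", "major"),
    RiskEntry("Stored file and database information", "unauthorised modification of records",
              "file permissions, nightly backups", "possible", "moderate"),
    RiskEntry("Financial system", "loss of availability or integrity",
              "vendor support, backups", "unlikely", "major"),
    RiskEntry("Procurement system", "loss of availability or integrity",
              "backups", "unlikely", "moderate"),
    RiskEntry("Maintenance/production system", "loss of availability or integrity",
              "backups", "possible", "major"),
    RiskEntry("Mail services", "phishing compromising confidentiality",
              "spam filtering", "likely", "minor"),
]
APPETITE = "Medium"  # case study: management accepts moderate or low risk


if __name__ == "__main__":
    for row in build_register(SAMPLE, APPETITE):
        print(row)
    # One preventive and one recovery control applied to the SCADA risk
    residual = treat(SAMPLE[0], reduce_likelihood=1, reduce_consequence=1)
    print(SAMPLE[0].level, "->", residual.level)
```

With these assumed ratings the two "possible"/"major" entries come out High and are flagged for treatment, everything else sits within the Medium appetite and is accepted, and lowering the SCADA entry one step on each scale brings it down to Medium. The point a register makes visible is that a risk rated against existing controls can be re-rated after a proposed treatment, so the treatment plan records expected residual risk rather than just the control chosen.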
Case Study: Silver Star Mines
• Fictional operation of global mining company
• Large IT infrastructure
o Both common and specific software
o Some directly relates to health and safety
o Formerly isolated systems now networked
• Decided on combined approach
• Mining industry is at the less risky end of the spectrum
• Subject to legal/regulatory requirements
• Management accepts moderate or low risk
Assets
• Reliability and integrity of SCADA (Supervisory Control And Data Acquisition) nodes and network
• Integrity of stored file and database information
• Availability and integrity of financial system
• Availability and integrity of procurement system
• Availability and integrity of maintenance/production system
• Availability, integrity and confidentiality of mail services
Table 14.6

Silver Star Mines Risk Register


Summary
• IT security management
• Organizational context and security policy
• Security risk assessment
o Baseline approach
o Informal approach
o Detailed risk analysis
o Combined approach
• Detailed security risk analysis
o Context and system characterization
o Identification of threats/risks/vulnerabilities
o Analyze risks
o Evaluate risks
o Risk treatment
• Case study: Silver Star Mines
