
Chapter 10 - Risk Assessment Techniques - TechTarget


CHAPTER 10
Risk Assessment Techniques

INFORMATION IN THIS CHAPTER
• Operational Assessments
• Project-Based Assessments
• Third-Party Assessments

INTRODUCTION
Once you have a risk model and a few assessments under your belt, you will want to start thinking strategically about how to manage the regular operational, project, and third-party assessments that will occupy most of your time as a risk manager or analyst. This can quickly become an overwhelming task if not approached strategically, making the best use of the tools and resources that are available. You will want a single risk model for the organization, but the actual assessment techniques and methods will need to vary with the scope of the assessment. An assessment of risk during an incident investigation, for example, must be more streamlined than an architectural risk assessment of a new software application in development.

OPERATIONAL ASSESSMENTS
Do you think that you would use the exact same techniques to perform a risk assessment on a new application or system in development as you would use to assess an entire company during an acquisition?

The answer is that you wouldn’t. So far, we have established risk models and frameworks, which will be the foundation for any assessment, but how you go about performing that assessment will vary based on the size and nature of the target. It can be helpful to start thinking about categories of assessments, beginning with the distinction between operational assessments, meaning those ongoing day-to-day assessments that occur all year long, and project-based assessments, which have a finite duration. The operational assessments will encompass regular assessments of emerging threats, newly announced vulnerabilities, and discovered standard violations, just to name a few. Operational assessments should not be confused with assessments of risks in the operations domain. In this context, operational describes the format of the assessment, indicating that these are ongoing and revolving assessments with no clear endpoint, as opposed to assessments of projects that have set completion dates. In contrast, an assessment of the operations domain would define the scope of the assessment, which would focus on threats to operations continuity. We are focusing on the former for the purposes of this chapter.

Security Risk Management. © 2011 Elsevier Inc. All rights reserved.

Some examples of operational risk assessment tasks in the information security space include the following:
• Threat analysis
• Vulnerability scanning
• Patch remediation
• Penetration testing
• Incident prioritization
• Exception processing
• Compliance to standards reviews
• Certification and accreditation (C&A)
• Auditing (internal or external)
• Responses to client due diligence evaluations
• Vendor on-site reviews
• Regulatory gap analysis
As you can see, this list is rather diverse, and even so, it doesn’t even begin to cover all the various tasks for which a security risk management team might be responsible.

It just wouldn’t be practical to use the exact same approach and techniques for each of these tasks, but fortunately, the fundamentals stay the same. It is really just the tools and format of the assessment that change with the type of task. For example, a vulnerability scan of your Internet presence is going to require a technical tool or service to perform security scanning for vulnerabilities, but an on-site review of a service provider’s physical security controls is going to require a body with a clipboard and a list of required controls. Likewise, you aren’t going to require an on-site physical assessment of Dell’s facility just because they provide your server hardware, but you would want to perform that on-site assessment of an offshore development center that provides 80% of the code for your products. When you are establishing your risk management program, start by thinking about the different levels of resources that you will be assessing and map out which methodology will be most efficient for each.

Techniques
For all those potential operational assessments, your options really come down to just a few assessment formats:
• Questionnaire
• Interview
• Passive testing
• Active testing
• Review of a third-party assessment
• Acceptance of a certification
When it comes to internal or third-party assessments, you should consider mapping the depth and intrusiveness of the assessment technique to the risk sensitivity of the service being provided.

For example, a review of an independent assessment report or a passive test, such as conducting a Google search for information about your organization, will usually be nonintrusive, requiring mostly only your own team’s resources. For those resources that have lower risk sensitivities or have already been reviewed in the past without any significant findings, you may want to consider these approaches to minimize your impact on staff from other business units.

Questionnaires and Interviews
The first two techniques are questionnaires and interviews, and we will address them together since, ultimately, a questionnaire is just a passive version of an interview. Choosing which is appropriate can often be difficult, and it may come down to trial and error to determine which one your organization responds to better, but hopefully, these guidelines will give you a good place to start.

First, the benefit of an interview-style assessment over a questionnaire is that a skilled assessor can use the responses to a static question to guide their follow-up questions and direct which additional questions they ask. For instance, if you are assessing the IT environment and you have a series of questions about password controls (length, complexity, change history, expiration, initial distribution, reset procedures, and so on), but the system in question uses digital certificates or cryptographic keys instead, you can skip all the remaining password questions and drill into the key management questions on the fly. To do this with a questionnaire, you either need to program some logic into an online questionnaire or you will be doing a lot of back-and-forth follow-up about why they selected N/A for all your password questions. Second, if you are doing an internal assessment, you would be surprised how many additional risks you can uncover just by getting several people in a room at once and listening to them disagree about how something actually works. The manager will give you one answer, the engineer will correct him, and the junior engineer who recently joined the team will say “nobody told me that was the procedure.”
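The branching just described, as an added illustration that is not code from the book: a small questionnaire engine in Python that asks the password questions only when the system authenticates with passwords, switches to the key-management questions when it uses certificates or SSH keys, and records every N/A given to a question that does apply, so the assessor knows exactly which answers to chase instead of reading a column of N/A. The question bank, the question IDs, the predicates and the sample answers are all constructed for the example.

```python
"""Skip-logic questionnaire engine (added example, not from the book).

If the responder says the system authenticates with certificates or SSH keys,
the password-control questions are never shown and the key-management
questions are asked instead. An N/A given to a question the logic decided
DOES apply is flagged as a follow-up, which is the "why did they pick N/A?"
conversation a flat questionnaire otherwise forces you into by e-mail.
The question bank and answers below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass
class Question:
    qid: str
    text: str
    # Predicate over the answers collected so far; True means "ask this one".
    applies: Callable[[dict], bool] = lambda answers: True


def uses_passwords(a: dict) -> bool:
    return a.get("auth.mechanism") == "password"


def uses_keys(a: dict) -> bool:
    return a.get("auth.mechanism") in {"certificate", "ssh-key"}


# Hypothetical question bank. The predicates encode the branching.
QUESTIONS = [
    Question("auth.mechanism", "Primary authentication mechanism (password/certificate/ssh-key)?"),
    Question("pw.min_length", "Minimum password length?", uses_passwords),
    Question("pw.complexity", "Are complexity rules enforced?", uses_passwords),
    Question("pw.expiry_days", "Maximum password age in days?", uses_passwords),
    Question("pw.reset", "How are password resets authorised?", uses_passwords),
    Question("key.storage", "Where are private keys stored (HSM/TPM/file)?", uses_keys),
    Question("key.rotation", "How often are keys rotated?", uses_keys),
    Question("key.revocation", "How is a compromised key revoked?", uses_keys),
    Question("logging.central", "Are authentication events forwarded to a central log?"),
]


def run_questionnaire(responder: Callable[[Question], str]) -> dict:
    """Walk the bank in order, asking only questions whose predicate holds.

    Returns the answers, the IDs actually asked, and the follow-ups to raise.
    """
    answers: dict = {}
    asked: list = []
    followups: list = []
    for q in QUESTIONS:
        if not q.applies(answers):
            continue  # skipped by the logic, so no N/A to explain later
        asked.append(q.qid)
        ans = responder(q).strip()
        answers[q.qid] = ans
        if ans.upper() in {"N/A", "NA", ""}:
            followups.append(f"{q.qid}: answered N/A but question applies; ask why")
    return {"answers": answers, "asked": asked, "followups": followups}


def scripted(responses: dict) -> Callable[[Question], str]:
    """Responder backed by a dict; stands in for a web form or an interviewee.
    Anything not in the dict is treated as N/A, as an unanswered field would be."""
    return lambda q: responses.get(q.qid, "N/A")


if __name__ == "__main__":
    # Constructed sample: a host that uses SSH keys, so the password block is skipped
    # and the two unanswered key questions surface as follow-ups.
    result = run_questionnaire(scripted({
        "auth.mechanism": "ssh-key",
        "key.storage": "file",
        "key.rotation": "N/A",
        "logging.central": "yes",
    }))
    for line in result["followups"]:
        print(line)
```

The same engine serves the interview case: hand `run_questionnaire` a responder that prompts the assessor, and the predicates do the on-the-fly skipping the text attributes to a skilled interviewer.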

Of course, that scenario assumes that some level of trust has already been established, that the culture supports healthy disagreement in public, and that your assessor understands the power of just listening. A side benefit of the interview technique can often be increased awareness among the team being assessed about what is expected from a security perspective and, as a result, bad practices can often be corrected right then. In contrast to that situation is the defensive interviewee, or the subject who is actively offended that anyone would dare question their practices. If you suspect that might be the case, then a questionnaire might be the more effective way to go.

No matter how long you spend crafting the perfect questionnaire, you will always have questions that are misunderstood. If the question isn’t clear, you will probably experience one of the following responses from the person answering the questionnaire (in order of likelihood, from most to least likely):
1. Skip the question
2. Select N/A if it is an option
3. Give up on the questionnaire entirely and not finish
4. Answer the question with a No just to be safe
5. Ask for clarification
You may wish that response 5 were more common, but with so many pulls on resources’ time, you are probably going to have to hunt down the responder to find out that there was a question they didn’t understand.

You can minimize this situation by trying to provide organization-specific examples along with each question. A targeted example can go a long way toward clarifying the intent of the question. Of course, when conducting an interview, you can address any confusion immediately, which minimizes the time lost and the frustration experienced by both parties. As a general rule, using an interview style is going to give you the richest and most accurate information in the shortest amount of time, assuming you can get the right people in a room all at once. It may seem onerous to schedule all these interviews and coordinate resources, but it gets you exposure to many critical functions in the organization and will be your quickest option. The challenge is that interviews don’t scale well for large organizations, so you will need to prioritize where you use a questionnaire versus an interview.

One approach is to use an interview for the first assessment and a questionnaire for each subsequent assessment of that same resource. That way, you get a detailed risk assessment and understanding of the resource up front, but can scale back the effort over time. Another approach is to send out a questionnaire and then schedule an in-person meeting with everyone involved to review the answers and discuss any follow-up questions. With this approach, you leverage the benefits of both techniques.

Active and Passive Testing
Questionnaires and interviews might work well for identifying policy violations or process weaknesses, but to really evaluate the technical vulnerabilities in your environment, you will need to perform some sort of security testing. Although passive testing sounds harmless, beware that the definition of passive is not always consistent across the field. A search of public sources touches only a third party’s index and never the target, but a so-called passive network scan still sends packets to the target and will show up in its logs, so agree on the definition with the system owner before you start.

There are definitely gray areas to be aware of; any testing should require appropriate senior management approval, and that approval should be in writing and name the scope, the time window, and who to contact if something breaks. Most security scanners or vulnerability scanners are tools with large databases of known attacks and weaknesses, and they will scan the environment for signs of vulnerabilities or compromises. These tools will also typically have the ability to identify missing patches, configuration mistakes, or denial-of-service conditions.

Security scanning tools are very common. Many will focus on general operating system and commercial application vulnerabilities, but others specialize in mapping environments or testing Web applications for weaknesses. Most will only look for signs of a weakness, such as a version string or banner known to belong to a vulnerable build, while others also include the option to validate a vulnerability by actually exploiting it. Any tool that will actually verify a weakness by executing the exploit would be considered a penetration testing tool, not just a scanner.
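To make the distinction between looking for signs of a weakness and verifying it concrete, here is an added example, not from the book or from any particular scanner, of the version-signature check at the core of a banner-based vulnerability scan: parse the product and version out of a service banner, compare them against the release that carries the fix, and report a finding. It stops exactly where the text draws the line. It never sends an exploit, and it downgrades its confidence when the banner carries a distribution build suffix, because vendors routinely backport fixes without changing the upstream version string, which is the classic source of scanner false positives. The product names, fixed versions, banners and host addresses are all constructed for the example.

```python
"""Banner version-signature check (added example, not from the book).

Implements the "signs of a weakness" half of a vulnerability scanner: pull the
product and version out of a banner and compare against a fixed-in table.
It does not verify anything; a finding here is an input to an active test,
not a confirmed vulnerability. All products, versions, banners and hosts are
constructed for the example.
"""
import re
from dataclasses import dataclass

# Hypothetical signature table: product -> first version that carries the fix.
# A real scanner ships thousands of these, keyed by advisory or CVE.
FIXED_IN = {
    "ExampleSSH": (3, 2, 0),
    "ExampleHTTPd": (2, 4, 12),
}

# Matches "ExampleSSH_3.1-deb11u2" or "ExampleHTTPd/2.4.9": product, version, trailing suffix.
BANNER_RE = re.compile(r"(?P<product>[A-Za-z]+)[_/](?P<version>\d+(?:\.\d+)*)(?P<suffix>\S*)")

# Distribution build markers that usually mean security fixes were backported.
BACKPORT_RE = re.compile(r"[-+](deb|ubuntu|el)\d", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    version: tuple
    confidence: str  # "likely" or "unconfirmed"
    note: str


def parse_version(s: str) -> tuple:
    """'2.4.12' -> (2, 4, 12)."""
    return tuple(int(p) for p in s.split("."))


def pad(v: tuple, n: int = 3) -> tuple:
    """Right-pad with zeros so (3, 1) compares as (3, 1, 0)."""
    return v + (0,) * (n - len(v))


def check_banner(host: str, banner: str):
    """Return a Finding if the banner advertises a version below the fix, else None."""
    m = BANNER_RE.search(banner)
    if not m or m.group("product") not in FIXED_IN:
        return None  # unknown product: nothing to compare against
    product = m.group("product")
    version = parse_version(m.group("version"))
    if pad(version) >= pad(FIXED_IN[product]):
        return None  # at or above the fixed release
    if BACKPORT_RE.search(m.group("suffix")):
        # Vendor build: upstream version string is stale, fix may be present.
        return Finding(host, product, version, "unconfirmed",
                       "vendor build suffix; fix may be backported, verify actively")
    return Finding(host, product, version, "likely",
                   "upstream version below fixed release; verify before reporting")


def scan(banners: dict) -> list:
    """Run check_banner over a host -> banner map, as collected by a sweep."""
    findings = []
    for host, banner in banners.items():
        f = check_banner(host, banner)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample banners, in the shape real SSH and HTTP banners take.
SAMPLE_BANNERS = {
    "10.0.0.5": "SSH-2.0-ExampleSSH_3.1",
    "10.0.0.6": "SSH-2.0-ExampleSSH_3.1-deb11u2",
    "10.0.0.7": "SSH-2.0-ExampleSSH_3.2",
    "10.0.0.8": "Server: ExampleHTTPd/2.4.9 (Unix)",
    "10.0.0.9": "Server: nginx",
}

if __name__ == "__main__":
    for f in scan(SAMPLE_BANNERS):
        ver = ".".join(map(str, f.version))
        print(f"{f.host}: {f.product} {ver} [{f.confidence}] {f.note}")
```

On the sample data the first and fourth hosts come back as likely, the second as unconfirmed because of its distribution suffix, and the other two are clean. The unconfirmed bucket is where the scanner’s job ends and the penetration tester’s begins, and it is those hosts, not the whole list, that need the written testing approval discussed above.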
