A risk assessment involves evaluating threats to business assets, identifying security vulnerabilities or weaknesses that can take advantage of those threats, and prioritizing business risk. System security is the overall effort focused on the protection of information assets to support the proper behavior of business systems.
System security is an ongoing process to mitigate damage, reduce threats and ensure continuity to ensure real outputs of systems consistent with expected outputs. System security also involves procedures, policies, physical security, organization, and could also involve hardware failures for instance. A vulnerability for a system could be, for example, that its related administration procedure does not require users to change passwords regularly. Another could be that there is nobody in charge of security administration on the system.
A security risk assessment is the first step in the life cycle of security management. At a high level, the risk assessment is a process which: evaluates threats to business assets; identifies security weaknesses or vulnerabilities that can be taken advantage of by those threats; and prioritizes business risk, as generally explained in the FDIC Financial Institution Letter 68-99, Risk Assessment Tools And Practices For Information System Security, Jul. 7, 1999, which is incorporated herein by reference. The security risk assessment is the process that typically drives all security planning, analysis and design activities in the later methodology stages.
The overriding goal of security is to protect the confidentiality, integrity, and availability requirements of the assets. The risk assessment will help determine what controls need to be in place to meet this goal cost effectively.
A security risk assessment typically includes the following steps: (1) analyzing the environment; (2) assessing the business risk; and (3) conducting security strategy sessions.
When analyzing the environment, often it is helpful to conduct a technical analysis. Technical analysis involves probing critical technology architecture components to look for common security holes. Operating systems and networks have known vulnerabilities that can be easily detected in a technical analysis. The purpose of this analysis is to determine the maturity of the security practices within the current infrastructure. This will help determine what security Best Practices may be implemented to improve the security of the overall environment.
Automated tools or intrusion detection procedures can be used to conduct an analysis. These tools may capture a picture of an individual system's security at one point in time. The tools may simulate attacks on the targeted system and provide a list of the technical vulnerabilities. The lists may be sorted by the level of vulnerability found: Low, Medium or High. The tests may not provide a good picture of the overall security in the network. The test results, however, provide statistical data that can drive home the assessment findings.
Another important step of risk assessment is to assess the business risk. This documents key assets, threats, vulnerabilities, and business effects to the environment; it also identifies major risks to the company and prioritizes them.
Determining what risks expose the organization to the most loss is a critical step in determining what controls need to be implemented. Risk may be reduced to the organization's acceptable level by implementing controls. The correct controls can be implemented only if the risks are prioritized according to potential impact to the business.
Security risk is the potential for damage or loss of an asset. It combines the value the owner places on the asset in potential danger, the impact the loss of the asset would have, and the likelihood that the weakness will be taken advantage of to damage the asset. Quantitatively:
Risk =(Potential damage)×(Likelihood of occurrence)
Validation risk assessments and enterprise-wide risk assessments have the same basic purpose and process. The purpose of a risk assessment is to evaluate threats to assets, to identify vulnerabilities, to determine risk, and to develop countermeasures to mitigate risk. The process for doing this involves analyzing the environment, assessing business risk, and developing recommendations.
The scope of a security validation is to see how well the current design/implementation has mitigated the risk to the sponsoring organization. If the validation determines that there is remaining risk (called residual risk), then this has to be either formally approved by the organization or used to redesign additional security controls.
Regardless of how the risk assessments have been conducted, it is often difficult to compare the risks associated with alternative implementations. These risk assessments provide long lists of the individual risks, and relative threat of each risk that do not provide a true picture of the overall risk. Heretofore, there has not been a reliable method for accumulating the individual risks in a system to provide a realistic overall risk value. Thus, a system and method to calculate the overall risk of a system from the vulnerabilities found on each of its components and from different information resources is needed