What to know about IT System Risk Assessment and protecting your IT
All You Need to Know About Computer System Risk Assessment
- Introduction. With the advent of technology, everything is moving into the digital domain. As more and more data, including personal, professional, financial and banking information, goes binary, the threat of it being lost or misused increases exponentially. This is where cybersecurity comes in. In a nutshell, it's a combination of understanding risks, administering measures and closing loopholes. Coordinated, concurrent actions are required to protect your company's interests.
- Risk Assessment. Risk evaluation and mitigation are inseparable parts of the IT security job, and in order to carry out a judicious risk assessment, you have to first undertake the following actions:
- Identify the important data that needs to be protected to ensure that your company's interests are unharmed.
- Segregate the top five business operations that are required to use this data.
- Envisage the likely dangers that could disrupt these business functions.
- Threat Versus Cost Analysis. After you've homed in on the assets that you have to protect, you can formalize your plan of action. However, before spending the organization's time or money, you need to seek answers to the following questions to get to the root of the issue:
- What risks can be averted through implementation of your solution?
- Are you addressing the highest priority risks?
- Is it the most cost-effective solution?
- Understanding the Risk. The dictionary meaning of risk is 'a situation leading to exposure of your assets to a danger'. In business terminology, it's the chance of a financial loss. In mathematical terms, it's categorized as zero, low, medium or high. Risk determination involves knowing the threat, the system's vulnerability and the asset under danger. Although risk is not limited to numbers, it can be mathematically represented as "Risk = Threat X Vulnerability X Asset".
- Risk analysis involves common sense and needs a completely logical approach. Take the example of risk assessment for the threat of your important data getting hacked. In this case, the threat is high and the asset is also critical. If you have no firewall protection, vulnerability is also high and hence the risk is high. On the other hand, if your data is protected through adequate anti-hacking technology, the vulnerability becomes either zero or low, thereby reducing the risk accordingly. You have to keep the following points in mind while carrying out risk analysis:
- The Power of Zero. If any of the three factors in the formula above is zero, the risk reduces to zero.
- Risk Involves Uncertainty. If something is certain, it can't be considered a risk.
- The following are the most common ways in which you can suffer financial losses:
- Data Leak. Leakage of a trade secret can lead to loss of business to competitors. Loss of customers' personal information results in customers losing trust in you, which reduces your customer base.
- Inefficient or Dysfunctional System. An ineffective system can lead to customers not being able to place their orders, or to a delayed response from the company, directly affecting the business.
- Legal Implications. Loss of even non-critical data is against most security compliance norms. Such incidents can therefore attract financial penalties.
- Risk Assessment Process. Having understood risk and its ramifications for your business, you'll now go through the step-by-step procedure for carrying out an IT system risk assessment, given below:
- Step #1: Identification and Prioritization of Assets. Assets can be servers, data disks, partnership documents, customer contacts, trade secrets, etc. The list of valuable assets needs to be worked out in consultation with all stakeholders. After the list is finalized, their relative importance should be discussed and decided. This is required in order to address the most critical points within the budget allocated for risk management. The prioritization has to be done in an objective manner, taking into consideration common benchmarks like the asset's value, the impact of its loss, legal implications, etc. Based on the benchmarks approved by the managing committee and included in the company's security directives, categorize the assets as minor, major or critical. Finally, compile the following information for each asset:
  - Hardware.
  - Software.
  - Data.
  - Users.
  - Interface.
  - Support system.
  - Purpose.
  - Operational requirements.
  - Criticality.
  - Policies.
  - Security structure.
  - Network arrangement.
  - Flow of information.
  - Storage security.
  - Physical safety.
  - Technical control.
  - Environmental protection.
- Step #2: Threat Identification. A threat is anything targeted at exploiting a weakness in your security system to break into it and steal your vital information. Apart from malware and hackers, there are numerous other threats, like:
  - Internal System Collapse. The chance of such an event can't be ruled out, but it depends upon the quality of your system. A smart user will therefore always invest in a good-quality system.
  - Natural Catastrophe. Disasters like hurricanes, floods, fire, etc. can cause loss of not just data but also physical assets, including servers, lockers, etc. Therefore, place your servers diligently; for example, they shouldn't be located on the first floor if the area is vulnerable to floods.
  - Accidental Human Intervention. Human error can't be ignored, although it can be reduced with adequate training. Important files can be deleted by mistake, someone may click on a malware link, or a critical piece of equipment may get physically damaged. Regularly backing up data, tracking changes and training all computer users to exercise caution are some steps that can prove useful against such losses.
  - Inimical Humans. This can be further subdivided into the following three types:
    - Interference includes intentional deletion of data, distributed denial of service (DDoS) and theft of servers.
    - Impersonation is when someone abuses somebody else's identity to harm your company. Credentials can be procured from dark markets, snatched through physical attacks or obtained through social media.
    - Interception is the good old hacking as you know it.
- Step #3: Pinpoint Your Weaknesses. A weakness or vulnerability can be misused by your enemies to break through your security and cause harm to your company. Professional services like security audits, the NIST vulnerability database, and software and system analysis can be used to identify vulnerabilities in your system. The system's digital resilience can be increased through regular patch updates and tests. However, adequate focus should also be kept on the possibility of physical damage. For instance, having your servers on higher floors will reduce your system's physical vulnerability to a flood. IT system testing is also a useful method for this purpose and may consist of:
  - Penetration testing.
  - Vulnerability scans using automated tools.
  - Standard procedures like ST&E (security test and evaluation) that include complete tests and evaluations of the information security.
- Step #4: Carry out an Audit of Controls. Controls can be technical (encryption, software for user authentication, intrusion identification and detection) or non-technical (environmental and physical tools, administrative checks, policies for security and protection, etc.). Both types of controls can be further subdivided into detective or preventive. As the name suggests, detective controls help you keep a check on user history and detect and report any attempted hack. Preventive controls like encryption aim at preempting and foiling likely attacks. A meticulously planned allocation of controls is essential for a foolproof system to guard against threats.
- Step #5: Ascertain the Chances of Damage. Carry out a detailed assessment of the chance that a vulnerability may be exploited. This must be undertaken considering the type of weakness, the proficiency and motive of the source of the threat, and the efficiency of your controls. You can give the chance a numerical value or classify it as low, medium or high.
- Step #6: Threat Impact Assessment. Analysis of the impact of the threat is an essential aspect, and the factors that need to be included are:
  - The system's importance, based on its value and that of the data it processes.
  - The objective and functions of the system.
  - The responsiveness and susceptibility of the system.
  The impact assessment can be carried out using existing documents within the organization. One such document is the business impact analysis (BIA) report. It outlines, in a quantitative or qualitative manner, the effect of the loss of each type of data on the system. A harmful activity or a likely attack can undermine the integrity, confidentiality and trustworthiness of the information and the system. As with the chances of damage, impact can also be indicated qualitatively as low, medium or high. Some more factors that must form part of the impact assessment are:
  - The likely annual average number of occurrences of the threat exploiting the weakness.
  - A rough cost of each of these incidents.
  - The relative weightage of a particular threat exploiting a specific weakness.
- Step #7: Prioritization of Assessed Risks to Information Security. Give a risk rating to each threat/vulnerability pair on the basis of the following aspects:
  - The chance of the weakness being exploited by the threat.
  - The effect of a successful exploitation.
  - The efficacy of the security controls in place or under planning to avert or reduce the risk.
  A risk-level matrix is an important tool for this operation. Values of 0.1, 0.5 and 1.0 are allotted for low, medium and high chances of the risk respectively. Similarly, impact levels are rated as 10, 50 and 100 for low, medium and high impact respectively. Risk is calculated by simply multiplying the two values, and the risks are thereafter rated as low, medium or high on the basis of the results.
- Step #8: Suggested Controls. Based on the risk levels, the actions to be taken by senior management and other authorities to reduce the risks are finalized. Some general guidelines on the basis of risk level are given below:
  - High Risk. Major remedial measures need to be planned for implementation at the earliest.
  - Medium Risk. Restorative measures should be planned within a feasible time-frame.
  - Low Risk. A decision must be taken whether the risk should be accepted or corrective measures are required to be devised.
  While deciding the controls to reduce each risk, take the following into consideration:
  - Company policies.
  - Cost versus benefit.
  - Effect of the actions being considered.
  - Feasibility.
  - Existing rules and regulations.
  - Efficacy of the recommended controls.
  - Dependability.
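Steps 7 and 8 together, as an added worked example that is not part of the original article: a small risk-level matrix in Python that scores each threat/vulnerability pair with the likelihood values 0.1/0.5/1.0 and impact values 10/50/100 given above, bands the product into low/medium/high, and attaches the Step 8 action for that band, highest risk first. The band cut-offs (up to 10 low, up to 50 medium, above 50 high) are an assumption in the NIST SP 800-30 style, since the article gives none, and the sample entries are constructed.

```python
from dataclasses import dataclass

# Values the article assigns to the likelihood and impact levels.
LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}

# Step 8 guideline for each risk band, taken from the article.
ACTIONS = {
    "high": "Plan major remedial measures for implementation at the earliest.",
    "medium": "Plan restorative measures within a feasible time-frame.",
    "low": "Decide whether to accept the risk or devise corrective measures.",
}

@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str  # "low" | "medium" | "high"
    impact: str      # "low" | "medium" | "high"

def risk_score(likelihood: str, impact: str) -> float:
    """Step 7: multiply the likelihood value by the impact value."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]

def risk_level(score: float) -> str:
    """Band the product. Assumed cut-offs (NIST SP 800-30 style): <=10 low, <=50 medium, else high."""
    if score > 50:
        return "high"
    if score > 10:
        return "medium"
    return "low"

def build_register(entries):
    """Score each threat/vulnerability pair, attach its action, and sort highest risk first."""
    rows = []
    for e in entries:
        score = risk_score(e.likelihood, e.impact)
        level = risk_level(score)
        rows.append({"asset": e.asset, "threat": e.threat, "vulnerability": e.vulnerability,
                     "score": score, "level": level, "action": ACTIONS[level]})
    return sorted(rows, key=lambda r: r["score"], reverse=True)

# Constructed sample pairs for illustration, not findings from any real system.
SAMPLE = [
    RiskEntry("customer database", "interception (hacking)", "unpatched server", "high", "high"),
    RiskEntry("customer database", "accidental deletion", "no regular backup", "medium", "high"),
    RiskEntry("file server", "flood", "server room on the first floor", "low", "medium"),
]
```

Calling build_register(SAMPLE) returns the three pairs scored 100 (high), 50 (medium) and 5 (low), highest first, each carrying the Step 8 action for its band.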
- Step #9: Record the Results. Finally, you have to frame a report on the computer system risk assessment to help senior management make informed and timely decisions on policies, procedures, budget, etc. The report has to list all the vulnerabilities and the corresponding threats, the assets that face the risk, the effect the risk may have on the company's prospects and profits, the chance of occurrence and the suggested control mechanisms. This report can also be used to spot remedial steps that tackle multiple risks simultaneously. Regular backing up of data, for instance, reduces the risk of data loss from accidental deletion as well as from natural disasters. A cost-benefit comparison must also flow out of the report. While giving recommendations, ensure that the business objectives are always kept in focus.
When you work through this complete procedure, the company's procedures and operations will become clear to you and you'll be able to give valuable inputs for improving them. This gives you the opportunity to formulate the risk assessment policy for your company, describing the periodic actions in detail. You can then decide upon the actions to arrest risks and keep them within acceptable limits. The company's short-term action plan then flows out of these broad policies.
Contact Us Today for Computer & IT System Risk Assessment
While working in IT security, one must always remember that risk assessment for information security and risk management for the enterprise go hand in hand. These two processes are the guiding factors in the formulation of the complete information security system. They provide you the answers as to what threats and weaknesses can harm your company's business and also suggest ways to reduce them.