How does a risk assessment impact information security policy?

Information Security Asked by TJCLK on December 6, 2020

I usually do the technical part of security, so I’m not familiar with security policy area.

Risk assessment (measurement and evaluation) is always carried out in an organization, for example to identify vulnerabilities, threats, the impact of threats, risk treatment options, and so on.

I want to see how these risk assessment methods/procedures/results will impact the organization's information security policies. To summarise:

How can risk assessment improve the information security policy?
What are the implications of risk assessment for IS security policy?

I would prefer some formal explanations/descriptions instead of an informal summary.

4 Answers

Risk assessment should not affect information security policies. Policy should be a statement of goals/objectives, and should normally not change. Policy should define the limits of risk management.

Multiple different organizations provide different risk assessment/risk analysis methodologies, but I think those are too detailed for your question (I'm not sure if you're asking about ATO, C&A, ISCM, RMF, etc.). If I understand the question correctly, the answer is that Risk Assessment & risk analysis are intended to start a constructive suggestion about the response to the risk. When you complete a technical assessment:

  1. There are generally more findings than there are resources to fix findings. Risk assessment prioritizes resources against risks - if you have $N dollars and 10x$N problems, it makes sense to spend the first $ on high probability, high impact problems, and defer solutions on low probability/low impact problems. Technical findings may reveal that you don't have a fence around your facility, leaving you vulnerable to physical infiltration; that is not a problem if you are a ship at sea.

  2. Many of the findings are the result of the instant at which the technical assessment was conducted. Risk assessment can discuss the urgency of the problem. If my patch half-life is 7 days, then at any instant a technical assessment will find that I have unpatched machines. Risk assessment allows me to compare the cost of an emergency configuration control board against the fact that those patches should be resolved within 7-10 days.

  3. Many findings are unresolvable. I worked on one assessment that found a flaw in network devices that would have required tens of millions to fix - we would have had to replace relatively standard off-the-shelf network devices (that could be administered by normal network admins) with specialized network devices that required specialized training and exclusive support. The unit cost was high, the support costs were higher and the number of units was in the low thousands. Replacing standard off-the-shelf equipment with custom-crafted equipment is very expensive. There was an alternate solution that could be done using maintenance spares, and the resulting environment was actually more secure than the custom equipment.

  4. Sometimes the technical finding is not the problem; the underlying procedures/governance is the problem. I've managed a number of assessments where the technical problems mount up because the relevant manager hasn't bothered to ask for the money to solve the underlying problem. Risk assessment is the framework for the discussion that begins, "If you ask for $X now, you'll get it next year, but if you wait for the incident to happen, it will cost you 100$X. Here is how to do it..."

  5. Sometimes the finding is not worth the effort. It doesn't make sense to implement two factor authentication on a SCADA control panel. If it costs thousands of dollars to stop processing, log out of the system, log back into the system and start processing again at the end of every shift, there are other ways to ensure accountability.

Technical assessment compares an abstract ivory tower set of principles to a system that is in place to perform a mission function.

Risk Assessment is the start of a dialogue, "How do we accomplish our mission with our resources in our environment, knowing that we have these vulnerabilities?".

Correct answer by Mark C. Wallace on December 6, 2020
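One way to make the budget allocation in point 1 (and the "not worth the effort" case in point 5) concrete, as an added example that is not part of Mark's answer: a small Python script that ranks findings by the expected loss their treatment avoids per dollar spent and funds them greedily until the budget is exhausted. The findings, their probabilities, impacts and costs, and the greedy rule itself are all constructed assumptions for illustration, not figures from the answer.

```python
"""Budget-constrained prioritisation of assessment findings.

Added example, not from the original answer. Each finding carries an
assumed annual probability of exploitation, an assumed loss in dollars if
it is exploited, the cost of the proposed treatment and the residual
probability after that treatment. Findings are ranked by expected loss
avoided per dollar and funded greedily; the rest are deferred or accepted.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    name: str
    probability: float            # assumed annual likelihood of exploitation (0..1)
    impact: float                 # assumed loss in dollars if exploited
    treatment_cost: float         # assumed one-off cost of the proposed fix
    residual_probability: float   # assumed likelihood after the fix is applied

    def expected_loss(self) -> float:
        return self.probability * self.impact

    def loss_avoided(self) -> float:
        return (self.probability - self.residual_probability) * self.impact

    def benefit_per_dollar(self) -> float:
        if self.treatment_cost <= 0:
            return float("inf")
        return self.loss_avoided() / self.treatment_cost


def prioritise(findings: List[Finding], budget: float) -> Tuple[List[Finding], List[Finding], float]:
    """Return (funded, deferred, remaining_budget).

    Greedy by loss avoided per dollar. A finding whose treatment costs more
    than the loss it avoids is never funded, whatever the budget: that is the
    "not worth the effort" case (fixing it would lose money on expectation).
    """
    ranked = sorted(findings, key=lambda f: f.benefit_per_dollar(), reverse=True)
    funded, deferred = [], []
    remaining = budget
    for f in ranked:
        if f.loss_avoided() > f.treatment_cost and f.treatment_cost <= remaining:
            funded.append(f)
            remaining -= f.treatment_cost
        else:
            deferred.append(f)
    return funded, deferred, remaining


def total_expected_loss(findings: List[Finding]) -> float:
    return sum(f.expected_loss() for f in findings)


def sample_findings() -> List[Finding]:
    """Constructed findings loosely mirroring the cases in the answer."""
    return [
        # Point 1: the fence finding on a ship at sea. Nothing to gain.
        Finding("missing perimeter fence (ship at sea)", 0.0, 500_000, 80_000, 0.0),
        # Cheap fix, large reduction: first call on the budget.
        Finding("unpatched internet-facing web server", 0.6, 200_000, 5_000, 0.05),
        # Point 3: tens of millions to replace devices for a modest reduction.
        Finding("replace network devices with custom hardware", 0.05, 2_000_000, 20_000_000, 0.01),
        # Point 5: 2FA on the SCADA panel; downtime cost dwarfs the benefit.
        Finding("two-factor auth on SCADA control panel", 0.02, 100_000, 150_000, 0.01),
        Finding("file share without access logging", 0.3, 50_000, 8_000, 0.1),
        Finding("phishing-resistant MFA for admin accounts", 0.4, 300_000, 30_000, 0.1),
    ]


if __name__ == "__main__":
    findings = sample_findings()
    funded, deferred, left = prioritise(findings, budget=40_000)
    print(f"expected annual loss before treatment: ${total_expected_loss(findings):,.0f}")
    for f in funded:
        print(f"FUND   {f.name:<48} cost ${f.treatment_cost:>10,.0f} avoids ${f.loss_avoided():>9,.0f}")
    for f in deferred:
        print(f"DEFER  {f.name:<48} cost ${f.treatment_cost:>10,.0f} avoids ${f.loss_avoided():>9,.0f}")
    print(f"budget remaining: ${left:,.0f}")
```

With the constructed figures and a $40,000 budget the web server patching and the admin MFA rollout are funded, the file share is deferred only because the remaining $5,000 no longer covers it, and the fence, the custom network hardware and the SCADA 2FA are deferred regardless of budget because their treatment costs exceed the loss they would avoid. The real discussion an organization has is about the inputs (who sets the probabilities and impacts, and how), which the script deliberately leaves as explicit parameters.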

Policy is a statement of management intent, telling the organization what management wants it to do to meet the organization's strategy.

To implement the policy, let us say IT policy, you will use processes, applications, systems and network. You may have some existing security controls to protect these.

You then do the risk assessment on these assets to find out how secure they are and depending on the system criticality and sensitivity of the data they are handling, you put in additional controls based on the risk management policy and risk appetite.

To figure out what controls you need, you will use a security framework like NIST.

Hope this helps.

Answered by Deepak Mathur on December 6, 2020

While Mark is right in principle, in reality there is a bi-directional relationship between risk assessment and policy, because in reality no policy is perfect.

A good risk assessment will tell you which areas of your business contain the highest risks. This in turn informs you where to apply your countermeasures.

If you find out that you have risks that can best be addressed with organisational countermeasures, or that such countermeasures are not as effective as you thought, you have indicators that your guidelines, processes and/or policies may be incomplete or unclear. These are results to consider during your next policy review (you do review the policies regularly, right?).

Risk assessment is a periodical activity, and many organisations fail to close all the feedback loops.

Answered by Tom on December 6, 2020

This is a rather unspecific question, so I will answer it in a rather broad manner.

The most formal and widely accepted explanation for this can be viewed in ISO/IEC 27005:

Risk assessment consists of the following activities:

  • Risk identification
  • Risk analysis
  • Risk evaluation

Risk assessment determines the value of the information assets, identifies the applicable threats and vulnerabilities that exist (or could exist), identifies the existing controls and their effect on the risk identified, determines the potential consequences and finally prioritizes the derived risks and ranks them against the risk evaluation criteria set in the context establishment.

Your question was: how can risk assessment improve the information security policy?

An information security policy sets goals for information security within an organization. When planning how to achieve these goals, the organization has to define the respective processes, the needed resources, responsibilities etc. To define these key aspects, you have to conduct an information security risk assessment. So risk assessment is not just improving an information security policy, it is mandatory.

For further information you should give the international standard ISO/IEC 27005 a read. The whole process and its benefits are explained in full there.

Answered by Tom K. on December 6, 2020
