Identifying IT security requirements for the organization is very important as part of the development of the disaster recovery and business continuity plan of the information system in an organization. One of the areas the organization needs to identify its security requirements is security risk assessment.
IT Security risk assessment is the process of identifying IT risks, analyze the potential impact, and then implement the measures to prevent the risk when it is realized. One of the sources that can help in identifying the security requirements of the organization is security risk assessment. With security risk assessment, we can identify the threats to the assets and identify the vulnerabilities of the systems. Thus, we can evaluate and estimate the potential impact.
With security risk assessment, all the business harm likely to result from a security failure can be considered. All the potential consequences of a loss of confidentiality, integrity or availability of the information and other assets can be taken into account too. And then we can make the necessary controls where the expenditure should be balanced against the business harm likely to result from security failures. Basically we can apply this technique to the whole organization, or only parts of it, as well as to individual information systems, specific system components or services where this is practicable, realistic and helpful.
The results of this Security Risk Assessment will help guide and determine the appropriate management action and priorities for managing information security risks, and for implementing controls selected to protect against these risks. The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of the organization or individual information systems.
Periodic reviews of the security risk assessment and implemented controls should be carried out to help take action:
- If any changes to business requirements and priorities
- If any new threats and vulnerabilities should be taken into account
- Assure that controls remain effective and appropriate
Reviews should be performed at different levels of depth depending on the results of previous security risk assessments and the changing levels of risk that management is prepared to accept. Security risk assessments are often carried out first at a high level, as a means of prioritizing resources in areas of high risk, and then at a more detailed level, to address specific risks.
Selecting controls
Once security requirements have been identified, controls should be selected and implemented to ensure security risk are reduced to an acceptable level. However, it is necessary to recognize that some of the controls are not applicable to every information system or environment, and might not be practicable for all organizations.
As an example, segregation of duties describes how duties may be segregated to prevent fraud and error. It may not be possible for smaller organizations to segregate all duties and other ways of achieving the same control objective may be necessary.
Segregation of duties is a method for reducing the risk of accidental or deliberate system misuse. Separating the management or execution of certain duties or areas of responsibility, in order to reduce opportunities for unauthorized modification or misuse of information or services, should be considered.
Small organizations may find this method of control difficult to achieve, but the principle should be applied as far as is possible and practicable. Whenever it is difficult to segregate, other controls such as monitoring of activities, audit trails and management supervision should be considered. It is important that security audit remains independent.
Controls should be selected based on the cost of implementation in relation to the risks being reduced and the potential losses if a security breach occurs. Non-monetary factors such as loss of reputation should also be taken into account.
Information security starting point
A number of controls can be considered as guiding principles providing a good starting point for implementing information security. They are either based on essential legislative requirements or considered to be common best practice for information security.
Controls considered to be essential to an organization from a legislative point of view include:
- Data protection and privacy of personal information.
- Safeguarding of organizational records
- Intellectual property rights
- Controls considered to be common best practice for information security include:
- Information security policy document
- Allocation of information security responsibilities
- Information security education and training
- Reporting security incidents
- Business continuity management
These controls apply to most organizations and in most environments. It should be noted any control should be determined in the light of the specific risks an organization is facing. Hence, although the above approach is considered a good starting point, it does not replace selection of controls based on a security risk assessment.
Critical success factors
Experience has shown that the following factors are often critical to the successful implementation of information security within an organization:
- Security policy, objectives and activities that reflect business objectives;
- An approach to implementing security that is consistent with the organizational culture;
- Visible support and commitment from management;
- A good understanding of the security requirements, security risk assessment and security risk management;
- Effective marketing of security to all managers and employees;
- Distribution of guidance on information security policy and standards to all employees and contractors;
- Providing appropriate training and education;
- A comprehensive and balanced system of measurement which is used to evaluate performance in information security management and feedback suggestions for improvement.
By: IT Security Consultant Group
