Security Risk Assessment
A security risk assessment is a tool for keeping information technology (IT) security at a level that is reasonable relative to the requirements of the business. The risk assessment process consists of making business decisions based on the results of one or more risk analyses. The business requirements include how critical each system is together with the security needs of the data it holds: confidentiality, integrity and availability. Risk assessments should be carried out in cooperation with the system owners, since they know what the system does and what its loss would cost.
Risk assessments are used to determine the risks to the various parts of an organization. They are generally centered on the risks to the business processes, but they also cover the systems that support those processes. A risk assessment quantifies a risk by estimating the likelihood that an undesired event will occur and the impact if it does; the product of the two gives an expected loss that can be compared across risks and against the cost of controls. Once a risk is quantified and possible mitigating steps have been identified, it is easier to make a business decision about what action, if any, should be taken to reduce the likelihood or impact of the event.
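The quantification described above, worked through as a small risk register. This is an added example, not code from the original page; the risk names, likelihoods, impacts and control costs are constructed for illustration, and the expected-loss model (annual likelihood multiplied by loss per event, compared with and without a control) is one common way to score risks, not the only one.

```python
"""Minimal quantitative risk register (added example).

Each risk is scored as expected annual loss = likelihood (events per year)
x impact (loss per event).  A proposed control is worth applying when the
loss it avoids exceeds its own annual cost.  All figures are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Risk:
    name: str
    likelihood: float                      # expected events per year
    impact: float                          # loss per event, currency units
    control: str = ""                      # proposed mitigation, if any
    control_cost: float = 0.0              # annual cost of the control
    residual_likelihood: Optional[float] = None  # after the control
    residual_impact: Optional[float] = None      # after the control

    def expected_loss(self) -> float:
        """Expected annual loss with no control applied."""
        return self.likelihood * self.impact

    def residual_loss(self) -> float:
        """Expected annual loss once the proposed control is in place."""
        if not self.control:
            return self.expected_loss()
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        imp = self.impact if self.residual_impact is None else self.residual_impact
        return lik * imp

    def net_benefit(self) -> float:
        """Loss avoided by the control, minus what the control costs."""
        return self.expected_loss() - self.residual_loss() - self.control_cost


def rank_by_exposure(risks: List[Risk]) -> List[Risk]:
    """Highest expected loss first: this is the order to discuss with the owners."""
    return sorted(risks, key=lambda r: r.expected_loss(), reverse=True)


def decision(risk: Risk) -> str:
    """Business decision suggested by the numbers (a human still signs off)."""
    if not risk.control:
        return "accept (no control proposed)"
    if risk.net_benefit() > 0:
        return "mitigate"
    return "accept (control costs more than it saves)"


# Constructed sample register; not real data.
SAMPLE_RISKS = [
    Risk("Ransomware on file server", 0.2, 250_000,
         "offline backups + endpoint detection", 30_000, residual_likelihood=0.05),
    Risk("Phishing leads to credential theft", 6, 8_000,
         "MFA + staff training", 10_000, residual_likelihood=1),
    Risk("Laptop with client data lost", 2, 20_000,
         "full-disk encryption", 5_000, residual_impact=1_000),
    Risk("Mail server outage", 4, 3_000,
         "hot standby mail server", 15_000, residual_likelihood=0.5),
]


def report(risks: List[Risk]) -> List[str]:
    """One line per risk, ranked, with the suggested decision."""
    lines = []
    for r in rank_by_exposure(risks):
        lines.append(f"{r.name}: expected loss {r.expected_loss():,.0f}/yr, "
                     f"net benefit of control {r.net_benefit():,.0f}/yr -> {decision(r)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_RISKS):
        print(line)
```

The point of the register is the comparison, not the arithmetic: the mail server outage ranks last and its control loses money, so it is rationally accepted, while the laptop encryption is cheap relative to the loss it removes even though it does not change how often laptops are lost.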
All organizations should have risk assessment procedures and processes in place in order to secure their network and data resources properly. Every part of the organization that supports its business processes should have its risk assessed. This includes not only the applications and systems that directly support specific business processes, but also the network in general, servers or services that most or all business divisions share (such as email), and how personnel, physical security, IT and other policies are handled.
Some items are considered basic security steps that every organization should carry out before, or alongside, any formal assessment.
Many findings that a risk assessment would otherwise raise are obvious to security practitioners and to many other people, and have been adopted as common practice by most organizations. These commonly accepted practices include:
- A firewall protecting the organization's network from direct attack. Outbound (egress) rules should deny traffic by default and allow only what is specifically needed; this makes it harder for malware and keyloggers to send captured account names and passwords to an attacker.
- Anti-virus software on all computers, plus filtering of email on the mail servers so that viruses do not spread unchecked.
- An organizational policy that prevents staff from connecting to external networks such as the internet, over either wired or wireless links, without proper permission and configuration.
- Filtering or blocking of dangerous email attachments, which are commonly used by viruses to spread. Filters should look at the real content as well as the declared file name, since attackers rename executables and use double extensions such as invoice.pdf.exe.
- Control of mobile computers and removable storage devices, along with control of the data and programs that enter and leave the organization through them. An unprotected mobile computer can bring viruses into the entire network, or serve as a transport mechanism for sensitive data leaving the organization.
- Policies and procedures for the use of wireless devices, which can seriously compromise security if not used properly.
- Training for staff so that they recognize attempts to circumvent security, spread viruses, phish for credentials and carry out other social engineering attacks.
- Regular updates (patching) of all computer systems, including servers and workstations.
- Creation and implementation of an incident response plan.
- Creation and testing of a disaster recovery plan.
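The attachment-filtering practice in the list above, as an added example that is not part of the original page. It parses a message with Python's standard `email` library and decides, per attachment, whether to allow, quarantine or block it. The blocked-extension list, the sample message and its payloads are constructed assumptions for illustration; a production filter would also run a malware scanner and inspect archive contents.

```python
"""Dangerous-attachment filter for inbound mail (added example).

Three checks per attachment:
  1. any blocked extension anywhere in the name (catches invoice.pdf.exe);
  2. the payload's magic bytes, so a renamed Windows executable is still caught;
  3. archives are quarantined because they can wrap anything above.
The sample message built below is constructed, not captured mail.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

# Assumed policy: extensions that Windows or a mail client will execute directly.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js",
                      ".vbs", ".vbe", ".hta", ".ps1", ".lnk", ".jar", ".msi"}
ARCHIVE_EXTENSIONS = {".zip", ".7z", ".rar", ".iso", ".img"}


def attachment_verdict(filename: str, payload: bytes) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'quarantine' or 'block'."""
    name = filename.lower()
    # Every extension in the name counts, not just the last one.
    exts = ["." + part for part in name.split(".")[1:]]
    for ext in exts:
        if ext in BLOCKED_EXTENSIONS:
            return "block", f"extension {ext} is not allowed"
    # 'MZ' is the DOS/PE header: an executable no matter what it is called.
    if payload[:2] == b"MZ":
        return "block", "payload is a Windows executable regardless of file name"
    if exts and exts[-1] in ARCHIVE_EXTENSIONS:
        return "quarantine", "archive must be scanned before release"
    return "allow", ""


def scan_message(raw: bytes) -> List[Tuple[str, str, str]]:
    """Parse an RFC 5322 message and return (filename, verdict, reason) per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        verdict, reason = attachment_verdict(filename, payload)
        results.append((filename, verdict, reason))
    return results


def build_sample_message() -> bytes:
    """Constructed test message with one benign and three suspicious attachments."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "files for review"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="report.pdf")
    # Double extension: looks like a PDF to a casual reader.
    msg.add_attachment(b"MZ\x90\x00 constructed", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    # Executable renamed to .txt and labelled text/plain.
    msg.add_attachment(b"MZ\x90\x00 constructed", maintype="text",
                       subtype="plain", filename="notes.txt")
    msg.add_attachment(b"PK\x03\x04 constructed", maintype="application",
                       subtype="zip", filename="docs.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, verdict, reason in scan_message(build_sample_message()):
        print(f"{filename}: {verdict} {reason}")
```

Checking the declared name alone would have let notes.txt through; checking the declared content type alone would have let both renamed executables through. The filter therefore treats the name, the type and the bytes as three independent signals and blocks on any one of them.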
If your organization has not taken these basic steps, the first priority should be to implement them; only then is it worth continuing with more detailed risk assessments.