An overall risk exposure value should be calculated for each server or each application to provide a means of comparison with other servers or applications.  The values should be sufficiently differentiated that the management of servers and applications (i.e. the prioritising of changes or compliance efforts) can be controlled at a finer granularity, based on both technical and business risk.

Business risk, for the purposes of A Simple Security Risk Assessment, is the input provided by the Business Unit; it incorporates the value and criticality of the Information Assets to business operations.  A business risk value is usually assigned to each application rather than to each server or configuration item (unlike technical risk, which is assigned to each configuration item).

Technical risk, for the purposes of A Simple Security Risk Assessment, is the probability that an attacker will exploit a vulnerability in the software related to a specific configuration item, or that a misconfiguration of that configuration item will result in the same or a similar level of impact.  Let’s see how we can go about rating it.

As discussed in the previous post, industry standard risk methodologies commonly categorise the threat type before assigning a value.  The threat type provides context for the value that will be assigned and is far easier than exhaustively evaluating every possible threat (although that may still be required for some).

The categories used by A Simple Security Risk Assessment are the attributes of Information Assets[1] that are affected when an attacker successfully exploits a vulnerability in the related code, or alternatively, the Information Asset attributes that are affected by an accidental misconfiguration of the setting.

Risk methodologies of varying complexity already exist for different purposes.  Whilst it is prudent to evaluate industry standard security risk methodologies, following one too rigidly may not produce a suitable outcome for your organisation.  The objective of this post is to introduce the general concepts of risk assessment, not to provide a comprehensive review.

Many security practitioners (and others) struggle to understand the environment they are working in and find it difficult to prioritise what needs to be done.  To help, I’m going to share a series of articles that demonstrate an approach to completing A Simple Security Risk Assessment, an approach that takes both technical and business risk into consideration.  The series comprises:

1. Evaluating Industry Standard Risk Methodologies
2. Categorising Threats by Information Asset attributes
3. Assessing Technical Risk
4. Assessing Business Risk
5. Calculating Overall Risk