IT Security Management


IT Security Management: A process used to achieve and maintain appropriate levels of confidentiality,

integrity, availability, accountability, authenticity, and reliability.

IT security management functions include:


• determining organizational IT security objectives, strategies, and policies
• determining organizational IT security requirements
• identifying and analyzing security threats to IT assets within the organization
• identifying and analyzing risks
• specifying appropriate safeguards
• monitoring the implementation and operation of safeguards that are necessary in order to cost effectively
protect the information and services within the organization
• developing and implementing a security awareness program
• detecting and reacting to incidents

Security risk assessment


Ideally every single organizational asset is examined, and every conceivable risk to it is evaluated.
If a risk is judged to be too great, then appropriate remedial controls are deployed to reduce the risk to an
acceptable level.

There are four approaches to identifying and mitigating risks to an organization’s IT infrastructure:

- Baseline approach
The baseline approach to risk assessment aims to implement a basic general level of security controls on
systems using baseline documents, codes of practice, and industry best practice. The advantages of this
approach are that it does not require the expenditure of additional resources in conducting a more formal
risk assessment and that the same measures can be replicated over a range of systems.

- Informal approach
The informal approach involves conducting some form of informal, pragmatic risk
analysis for the organization's IT systems. This analysis does not involve the use of
a formal, structured process, but rather exploits the knowledge and expertise of the
individuals performing this analysis.

- Detailed risk analysis


The most comprehensive approach is to conduct a detailed risk assessment of the organization's IT systems,
using a formal structured process. This provides the greatest degree of assurance that all significant risks are
identified and their implications considered.
This process involves a number of stages, including:
1. identification of assets;
2. identification of threats and vulnerabilities to those assets;
3. determination of the likelihood of the risk occurring; and
4. the consequences to the organization should that occur, and hence the risk the organization is
exposed to.

- Combined approach

The combined approach combines elements of the baseline, informal, and detailed risk analysis approaches.


The aim is to provide reasonable levels of protection as quickly as possible, and then to examine and adjust
the protection controls deployed on key systems over time.

The approach starts with the implementation of suitable baseline security recommendations on all systems.
Next, systems either exposed to high risk levels or critical to the organization’s business objectives are
identified in the high-level risk assessment.
A decision can then be made to possibly conduct an immediate informal risk assessment on key systems,
with the aim of relatively quickly tailoring controls to more accurately reflect their requirements. Lastly, an
ordered process of performing detailed risk analyses of these systems can be instituted.
Over time this can result in the most appropriate and cost-effective security controls being selected and
implemented on these systems.
This approach has a significant number of advantages. The use of the initial high-level analysis to determine
where further resources need to be expended, rather than facing a full detailed
risk analysis of all systems, may well be easier to sell to management.

Detailed Risk Analysis

The formal, detailed security risk analysis approach provides the most accurate evaluation of an
organization’s IT system’s security risks, but at the highest cost.

1 -Context and System Characterization


The initial step is known as establishing the context or system characterization. Its purpose is to determine
the basic parameters within which the risk assessment will be conducted, and then to identify the assets to
be examined.
The process starts with the organizational security objectives and considers the broad risk exposure of the
organization. This recognizes that not all organizations are equally at risk, but that some, because of their
function, may be specifically targeted. It explores the relationship between a specific organization and the
wider political and social environment in which it operates.

At this point in determining an organization’s broad risk exposure, any relevant legal and regulatory
constraints must also be identified. These features provide a baseline for the organization’s risk exposure
and an initial indication of the broad scale of resources it needs to expend to manage this risk in order to
successfully conduct business.

Asset Identification
The last component of this first step in the risk assessment is to identify the assets to
examine. This directly addresses the first of the three fundamental questions we opened this chapter with:
"What assets do we need to protect?" An asset is "anything that needs to be protected" because it has value
to the organization and contributes to the successful attainment of the organization's objectives.
2- Identification of Threats/Risks/Vulnerabilities

The next step in the process is to identify the threats or risks the assets are exposed to. This directly
addresses the second of our three fundamental questions: “How are those assets threatened?” It is worth
commenting on the terminology used here.

The terms threat and risk, while having distinct meanings, are often used interchangeably in this context.

- Asset: A system resource or capability of value to its owner that requires protection.
- Threat: A potential for a threat source to exploit a vulnerability in some asset, which if it occurs may
compromise the security of the asset and cause harm to the asset’s owner.
- Vulnerability: A flaw or weakness in an asset’s design, implementation, or operation and
management that could be exploited by some threat.
- Risk: The potential for loss computed as the combination of the likelihood that a given threat exploits some
vulnerability to an asset, and the magnitude of harmful consequence that results to the asset's owner.

Threat Identification
Answering the first of these questions involves identifying potential threats to assets.
In the broadest sense, a threat is anything that might hinder or prevent an asset from providing appropriate
levels of the key security services: confidentiality, integrity, availability, accountability, authenticity,
and reliability.

Vulnerability Identification
This involves identifying flaws or weaknesses in the organization's IT systems or processes that could be
exploited by a threat source. This helps determine the applicability of the threat to the organization and
its significance.
Note that the mere existence of some vulnerability does not mean harm will be caused to an asset.
There must also be a threat source for some threat that can exploit the vulnerability for harm. It is the
combination of a threat and a vulnerability that creates a risk to an asset.

3- Analyze Risks
Having identified key assets and the likely threats and vulnerabilities they are exposed to, the next step is to
determine the level of risk each of these poses to the organization.

The aim is to identify and categorize the risks to assets that threaten the regular operations of the
organization.

Risk analysis also provides information to management to help managers evaluate these risks and determine
how best to treat them. Risk analysis involves first specifying the likelihood of occurrence of
each identified threat to an asset, in the context of any existing controls.

4 - Determine Likelihood
Having identified existing controls, the likelihood that each identified threat could occur and cause harm to
some asset needs to be specified. Likelihood is usually expressed on a qualitative scale drawn from a table of
ratings. While the various risk assessment standards all suggest such tables, there is considerable variation
in their detail.
The selection of the specific descriptions and tables used is determined at the beginning of the risk
assessment process, when the context is established.
5- Determine Consequence /Impact on Organization

The analyst must then specify the consequence of a specific threat eventuating.
Note this is distinct from, and not related to, the likelihood of the threat occurring. Rather, consequence
specification indicates the impact on the organization should the particular threat in question actually
eventuate.
Even if a threat is regarded as rare or unlikely, if the organization would suffer severe consequence should
it occur, then it clearly poses a risk to the organization.
Determine Resulting Level of Risk
Once the likelihood and consequence of each specific threat have been identified, a final level of risk can be
assigned. This is typically determined using a table that maps each combination of likelihood and
consequence to a risk level. Such a table provides the qualitative equivalent of performing the ideal risk
calculation (risk as the combination of likelihood and consequence) using quantitative values. It also
indicates the interpretation of these assigned levels.

Documenting the Results in a Risk Register
The results of the risk analysis process should be documented in a risk register.
The risks are usually sorted in decreasing order of level. This would be supported by details of how the
various items were determined, including the rationale, justification, and supporting evidence
used.
The aim of this documentation is to provide senior management with the information needed to make
appropriate decisions as how to best manage the identified risks.
6 - Evaluate Risks
Once the details of potentially significant risks are determined, management needs to decide whether it
needs to take action in response. This would take into account the risk profile of the organization and its
willingness to accept a certain level of risk, as determined in the initial establishing the context phase of this
process.
Those items with risk levels below the acceptable level would usually be accepted with no further action
required. Those items with risks above this will need to be considered for treatment.

7-Risk Treatment
Typically the risks with the higher ratings are those that need action most urgently.
However, it is likely that some risks will be easier, faster, and cheaper to address than others.

There are five broad alternatives available to management for treating identified risks:

• Risk acceptance: Choosing to accept a risk level greater than normal for business reasons. This is
typically due to excessive cost or time needed to treat the risk. Management must then accept
responsibility for the consequences to the organization should the risk eventuate.

• Risk avoidance: Not proceeding with the activity or system that creates this risk. This usually results
in loss of convenience or ability to perform some function that is useful to the organization. The loss
of this capability is traded off against the reduced risk profile.

• Risk transfer: Sharing responsibility for the risk with a third party. This is typically achieved by
taking out insurance against the risk occurring, by entering into a contract with another organization,
or by using partnership or joint venture structures to share the risks and costs should the threat
eventuate.

• Reduce consequence: By modifying the structure or use of the assets at risk to reduce the impact on
the organization should the risk occur. This could be achieved by implementing controls to enable
the organization to quickly recover should the risk occur. Examples include implementing an off-site
backup process, developing a disaster recovery plan, or arranging for data and processing to be
replicated over multiple sites.

• Reduce likelihood: By implementing suitable controls to lower the chance of the vulnerability being
exploited. These could include technical or administrative controls such as deploying firewalls and
access tokens, or procedures such as password complexity and change policies. Such controls aim to
improve the security of the asset, making it harder for an attack to succeed by reducing the
vulnerability of the asset.
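The analysis, evaluation and treatment steps above, as an added worked example in Python (not code from the original text). The likelihood and consequence scales, the risk matrix, the sample assets and threats, and the acceptable risk level are all assumptions chosen for illustration. It shows how a table maps likelihood and consequence to a risk level (and why a rare threat with a catastrophic consequence still rates high), how a risk register is sorted and evaluated against the acceptable level, and that "reduce likelihood" and "reduce consequence" lower the rating by changing different inputs to the same calculation.

```python
"""Added example: qualitative risk analysis as a risk matrix, a sorted risk
register, evaluation against an acceptable level, and the effect of the
'reduce likelihood' and 'reduce consequence' treatments. Scales, matrix and
sample entries are assumptions for illustration, not values from a standard."""
from dataclasses import dataclass, replace
from enum import IntEnum

# Assumed five-point scales; both number 1..5 so that "likelihood x consequence" is meaningful.
Likelihood = IntEnum("Likelihood", "RARE UNLIKELY POSSIBLE LIKELY ALMOST_CERTAIN")
Consequence = IntEnum("Consequence", "INSIGNIFICANT MINOR MODERATE MAJOR CATASTROPHIC")

# Assumed risk matrix, fixed when the context is established. Rows are likelihood,
# columns are consequence (Insignificant .. Catastrophic). Note the asymmetry:
# a Rare threat with Catastrophic consequence still rates High.
RISK_MATRIX = {
    Likelihood.RARE:           ("Low",    "Low",    "Low",    "Medium",  "High"),
    Likelihood.UNLIKELY:       ("Low",    "Low",    "Medium", "High",    "High"),
    Likelihood.POSSIBLE:       ("Low",    "Medium", "Medium", "High",    "Extreme"),
    Likelihood.LIKELY:         ("Medium", "Medium", "High",   "Extreme", "Extreme"),
    Likelihood.ALMOST_CERTAIN: ("Medium", "High",   "High",   "Extreme", "Extreme"),
}
RISK_ORDER = {"Low": 0, "Medium": 1, "High": 2, "Extreme": 3}


def risk_level(likelihood, consequence):
    """Qualitative equivalent of risk = likelihood x consequence: a table lookup."""
    return RISK_MATRIX[likelihood][consequence - 1]


@dataclass(frozen=True)
class Risk:
    """One register entry: a risk exists only where a threat meets a vulnerability in an asset."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: Likelihood      # judged in the context of existing controls
    consequence: Consequence    # impact on the organization if the threat eventuates
    existing_controls: str = ""
    rationale: str = ""         # justification kept with the register entry

    @property
    def level(self):
        return risk_level(self.likelihood, self.consequence)


def build_register(risks):
    """Risk register: decreasing order of level, ties broken by the numeric product."""
    return sorted(risks, key=lambda r: (RISK_ORDER[r.level], r.likelihood * r.consequence), reverse=True)


def evaluate(register, acceptable_level="Medium"):
    """Step 6: accept risks at or below the acceptable level, queue the rest for treatment."""
    limit = RISK_ORDER[acceptable_level]
    accepted = [r for r in register if RISK_ORDER[r.level] <= limit]
    to_treat = [r for r in register if RISK_ORDER[r.level] > limit]
    return accepted, to_treat


def reduce_likelihood(risk, new_likelihood, control):
    """Treatment that makes an attack harder to succeed; the consequence is unchanged."""
    controls = (risk.existing_controls + "; " + control).strip("; ")
    return replace(risk, likelihood=new_likelihood, existing_controls=controls)


def reduce_consequence(risk, new_consequence, control):
    """Treatment that limits the impact (backups, DR plan); the likelihood is unchanged."""
    controls = (risk.existing_controls + "; " + control).strip("; ")
    return replace(risk, consequence=new_consequence, existing_controls=controls)


# Constructed sample register: hypothetical assets, threats and ratings.
SAMPLE_RISKS = [
    Risk("office printers", "print fleet outage", "single print server, no spare",
         Likelihood.LIKELY, Consequence.INSIGNIFICANT, rationale="staff can print elsewhere"),
    Risk("customer database", "external attacker exfiltrates records", "unparameterised SQL in legacy web app",
         Likelihood.POSSIBLE, Consequence.MAJOR, existing_controls="network firewall", rationale="internet facing"),
    Risk("payroll server", "ransomware encrypts payroll data", "backups untested and on-site only",
         Likelihood.UNLIKELY, Consequence.CATASTROPHIC, rationale="payroll could not run"),
    Risk("public website", "volumetric DDoS", "no upstream scrubbing",
         Likelihood.POSSIBLE, Consequence.MINOR, rationale="brochure site only"),
]


def treat_sample_register():
    """Run steps 3-7 over the sample register; returns (accepted, treated) entries."""
    accepted, to_treat = evaluate(build_register(SAMPLE_RISKS), "Medium")
    treated = []
    for r in to_treat:
        if r.asset == "customer database":   # lower the chance the vulnerability is exploited
            treated.append(reduce_likelihood(r, Likelihood.RARE, "parameterised queries; WAF"))
        elif r.asset == "payroll server":    # limit the damage if it happens anyway
            treated.append(reduce_consequence(r, Consequence.MODERATE, "tested off-site backups; DR plan"))
    return accepted, treated


if __name__ == "__main__":
    for r in build_register(SAMPLE_RISKS):
        print(f"{r.level:8} {r.asset:18} {r.threat} [{r.likelihood.name} x {r.consequence.name}]")
    for r in treat_sample_register()[1]:
        print(f"after treatment: {r.asset} -> {r.level} ({r.existing_controls})")
```

Both treated entries end at Medium, but by different routes: the database risk keeps its Major consequence and drops in likelihood, while the payroll risk keeps its Unlikely likelihood and drops in consequence. The register should record which input each control changed, since that is what a later review re-examines.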
