Introduction: The term risk has different connotations for different people and circumstances. The general definition of risk according to the Oxford Advanced Learner’s Dictionary is “the possibility of meeting danger or suffering from harm or loss”. So, risk to a stuntman would indicate physical harm and risk to a businessman would indicate financial loss. In any case, risk is present in every aspect of our lives and is not something to be taken lightly. The article assessed in this paper is essentially a guideline for risk assessment and risk management in the Information Technology industry. “Security measures cannot assure 100% protection against all threats. Therefore, risk analysis, which is the process of evaluating system vulnerabilities and the threats facing it, is an essential part of any risk management program”. (Risk Analysis helps establish a good security posture; Risk Management keeps it that way, B D Jenkins, Security Risk Analysis and Management).
Methodology: This document was published by the National Institute of Standards and Technology and is titled ‘Risk Management Guide for Information Technology Systems’. The authors are Gary Stoneburner, Alice Goguen and Alexis Feringa. The methodology used in preparing this document draws on secondary sources. The sources are the concepts found in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-27, Engineering Principles for IT Security, along with the principles and practices in NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems. The guidelines are also in agreement with the policies found in the Office of Management and Budget Circular A-130, Appendix III, “Security of Federal Automated Information Resources”, the Computer Security Act of 1987 and the Government Information Security Reform Act of October 2000. Though primarily directed at government organizations that handle information of a sensitive nature, the authors suggest that it is also useful for non-governmental and private organizations. It is intended to educate all those people in an organization who have some connection with the IT department. These include senior management, the approving authority, and all other staff directly connected to the IT department.
Important Points in the document: The paper first states the importance of risk management. It says that there are three processes in risk management: risk assessment, risk mitigation, and evaluation and assessment. Risk assessment and management should begin early in the system development life cycle (SDLC) and not after everything is operational. The SDLC covers identifying the need for the IT system, its development, implementation, the actual operational stage and disposal as and when required. The next part is about risk assessment. Unless the risk is assessed, it cannot be managed. It lays out nine steps in assessing risk. The first is characterisation of the system, which includes assessing the hardware and software, the data to be handled, the key personnel involved, mission, importance and sensitivity. The methods used in this step are questionnaires, interviews, document review and automated scanning tools. The next step is threat identification. There are three sources of threats in IT.
They are natural sources, which can be classified under natural disasters like floods, earthquakes and tornadoes. The next threat is from humans. It could be without intent to harm, like wrong data entry, or deliberate, like hacking and accessing confidential information. The third source is classified as environmental and can include extended power failure, leaks of hazardous chemicals and pollution. Motivations for human threats are also detailed and include challenge, ego or rebellion. They also include terrorist threats, industrial espionage and dishonest, disgruntled and negligent employees. A detailed list of the types of human action that put the system at risk is also given. The third step of risk assessment is finding out the vulnerabilities of the system. They may arise from failure to remove the user IDs of terminated employees, inadequate firewall capability and failure to correct newly identified security flaws. Earlier security assessments, IT security audit reports, the experience of other users and vendor advice are also useful sources for finding vulnerabilities. Also part of this third step is the actual testing of vulnerabilities and of the ability to withstand threats. This is done once the system and security measures are in place. Next comes preparation of a checklist to see whether all required security measures have been procured or put in place. It would be ideal to lay this out in a tabular format.
The checklist will cover the management, operational and technical areas of the organization. The fourth step is control analysis, whereby an analysis is made to see whether all control systems are in place. This is to develop a rating that reflects the potential for a vulnerability to be exploited; for example, if there is good security that can tackle a potential threat, it can be given a good rating, i.e. the level of threat is low. Next come control methods, such as technical and human control methods. There are also preventive and detective controls. Detective controls give a warning that a security violation has been attempted. The fifth step is a likelihood analysis, rating the likelihood as high, medium or low. The next risk assessment step is to measure the impact in case a threat is realised. The impact that results from an attack is classified into loss of integrity, loss of availability of data and loss of confidentiality. The seventh step of risk assessment is risk determination. For this a risk level matrix is to be prepared. The eighth step is the control recommendations that can eliminate or reduce a risk. The final step is documenting the whole process.
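The following is an added example, not code from the NIST document or from this paper, showing how steps 5 to 8 above fit together: each threat/vulnerability pair is given a likelihood rating and ratings for loss of confidentiality, integrity and availability, the risk level matrix combines them, and the pairs are ranked so control recommendations address the highest risks first. It assumes the numeric scales of the SP 800-30 risk level matrix (likelihood 1.0/0.5/0.1, impact 100/50/10, risk High above 50, Medium above 10, Low otherwise); the sample pairs are constructed.

```python
from dataclasses import dataclass

# Numeric scales assumed from the NIST SP 800-30 risk-level matrix.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


@dataclass
class ThreatVulnPair:
    """One threat-source / vulnerability pair found in steps 2 and 3."""
    threat: str
    vulnerability: str
    likelihood: str        # step 5: High / Medium / Low
    confidentiality: str   # step 6: magnitude of loss of confidentiality
    integrity: str         # step 6: magnitude of loss of integrity
    availability: str      # step 6: magnitude of loss of availability


def impact_rating(pair):
    """Overall impact is the worst of the three loss categories."""
    return max((pair.confidentiality, pair.integrity, pair.availability),
               key=lambda r: IMPACT[r])


def risk_level(likelihood, impact):
    """Step 7: risk = likelihood x impact, bucketed per the matrix scale."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score > 50:
        return "High", score
    if score > 10:
        return "Medium", score
    return "Low", score


def rank_risks(pairs):
    """Rank pairs so step 8 (control recommendations) treats the highest risks first."""
    rows = []
    for p in pairs:
        imp = impact_rating(p)
        level, score = risk_level(p.likelihood, imp)
        rows.append({"threat": p.threat, "vulnerability": p.vulnerability,
                     "likelihood": p.likelihood, "impact": imp,
                     "risk": level, "score": score})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample pairs, using vulnerabilities the summary itself names.
SAMPLE = [
    ThreatVulnPair("Terminated employee", "User ID not removed", "High", "High", "Medium", "Low"),
    ThreatVulnPair("External attacker", "Known flaw not patched", "Medium", "Medium", "Medium", "High"),
    ThreatVulnPair("Flood", "Server room on a flood plain", "Low", "Low", "Low", "High"),
]

if __name__ == "__main__":
    for row in rank_risks(SAMPLE):  # the ranked table is the step 9 documentation
        print(f"{row['risk']:6} ({row['score']:5.1f})  {row['threat']}: {row['vulnerability']}")
```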
Evaluation: This article has been published by a trusted federal organization after extensive secondary research. There is no personal or commercial gain for this organization from the publication of this document. It is also an ideal document for all private and public organizations that handle sensitive information.
Personal thoughts: Perception of risk is commonplace in all human beings. But its level varies from individual to individual. It had never occurred to the writer that such extensive analysis, precaution and management for risk is required. The document has also given valuable information on the types of risk in the IT world. A new understanding about the extent to which people will go to create risk has been gained. The biggest insight was the extent of the IT industry’s vulnerability to risk.