After the risk level has been assigned the team will identify controls or safeguards that are in place or could be put in place to possibly eliminate the risk or at least reduce the risk to an acceptable level. One of the goals of risk assessment is to document the organization’s due diligence when making business decisions. Therefore, it will be important to identify as many controls and safeguards as possible that could reduce the risk exposure level. By doing this the team will be able to document all of the options that were considered.
There are a number of factors that need to be considered when recommending controls and alternative solutions. For instance, how effective is the recommended control? One way to determine the relative effectiveness is to perform the risk-level process (probability and impact) on the threat with the identified control in place. If the risk level is not reduced to an acceptable point then the team may want to examine another option.
There may also be legal and regulatory requirements to implement specific controls. With so many new and expanding requirements mandated by government agencies, controlling boards, and laws, it will be necessary for the risk management team to be current on these requirements.
When selecting any type of control, it will be necessary to measure the operational impact on the organization. Every control will have an impact in some manner. It could be the expenditure for the control itself. It could be the impact on productivity and turnaround time. Even if the control is a new procedure, the effect on the employees must be reviewed and used in the determination of whether to implement it.
A final consideration is the safety and reliability of the control or safeguard. Does the control have a track record that demonstrates that it will allow the organization to operate in a safe and sound mode? The overall safety of the organization’s intellectual property is at stake. The last thing that the risk assessment team will want to do is to implement a control that puts the enterprise at a greater risk.
The expenditure on controls must be balanced against the actual business harm. A good rule of thumb is that if the control costs more than the asset it is designed to protect, then the return on investment is probably going to be low. One way to identify a good return on investment is to identify each control and cross-reference it to all of the threats that could be mitigated by the implementation of that specific control. This process will provide the team with an initial idea of which control is most cost effective.

Table 2.12 Sample Definitions for Impact

Impact Level: High
Definition: The loss of confidentiality, integrity or availability could be expected to have severe or catastrophic adverse effect on organizational operations, assets or individuals.
• Severe degradation or loss of mission capability to an extent and duration that the organization is not able to perform its primary functions
• Results in major damage to the organization’s assets
• Results in major financial loss
• Results in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries

Impact Level: Medium
Definition: The loss of confidentiality, integrity or availability could be expected to have serious adverse effect on organizational operations, assets, or individuals.
• Significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness is reduced
• Results in significant damage to the organization’s assets
• Results in significant financial loss
• Results in significant harm to individuals but not loss of life or serious injuries

Impact Level: Low
Definition: The loss of confidentiality, integrity or availability could be expected to have limited adverse effect on organizational operations, assets, or individuals.
• Degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness is reduced
• Results in minor damage to the organization’s assets
• Results in minor financial loss
Therefore, the goal of this step in the risk assessment process is to analyze the controls that have been implemented, or are planned for implementation. Security controls encompass the use of technical and nontechnical methods. The technical controls are safeguards that are incorporated into computer hardware, software, or firmware. These would include access control mechanisms, identification and authentication processes, encryption tools, and intrusion detection software. Nontechnical controls are management and operational controls such as policies, procedures, standards, personnel security, and environmental control mechanisms.
The control categories for both technical and nontechnical control methods can be further classified as avoidance, assurance, detection, and recovery. The team should concentrate on controls that will allow the mission of the enterprise to function while providing an adequate level of protection. It may be prudent to establish a list of possible controls in each of these four categories that will help the enterprise meet its business objectives.
Avoidance controls are proactive safeguards that attempt to minimize the risk of accidental or intentional intrusions.
Assurance controls are tools and strategies employed to ensure the ongoing effectiveness of the existing controls and safeguards.
Detection controls are techniques and programs used to ensure early detection, interception, and response for security breaches.
Recovery controls are planning and response services to rapidly restore a secure environment and investigate the source of the breaches.
Figure 2.6 Probability–impact matrix example. Rows are the probability rating, columns are the impact rating, and each cell is the resulting risk level.

                      IMPACT
PROBABILITY     HIGH      MEDIUM    LOW
HIGH            HIGH      HIGH      MEDIUM
MEDIUM          HIGH      MEDIUM    LOW
LOW             MEDIUM    LOW       LOW
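The two checks described above, re-rating a threat with a candidate control in place and cross-referencing each control to the threats it mitigates against its cost, can be worked through with the Figure 2.6 matrix. This is an added example, not code from the book; the threats, asset values, control costs and control effects are constructed sample data, and the "acceptable" threshold of MEDIUM is an assumption.

```python
# Added example, not the book's own code: rate residual risk with the
# Figure 2.6 probability-impact matrix, then cross-reference each candidate
# control to the threats it mitigates. All sample data below is constructed.
from collections import namedtuple

LEVELS = ["LOW", "MEDIUM", "HIGH"]
# Figure 2.6: outer key = probability, inner key = impact.
MATRIX = {
    "HIGH":   {"HIGH": "HIGH",   "MEDIUM": "HIGH",   "LOW": "MEDIUM"},
    "MEDIUM": {"HIGH": "HIGH",   "MEDIUM": "MEDIUM", "LOW": "LOW"},
    "LOW":    {"HIGH": "MEDIUM", "MEDIUM": "LOW",    "LOW": "LOW"},
}
Threat = namedtuple("Threat", "name probability impact asset_value")
# effect: threat name -> (probability, impact) expected with the control in place
Control = namedtuple("Control", "name cost effect")

def risk_level(probability, impact):
    return MATRIX[probability.upper()][impact.upper()]

def acceptable(level, threshold="MEDIUM"):
    return LEVELS.index(level) <= LEVELS.index(threshold)

def residual_risk(threat, control):
    """Re-run the probability/impact rating with the control in place."""
    prob, imp = control.effect.get(threat.name, (threat.probability, threat.impact))
    return risk_level(prob, imp)

def cross_reference(threats, controls, threshold="MEDIUM"):
    """Per control: the unacceptable threats it brings down to the threshold,
    and whether it costs more than the assets it would protect (low ROI)."""
    report = {}
    for c in controls:
        mitigated = [t.name for t in threats
                     if not acceptable(risk_level(t.probability, t.impact), threshold)
                     and acceptable(residual_risk(t, c), threshold)]
        protected = sum(t.asset_value for t in threats if t.name in mitigated)
        report[c.name] = {"mitigates": mitigated, "cost": c.cost,
                          "protected_value": protected, "low_roi": c.cost > protected}
    return report

def sample_report():
    threats = [Threat("Ransomware on file server", "HIGH", "HIGH", 500_000),
               Threat("Insider data exfiltration", "MEDIUM", "HIGH", 300_000),
               Threat("Laptop theft", "MEDIUM", "MEDIUM", 20_000)]
    controls = [Control("Offline backups", 40_000,
                        {"Ransomware on file server": ("HIGH", "LOW")}),
                Control("Data loss prevention suite", 350_000,
                        {"Insider data exfiltration": ("LOW", "HIGH")})]
    return cross_reference(threats, controls)
```

In the sample, offline backups bring the ransomware threat from HIGH to MEDIUM for less than the asset is worth, while the DLP suite reduces the insider threat but costs more than the asset it protects, which is the "low return on investment" case the rule of thumb warns about.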
During this step, the risk assessment team will determine the security controls generally based on existing security architecture, some regulatory requirement, a business standard, or a combination of all three. As we discussed in the previous chapter, the Information Technology—Code of Practice for Information Security Management (ISO/IEC 17799) is a good basis for establishing a set of controls.
There are other sources for standards, and each year the risk assessment teams seem to receive new regulations discussing the need to protect information and information-processing assets. Other sources might include some of the following.
Security Technologies for Manufacturing and Control Systems (ISA-TR99.00.01-2004)
Integrating Electronic Security into Manufacturing and Control Systems Environment (ISA-TR99.00.02-2004)
Federal Information Processing Standards Publications (FIPS Pubs)
National Institute of Standards and Technology
CobiT Security Baseline
Health Insurance Portability and Accountability Act (HIPAA)
The Basel Accords
Privacy Act of 1974
Gramm–Leach–Bliley Act (GLBA)
Sarbanes–Oxley Act (SOX)
Information Security for Banking and Finance (ISO/TR 13569)
FFIEC Examination Guidelines
When I find that a new set of standards or controls has been introduced, I try to map them to an established industry standard such as ISO 17799. This allows me to be certain that any new item is assimilated into the controls list and that items are not duplicated. By doing this, management is given the opportunity to see that the new standards or industry requirements have already been addressed in the existing practices of the organization.
First I map out the new requirements such as HIPAA (see Table 2.13). After mapping out the new standards, I map those to the organization’s existing control standards or to ISO 17799. That might look like the mapping shown in Table 2.14.