SPYRUS Policies and Procedures - Threat and Risk Assessment
The fundamental principle of security is risk management. The TRA addresses the specific circumstances of the business and its secure operation, and assesses threat and risk using a standards-based methodology. The TRA is referenced in the CP and CPS. The TRA is completed once, and then it should be updated on an annual basis, or whenever there are changes to the system security configuration of the operation. Because the TRA may describe certain vulnerabilities in detail, it is an internal document.
The TRA investigates the security safeguards in place or planned, and assesses their adequacy, in terms of threats, vulnerabilities and risks. The purpose is to ensure that appropriate and cost-effective safeguards are in place to provide the requisite trust and assurance for the assurance level needed for the planned transactions and activities.
The methodology presented in the SPYRUS template is a basic four-step industry and government standard, widely adopted as an effective and comprehensive systems approach. Based on risk management, the methodology is sufficiently flexible to apply it to an organization comprehensively, or to a specific facility, location, branch or program within an organization.
While many different TRA guides have been developed, most adhere to the four basic steps, briefly summarized as follows:
- Step One: Preparation - The first step is to identify and categorize the information and assets associated with the business, operation and system, and to assess the sensitivity of the information and assets, in terms of required security attributes. Knowledge of the nature of the business carried out by the organization is necessary to identify the sensitivity, importance and value of the information and assets. A statement of sensitivity will identify the necessary security attributes, and analyze them in the specific context. Security attributes to be considered include: confidentiality, integrity, availability, authentication, non-repudiation, accountability, and reliability. For a PKI, information to be protected normally includes root key material, transaction data, authority transactions, user personal information and proprietary information in the business database, certificate information in the CA database, systems including the components of the PKI and the firewalls and other system security software and hardware. A table format can be used to categorize and analyze information and assets against the security attributes either qualitatively or quantitatively.
- Step Two: Threat assessment - All of the generic threats to sensitive information and assets are considered, that is, disclosure (loss of confidentiality), interruption (loss of non-repudiation, accountability, reliability, and availability), removal (loss of all attributes), modification (loss of integrity, authentication, accountability, reliability), and destruction (loss of all attributes except confidentiality). These threats are then broken down into specific threats, or threat agents (the factors that would cause the threats to occur), and the likelihood of those threats occurring is assessed, as "low," "medium" or "high." Then the impact of the threat occurring is assessed, again as "low," "medium" or "high."
- Step Three: Risk assessment - The third step of the TRA is risk assessment, which encompasses two subordinate steps. First, the safeguards in place and their effectiveness in deterring or preventing the identified threats are reviewed. From this, and based on the threat information, vulnerabilities can be identified. A vulnerability is either an inherent weakness in the system, or a flaw or weakness created by the application, or lack of application, of appropriate safeguards to counter identified threats. Based on the vulnerability assessment, associated risk can then be assessed, and stated as "low," "medium" or "high."
The result is an assessment of risk, normally described, again, as "low," "medium" or "high." Consequences are best stated in qualitative terms; while quantitative measures have been developed by various sources, they are often subjective or arbitrary, requiring interpretation to be understood.
The SPYRUS PKI has been designed with considerable system and other security safeguards in place. System design has integrated security features that result in few remaining vulnerabilities.
- Step Four: Recommendations - The final step is to make recommendations that address risk. Recommendations will focus on the areas of highest risk; conversely, there may be recommendations on removing safeguards for low risk threats. A useful TRA provides management with a profile of the security status of the facility, program or system under review. It should provide information, where possible, on resources associated with recommendations. The TRA should enable management to make informed decisions on security.
Risks can be mitigated through the application of additional safeguards; risk can be avoided by curtailing certain high-risk activities, or risk can be accepted. The risk that remains after recommended safeguards have been put in place is known as "residual risk." Management of the business must decide whether the residual risk is acceptable, or whether it is necessary to put in place even more safeguards to reduce the risk even further. In most circumstances, some residual risk is tolerable; and in all situations, it is impossible to negate risk completely and continue to operate.
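The four steps above can be carried through on a small, constructed PKI inventory. The following Python model is an added example, not a SPYRUS tool or template: it encodes the generic-threat-to-attribute mapping from Step Two, derives impact from the Step One statement of sensitivity, rates inherent and residual risk with an assumed qualitative matrix, and produces the Step Four focus list. The assets, threat agents, safeguards, the rule that a safeguard lowers likelihood by one rating, and the risk matrix itself are all assumptions chosen for illustration.

```python
"""Worked four-step TRA model (added example; assets, ratings and safeguards are constructed)."""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Qualitative rating shared by sensitivity, likelihood, impact and risk."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


ATTRIBUTES = ("confidentiality", "integrity", "availability", "authentication",
              "non_repudiation", "accountability", "reliability")

# Step Two: each generic threat and the security attributes it defeats.
GENERIC_THREATS = {
    "disclosure": {"confidentiality"},
    "interruption": {"non_repudiation", "accountability", "reliability", "availability"},
    "removal": set(ATTRIBUTES),
    "modification": {"integrity", "authentication", "accountability", "reliability"},
    "destruction": set(ATTRIBUTES) - {"confidentiality"},
}

# Step Three: assumed qualitative matrix, (likelihood, impact) -> risk.
RISK_MATRIX = {
    (Level.LOW, Level.LOW): Level.LOW, (Level.LOW, Level.MEDIUM): Level.LOW,
    (Level.LOW, Level.HIGH): Level.MEDIUM, (Level.MEDIUM, Level.LOW): Level.LOW,
    (Level.MEDIUM, Level.MEDIUM): Level.MEDIUM, (Level.MEDIUM, Level.HIGH): Level.HIGH,
    (Level.HIGH, Level.LOW): Level.MEDIUM, (Level.HIGH, Level.MEDIUM): Level.HIGH,
    (Level.HIGH, Level.HIGH): Level.HIGH,
}


@dataclass
class Asset:
    """Step One: an asset and its statement of sensitivity (unlisted attributes count as LOW)."""
    name: str
    sensitivity: dict = field(default_factory=dict)


@dataclass
class Threat:
    """Step Two: a specific threat agent realising a generic threat against one asset."""
    asset: Asset
    generic: str
    agent: str
    likelihood: Level


@dataclass
class Safeguard:
    """Step Three: assumed model - a safeguard lowers the likelihood of each generic
    threat it counters by one rating (never below LOW)."""
    name: str
    counters: set
    reduction: int = 1


def impact(threat):
    """Impact is the highest sensitivity among the attributes the threat defeats."""
    lost = GENERIC_THREATS[threat.generic]
    return max(threat.asset.sensitivity.get(a, Level.LOW) for a in lost)


def residual_likelihood(threat, safeguards):
    """Likelihood once every safeguard countering this generic threat is applied."""
    applied = [s for s in safeguards if threat.generic in s.counters]
    lik = int(threat.likelihood) - sum(s.reduction for s in applied)
    return Level(max(int(Level.LOW), lik)), [s.name for s in applied]


def risk_register(threats, safeguards=()):
    """Rate inherent and residual risk for every threat; highest residual risk first."""
    rows = []
    for t in threats:
        imp = impact(t)
        lik, applied = residual_likelihood(t, safeguards)
        rows.append({"asset": t.asset.name, "threat": t.generic, "agent": t.agent,
                     "impact": imp, "inherent": RISK_MATRIX[(t.likelihood, imp)],
                     "residual": RISK_MATRIX[(lik, imp)], "safeguards": applied})
    return sorted(rows, key=lambda r: (-r["residual"], -r["inherent"]))


def recommendations(register):
    """Step Four: focus on HIGH residual risk; flag safeguards spent on LOW-risk threats."""
    return {"focus": [r for r in register if r["residual"] == Level.HIGH],
            "safeguards_to_review": [r for r in register
                                     if r["inherent"] == Level.LOW and r["safeguards"]]}


# Constructed sample inventory; every rating below is hypothetical.
ROOT_KEY = Asset("CA root signing key", {
    "confidentiality": Level.HIGH, "integrity": Level.HIGH, "availability": Level.MEDIUM,
    "authentication": Level.HIGH, "non_repudiation": Level.HIGH,
    "accountability": Level.MEDIUM, "reliability": Level.MEDIUM})
BUSINESS_DB = Asset("business database (user personal information)", {
    "confidentiality": Level.HIGH, "integrity": Level.MEDIUM, "availability": Level.MEDIUM})
THREATS = [
    Threat(ROOT_KEY, "disclosure", "insider copies key material", Level.MEDIUM),
    Threat(ROOT_KEY, "interruption", "HSM hardware failure", Level.MEDIUM),
    Threat(BUSINESS_DB, "modification", "malware alters records", Level.MEDIUM),
    Threat(BUSINESS_DB, "destruction", "fire at the hosting site", Level.LOW),
]
SAFEGUARDS = [
    Safeguard("HSM key storage under dual control", {"disclosure", "removal"}),
    Safeguard("signed, append-only audit log", {"modification"}),
    Safeguard("off-site backups", {"destruction"}),
]

if __name__ == "__main__":
    register = risk_register(THREATS, SAFEGUARDS)
    for r in register:
        print(f"{r['residual'].name:6} (inherent {r['inherent'].name:6}) "
              f"{r['threat']:12} {r['asset']}: {r['agent']}")
    print(recommendations(register))
```

On this sample the HSM failure comes out as the only HIGH residual risk, because interruption defeats non-repudiation and no listed safeguard counters it; that is the row management would be asked to fund. The disclosure threat drops from HIGH to MEDIUM once the HSM safeguard is counted, and the off-site backup is flagged only for review, since the destruction threat it counters was rated LOW before any safeguard was applied. Changing the matrix or the one-rating reduction rule changes the register, which is exactly the sort of subjective input the text warns requires interpretation.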
The formal TRA is followed by implementation, monitoring, review and feedback. It is a continuing process, to ensure that the threats and risks are continually known and addressed. System change, personnel change, site change, as well as changes to system parameters or business operations, dictate a review of threats and risks.
The SPYRUS template provides the framework for managing risk effectively. It is based on widely accepted international standards, amongst them, ISO Technical Report 13335: Guidelines for the management of IT Security.