Risk Assessment Areas of Analysis
Areas of Analysis
We divided the analysis into four main areas: Infrastructure, Applications, Operations and People. For each area we describe, at a high level, its relevance to security, the current status and our recommendations.
Business Risk Profile
Understanding how the organization's nature of business affects risk is important in determining where to apply resources in order to mitigate those risks. Recognizing the critical areas of business risk helps the organization optimize the allocation of resources and budget.
Infrastructure
Infrastructure security focuses on how the network should function, the business processes it is intended to support, how servers and user machines are built and deployed, and how the network is managed and maintained. Investing in infrastructure security provides significant improvements in network defense, incident response, network availability and fault analysis. By establishing an optimized infrastructure design that is understood and consistently followed, an organization can identify areas of risk and design methods of threat mitigation.
In this risk assessment we focused on the following three sub-categories and their importance to security:
Perimeter Defense
Perimeter defense is the first line of defense against intruders. It addresses security at the network borders, where the internal network connects to the outside world, and covers Firewalls, Anti-virus, Remote Access, Segmentation, Intrusion Detection Systems and Wireless Security.
Authentication
Authentication procedures for users, administrators and remote users ensure that outsiders do not gain unauthorized access to the network through local or remote attacks. This section covers Administrative, Internal & Remote Users, Password Policies and Inactive Accounts management.
Management & Monitoring
Infrastructure management, event monitoring and logging are critical to maintaining and analyzing the organization's IT environment. These tools are often most valuable after an attack has occurred, when incident analysis is required. This section includes Incident Reporting & Response, Secure Build, Physical Security and Security Information & Event Management (SIEM).
Applications
This section reviews the applications within the organization and assesses them from a security and availability standpoint. It examines the technologies used within the organization's environment to help enhance Defense-in-Depth.
Defense in depth: The practice of layering defenses to provide added protection. Defense in depth increases security by raising the effort needed in an attack. This strategy places multiple barriers between an attacker and an enterprise's computing and information resources. (ISACA, Glossary)
It reviews the high-level procedures an organization can follow to help mitigate application risk, focusing on the following areas of application security:
Deployment & Use
Focuses on the deployment of business-critical applications in production: the security, stability and availability of core applications and servers, and the ongoing maintenance needed to ensure that security bugs are handled and that new vulnerabilities are not introduced into the environment. It includes Load-Balancing, Clustering, Application & Data Recovery, whether applications are Third Party (Independent Software Vendor) or Internally Developed, and Vulnerability analysis.
Application Design
Poor application design that does not properly address security issues such as authentication, authorization and data validation can allow attackers to exploit vulnerabilities and gain access to the organization's sensitive information. Not considering security in the design of a system or application is one of the major contributing factors to today's cyber security vulnerabilities, making systems easier to compromise. When examining the vulnerabilities in this area we address Authentication, Password Policies, Authorization & Access Control, Proper Logging, and Input Validation.
Data Security
Confidentiality, Integrity and Availability of data are among the greatest concerns for any business. Data loss or theft can hurt an organization's revenue as well as its reputation. It is important to understand how applications handle business-critical data at its different stages. Data security includes:
- Authentication and authorization of access.
- Access control limiting or controlling the type of access to data (such as read-only, read and write, or delete).
- Logging and other transactional monitoring.
- Encryption and integrity controls.
- Data Classification
Data Classification: The information an organization uses can be of varying value and importance. It is important for an organization to understand the sensitivity of information and classify data based on its sensitivity and the impact of release or loss of the information.
Operations
This area of analysis examines the organization's operational practices, procedures and guidelines that help enhance its security. It examines the policies and procedures that govern system deployment, infrastructure documentation, and the use of technology within the environment.
It also covers the supporting activities required to manage the information and procedures. An organization can enhance its Defense-in-Depth posture by establishing and following clear operational practices, procedures and guidelines. High-level procedures can help mitigate operational risk.
Environment
This sub-category refers to the operational procedures, processes and guidelines the organization applies to its environment. Accurate environment documentation and guidelines are critical to the operations team's ability to support, maintain and enhance the security of the environment. It includes Firewall Rules & Filters, Administrative Users, Management Host, Disaster Recovery & Business RP and Third Party contractual relationships.
Security Policy
Corporate security policy refers to the policies and guidelines that govern the secure and appropriate use of technology and processes. It addresses all types of security (such as user, system and data) and includes Data Classification & Disposal, Protocols & Services, Acceptable Use, User Account Management, Governance and Security Policies.
Patch & Update Management
Timely application of patches and updates is good practice and necessary to protect against known, exploitable vulnerabilities. It involves acquiring, testing and installing patches (code changes) on administered systems; patches should be tested before deployment so that a fix does not itself break a production system. This section includes Network Documentation, Application Data Flow, and Patch & Change Management.
Backup and Recovery
In the event of a disaster or a hardware or software failure, data backup and recovery are essential to maintaining business continuity. Lack of appropriate procedures could lead to significant loss of data and productivity. Backups should also be tested periodically by restoring from them; an untested backup is not a recovery capability.
People
This area reviews the high-level procedures an organization can follow to help mitigate people risk, focusing on areas of people security. This aspect is critical to helping the organization maintain overall security. It reviews the processes within the enterprise governing corporate security policies, Human Resources processes, and employee security awareness and training.
This Area of Analysis also focuses on dealing with security as it relates to day-to-day operational assignments and role definitions.
Requirements & Assessments
Security requirements should be determined by management so that both technical and business decisions enhance security rather than conflict with it. Periodic assessments by a third party can help review and evaluate the security posture and identify areas for improvement.
Policies and Procedures
Policies and procedures should be as practical and clear as possible to limit the company's exposure to risk. Procedures covering employee hiring and termination can help protect the company from unscrupulous or disgruntled employees. This area includes Background Checks, HR Policy, and Third-Party contractual relationships.
Training & Awareness
Employees should be trained and made aware of how security applies to their daily job activities so that they do not inadvertently expose their company to greater risks.
Employees should understand their roles and responsibilities in safeguarding sensitive data and protecting company resources. This will involve putting practices and policies in place that promote security and training employees to be able to identify and avoid risks.
* Based on the Microsoft Security Assessment Tool (MSAT).