The Goals and Objectives of a Risk Assessment
An organization may consider many goals and objectives prior to undergoing a risk and vulnerability assessment. Some of these goals and objectives may be the result of required compliance with new laws, mandates, and regulations for information security. Security as a process for an IT infrastructure and assets is primarily concerned with prevention, detection, and response. A sound and comprehensive security process, coupled with a robust IT security architecture and framework, will assist the organization in ensuring the security of the IT infrastructure and assets according to the organization’s minimum acceptable risk or exposure level.
Security Process Definition
Security as a process typically includes three key elements: prevention, detection, and response.
Prevention deals with the implementation of security controls and countermeasures or safeguards during the initial security design phase of the development life cycle. By incorporating security requirements into the design phase of the development life cycle, prevention or protection is easier to implement because it is inherent in the system’s or application’s design up front. Prevention techniques and solutions should be designed and developed into the system or application to ensure that availability, integrity, and confidentiality for the system or application are implemented.
Detection or monitoring deals with monitoring the IT infrastructure and assets. This includes monitoring log files, audit trails, and intrusion detection system reporting, and reviewing vulnerability assessment reports and CVE entries that apply to the software installed within the production IT infrastructure. Continuous monitoring of the IT infrastructure and assets for newly discovered risks, threats, and vulnerabilities is an ongoing process and the responsibility of the information security professionals who are accountable for securing the IT infrastructure and assets.
Response is the reaction that an IT organization takes in response to a security breach or incident from a known or unknown risk, threat, or vulnerability. Response usually encompasses the following four areas:
- Business Continuity Plan (BCP)—Organizations that have a significant amount of investment in the IT infrastructure and assets typically create, test, and validate an internal BCP to address how to maintain operations and functionality in the event that critical assets are lost. A BCP typically includes a risk assessment, an asset valuation or criticality assessment, and a vulnerability assessment so that the organization can build the proper BCP for risk, threat, or vulnerability incidents affecting the production IT infrastructure and assets.
- Disaster Recovery Plan (DRP)—Organizations that have a significant exposure to risks and threats, particularly weather related, act of God related, or war related, must have a plan for dealing with a disaster (for example, hurricane, flood, fire). A DRP typically requires an outsourcing solution and/or a hot site that replicates the main IT infrastructure and systems that the organization is fully dependent on to maintain its business operations.
- Security Incident Response Team (SIRT) and Plan—Many organizations have their own internal Security Incident Response Team (SIRT) that comprises a cross-section of human resources, legal, IT, and departmental management personnel. The SIRT typically has authority to collect evidence and conduct investigations pertaining to security breaches and/or security incidents. Because of the potential sensitivity and nature of a security breach or incident, the investigation and the collection of data and information must be conducted under certain rules and guidelines that preserve the confidentiality and integrity of that data and information. This is critical if forensic data is to be used in a court of law as evidence when the perpetrator or perpetrators are criminally charged for unauthorized access to or use of an organization’s IT infrastructure and assets.
- Forensic Analysis Plan—Depending on the laws, mandates, regulations, and jurisdiction of the security breach and/or incident, a carefully developed forensic analysis plan and computer forensic data and information collection procedure must be followed for the data and information to be admissible in a court of law as evidence in a criminal case in the United States. The SIRT must be properly trained, and the IT security professionals who collect and retrieve data and information must abide by the forensic analysis plan governing how data and information are collected during the security breach or incident investigation.
Depending on the organization’s compliance requirements under new laws, mandates, and regulations, the priorities, the definition of criticality or importance, and the goals and objectives identified for conducting a risk and vulnerability assessment will be unique to that organization.
Goals and Objectives of a Risk and Vulnerability Assessment
Some of the more common goals and objectives of conducting a risk and vulnerability assessment are as follows:
- IT organizations can have an accurate inventory of IT assets and data assets.
- IT organizations can have prioritized IT assets and data assets based on different measurement criteria—asset value in dollars, the importance of the assets to the organization, or their criticality to the organization.
- Risks, threats, and known vulnerabilities can be identified and documented for the IT organization’s production IT infrastructure and assets.
- Risks, threats, and known vulnerabilities can be prioritized based on the impact or criticality of the IT asset or data asset that they affect.
- The vulnerability window can be identified and minimized according to the organization’s minimum acceptable tolerance to being vulnerable.
- Remediation or mitigation of the identified risks, threats, and vulnerabilities can be properly budgeted and planned according to the prioritization or criticality of IT assets and data assets.
- Compliance with new information security laws, mandates, and regulations can be achieved by first conducting a risk and vulnerability assessment.
- Gaps or voids in the organization’s IT security architecture and framework can be identified, with specific recommendations for closing them.
- A risk and vulnerability assessment identifies the exposures, risks, threats, and vulnerabilities that the organization is subject to and assists the IT organization in justifying the cost of needed security countermeasures and solutions to mitigate the identified risks, threats, and vulnerabilities.
- A risk and vulnerability assessment provides an IT organization with an objective assessment and recommendations measured against the organization’s defined goals and objectives for conducting the risk and vulnerability assessment.
- A risk and vulnerability assessment assists IT organizations with understanding the return on investment if funds are invested in IT security infrastructure.
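The following is an added example, not part of the original text, showing how the inventory, asset prioritization, and vulnerability window goals above fit together in one small calculation. The assets, findings, 1-5 criticality scale, and the priority formula (severity weighted by asset criticality and by how long the window has been open) are all constructed assumptions, not a scale or formula the text prescribes.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed asset inventory with a criticality rating on an assumed 1-5 scale.
ASSETS = {
    "erp-db01":   {"owner": "finance", "criticality": 5},
    "web-portal": {"owner": "sales",   "criticality": 4},
    "dev-jump":   {"owner": "it",      "criticality": 2},
}

@dataclass
class Finding:
    asset: str
    ref: str                      # constructed tracking id for a known vulnerability
    severity: int                 # 1-10, e.g. a CVSS-style base score (assumption)
    discovered: date              # when the vulnerability became known for this asset
    remediated: Optional[date] = None

def vulnerability_window(f: Finding, today: date) -> int:
    """Days the asset has been exposed: discovery until remediation, or until today."""
    end = f.remediated or today
    return (end - f.discovered).days

def priority(f: Finding, today: date) -> float:
    """Assumed scoring: severity x asset criticality, grown by each month the window stays open."""
    crit = ASSETS[f.asset]["criticality"]
    return f.severity * crit * (1 + vulnerability_window(f, today) / 30)

def remediation_plan(findings, today: date, tolerance_days: int = 14):
    """Open findings ranked by priority, flagging any past the acceptable vulnerability window."""
    open_items = [f for f in findings if f.remediated is None]
    ranked = sorted(open_items, key=lambda f: priority(f, today), reverse=True)
    return [
        {"asset": f.asset, "ref": f.ref,
         "window_days": vulnerability_window(f, today),
         "over_tolerance": vulnerability_window(f, today) > tolerance_days,
         "score": round(priority(f, today), 1)}
        for f in ranked
    ]

# Constructed findings: note the lower-severity item on the most critical asset outranks the rest.
FINDINGS = [
    Finding("erp-db01",   "VULN-A", 7, date(2024, 2, 10)),
    Finding("web-portal", "VULN-B", 9, date(2024, 2, 25)),
    Finding("dev-jump",   "VULN-C", 9, date(2024, 1, 20)),
    Finding("web-portal", "VULN-D", 5, date(2024, 1, 5), remediated=date(2024, 1, 15)),
]

if __name__ == "__main__":
    for row in remediation_plan(FINDINGS, date(2024, 3, 1)):
        print(row)
```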