Once the decision has been made to perform a risk assessment, an outline needs to be created to guide the process and fix the specific steps to take. Performing a risk assessment is not a project decided on one day and completed the next; it takes time and planning.
The two primary types of risk assessment approaches are quantitative and qualitative. This chapter helps to paint the overall picture of both approaches. In general, a risk assessment involves the following steps:
Before progressing with the risk assessment, two preliminary actions need to be completed. These are:
What will be assessed needs to be clearly defined. If a system is to be assessed, then the system needs to be described. An example of a system might be the Human Resource department’s (HR’s) personnel records database. If a process is to be assessed, then the process needs to be described. An example of a process would be the Finance department’s creation of an invoice.
An important factor is to describe the system or process as it is right now. A risk assessment is a point-in-time assessment, unlike overall risk management, which is a continuous process.
When describing the system or process, two primary areas are often the focus:
The scope of the risk assessment is also important to define to help prevent uncontrolled changes, which can result in cost overruns and missed deadlines.
Scope of risk assessments: According to NIST SP 800-30, “the scope of the risk assessment determines what will be considered in the assessment. Risk assessment scope affects the range of information available to make risk-based decisions and is determined by the organizational official requesting the assessment and the risk management strategy.” Just as a project manager guards against “scope creep,” the unplanned addition of work to a project, the risk manager needs to define the risk assessment scope to avoid unplanned data gathering and analysis.
Operational characteristics define how the system operates in an environment. Just naming the system, such as “Email server,” is not enough; instead, how the system is currently configured and operating needs to be identified.
For example, FIGURE 6-1 shows a single email server in a network that handles all email to and from the Internet. The server also provides email services for all clients in the internal network. But the illustration in Figure 6-1 is old and doesn’t reflect the organization’s current configuration.
FIGURE 6-2, on the other hand, shows the organization’s current network diagram, which has a demilitarized zone (DMZ). The DMZ includes an email server used to send and receive email from the Internet and an internal email server that sends and receives email from the DMZ server but does not interact with the Internet.
The differences between Figures 6-1 and 6-2 help show the importance of documenting current operational characteristics. What would happen if a risk assessment was begun by evaluating the threats against the system in Figure 6-1? The obvious answer is that the information would be outdated and valuable time would be spent on the wrong effort.
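The lesson of Figures 6-1 and 6-2 is that operational characteristics should be taken from the system as it runs today, not from a diagram. One way to do that for an email system is to read each server’s live configuration and derive its role from it. The following Python script is an added example, not code from the original chapter: the two Postfix main.cf fragments it parses are constructed to match the Figure 6-2 topology (a DMZ relay that delivers to the Internet and an internal server that only exchanges mail with that relay), and the hostnames and address ranges in them are illustrative assumptions.

```python
"""Derive an email server's current operational characteristics from its
Postfix main.cf rather than from a possibly outdated network diagram.

Added example, not part of the original chapter. The two main.cf
fragments are constructed to match the Figure 6-2 topology; hostnames
and address ranges are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the Internet-facing relay in the DMZ.
DMZ_MAIN_CF = """
# /etc/postfix/main.cf on dmz-mail (constructed sample)
myhostname = dmz-mail.example.com
inet_interfaces = all
mynetworks = 127.0.0.0/8
    10.20.0.25
relayhost =
relay_domains = example.com
"""

# Constructed sample: the internal server that never talks to the Internet.
INTERNAL_MAIN_CF = """
# /etc/postfix/main.cf on mail-int (constructed sample)
myhostname = mail-int.example.com
inet_interfaces = 10.20.0.25, 127.0.0.1
mynetworks = 127.0.0.0/8 10.20.0.0/16 192.0.2.0/24
mydestination = example.com, $myhostname, localhost
relayhost = [dmz-mail.example.com]:25
"""


def parse_main_cf(text: str) -> dict[str, str]:
    """Parse 'name = value' lines. Postfix skips blank lines and '#'
    comments and treats a line starting with whitespace as a
    continuation of the previous value."""
    settings: dict[str, str] = {}
    last_key: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last_key is not None:
            settings[last_key] = (settings[last_key] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue
        last_key = name.strip()
        settings[last_key] = value.strip()
    return settings


def split_list(value: str) -> list[str]:
    """Postfix list values may be separated by commas, whitespace or both."""
    return value.replace(",", " ").split()


def expand(value: str, cfg: dict[str, str]) -> str:
    """Single-pass expansion of $name references such as $myhostname."""
    for name, val in cfg.items():
        value = value.replace("$" + name, val)
    return value


@dataclass
class MailServerProfile:
    host: str
    listens_on: list[str]        # inet_interfaces
    trusted_clients: list[str]   # mynetworks: clients allowed to relay through us
    local_domains: list[str]     # mydestination: domains delivered locally
    relays_via: Optional[str]    # relayhost next hop, or None for direct delivery
    delivers_to_internet_directly: bool


def profile(cfg: dict[str, str]) -> MailServerProfile:
    relayhost = cfg.get("relayhost", "").strip()
    # "[host]:port" tells Postfix to skip the MX lookup; drop that syntax so
    # the report names the next hop plainly (hostname form only, no IPv6).
    next_hop = relayhost.split(":")[0].strip("[]") if relayhost else None
    return MailServerProfile(
        host=cfg.get("myhostname", "?"),
        listens_on=split_list(cfg.get("inet_interfaces", "all")),
        trusted_clients=split_list(cfg.get("mynetworks", "")),
        local_domains=split_list(expand(cfg.get("mydestination", ""), cfg)),
        relays_via=next_hop,
        # With no relayhost, Postfix resolves MX records and delivers to the
        # destination itself, i.e. this host initiates SMTP to the Internet.
        delivers_to_internet_directly=next_hop is None,
    )


def outbound_path(profiles: dict[str, MailServerProfile], start: str) -> list[str]:
    """Follow relayhost hops from `start` until a host delivers directly,
    flagging loops and hosts whose configuration was not collected."""
    path: list[str] = []
    seen: set[str] = set()
    host: Optional[str] = start
    while host is not None and host in profiles and host not in seen:
        seen.add(host)
        path.append(host)
        host = profiles[host].relays_via
    if host is None:
        path.append("Internet (direct MX delivery)")
    elif host in seen:
        path.append(f"LOOP back to {host}")
    else:
        path.append(f"{host} (no configuration collected)")
    return path


if __name__ == "__main__":
    profiles = {p.host: p for p in map(profile, map(parse_main_cf, (DMZ_MAIN_CF, INTERNAL_MAIN_CF)))}
    for p in profiles.values():
        print(p)
    print(" -> ".join(outbound_path(profiles, "mail-int.example.com")))
```

Running the script reproduces the Figure 6-2 mail flow from configuration alone: mail-int relays every outbound message to dmz-mail, and only dmz-mail delivers to the Internet. Note what main.cf cannot tell you: whether dmz-mail is actually reachable from the Internet on port 25 is a firewall and DNS (MX record) question, so those sources belong in the same evidence set when documenting the current operational characteristics.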
The risk assessment needs to be performed against the current system. However, the current configuration isn’t always apparent or readily available. Sometimes, discovering the current configuration takes some digging. Here are two simple questions that can be asked:
The mission of the system defines what the system does. Compared with the operational characteristics of the system, the mission is easy to define. The definition of the mission for any single system can be as short as a paragraph or can consist of simple bullet statements.
For example, an email system could have the following mission: The email server provides all email services for the organization, which include the following functions:
If previous audits or risk assessments are available, they should be reviewed. These reports can contain much valuable information to make the job of performing a risk assessment easier.
These reports list assets, threats, and vulnerabilities and should also list controls currently in place. They may provide recommendations for additional controls. Three items especially worth investigating are: