A security assessment is a request to analyze the risk of an IT solution. The request is initiated by a CISO (Chief Security Officer) or ISO (Information Security Officer) within a corporation. It is used to make sure that security concerns are met before changes are made to the information technology infrastructure. There are foundation plans which evaluate the state of new applications or infrastructure. Or there are incremental plans that address changes to the foundation plan.
What are the components of a risk assessment?
The following components are critical: an environmental characterization questionnaire, a change summary, reference plans, the Threat Vulnerability Matrix (TVM), scope, and risk summary. In my current work, the risk assessment is created in a web portal where a series of web pages and a database create the assessment. The risk assessor interviews application and/or infrastructure owners about the changes in a discovery call, follow-up meetings, and emails. The main results are a change summary narrative of the application or infrastructure, discovered risks, and a risk summary.
The risk summary comes from two sets of risks. The first set is non-inherited risks; they are discovered in the discovery and follow on calls/emails along with risks already in the foundation plan along with it various incremental changes. The second set of risks, inherited risks, comes from technologies that are referenced in the change summary. For example: if an application uses Active Directory to authenticate users of an application, it is to be referenced as a reference plan. That application would then inherit risks associated with Active Directory.
Where will an assessor spend most of their time?
In my current role, the discovery and follow-up meetings are used to collect information in the following areas: application environment overview, hardware, software, network transmissions, authentication and authorization, logging and auditing, storage, and support and maintenance. This information needs to gel with the data in the ECQ (Environmental Change Questionnaire) that is filled in by the SME (Subject Matter Experts) of the group that wants the assessment completed. The ECQ has these most commonly used sections focused on datasets (data in storage), hardware, software, and networks. The ECQ is a database and contains all the latest entries for a request.
The discovery questions can be kept in a template that has questions for each of the sections that belong in the change summary of the risk. The requests change summary needs to focus only on changes related to the specific request, not the security plan associated with the request. Remember a security plan can have multiple requests (changes) to that plan over time. So once that narrative is completed it needs to be tuned to list all of the reference plans (technologies) that are associated with the requests change.
The assessor should target discovery and other common questions towards SMEs that reveal specific risks. Some risks are not easily seen and require creative questions. Also the depth of the risk may need greater exploration because the risk could have cascading or explosive ramifications (eg. a critical risk in a storage subsystem towards applications that run on them).
The TVM section of the risk assessment must contain all risks found in the discovery analysis and the risks in the assessment summary. There is a database of risks, vulnerabilities, threats, impacts, controls, and mitigating controls risks. This matrix is the core of risk creation and is kept in a formula based database. This TVM database should be carefully examined periodically to determine that the most dangerous threats are elevated in their rankings and the others that arent as serious anymore (eg. due to deployment of better IT technology) are decreased. A strong TVM enables consistency in evaluations over time. Only assessor judgment or formula changes lead to different results.
In summary, the main sections of work are the ECQ that the SME fills out and the change summary is created by the risk assessor. The change summary contains non-inherited risks that the assessor discovers from the interview or other customer follow-ups. Inherited risks are associated with technologies that the change summary references. The highest risk is listed in the front of the risk summary table. The change summary shows the new base summary with new request narrative, the data elements, scope of the request, the risk summary with non-inherited and inherited risks.