Asset Risk Impact Assessment - The benefit is that the company gets a ballpark budget figure and learns how to allocate its security budget wisely.

This involves three parts: Asset Assessment, Risk Assessment and Impact Assessment.

Asset Assessment - In this phase the business unit leaders rank the priority of their business unit's assets. They also estimate the maximum tolerable downtime for each asset. Using this data from the various business units, a company-wide asset priority table is created. Typically, this is arrived at by giving a weight to each business unit and normalizing the asset rankings across business units.

Risk Assessment - Risk is the possibility that a threat will exploit a vulnerability. The words risk and threat are used interchangeably. In this phase all the risks/threats that can affect our prioritized assets are identified.

Impact Assessment - This is the phase where we measure the likelihood of a risk being realized on an asset. If the risk event is realized once, the loss is the Single Loss Expectancy (SLE). If the risk event occurs at an Annualized Rate of Occurrence (ARO), we can compute the Annual Loss Expectancy (ALE). For a risk/threat event to happen, a vulnerability has to exist. A safeguard is a countermeasure which removes a vulnerability and protects against one or more specific threats. The thumb rule is that the annual cost of the safeguard should not exceed the annual cost of asset loss!

There are five actions that we can take on a risk/threat:

Reduce - Implement a safeguard to reduce the risk

Assign - Buy insurance

Accept - Accept the consequences, and make sure to document it!

Reject - Deny that the risk exists

Transfer - Outsource the asset and hence the risk

Please see the attached sample impact table in Excel format to arrive at the estimate of the total cost to mitigate risk. This cost is a ballpark estimate of how much you should be willing to spend on security. This is the phase where you can plan to squeeze the most out of your dollar. As an example, if the analysis indicates that the cost of safeguards for the data-center is way too expensive, you could use a co-location facility where such safeguards exist and address your concerns with a well-defined SLA with the co-location vendor.
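The three phases can be worked through in a few lines of Python. This is an added example, not the attached spreadsheet: the business units, assets, dollar figures and the rank-normalization scheme are constructed assumptions, and ALE is computed with the standard formula ALE = SLE x ARO.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    asset: str
    threat: str
    sle: float             # Single Loss Expectancy: loss from one occurrence
    aro: float             # Annualized Rate of Occurrence: events per year
    safeguard_cost: float  # annual cost of the safeguard

    @property
    def ale(self) -> float:
        # Standard quantitative formula: ALE = SLE x ARO
        return self.sle * self.aro

def company_priority(unit_weights, unit_rankings):
    """Merge per-unit asset rankings (best first) into one company-wide list."""
    scores = {}
    for unit, ranking in unit_rankings.items():
        n = len(ranking)
        for pos, asset in enumerate(ranking):
            # Assumed normalization: scale rank to (0, 1] so lists of
            # different lengths compare, then apply the unit's weight.
            scores[asset] = scores.get(asset, 0.0) + unit_weights[unit] * (n - pos) / n
    return sorted(scores, key=lambda a: (-scores[a], a))

def impact_table(risks):
    """Return (rows, budget): per-risk ALE and action, plus total safeguard spend."""
    rows = []
    for r in risks:
        # Thumb rule: annual safeguard cost must not exceed annual loss.
        action = "Reduce" if r.safeguard_cost <= r.ale else "Review"
        rows.append((r.asset, r.threat, r.ale, r.safeguard_cost, action))
    budget = sum(row[3] for row in rows if row[4] == "Reduce")
    return rows, budget

# Constructed sample data, not taken from the original spreadsheet.
WEIGHTS = {"Sales": 0.6, "Engineering": 0.4}
RANKINGS = {"Sales": ["CRM database", "Web store"],
            "Engineering": ["Source repo", "CRM database", "Build server"]}
RISKS = [Risk("CRM database", "Ransomware", 80_000, 0.5, 15_000),
         Risk("Source repo", "Credential theft", 120_000, 0.25, 10_000),
         Risk("Web store", "Data-center outage", 20_000, 0.5, 60_000)]

if __name__ == "__main__":
    print("Priority:", company_priority(WEIGHTS, RANKINGS))
    rows, budget = impact_table(RISKS)
    for row in rows:
        print("%-13s %-19s ALE=%8.0f safeguard=%8.0f %s" % row)
    print("Ballpark safeguard budget:", budget)
```

Rows marked "Review" are the ones where the safeguard costs more than the expected annual loss, so they are candidates for the other actions listed above, such as the co-location case.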