INFORMATION SECURITY
MANAGEMENT SYSTEM
This module will enable a learner to understand information security and implement various
measures for managing security, as it is rightly said:
OBJECTIVES
This module helps to develop knowledge, skills and techniques in the design of security systems
using the theory and application of protection from hacking. It is planned that this will contribute to
the Protection from Hacking CSTA (Certified Security Testing Associate) accreditation and also to
the CISSP (Certified Information Systems Security Professional) accreditation. Students who want to
learn the fundamentals of computing and specialize in the fields of security specialist and forensic
computing will benefit greatly. This module focuses on the objectives of information security.
1.1 INTRODUCTION
1.1.1 PURPOSE OF AUDITS
Rapid and dramatic advances in information technology (IT), while offering tremendous benefits,
have also created significant and unprecedented risks to government operations. Federal, state, and
local governments depend heavily on information systems (IS) security measures to avoid data
tampering, fraud, inappropriate access to and disclosure of sensitive information, and disruptions in
critical operations. These risks are expected to only continue to escalate as wireless and other
technologies emerge. Government auditors, to be effective instruments of accountability, need to
be able to evaluate IS security and offer recommendations for reducing the security risk to an
acceptably low level. Further, the growing importance of IT in performing daily operational
activities, along with the elimination of paper-based evidence and trails, demands that auditors
consider the effectiveness of IT controls during the course of financial and performance audits.
To do so, auditors must acquire and maintain the appropriate resources and skill sets—a daunting
challenge in an era of rapid evolution and deployment of new information technology. Likewise,
government audit organizations need to take stock of their IS security audit capabilities and ensure
that strategies exist for their continued development and enhancement and auditors from local
governments in cooperation with staff of the United States. These include planning, developing a
strategy, implementing the capability, and assessing results.
The auditor should be adequately educated about the company and its critical business activities
before conducting a data center review. The objective of the data center is to align data center
activities with the goals of the business while maintaining the security and integrity of critical
information and processes. To adequately determine whether the client's goal is being
achieved, the auditor should perform the following before conducting the review:
The next step in conducting a review of a corporate data center takes place when the auditor
outlines the data center audit objectives. Auditors consider multiple factors that relate to data center
procedures and activities that potentially identify audit risks in the operating environment and
assess the controls in place that mitigate those risks. After thorough testing and analysis, the auditor
is able to adequately determine if the data center maintains proper controls and is operating
efficiently and effectively.
Following is a list of objectives the auditor should review:
Personnel procedures and responsibilities, including systems and cross-functional training
Change management processes are in place and followed by IT and management personnel
Appropriate backup procedures are in place to minimize downtime and prevent loss of important data
9 |©ATL Education Foundation
The data center has adequate physical security controls to prevent unauthorized access to the data center
Adequate environmental controls are in place to ensure equipment is protected from fire and flooding.
The next step is collecting evidence to satisfy data center audit objectives. This involves traveling
to the data center location and observing processes and procedures performed within the data
center. The following review procedures should be conducted to satisfy the pre-determined audit
objectives:
Data center personnel – All data center personnel should be authorized to access the data
center (key cards, login IDs, secure passwords, etc.). Data center employees should be
adequately educated about data center equipment and properly perform their jobs. Vendor
service personnel should be supervised when doing work on data center equipment. The auditor
should observe and interview data center employees to satisfy these objectives.
Equipment – The auditor should verify that all data center equipment is working properly
and effectively. Equipment utilization reports, equipment inspection for damage and
functionality, system downtime records and equipment performance measurements all help
the auditor determine the state of data center equipment. Additionally, the auditor should
interview employees to determine if preventative maintenance policies are in place and
performed.
Policies and Procedures – All data center policies and procedures should be documented
and located at the data center. Important documented procedures include: data center
personnel job responsibilities, back up policies, security policies, employee termination
policies, system operating procedures and an overview of operating systems.
Physical security / environmental controls – The auditor should assess the security of the
client's data center. Physical security includes bodyguards, locked cages, mantraps, single
entrances, bolted-down equipment, and computer monitoring systems. Additionally,
environmental controls should be in place to ensure the security of data center equipment.
These include air conditioning units, raised floors, humidifiers and uninterruptible power
supplies.
Backup procedures – The auditor should verify that the client has backup procedures in
place in the case of system failure. Clients may maintain a backup data center at a separate
location that allows them to instantaneously continue operations in the instance of system
failure.
The data center review report should summarize the auditor‘s findings and be similar in format to a
standard review report. The review report should be dated as of the completion of the auditor's
inquiry and procedures. It should state what the review entailed and explain that a review provides
only "limited assurance" to third parties.
1.1.8 NETWORK VULNERABILITIES
Interception: Data that is being transmitted over the network is vulnerable to being
intercepted by an unintended third party who could put the data to harmful use.
Availability: Networks have become wide-spanning, crossing hundreds or thousands of
miles which many rely on to access company information, and lost connectivity could
cause business interruption.
Access/entry point: Networks are vulnerable to unwanted access. A weak point in the
network can make that information available to intruders. It can also provide an entry point
for viruses and Trojan horses.
1.1.9 CONTROLS
The auditor should ask certain questions to better understand the network and its vulnerabilities.
The auditor should first assess what the extent of the network is and how it is structured. A network
diagram can assist the auditor in this process. The next question an auditor should ask is what
critical information this network must protect. Things such as enterprise systems, mail servers, web
servers, and host applications accessed by customers are typically areas of focus. It is also
important to know who has access and to what parts. Do customers and vendors have access to
systems on the network? Can employees access information from home? Lastly the auditor should
assess how the network is connected to external networks and how it is protected. Most networks
are at least connected to the internet, which could be a point of vulnerability. These are critical
questions in protecting networks.
In assessing the need for a client to implement encryption policies for their organization, the
auditor should conduct an analysis of the client's risk and data value. Companies with multiple
external users, e-commerce applications, and sensitive customer/employee information should
maintain rigid encryption policies aimed at encrypting the correct data at the appropriate stage in
the data collection process. Auditors should continually evaluate their client's encryption policies
and procedures. Companies that are heavily reliant on e-commerce systems and wireless
networks are extremely vulnerable to the theft and loss of critical information in transmission.
Policies and procedures should be documented and carried out to ensure that all transmitted data is
protected. Companies can base their policies on the Control Objectives for Information and related
Technology (COBIT) guidelines established by the IT Governance Institute (ITGI) and the Information
Systems Audit and Control Association (ISACA). The IT auditor should be adequately informed
about COBIT guidelines.
The auditor should verify that management has controls in place over the data encryption
management process. Access to keys should require dual control, keys should be composed of two
separate components, and keys should be maintained on a computer that is not accessible to
programmers or outside users. Furthermore, management should attest that encryption policies
ensure data protection at the desired level and verify that the cost of encrypting the data does not
exceed the value of the information itself. All data that is required to be maintained for an
extensive amount of time should be encrypted and transported to a remote location. Procedures
should be in place to guarantee that all encrypted sensitive information arrives at its location and is
stored properly. Finally, the auditor should obtain verification from management that the encryption
system is strong, resistant to attack, and compliant with all local and international laws and regulations.
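The key-management controls above (a key built from two separate components, access under dual control, every key load traceable) can be modelled in code. The following is an added example, not part of the course material or of any ATL tool; it assumes a 32-byte key split into two XOR components, a key check value (KCV) taken as the first 3 bytes of an HMAC-SHA256 over a fixed zero block, and exactly two named custodians whose names are constructed.

```python
"""Split knowledge and dual control for an encryption key (added example)."""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

KEY_LEN = 32
KCV_INPUT = b"\x00" * 16   # fixed block the check value is computed over (assumption)
KCV_BYTES = 3              # check-value length retained, as in common key ceremonies


def xor_bytes(a, b):
    """Combine two equal-length components; used both to split and to reassemble."""
    if len(a) != len(b):
        raise ValueError("components must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def key_check_value(key):
    """Short fingerprint used to confirm a reassembled key without exposing it."""
    return hmac.new(key, KCV_INPUT, hashlib.sha256).digest()[:KCV_BYTES].hex()


def generate_components(key_len=KEY_LEN):
    """Create a key and split it so that each component alone is uniformly random.

    Returns (component_a, component_b, kcv). Only the XOR of both components
    yields the key; a single component reveals nothing about it (split knowledge).
    """
    key = secrets.token_bytes(key_len)
    component_a = secrets.token_bytes(key_len)
    component_b = xor_bytes(key, component_a)
    return component_a, component_b, key_check_value(key)


class DualControlKeyLoader:
    """Reassembles the key only when two distinct authorised custodians each
    present their component, and records every attempt for the auditor."""

    def __init__(self, custodians, expected_kcv):
        self.custodians = frozenset(custodians)
        self.expected_kcv = expected_kcv
        self.audit_log = []   # entries: (timestamp, outcome, custodians involved)

    def _record(self, outcome, names):
        self.audit_log.append((datetime.now(timezone.utc), outcome, tuple(sorted(names))))

    def load_key(self, presented):
        """presented: mapping custodian name -> component bytes."""
        names = set(presented)
        if not names <= self.custodians:
            self._record("REJECT unknown custodian", names)
            raise PermissionError("component presented by an unauthorised custodian")
        if len(names) != 2:
            self._record("REJECT dual control not met", names)
            raise PermissionError("dual control: exactly two custodians must be present")
        first, second = (presented[n] for n in sorted(names))
        key = xor_bytes(first, second)
        # A wrong or corrupted component produces a different key and so a different KCV.
        if not hmac.compare_digest(key_check_value(key), self.expected_kcv):
            self._record("REJECT key check value mismatch", names)
            raise ValueError("key check value mismatch: wrong or corrupted component")
        self._record("LOAD ok", names)
        return key


if __name__ == "__main__":
    comp_a, comp_b, kcv = generate_components()
    loader = DualControlKeyLoader(["custodian-a", "custodian-b"], kcv)
    key = loader.load_key({"custodian-a": comp_a, "custodian-b": comp_b})
    print("key loaded, KCV", key_check_value(key))
    for entry in loader.audit_log:
        print(entry)
```

The components themselves would be held on separate media by the two custodians; this block models only the assembly, the check and the audit trail an auditor would ask to see.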
The process of encryption involves converting plain text into a series of unreadable characters
known as the ciphertext. If the encrypted text is stolen or obtained while in transit, the content is
unreadable to the viewer. This protects the confidentiality of the transmission and is extremely useful to companies
sending/receiving critical information. Once encrypted information arrives at its intended recipient,
the decryption process is applied to restore the ciphertext back to plaintext.
Proxy servers hide the true address of the client workstation and can also act as a firewall. Proxy
server firewalls have special software to enforce authentication. Proxy server firewalls act as a
middle man for user requests.
Antivirus software programs such as McAfee and Symantec software locate and dispose of
malicious content. These virus protection programs run live updates to ensure they have the latest
information about known computer viruses.
Logical security includes software safeguards for an organization's systems, including user ID and
password access, authentication, access rights and authority levels. These measures are to ensure
that only authorized users are able to perform actions or access information in a network or a
workstation.
Programming
Processing
Access
When it comes to programming it is important to ensure proper physical and password protection
exists around servers and mainframes for the development and update of key systems. Having
physical access security at your data center or office such as electronic badges and badge readers,
security guards, choke points, and security cameras is vitally important to ensuring the security of
your applications and data. Then you need to have security around changes to the system. Those
usually have to do with proper security access to make the changes and having proper authorization
procedures in place for pulling through programming changes from development through test and
finally into production.
With processing, it is important that procedures and monitoring are in place for a few different aspects, such as
the input of falsified or erroneous data, incomplete processing, duplicate transactions and untimely
processing. Making sure that input is randomly reviewed or that all processing has
proper approval is a way to ensure this. It is important to be able to identify incomplete processing
and ensure that proper procedures are in place for either completing it, or deleting it from the
system if it was in error. There should also be procedures to identify and correct duplicate entries.
Finally, when it comes to processing that is not being done on a timely basis, you should back-track
the associated data to see where the delay is coming from and identify whether or not this delay
creates any control concerns.
Finally, with access, it is important to realize that maintaining network security against unauthorized
access is one of the major focuses for companies, as threats can come from a few sources. First you
have internal unauthorized access. It is very important to have system access passwords that must
be changed regularly and a way to track access and changes so you are able to identify
who made what changes. All activity should be logged. The second arena to be concerned with is
remote access: people accessing your system from the outside through the internet. Setting up
firewalls and password protection for on-line data changes is key to protecting against
unauthorized remote access. One way to identify weaknesses in access controls is to bring in a
hacker to try and crack your system, either by gaining entry to the building and using an internal
terminal or by hacking in from the outside through remote access.
CASE STUDY
A Security Audit program was conducted by ATL Security Group for a client of ATL (the name
of the client is kept confidential). Let us study the areas this program concentrated on to make
ourselves clearer on Security Auditing.
This Security Audit program contains over 400 unique tasks divided into 11 areas of audit focus,
which are then divided into 38 separate task groupings. The audit program is one that either an
external or internal auditor can use to validate the compliance of the Information Technology
function and the enterprise with the ISO 27000 Series (ISO 27001 & ISO 27002), Sarbanes-Oxley, HIPAA, and
PCI-DSS.
Included with this program were Microsoft Excel workbooks (2003 and 2007 format) and an
indexed PDF document that contain the following:
Sample Audit Program Graphic - This is a copy of the Audit Program Graphic with links
changed to point to the Sample Audit Program, plus a chart that has been added to show the
positive and negative points of the audit (see chart below).
SUMMARY
Auditing is a privileged function and should be controlled by management. It is also important that
management support this function and that it be aware of the results on an ongoing basis. The
auditing process includes the creation of audit files by the system. When the network administrator
enables auditing, AUDITCON automatically creates files to record the audited events and the
auditor's actions.
AUDITCON creates separate files for each container and volume in which auditing is enabled. At
the NDS level, the data is stored in the Audit Data files. At the volume level, the data is stored in
the Audit Data records of the Audit History file. The auditor maintains the audit files and uses the
data collected in the files to create reports.
The audit spotlight now shines on IT. After years of regulation and embarrassing data breaches, the
highest levels of management now comfortably discuss IT controls and audit results. However,
their quality expectations are rising. Where IT once performed audits annually, many now support
quarterly, monthly, and ad hoc exercises. Each audit expands the scope of the technologies
assessed, measured, and proven compliant. Broader scope means more complexity and more work.
With the Security Audit Program you can increase timeliness and accuracy of audit data while
reducing IT audit effort, disruption, and cost.
EXERCISE
Q 1. We have recent off-site backups and current anti-virus on all desktops and servers. Off-site
tape backups and anti-virus updates protect you from accidentally deleted files or virus infected
systems. Network assessments ensure protection of information assets.
a) Yes
b) No
Q 2. We have had an external firewall penetration assessment within the past 12 months. Networks
are attacked on a daily basis. External penetration assessments review your firewalls, your first
line of defense against hackers and other external threats.
a) Yes
b) No
Q 3. Our security policies have been audited by an independent organization. Experts recommend
you have your policies and procedures audited by an outside organization. Don't have all your
policies documented? Altius IT offers Policy templates.
a) Yes
b) No
Q 4. Our web site interfaces with customers and has been audited to ensure security. Web
applications are the most vulnerable element of an organization's IT infrastructure. Web
application and database assessments identify your web site vulnerabilities.
a) Yes
b) No
Q 5. We encrypt our confidential documents and E-mail messages. Encryption prevents third parties
from opening confidential documents or incorrectly addressed E-mail. Security consulting helps
identify your user related risks.
a) Yes
b) No
Answers: 1) a, 2) a, 3) a, 4) a, 5) a
2.1 INTRODUCTION
What is information security?
We all store valuable information, whether in our memories, in paper documents or, in the world of
IT, on computers and other digital storage devices. Every information user is a node where the
information can leak out. Thus information security is essentially a process for securing the
information of any user. For example, if your house has a number lock, you would always store the
password of the lock either in your mind, on a piece of paper or perhaps on your cell phone. All of
these are possible points where this password could be leaked out. Someone posing as a friend may
extract this information (the password) from your head using certain tactics, commonly termed
social engineering in the world of hacking. Or someone may steal the piece of paper where you have
written the password, or may obtain the password from an SMS or from where it is stored as a
business card. Securing this information is nothing but an example of information security. For
example, you may take precautions by trying not to tell your password to friends, or you may write
the password in a coded form on paper (an age-old technique for storing valuable information).
Figure: CIA of Information Security (figure labels also shown: Utility, Authenticity, Possession)
ISO 27001 and ISO 27002 naturally map and align with other standards and compliance
frameworks. For organizations dealing with Sarbanes-Oxley, IT general controls, and SAS 70s,
ISO 27001 naturally maps into the security- and risk-related portions of the Control Objectives for
Information and related Technology (COBIT) framework. For other compliance requirements such
as GLBA, HIPAA, and PCI, ISO 27001 provides a superset of controls that covers and
encompasses all of the security and risk-related controls.
When implementing a single ISMS with the intent of covering multiple compliance requirements, an
organization first identifies the scope of the compliance requirements as they pertain to its assets,
business operations, facilities, and IT processes. This drives the development of the necessary
process flows. The process flows can then be aggregated into a single set or union of processes that
fall under all of the compliance requirements. The organization also must identify the mappings
between the various compliance requirements and the ISO 27001 controls. These mappings should
include the specific control requirements for each compliance initiative, which helps ensure that all
requirements are addressed.
PDCA MODEL
This International Standard adopts the "Plan-Do-Check-Act" (PDCA) model, which is applied to
structure all ISMS processes. Figure 1 illustrates how an ISMS takes as input the information
security requirements and expectations of the interested parties and, through the necessary actions
and processes, produces information security outcomes that meet those requirements and
expectations. The adoption of the PDCA model will also reflect the principles set out in the
OECD Guidelines (2002) governing the security of information systems and networks. This
International Standard provides a robust model for implementing the principles in those guidelines
governing risk assessment, security design and implementation, security management and
reassessment. The main point of ISO/IEC 27001 is the continual improvement of the processes
that produce the effects by applying this PDCA model.
ISO17799
BS ISO/IEC 17799:2000 (BS 7799-1:2000) Information technology - Code of practice for
information security management
“The adoption of ISO27001 as a security control framework offers several benefits for executive
management and the groups and individuals responsible for risk, security, compliance, and
audit.”
DOMAIN OF BS 7799-1
BS 7799 contains 10 security domains
A.10.10 Monitoring
Objective: To detect unauthorized information processing activities.
A.15.2 Compliance with security policies and standards, and technical compliance
Objective: To ensure compliance of systems with organizational security policies and standards.
Now let us look at an implementation project for ISO 27001 done by ATL Security Group for a client
of ATL (name confidential), which gives a clear inside view of how ISO standards are
implemented.
It is defined through executive decision and influences the amount of risk worth taking to achieve
enterprise goals and missions.
It relates to risks that must be mitigated and managed.
Risk Tolerance
Asset list.
Threat analysis to identify risks.
Risk impact estimate for each asset.
Ongoing process for reviewing assets, threats and risks.
Someone responsible for this process.
Operational procedures for responding to changing conditions (emergencies, high risk etc.).
ASPECTS OF SECURITY
Static Aspects:
Dynamic Aspects:
Defense in depth is the concept of protecting a computer network with a series of defensive
mechanisms such that if one mechanism fails, another will already be in place to thwart an
attack.
All named assets (such as documents, software, hardware etc.) are listed starting with the
most sensitive.
The list is never complete. It has to be periodically updated.
Default "all other assets" entries are also created.
These are divided into logical groups based on their probability of attack or the risk of their
"location" between perimeters.
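The asset-list rules above (most sensitive first, default "all other assets" entries, grouping by location between perimeters, a risk impact estimate per asset and an ongoing review) are shown together in the following register. This is an added example, not course material or an ATL tool; it assumes sensitivity and attack probability scored 1 (lowest) to 5 (highest), risk impact = sensitivity x probability, a catch-all entry inheriting its zone's highest attack probability, and a 90-day review interval, with all assets, owners and dates constructed.

```python
"""Asset register with default entries, sensitivity ordering and zone grouping (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=90)   # assumption: review cadence
DEFAULT_NAME = "all other assets"
DEFAULT_SENSITIVITY = 2                # assumption for unnamed assets in a zone


@dataclass
class Asset:
    name: str
    kind: str                 # document, software, hardware, ...
    sensitivity: int          # 1 (public) .. 5 (most sensitive)
    attack_probability: int   # 1 (unlikely) .. 5 (routinely attacked)
    zone: str                 # location between perimeters, e.g. "internet-facing"
    last_reviewed: date
    owner: str = "unassigned"

    def __post_init__(self):
        for label, value in (("sensitivity", self.sensitivity),
                             ("attack_probability", self.attack_probability)):
            if not 1 <= value <= 5:
                raise ValueError(f"{label} must be 1..5, got {value}")

    @property
    def risk_impact(self):
        """Impact estimate used to rank assets within a zone."""
        return self.sensitivity * self.attack_probability


def with_default_entries(assets, today):
    """Add one 'all other assets' entry per zone so that nothing reachable
    behind that perimeter is left unaccounted for. Idempotent."""
    result = list(assets)
    for zone in sorted({a.zone for a in assets}):
        if any(a.name == DEFAULT_NAME and a.zone == zone for a in assets):
            continue
        # Assets behind the same perimeter share its exposure.
        exposure = max(a.attack_probability for a in assets if a.zone == zone)
        result.append(Asset(DEFAULT_NAME, "unclassified", DEFAULT_SENSITIVITY,
                            exposure, zone, today))
    return result


def ordered_by_sensitivity(assets):
    """Most sensitive first; ties broken by risk impact, then name."""
    return sorted(assets, key=lambda a: (-a.sensitivity, -a.risk_impact, a.name))


def grouped_by_zone(assets):
    """Zone -> assets in that zone, each group ordered most sensitive first."""
    groups = {}
    for asset in ordered_by_sensitivity(assets):
        groups.setdefault(asset.zone, []).append(asset)
    return groups


def review_due(assets, today):
    """Names of assets not reviewed within REVIEW_INTERVAL (the ongoing
    review process the list above calls for)."""
    return [a.name for a in assets if today - a.last_reviewed > REVIEW_INTERVAL]


# Constructed sample register.
SAMPLE_ASSETS = [
    Asset("customer database", "software", 5, 3, "internal", date(2024, 1, 10), "dba team"),
    Asset("public web server", "hardware", 3, 5, "internet-facing", date(2024, 3, 1), "web ops"),
    Asset("HR policy documents", "document", 2, 2, "internal", date(2023, 11, 5), "hr"),
    Asset("VPN gateway", "hardware", 4, 4, "internet-facing", date(2024, 2, 20), "network"),
]
TODAY = date(2024, 4, 1)   # constructed review date

if __name__ == "__main__":
    register = with_default_entries(SAMPLE_ASSETS, TODAY)
    for zone, items in grouped_by_zone(register).items():
        print(f"zone: {zone}")
        for a in items:
            print(f"  sens={a.sensitivity} prob={a.attack_probability} "
                  f"impact={a.risk_impact:>2} {a.name} ({a.owner})")
    print("review due:", review_due(register, TODAY))
```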
Risk Impact Assessment
COBIT structure
COBIT covers four domains:
Plan and Organize
o Define a Strategic IT Plan and direction
o Define the Information Architecture
o Determine Technological Direction
o Define the IT Processes, Organization and Relationships
o Manage the IT Investment
o Communicate Management Aims and Direction
o Manage IT Human Resources
o Manage Quality
o Assess and Manage IT Risks
o Manage Projects
Acquire and Implement: The Acquire and Implement domain covers identifying IT
requirements, acquiring the technology, and implementing it within the company's current
business processes. This domain also addresses the development of a maintenance plan that
a company should adopt in order to prolong the life of an IT system and its components.
The following table lists the IT processes contained in the Acquire and Implement domain.
Deliver and Support: The Deliver and Support domain focuses on the delivery aspects of
the information technology. It covers areas such as the execution of the applications within
the IT system and its results, as well as, the support processes that enable the effective and
efficient execution of these IT systems. These support processes include security issues and
training. The following table lists the IT processes contained in the Deliver and Support
domain.
Monitor and Evaluate: The Monitor and Evaluate domain deals with a company's strategy
in assessing the needs of the company and whether or not the current IT system still meets
the objectives for which it was designed and the controls necessary to comply with
regulatory requirements. Monitoring also covers the independent assessment of
the effectiveness of the IT system in its ability to meet business objectives and the company's
control processes by internal and external auditors. The following table lists the IT
processes contained in the Monitor and Evaluate domain.
The complete COBIT package consists of:
Executive Summary
Governance and Control Framework
Control Objectives
Management Guidelines
Implementation Guide
IT Assurance Guide
STRIDE
It is a technique for Threat Identification which attempts to categorize potential security threats by
matching them to six categories.
The threat categories are:
1. Spoofing Identity which means illegally obtaining access and use of another person's
authentication information, such as a user name or password, that is, impersonate another
user.
2. Tampering with data which means malicious modification of data. An attacker who
maliciously changes data is often much harder to detect, and does much more damage, than
a smash-and-grab Web site defacer or disk reformatter. Why? First, you might not find the
modified data until some time has passed; once you find one tampered item, you'll have to
thoroughly check all the other data on your systems to ensure that nothing else was
tampered with.
3. Repudiation: It represents the risk that a legitimate transaction will be disowned by one of
the participants. Non-repudiation means that it can be verified that the sender and the
recipient were, in fact, the parties who claimed to send or receive the message,
respectively.
4. Information disclosure which means that an attacker can gain access, without permission,
to data that the owner doesn't want him or her to have.
5. Denial of service (DoS) which means an explicit attempt to prevent legitimate users from
using a service or system. It involves the overuse of legitimate resources. Such attacks can
be stopped by removing the resource used by the attacker, but then real users can't use the
resource either.
6. Escalation of privilege which means an unprivileged user gains privileged access. An
example of privilege elevation would be an unprivileged user who comes up with a way to
be added to the Administrators group.
Each category of threat is rated as High (3), Medium (2) or Low (1).
After each of the above questions has been asked, the values (1–3) for a given threat should be
summed. The result can fall in the range of 5–15. Threats with overall ratings of 12–15 can then
be treated as High risk, 8–11 as Medium risk, and 5–7 as Low risk.
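The rating scheme above, applied to a small STRIDE threat list, looks like this in code. This is an added example, not from the course material; it assumes five rating questions per threat (the 5–15 total implies five values scored High=3, Medium=2, Low=1), and the question names, sample threats and their scores are constructed for illustration.

```python
"""Scoring STRIDE threats with the 1-3 ratings and 5-15 risk bands (added example)."""

STRIDE_CATEGORIES = {
    "S": "Spoofing identity",
    "T": "Tampering with data",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

RATING_VALUES = {"high": 3, "medium": 2, "low": 1}

# Five rating questions, one score each (constructed names; the page gives
# only the 1-3 scale and the 5-15 total range).
RATING_QUESTIONS = ("impact", "likelihood", "exposure",
                    "affected users", "detection difficulty")


def rating_total(scores):
    """Sum five ratings given as 'high'/'medium'/'low' or as the ints 1-3."""
    if len(scores) != len(RATING_QUESTIONS):
        raise ValueError(f"expected {len(RATING_QUESTIONS)} ratings, got {len(scores)}")
    total = 0
    for score in scores:
        value = RATING_VALUES.get(score.lower()) if isinstance(score, str) else score
        if value not in (1, 2, 3):
            raise ValueError(f"rating must be High(3), Medium(2) or Low(1): {score!r}")
        total += value
    return total


def risk_band(total):
    """Map a 5-15 total onto the bands stated in the text."""
    if 12 <= total <= 15:
        return "High"
    if 8 <= total <= 11:
        return "Medium"
    if 5 <= total <= 7:
        return "Low"
    raise ValueError(f"total {total} is outside the 5-15 range")


def rate_threats(threats):
    """threats: iterable of (stride_letter, description, scores).

    Returns one dict per threat, highest total first, so the High band is
    the first thing a reviewer sees."""
    rated = []
    for letter, description, scores in threats:
        if letter not in STRIDE_CATEGORIES:
            raise ValueError(f"unknown STRIDE category {letter!r}")
        total = rating_total(scores)
        rated.append({"category": STRIDE_CATEGORIES[letter], "threat": description,
                      "total": total, "band": risk_band(total)})
    rated.sort(key=lambda row: row["total"], reverse=True)   # stable: ties keep list order
    return rated


def band_counts(rated):
    """How many threats fall in each band; useful as a one-line audit summary."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for row in rated:
        counts[row["band"]] += 1
    return counts


# Constructed sample threat list for a hypothetical customer web portal.
SAMPLE_THREATS = [
    ("S", "Reused administrator password on the portal", ["high", "high", "medium", "high", "high"]),
    ("T", "Order records altered via unvalidated form fields", [2, 2, 2, 2, 2]),
    ("R", "Customers deny placing orders; no signed receipts", ["low", "medium", "low", "low", "low"]),
    ("I", "Error pages reveal database connection details", [3, 1, 2, 2, 3]),
    ("D", "Login form has no rate limiting", ["medium", "low", "low", "medium", "low"]),
    ("E", "Helpdesk role can grant itself administrator rights", [3, 3, 3, 2, 3]),
]

if __name__ == "__main__":
    rated = rate_threats(SAMPLE_THREATS)
    for row in rated:
        print(f"{row['band']:<6} {row['total']:>2}  {row['category']:<24} {row['threat']}")
    print(band_counts(rated))
```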
RISK ASSESSMENT
Risk
Risk is the possibility of loss resulting from a threat, security incident, or event.
Assets
Any real or personal property, tangible or intangible, that a company or individual owns that can be
Consequential
A secondary result ensuing from an action or decision is consequential. From an insurance or
security standpoint, costs, loss, or damage beyond the market value of the asset lost or damaged,
including other indirect costs.
Cost/benefit analysis
Process in planning, related to the decision to commit funds or assets. This is a systematic attempt
to measure or analyze the value of all the benefits that accrue from a particular expenditure.
Usually, this process involves three steps:
Identification of all direct and indirect consequences of the expenditure.
Assignment of a monetary value to all costs and benefits resulting from the expenditure.
Discounting expected future costs and revenues accruing from the expenditure to express
those costs and revenues in current monetary values.
Events
Something that happens; a noteworthy happening is event. In the security context, this usually
represents an occurrence such as a security incident, alarm, medical emergency, or related episode
or experience.
Goodwill
The value of a business that has been built up through the reputation of the business concern and its
owners is goodwill.
Loss Event
It is an occurrence that actually produces a financial loss or negative impact on assets. Examples
include security incidents, crimes, war, natural hazards, or disasters.
Natural Disaster
It is a naturally occurring calamitous event bringing great damage, loss, or destruction, such as
tornadoes, hurricanes, earthquakes and related occurrences.
Probability
It is the chance, or in some cases, the mathematical certainty that a given event will occur; the ratio
of the number of outcomes in an exhaustive set of equally likely outcomes that produce a given
event to the total number of possible outcomes.
Risk Analysis
A detailed examination including risk assessment, risk evaluation, and risk management
alternatives, performed to understand the nature of unwanted, negative consequences to human life,
health, property, or the environment; an analytical process to provide information regarding
undesirable events; the process of quantification of the probabilities and expected consequences for
identified risks.
Risk Assessment
It is the process of assessing security-related risks from internal and external threats to an entity, its
assets, or personnel.
Security Incident
It is a security-related occurrence or action likely to lead to death, injury, or monetary loss. An
assault against an employee, customer, or supplier on company property would be one example of
a security incident.
Security Vulnerability
It is an exploitable capability; an exploitable security weakness or deficiency at a facility, entity,
venue, or of a person.
Threat
An intent to cause damage or injury; an indication of something impending.
I. WHAT IS RISK?
Risk can be defined as the combination of the probability of an event and its consequences. In all
types of undertaking, there is the potential for events and consequences that constitute
opportunities for benefit (upside) or threats to success (downside).
Risk Management is increasingly recognized as being concerned with both positive and negative
aspects of risk. Therefore this standard considers risk from both perspectives. In the safety field, it
is generally recognized that consequences are only negative and therefore the management of
safety risk is focused on prevention and mitigation of harm.
People (Behavior)
Process (Actions)
Technology (architecture)
IV. KINDS OF RISK
Assessing risk is one element of a broader set of risk management activities. Other elements
include establishing a central management focal point, implementing appropriate policies and
related controls, promoting awareness, and monitoring and evaluating policy and control
effectiveness.
Although all elements of the risk management cycle are important, risk assessments provide the
foundation for other elements of the cycle. In particular, risk assessments provide a basis for
establishing appropriate policies and selecting cost-effective techniques to implement these
policies. Since risks and threats change over time, it is important that organizations periodically
reassess risks and reconsider the appropriateness and effectiveness of the policies and controls they
have selected. This continuing cycle of activity, including risk assessment, is illustrated in the
following depiction of the risk management cycle. Risk assessments, whether they pertain to
information security or other types of risk, are a means of providing decision makers with
information needed to understand factors that can negatively influence operations and outcomes
and make informed judgments concerning the extent of actions needed to reduce risk. For example,
bank officials have conducted risk assessments to manage the risk of default associated with their
loan portfolios, and nuclear power plant engineers have conducted such assessments to manage
risks to public health and safety. As reliance on computer systems and electronic data has grown,
information security risk has joined the array of risks that governments and businesses must
manage. Regardless of the types of risk being considered, all risk assessments generally include the
following elements. Identifying the threats that could cause harm, and thus adversely affect critical
operations and assets, is essential. Threats include such things as intruders, criminals, disgruntled
employees, terrorists, and natural disasters. The following are risk assessment (RA) terms that the
candidate will need to know:
Asset: An asset is a resource, process, product, computing infrastructure, and so forth that an
organization has determined must be protected. The loss of the asset could affect C.I.A.,
confidentiality, integrity, or availability or have an overall effect, or it could have a discrete dollar
value—tangible or intangible. It could also affect the full ability of an organization to continue in
business. The value of an asset is composed of all of the elements that are related to that asset—its
creation, development, support, replacement, public credibility, considered costs, and ownership
values.
Threat: Simply put, the presence of any potential event that causes an undesirable impact on the
organization is called a threat. As we will discuss in the Operations Domain, a threat could be man-
made or natural and have a small or large effect on a company's security or viability.
Vulnerability: The absence or weakness of a safeguard constitutes vulnerability. A minor threat
78 |©ATL Education Foundation
has the potential to become a greater threat, or a more frequent threat, because of vulnerability.
Think of vulnerability as the threat that gets through a safeguard into the system. Combined with
the terms asset and threat, vulnerability is the third part of an element that is called a triple in risk
management.
Safeguard: A safeguard is the control or countermeasure employed to reduce the risk associated
with a specific threat or group of threats.
Exposure Factor (EF): The EF represents the percentage of loss that a realized threat event would
have on a specific asset. This value is necessary to compute the Single Loss Expectancy (SLE),
which in turn is necessary to compute the Annualized Loss Expectancy (ALE). The EF can be a
small percentage, such as the effect of a loss of some hardware, or a very large percentage, such as
the catastrophic loss of all computing resources.
Single Loss Expectancy (SLE): An SLE is the dollar figure that is assigned to a single event. It
represents an organization's loss from a single threat and is derived from the following formula:
Asset Value ($) × Exposure Factor (EF) = SLE
For example, an asset valued at $100,000 that is subjected to an exposure factor of 30 percent
would yield an SLE of $30,000. While this figure is primarily defined in order to create the
Annualized Loss Expectancy (ALE), it is occasionally used by itself to describe a disastrous event
for a Business Impact Assessment (BIA).
Annualized Rate of Occurrence (ARO): The ARO is a number that represents the estimated
frequency with which a threat is expected to occur. The range for this value can be from 0.0 (never)
to a large number (for minor threats, such as misspellings of names in data entry). How this number
is derived can be very complicated. It is usually based upon the likelihood of the event and, for
human error, the number of employees who could make that error. The loss incurred by the event is
not a concern here, only how often it occurs.
For example, a meteorite damaging the data center could be estimated to occur only once every
100,000 years and will have an ARO of .00001. In contrast, 100 data entry operators attempting an
unauthorized access attempt could be estimated at six times a year per operator and will have an
ARO of 600.
Annualized Loss Expectancy (ALE): The ALE, a dollar value, is derived from the following
formula: Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO) = ALE.
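The two formulas above, applied to a small risk register, as an added worked example that is not part of the course text. It reproduces the text's $100,000 asset with a 30 percent exposure factor and reuses the text's two ARO figures (0.00001 for the meteorite, 600 for the data-entry operators); the asset values and exposure factors attached to those two threats, and the "file server" register entry itself, are constructed here for illustration. The example goes one step beyond the text by ranking the register entries by ALE, which is how the figure is normally used to decide where safeguard spending should go first.

```python
"""Quantitative risk assessment: SLE and ALE on a constructed risk register.

Formulas from the text:
    SLE = Asset Value ($) x Exposure Factor (EF)
    ALE = SLE x Annualized Rate of Occurrence (ARO)
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str
    asset_value: float      # dollars
    exposure_factor: float  # fraction of the asset value lost per event, 0.0 to 1.0
    aro: float              # expected occurrences per year (0.0 means never)


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value ($) x EF, rounded to cents."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return round(asset_value * exposure_factor, 2)


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, rounded to cents."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return round(sle * aro, 2)


def ale_for(entry: RiskEntry) -> float:
    """ALE of one register entry, computed through its SLE."""
    sle = single_loss_expectancy(entry.asset_value, entry.exposure_factor)
    return annualized_loss_expectancy(sle, entry.aro)


def rank_by_ale(register):
    """Return (entry, ALE) pairs ordered from the costliest annual loss downward."""
    scored = [(entry, ale_for(entry)) for entry in register]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed register. Entry 1 is the text's $100,000 / 30 percent example
# (its ARO of once a year is assumed). Entries 2 and 3 use the text's ARO
# figures; their asset values and exposure factors are assumed here.
REGISTER = [
    RiskEntry("File server", "Hardware failure", 100_000, 0.30, 1.0),
    RiskEntry("Data center", "Meteorite strike", 5_000_000, 1.00, 0.00001),
    RiskEntry("Customer database",
              "Unauthorized access attempt by data-entry staff",
              250_000, 0.002, 600),
]


if __name__ == "__main__":
    for entry, ale in rank_by_ale(REGISTER):
        sle = single_loss_expectancy(entry.asset_value, entry.exposure_factor)
        print(f"{entry.asset:18} {entry.threat:50} SLE=${sle:>12,.2f} "
              f"ARO={entry.aro:<10} ALE=${ale:>12,.2f}")
```

Running the register shows the point the ARO definition makes: the meteorite has by far the largest single loss (the whole data center) yet the smallest annual expectancy, while the frequent, low-impact data-entry threat tops the ranking.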
Pretend you are new and look at everything with a fresh view: is what you have recorded reasonable, or
should changes be made? Everyone in the workplace will have an opinion; seek them out and
evaluate their comments. Manufacturer data sheets are an excellent resource for hazard information
on machinery and chemicals. Use them as a reference for your risk assessments.
Information that is already in your business's possession may also be useful, like accident and ill
health records; they can often identify hazards which are less obvious. Not all hazards are
immediately obvious, noise and exposure to dust for instance may not manifest themselves for
some years.
Look for hazards by walking around the workplace. List the hazards that could reasonably be
expected to cause harm. Ask for the opinion of employees as they may have noticed things that are
not immediately obvious. Examples of hazards include:
Cables trailing over floors
Fire
Chemicals
Work benches which are too high or too low
Electricity
Loads which have to be moved manually
Work equipment
Working environment e.g. ventilation, lighting, heating.
STEP 2: WHO IS AT RISK AND HOW?
Compile a list of all persons who may be at risk; once you know who they are, you will be able to manage
the risk to them. You may need to consider them as groups rather than as individuals.
Descriptions of the harm are needed, including the type of injury, e.g. strain from repetitive tasks on a
production line.
There are special requirements for some groups of workers like young people, pregnant women,
and disabled persons. Extra thought will be needed for some hazards, and for workers in particular
disciplines such as cleaners, visitors, contractors and maintenance workers, who may not be in the
workplace all the time. Also consider members of the public if they could be hurt by your
activities. If you share your workplace, you will need to think about how your work affects others
present, as well as how their work affects your staff: talk to them and ask your staff if they can
think of anyone you may have missed.
List groups of people and individuals who may be affected by the hazards:
Staff
Members of the public
Contractors on the premises.
Pay particular attention to vulnerable persons, e.g. those with disabilities, visitors, female
employees who are pregnant or who have recently returned to work after having a baby,
inexperienced employees or young persons.
STEP 3: EVALUATE THE RISKS AND DECIDE ON PRECAUTIONS
There are Approved Codes of Practice available from the HSE which are taken to be industry best
practice. What are you going to do about the hazards; everything reasonably practicable is the
answer.
Is what you are doing sufficient? Use the ACOPs to measure your performance.
Use the ERICPD acronym to check that you Eliminate, Reduce, Isolate, Control, PPE (personal
protective equipment), Discipline of the workforce to work correctly. Evaluate the risks arising
from the hazards and decide whether existing precautions are adequate or if more should be done.
When evaluating the extent of the risk, account should be taken of the chance of some harm
occurring, the likely severity of this, and the number of people who could be affected. The simplest
Risk Ratings
Even after all precautions have been taken some risk may remain. Ensure the precautions in place
meet standards set by legal requirements; comply with a recognized standard, represent good
practice and reduce the risk as far as is reasonably practicable. Where additional controls or further
action are necessary to reduce the risk, decide what more could reasonably be done by adopting the
following principles:
Once the level of risk has been determined and the control measures needed to reduce or eliminate
the risk established, an action plan should be drawn up with timescales for implementation of the
control measures. The table below may be used as a guide for devising such an action plan.
Medium: Efforts should be made to reduce the risk, but the costs of prevention should be
carefully measured. Risk reduction measures should be implemented within a defined time
period. Where the moderate risk is associated with extremely harmful consequences, further
assessment may be necessary to establish more precisely the likelihood of harm as a basis for
determining the need for improved control measures.
High: Work should not be started until the risk has been reduced. Considerable resources may
have to be allocated to reduce the risk. Where the risk involves work in progress, urgent action
should be taken.
Extreme: Work should not be started or continued until the risk has been reduced. If it is not
possible to reduce the risk even with unlimited resources, work has to remain prohibited.
All findings should be written down, kept simple and not too elaborate. For example: 'Tripping over
rubbish: bins provided, staff instructed, housekeeping checks now in place weekly'; 'Welding fume:
local exhaust ventilation used and inspected regularly'.
Risk assessments need to be suitable and sufficient. They are rarely perfect, but they need to evaluate the
hazard properly. You need to be able to show:
a proper check was made
who might be affected
the significant hazards are controlled
all people potentially involved
precautions are reasonable
staff were involved
the remaining risk is low
Don't try to do everything at once. Make a plan of action to deal with the most important things
first. Health and safety inspectors acknowledge the efforts of businesses that are clearly trying to
make improvements.
Quick fixes
Medium and long term goals
Training
If you have fewer than five employees, risk assessments do not have to be written down. If you
employ five or more people, the significant findings of the assessment must be recorded. However,
you are advised to keep records even where there are fewer than five employees, since these provide
evidence that something has been done. Keep any written assessments for future reference and
ensure that employees are informed of the findings and of the control measures, either existing or
additional, that have to be observed and used. In some circumstances the findings of the risk
assessment should also be given to others who could be affected, for example agency workers,
contractors etc.
Q 2. We've audited our site for compliance with California's On-line Privacy Protection Act. Not
only is a web site the first contact with a prospect, it reflects on your organization's image. In
addition to interfacing with customers, web sites must comply with legislation.
a) Yes
b) No
Q 3. We've had an outside independent IT security audit within the past 12 months. Every system
has limitations. In addition, new and emerging threats develop on a regular basis. An
independent security audit helps you identify and eliminate your vulnerabilities.
a) Yes
b) No
Q 4. We have an incident response plan if someone has broken into our network. Ad hoc
investigations may do more harm than good. Organizations need a formal incident
response policy and plan to provide appropriate notification and analysis of a crime scene.
a) Yes
b) No
Q 5. Our users and IT staff regularly attend training on IT security threats. User education and
training is important to stay ahead of new and emerging threats. Security workshops at your
location are a cost effective and easy way to keep up-to-date.
a) Yes
b) No
Answers: 1) a, 2) a, 3) a, 4) a, 5) a