Professional Documents
Culture Documents
IT Control and Audit - Appendix 5-IT Risk Assessment Example Using NIST SP 800-30
IT Control and Audit - Appendix 5-IT Risk Assessment Example Using NIST SP 800-30
Assessment Example
Using NIST SP 800-30
The risk assessment used in this example is based on the National Institute of Standards and
Technology (NIST) SP 800-30 guide, “Guide for Conducting Risk Assessments.”* The guide is
consistent with the policies presented in the Office of Management and Budget Circular A-130,
Appendix III, “Security of Federal Automated Information Resources”; the Computer Security
Act of 1987; and the Government Information Security Reform Act of October 2000. NIST SP
800-30’s risk assessment includes the following nine steps:
1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk-level Determination
8. Control Recommendations
9. Results Documentation
The steps above are implemented to identify information security risks associated with the selected
organization’s information system. Step 1 through Step 7 (except Step 4) directly relate to risk
assessment. Steps 4, 8, and 9 relate to the identification and implementation of controls that miti-
gate or reduce risks, as well as documentation of results. Following is an example showing how the
NIST risk assessment is implemented in an organization.
* http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf.
417
418 ◾ Appendix 5: IT Risk Assessment
When interviewing the ITED and the BSA, it was noted that Banner holds critical and sensitive
information about finance, accounting, human resources (HR), and payroll. The BSA further
added that users of Banner include finance, accounting, HR, and technical/IT support personnel.
Based on review of documentation, the University has several policies and procedures in place
related to information systems operations, information security, and change control management.
In regards to the network infrastructure, the NA indicated that the University provides a wide
variety of networking resources to all qualified members within the university community. Access
to computers, systems, and networks is a privilege which imposes certain responsibilities and obliga-
tions, and which is granted subject to university policies, as well as local, state, and federal laws. All
users must comply with policies and guidelines, and act responsibly while using network resources.
Physical access to the University’s facilities and its data center, according to the ITED and
the OS, is restricted through security mechanisms, including (1) biometric devices, (2) security
Exhibit A5.1 Financial Application System in Scope for Risk Assessment Purposes
Application Server Name/Operating
Application Name System Version Application Server Location
guards, (3) video surveillance, and (4) visitors’ logs. The authority to change the above physical
access control mechanisms is limited to the ITED. The OS also stated that the University has
implemented various environmental controls in order to prevent damage to computer equipment,
and to protect data availability, integrity, and confidentiality. They are as follows: fire suppression
equipment (i.e., FM-200 and fire extinguishers), uninterruptible power supplies, alternate power
generators, and raised floors.
When asked about logical information security around Banner both, the SA and BSA, agreed
on the following:
◾◾ Some password settings have been configured although current configuration is not consis-
tent with industry best practices.
◾◾ Reviews of user access within Banner are conducted, but not on a periodic basis. Terminated
user accounts are removed from Banner, but not in a timely manner. Documentation sup-
porting reviews and removal of user access is not maintained.
◾◾ Programmers are restricted to work changes and modifications (i.e., updates and upgrades)
to Banner in a test/development environment prior to their implementation in production.
However, test results are not reviewed by management (i.e., ITED) nor approved before final
implementation in production.
Lastly, Banner information is backed up daily though the OS stated that such daily backup is
stored locally as the University has no offsite facility in place for backup storage.
Step 3. V
ulnerability Identification
NIST defines vulnerability as a “weakness in an information system, system security proce-
dures, internal controls, or implementation that could be exploited by a threat source” (p. 9).
Vulnerabilities around Banner that could be exploited by threat-sources were identified from dis-
cussions with management personnel, observations, and inspections of relevant documentation,
as recommended by NIST. Documentation reviewed include previous IT risk assessments, as well
as IT Audit and Security Reports. Refer to Exhibit A5.2 for a list of five vulnerabilities and threat-
source pairs identified per IT area.
Step 4. C
ontrol Analysis
This step takes into consideration the controls that are in place, or are planned for implementation
by the University in order to reduce or eliminate the probability of a threat exercising a vulner-
ability. This step is addressed in Steps 8 and 9.
NIST recommends the following High–Medium–Low definitions to describe the likelihood that
vulnerabilities could be exercised by a given threat-source. However, for this example, Very High
and Very Low levels have been added to obtain a more granular rating indicating the probability
that vulnerabilities may be exercised. Refer to Exhibit A5.3.
Probabilities of Very High = 1.00, High = 0.75, Medium = 0.50, Low = 0.25, and Very
Low = 0.10 were assigned for each vulnerability based on management’s estimate of their like-
lihood level.
Very High Results in the loss of extremely priced assets or resources; 100
will violate or harm the University’s reputation.
Determination of risk levels (i.e., Risk Rating) is obtained by multiplying the ratings assigned for
threat likelihood (i.e., probability) and the threat impact. Determination of these risk levels or rat-
ings is of a subjective nature, as it results solely from management’s estimates and opinions (based
on knowledge and/or prior experience) when assigning threat likelihood and impact. Exhibit A5.5
shows various degrees or levels of risk, based on NIST, to which an IT system (in this case Banner)
might be exposed if a given vulnerability was exercised by a threat. Exhibit A5.5 also suggests nec-
essary actions that management must take for each risk level. For purposes of this example, Very
High and Very Low risk levels were incorporated in an effort to obtain granularity of risk ratings.
Exhibit A5.6 illustrates completion of the aforementioned Steps 1–7, including a description of
each risk identified, as well as final determination of their levels (i.e., risk rating) for every vulner-
ability that could be potentially exercised.
Very High 100 Corrective measures are mandatory; action plans must be
implemented; IT system may not operate.
(Continued)
◾
423
424 ◾
Appendix 5: IT Risk Assessment
Exhibit A5.6 (Continued) Risk Assessment
Likelihood Determination Impact
Information 4. Terminated user Unauthorized Very High 1.00 High 75 4. Terminated users can gain 75
Security - accounts are not users access to Banner and view
Terminations removed timely, (terminated or modify its financial
or not removed employees). information.
at all, from
Banner.
Change 5. Test results for Implementation Low 0.25 High 75 5. Banner modifications are 18.75
Control Banner of unauthorized not properly authorized.
Management modifications application Implementation of such
are not modifications. modifications could result
approved by in invalid or misleading
management, data.
prior to their
implementation
into the
production
environment.
Appendix 5: IT Risk Assessment ◾ 425
As mentioned earlier, Steps 4, 8, and 9 relate to the identification and implementation of con-
trols that mitigate or reduce risks, as well as results documentation. Those steps are addressed in
the following sections.
Risk Avoidance Avoids the risk by eliminating its cause and/or consequence.
Risk Limitation Limits risks by implementing controls that minimize the impact of a
vulnerability exercised by a threat.
Risk Planning Manages risks through a risk mitigation plan that prioritizes,
implements, and maintains controls.
recommendations are established. Management listed all potential RCs that could reduce the
risks identified, and assigned priority to those controls using rankings ranging from Very High
to Very Low levels (refer to Exhibit A5.8). Management also acknowledged that implementing all
RCs may not be the most appropriate and feasible option. Further analyses related to feasibility,
effectiveness, and cost–benefit were performed in the following sections for each RC in order to
determine the most appropriate ones for reducing risks.
◾◾ Management Security Controls. These controls manage and reduce the risk of loss while pro-
tecting the organization’s mission. Management security controls take the form of policies,
guidelines, and standards to fulfill the organization’s goals and missions.
◾◾ Technical Security Controls. These controls relate to the configuration of parameters within
applications, systems, databases, and networks to protect against security threats over criti-
cal and sensitive information, as well as IT system functions.
(Continued)
Appendix 5: IT Risk Assessment ◾ 427
◾◾ Operational Security Controls. These controls make certain that security procedures gov-
erning the use of the organization’s IT assets (i.e., Banner) are adequately implemented
consistent with the organization’s goals and mission. Operational security controls address
operational deficiencies that could result from potentially exercised vulnerabilities.
Category determination and discussions of each RC per IT area were performed with the assis-
tance of management and are documented in Exhibit A5.9.
◾◾ Rule 1. If control reduces risks more than needed, consider an alternate, less expensive
control.
◾◾ Rule 2. If the cost of the control is higher than the risk reduction provided, consider identi-
fying additional controls.
◾◾ Rule 3. If the control does not provide a significant risk reduction, consider identifying
additional controls.
◾◾ Rule 4. If the control does provide a significant risk reduction and it is cost-effective, imple-
ment the control.
Below is an overall summary of the cost–benefit analysis procedures management performed for
each RC:
◾◾ Evaluated potential benefits over costs to support implementation of the new control, and
communicate such to the University’s senior management and Board of Directors.
Once the cost–benefit analysis was performed, controls were formally selected (refer to Exhibit
A5.10). However, because risks cannot be eliminated completely, but reduced to acceptable levels,
Exhibit A5.9 Recommended Control: Category Determination and Discussion
IT Area: Recommended Control Control Category and Discussion
IS Operations - Offsite Storage: RC1 is part of the Management Security Controls and the Operational Security
RC1. Backups of Banner financial data are Controls categories. RC1 has the capability of supporting the continuity of operations
archived off-site to minimize risk that data is and business resumption during emergencies or disasters. Equally important, RC1
lost. ensures that Banner’s backed up data gets rotated to an off-site location in order to
minimize the risk that significant data could be lost during a particular event (e.g.,
hardware failure, computing environment disaster, etc.). The recovery of lost data
could require significant effort or be virtually impossible in certain situations.
Information Security - Passwords: RC2 belongs to the Technical Security Controls category. Strong authentication
RC2. The identity of users is authenticated to controls through configuration of logical security settings (i.e., passwords) verify the
Banner through passwords consistent with identity of the employee to ensure it is valid and genuine. More important, strong
industry best practices minimum security password controls promote adequate security and protect Banner’s financial data
values. Passwords must incorporate from threats, such as, deliberate attacks by malicious persons or disgruntled
configuration for minimum length, periodic employees trying to gain unauthorized access in order to compromise system and
change, password history, lockout threshold, data integrity, availability, or confidentiality. Strong passwords may also protect
and complexity. Banner’s financial information from unintentional acts, such as negligence and errors,
Information Security - Reviews of User Access: RC3, RC4, and RC5 pertain to the Management Security Controls as well as the
RC3. Banner owners authorize the nature and Technical Security Controls categories. They make certain that access to users is
extent of user access privileges. granted following the principle of “least privilege” (also known as the principle of
RC4. The ability to make modifications to Banner minimal privilege), which basically requires that users must be able to access only the
security parameters, security roles, or security information and resources necessary to carry on their daily tasks. In other words,
configuration is limited to appropriate access granted to users must be legitimate and consistent with job responsibilities.
personnel. Failure to review user access levels on a periodic basis may not allow the University to
RC5. User access privileges within Banner are detect and correct unauthorized access in a timely manner.
periodically reviewed by application owners to
verify that access privileges remain appropriate
and consistent with job requirements.
◾
(Continued)
429
430 ◾
Exhibit A5.9 (Continued) Recommended Control: Category Determination and Discussion
Information Security - Terminations: RC6 belongs to the Technical Security Controls category. Notification of employee
RC6. The security administrator is notified of resignations or terminations should be communicated, in a timely basis, to IT
employees who have been terminated. Access personnel and must include specific systems and/or applications so that access may
privileges of such employees are immediately be removed accurately. Failure to notify IT personnel may result in terminated
changed to reflect their new status. employees having access rights capable of executing different types of financial
transactions, exposing the University to malicious attacks, damages, intrusions, and/or
misappropriation of assets. Furthermore, having active accounts of terminated
employees within Banner for a period longer than necessary allows opportunities for
manipulation of confidential and/or sensitive information, security breaches, etc. This
may result in former employees with potential access rights for executing unlimited
types of transactions (e.g., fraud accounting, disbursements, etc.).
Change Control Management: RC7 and RC8 are part of the Management Security Controls category. Change control
RC7. Modifications to Banner are tested and is critical to have highly reliable systems that meet the defined service levels of the
approved by management prior to their University and should be formalized through adequate documentation. It is
implementation in production in accordance necessary that each change be controlled throughout its life cycle and integrated into
with test plans and results. the production environment in a systematic and controlled manner. The primary
RC8. User and other requests for modifications objective is to maintain the integrity and reliability of the production environment,
to Banner, including upgrades, fixes, and while making changes for the user community. Failure to enforce appropriate change
emergency changes, are documented and controls can result in operational disruptions, degraded system performance, or
approved by management to verify that all compromised security. Furthermore, lack of documentation may result in the inability
changes to the production environment were to track where changes have been made, thus, delaying the correction of problems.
documented, tested, and authorized. Proper documentation supports test results, including resolution of problems
encountered, as well as approvals to implement changes into live environments.
Exhibit A5.10 Selection of Controls, Results, and Residual Risks
IT Area Risk Selected Control Results/Residual Risk
IS Operations - 1. Banner information cannot be RC1. Backups of Banner financial data Risk reduced to acceptable
Offsite Storage recovered in the event of a system are archived off-site to minimize risk levels/No residual risk.
failure, impacting the University’s that data is lost.
ability to report financial information
according to established reporting
requirements.
Information 2. Security parameters are not RC2. The identity of users is Management configured three
Security - appropriately configured, allowing for authenticated to Banner through of five security parameters (i.e.,
Passwords potential unauthorized user access to passwords consistent with industry best minimum length, password
the Banner application. practices minimum security values. history, and lockout threshold).
Passwords must incorporate Periodic change and password
configuration for minimum length, complexity were not
periodic change, password history, configured/Residual risks
lockout threshold, and complexity. remained.
Information 4. Terminated users can gain access to RC6. The security administrator is Risk reduced to acceptable
Security - Banner and view or modify its financial notified of employees who have been levels/No residual risk.
Terminations information. terminated. Access privileges of such
employees are immediately changed to
reflect their new status.
Change Control 5. Banner modifications are not RC7. Modifications to Banner are tested Risk reduced to acceptable
Management properly authorized. Implementation and approved by management prior to levels/No residual risk.
◾ 431
of such modifications could result in their implementation in production in
invalid or misleading data. accordance with test plans and results.
432 ◾ Appendix 5: IT Risk Assessment
there were some risks that still remained after formal selection and implementation of the controls.
These remaining risks are called “residual risks” and are discussed next.
Exhibit A5.11 illustrates the relationship between control implementation and residual risk.
Step 9 describes the results of this risk assessment, including the residual risks remaining in
Banner after mitigation has been applied, as well as a plan for managing such residual risks.
Step 9. R
esults Documentation
As indicated above, implemented controls may lower risks, but not necessarily eliminate them.
Residual risks may remain after all other known risks have been countered, factored, or reduced,
exposing the organization to loss.
Exhibit A5.10 shows the effect from implementing controls over the risks identified, as indi-
cated by management. The following summarizes such effect once the selected controls were
implemented:
Eliminating or
reducing
vulnerabilities
Reducing magnitude
of impact
◾◾ Risk 1, Risk 4, and Risk 5 related to recovery of Banner data, access of terminated user accounts,
and unauthorized implementation of Banner changes, respectively, were reduced to acceptable
levels with no remaining residual risks. No further procedures were deemed necessary.
◾◾ Risk 2, related to configuration of inappropriate security parameters (i.e., passwords), as well
as Risk 3 (i.e., inconsistencies in user access) was not reduced to acceptable levels resulting
in some residual risks remaining, which are discussed below.
For Risk 2, management configured three out of five password parameters (i.e., minimum length,
password history, and lockout threshold). However, periodic password change and complexity
settings were not configured. Management acknowledges that periodic password change (or pass-
word expiration) and complexity may be a source of frustration to users, who are often required
to create and remember new passwords every few months for various accounts. Therefore, users
tend to choose weak passwords and use the same few passwords for many accounts. Management
further stated that the costs for configuring these two password settings were not justifiable. As
a result, a residual risk remained still exposing Banner financial data to threats like malicious
attacks, damages, intrusions, and/or manipulation.
After several discussions regarding the residual risks, management expressed interest over
improving current Banner password settings in the near future. In the meantime, the following
constitutes management’s plan and current safeguards to manage and/or mitigate the residual
risks related to Risk 2:
◾◾ Current password settings configured at the local area network (LAN) are consistent with
industry best practices and address settings such as minimum length, password history,
lockout threshold, password change, and complexity. This current control helps managing
and mitigating the residual risk in Banner, as users need to authenticate to the LAN before
accessing the Banner application. The LAN serves as the first level of authentication for
Banner users, and those settings are effectively configured.
◾◾ Information security tools over Banner are administrated and implemented to restrict access,
as well as, record and report security events (e.g., security violation reports, unauthorized
attempts to access information resources, etc.).
◾◾ Banner application owners authorize access for new users and/or users that have changed
roles and responsibilities.
◾◾ Banner users are required to have a unique user identifier in order to distinguish one user
from another and to establish accountability.
◾◾ Banner terminals and work stations are protected by time-out facilities, which are activated
after an appropriate, predetermined period of inactivity has elapsed.
In regards to Risk 3, management stated that only one user access review would continue to be
performed during the year as the cost for performing additional/periodic reviews of user access is
not justifiable. As a result, the following residual risks remained as acknowledged by management:
1. Lack of periodic reviews of user access levels may result in employees having access rights to
record and authorize different types of transactions (e.g., accounting transactions, journal
entries, etc.), thus, exposing the University to a risk of fraud, manipulation of information,
or misappropriation and errors.
2. Failure to review user access levels on a periodic basis may not allow the University to detect
and correct unauthorized access in a timely manner.
434 ◾ Appendix 5: IT Risk Assessment
In order to come up with a plan to identify safeguards to manage and/or mitigate such residual
risks, management pointed to the following procedures which were currently in place:
◾◾ Banner application owners authorize access for new users and/or users that have changed
roles and responsibilities.
◾◾ The ability to make modifications to Banner security parameters, security roles, or security
configuration is limited to appropriate personnel.
◾◾ Information security tools over Banner are administrated and implemented to restrict access,
as well as record and report security events (e.g., security violation reports, unauthorized
attempts to access information resources, etc.).
◾◾ There are effective procedures in place to ensure that production systems are available for
the execution of processing and that financial data can be recovered should any disruptions
in processing occur.
◾◾ There are effective change control procedures to ensure that Banner modifications are
tested in separate test/development environment before implementation into the production
environment.
Management further expressed their intention to segregate Banner users in groups. A schedule will
be prepared to conduct additional, periodic reviews of access for several groups of users during the
year. Access of all these groups of users must be reviewed and approved during a period of two
years. Documentation supporting those reviews will also be maintained as evidence.
The aforementioned control activities are helpful in managing and mitigating the residual
risks resulting from password settings, as well as the lack of periodic user access reviews. These
additional safeguards compensate the exceptions previously noted and can mitigate the risks of
unauthorized users gaining access to Banner financial data.
Overall, results of this risk assessment exercise were satisfactory, meaning that IT controls are
functioning effectively. That is, controls in place not only mitigate risks, but cover effectiveness
and efficiency of operations, reliability and completeness of accounting records, and compliance
with applicable laws and regulations, among others. Management expressed great satisfaction with
the results of both, risk assessment and mitigation exercises, and further indicated that the results
obtained around the Banner financial application were consistent with previous risk assessments
and evaluations. Particularly, the results of the risk exercises performed motivated the University’s
IT management to continue providing users safe and reliable financial information by con-
stantly protecting the information’s confidentiality, integrity, and availability through effective
IT controls.