Security Risk Management Process in the Organization - Essay Example

Summary
The paper "Security Risk Management Process in the Organization" describes the process for analyzing needs identified through a risk assessment, evaluates how many courses of action should be developed to eliminate, reduce, or mitigate risk, and discusses the assessment's contribution to the transfer of knowledge between the security assessment team and the firm's staff.

Extract of sample "Security Risk Management Process in the Organization"

Describe the process for analyzing needs identified through a risk assessment. How many courses of action should be developed to eliminate, reduce, or mitigate risk?

A security risk assessment plays a central role in the security management process because it provides information about an organization's assets, the threats to them and the resulting risks (Landoll, 2006). There are many definitions of a security risk assessment, several of them overly complex or tied to a specific industry segment. While assessments differ in reach, accuracy and approach, their main objective is the same: to identify and measure the assets, threats and risks of the organization. This paper describes the process for analyzing needs identified through a risk assessment and the courses of action that may be taken to eliminate, reduce or mitigate risk.

A security risk assessment is a complex procedure. It involves a review of the organization's threat environment, the value of its assets, the vulnerabilities of its security controls, the criticality of its systems and the impact of expected losses, and it ends with recommendations for additional controls that may reduce risk to an acceptable level. The data collected in this process enable senior management to identify the need for additional security controls. It is a reliable way of estimating risk and therefore an essential input to any action aimed at eliminating, reducing or mitigating it. The risk assessment process described here was developed in the 1990s for the Interagency Forum for Infrastructure Protection (IFIP), which was founded to address the protection of infrastructure against the terrorist threat.
Initially it was used to protect federal dams, high-voltage electric power transmission systems and other critical national infrastructure (Biringer, Matalucci and O'Connor, 2007). Following the terrorist attacks of 11 September 2001, the perceived threat potential in the United States has increased dramatically, so it is particularly important to provide organizations with appropriate controls and security measures to protect their facilities as well as the lives of their employees (Biringer, Matalucci and O'Connor, 2007).

The security risk assessment process starts with a detailed facility characterization, which covers the organization's mission, the operating conditions of its buildings and the security events it is exposed to. A thorough physical description of the site is required: its physical layout, floor plans, site boundaries, building locations, construction details and access points. The description also needs to record policies, procedures and the physical and cyber-protection features together with their locations. Any faults and vulnerabilities in the protection of the building must be recorded explicitly, since they are what make the organization vulnerable to attack. Facility characterization concludes with a statement of the protection objectives: a list of undesired events and, for each, the critical assets that need to be protected (Biringer, Matalucci and O'Connor, 2007).

The review of the threat environment involves describing the adversary threat spectrum and assessing the threat potential for attack. A threat description includes the number and type of adversaries, their modus operandi, the weapons and tools they could use and the types of acts they are likely to commit. The threat against which the organization is to be protected is defined as the Design Basis Threat (DBT).
The DBT is a management decision that fixes the level of threat the protection system is designed to defeat; it usually covers several different threat levels. Sources of threat information that need to be identified at this stage include local, state and federal law enforcement and the related intelligence agencies (Sandia National Laboratories, 2006). Past criminal activity associated with the site and analytical projections of future activity should also be documented (Biringer, Matalucci and O'Connor, 2007). Once the adversary threat spectrum has been described, threats can be categorized in terms of likelihood and combined with the likelihood of the consequences that follow from the initiating event. A complete threat analysis considers adversary capability, adversary history and intent, and the relative attractiveness of the organization's assets to each adversary group. Capability covers access to the region, technical and planning skills, and material and financial resources. History and intent cover historic interest and attacks, current surveillance of or interest in the site, and documented threats. The attractiveness of an asset to an adversary depends on the level of consequence the adversary desires, its ideology and the ease of attack (Biringer, Matalucci and O'Connor, 2007).

The next stage estimates the consequences of losing specific critical assets for each undesired event. Measurement criteria must be defined for the consequence parameters, such as economic and environmental impact, the number of people affected, loss of a critical mission or function, duration of the loss, replacement value and loss of public confidence (Sandia National Laboratories, 2005).
It is also helpful to prioritize the organization's targets and determine the severity of the loss of each asset or target (Sandia National Laboratories, 2006). Next, system ineffectiveness is assessed by evaluating the effectiveness of the security system; the two are complementary, so where security system effectiveness is low, system ineffectiveness is high. The weaknesses and deficient protection elements responsible for low system effectiveness are the site-specific system vulnerabilities (Biringer, Matalucci and O'Connor, 2007). Given qualitative estimates for the likelihood of attack, system ineffectiveness and consequence, relative security risk can be estimated. Such estimates are not absolute, but they are a very useful tool for risk management decisions. Once risk levels have been estimated, the analysis team and the security risk managers compare them with a predetermined risk threshold and decide whether further analysis is needed (Biringer, Matalucci and O'Connor, 2007). Where the risk level for part of the threat spectrum is high, the risk managers consider strategies to reduce, eliminate or mitigate it. These strategies work by lowering one or more of the parameters of the security risk equation: the probability of attack, system ineffectiveness and the consequences of the undesired event. As protection system effectiveness improves and consequences are mitigated, the risk level falls. The impacts of each candidate risk reduction package on the organization then need to be analyzed (Biringer, Matalucci and O'Connor, 2007).

The completed assessment is presented to the senior management of the organization, who decide whether additional security controls need to be implemented (Landoll, 2006). The process of security testing and review supplies senior management with information on which controls need updating.
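The essay names the three parameters of the security risk equation but never writes the equation out. In the Sandia RAM methodology that the essay's sources describe, relative risk is the product R = P_A × (1 − P_E) × C, where P_A is the likelihood of attack, P_E the protection system effectiveness (so 1 − P_E is system ineffectiveness) and C the consequence of the undesired event. The Python below is an added worked example, not code from the essay or from Sandia. It derives P_A from qualitative ratings of adversary capability, intent and asset attractiveness (a simple mean, which is an assumption; the real RAM worksheets use their own lookup tables), ranks a small set of constructed undesired events against a constructed risk threshold, and then evaluates constructed risk reduction packages that either raise P_E or mitigate C to find the cheapest one that brings the worst event to or below the threshold.

```python
"""Relative security risk in the form used by the Sandia RAM methodology:

    R = P_A * (1 - P_E) * C

P_A  likelihood of adversary attack (output of the threat analysis)
P_E  protection system effectiveness, so (1 - P_E) is system ineffectiveness
C    consequence of the undesired event, normalised to the range 0..1

Added example; not code from the essay or from Sandia. The rating scale, the
events, the threshold and the risk reduction packages are all constructed.
"""
from dataclasses import dataclass, replace
from typing import Iterable, List, Optional, Tuple

# Assumption: an illustrative mapping from qualitative threat ratings to a
# likelihood value. The real RAM worksheets use their own lookup tables.
RATING = {"low": 0.2, "medium": 0.5, "high": 0.8}


def likelihood_of_attack(capability: str, intent: str, attractiveness: str) -> float:
    """Combine the three threat-analysis factors into P_A (simple mean; an assumption)."""
    return sum(RATING[r.lower()] for r in (capability, intent, attractiveness)) / 3.0


def _check_unit(name: str, value: float) -> None:
    """All three risk parameters are probabilities or normalised scores in [0, 1]."""
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} must lie in [0, 1], got {value}")


@dataclass(frozen=True)
class UndesiredEvent:
    name: str
    p_attack: float      # P_A
    p_effective: float   # P_E
    consequence: float   # C

    def __post_init__(self) -> None:
        for field in ("p_attack", "p_effective", "consequence"):
            _check_unit(field, getattr(self, field))

    def ineffectiveness(self) -> float:
        return 1.0 - self.p_effective

    def risk(self) -> float:
        return self.p_attack * self.ineffectiveness() * self.consequence


@dataclass(frozen=True)
class RiskReductionPackage:
    """A candidate upgrade: raises P_E (better protection) and/or scales C (mitigation)."""
    name: str
    cost: float
    p_effective_gain: float = 0.0
    consequence_factor: float = 1.0

    def apply(self, event: UndesiredEvent) -> UndesiredEvent:
        return replace(
            event,
            p_effective=min(1.0, event.p_effective + self.p_effective_gain),
            consequence=event.consequence * self.consequence_factor,
        )


def rank_against_threshold(events: Iterable[UndesiredEvent],
                           threshold: float) -> List[Tuple[str, float, bool]]:
    """Rows of (event name, relative risk, exceeds threshold), highest risk first."""
    rows = [(e.name, e.risk(), e.risk() > threshold) for e in events]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def cheapest_acceptable_package(event: UndesiredEvent,
                                packages: Iterable[RiskReductionPackage],
                                threshold: float) -> Optional[RiskReductionPackage]:
    """Lowest-cost package that brings the event to or below the threshold, else None."""
    acceptable = [p for p in packages if p.apply(event).risk() <= threshold]
    return min(acceptable, key=lambda p: p.cost, default=None)


RISK_THRESHOLD = 0.10  # constructed management threshold for relative risk

# Constructed undesired events for a hypothetical site.
EVENTS = [
    UndesiredEvent("Unauthorised entry to the control room",
                   likelihood_of_attack("high", "medium", "medium"), 0.4, 0.9),
    UndesiredEvent("Theft of backup tapes from the archive",
                   likelihood_of_attack("medium", "medium", "medium"), 0.7, 0.5),
    UndesiredEvent("Vandalism of the perimeter fence",
                   likelihood_of_attack("high", "high", "high"), 0.2, 0.1),
]

# Constructed risk reduction packages for the control-room event.
PACKAGES = [
    RiskReductionPackage("Card readers and CCTV on control-room doors", 50_000,
                         p_effective_gain=0.3),
    RiskReductionPackage("Card readers plus a backup control site", 120_000,
                         p_effective_gain=0.3, consequence_factor=0.5),
    RiskReductionPackage("Round-the-clock guard force", 200_000,
                         p_effective_gain=0.5),
]

if __name__ == "__main__":
    for name, r, above in rank_against_threshold(EVENTS, RISK_THRESHOLD):
        print(f"{r:.3f}  {'ABOVE' if above else 'ok   '}  {name}")
    worst = max(EVENTS, key=UndesiredEvent.risk)
    choice = cheapest_acceptable_package(worst, PACKAGES, RISK_THRESHOLD)
    print("Recommended package:", choice.name if choice else "none meets the threshold")
```

With these constructed numbers only the control-room event (R = 0.6 × 0.6 × 0.9 = 0.324) exceeds the 0.10 threshold. Raising P_E alone from 0.4 to 0.7 leaves it at 0.162, still above the line; the package that also halves the consequence brings it to 0.081 and is cheaper than the guard force, which is why the selection favours it. The point the essay makes in prose is visible in the arithmetic: the same risk can be bought down by working on any of the three factors, and the package comparison is what turns a relative risk estimate into a management decision.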
During security testing, the controls in place are identified and tested, which gives the organization information on the vulnerabilities of the systems that protect sensitive information. Control upgrades need to cover both physical protection features and cyber-protection features. Implementing new security controls and improving existing ones enables the organization to reduce, and in some cases eliminate, the risk to its assets. With the information gained from the risk assessment and from security testing, senior management can take risk-based decisions about spending on new and existing controls. At this stage the organization decides how each remaining risk is to be treated: by implementing additional controls and corrections, by accepting it, or by transferring it (Landoll, 2006).

Finally, in the last stage of the security risk management process, operational personnel implement and operate all the security controls required. These activities include the implementation of technical controls such as account and access controls, firewalls and anti-virus software. Because security operations involve the direct control of safeguards, they aim to prevent errors and omissions as well as waste, fraud and abuse. With patches applied, accounts maintained and security awareness training delivered on a daily and weekly basis, an adequate security posture can be maintained.

The risk assessment process thus enables an organization to identify and analyze its need for additional security controls. It also contributes to the transfer of knowledge between the assessment team and the organization's staff, increases communication about security among business units and develops security awareness within the organization. The results of the assessment can also be used to measure the organization's security posture (Landoll, 2006).
In summary, a thorough facility characterization enables the organization to identify the critical assets that need to be protected. With the adversary threat spectrum described, the threat potential for attack can be assessed in terms of adversary capability, adversary history and intent, and the attractiveness of the organization's assets to each adversary group. The organization can prioritize its targets and estimate the severity of the consequences of losing each target or asset for every undesired event. Once the site-specific system vulnerabilities that lower the effectiveness of the security system have been identified, it can estimate relative security risk and consider strategies to reduce, eliminate or mitigate that risk (Biringer, Matalucci and O'Connor, 2007). Once the impacts of the risk reduction packages have been analyzed, new security controls can be implemented and existing ones improved (Landoll, 2006). This is supported by security testing and review, which provides information on the vulnerabilities of the organization's systems. By implementing additional controls and corrections, and by accepting or transferring the remaining risk, the organization mitigates its exposure. Finally, the regular implementation and operation of all security controls allows the organization to maintain an adequate security posture and so contributes to the safety of its facilities and employees.

References:

Biringer, B., Matalucci, R. and O'Connor, S. (2007). Security risk assessment and management: A professional practice guide for protecting buildings and infrastructures. New Jersey: John Wiley & Sons.

Landoll, D. J. (2006). The security risk assessment handbook: A complete guide for performing security risk assessments. London: Taylor & Francis Group.

Sandia National Laboratories (2005). Security risk assessment methodology for communities. Sandia RAM overview. Retrieved 18 December 2009 from http://www.sandia.gov/ram/index.htm

Sandia National Laboratories (2006). Security risk assessment methodologies. Sandia RAM overview. Retrieved 19 December 2009 from http://www.sandia.gov/ram/index.htm
Security Risk Management Process in the Organization Essay. Retrieved from https://studentshare.org/management/1561357-criminal-justice-personal-security