The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments
The following are the common steps taken to perform a security risk assessment. They are generic steps: do not follow them as-is, but adapt them to the organization's assessment scope and business requirements.
• Identify the business needs of the assessment and align your requirements with business needs.
• Assess the existing security policies, standards, guidelines and procedures for adequacy and completeness.
• Review and analyze the existing assets, threats and vulnerabilities.
• Analyze the impact and likelihood of threats and vulnerabilities on those assets.
• Assess the physical controls protecting the network and security infrastructure.
• Assess the procedural configuration review of the network and security infrastructure against existing policies and procedures.
• Review logical access, physical access and other authentication mechanisms.
• Review the level of security awareness against current policies and procedures.
• Review the security controls in service level agreements with vendors and contractors.
• At the end of the review, develop practical recommendations to address the identified gaps in security controls.
To close the identified gaps in the infrastructure, select countermeasures that either address the vulnerability or thwart the threat of attack. Countermeasures fall into four types of control:
• Deterrent controls reduce the likelihood of an attack. Blocking phishing sites at the ISP is an example of a deterrent control.
• Preventive controls reduce exposure. A firewall is an example of a preventive control.
• Corrective controls reduce the impact of successful attacks. Antivirus is an example of a corrective control.
• Detective controls discover attacks and trigger preventive or corrective controls. IDSs and SIEM systems are examples of detective controls.
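As an added illustration of two of the steps above, the likelihood-and-impact analysis and the mapping of gaps to the four control types (example code written for this page, not taken from the handbook), the following Python ranks a small risk register and lists which control types each item still lacks. The 1..5 scales, the rating thresholds and the sample entries are constructed assumptions.

```python
from dataclasses import dataclass
# The four control types named in the text, with the page's own examples.
CONTROL_TYPES = {
    "deterrent": "reduces the likelihood of an attack (e.g. blocking phishing sites at the ISP)",
    "preventive": "reduces exposure (e.g. a firewall)",
    "corrective": "reduces the impact of a successful attack (e.g. antivirus)",
    "detective": "discovers attacks and triggers other controls (e.g. IDS, SIEM)",
}

@dataclass
class RiskItem:
    # One asset/threat/vulnerability triple from the review step
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # assumed scale 1 (rare) .. 5 (almost certain)
    impact: int      # assumed scale 1 (negligible) .. 5 (severe)
    controls: frozenset = frozenset()  # control types already in place

    def score(self) -> int:
        # Likelihood x impact product, the usual qualitative risk matrix
        return self.likelihood * self.impact

def rating(score: int) -> str:
    # Thresholds are an assumption; tune them to the organization's risk appetite
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"

def missing_controls(item: RiskItem) -> list:
    # Control types from the taxonomy that this item has no coverage for
    return sorted(set(CONTROL_TYPES) - set(item.controls))

def build_register(items: list) -> list:
    # Rank items by risk score and attach the control gaps to each
    ranked = sorted(items, key=lambda i: i.score(), reverse=True)
    return [{"asset": i.asset, "threat": i.threat, "score": i.score(),
             "rating": rating(i.score()), "gaps": missing_controls(i)}
            for i in ranked]

# Constructed sample entries, not real findings
SAMPLE = [
    RiskItem("customer database", "SQL injection", "unpatched web app", 4, 5, frozenset({"preventive"})),
    RiskItem("staff workstations", "phishing", "no link filtering", 5, 3, frozenset({"corrective", "detective"})),
    RiskItem("office printer", "misuse", "default admin password", 2, 2),
]
for row in build_register(SAMPLE):
    print(f"{row['rating']:6} {row['score']:2}  {row['asset']} / {row['threat']} -> gaps: {', '.join(row['gaps'])}")
```

The output orders items so the recommendations step can start with the highest-scoring gaps.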