Welcome » IT Booklets » Information Security » Information Security Risk Assessment » Key Steps » Analyze the Information
Classify and Rank Sensitive Data, Systems, and Applications Financial institutions should assess the relative importance of the various information systems based on the nature of their function, the criticality of data they support, and the sensitivity of data they store, transmit, or protect. When assessing the sensitivity of data, institutions should consider the increased risk posed to the institution from the aggregation of data elements.
Institutions may establish an information data classification program to identify and rank data, systems, and applications in order of importance. Classifying data allows the institution to ensure consistent protection of information and other critical data throughout the system. Classifying systems allows the institution to focus its controls and efforts in an efficient and structured manner. Systems that store or transmit data of different sensitivities should be classified as if all data were at the highest sensitivity. Classification should be based on a weighted composite of all relevant attributes.
Assess Threats and Vulnerabilities Financial institutions should assess potential threats and vulnerabilities of their information systems. Generally, this assessment is to determine which threats or vulnerabilities deserve priority attention relative to the value of the information or information systems being protected. Although threats and vulnerabilities need to be considered simultaneously, it is important to distinguish threats from vulnerabilities.
Threats are events that could cause harm to the confidentiality, integrity, or availability of information or information systems. They can be characterized as the potential for agents exploiting a vulnerability to cause harm through the unauthorized disclosure, misuse, alteration, or destruction of information or information systems. Threats can arise from a wide variety of sources. Traditionally, the agents have been categorized as internal (malicious or incompetent employees, contractors, service providers, and former insiders) and external (criminals, recreational hackers, competitors, and terrorists). Each of the agents identified may have different capabilities and motivations, which may require the use of different risk mitigation and control techniques and the focus on different information elements or systems. Natural and man-made disasters should also be considered as agents.
Vulnerabilities can be characterized as weaknesses in a system, or control gaps that, if exploited, could result in the unauthorized disclosure, misuse, alteration, or destruction of information or information systems. Vulnerabilities are generally grouped into two types: known and expected. Known vulnerabilities are discovered by testing or other reviews of the environment, knowledge of policy weaknesses, knowledge of inadequate implementations, and knowledge of personnel issues. Adequate and timely testing is essential to identify many of these vulnerabilities. Inadequate or untimely testing may critically weaken the risk assessment.
Expected vulnerabilities to consider are those that can reasonably be anticipated to arise in the future. Examples may include unpatched software, new and unique attack methodologies that bypass current controls, employee and contractor failures to perform security duties satisfactorily, personnel turnover resulting in less experienced and knowledgeable staff, new technology introduced with security flaws, and failure to comply with policies and procedures. Although some vulnerabilities may exist only for a short time until they are corrected, the risk assessment should consider the risk posed for the time period the vulnerability might exist.
Financial institutions should analyze through scenarios the probability of different threat agents causing damage. These scenarios should consider the financial institution's business strategy, quality of its control environment, and its own experience, or the experience of other institutions and entities, with respect to information security failures. The assignment of probabilities by the financial institution should be appropriate for the size and complexity of the institution. Simple approaches (e.g., probable, highly possible, possible, and unlikely) are generally sufficient for smaller, non-complex, financial institutions.
Business lines should also analyze the potential damage, or impact, of a threat agent's action. Impact can be measured in terms of data integrity, confidentiality, and availability of information; costs associated with finding, fixing, repairing, and restoring a system; lost productivity; financial losses; and other issues affecting the institution's operations, and reputation.
Many analytical methods may be used to arrive at the likelihood and impact of a threat agent's action. Methods fall into two general categories: quantitative and qualitative. Quantitative methods involve assigning numerical measurements that can be entered into the analysis to determine total and residual risks. Measurements may include costs to safeguard the information and information systems, value of that information and those systems, threat frequency and probability, and the effectiveness of controls. Techniques may include manual or automated data analysis to provide measurement of the potential damage in relation to the controls. A shortcoming of quantitative methods is a lack of reliable and predictive data on threat frequency and probability, and the future reliability and performance of the control structure. That shortcoming is typically addressed by assigning numeric values based on qualitative judgments.
Qualitative analysis involves the use of scenarios and attempts to determine the seriousness of threats and the effectiveness of controls. Qualitative analysis is by definition subjective, relying upon judgment, knowledge, prior experience, and industry information. Qualitative techniques may include walk-throughs, storyboarding, surveys, questionnaires, interviews, and workgroups to obtain information about the various scenarios. Each identified threat should be analyzed to determine potential severity and loss against the effectiveness of the existing control structure.
Evaluate Control Effectiveness The institution should identify controls that will mitigate the impact or likelihood of each identified threat agent exploiting a specific vulnerability. Controls are generally categorized by timing (preventive, detective, or corrective) or nature (administrative, technical, or physical). The evaluation should recognize the unique control environment of the institution, and evaluate the effectiveness of that environment in responding to the threats arrayed against it. The evaluation should address the controls that prevent harm as well as those that detect harm and correct damage that occurs. Preventive controls act to limit the likelihood of a threat agent succeeding. Detective and corrective controls are essential to identify harmful actions as they occur, to facilitate their termination, and to reduce damage.
Controls should not be assumed to be completely effective. Measures of control effectiveness can be obtained from a well-planned and executed security monitoring program. Self-assessments, metrics, and independent tests may address compliance with existing controls and the adequacy of those controls. A well-planned and executed security monitoring program is sound industry practice and should be based on an assessment of the risk of non-compliance or circumvention of the institution's controls.
The evaluation of controls should also encompass the risks to information held and processed by service providers. An institution's contract with the service provider should contain language that establishes standards the service provider should meet and provide for periodic reporting against those standards. The contract should include a provision for the independent review of internal controls at service providers and vendors, require that timely action be taken to address identified vulnerabilities, and require a reporting to the institution of the review, its findings, and the actions taken in response to the findings. The report should be sufficient to enable the institution to evaluate contract compliance and to assess risk.
The evaluation of controls should include a review of the relevant physical access controls - including access to records, equipment, and financial institution and data center facilities - and provide an assessment of potential vulnerabilities to a physical attack or other disaster. Reviews should be comprehensive and address all data and facilities, including remote facilities. Because the risk from many threat scenarios may be mitigated by physical as well as other controls, the physical control evaluation is an integral part of the overall scenario evaluation.