Question

In: Computer Science


You are the web master for the Republican Party National Committee. Prepare a risk assessment analysis for your website. 300 words.

Some questions to consider: Who is likely to attack your site? When are attacks likely to occur? What sort of attacks might take place? How can you best minimize attacks and protect the integrity of your site?

Solutions

Expert Solution

Risk Assessment Analysis is a process that helps you identify and manage potential problems that could undermine key business initiatives or projects.

To carry out a Risk Assessment Analysis, you must first identify the possible threats that you face, and then estimate the likelihood that these threats will materialize.

Risk Assessment Analysis can be complex, as you'll need to draw on detailed information such as project plans, financial data, security protocols, marketing forecasts, and other relevant information. However, it's an essential planning tool, and one that could save time, money, and reputations.

The following are the steps for a risk assessment analysis of the Republican Party National Committee website mentioned in the question.

A risk assessment analysis is a systematic process of evaluating existing controls and assessing their adequacy against the potential operational and compliance threats identified in a risk analysis. The risk assessment process must be a continual, monitored process to be effective.

The steps to a risk assessment analysis include:

  1. Identify and Prioritize Assets

Assets include servers, client contact information, sensitive partner documents, and trade secrets and so on. Remember, what you as a technician think is valuable might not be what is actually most valuable for the business. Therefore, you need to work with business users and management to create a list of all valuable assets. For each asset, gather the following information, as applicable:

  • Software
  • Hardware
  • Data
  • Interfaces
  • Users
  • Support personnel
  • Mission or purpose
  • Criticality
  • Functional requirements
  • IT Security policies
  • IT Security architecture
  • Network topology
  • Information storage protection
  • Information flow
  • Technical security controls
  • Physical security environment
  • Environmental security

Because most organizations have a limited budget for risk assessment, you will likely have to limit the scope of the project to mission-critical assets. Accordingly, you need to define a standard for determining the importance of each asset. Common criteria include the asset’s monetary value, legal standing and importance to the organization. Once the standard has been approved by management and formally incorporated into the risk assessment security policy, use it to classify each asset you identified as critical, major or minor.

  2. Identify Threats

A threat is anything that could exploit a vulnerability to breach security and cause harm to your organization. While hackers and malware probably leap to mind, there are many other types of threats:

  • Natural disasters. Floods, hurricanes, earthquakes, fire and other natural disasters can destroy much more than a hacker. You can lose not only data, but the servers and appliances as well. When deciding where to house your servers, think about the chances of a natural disaster. For instance, don’t put your server room on the first floor if your area has a high risk of floods.
  • System failure. The likelihood of system failure depends on the quality of your computer. For relatively new, high-quality equipment, the chance of system failure is low. But if the equipment is old or from a “no-name” vendor, the chance of failure is much higher. Therefore, it’s wise to buy high-quality equipment, or at least equipment with good support.
  • Accidental human interference. This threat is always high, no matter what business you are in. Anyone can make mistakes such as accidentally deleting important files, clicking on malware links, or accidentally physically damaging a piece of equipment. Therefore, you should regularly back up your data, including system settings and other configuration information, and carefully track all changes to critical systems.
  • Malicious humans. There are three types of malicious behavior:
    • Interference is when somebody causes damage to your business by deleting data, engineering a distributed denial of service (DDoS) against your website, physically stealing a computer or server, and so on.
    • Interception is classic hacking, where they steal your data.
    • Impersonation is misuse of someone else’s credentials, which are often acquired through social engineering attacks or brute-force attacks, or purchased on the dark web.

  3. Identify Vulnerabilities

Third, we need to spot vulnerabilities. A vulnerability is a weakness that a threat can exploit to breach security and harm your organization. Vulnerabilities can be identified through vulnerability analysis, audit reports, vendor data, commercial computer incident response teams, and system software security analysis.

Testing the IT system is also an important tool in identifying vulnerabilities. Testing can include the following:

  • Information Security test and evaluation (ST&E) procedures
  • Penetration testing techniques
  • Automated vulnerability scanning tools

You can reduce your software-based vulnerabilities with proper patch management. But don’t forget about physical vulnerabilities. For example, moving your server room to the second floor of the building will greatly reduce your vulnerability to flooding.

  4. Analyze Controls

Analyze the controls that are either in place or in the planning stage to minimize or eliminate the probability that a threat will exploit a vulnerability in the system. Controls can be implemented through technical means, such as computer hardware or software, encryption, intrusion detection mechanisms, and identification and authentication subsystems. Nontechnical controls include security policies, administrative actions, and physical and environmental mechanisms.

Both technical and nontechnical controls can further be classified as preventive or detective controls. As the name implies, preventive controls attempt to anticipate and stop attacks. Examples of preventive technical controls are encryption and authentication devices. Detective controls are used to discover attacks or events through such means as audit trails and intrusion detection systems.

  5. Determine the Likelihood of an Incident

Assess the probability that a vulnerability might actually be exploited, taking into account the type of vulnerability, the capability and motivation of the threat source, and the existence and effectiveness of your controls. Rather than a numerical score, many organizations use the categories high, medium and low to assess the likelihood of an attack or other adverse event.

  6. Assess the Impact a Threat Could Have

Impact analysis should include the following factors:

  • The mission of the system, including the processes implemented by the system
  • The critical level of the system, determined by its value and the value of the data to the organization
  • The sensitivity of the system and its data

The information required to conduct an impact analysis can be obtained from existing organizational documentation, including a business impact analysis (BIA) (or mission impact analysis report, as it is sometimes called). This document uses either quantitative or qualitative means to determine the impact that would be caused by compromise or harm to the organization’s information assets.

An attack or adverse event can result in compromise or loss of information system confidentiality, integrity and availability. As with the likelihood determination, the impact on the system can be qualitatively assessed as high, medium or low.

The following additional items should be included in the impact analysis:

  • The estimated frequency of the threat’s exploitation of a vulnerability on an annual basis
  • The approximate cost of each of these occurrences

  7. Prioritize the Information Security Risks

For each threat/vulnerability pair, determine the level of risk to the IT system, based on the following:

  • The likelihood that the threat will exploit the vulnerability
  • The impact of the threat successfully exploiting the vulnerability
  • The adequacy of the existing or planned information system security controls for eliminating or reducing the risk

A useful tool for estimating risk in this manner is the risk-level matrix. A high likelihood that the threat will occur is given a value of 1.0; a medium likelihood is assigned a value of 0.5; and a low likelihood of occurrence is given a rating of 0.1. Similarly, a high impact level is assigned a value of 100, a medium impact level 50, and a low impact level 10. Risk is calculated by multiplying the threat likelihood value by the impact value, and the risks are categorized as high, medium or low based on the result.

  8. Recommend Controls

Using the risk level as a basis, determine the actions that senior management and other responsible individuals must take to mitigate the risk. Here are some general guidelines for each level of risk:

  • High — A plan for corrective measures should be developed as soon as possible.
  • Medium — A plan for corrective measures should be developed within a reasonable period of time.
  • Low — The team must decide whether to accept the risk or implement corrective actions.
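A worked form of the risk-level matrix and the per-level guidelines above, added here as an example rather than taken from the original answer. The threat/vulnerability pairs are constructed for a party's public website, and the High/Medium/Low score bands (above 50, above 10, otherwise Low) are an assumption following NIST SP 800-30; the answer gives the likelihood and impact values but not the bands.

```python
# Likelihood and impact values exactly as given in the answer above.
LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}
IMPACT = {"high": 100, "medium": 50, "low": 10}

# Recommended action per risk level, from the "Recommend Controls" step above.
ACTION = {
    "High": "develop a corrective-measures plan as soon as possible",
    "Medium": "develop a corrective-measures plan within a reasonable period",
    "Low": "decide whether to accept the risk or implement corrective actions",
}


def risk_score(likelihood: str, impact: str) -> float:
    """Risk = likelihood value x impact value, as stated in the answer."""
    return LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()]


def risk_level(score: float) -> str:
    """Assumed bands (as in NIST SP 800-30): >50 High, >10 Medium, else Low."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def prioritize(pairs: list[tuple[str, str, str, str]]) -> list[dict]:
    """Score each (threat, vulnerability, likelihood, impact) tuple, highest first."""
    rows = []
    for threat, vuln, likelihood, impact in pairs:
        score = risk_score(likelihood, impact)
        level = risk_level(score)
        rows.append({"threat": threat, "vulnerability": vuln, "score": score,
                     "level": level, "action": ACTION[level]})
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


# Constructed sample register for a party's public website (not from the page).
SAMPLE_PAIRS = [
    ("DDoS during election week", "no upstream DDoS mitigation", "high", "high"),
    ("Website defacement", "unpatched CMS plugin", "medium", "high"),
    ("Admin account takeover", "password-only admin login, no MFA", "medium", "medium"),
    ("Flooding of server room", "server room on the ground floor", "low", "high"),
    ("Accidental content deletion", "no tested backups", "high", "low"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_PAIRS):
        print(f"{r['score']:6.1f} {r['level']:<6} {r['threat']}: {r['action']}")
```

Note that a medium likelihood against a high impact lands exactly on 50 and is therefore Medium under the assumed bands, so the band edges matter as much as the multiplier values.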

As you consider controls to mitigate each risk, be sure to consider:

  • Organizational policies
  • Cost-benefit analysis
  • Operational impact
  • Feasibility
  • Applicable regulations
  • The overall effectiveness of the recommended controls
  • Safety and reliability

  9. Document the Results

The final step in the risk assessment analysis process is to develop a risk assessment analysis report to support management in making appropriate decisions on budget, policies, procedures and so on. For each threat, the report should describe the corresponding vulnerabilities, the assets at risk, the impact to your IT infrastructure, the likelihood of occurrence and the control recommendations.

