
NIST SP800-30 approach to risk assessment
By Babby Boss

Risk is the state that exposes an asset to harmful elements.

Risk can also be defined as a function of the likelihood of a given threat-source exercising a potential vulnerability, and the resulting impact of that adverse event on the organization. Risk management is the process of identifying risks, measuring them, and attempting to reduce them to an acceptable level. The key objective of the risk management process is to enhance the security of the organization and ensure business continuity; the risk management process is therefore a vital management function. NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems, provides the necessary guidelines on how to achieve this goal. Risk management incorporates three processes:

- Risk assessment process, which includes the identification and evaluation of risks and risk impacts, and the recommendation of risk-reducing measures.
- Risk mitigation process, which refers to prioritizing, implementing, and maintaining the suitable risk-reducing measures recommended by the risk assessment process.
- Continual evaluation process, which is important for implementing a successful risk management program.

A risk assessment delivers several benefits to an organization. First, it provides a review of the organization's current implementation of information asset protection. Without a risk assessment it would not be possible to have an independent analysis of the security program; those governing the security program can hardly be expected to share the viewpoint of an independent risk assessor. Second, it measures the effectiveness of the security program and provides the information needed to adapt the program to the changing threat situation and business environment. Without regular risk assessment, an organization's information security program would fail to keep pace with the evolution of threats, hackers' skills and the business mission. Finally, it helps management optimize resource allocation. Without a risk assessment the organization would lack an understanding of its security risks, and the allocation of resources to reduce risk would be governed by irrelevant factors such as technology familiarity, convenience, etc.

We will discuss here the risk assessment approach outlined in NIST SP800-30. The risk assessment methodology covers the following nine major steps.

Step 1 - System Characterization

System characterization establishes the scope of the risk assessment exercise, defines its boundaries, and gives the information necessary to define the risk. The risk assessor collects asset-related information as well as information about the operating environment. The asset-related information covers hardware, software, interfaces, asset owner, criticality, and sensitivity. The environmental information covers the functional requirements of the asset, users, security policies, network architecture, security controls, and flow of processing. The assessor uses various techniques for data collection: questionnaire, survey, document review, observation, interview, and the output of asset inventory management tools.

Step 2 - Threat Identification

A threat is the potential for a particular threat-source to successfully exercise a particular vulnerability (or weakness) that can be inadvertently activated or deliberately exploited. A threat-source, however, does not cause any risk in the absence of a vulnerability. To determine the threat potential, the assessor needs to take into account threat-sources, probable vulnerabilities, and the controls in place. Common threat-sources are:

- Natural Threats - Floods, earthquakes, etc.
- Human Threats - Malware, cyber attacks, etc.
- Environmental Threats - Long-term power failure, gas leakage, etc.

The assessor should consider all potential threat-sources that could cause damage to an asset and its operating environment. All such threats are listed in a Threat Catalog or Threat Statement.

Step 3 - Vulnerability Identification

The assessor should develop a list of vulnerabilities that could be exploited by the potential threat-sources. All such vulnerabilities should be listed in a Vulnerability Catalog. To identify vulnerabilities, the assessor may use previous IT audit reports, previous risk assessment reports, penetration test reports, security policies, standards, and procedures, behaviour observation techniques, control tests, vulnerability databases, security news sites and forums, vendors' advisories, security bulletins, etc.

Step 4 - Control Analysis

The purpose of this step is to analyze the existing and planned security controls that reduce or eliminate the likelihood of a vulnerability being exploited. The assessor may use the same techniques - survey, questionnaire, document review, observation, interview, test, etc. - to determine the adequacy of the security controls.

Step 5 - Likelihood Determination

The likelihood of a threat-source exploiting a vulnerability increases with the asset's exposure level, the threat-source's motivation and capability, and the nature of the vulnerability, and decreases with the effectiveness of the current controls. Accordingly, the likelihood rating is high (or likely), medium (or moderate), or low (or unlikely), depending on the significance of these factors.

Step 6 - Impact Analysis

The assessor needs to obtain the following information to measure the impact of the risk resulting from a successful threat exercise of a vulnerability:

- System mission
- System and data criticality
- System and data sensitivity

Impact information can be obtained from the Business Impact Analysis (BIA) document, which prioritizes the impact levels associated with the compromise of an organization's information assets based on an assessment of the sensitivity and criticality of those assets. Alternatively, it can be determined from the level of protection required to maintain the availability, integrity, and confidentiality of the system and its data. The adverse impact of a security event can therefore be described in terms of the loss or degradation of any of the three security goals: integrity, availability, and confidentiality. Integrity refers to the requirement that information be protected from improper modification; unavailability of critical IT assets may affect the organization's mission; and unauthorized, unexpected, or accidental disclosure of information could result in loss of public confidence, embarrassment, or a lawsuit against the organization. Some tangible impacts are easy to measure quantitatively in terms of lost profit, repair cost, or maintenance effort. Impacts such as loss of reputation, however, are difficult to measure in definite units and are therefore expressed as high, medium, or low impact.

Step 7 - Risk Determination

The risk for a particular threat/vulnerability pair is computed as the product of the Impact and Likelihood ratings. The assessor needs to develop a risk-level matrix. An example risk-level matrix using three levels of likelihood and impact ratings is as follows.

                                        LIKELIHOOD
IMPACT          Unlikely (0.1)            Moderate (0.5)             Likely (1.0)
Low (10)        Low (10 x 0.1 = 1)        Low (10 x 0.5 = 5)         Low (10 x 1.0 = 10)
Medium (50)     Low (50 x 0.1 = 5)        Medium (50 x 0.5 = 25)     Medium (50 x 1.0 = 50)
High (100)      Low (100 x 0.1 = 10)      Medium (100 x 0.5 = 50)    High (100 x 1.0 = 100)

If the assessor considers more levels for the likelihood and impact ratings, then the following risk-level matrix can be used. Here the risk levels start from Very Low and continue to Very High.

                                              LIKELIHOOD
IMPACT          Very Unlikely (1)   Unlikely (2)    Moderate (3)    Likely (4)      Very Likely (5)
Very Low (1)    Very Low (1)        Low (2)         Low (3)         Medium (4)      Medium (5)
Low (2)         Low (2)             Low (4)         Medium (6)      Medium (8)      Medium (10)
Medium (3)      Low (3)             Medium (6)      Medium (9)      Medium (12)     High (15)
High (4)        Medium (4)          Medium (8)      Medium (12)     High (16)       High (20)
Very High (5)   Medium (5)          Medium (10)     High (15)       High (20)       Very High (25)
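As an added example (not part of the original article), here is Step 7 carried out in Python for the 3 x 3 matrix above: it scores constructed threat/vulnerability pairs, maps each product onto the Low/Medium/High scale that the matrix implies, and orders the findings for the Step 9 report. The finding names and their ratings are made up for illustration.

```python
"""Worked Step 7 (risk determination) for the 3x3 NIST SP 800-30 matrix."""
from typing import Dict, List, Tuple

# Likelihood and impact ratings exactly as in the 3x3 risk-level matrix.
LIKELIHOOD: Dict[str, float] = {"Unlikely": 0.1, "Moderate": 0.5, "Likely": 1.0}
IMPACT: Dict[str, int] = {"Low": 10, "Medium": 50, "High": 100}


def risk_score(likelihood: str, impact: str) -> float:
    """Risk = likelihood rating x impact rating for one threat/vulnerability pair.
    Rounded so that e.g. 0.1 x 100 compares exactly against the 10 threshold."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 6)


def risk_level(score: float) -> str:
    """Map a score onto the scale the matrix implies:
    Low 1..10, Medium above 10 up to 50, High above 50 up to 100."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def prioritize(findings: List[Tuple[str, str, str]]) -> List[Tuple[str, float, str]]:
    """Rate every (name, likelihood, impact) finding and order the result for the
    Step 9 report: highest risk first; equal scores keep their input order."""
    rated = []
    for name, likelihood, impact in findings:
        score = risk_score(likelihood, impact)
        rated.append((name, score, risk_level(score)))
    return sorted(rated, key=lambda r: r[1], reverse=True)


# Constructed sample threat/vulnerability pairs (hypothetical, not from the article).
SAMPLE_FINDINGS = [
    ("Unpatched internet-facing web server", "Likely", "High"),
    ("Shared admin password on backup system", "Moderate", "High"),
    ("No UPS for branch office switch", "Moderate", "Low"),
    ("Flood damage to data centre", "Unlikely", "High"),
    ("Visitor tailgating into open-plan office", "Likely", "Low"),
]

if __name__ == "__main__":
    for name, score, level in prioritize(SAMPLE_FINDINGS):
        print(f"{level:6} {score:5.0f}  {name}")
```

Only the first finding (100) lands in the High band that the text says needs urgent correction; the backup password (50) is Medium, and the remaining three (10, 10, 5) fall in the Low band that is typically accepted.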

The organization urgently needs to take corrective measures to fix a finding evaluated as high risk. A medium-risk finding gives the organization sufficient time to develop and apply corrective measures. For a finding rated as low risk, the organization may determine whether corrective action is needed; generally, low risks are accepted because the cost of applying corrective controls is not justifiable.

Step 8 - Control Recommendations

Depending on the result of the risk determination, the assessor recommends security controls to mitigate or eliminate the identified risks. The purpose is to reduce the level of risk to a level acceptable to the organization. Several factors, such as control effectiveness, applicable regulations, policies, etc., matter when recommending security controls.

Step 9 - Results Documentation

After successful completion of the risk assessment activities, the assessor should produce a report for executive management as well as the concerned owners to enable them to make decisions on the required changes. The report should allow management to understand the current state of security and to allocate adequate resources to reduce and correct potential losses. The report should catalogue the findings revealed by the methodical approach to risk assessment. The following flowchart summarizes the risk assessment methodology discussed above.
