No Batteries Required
Information Security: Risk Assessment & Management
Ray Kahn
APR 08, 2013 09:17 AM


Information Security

Growth in the use of information technology from mundane tasks to business functions has increased the need for effective information management. As a result there has been a growing need for the protection of confidential, private and sensitive information from unauthorized access, use, disclosure, destruction or modification. Information Security is a set of processes, policies and technologies which aim to protect information assets of an organization. They are intended to safeguard organizational data while also enabling the organization to pursue its business objectives.

Information Security (InfoSec) is an important part of the IT function; in fact I would argue that it is THE most important responsibility of any IT department. InfoSec is a set of processes, tools and techniques that seek to identify threats and vulnerabilities and aim to implement effective countermeasures designed to reduce risk to an organization to a reasonable level (risk can never be eliminated, as it is an evolving phenomenon). These processes, tools and techniques need to be holistic, consistent, repeatable and cost effective, and ought to take into consideration the requirements of both the formal and the informal organization – ISACA defines a formal organization as a network of people interacting, using processes to channel this interaction, with a common strategy; an informal organization refers to subcultures, individuals and groups within the formal organization’s business units. InfoSec’s core objectives, therefore, are the Confidentiality, Integrity and Availability (CIA) of information, and in order to realize these objectives a robust and effective risk assessment and management process is needed.

Risk Assessment

SANS Institute defines risk as “the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.” A threat is then defined as the potential for the exercise of a particular vulnerability. A vulnerability is a weakness or a flaw in any part of an organization’s information assets, ranging from procedures and policies to technology. It is important to realize that a threat is a risk only if it is acted upon. From the InfoSec perspective, then, a risk is anything that would affect information CIA (see above).

Risk assessment is a process in which threats and vulnerabilities are identified and their likelihood and impact measured. This is not an easy task by any means, and I must emphasize that this exercise is an iterative, evolving and continuous activity.

Our first assumption must be that there are already plenty of vulnerabilities built into organizational information assets, and every time a change is introduced a potential new vulnerability is introduced as well (process and technology maturity play a great part in risk mitigation). Common IT threats include natural, human and environmental ones (power failure, water damage, etc.). As part of your risk assessment exercise you will need to compile a list of threats and review it with your team to make sure you have as complete a list as possible.

Vulnerabilities exist in process, people and technology assets. Start by reviewing public vulnerability archives, such as the National Vulnerability Database and Common Vulnerabilities and Exposures. Additionally, you need to review your information systems and be able to answer the following questions for each system:


  • Is the owner identified?
  • Are incidents being reviewed regularly?
  • Are incidents being properly classified and prioritized?
  • Have escalation paths been sufficiently defined and followed in practice?
  • Are incidents documented properly?
  • Does the organization have an incident tracking system?
  • Are incidents being followed-up?
  • Are lessons being learned from incidents and procedures?
  • Are resolutions being properly documented? 


Once this list is compiled you can start using tools and techniques to identify vulnerabilities in your systems and controls:


  • Vulnerability Scanners: examine operating systems, networks and code for flaws. Lists of commercial and free vulnerability scanners are published online.
  • Penetration Testing: Metasploit is an open source framework for penetration testing covering exploit development, host vulnerability validation and exploit execution. Commercial variants are also available.
  • Audit People and Processes: this is a review of the efficacy of the following controls:
      • Policies
      • Standards & guidelines
      • Accountability rules
      • Resource allocation & prioritization
      • Metrics for all of the above
      • Compliance


Through these steps you should be able to construct a better representation of the risks to your information assets. The result of this exercise should be a concise document that outlines the vulnerabilities, their nature, and their accountability and recovery paths. But you still need to determine their likelihood and impact.

Likelihood determination is not a difficult task. You could follow the standard classification of the likelihood that an event will happen - Low, Medium and High – as long as there is widespread consensus among your team. You should base the likelihood calculations on your organization’s historical data and on published reports by your vendors (found on their websites). Impact determination should use the same classification as likelihood, but with the added dimension of the effect on information CIA (Confidentiality, Integrity and Availability). For example, a threat would have a “High” impact on “Confidentiality” if it results in “loss of confidentiality which leads to severe effect on organization”.

Risk Management

By now you should have a document that pairs each threat with a vulnerability, along with its impact, likelihood and recovery path. This document should guide you during threat mitigation activities. As an example I have included a section of our Risk Management Document. As you can see, this document follows standards established by SANS, ISACA and other information security organizations.

| Threat | Impact | Likelihood | Risk Management Strategy | Cost |
|---|---|---|---|---|
| Production Site Blade Server Failure. | Severe - Could cause site to become unavailable for more than 72 hours. | Low - Past data indicates this happens very rarely. | Implement fail-over data center at an alternate site. | |
| Production Site Virtual Servers Cluster Failure. | Severe - Could cause site to become unavailable for more than 12 hours. | Low - Past data indicates this happens very rarely. | Fail-over to alternate data center. System Admins to switch over through Akamai traffic management. | Per Incident |

You will notice that I have two additional columns, but the interesting one is “Cost”. It is important for IT departments to have an understanding of the financial consequences of vulnerabilities and threats and their impact on an organization’s goals and objectives.
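To make the likelihood and impact classification above and the register excerpt concrete, here is an added example (written for this article, not the author's own document or tooling): a small Python risk register that scores each threat as likelihood times its worst-case impact across Confidentiality, Integrity and Availability and ranks the rows. The 3x3 scoring thresholds, the vulnerability text for each row and the third row are assumptions.

```python
# Added example, not from the original post: a small risk register using the
# article's Low/Medium/High scale. Scoring thresholds and row details are assumed.
from dataclasses import dataclass

LEVELS = {"Low": 1, "Medium": 2, "High": 3}
IMPACT_ALIASES = {"Severe": "High", "Moderate": "Medium", "Minor": "Low"}  # table wording


@dataclass
class Risk:
    threat: str
    vulnerability: str     # constructed text; the post's table does not list it
    likelihood: str        # Low / Medium / High
    impact: dict           # per CIA dimension, e.g. {"Availability": "Severe"}
    strategy: str          # mitigate / transfer / accept / avoid, with detail
    cost: str = ""


def level(value: str) -> int:
    """Map a likelihood or impact word to 1..3; reject unknown words."""
    word = IMPACT_ALIASES.get(value, value)
    if word not in LEVELS:
        raise ValueError(f"unknown level: {value!r}")
    return LEVELS[word]


def risk_score(r: Risk) -> int:
    """Likelihood x worst-case impact across C, I and A (range 1..9)."""
    return level(r.likelihood) * max(level(v) for v in r.impact.values())


def risk_rating(score: int) -> str:
    """Assumed thresholds on the 3x3 matrix: 6-9 High, 3-4 Medium, 1-2 Low."""
    return "High" if score >= 6 else "Medium" if score >= 3 else "Low"


def prioritize(register: list) -> list:
    """(threat, score, rating) tuples ordered from highest to lowest risk."""
    ranked = sorted(register, key=risk_score, reverse=True)
    return [(r.threat, risk_score(r), risk_rating(risk_score(r))) for r in ranked]


# Constructed register: the two rows from the post's table plus one made-up row.
REGISTER = [
    Risk("Production Site Blade Server Failure", "single blade chassis", "Low",
         {"Availability": "Severe"}, "mitigate: fail-over data center at alternate site"),
    Risk("Production Site Virtual Servers Cluster Failure", "single VM cluster", "Low",
         {"Availability": "Severe"}, "mitigate: fail-over via Akamai traffic management",
         "Per Incident"),
    Risk("Phishing of administrator credentials", "no MFA on admin accounts", "Medium",
         {"Confidentiality": "High", "Integrity": "High", "Availability": "Low"},
         "mitigate: enforce MFA and awareness training"),
]
```

Calling `prioritize(REGISTER)` puts the constructed phishing row (score 6, High) ahead of the two Severe-but-rare hardware failures (score 3, Medium), which is the ordering the mitigation budget discussion above is meant to inform.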

Obviously the framework that I have chosen in risk management is mitigation. There are other strategies for managing risk: transfer (a third party manages the risk), acceptance (threats and vulnerabilities are a fact of life, and you allow your information assets to continue to operate with known flaws) and avoidance (remove any system that has a vulnerability or a flaw). In the end, how you choose to manage risk is a question of resources, culture and the level of your organization’s risk tolerance.

Your risk management document is a living document and will need to be updated regularly. Remember that threats and vulnerabilities are ever-evolving phenomena, and your readiness and response will also need to change.


InfoSec must address three elements of your information assets: people, process and technology; it needs to be holistic and cover the organization as a whole. As part of your risk assessment exercise remember to include IT controls: procedural (written policies, procedures & standards which govern “people” behavior), technical (passwords, firewalls, network intrusion detection systems, data encryption, etc.) and physical (monitoring of your facilities). Effective risk management strives to be proactive and innovative, to minimize negligent behavior, and to affect the organization’s culture. It also seeks to determine an acceptable level of risk (threats and vulnerabilities can never be eliminated completely).


References

SANS Institute
Wikipedia, Information Security