ACCESS CONTROL NEWS

Wednesday, January 6, 2010

Effectiveness of Security Control Risk Assessments for Enterprises: Assess Risks on the Business Impacts

The complexity of the risks affecting a business has increased manifold, and the need to gauge the Information Technology risks acting on business operations has become paramount. Because technology is the interfacing point for the exchange of information/data with entities and people, technological controls need to be built into the technology and at each of these interfacing points to ensure that sensitive business information/data is handled appropriately.

The business managers who run business operations are looking for ways to contain the risks pertaining to Information Technology. Any business operation needs to operate securely and seamlessly while leveraging Information Technology, and to be able to recover and resume business without any loss of confidentiality, integrity or availability of business information/data in the event of a security incident. Business managers also need to quantify the impact of IT security risk on the critical business processes and provide business-level insight at the management level.

Hence there is a pressing need to give business managers a business perspective of the security technology risks prevailing in the organization's business operations. Emphasis on technology vulnerabilities should be a priority only after there is assurance that the required technological solutions exist.

Business and Technology Centric Security

Customers require solutions for two requirements:
• Protect the FORTRESS (Business Operations) and bolster its defenses with the required FACADES (Technology Solutions)
• Strengthen the FAÇADE (Technology Solutions) against any weakness in its effectiveness
The above requirements have led us to classify two types of gaps in security controls:
• Type I: A technological solution to be deployed for business information/data controls. The business rationale for controls at each of the information/data interfacing points needs to be understood first; technology should then be looked at as an enabler/solution provider.
• Type II: Vulnerabilities in the implemented technology that can be exploited. These are the technological weaknesses that make the solution less reliable in its effectiveness.
The relevant business controls should be audited from the perspective of the presence of technology solutions (Type I) and the effectiveness of those technology solutions (Type II). It is imperative that both aspects are covered in assessments for customers, as this gives the customer a comprehensive view of the security of its business operations.

Approach: Risk Assessments

It is recommended that a phased approach be followed to conduct Security Risk Assessments for Enterprise Business Operations. Risk Assessments are the first step in determining how to better safeguard an institution’s assets and reduce the probability that those assets will be compromised.
• Phase I: Business & Technology Landscape Overview, which includes the following steps:
o Identify the Business Services
o Understand the Business Operations
o Understand the Application Landscape
o Understand the Network and Server Infrastructure Landscape
• Phase II: Develop the Business Information/Data flow
o On the Physical Infrastructure Landscape
o On the Logical Application Landscape
• Phase III: Based on the business data flows, identify the business controls required by the business managers.
• Phase IV: Identify weaknesses in the controls through IT landscape audits, covering:
o Applications
o Infrastructure
• Phase V: Assess the risk of each control weakness, i.e. the business impact of the risk, and prioritize remediation for the business.
• Phase VI: Recommendations for risk treatment and an implementation plan.

Risk Profiling: Business Driven Technological Controls

The business operations of any small, medium or large sized company are supported by IT operations, which need to operate at an acceptable level of security to function securely. Business threats should trigger the need to establish technological controls at the various interfaces.

“For stock exchange operations, the need to secure the Very Small Aperture Terminal (VSAT) connectivity used by brokers to access the trading terminal from remote locations is a business requirement.”

“For a retail setup with geographically spread users across multiple locations accessing the business applications that hold critical business data, an Identity and Access Management solution becomes a business requirement.”
To ensure that IT operations run securely, the business requirements have to be clearly brought forward; the business impacts can then be determined by assessing the implemented technological solutions.

Let’s take “Access Control” as a requirement for a retail business environment. From the business perspective it is very critical to ensure that the risk of unauthorized access to, and modification of, business-critical data is minimal and controlled.

Access Control: Retail businesses have distributed business and IT operations (HO, the Head Office, and the Branch Network) with users accessing a variety of business-critical information systems/applications. User access has to be based on least privilege, i.e. consistent with job function. Such business and technology operations also need to grant escalated privileges to resources at various times, and controls need to be built in to establish accountability for access to the various information resources.

A control that establishes accountability and ensures that the required users have the right permissions is a priority. This is critical on changes of role, branch transfers, department transfers, privilege escalation requests, folder access changes, new users, etc. The controls risk assessment covers the risks that may prevail in each of these business aspects of access provisioning.
Opinion piece submitted by Satyanandan Atyam, B.E (I&P), M.M.S (Finance), CISA, LA ISO 27001, LA BCM 25999
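The accountability control described above can be exercised as a periodic entitlement review: compare each user's actual grants against the least-privilege baseline for their current job function and branch, and flag leftovers from transfers and expired privilege escalations. This is an added example, not code from the opinion piece or its author; the role baseline, entitlement names and user roster are constructed sample data.

```python
"""Access-provisioning review for a distributed retail estate (head office + branches).
Added example, not from the original post; role matrix and roster are constructed."""
from dataclasses import dataclass, field

# Constructed baseline: what each job function needs, scoped to the user's own branch.
ROLE_BASELINE = {
    "cashier": {"pos:sell", "pos:refund:{branch}"},
    "branch_manager": {"pos:sell", "pos:refund:{branch}", "pos:void:{branch}", "reports:{branch}"},
    "ho_finance": {"reports:ALL", "ledger:post"},
}

@dataclass
class User:
    uid: str
    role: str
    branch: str
    entitlements: set
    temp_grants: dict = field(default_factory=dict)  # entitlement -> approved expiry (day number)

def baseline_for(user):
    """Least-privilege entitlement set for the user's current role and branch."""
    return {e.format(branch=user.branch) for e in ROLE_BASELINE.get(user.role, set())}

def review_user(user, today):
    """Return (finding, entitlement) pairs: grants not justified by the current job
    function (e.g. stale after a branch transfer) and escalations past their expiry."""
    findings = []
    for ent in sorted(user.entitlements - baseline_for(user)):
        expiry = user.temp_grants.get(ent)
        if expiry is None:
            findings.append(("excess_privilege", ent))
        elif expiry < today:
            findings.append(("expired_escalation", ent))
    return findings

def review_roster(users, today):
    """Map uid -> findings for every user that has at least one finding."""
    report = {}
    for u in users:
        issues = review_user(u, today)
        if issues:
            report[u.uid] = issues
    return report

# Constructed roster: u2 moved from branch B01 to B07 but kept B01 report access;
# u3 holds a temporary void permission whose approval expired on day 100.
ROSTER = [
    User("u1", "cashier", "B01", {"pos:sell", "pos:refund:B01"}),
    User("u2", "branch_manager", "B07",
         {"pos:sell", "pos:refund:B07", "pos:void:B07", "reports:B07", "reports:B01"}),
    User("u3", "cashier", "B02", {"pos:sell", "pos:refund:B02", "pos:void:B02"}, {"pos:void:B02": 100}),
]

if __name__ == "__main__":
    for uid, issues in review_roster(ROSTER, today=120).items():
        print(uid, issues)
```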


Wednesday, December 2, 2009

Comparison of IP- and analog-based surveillance systems: Total Cost of Ownership (TCO)

(via Axis.com)

When the question is asked “Is a network camera more expensive than an analog camera?” the answer is a resounding “yes”. It should be, since it includes more functionality than its analog counterpart. When the next question asked is “Is a network camera system more expensive than a DVR system with analog cameras?” the answer will depend on who is in the room. Some say “absolutely”, others “maybe”, and some “no”. Why is this?

To some extent it depends on a lack of knowledge about the total cost of ownership for both analog and network video systems. Secondly, it depends on what type of system is being discussed: how many cameras, the location of the cameras, the facility the cameras are installed in, etc. In spring of 2007, research was conducted aiming at bringing some clarity to this area, which is presented in this white paper. The research was conducted by an independent researcher focusing on measurable hard costs for the total cost of ownership. It did not factor in any of the additional benefits of network video such as better image quality, the ability to utilize the benefits of megapixel cameras or easier upgrades of additional cameras.

This white paper describes the procedures and findings of a total cost of ownership (TCO) study for two types of video surveillance systems:

> Analog surveillance system: Analog cameras and DVR based recording
> IP-based video surveillance system: Network cameras, IP infrastructure, Server, Software and Storage


Friday, October 9, 2009

Cisco Names Winners of 'Think Inside

SAN JOSE, CA--(Marketwire - October 8, 2009) - Today Cisco (NASDAQ: CSCO) announced the winners of its "Think Inside the Box" Developer Contest. Launched last fall, the competition challenged application developers around the world to develop applications that run on the Cisco® Application Extension Platform (AXP), which resides on the popular Cisco Integrated Services Router (ISR).

Cisco launched this contest to encourage collaborative development through the use of Web 2.0 technologies, promoting what Cisco calls the Human Network Effect. The winning teams were determined by a panel of seven industry experts who selected the following applications as the most innovative, implementable and relevant to businesses. More than 100 qualified teams from 75 countries entered the competition. The finalists demonstrated the business relevance of the AXP in solving real-world problems, in areas of unified communications, security, advertising, cloud architectures and energy management.


Friday, October 2, 2009

10 reasons why Windows 7 could fail

The reviews of Windows 7 have thus far been favorable - so why does Jack Wallen think the new OS may tank? Here’s his take on the impending release.

October 22nd is the big day for the official release of the latest iteration of the Windows operating system. Many have dubbed it the savior that will bring the glory days back to Redmond. Many have said that it will pretty much wipe clean the foul stench left behind by Windows Vista. I, and a few others, think that Windows 7 will not be the success most pundits are proclaiming. How can I say that? I will give you 10 reasons why Windows 7 could easily fail.
