IT Asset Valuation Risk Assessment and Control Implementation Model - Joa - Eng - 0118
Feature

IT Asset Valuation, Risk Assessment and Control Implementation Model
The first steps in information security strategic planning in any form of business are risk management and risk evaluation. This is necessarily broad, including business processes, people and physical infrastructure, as well as the information system. The security risk evaluation needs to assess the asset value to predict the impact and consequence of any damages, but it is difficult to apply this approach to systems built using knowledge-based architectures.1 Knowledge-based systems attempt to represent knowledge explicitly via tools, such as ontologies and rules, rather than implicitly via procedural code, the way a conventional computer program does. Usually, professionals face challenges in giving assurance to organizations on asset valuation, risk management and control implementation practices due to the nonexistence of clear and agreed-on models and procedures. The main objective of this article is to propose simple and applicable models for professionals to measure, manage and follow up on assets, risk and controls implementation in the organization.

An ISACA® Journal volume 5, 2016, article titled "Information Systems Security Audit: An Ontological Framework"2 briefly describes the fundamental concepts (owner, asset, security objectives, vulnerability, threat, attack, risk, control and security audit) and their relationships to the whole security audit activities/process. This article proposes different models that help to measure and implement these concepts objectively by using the previously proposed ontological framework and an empirical study. The objectives are to identify risk-based auditable areas required to carry out asset valuation and to help measure risk and identify the existing control gap of the company's IT assets for regulatory, management and audit purposes.

The previous ontological framework briefly presents concepts hierarchically, from asset valuation to control implementation processes for a specific asset, based on the summarized steps. This article shows how to take the steps sensibly:

1. Identify the owner and custodian of the asset.

2. Identify and list the information systems assets of the organization. (List all interfacing applications, people, hardware or other containers for each asset.) Containers are the place where an information asset or data "lives" or where any type of information asset (data) is stored, transported or processed.3

3. Identify the security objectives of confidentiality, integrity and availability (CIA) and a weighting of the asset to conduct an impact assessment based upon the criticality of the asset to the operation of the company.

4. Identify the asset's security categories and its estimated value.

5. Determine the threat's and vulnerability's quantitative values and rates.

6. Estimate the probability of occurrence/likelihood of impact.

7. Identify existing controls and perform a gap analysis.
"...how the data or information is processed, transferred and stored in a secured manner."

Risk Assessment and Management

The risk assessment comprises the qualitative assessment and quantitative measurement of individual risk, including the interrelationship of their effects. Risk management constitutes a strategy to avoid losses and use available opportunities or, rather, opportunities potentially arising from risk areas.6 Normally, no single strategy will be able to cover all IT asset risk, but a balanced set of strategies will usually provide the best solutions.

Once the risk is identified, it can be evaluated as acceptable or not. If it is acceptable, no further actions are required other than communicating and monitoring the risk, but if the risk is not acceptable, it must be controlled through four separate options of prevention and/or mitigation measures:

1. Reduce the impact.

...from the threat summarizes the potential impact definitions for the CIA security objectives.)

This article discusses risk mitigation strategy based on the CIA security objectives.

The overall objective of this section is to quantitatively measure risk impacts of an organization's specific IT assets and to propose a proper mitigation strategy. Concepts from the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) ISO/IEC 27001:2013, Information technology—Security techniques—Information security management systems—Requirements,7 and empirical analysis results taken from interviews with professionals are used to illustrate various conclusions and approaches to implementation. Hence, quantitative measurement of risk impact is implemented based on the following formula:

Risk Impact = Potential Risk * Probability of Occurrence

Potential Risk

This could be any type of risk that is conceivable for a business or any risk associated with an action that is possible in certain circumstances. This risk also refers to a threat or damage that may occur on operations of the business. When a business
[Rating matrix residue; column headings not recoverable. Surviving rows: Medium (2): 4 5 6 5 6 7 6 7 8; High (3): 5 6 7 6 7 8 7 8 9. Source: Shemlse Gebremedhin Kassa. Reprinted with permission.]
Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.13

Susceptibility is simply a measure of the effort required to successfully exploit a given weakness. For example, fire is a threat. Poor fire prevention

To measure the overall value of the severity of a vulnerability, the combination of the susceptibility value and the exposure rating must first be decided, as shown in figure 7. (Note: This rating table is similarly used for threat factors [impact and capability rating] in the following threat assessment section.)
[Rating matrix residue (the table referenced as figure 7 in the text); values not recoverable beyond the fragment "3 3 4 5". Source: Shemlse Gebremedhin Kassa. Reprinted with permission.]

Threats Assessment and Rating Methodology

A general list of threats should be compiled, which is then reviewed by those most knowledgeable about the system, organization or industry to identify those threats that apply to the system.14 Each threat is derived from a specific vulnerability, rather than identifying threats generally without considering vulnerability. Measuring the value of a threat depends on the rating value of its impact and capability. Impacts are a forceful consequence or a strong effect of the launch of a threat on the business.

Capability is a measure of a threat agent's ability (including the level of effort required) to successfully attack an asset by exploiting its vulnerabilities, e.g.,

The model for grading the severity of the threat uses the impact and capability of the threat, similar to the severity of vulnerability matrix in figure 6 and figure 7. The only difference is that susceptibility and exposure for vulnerabilities are replaced with impact and capability for threats.

Risk Impact Measurement

Risk management is the act of determining what threats the organization faces, analyzing the vulnerabilities to assess the threat level and determining how to deal with the risk.15 Security risk management is a strategy of management to reduce the possible risk from an unacceptable to an acceptable level.16 There are four basic strategies for managing risk: transference, acceptance, avoidance and mitigation.17

[Rating matrix residue; column headings not recoverable. Surviving rows: M: 2 3 4 5 3 4 5 6 4 5 6 7 5 6 7 8; H: 3 4 5 6 4 5 6 7 5 6 7 8 6 7 8 9. Source: Shemlse Gebremedhin Kassa. Reprinted with permission.]
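The following Python script is an added example, not code from the article or its author, showing one way to turn the model above into a repeatable calculation: Low/Medium/High ratings for the CIA weightings, for susceptibility and exposure (vulnerability severity), and for impact and capability (threat severity), then the article's formula Risk Impact = Potential Risk * Probability of Occurrence, and finally the acceptable/not-acceptable decision that selects among the four strategies. Everything not stated on the page is an assumption and is marked as such in the code: the additive combination of ratings (the article's figure 6 and figure 7 tables are not reproduced here), the composition of potential risk from asset value and severity, the acceptance threshold, and the constructed sample asset.

```python
from dataclasses import dataclass

# Three-level scale used throughout the article's matrices (Low/Medium/High = 1/2/3).
RATING = {"low": 1, "medium": 2, "high": 3}

# The article's four risk treatment strategies.
STRATEGIES = ("transference", "acceptance", "avoidance", "mitigation")


def rating(label: str) -> int:
    """Map a Low/Medium/High label to 1..3; reject anything else so a typo in an
    assessment sheet does not silently become a score."""
    try:
        return RATING[label.strip().lower()]
    except KeyError:
        raise ValueError(f"unknown rating {label!r}; expected low, medium or high") from None


def asset_value(confidentiality: str, integrity: str, availability: str) -> int:
    """Asset value as the sum of the three CIA weightings (range 3..9).
    Assumption: additive combination; the article's own valuation table is not reproduced."""
    return rating(confidentiality) + rating(integrity) + rating(availability)


def combine(first: str, second: str) -> int:
    """Assumed additive combination of two ratings (range 2..6). The article's
    figure 7 defines the actual rating table, which is not available here."""
    return rating(first) + rating(second)


def vulnerability_severity(susceptibility: str, exposure: str) -> int:
    """Severity of a vulnerability from its susceptibility and exposure ratings."""
    return combine(susceptibility, exposure)


def threat_severity(impact: str, capability: str) -> int:
    """Severity of a threat: same table, with impact and capability in place of
    susceptibility and exposure, as the article describes."""
    return combine(impact, capability)


def potential_risk(value: int, vuln_severity: int, thr_severity: int) -> int:
    """Assumption: potential risk = asset value x the worse of the two severities
    (range 6..54). The article leaves this composition to the assessor."""
    return value * max(vuln_severity, thr_severity)


def risk_impact(potential: float, probability: float) -> float:
    """The article's formula: Risk Impact = Potential Risk * Probability of Occurrence."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability of occurrence must be in [0, 1]")
    return potential * probability


def treatment(impact: float, acceptable_max: float) -> tuple:
    """Acceptable risk is only communicated and monitored (acceptance); otherwise
    the remaining three strategies are the candidate treatments."""
    if impact <= acceptable_max:
        return ("acceptance",)
    return tuple(s for s in STRATEGIES if s != "acceptance")


@dataclass
class AssetRatings:
    name: str
    confidentiality: str
    integrity: str
    availability: str
    susceptibility: str
    exposure: str
    impact: str
    capability: str
    probability: float


def assess(asset: AssetRatings, acceptable_max: float = 15.0) -> dict:
    """Run steps 3 to 6 of the article's procedure for one asset and decide treatment.
    The default threshold of 15.0 is an assumption, not a value from the article."""
    value = asset_value(asset.confidentiality, asset.integrity, asset.availability)
    vuln = vulnerability_severity(asset.susceptibility, asset.exposure)
    thr = threat_severity(asset.impact, asset.capability)
    potential = potential_risk(value, vuln, thr)
    impact = risk_impact(potential, asset.probability)
    return {
        "asset": asset.name,
        "asset_value": value,
        "vulnerability_severity": vuln,
        "threat_severity": thr,
        "potential_risk": potential,
        "risk_impact": impact,
        "acceptable": impact <= acceptable_max,
        "treatment": treatment(impact, acceptable_max),
    }


# Constructed sample asset (not from the article): C=High, I=Medium, A=High,
# susceptibility High, exposure Medium, impact High, capability Low, probability 0.5.
SAMPLE = AssetRatings("payroll database", "high", "medium", "high",
                      "high", "medium", "high", "low", 0.5)

if __name__ == "__main__":
    for key, val in assess(SAMPLE).items():
        print(f"{key}: {val}")
```

Because every rating passes through `rating()`, two assessors who fill in the same labels always get the same numbers, which is the uniformity the article's conclusion asks for; the subjective step is confined to choosing the labels and the acceptance threshold.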
...and implemented control of an asset is relatively the most difficult task in the process, because of a lack of uniformity in subjective judgments during the rating selection (high, low, medium), and the quality and accuracy of the results are highly dependent on the assessors' professional experience. The models described in this article can minimize error and introduce uniformity of activities and process results carried out by different individuals/organizations. Generally, information security risk management/evaluation is still a very complex field of research, with a lot of unexplored areas. More research is needed to explore essentials. This research work can be based on the model proposed in this article and perhaps could be focused on creating mechanical or robotic techniques to implement quantitative measurement, thus avoiding subjective judgments of high, low or medium.

Endnotes

1 Foroughi, F.; "Information Asset Valuation Method for Information Technology Security Risk Assessment," Proceedings of the World Congress on Engineering 2008, vol. I, www.iaeng.org/publication/WCE2008/WCE2008_pp576-581.pdf
2 Shemlse, G. K.; "Information Systems Security Audit: Ontological Framework," ISACA® Journal Practically Speaking blog, 26 September 2016, www.isaca.org/Journal/Blog/Lists/Posts/Post.aspx?ID=333
3 Caralli, R., et al.; "Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process," Carnegie Mellon University, USA, May 2007, www.sei.cmu.edu/reports/07tr012.pdf
4 Caralli, R. A.; J. F. Stevens; L. R. Young; W. R. Wilson; "Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process," May 2007, www.sei.cmu.edu/reports/07tr012.pdf
5 Olivia; "Difference Between Information System Audit and Information Security Audit," DifferenceBetween.com, 16 April 2011, www.differencebetween.com/difference-between-information-system-audit-and-vs-information-security-audit/
6 Op cit, Foroughi
7 Kamat, M.; ISO27k Implementers' Forum, "Matrices for Asset Valuation and Risk Analysis," 2009, http://190.90.112.209/estandares/ISO27k-Matrices-for-Asset-Valuation-and-Risk-Analysis.pdf
8 Op cit, Foroughi
9 Ibid.
10 Village of Briarcliff Manor; Disaster Mitigation Act 2000 Hazard Mitigation Plan, New York, USA, July 2007, p. 5–9, www.briarcliffmanor.org/pages/BriarcliffManorNY_Trustees/HMP/Section%205.3%20Hazard%20Ranking%20-%20Final.pdf
11 National Information Assurance Training and Education Center; NIATEC Glossary, USA, http://niatec.info/Glossary.aspx?term=6344&alpha=V
12 Op cit, Shemlse
13 Kiyuna, A.; L. Conyers; Cyberwarfare Source Book, Lulu.com, 14 April 2015, p. 42
14 Elky, S.; "An Introduction to Information System Risk Management," SANS Institute InfoSec Reading Room, 31 May 2006, www.sans.org/reading_room/whitepapers/auditing/introduction-information-system-risk-management_1204
15 Gregg, M.; CISSP Exam Cram 2, Pearson IT Certification, USA, 2005
16 Op cit, Elky
17 Ibid.
18 RFC 4949, Internet Security Glossary, Version 2, August 2007, https://tools.ietf.org/html/rfc4949
19 Op cit, Kamat
20 Ibid.
21 Op cit, Gregg
22 Ibid.