CSS 8


Module: Computer Systems Security

Lesson: IT Security Requirements, Risk Assessments

© 2017 Arden University Ltd. All rights reserved.


Arden University Limited reserves all rights of copyright and all other intellectual property rights in these learning materials. No part of
any learning materials may be reproduced, stored in a retrieval system or transmitted in any form or by any means, including
without limitation electronic, mechanical, photocopying, recording or otherwise, without the prior written consent of Arden
University Limited.

IT Security Requirements, Risk Assessments

Introduction

This lesson begins with a brief section on what IT security requirements are. It is followed by a
detailed look at what risk assessment is. Risk management, in the context of information
security, is addressed next, and the two standards associated with risk management, ISO 27005
and ISO 31000, are introduced and compared. Some parts of this lesson are quoted from the
standards, so the tone of the language could get somewhat legal!

Please watch the following presentation:

https://vimeo.com/214472708/7fa0731ade

Transcript

IT security requirements

IT security requirements describe functional and non-functional requirements that need to be
satisfied in order to achieve the security attributes of an IT system.

Security requirements that describe more concretely what must be done to assure the security
of a system and its data are typically required. Open Security Architecture (OSA,
http://www.opensecurityarchitecture.org/cms/) suggests that four different security requirement
types should be distinguished:

Secure functional requirements: This is a security-related description that is integrated into
each functional requirement. Typically this also says what shall not happen. This
requirement artefact can, for example, be derived from misuse cases.

Functional security requirements: These are security services that need to be achieved by
the system under inspection. Examples could be authentication, authorisation, backup,
server clustering, etc. This requirement artefact can be derived from best practices,
policies, and regulations.

Non-functional security requirements: These are security-related architectural
requirements, like “robustness” or “minimal performance and scalability”. This
requirement type is typically derived from architectural principles and good practice
standards.

Secure development requirements: These requirements describe required activities during
system development, which assure that the outcome is not subject to vulnerabilities.
Examples could be “data classification”, “coding guidelines” or “test methodology”. These
requirements are derived from corresponding best practice frameworks like CLASP
(Comprehensive, Lightweight Application Security Process).



The standards document by the British Standards Institute highlights the need for a risk
assessment strategy. Make a note and post your thoughts on the discussion board.

http://shop.bsigroup.com/upload/Standards%20&%20Publications/publications/BIP0076-Ch...

Risk assessment

Risk is a situation involving exposure to danger. It is associated with a possibility,
probability/likelihood or a chance of a situation occurring. The impact of any danger that occurs
requires estimation. Based on the estimated impact, the risk is either avoided or taken. In
broader terms, the effective safeguard of an asset is the result of a thorough evaluation of risks
and the procedures to avoid or minimise the impact of those risks. This process of taking steps
to minimise risk is termed risk management. The first step is to understand the risks and
assess the damage they can cause. Based on these inputs, specific controls are implemented
to ensure that dangers are contained.

Risk assessment is a term used to describe the overall process or method to:

Identify hazards and risk factors that have the potential to cause harm (hazard
identification).

Analyse and evaluate the risk associated with that hazard (risk analysis, and risk
evaluation).

Determine appropriate ways to eliminate the hazard, or control the risk when the hazard
cannot be eliminated (risk control).

A risk assessment is a thorough look at the workplace to identify those things, situations,
processes, etc. that may cause harm, particularly to people. After identification is made, you
analyse and evaluate how likely and severe the risk is. When this determination is made, you
can next decide what measures should be in place to effectively eliminate or control the harm
from happening.

Risk assessment is a systematic examination of a task, job or process that is carried out at
work for the purposes of identifying the significant hazards and the risk of someone being
harmed, and of deciding what further control measures you must take to reduce the risk to an
acceptable level.

Objectives of risk assessment

The objective of a risk assessment is to understand the existing system and environment, and
to identify risks through analysis of the information/data collected. By default, all relevant
information should be considered, irrespective of storage format. Several types of information
that are often collected include:



Security requirements and objectives

System or network architecture and infrastructure, such as a network diagram showing
how assets are configured and interconnected

Information available to the public or accessible from the organisation’s website

Physical assets, such as hardware, including those in the data centre, network and
communication components and peripherals (e.g. desktop, laptop, PDAs)

Operating systems, such as PC and server operating systems, and network management
systems

Data repositories, such as database management systems and files

A listing of all applications

Network details, such as supported protocols and network services offered

Security systems in use, such as access control mechanisms, change control, antivirus,
spam control and network monitoring

Security components deployed, such as firewalls and intrusion detection systems

Processes, such as a business process, computer operation process, network operation
process and application operation process

Identification and authentication mechanisms

Government laws and regulations pertaining to minimum security control requirements

Documented or informal policies, procedures and guidelines

The scope of an enterprise security risk assessment may cover the connection of the internal
network with the Internet, the security protection for a computer centre, a specific
department’s use of the IT infrastructure or the IT security of the entire organisation. Thus, the
corresponding objectives should identify all relevant security requirements, such as protection
when connecting to the Internet, identifying high-risk areas in a computer room or assessing
the overall information security level of a department. The security requirements should be
based on business needs, which are typically driven by senior management, to identify the
desired level of security protection. A key component of any risk assessment should be the
relevant regulatory requirements, such as Sarbanes-Oxley, Health Insurance Portability and
Accountability Act (HIPAA), the US Gramm-Leach-Bliley Act and the European Data Protection
Directive.

The typical tasks that are performed in a security assessment for an organisation are listed
below. Depending upon the requirements of the organisation, the relevant tasks are selected.
Mapping threats to assets and vulnerabilities can help identify their possible combinations.
Each threat can be associated with a specific vulnerability, or even multiple vulnerabilities.
Unless a threat can exploit a vulnerability, it is not a risk to an asset. The set of threat and
vulnerability combinations must be reduced before performing a risk analysis; those that are
either not feasible or not necessary need to be dropped. The interrelationship of assets, threats
and vulnerabilities is critical to the analysis of security risks.

The typical tasks are to:

Identify business needs and changes to requirements that may affect overall IT and
security direction

Review adequacy of existing security policies, standards, guidelines and procedures

Analyse assets, threats and vulnerabilities, including their impacts and likelihood

Assess physical protection applied to computing equipment and other network components

Conduct technical and procedural review and analysis of the network architecture,
protocols and components to ensure that they are implemented according to the security
policies

Review and check the configuration, implementation and usage of remote access systems,
servers, firewalls and external network connections, including the client Internet connection

Review logical access and other authentication mechanisms

Review current level of security awareness and commitment of staff within the organisation

Review agreements involving services or products from vendors and contractors

Develop practical technical recommendations to address the vulnerabilities identified, and
reduce the level of security risk.

The following report presents a qualitative risk analysis framework. Summarise the process in
the discussion forum.

https://pdfs.semanticscholar.org/3743/6a533bcbcd1bb42000383eae445840e5cefc.pdf

Security risk assessment process

Organisations perform IT enterprise security risk assessments to assess, identify and modify
their overall security posture and to enable security, operations, organisational management
and other personnel to collaborate and view the entire organisation from an attacker’s
perspective. This process is required to obtain organisational management’s commitment to
allocate resources and implement the appropriate security solutions.

A comprehensive enterprise security risk assessment also helps determine the value of the
various types of data generated and stored across the organisation. Without valuing the
various types of data in the organisation, it is impossible to prioritise and allocate technology
resources where they are needed the most. To accurately assess risk, management must
identify the data that are most valuable to the organisation, the storage mechanisms of said
data and their associated vulnerabilities. An IT security risk assessment takes on many names
and can vary greatly in terms of method, rigour and scope, but the core goal remains the
same: to identify and quantify the risks to the organisation’s information assets. This
information is used to determine how best to mitigate those risks and effectively preserve the
organisation’s mission.

The risk assessment process comprises the following activities:

Asset identification: Identify the key system assets (or services) that have to be protected

Asset value assessment: Estimate the value of the identified assets

Exposure assessment: Assess the potential losses associated with each asset

Threat identification: Identify the most probable threats to the system assets

Attack assessment: Decompose threats into possible attacks on the system and the ways
that these may occur

Control identification: Propose the controls that may be put in place to protect an asset

Feasibility assessment: Assess the technical feasibility and cost of the controls

Security requirements definition: Define system security requirements; these can be
infrastructure or application system requirements.

Once the assets, threats and vulnerabilities are identified, it is possible to determine the impact
and likelihood of security risks. Figure 8.03 illustrates the functional flow and relationships
between each of these activities.



Figure 8.03 - Functional components and flow of risk assessment process

Included in the process are impact assessment and likelihood assessment. Impact assessment
is used interchangeably with the terms impact analysis and consequence assessment. The
impact on revenues, profits, cost, service levels, regulations and reputation are quantifiable. It
is necessary to consider the level of risk that can be tolerated and how, what and when assets
could be affected by such risks. The more severe the consequences of a threat, the higher the
risk.

A likelihood assessment estimates the probability of a threat occurring. In this type of
assessment, it is necessary to determine the circumstances that will affect the likelihood of the
risk occurring. Normally, the likelihood of a threat increases with the number of authorised
users. The likelihood can be expressed in terms of the frequency of occurrence, such as once
per day, once per month or once per year. The greater the likelihood of a threat occurring, the
higher the risk.

Figure 8.04 illustrates a template for evaluating the risk using a risk matrix. The green dotted
boxed portion is the risk portion of the matrix. The likelihood of the occurrence and the
potential impact together determine the overall risk level. For example, a Highly unlikely
occurrence with a severity of Harmful will be Tolerable, whereas a Likely occurrence which is
Extremely Harmful will be Intolerable. A similar approach is used to determine the impact of the
threats on the vulnerabilities in security devices and information system components (Figure
8.05). The numbers in the boxed green area give a relative risk estimate, and the total score
provides the overall risk estimate of the threats to the IT system in the entire organisation.
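The matrix lookup the paragraph above describes, written out as an added example (not part of the lesson or its figures): the two cells the text states are reproduced, the remaining cells and the 1 to 9 numeric scores are assumptions modelled on the common three-by-three likelihood/severity matrix, and a small constructed risk register is ranked and totalled the way the "total score" of Figure 8.05 is described.

```python
"""Qualitative risk matrix and risk register for the lesson's Figures 8.04 and 8.05.

Added example, not the lesson's own material. The two cells the text states
(Highly unlikely x Harmful -> Tolerable; Likely x Extremely harmful -> Intolerable)
are fixed; the other cells are ASSUMED from the common three-by-three
likelihood/severity matrix, and the numeric scores are an assumed
likelihood-rank x severity-rank scale.
"""
from dataclasses import dataclass
from typing import List, Optional

LIKELIHOOD = ("Highly unlikely", "Unlikely", "Likely")           # rank 1..3
SEVERITY = ("Slightly harmful", "Harmful", "Extremely harmful")  # rank 1..3

# Rows follow LIKELIHOOD, columns follow SEVERITY.
RISK_MATRIX = (
    ("Trivial",   "Tolerable",   "Moderate"),     # Highly unlikely
    ("Tolerable", "Moderate",    "Substantial"),  # Unlikely
    ("Moderate",  "Substantial", "Intolerable"),  # Likely
)

def _rank(scale: tuple, label: str) -> int:
    """1-based position of a label on a scale; reject values outside the matrix."""
    if label not in scale:
        raise ValueError(f"{label!r} is not one of {scale}")
    return scale.index(label) + 1

def risk_level(likelihood: str, severity: str) -> str:
    """Qualitative risk level, i.e. the boxed 'risk portion' of Figure 8.04."""
    return RISK_MATRIX[_rank(LIKELIHOOD, likelihood) - 1][_rank(SEVERITY, severity) - 1]

def risk_score(likelihood: str, severity: str) -> int:
    """Relative risk estimate (1..9), the numeric form Figure 8.05 uses."""
    return _rank(LIKELIHOOD, likelihood) * _rank(SEVERITY, severity)

@dataclass
class RiskEntry:
    asset: str
    threat: str
    vulnerability: Optional[str]  # None: the threat has nothing to exploit
    likelihood: str
    severity: str

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.severity)

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.severity)

def rank_register(entries: List[RiskEntry]) -> List[RiskEntry]:
    """Drop pairs with no vulnerability (not a risk, as the lesson says) and
    order the rest by relative risk, highest first, to prioritise treatment."""
    exploitable = [e for e in entries if e.vulnerability]
    return sorted(exploitable, key=lambda e: e.score, reverse=True)

def total_score(entries: List[RiskEntry]) -> int:
    """Sum of the relative estimates: the 'total score' overall risk estimate."""
    return sum(e.score for e in rank_register(entries))

# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    RiskEntry("Customer database", "SQL injection", "Unvalidated web input",
              "Likely", "Extremely harmful"),
    RiskEntry("File server", "Ransomware", "Unpatched SMB service",
              "Unlikely", "Extremely harmful"),
    RiskEntry("Office printers", "Hardware theft", "Unlocked print room",
              "Highly unlikely", "Harmful"),
    RiskEntry("Offline tape archive", "Network intrusion", None,
              "Likely", "Harmful"),
]

if __name__ == "__main__":
    for e in rank_register(SAMPLE_REGISTER):
        print(f"{e.score}  {e.level:12} {e.asset:20} {e.threat}")
    print("total score:", total_score(SAMPLE_REGISTER))
```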



Figure 8.04 - A risk matrix

Figure 8.05 - Security threat matrix

Information risk management

Information risk management is a specific case of risk management in an organisation.
Business risk management is another case of risk management. In the context of the lesson,
the term information risk management is addressed in the following manner:

Information is the valuable meaning or knowledge that we derive from data; in other words,
it is the content of computer files, paperwork, conversations, expertise, intellectual property
and so forth.



Risks are the possibilities of harm

The term management implies someone proactively identifying, assessing, evaluating and
dealing with risks on an on-going basis, along with related governance aspects such as
direction, control, authorisation and resourcing of the process.

The overall approach to information risk management is similar to that relating to the topics
discussed in this lesson so far. Figure 8.06 illustrates the four essential steps in information
risk management. It also shows the various inputs to each stage, including the need to fulfil
statutory compliance and industry standards (the “External obligations”, such as PCI-DSS,
HIPAA, etc.). Notice that the changes (if and when needed) impact every step in the process.

Figure 8.06 - Information risk management

The first stage of the process is to identify potential information risks. Several factors or
information sources feed in to the “identify” step, including:

Vulnerabilities: The inherent weaknesses within our facilities, technologies, processes
(including information risk management itself!), people and relationships, some of which
are not even recognised as such.

Threats: The actors (insiders and outsiders) and natural events that might cause incidents
if they acted on vulnerabilities causing impacts.

Assets: Specifically information assets, in particular valuable information content but also,
to a lesser extent, the storage vessels, computer hardware, etc.

Impacts: The harmful effects of incidents and calamities affecting assets, damaging the
organisation and its business interests, and often third parties.



Incidents: These range in scale from minor, trivial or inconsequential events up to
calamities, disasters and outright catastrophes.

Advisories, standards etc.: The relevant warnings and advice put out by myriad
organisations such as CERT, the FBI, ISO/IEC, journalists, technology vendors, as well as
information risk and security professionals (our social network).

The “evaluate risks” stage involves considering/assessing all that information in order to
determine the significance of various risks, which in turn drives priorities for the next stage. The
organisation’s appetite or tolerance for risks is a major concern here, reflecting corporate
strategies and policies as well as the broader cultural drivers and personal attitudes of the
people engaged in risk management activities.

“Treat risks” means avoiding, mitigating, sharing and/or accepting them. This stage involves
both deciding what to do and doing it (implementing the risk treatment decisions).

“Handle changes” might seem obvious but it is called out on the diagram due to its
importance. Information risks are constantly in flux, partly as a result of the risk treatments, and
partly due to various other factors both within and without the organisation. Handle changes is
an important component of the process that is continually relevant to assess the risks in the
context of changing organisational/business requirements.

Refer to the following standards document, ‘Information technology - Security techniques -
Information security management systems - Requirements’. Summarise the requirements of
risk assessment as prescribed by the standards.

http://securitycn.com/img/uploadimg/20070924/183844756.pdf

ISO 27005

ISO/IEC 27005 is a heavyweight standard. The standard provides a number of annexes with
examples and further information for users.

The standard doesn't specify, recommend or even name any specific risk management
method. It does, however, imply a continual process consisting of a structured sequence of
activities, some of which are iterative:

Establish the risk management context (e.g. the scope, compliance obligations,
approaches/methods to be used, and relevant policies and criteria such as the
organisation’s risk tolerance or appetite).

Quantitatively or qualitatively assess (i.e. identify, analyse and evaluate) relevant
information risks, taking into account the information assets, threats, existing controls and
vulnerabilities, to determine the likelihood of incidents or incident scenarios, and the
predicted business consequences if they were to occur, in order to determine a “level of
risk”.

Treat (i.e. modify [use information security controls], retain [accept], avoid and/or share
[with third parties]) the risks appropriately, using those “levels of risk” to prioritise them.

Keep stakeholders informed throughout the process.

Monitor and review risks, risk treatments, obligations and criteria on an on-going basis,
identifying and responding appropriately to significant changes.

Extensive appendices provide additional information, primarily by way of examples to
demonstrate the recommended approach.

The second edition of ISO/IEC 27005 was published in 2011. It reflects the general corporate
or enterprise-wide risk management standard ISO 31000:2009, “Risk management - Principles
and guidelines”, in the specific context of risks to or involving information.

ISO 31000 - Risk management

Risks affecting organisations can have consequences in terms of economic performance and
professional reputation, as well as environmental, safety and societal outcomes. Therefore,
managing risk effectively helps organisations to perform well in an environment full of
uncertainty.

ISO 31000:2009, titled “Risk management - Principles and guidelines”, provides principles,
framework and a process for managing risk. It can be used by any organisation regardless of
its size, activity or sector. Using ISO 31000 can help organisations increase the likelihood of
achieving objectives, improve the identification of opportunities and threats, and allocate and
use resources effectively for risk treatment.

However, ISO 31000 cannot be used for certification purposes, although it does provide
guidance for internal or external audit programmes. Organisations using it can compare their
risk management practices with an internationally recognised benchmark, providing sound
principles for effective management and corporate governance.

ISO 27005 vs ISO 31000

Both standards are guidelines for risk management. Figure 8.09 illustrates the commonality
between the two standards in terms of risk management. Notice the similarity of terms as well
as the similarity of the process. The difference is in the scope. In short, ISO 31000 is a
superset of ISO 27005.



Figure 8.09 - ISO 31000 vs ISO 27005

The ISO 27005 standard “provides guidelines for information security risk management” and
“supports the general concepts specified in ISO/IEC 27001 and is designed to assist the
satisfactory implementation of information security based on a risk management approach.”

ISO 31000 provides principles, a framework and a process for managing risks. It gives
consideration to all types of risks, unlike the aforementioned 27005, which is specific to
information security risks. ISO 27005 presents the guidelines for the risk management
evaluation and implementation as per the requirements of ISO 27001 standard, which relates
to information security management systems (ISMS). It establishes that risk management best
practices should be defined in accordance with the characteristics of the organisation, taking
into account the scope of its ISMS, the risk management context, as well as its industry.
According to the framework described in this standard for implementing the requirements of
ISMS, several different methodologies may be used; in the appendix of the document different
approaches to risk management, as it relates to information security, are introduced.

ISO 31000 is a set of guidelines for the design, implementation and maintenance of risk management
throughout an organisation, with an emphasis on ERM (enterprise risk management). The
scope of this approach to risk management is to enable all strategic, management and
operational tasks of an organisation throughout projects, functions and processes to be aligned
to a common set of risk management objectives. It serves as a master standard for each and
every risk management standard. Because of its general context, it provides overall guidelines
to any area of risk management (e.g. finance, engineering and security, among others).
Although most organisations already have a defined methodology in place to manage risks,
this new standard defines a set of principles that must be followed in order to ensure the
effectiveness of risk management. It suggests that companies should continually develop,
implement, and improve a framework whose goal is to integrate the process for managing risks
associated with governance, strategy, and planning; this integration extends to management,
the reporting of data and results, policies, values and culture throughout the entire
organisation.

Summary

In the course of this lesson, you have received a fair idea of risk assessment and its role in risk
management. It is a key activity upon which most security requirements are based; in fact, the
entire set of security requirements is derived from the results of risk assessment and is
implemented as security controls. You noticed that the two standards, ISO 27005 and ISO
31000, address organisational risk and are fairly similar in nature. The terms, activities and
tasks are similar and they differ only in their scope of application. In that sense, ISO 27005 is
IT specific whereas ISO 31000 is generic in its approach.

The following link provides a sample risk assessment report for a fictitious company.
Summarise the various steps involved in identifying the threats and vulnerabilities and plan a
risk assessment strategy.

https://itsecurity.uiowa.edu/sites/itsecurity.uiowa.edu/files/sampleriskassessmentre...

Essential and further reading

Essential reading

Bahtit, H., and Regragui, B., 2013. Risk management for ISO27005 decision support
[online]. International Journal of Innovative Research in Science, Engineering and
Technology. Available at:
https://pdfs.semanticscholar.org/5692/f8f8bad1bdc09e52a8f464565d59ca64dfef.pdf
[Accessed 26/01/2017].

Derock, A., Hebrard, P., and Vallée, F., 2010. Convergence of the latest standards
addressing safety and security for information technology [online]. Online proceedings of
Embedded Real Time Software and Systems (ERTS2 2010), Toulouse, France (May
2010). Available at: http://web1.see.asso.fr/erts2010/Site/0ANDGY78/Fichier/PAPIERS%2
0ERTS%202010/ERTS201... [Accessed 26/01/2016].

Further reading

De Bruijn, W., Spruit, M.R., and Van Den Heuvel, M., 2010. Identifying the cost of security
[online]. Journal of Information Assurance and Security, 5 (1). Available at:
https://pdfs.semanticscholar.org/41e8/fead50aca0ff87bc71699401c839de6047cc.pdf
[Accessed 26/01/2017].

Spremić, M., 2012. Corporate IT risk management model: A holistic view at managing
information system security risks [online]. Information Technology Interfaces (ITI),
Proceedings of the ITI 2012 34th International Conference on Information Technology
Interfaces. IEEE, 299-304. Available at:
http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6308022 [Accessed 26/01/2017].

References

OSA, 2016. IT security requirements [online]. Available at:
http://www.opensecurityarchitecture.org/cms/definitions/it_security_requirements
[Accessed 26/01/2017].

Canadian Centre for Occupational Health and Safety. Risk assessment [online]. Available
at: https://www.ccohs.ca/oshanswers/hsprograms/risk_assessment.html [Accessed
26/01/2017].

Schmittling, R., and Munns, A., 2010. Performing a security risk assessment [online].
ISACA. Available at:
https://www.isaca.org/Journal/archives/2010/Volume-1/Pages/Performing-a-Security-Ris...
[Accessed 26/01/2017].

http://www.opensecurityarchitecture.org/cms/

http://shop.bsigroup.com/upload/Standards%20&%20Publications/publications/BIP0076-Ch...

https://pdfs.semanticscholar.org/3743/6a533bcbcd1bb42000383eae445840e5cefc.pdf

http://securitycn.com/img/uploadimg/20070924/183844756.pdf

https://itsecurity.uiowa.edu/sites/itsecurity.uiowa.edu/files/sampleriskassessmentre...
