In order to properly protect the critical assets in any business or government agency, security professionals, charged with this responsibility, must fully understand their risks prior to deploying any solution that will effectively protect these resources.
While many organisations have deployed security solutions such as firewalls and anti-virus programs, these efforts alone are not sufficient to protect crucial infrastructure components from the ever-evolving internal and external (Internet) threats. By fully understanding their risks and utilising each step of the lifecycle, any organisation will be able to successfully deploy an information security program to protect against the latest threats to their digital assets.
McAfee recommends companies follow a ten-step risk management lifecycle program, which can and should be personalised to meet specific organisational requirements and guidelines, but no step should be skipped or completed out of order.
Step One: Policy
An effective security enforcement policy is critical in reducing or eliminating threats to an organisation's digital assets.
* Strategy - Understand what the goals and objectives are for an effective security programme, making sure that it is fully supported internally (including the authority to be enforced).
* Process - Understand how to manage the policy in an organisation and how it will be enforced. Establish procedures and process that will address violations or security incidents.
* Standards and guidelines - Build established standards into the policy and define new standards that will be supported and enforced by the policy.
* Communication of the policy - This is the most important step and includes educating all users affected by the policy, ensuring that they know where to find the policy, what to do and who to contact in the event of a violation or security incident.
* Enforcement on trusted systems - This step prevents users from installing unauthorised software, initialising insecure configuration changes, or adding components outside the bounds of a standard, authorised configuration.
Step Two: Inventory
Once a set of security policies has been established, an organisation must fully understand all of its digital assets that need to be protected in order for those policies to be effective. These targeted assets should not only include the easily recognised assets required for the core "business process" but must include every network, segment, system, user and application to achieve best practices for a comprehensive programme of risk management.
Step Three: Prioritise
Once vulnerable assets are identified a set of protection priorities must be created. The following issues should be considered when prioritising:
* Value - Not hard cost, rather the cost of downtime and recovery. For example, if this is a customer-facing Web application that generates revenue or has to be up to provide a service that supports revenue, consider the impact to revenue if down.
* Incident recovery costs - If an incident happened previously, how much did that downtime cost and how much did the recovery cost? Was there impact from a virus? These are good baselines that help resolve some of the guesswork that often accompanies this step.
* Lost productivity - This includes the costs of data recovery, the amount of time a critical user or group are offline, the amount of time customers can't access a site, missed delivery dates of new applications, etc.
* Operational impact - A specific example is the costs of system recovery that actually may fall outside of the security team. With spyware, for instance, system response time slows over time, calls to the help desk increase and eventually the only recovery option is to take that user offline and spend some period of time re-installing the infected system. This is where user priority becomes critical.
* Business process mapping - An example is the relationship between a customer-facing web application and the database it relies upon to provide service to the customer.
This step may seem daunting but a complete asset inventory and valuation is critical to effectively prioritise in terms of business systems versus development systems or customer data versus non-customer data.
Step Four: Vulnerabilities
This step is sometimes confusing as many organisations often find themselves treating all vulnerabilities the same. The only way to properly manage vulnerabilities is by knowing all of the critical assets within the network, prioritising them properly and discovering their vulnerabilities. What seems on the surface to be the same vulnerability occurring on multiple systems can actually be quite different. Understanding and fully utilising the proper approach to this step will in fact identify the most critical assets. By balancing the vulnerability findings with asset prioritisation, organisations can approach remediation in a prudent fashion. By following this entire lifecycle, the days of handing volumes of assessment tool reports to a systems administrator are a thing of the past.
However, for the greatest impact this step must be combined with the next step: Threats.
Step Five: Threats
Quite often, an organisation finds itself fixing vulnerabilities on a wide scale without fully understanding the asset value or threats. This step involves not only understanding what a threat is, but also how or if it can be effective in an environment based on potential vulnerabilities. This is the final step in determining the true risk level and will help clarify potential threats in an environment and the expected impact to the assets.
By understanding the threats against the most vulnerable and critical assets, discovered and prioritised in steps two to four, any organisation will be prepared to deploy the proper protective technology for specific problems and address those problems in a "Protection-in-Depth" manner, as discussed below.
Step Six: Risk
By utilising the following formula and data from steps one to five, a security manager is able to properly assess the true level of risk to their organisation's vulnerable assets.
R = (A/C) x (V/C) x (T/C)
R = Risk
A = Asset Value
V = Vulnerability Severity
T = Threat Criticality
C = Countermeasures
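The Step Six formula applied to a small constructed inventory, as an added example that is not part of the original article: each factor is assumed to be scored on a 1 to 10 scale (a scale the article does not specify), and C is required to be at least 1 because the formula divides by it. The same vulnerability severity produces very different risk scores on different assets, and raising C on one asset shows the reduction a later measurement (Step Nine) would record.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    name: str
    value: int           # A: asset value, 1 (low) to 10 (critical); assumed scale
    vuln_severity: int   # V: vulnerability severity, 1 to 10; assumed scale
    threat: int          # T: threat criticality, 1 to 10; assumed scale
    countermeasures: int # C: countermeasure strength, 1 (none) to 10; assumed scale


def risk_score(asset: Asset) -> float:
    """R = (A/C) x (V/C) x (T/C), the lifecycle's Step Six formula."""
    for label, score in (("A", asset.value), ("V", asset.vuln_severity), ("T", asset.threat)):
        if not 1 <= score <= 10:
            raise ValueError(f"{label} for {asset.name} must be between 1 and 10, got {score}")
    c = asset.countermeasures
    if not 1 <= c <= 10:
        # C=0 would mean "no controls at all"; the formula is undefined there, so
        # the weakest permitted state is C=1 (assumed convention).
        raise ValueError(f"C for {asset.name} must be between 1 and 10, got {c}")
    return (asset.value / c) * (asset.vuln_severity / c) * (asset.threat / c)


def rank_by_risk(assets: list[Asset]) -> list[Asset]:
    """Highest risk first: the order in which remediation effort should be spent."""
    return sorted(assets, key=risk_score, reverse=True)


def with_countermeasures(asset: Asset, new_c: int) -> Asset:
    """Model the effect of adding controls (Step Seven) before re-measuring (Step Nine)."""
    return replace(asset, countermeasures=new_c)


# Constructed inventory: the web app and the build server carry the same V=8 finding.
INVENTORY = [
    Asset("customer-web-app", value=9, vuln_severity=8, threat=9, countermeasures=2),
    Asset("orders-database", value=10, vuln_severity=5, threat=7, countermeasures=4),
    Asset("dev-build-server", value=3, vuln_severity=8, threat=4, countermeasures=2),
]

if __name__ == "__main__":
    for a in rank_by_risk(INVENTORY):
        print(f"{a.name:18} R={risk_score(a):.3f}")
    hardened = with_countermeasures(INVENTORY[0], 4)
    print(f"{hardened.name} after controls: R={risk_score(hardened):.3f}")
```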
Step Seven: Block
Because of the new protective technologies that are available, organisations are now able to install "security vulnerability patches" while permanent operating system and application patches are properly tested and planned.
Step Eight: Remediation
Remediation involves reviewing all of the previous steps and then prioritising remediation actions, based on discoveries and actions obtained from those steps. With the proper deployment of process and technology within step seven (Block) this remediation step will be straightforward both to understand and execute (although this step is often completed too early in the lifecycle). When an early execution occurs, usually at the time a critical patch is released by a vendor, the result is the wrong protection technologies installed in the wrong place, with the patch having no positive effect at stopping the attack.
End-user notification is a key component of Remediation, making sure the policy is available. This allows the end-users to be involved in the remediation of threats impacting them individually or the entire organisation.
Keep in mind that not all systems, users, and data are treated equally. In fact, the results of remediation might mandate addressing less critical vulnerabilities on more critical systems, based on the specific attack situation.
Successfully achieving remediation is directly affected by implementing the prescribed protective technologies discussed in step seven. Patches can then be rolled out in a prudent fashion after testing and scheduling to complete the operational remediation process.
Step Nine: Measure
By the time this step has been reached, a certain level of success in closing security gaps has been achieved. It is now time to take a measurement of the impact of prior decisions. After accomplishing this step it may be found that previously deployed solutions need refinement. Whatever the case, it's critical that prior actions be measured.
Also, at this point a new, complete, vulnerability scan should be initiated to determine the latest risk score to answer the following questions:
* What impact to critical business systems did prior actions have?
* Were systems and users negatively impacted?
* Is the environment more secure now than when first started?
* Are additional actions necessary?
* Was productivity affected by any actions? Should these actions be curtailed?
* Did the environment change?
* Should additional technologies be deployed?
Step Ten: Compliance
This last step provides the mandatory review of each threat situation and how successfully an organisation dealt with that threat. This involves the ability to discover, assess, react and remediate security related problems.
The results of this evaluation allow security managers to review policy and identify any necessary adjustments in the policy and/or lifecycle process and take action to remediate.
There are many considerations to take into account during a compliance review such as:
* Did actions up to this point align with the security policy?
* Does the policy need to be adjusted based on these findings?
* Did the environment or user-base force additional change?
* Are all systems in compliance with established standards?
New threats, impact or changes to the computing environment or user base, new business systems or applications, or changes in the organisation are also items to consider at this point.
New threats and vulnerabilities are emerging on a daily basis; whether they are focused at a service provider's network, a corporation's enterprise, specific internal systems, critical data, or end users is inconsequential at this point. The fact that they exist and are not slowing down forces security professionals to stay up-to-date on not only the latest security threats to their assets, but also the ever-changing business priorities for these assets. They must fully understand their vulnerabilities in order to properly understand their risks prior to deploying any solution that will effectively protect these assets.
By utilising and adapting the Risk Management Lifecycle, resulting in the implementation of a "Protection-in-Depth" strategy, any service provider, business enterprise, government agency, or organisation can properly discover, understand, and defend their digital assets against both known and "zero-day" attacks.