cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
gmagerr
Newcomer I

Risk Assessment Clarification

Hi,

 

I have a question regarding performing a risk assessment. Say there are 400 servers for example. We determine some of the threats to be an earthquake, mudslide, flooding, high winds, along with technical threats. So how does one go about performing the risk assessment? Do you perform it against each server, and determine the risk for each threat? I'm not 100% clear on how to do it, could someone please explain?

 

Thanks

8 Replies
AppDefects
Community Champion


@gmagerr wrote:

Hi,

 

I have a question regarding performing a risk assessment. Say there are 400 servers for example. We determine some of the threats to be an earthquake, mudslide, flooding, high winds, along with technical threats. So how does one go about performing the risk assessment? Do you perform it against each server, and determine the risk for each threat? I'm not 100% clear on how to do it, could someone please explain?

 

Thanks


You could for example group together the environmental threats to servers and then stratify based upon location and specific threats. Then list out specific risks and come up with a treatment plan that ensures business continuity for each location.

 

For the technical or logical threats this can be even more complex if you consider all of the dependencies. You can create "risk register" entries for common risks to servers and others that are specific to particular applications. That gives you the latitude to design a "risk treatment plan" with common or inheritable controls and controls that have been specifically tailored to mitigate unique risks. There is lots of guidance out there such as ISO/IEC 27005 and the NIST Risk Management Framework (RMF). I hope this help get you started.

 

Steve-Wilme
Advocate II

Take a look at ISO 27005 or NIST SP800-53 or some material on Octave.  You need to start by understanding your organisation's risk appetite.

 

No you would look at natural phenomena typically as a risk to continuity of operations i.e. threat to your data centre.  You'd look at similar risks such as loss of power or comms as a man made continuity risk.  There are actions you can take to reduce these risks; UPS, emergency generators, mobile gen sets, power feeds from different substations etc,  Comms would be two point of ingress diversely routed back to your telco.  These sort of risk fall into the 'accidents' category and are external to your organisation.

 

For human made threats you's typically group all servers that were vulnerable together and assess the threat against them as a collection.  So say you had 300 wintel servers, 80 Linux, a 16 node Dec Alpha cluster, a z series mainframe and some i series, the technical threats to each would be different.  The more obscure tech is less likely to be attacked, assuming most threats are commodity rather than targeted.  So for each human made threat you'd look at likelihood and impact and then work out your generic treatment approach; avoid, transfer/share, reduce or accept.  Look at the inherent risks first before you calculate the reduction provided by any insitu controls.  Also calculate the risk level with the in situ controls.  If the residual risk is still above appetite you need to propose further treatment.  Ultimately you need a senior owner to accept the residual level of risk after treatment.  Since keeping your organisation in operation is a board responsibility ownership should be possible to establish.  

 

 

 

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
CraginS
Defender I


@gmagerr wrote:

... So how does one go about performing the risk assessment? ...


Gene,

Allow me to three more  references resource to your process. You correctly note that the potential threats, and resultant risks, are very broad and diverse. You can quickly run into budget limits when addressing the identified threats and risks. TO help in prioritizing your budget against them, consider using the CIS TOP 20 Security Controls. That list, with its expanded discussion, is based on getting  the most "bang for the buck" for money spent on protection. 

 

  Next, in order to structure your process of identifying threats and defining the related risks, take a look at the NIST system security engineering advice in NIST SP 800-160, Volume 1. 

 

Finally, I note that others may send you to the security control catalog in SP 800-53 to look at security controls. Please understand that you should not consider using that resource until after your completed risk assessment. It is overwhelming to dive into that huge lists controls and details to see what appears to be possibly useful to you. Instead, if you wish to follow the NIST Risk Management Framework, start with guidance found in SP 800-37, Risk Management Framework for Information Systems and Organizations: A System Life Cycle ...

 

Good luck! And please come back to the Community to report on key decisions and progress. We all can learn from you as you carry out your program.

 

Best regards,

 

 

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkeDin Profile
My Community Posts
AppDefects
Community Champion

Since there was a mention of control frameworks like NIST SP 800-53, rev 4 I wanted to mention that the BEST methodology and risk assessment techniques associated with evaluating those control "baselines" is the complementary publication NIST SP 800-53A. The document describes in depth how-to evaluate the effectiveness of security controls.

AppDefects
Community Champion


@Steve-Wilme wrote:

Take a look at ISO 27005 or NIST SP800-53 or some material on Octave.  You need to start by understanding your organisation's risk appetite.

 


Although I stopped using Octave and its variants many years ago. Here's a CMU SEI paper with a checklist (bonus!) that might help you think about "categories" of risks.

bjpatton
Newcomer I

Which Framework are you using?  NIST RMF is for Federal agencies, whereas the NIST CSF can be used for commercial organizations as well(but is also required for Federal agencies as well). 

  

AlecTrevelyan
Community Champion

While it's true to say the RMF is mandatory for US federal organisations, it's very much stated that other nonfederal organisations are encouraged to use it too - although, it's also fair to say I don't know any that do.

 

 

rmf-clarification.png

 

The CSF is a voluntary framework which was created with critical national infrastructure organisations in mind, which tend to be commercial rather than federal and hence not subject to mandatory use of the RMF, but obviously require to have strong levels of protection and resilience given their economic and national security importance.

 

bjpatton
Newcomer I

This article helped me a bit: https://www.itdojo.com/top-ten-differences-between-rmf-and-csf/

 

I think for private industry NIST Cybersecurity Framework can make more sense as it allows for more agility.  As a business is creating a program they may not be able to change the culture of an organization as quickly to be as prescriptive as the RMF dictates in assigning CISM's and going through an ATO process.  

 

Also, the EMASS tool is government software provided by DISA as I understand and not as readily available for private industry.  I believe different agencies have a different instance of those tools as well.  Ultimately there is a need for reciprocity and I think that is still being worked out.  It's interesting to me that different human being entering information into these tools may interpret answers different as well.

 

I don't work in the government industry so my understanding may be a bit off, but I feel that if you are a commercial organization you may be a lot more successful focusing on the NIST Cybersecurity Framework.  Whereas if you are deploying a service for others, ISO 27001 Framework may be more beneficial so you can have your processes certified by a third party providing more trust to your customers.