Information Security Today Home

Other Books by Tom Peltier

Information Security Policies and Procedures: A Practitioner's Reference, Second Edition
Complete Guide to CISM Certification
Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management
Information Security Fundamentals
Managing a Network Vulnerability Assessment

Introduction to Risk Analysis

Thomas R. Peltier

1. Overview
Risk management is a process that provides management with the balance of meeting business objectives or missions and the need to protect the assets of the organization cost effectively. In this period of increased external scrutiny due to the myriad questionable management decisions and the corresponding legislative backlash, risk management provides management with the ability to demonstrate actively due diligence and how they are meeting their fiduciary duty. This chapter examines how risk analysis helps managers meet their due diligence requirement.

2. The Difference between Risk Analysis and Risk Assessment
When we examine the business process development cycle (BPDC) (also known as the system development life cycle [SDLC]), we see that there are phases in which certain activities are scheduled to be performed. In the BPDC that I am familiar with, the first phase is the analysis process. This is the time when the case for a new project is created. The risk analysis, or project impact analysis (PIA), is used to document and demonstrate the business reasons why a new project should be approved. When the PIA is complete, the formal documentation is presented to the executive management committee for review, assessment, and possible approval. If approved by the committee, the proposal is then registered and becomes a "project."

Once a project has been approved, early in the next phase of the BPDC, the design phase, a risk assessment must be performed to identify the threats presented by this new project to the organization's mission or business objectives. The risk assessment allows the development team and the business stakeholders to identify potential threats, prioritize those threats into risks, and identify controls that can reduce the risks to acceptable levels. Knowing the control requirements in the design phase will help reduce costs when work begins on the project in the construction or development phase.

3. Risk Analysis and Due Diligence
Risk analysis is the process that allows management to demonstrate that it has met its obligation of due diligence when making a decision about moving forward with a new project, capital expenditure, investment strategy, or other such business process.

Due diligence has a number of variant definitions based on the industry that is being discussed. Typically, the consensus these definitions address is the measure of prudent activity, or assessment, as is properly to be expected from, and ordinarily exercised by, a reasonable and prudent person under the particular circumstances. Due diligence is not measured by any absolute standard but depends on the relative facts of each case.

In brief, the risk analysis or PIA examines the factors that come into play when trying to determine if a project should be approved. The PIA examines the tangible impacts; e.g., capital outlay, development costs, and long-term costs such as continued operations and maintenance. The risk analysis also addresses intangible impacts, such as customer connivance or regulatory compliance.

When the risk analysis is complete, the results are presented to a management oversight committee that is charged with reviewing new project requests and deciding whether or not to move forward. If the request is approved, the project is registered and a risk assessment is scheduled for early in the design phase of the BPDC or SDLC. The documentation is retained for a period of time and then can be used by the organization if ever there are any questions about why a project was or was not approved.

4. Risk Assessment and Fiduciary Duty
Because many organizations do not know what the threats and risks are to operate in the changing business environment, a formal risk assessment process must be conducted early in the design phase. Risk assessment provides a process to identify threats systematically and then determine risk levels based on a specific methodology designed for the organization conducting the assessment. After establishing a risk level, the project under development can then look to identify control measures that will reduce the risk to acceptable levels.

Risk assessment has four key deliverables: 1. Identify threats to the organization's mission 2. Prioritize those threats into risk levels 3. Identify mitigating controls or safeguards 4. Create an action plan to implement those mitigating controls

The output from the risk analysis and risk assessment processes will generally be used twice. The first time will be when decisions are made: for the risk analysis, that means deciding whether or not to proceed on a new project; for the risk assessment, that means identifying the types of controls or safeguards that need to be implemented. For risk assessment, the output will identify what countermeasures should be implemented or document that management has determined that the best decision is to accept the risk.

The other time the results will be used is when the "spam hits the fan." That is, when a problem arises and the organization must show the process it used to reach the decisions that it did. The documentation created in the risk management processes will allow the organization to show who was involved, what was discussed, what was considered, and what decisions were made.

By implementing risk analysis and risk assessment, an organization has the tools in place to make informed business decisions. By integrating these processes across the entire enterprise, the organization can take back control of its activities from outside interference. With an effective risk assessment process in place, only those controls and safeguards that are actually needed will be implemented. An enterprise will never again face having to implement a mandated control to "be in compliance with audit requirements."

5. Performing a Risk Analysis
Risk analysis is a process used to identify and assess factors that may jeopardize the success of a project or achieving a goal. Another term for this process is project impact analysis (PIA). It will require an in-depth cost-benefit analysis to be conducted. The process gives organization management the opportunity to examine and assess a proposal before it becomes a live project. This examination should not only determine whether the project should be approved but it should also establish key objectives or impacts.

The risk analysis process is conducted in the analysis phase of the SDLC. Here the interested parties are charged with building their case and presenting the proposal to the management review committee for approval and initial funding (Figure 1).

System development life cycle (SDLC) chart

Figure 1 System development life cycle (SDLC) chart.

The goal of the risk analysis process is to present to the management approval team the business reasons the proposal should become a project and then become part of the production environment. In addition to the pros and cons of accepting the proposal, the risk analysis will allow the team to establish the project goals and objectives, the risks and critical success factors, and the organization and implementation of the approved project.

The risk analysis process can take as little as a week or may take several months to complete depending on the size and scope of the project. Early on, the project proposal team will want to identify all the stakeholders or those individuals with a vested interest in the project. These individuals will help the proposal team examine and meet the risk analysis objectives.

Once the risk analysis is complete, the champion and the project lead take the document to the executive committee that reviews and approves new projects. This process could take more than one meeting with the committee. If the committee turns the proposal down, this process must be documented and the report filed away. Unsuccessful proposal reports should be kept for a period of five to seven years. The retention period will depend on the requirements identified by the records-management program of the organization.

If the proposal is successful, the champion and the project lead next visit the project management office to register the project. Part of this process will be the requirement to complete the pre-screening process, which is discussed in detail in Chapter 3. The pre-screening process asks a few questions that will help determine whether this project will require a full risk assessment or business impact analysis. The only other element required early on in the SDLC is for the project team to classify the data to be found and used with the project.

6. Risk Analysis Elements
Part of the risk analysis will examine the costs of the project. When researching costs, the team will establish any costs for procurement of the project and any development costs. Although these costs are important, they do not represent the actual or total cost of the project. In your project proposal, it will be beneficial to have a chart similar to the one shown in Table 1.

Table 1 Risk Analysis Table

Risk Analysis Table

Probably the lowest part of the overall cost for any project is the actual procurement or development costs. The costs that I find have the most impact include operations and maintenance. In the mid-1990s, as companies began to deploy to the Internet, the need for security was reinforced in the risk assessment process. One of the solutions was to implement a firewall. One electrical utility began the implementation in August 1995. The head of information security was told that there would be a need for a firewall to protect the organization as it connected to the Internet. The security professional was not initially concerned because the firewall was hardware and as such was a capital expenditure, which would be part of the Operations department's budget. That part of the implementation was true; however, what he didn't know about was the need for a firewall administrator. This added cost was compounded when the total number of firewalls was going to be fifteen, and that administration was a 24/7 operation, so there was going to be a need for more than one administrator.

When working through the risk analysis process, it is always important to consider the impact of converting to a new process or having to migrate processes or data over to the new structure. During a recent class on risk management, a fellow security professional shared with the class that a former PeopleSoft company had just converted to SAP. We decided to use this project to walk through the components of the risk analysis process. We discussed the nine key components examined in the risk analysis table (Table 1). When we got to the discussion on conversion and migration, the discussion took a scary turn. It was related to the class that the conversion process was a most-formidable exercise. The process took over a year and many employees, including IT, financial, and HR, worked long hours. We discussed where one could go to find such information on conversion impact. We thought about user groups or asking fellow professionals or the vendor. We did a quick search of the Internet and found a number of articles that helped the class fill in the needed figures.

During our investigation, we found the following in a very interesting article, "The Great PeopleSoft Migration" by Joab Jackson in Government Computing News, March 7, 2005:

If all goes according to schedule, the Defense Department will complete the Defense Integrated Military Human Resources System - estimated to be the world's largest human resources program - in 2013. Unfortunately, 2013 is also the year DIMHRS will become a legacy system, because that's the year Oracle Corp. plans to end support for PeopleSoft applications, the platform DIMHRS will run on.

Last December, when database vendor Oracle purchased PeopleSoft Inc., agency heads faced a tough decision. Should they stick with Oracle as the company migrated PeopleSoft users over to its own e-business platform? Or would the upgrade be so arduous, the new features so underwhelming, that making the switch would be untenable?

Spending all of that time to implement a process only to discover that it will be running a non-supported legacy system is an issue that should have been uncovered in the risk analysis process.

7. Other Considerations
Although it is important to consider all of the elements of cost in deciding to move forward, the outlay of capital expenditures is just part of the risk analysis process. What must also be considered is the cost of not moving forward with a project. What would be the impact to the enterprise if it was decided to delay or not approve the project? How would not moving forward impact the competitive advantage of the organization? How would this decision impact the ability to meet the mission of the enterprise? How would strategic business partners, suppliers, vendors, and other stakeholders be impacted?

In the late 1980s, many big organizations decided to convert from a paper-based order entry system to an e-commerce process. This foray into electronic data interchange (EDI) caught a number of suppliers off guard. EDI is the process of using telecommunications to exchange documents between companies. Orders, purchase agreements, shippers, and the like were going to be converted to electronic format. These small suppliers were concerned that they would not be able to meet the aggressive implementation deadline established by the big vendors. One manufacturer established a compromise for the handling of paper-based documents. They vendor would charge the supplier a one-dollar-per-page handling fee for each sheet of paper submitted. This handling fee would be automatically deducted from the amount owed the supplier.

When conducting a risk analysis, it is vital that as many factors as possible be uncovered. This is why the risk analysis should have access to the stakeholders and those with a vested interest in the project. Asking questions and exploring options is vitally important. Later in this chapter we will review a sample set of questions that can be used to improve the risk analysis process.

Another important factor to consider in this process is the impact of regulatory compliance issues. The new project should, whenever possible, enhance regulatory requirements. Gap analysis, which is discussed in Chapter 5, provides the organization with the ability to identify all of the regulatory laws and regulations and map them against the industry standards that the organization is using as its baseline security controls. The organization then maps their policies, procedures, and standards to the all-inclusive set of standards. This allows the organization to identify any areas where it needs to improve for regulatory compliance.

Any time a risk analysis is preformed, it will be important to review the gap analysis to ensure that the new project does not impact the compliance issues.

Sometimes a new idea or concept is drafted by a department such as marketing, and it gains support and then management acceptance before the infrastructure, budget, or security personnel have an opportunity to perform a formal risk analysis. A number of years ago we were hired to perform a network vulnerability assessment on a utility company located in the Southwest. The technical team was running a port scan of the firewall and my technician came running in to inform us that there were some ports open that were major security issues. We went to the firewall administrator and asked why the ports were open. The firewall administrator told us senior management had requested that they be opened so that local high school students could have access to the Internet. Our investigation discovered that marketing had approached the utility's management and indicated that it would be a good public service to provide Internet access to the students. When we presented the security hole to management, we were informed that no one was told what ports were opened, so there should be no security risk!

Once when performing a physical security review, we found a UNIX server located in an office area. We could not find the server on any list of hardware provided by the IT department. We went back to the user department with the lead IT auditor and the information security officer. When we asked about the server, we were informed that it had been purchased as "filing" equipment and a contractor had been hired to develop a new bill-paying program for them. They had tested the program and were just getting ready to contact IT to have their server connected to the network.

The tangible way to measure success is to see a lower bottom line for cost. Risk assessment can assist in this process by identifying only those controls that are needed to be implemented. Organizations are not implementing controls because they think they are needed. Only those actions that are actually required are being implemented. For risk analysis, the metric is that only those projects that show a true business need are being implemented.

Another way that the success of a risk analysis and risk assessment is measured is if there is a time when management decisions are called into review. By having a formal process in place that demonstrates the due diligence of management in the decision-making process, this kind of inquiry will be dealt with quickly and successfully.

8. When to Conduct a Risk Analysis
Whenever money or resources are to be spent, a risk analysis should be conducted. This process will provide the business reasons that should be used to justify the decision to move forward with a new project or capital expenditure. The documentation of this process can be used by management to demonstrate that they have been performing their due diligence responsibilities.

Typically, the output from a risk analysis will be used twice. The first time will be when the organization decides whether or not to move forward with a development or capital project. The other, and often the most important time is when the organization is being examined by some third party and they are looking to management to find out why the project was approved. This documented process will provide the necessary material to defend any decision.

9. Final Words
For risk analysis and project impact analysis, the need to demonstrate due diligence is an important output of the process. However, the overriding reason to conduct these processes is that it makes good business sense. The organization proceeds on certain paths based on need and the ability of the organization to meet those specific business or mission needs. The risk analysis process provides management with a consistent tool to be used to determine where the organization's limited resources will provide the best return on investment.

10. Sample Risk Analysis Questionnaire
It is important to establish a set of questions that will help the team present the best set of options for the approval process. When I am working on putting together such a report, I examine each of these questions with the champion and the project lead to ensure that the objectives are firmly established in business need. It will be necessary to include all of those individuals with a vested interest in the project or stakeholders (Table 2).

Table 2 Project Impact Analysis Questionnaire

Project Impact Analysis Questionnaire

11. Sample Risk Analysis Report Outline

  1. Name of project and brief description
  2. Project champion/owner
  3. Business reason or need for project
  4. Estimated cost of project
    1. Money
    2. Time
    3. Resources
  5. Regulatory impact
  6. Infrastructure impact
  7. Maintenance cost
  8. Time line

Items 3, 4, 5, 6, and 7 should have a minimum of one paragraph of supporting material. In item 4, the estimated cost of the project, it is often best to use a visual like the one provided in Table 2.

About the Author

How to Complete a Risk Assessment in 5 Days or Less Chapter 2 from How to Complete a Risk Assessment in 5 Days or Less by Thomas R. Peltier. New York: Auerbach Publications, 2008.

Listen to interview with Tom.

Subscribe to Information Security Today

Powered by VerticalResponse

© Copyright 2009-2010 Auerbach Publications