Ask the Tutor a Question
Got a question? Click here to email it to the tutor. We'll publish the answer, so be sure to include your Internet Evolution Username so you get credit for the question.
Video Tutor Gideon Lenkey
Gideon J. Lenkey, CISSP, specializes in assessments and tests of enterprise IT security and also enjoys tracking malicious hackers, corporate insiders, and extortionists. In 1994, he co-founded Ra Security Systems, a network security monitoring and consultancy in Milford, NJ. He has provided advanced training to the Federal Bureau of Investigation and has won numerous recognitions from the agency for his curricula. In addition to consulting for both foreign and domestic government agencies, Lenkey's also a member of the Computer Security Institute.
Questions and Answers from the Tutor
Question: Is there a relationship between risk assessment and specific regulations like the Payment Card Industry Data Security Standard (PCI DSS)?
Answer: The PCI DSS is a data security standard that organizations processing credit card payments are supposed to adhere to. While it's not really directly related to the risk assessment process in any traditional way, non-compliance with the standard has proven to be a risk in and of itself -- in some cases resulting in businesses having to cease operations unexpectedly.

Question: At what point does having backup 24/7/365 become prohibitively expensive for a company looking to cut overhead wherever it can?
Please note: I am looking at this from the viewpoint of a small and midsized business (SMB) -- companies with fewer than 500 employees, most of which have fewer than 100 employees. Most SMBs can't afford the level of reliability and resilience you talk about here. They want a degree of resilience (in the sense that they don't want to lose the data, but they have a lot more room to maneuver with respect to service levels compared to Fortune 500 companies that have always-on infrastructure), but they can neither afford nor need the 24/7/365 levels.
Answer: The point of risk assessment is to identify the things that can prevent an organization from performing its mission or continuing to operate. No two companies will have exactly the same risks or even the same tolerance for risk. Some small business owners accept a lot of risk in order to operate at a higher profit margin. The theory is that if they make more and disaster strikes, they can rebuild the business in less time because they have more resources. A more risk-averse approach is just the opposite: Pay more now to avoid interruption or having to rebuild the business. The larger or more mature a business becomes, the less risk it's likely to tolerate, but at any level, risk tolerance is highly subjective. Ultimately it's up to the management to decide what level they're comfortable with.

Question: Do you think there are new, major threats posed, as some enterprises start to adopt consumer smartphones like the iPhone?
Answer: Smartphones have the potential to introduce a considerable amount of risk to the enterprise. These devices have become fully functional hand-held computers with a full-time Internet connection. While exploits for these sorts of devices have been sparse, the potential is undeniable. The average smartphone contains a treasure trove of personal and corporate information including email addresses, financial account information, documents, communications, and in some cases, network access credentials. To make matters worse, in most cases the devices communicate over the telecommunications provider's network rather than the corporate network, which effectively bypasses security controls typically implemented for desktop and laptop computer users. As contemporary security practitioners continue to raise the bar on the corporate network, the corporate smartphone will likely become a prime target, with personal users of the devices being swept up as well.

Question: Who should be responsible for determining what constitutes the "crown jewels" in building a risk assessment? And what process would you recommend for using your risk assessment to build a threat assessment?
Answer: Unless you are a very small organization, there are typically multiple stakeholders involved in identifying the "crown jewels" (critical assets or processes) of the organization. Oftentimes, one business process owner isn't even aware of a critical area of another business process that could seriously affect the whole organization. For example, an IT infrastructure manager might not understand the mission-critical aspects of the transportation manager's area, and vice versa. Critical areas will differ greatly, depending upon the specific business, but any effort should seek to identify all stakeholders in areas likely to contain critical processes.
Risk assessments and threat assessments are usually interrelated efforts. Generally speaking, a threat assessment seeks deeper understanding of a known threat, whereas risk assessment seeks deeper understanding of the risk posed by threats, known or otherwise. In many cases threats are identified in the risk assessment phase and then analyzed further in a specific threat assessment. In other cases the threats are simply assessed as part of the risk assessment process.

Question: Does one combine risk assessment with risk management?
Answer: Assessment is part of the management process. If you don't know what your risks are, then you can't manage them. Risk management is a cyclical process, which ideally repeats at a frequency relative to the amount of acceptable risk to the organization. The more risk, the higher the frequency, and vice versa.

Question: What would you list as the major threats involving enterprise routers?
Answer: There are a few things I typically look for when assessing the security posture of a router. Ten years ago all you needed to break into a non-Cisco router was the default password! Now, thankfully, things are much improved.
Routers are infrastructure devices that often operate for years with relatively little change in configuration. Because of this, they are often not updated or patched regularly. In some cases, especially with Cisco routers, they reach a point where the equipment can no longer be upgraded, as it lacks the resources to run the latest versions of the operating system. This, of course, can leave your router vulnerable to a wide variety of exploits.
I don't like to see routers managed with Telnet; most are capable of Secure Shell (SSH) now, and that is preferable in almost all cases. If Telnet must be used, compensating controls such as full content monitoring should be deployed. Because routers are central to the functioning of a network they should be carefully watched -- and rarely are.
Routers should also be configured to use external log servers, without which you will probably not detect a brute-force attempt on the administrator password. In addition, all router configuration files should be regularly reviewed for evidence of tampering and overly permissive or special permission access-control lists (ACLs) that are no longer needed.
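The answer above makes three concrete recommendations that can be checked mechanically once router logs reach an external syslog server and configurations are archived: watch for brute-force attempts on the administrator password, prefer SSH over Telnet for management, and review ACLs for overly permissive entries. The following script is an added example written for this page; it is not the tutor's code or any vendor tool. The log lines and configuration fragment are constructed for the example (the failed-login message mimics the Cisco IOS `%SEC_LOGIN-4-LOGIN_FAILED` format; the hostnames, addresses and timestamps are invented), and the threshold of five failures in sixty seconds is an assumed tuning value, not a standard.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: lines as an external log server might store them from a
# router. Message bodies follow the Cisco IOS %SEC_LOGIN format; the router
# name, source addresses and times are invented for this example.
SAMPLE_LOG = """\
2009-03-05T14:02:01 rtr-edge1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]
2009-03-05T14:02:03 rtr-edge1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]
2009-03-05T14:02:04 rtr-edge1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]
2009-03-05T14:02:06 rtr-edge1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]
2009-03-05T14:02:09 rtr-edge1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]
2009-03-05T14:10:00 rtr-edge1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: jsmith] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed]
2009-03-05T14:10:30 rtr-edge1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: jsmith] [Source: 192.0.2.10] [localport: 22]
"""

# Constructed router configuration fragment in IOS-style syntax (invented).
SAMPLE_CONFIG = """\
hostname rtr-edge1
!
access-list 101 permit ip any any
access-list 102 permit tcp host 192.0.2.10 host 192.0.2.1 eq 22
!
line vty 0 4
 transport input telnet ssh
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) %SEC_LOGIN-4-LOGIN_FAILED: .*?\[Source: (?P<src>[0-9.]+)\]"
)
PERMISSIVE_ACL_RE = re.compile(r"(?:access-list \d+ )?permit \S+ any any\b")


def detect_login_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {(router, source_ip): total_failures} for every source that
    produced `threshold` or more failed logins inside any `window_seconds`
    sliding window. Successful logins are ignored on purpose: the signal is
    the burst of failures, which only an external log server will preserve
    if the router is later compromised or rebooted."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures[(m["host"], m["src"])].append(datetime.fromisoformat(m["ts"]))
    alerts = {}
    for key, times in failures.items():
        times.sort()
        window = deque()
        for t in times:
            window.append(t)
            # Drop timestamps that fell out of the sliding window.
            while (t - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold:
                alerts[key] = len(times)
                break
    return alerts


def review_config(config_text):
    """Flag the conditions the answer above calls out: Telnet accepted on the
    management (vty) lines, permit-any-any ACL entries, and no external
    syslog destination ('logging host') at all."""
    findings = []
    in_vty = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("line "):
            in_vty = line.startswith("line vty")
        elif not raw.startswith(" "):
            in_vty = False  # any unindented line ends the 'line vty' section
        if in_vty and line.startswith("transport input") and "telnet" in line.split():
            findings.append("telnet management enabled: " + line)
        if PERMISSIVE_ACL_RE.match(line):
            findings.append("overly permissive ACL entry: " + line)
    if not re.search(r"^logging host \S+", config_text, re.MULTILINE):
        findings.append("no external syslog host configured (logging host)")
    return findings


if __name__ == "__main__":
    for (router, src), n in detect_login_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {router}: {n} failed logins from {src}")
    for finding in review_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run as-is, the script raises one brute-force alert for 203.0.113.7 (five failures in eight seconds) while ignoring the single mistyped password from 192.0.2.10, and the configuration review reports the any/any ACL, Telnet on the vty lines, and the absence of a logging host. In practice the log parser would read from the syslog server's files and the config reviewer from a configuration archive, so that the diff between successive archived copies can also serve as the tampering check the answer recommends.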

Question: Are there ways for CIOs to identify, quantify, and manage threats that pose a risk to an organization, company, government, human population, or even an individual... and still come out ahead?
Answer: While there are no guarantees in any risk management methodology, success lies in integrating the practice of actively identifying and quantifying risks into day-to-day business management.
Each business has different risks to manage (human error as opposed to credit card theft, for example) and must choose to either innovate or follow an industry leader in its sector when it comes to methodology. Successful risk management is usually a deeply integrated process, while one-off projects are often unsuccessful.
Coming out ahead really depends on your ability to understand actual net impact, make pragmatic financial decisions, and integrate with your existing business or personal processes.