Introducing Risk Assessment & ISO17799

This post is about an often overlooked feature of the Serio CMDB. Risk Assessment is a formal process of identifying and measuring risks posed to organisational Items - for example the risk of a hard disk crash on a key server, the risk of theft of laptops, the risk of hackers stealing customer data, the risk of someone spilling coffee on a computer and so on.

Risk Assessment helps you to decide on Changes that you need to make to your systems to reduce risks (of course, Change Management naturally complements the Risk Assessment process by providing a controlled way to implement such Changes). Naturally Risk Assessment is a proactive activity, aiming to avoid the costs associated with Incidents before they occur.

A formal Risk Assessment exercise is a key step in gaining BS7799/ISO17799 certification (these standards have since been renumbered as ISO/IEC 27001 and ISO/IEC 27002). BS7799 requires that you develop a Risk Assessment methodology which takes into account both the value of Items to your organisation and the seriousness of the threats they face.

So far so good. Serio adds value to this by providing a framework for storing and reporting on the results of your Risk Assessment exercise which is geared towards the requirements of BS7799.

The Risk Assessment Process

The Risk Assessment process in Serio consists of gathering information about Items and the risks they are exposed to. This information is stored in the Serio Configuration Database for reporting and analysis (if you’ve ever wondered what the Threats and Vulnerability icons were for, this is it).

The following description introduces the main concepts and stages of the Risk Assessment process. Once you have familiarised yourself with this introduction, please see the Risk Assessment Roadmap in the HowTo guide (distributed with Serio products) for a step-by-step guide to implementing the Risk Assessment process using Serio.

1. Identify organisational Items that must be protected from risk. Such Items may include:

  • Key servers or network equipment
  • Key applications, such as web or email servers
  • Information (Virtual) Items, including databases or files containing sensitive information, such as customer records, product specifications, sales data, eMails, etc.
  • Services, such as heating, lighting, power and telecoms.

2. Use your knowledge and experience of your organisation to assign an Organisational Value to these Items. This is a matter of answering the question, "On a scale of, say, 1 to 5, how important is this Item to our organisation, in terms of a loss of availability, confidentiality, or integrity?" A score of 5 indicates the highest Organisational Value.

3. List the Vulnerabilities of these Items. Any aspect of an Item's location, function, use, or characteristics which puts the Item at risk should be counted as a Vulnerability. Assign a Vulnerability Level, on a scale of 1 to 5, to each Vulnerability. (A score of 5 indicates the highest Vulnerability Level.) For example:

  • Exposure of web server to the Internet (4)
  • Mis-configuration of the firewall (3)
  • Positioned underneath the air conditioning water storage tank (3)

4. List the Threats posed to the Items. Theft, breakages, hacking, website defacement, viruses, worms, media failure, and security violations are all examples of Threats that Items may face.

Note: Relationship between Threats and Vulnerabilities

There is a link between Vulnerabilities and Threats.

For example, the fact that a laptop is portable (Vulnerability) exposes it to the possibility of theft and breakage (Threats). If a computer's operating system is misconfigured (Vulnerability), it may be threatened by viruses, worms, or unauthorised access (Threats).

Identification of Threats and Vulnerabilities is an iterative process: discovering Threats may lead you to identify Vulnerabilities, and these in turn may reveal further Threats, etc.

5. For each Item, assign a Threat Level, on a scale of 1 to 5, to each of the Threats that you have identified. (A score of 5 indicates the highest level of Threat.)

Two Items may face a Threat at an equal Threat Level. For example, two servers may be equally threatened by hard disk failure. However, where one of the Items is more valuable to your organisation than the other, the Threat to the more valuable Item is clearly more important. To reflect this, Serio calculates the Risk Level associated with a Threat according to the following formula (so Risk Levels range from 1 to 25; note that the Vulnerability Level does not enter the formula, and Vulnerabilities are instead reported on separately, as described in step 6):

Risk Level of Threat = Organisational Value of Item x Threat Level

For example,

  • Web Site (Organisational Value = 4)
  • Defacement Threat (Threat Level = 4)
  • Risk Level = 4 x 4 = 16.

6. As you gather information about Items, Threats, and Vulnerabilities, you can store it in Serio. You can then use this data to produce reports or to search for Items which are exposed to unacceptable levels of Risk or Vulnerability. This analysis should help you identify Changes that you need to make to your systems to reduce the risks arising from particular Threats or Vulnerabilities.
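The six steps above describe a small data model and one formula. The following Python script, added here as an illustration and not Serio's own code, puts the whole procedure together: Items with an Organisational Value, Vulnerabilities and Threats each scored 1 to 5, Risk Level computed as Organisational Value x Threat Level, and the step 6 searches for Items above a Risk or Vulnerability threshold. The Item names, scores and thresholds are constructed sample data that follow the post's examples; the class and function names are this example's own.

```python
"""Worked example of the Risk Assessment register described in the post.

Added illustration, not Serio code. Organisational Value, Vulnerability Level
and Threat Level are integers 1-5, and Risk Level = Organisational Value x
Threat Level, exactly as the post defines them. All sample data is constructed.
"""
from dataclasses import dataclass, field

LEVEL_MIN, LEVEL_MAX = 1, 5


def _check_level(name, value):
    """Reject anything outside the 1-5 scale so bad data never reaches a report."""
    if not isinstance(value, int) or not LEVEL_MIN <= value <= LEVEL_MAX:
        raise ValueError(f"{name} must be an integer {LEVEL_MIN}-{LEVEL_MAX}, got {value!r}")
    return value


@dataclass(frozen=True)
class Vulnerability:
    description: str
    level: int  # Vulnerability Level (step 3)

    def __post_init__(self):
        _check_level("Vulnerability Level", self.level)


@dataclass(frozen=True)
class Threat:
    description: str
    level: int  # Threat Level (step 5)

    def __post_init__(self):
        _check_level("Threat Level", self.level)


@dataclass
class Item:
    name: str
    organisational_value: int  # step 2
    vulnerabilities: list = field(default_factory=list)
    threats: list = field(default_factory=list)

    def __post_init__(self):
        _check_level("Organisational Value", self.organisational_value)


def risk_level(item, threat):
    """Risk Level of Threat = Organisational Value of Item x Threat Level."""
    return item.organisational_value * threat.level


def risk_register(items):
    """All (item name, threat, risk level) rows, highest risk first."""
    rows = [(i.name, t.description, risk_level(i, t)) for i in items for t in i.threats]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


def items_over_risk(items, threshold):
    """Step 6: Items with at least one Threat at Risk Level >= threshold."""
    return sorted({i.name for i in items for t in i.threats if risk_level(i, t) >= threshold})


def items_over_vulnerability(items, threshold):
    """Step 6: Items with at least one Vulnerability at Level >= threshold."""
    return sorted({i.name for i in items for v in i.vulnerabilities if v.level >= threshold})


def sample_items():
    """Constructed register: two servers share the hard disk failure Threat at
    Level 3, but the more valuable one carries the higher Risk Level."""
    web = Item("Web Site", 4,
               vulnerabilities=[Vulnerability("Exposure of web server to the Internet", 4),
                                Vulnerability("Mis-configuration of the firewall", 3)],
               threats=[Threat("Defacement", 4), Threat("Hard disk failure", 3)])
    file_server = Item("File Server", 2,
                       vulnerabilities=[Vulnerability("Positioned underneath the air conditioning water storage tank", 3)],
                       threats=[Threat("Hard disk failure", 3), Threat("Water damage", 2)])
    laptop = Item("Sales Laptop", 3,
                  vulnerabilities=[Vulnerability("Portable", 4)],
                  threats=[Threat("Theft", 4), Threat("Breakage", 2)])
    return [web, file_server, laptop]


if __name__ == "__main__":
    items = sample_items()
    for name, threat, risk in risk_register(items):
        print(f"{risk:>3}  {name:<12} {threat}")
    print("Items at Risk Level >= 12:", items_over_risk(items, 12))   # assumed threshold
    print("Items with Vulnerability Level >= 4:", items_over_vulnerability(items, 4))
```

Running the script prints the register in descending Risk Level order: Web Site / Defacement scores 16, while the same hard disk failure Threat scores 12 on the Web Site and only 6 on the File Server, which is the point made in step 5. The thresholds of 12 and 4 are assumptions; choose your own cut-offs to match what your organisation considers an unacceptable level.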