Assets and Risk Management
James D. Stewart
CIS 527, Information Technology Risk Management
Dr. Glen Hines
October 28, 2018
Assets and Risk Management
Risk assessment is about determining what the risks are, where they are, and which are of the most importance. It’s about figuring out how to mitigate the risks to a level that is acceptable for an organization to function at a normal level. Successful risk management involves a great understanding of assets and risks. Identifying vulnerabilities and the threats to assets directly influences the way in which risks are managed. There are different types of assets that need protection and professionals use different risk assessment methods and various approaches to identify threats. It is also important to understand the relationship between access and risk.
Risk Assessment Methodologies
Two main risk assessment methods used in information technology are quantitative and qualitative. A critical factor in choosing a particular methodology is the availability and quality of relevant input data (Nachtigal, 2013). Quantitative analysis requires a lot of data and is an objective method that uses numbers such as dollar values (Gibson, 2015). Qualitative analysis is a subjective method that uses relative values based on expert opinions (Gibson, 2015). Quantitative analysis can therefore take longer than qualitative analysis, which can usually be done much more quickly.
There are many methodologies used for risk assessment. Three popular methodologies, chosen depending on the need and the environment, are the asset audit, the pipeline model, and attack trees (Wee, 2003). An asset audit is simply identifying an organization’s assets and determining whether they are properly protected. This is a fairly easy and straightforward method. With the pipeline model, risks are assessed on a pipeline that consists of the following five components: active processes, communications processes, stable data processes, inquiry processes, and access control processes. Each pipeline is reviewed according to the five components to determine whether the security requirements are met or whether there are vulnerabilities that need to be addressed (Wee, 2003). Attack trees are a bit more advanced and address who, when, how, why and with what probability an attack will happen (Wee, 2003). The tree starts at the top with the goal of an attacker, and the branches depict the different ways that attacks could be carried out to reach that goal.
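To show how the "with what probability" part of an attack tree works in practice, the following is an added illustration (not code from the paper or from Wee, 2003): a small attack tree with OR and AND nodes, a function that combines leaf probabilities up to the attacker's goal, and a function that ranks which single control would reduce the goal probability the most. The tree, its node names and its probabilities are constructed for illustration.

```python
from dataclasses import dataclass, field
from math import prod
from typing import List, Optional, Tuple

@dataclass
class Node:
    """Attack-tree node: leaves carry an estimated probability, inner nodes combine children."""
    name: str
    kind: str = "LEAF"                      # "LEAF", "OR" or "AND"
    prob: float = 0.0                       # used only for leaves
    children: List["Node"] = field(default_factory=list)

def probability(node: Node, mitigated: Optional[str] = None) -> float:
    """Probability that the goal at `node` is reached.
    AND: all children must succeed -> product of their probabilities.
    OR: any child suffices -> 1 - product of (1 - p) over the children.
    The leaf named in `mitigated` is treated as fully controlled (p = 0)."""
    if node.kind == "LEAF":
        return 0.0 if node.name == mitigated else node.prob
    ps = [probability(c, mitigated) for c in node.children]
    if node.kind == "AND":
        return prod(ps)
    return 1.0 - prod(1.0 - p for p in ps)

def leaves(node: Node) -> List[Node]:
    if node.kind == "LEAF":
        return [node]
    return [leaf for c in node.children for leaf in leaves(c)]

def rank_mitigations(root: Node) -> List[Tuple[str, float]]:
    """Drop in goal probability if each leaf were fully mitigated, largest first."""
    base = probability(root)
    gains = [(leaf.name, round(base - probability(root, leaf.name), 4))
             for leaf in leaves(root)]
    return sorted(gains, key=lambda g: g[1], reverse=True)

# Constructed sample tree with illustrative (not measured) probabilities:
# the goal is reached via stolen credentials (either leaf suffices) or via
# an unpatched server that is also reachable through the firewall (both needed).
SAMPLE_TREE = Node("Read customer database", "OR", children=[
    Node("Obtain valid credentials", "OR", children=[
        Node("Weak password guessed", prob=0.30),
        Node("Password phished", prob=0.20)]),
    Node("Reach unpatched server", "AND", children=[
        Node("Server missing patches", prob=0.50),
        Node("Firewall allows access", prob=0.40)])])

if __name__ == "__main__":
    print(f"P(goal) = {probability(SAMPLE_TREE):.3f}")   # 0.552
    for name, gain in rank_mitigations(SAMPLE_TREE):
        print(f"  -{gain:.3f}  mitigate: {name}")
```

The ranking shows the defender's use of the tree: with these constructed values, controlling weak passwords cuts the goal probability more than any single patching or firewall fix, because the credential branch is an OR node that only needs one leaf to succeed.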
A threat is something that is likely to, or has the possibility to, cause damage or danger. The purpose of a threat assessment is to identify threats; the goal is not to identify all threats, but to identify as many as possible. More importantly, it is imperative to identify the most likely threats to focus on. Another area of significance is time. Threats change, so assessments are performed for a certain timeframe and must be re-evaluated, updated and re-run depending on the time and environment. One method of ensuring all threats are addressed is to use the seven domains of a typical information technology (IT) infrastructure, which include the User Domain, Workstation Domain, LAN Domain, LAN-to-WAN Domain, WAN Domain, Remote Access Domain, and System/Application Domain (Gibson, 2015, p. 202). When approaching a threat assessment, there are two key approaches and techniques to use. The first is to review historical data. This involves analyzing past data for a particular organization, for similar organizations and for the local area (Gibson, 2015). The second and more complex approach is to perform threat modeling. Threat modeling is a proactive strategy where the initial approach is from the viewpoint of a hacker or adversary. It’s a hypothetical process where potential threats can be identified, itemized and prioritized. Because threat modeling can be very complex and extensive, it’s often best to limit its scope to certain assets.
Types of Assets
An asset is a thing or person that is useful or of value. Organizations have many types of assets that need to be secured and protected. A business asset is typically property or equipment the business owns in order to run the company. The requirements of daily functionality are an easy and simple way to identify assets. Things like hardware, software, data, and personnel are all examples of assets that require protection. On a broader scope, assets can be broken down into four types: current assets, fixed assets, tangible assets and intangible assets. Current assets are short-term things like cash, or things that can be easily converted into cash. Fixed assets are more long-term and not easily converted to cash, like property, equipment and machinery. Tangible assets are the physical and financial resources of a business such as cash, land, buildings and vehicles. Lastly, intangible assets are not material, but still have value to an organization. Examples of intangible assets include intellectual property, licenses, trade secrets, reputation and brand. Most organizations carry some form of all of these assets, and they must all be protected.
Access and Risk
Access and risk have a close relationship, along with the benefits and tradeoffs of restricting access to an organization’s assets. Authorized access to any information carries some level of risk; unauthorized access can be devastating. Access control can be physical or logical and regulates who can access areas, data and applications in an organization. Personnel should only have access to the applications and information required to do their job. Information that has a higher risk should have a higher level of access control. To mitigate the risks associated with access control, it is necessary to identify the risks associated with access controls and to assess the level of those risks (Singleton, 2010). Tradeoffs include more IT regulation, monitoring and auditing. New hires, terminations, role changes, department changes, promotions and demotions all may require access changes, which can take much effort to maintain in a large organization. Another drawback is monitoring the availability of personnel with specific access. If the person with access to restricted data is unavailable when that data is needed immediately, protocols need to be in place to address these types of situations. IT professionals and security analysts must ensure that access controls are adequate to mitigate the risks associated with access, including limiting the access of legitimate employees to need to know, and mitigating the risk of an unauthorized intrusion (Singleton, 2010).
References
Gibson, D. (2015). Managing risk in information systems (2nd ed.). Burlington, MA: Jones & Bartlett Learning.
Nachtigal, N. M., Fruetel, J. A., Gleason, N. J., Helms, J., Imbro, D. R., & Sumner, M. C. (2013). Analysis of Alternatives for Risk Assessment Methodologies and Tools (SAND2013-8616). Retrieved from Sandia National Laboratories website:
Singleton, T. (2010). Mitigating IT Risks for Logical Access. Retrieved from https://www.isaca.org/Journal/archives/2010/Volume-5/Pages/Mitigating-IT-Risks-for-Logical-Access.aspx
Wee, N. S. (2003, June 29). An Overview of Practical Risk Assessment Methodologies. Retrieved from https://www.giac.org/paper/gsec/3287/overview-practical-risk-