Information Security Journal: A Global Perspective
Publication details, including instructions for authors and subscription information: http://www.informaworld.com/smpp/title~content=t768221795
Publisher: Taylor & Francis. Informa Ltd, registered in England and Wales, registered number 1072954; registered office: Mortimer House, 37-41 Mortimer Street, London W1T 3JH, UK.

Effectiveness of Security Control Risk Assessments for Enterprises: Assess on the Business Perspective of Security Risks
Satyanandan B. Atyam, MindTree Ltd., Bangalore, India
Online publication date: 19 November 2010

To cite this article: Atyam, Satyanandan B. (2010) 'Effectiveness of Security Control Risk Assessments for Enterprises: Assess on the Business Perspective of Security Risks', Information Security Journal: A Global Perspective, 19: 6, 343–350. DOI: 10.1080/19393555.2010.514892. URL: http://dx.doi.org/10.1080/19393555.2010.514892
Information Security Journal: A Global Perspective, 19:343–350, 2010. Copyright © Taylor & Francis Group, LLC. ISSN: 1939-3555 print / 1939-3547 online. DOI: 10.1080/19393555.2010.514892

Effectiveness of Security Control Risk Assessments for Enterprises: Assess on the Business Perspective of Security Risks

Satyanandan B. Atyam, MindTree Ltd., Bangalore, India

ABSTRACT Today's businesses being IT enabled, the complexity of risks affecting the business has increased manifold, and the need to gauge the Information Technology risks acting on the business operations has become paramount. The business managers who run business operations need to operate securely and seamlessly, leveraging Information Technology, with the ability to recover and resume the business without any loss of confidentiality, integrity and availability of business information/data in the event of a security incident. There is a need to quantify the impact of the IT security risk on the critical business processes and provide the business-level insight at the management level. It is critical to classify the Risk Ratings as per the impact on the business operations. This approach allows the organizations to understand and prioritize the security risk management activities that make the most sense for their organization to secure the business operations, instead of trying to protect against every conceivable threat.

KEYWORDS Business Impact, Security Risk, Type I Controls, Type II Controls, Risk Assessment, Access Control, IT Controls, PCI DSS, ISO 17799, NIST, Stock Exchange

Address correspondence to Satyanandan B. Atyam, Flat No B 204, Purvankara Sunshine Appts, Sarjapur Road, Bangalore, India. E-mail: [email protected]
DEFINITIONS, ABBREVIATION, ACRONYMS & TERMINOLOGY

The terms in use in the document are explained below:

Acronym: Description
FTP: File Transfer Protocol
PCI-DSS: Payment Card Industry and Data Security Standards
NIST: National Institute of Standards and Technology
HO: Head Office
Business Operations: The operations of business which use technology to enable the business processes.
EOD: End of Day
EDI: Electronic Data Interchange
VSAT: Very Small Aperture Terminal
Downloaded By: [Atyam, satyanandan B.] At: 14:40 15 March 2011
The complexity of risks affecting today's information technology-enabled businesses has increased significantly. As technology is an interfacing point for the exchange of information/data with entities and people, there is a need to build controls into the technological components and at each of these interfacing points to ensure that sensitive business information/data are handled appropriately. Hence, the need to gauge the information security risks acting on the IT and business operations has become paramount.

The need of any business operation is to operate securely and seamlessly, leveraging information technology and, in the event of a security incident, to recover and resume without any loss of confidentiality, integrity, and availability of business information/data. The business managers who run business operations are looking at containing the risks associated with information technology. They need to quantify the impact of the information security risk on the critical business processes and provide the business-level insight at the management level. Hence, there is a pressing need to give the business managers the business perspective of the security technology risks prevailing in the organization's business operations.

The priority is to have the right security posture with appropriate technological solutions on the IT landscape. Once there is assurance that the right solutions are implemented for a secure posture, the focus will be on the effectiveness of the implemented technological solutions. Business managers will prioritize assessing the vulnerability in the configuration of technological solutions once there is an assurance that the required technological solutions exist for an effective security posture.
BUSINESS AND TECHNOLOGY CENTRIC SECURITY

Customers require solutions for two requirements:

• Protect the FORTRESS (business operations) and bolster the defenses with the required FACADES (technology solutions).
• Strengthen the FAÇADE (technology solutions) for any weakness in its effectiveness.

There are two types of gaps in security controls, based on the above requirements:

• Type I: Technological solution to be deployed for business information/data controls: The business rationale of controls at any of the information/data interfacing points needs to be understood, and the technology should be viewed as an enabler/solution provider.
• Type II: Vulnerabilities in the technology implemented which can be exploited: The technological vulnerabilities that exist which make the solution's effectiveness less reliable.

The relevant business controls should be audited from the perspective of the presence of technology solutions (Type I) and the effectiveness of the technological solution (Type II). It is imperative that both aspects are covered in the assessments, as this gives the customer a comprehensive view of the security of the business operations.
APPROACH: RISK ASSESSMENTS

Risk assessments are the first step in determining how to safeguard enterprise assets and reduce the probability that those assets will be compromised. A phased approach to risk assessment is recommended.

Phase I: Business & Technology landscape overview, includes the following steps:

• Identify the business services
• Understand the business operations
• Understand the application landscape
• Understand the network and server infrastructure landscape

Phase II involves developing the business information/data flow:

• On the physical infra landscape
• On the logical application landscape

Phase III involves identifying the business controls required by business managers. This will be in accordance with the requirements for data protection.

Phase IV involves identifying the weakness in controls for IT landscape audits, including applications and infrastructure.

Phase V assesses the weakness in control, and involves assessing the business impact of risk and the prioritization of remediation for the business.

Phase VI includes recommendations for the risk treatment and implementation plan.
RISK PROFILING: BUSINESS DRIVEN TECHNOLOGICAL CONTROLS

The business operations of any company, regardless of its size, are supported by the IT operations, which need to operate at an acceptable level of security. The business threats shall trigger the need for establishing the technological controls at the various interfaces. The business operations for a typical stock exchange may comprise the following:

• Trading front office
• Trading back office
• Collateral operations
• Clearing operations
• Settlement operations
• Risk management

The stock exchange business operations consist of trading, clearing, settlement, and risk management functions, which are technology enabled. These functions are core to the stock exchange operations and need to have strong IT controls. If any technology vulnerability is exploited, it may lead to exposure that may affect the business.

The business requirements will drive certain controls for the above listed business operations, which are implemented through technology.

A clearly articulated business requirement for data security will give inputs on the controls that need to be built upon with technology. This will give inputs on the technological solutions (Type I controls) that need to be implemented.

"For the stock exchange operations, the need to secure the Very Small Aperture Terminal (VSAT) connectivity for access to the trading terminal by the brokers from the remote locations is a business requirement."

"For a retail setup with multi-location, geographically spread users accessing the business applications which have the critical business data, the solution for identity and access management becomes a business requirement."

Lack of implemented technological solutions will be classified as vulnerabilities. The business impact can be determined upon assessment of the vulnerabilities and the probability of a threat exploiting the identified vulnerabilities.

The typical representation of risk profiling of the Type I IT controls for the security control risk assessment is depicted in Figure 1.

The X axis in Figure 1 represents the "Type I" IT controls that can be used as a parameter to detect any vulnerability and measure the corresponding risk in the IT operations. The number of identified risks is represented on the Y axis. The Y axis is a pure number that indicates the number of risks found for the corresponding Type I IT control. The risks are categorized as high, medium, and low, with the qualitative definition as mentioned in Table 1.
The risk profiling of Type I IT controls shown in Figure 1 can be appreciated by a detailed understanding of any one control mapped to the business operations. Let us take "Access Control" as a requirement for a retail business environment, which is critical from the business perspective of ensuring that the risks of unauthorized access and modification of business-critical data are minimum and controlled.

FIGURE 1 Risk profiling of "Type I" IT controls: control risk assessments.

TABLE 1 Risk Categorization

RISK = IMPACT ∗ PROBABILITY

Risk     Definition
High     Undesirable and requires immediate attention; controls to be implemented immediately
Medium   Undesirable and requires corrective action, but some management discretion is allowed
Low      Acceptable, but with management review
Access Control

Retail businesses have distributed business and IT operations (e.g., head office and branch network), with the users accessing the varied business-critical information systems/applications. User access should be based on least privilege or be consistent with job function. There is a need to provide escalated privileges to resources at various instances and, hence, controls need to be built in to establish accountability. This is critical with change of roles/branch transfers/department transfers/privilege escalation requirements/folder access changes/new users, and so forth. The controls risk assessments should cover the risks that may prevail in each business aspect of identity management. The quantitative metric is detailed in Table 2.

TABLE 2 Quantitative Metric: Access Control

IT control parameters                     Sample size of auditable instances   No. of instances of non-conformity observed
Access rights review                      10                                   2
Password management                       10                                   3
Segregation of duties                     10                                   4
System configuration                      10                                   1
User connectivity                         10                                   8
User profiles                             10                                   6
Privilege management                      10                                   9
Clear screen                              10                                   2
Session time outs                         10                                   3
Log-on procedure                          10                                   9
User identification and authentication    10                                   4
Limitation of connection time             10                                   1
Sensitive system isolation                10                                   6
Figure 2 depicts the as-is metrics of implemented technological controls against the desired state of configurations for systems and applications across an enterprise. For a given sample size of assets, the metrics give the quantitative representation of the gaps. The metric of 10 represents the degree of weakness of controls across the asset profile in the enterprise. The parameters are depicted in Figure 2.

FIGURE 2 Risk profiling: access control.

Business Impacts of the Risks Under Each Control

For each control parameter, the risks and control applicability for a typical distributed IT operation (home office and branch network) of a retail business with the users accessing the varied information are depicted in Table 3. These are representative sets of control parameters and risks, which may be contextual to a particular environment of the organization.

TABLE 3 Business Impact of Risks

Columns: Control; Threat; Vulnerability; Impact severity (I); Probability of threat occurrence (O); Risk priority (R), R = I ∗ O; Control applicability: business impact.

Access Rights Review
  Threat: Unauthorized access; security failure
  Vulnerability: Review of user access levels in systems (transaction processing applications) is not carried out on a periodic basis.
  I / O / R: Medium / Medium / Medium
  Control applicability: In the distributed business and IT operations (home office and branch network), with the users accessing the varied information systems, the control to establish accountability to ensure that required users have the right permissions is a priority. This is critical with change of roles/branch transfers/department transfers/privilege escalation requirements/folder access changes/new joinees, etc.

Password Management
  Threat: Unauthorized access; security failures
  Vulnerability: Large number of active users on systems; systems having default passwords.
  I / O / R: High / High / High
  Control applicability: The requirement of the users (business and IT) to follow good security practices (as a part of the organization's acceptable user practice) so that the potential for unauthorized access to the information does not happen, and to establish accountability on access to various information resources in the organization. To prevent misuse of information processing facilities.

Segregation of Duties
  Threat: Unauthorized access; unauthorized modification
  Vulnerability: There is improper segregation of duties among the IT Infra and the Applications Group for the system administrator activities. There are occasions when the system administration activity is driven by application groups.
  I / O / R: High / Medium / Medium
  Control applicability: Roles & responsibilities need to be properly segregated to prevent frauds, establish clear ownership and accountability, and achieve effective control over operations.

System Configuration
  Threat: Unauthorized access; unauthorized modification
  Vulnerability: The system configuration is inadequate and puts restrictions on the type of programs that can be loaded on the system. This, in conjunction with improper privilege escalation configurations, leaves the system highly insecure.
  I / O / R: High / Low / Medium
  Control applicability: The quantum of system development lifecycle activity happening for the new business requirements for the critical transaction processing systems handling sensitive business data makes it necessary to bring in the secure configuration settings to ensure the programs in production are controlled.

User Connectivity
  Threat: Unauthorized access
  Vulnerability: The users log on to the system using the client access. The FTP from this has not been disabled.
  I / O / R: Medium / Low / Low
  Control applicability: The sensitive business data can be FTP'd to a local machine if such vulnerabilities are not plugged.

User Profiles
  Threat: Lack of accountability
  Vulnerability: Many profiles have the security administrator and security officer privileges in the production environments.
  I / O / R: Medium / Low / Low
  Control applicability: To establish accountability on access to various information resources in the organization. The unique user registration shall enable the traceability of the user activities, which is a priority in the information system environment.

Privilege Management
  Threat: Data exposure; unauthorized access
  Vulnerability: Some of the group profiles are having password sign-on. Direct login through group profiles is possible to systems.
  I / O / R: High / Low / Medium
  Control applicability: The business and technology operations have a need to provide escalated privileges to resources at various instances, and the controls need to be built in to establish accountability on access to various information resources.

Clear Screen
  Threat: Data exposure; unauthorized access
  Vulnerability: The desktops of system and network administrators do not have the automatic screen lockout policy defined.
  I / O / R: Medium / Medium / Medium
  Control applicability: Unauthorized access can occur, and there can be unauthorized modification and disruption of the infrastructure components.

Session Time Outs
  Threat: Data exposure; unauthorized access
  Vulnerability: The session inactivity has been configured as 60 minutes.
  I / O / R: Medium / Medium / Medium
  Control applicability: The time-out delay is not reflecting the security risks of the area, the classification of the information being handled and the applications being used, and the risks related to the users of the equipment. A time-out facility should clear the session screen and also, possibly later, close both application and network sessions after a defined period of inactivity.

Log On Procedures
  Threat: Data exposure; unauthorized access
  Vulnerability: Anyone else who gets access to the system can log on to the mainframe system if the user has logged in once before. Bypass is allowed.
  I / O / R: High / High / High
  Control applicability: In the distributed business and IT operations (home office and branch network), with the users accessing the business-critical transaction-based information systems, ensuring accountability that required users have the access privileges is a priority.

User Identification and Authentication
  Threat: Data exposure; unauthorized access
  Vulnerability: There are weak authentication mechanisms in place for access through wireless access points.
  I / O / R: High / High / High
  Control applicability: This weakness in the authentication mechanism may lead to unauthorized access, and the LAN network may lie exposed.

Limitation of Connection Time
  Threat: Data exposure; loss of data integrity
  Vulnerability: With distributed applications processing the business data, the consolidation of the data from the distributed databases into the central database happens continuously at any point of the day.
  I / O / R: High / High / High
  Control applicability: This being not an end-of-day activity, there is a risk of the data at the central d/b not reflecting the actual status if the synchronization processes are initiated any time during the day.

Sensitive System Isolation
  Threat: Data exposure
  Vulnerability: The Electronic Data Interchange (EDI) request of orders is made from a system which is NOT physically and logically separated from the other systems.
  I / O / R: High / Medium / High
  Control applicability: When a sensitive application is to run in a shared environment, the application systems with which it will share resources and the corresponding risks should be identified and accepted by the owner of the sensitive application. As the business data is being handled, the impact of data compromise is critical.
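To make the scoring behind Tables 1 to 3 concrete, here is an added worked example in Python (not code from the paper or from MindTree) that applies RISK = IMPACT ∗ PROBABILITY to the Table 3 ratings, turns the Table 2 non-conformity counts into gap rates, and ranks the controls as a Phase V remediation backlog. The ordinal scale, the band thresholds and all function names are assumptions; note that Table 3 itself rates one High/Medium pair (segregation of duties) as Medium and another (sensitive system isolation) as High, so any fixed banding reproduces only one of the two.

```python
from collections import Counter

# Ordinal scale for the qualitative levels of Table 1 (assumed mapping).
LEVELS = {"Low": 1, "Medium": 2, "High": 3}

# Table 2 values from the paper: control -> (sample size, non-conformities).
TABLE_2 = {
    "Access rights review": (10, 2),
    "Password management": (10, 3),
    "Segregation of duties": (10, 4),
    "System configuration": (10, 1),
    "User connectivity": (10, 8),
    "User profiles": (10, 6),
    "Privilege management": (10, 9),
    "Clear screen": (10, 2),
    "Session time outs": (10, 3),
    "Log-on procedure": (10, 9),
    "User identification and authentication": (10, 4),
    "Limitation of connection time": (10, 1),
    "Sensitive system isolation": (10, 6),
}

# Table 3 values from the paper: control -> (impact severity I, probability O).
TABLE_3 = {
    "Access rights review": ("Medium", "Medium"),
    "Password management": ("High", "High"),
    "Segregation of duties": ("High", "Medium"),
    "System configuration": ("High", "Low"),
    "User connectivity": ("Medium", "Low"),
    "User profiles": ("Medium", "Low"),
    "Privilege management": ("High", "Low"),
    "Clear screen": ("Medium", "Medium"),
    "Session time outs": ("Medium", "Medium"),
    "Log-on procedure": ("High", "High"),
    "User identification and authentication": ("High", "High"),
    "Limitation of connection time": ("High", "High"),
    "Sensitive system isolation": ("High", "Medium"),
}

def risk_priority(impact, probability):
    """Table 1 rule RISK = IMPACT * PROBABILITY on the ordinal scale.
    Banding is assumed: product >= 6 High, 3..5 Medium, otherwise Low."""
    score = LEVELS[impact] * LEVELS[probability]
    if score >= 6:
        return "High"
    return "Medium" if score >= 3 else "Low"

def gap_rate(sample_size, non_conforming):
    """Table 2 metric: share of audited instances that failed the control."""
    if sample_size <= 0:
        raise ValueError("sample size must be positive")
    if not 0 <= non_conforming <= sample_size:
        raise ValueError("non-conforming count must lie within the sample")
    return non_conforming / sample_size

def remediation_order(io_table=TABLE_3, metric_table=TABLE_2):
    """Phase V prioritisation: rank by risk band, then by observed gap rate,
    so the list reads as a remediation backlog (highest priority first)."""
    rows = []
    for control, (impact, prob) in io_table.items():
        sample, bad = metric_table[control]
        rows.append((control, risk_priority(impact, prob), gap_rate(sample, bad)))
    rows.sort(key=lambda r: (-LEVELS[r[1]], -r[2], r[0]))
    return rows

def risk_profile(order=None):
    """Figure 1 style tally of High/Medium/Low ratings across the controls."""
    order = remediation_order() if order is None else order
    return dict(Counter(rating for _, rating, _ in order))

if __name__ == "__main__":
    for control, rating, rate in remediation_order():
        print(f"{rating:6} {rate:4.0%}  {control}")
    print(risk_profile())  # counts per band, as plotted on the Y axis of Figure 1
```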
RISK PROFILING: TECHNOLOGICAL CONTROLS

Risk Assessment for Typical Type II Controls

The weakness in the security controls can be analyzed through a manual review of configurations of devices, supporting documentation, and by running the vulnerability assessment tools for the server and the network infrastructure. The output gives the state of security configurations (known and detected security flaws) in the asset.

The findings from the tools are the baseline configurations. The tools generate the risk rating analysis of the configuration settings. The risk rating may change in the context of the operations and the specific applications environment. This is where the business context has to be brought in and, as per the applications and network landscape in terms of the open ports/services, the risk rating of the vulnerabilities can be reevaluated.

The organizations use varied vulnerability assessment tools for varied requirements of Web application, router specific, data mining, war dialing, and so forth.
CONCLUSION

The above analysis is on the basis of the author's experience in conducting control risk assessments for large enterprises in the banking (financial) and retail sectors internationally. It is critical to classify the risk ratings as per the impact on the business operations. This approach allows the organizations to understand and prioritize the security risk management activities that make the most sense for their organization, instead of trying to protect against every conceivable threat. The team of business managers and the IT team can arrive at the risk and the impact it can have on the business operations. The impact assessment will in turn allow the team to arrive at the level of risk tolerance within an organization.

To perceive business value out of information security consulting projects, the controls risk assessments should be done keeping the business perspective in driving the requirements for securing the enterprise. The ability to value the business impact of the technology vulnerability, without having bias towards the gravity of the technology vulnerability (across tech platforms) in isolation, is critical for clients to accept and find value in the control risk assessment report.

This is a progressive approach to give the organization a roadmap to prioritize their investment planning to address the identified IT pain points (risks) in their business operations.
REFERENCES

AlAboodi, S. (2003, May). Proposal of new approach for assessing the maturity of information security. Master's thesis, Hull University, UK.
Coderre, D. (2005). Global technology audit guide: Continuous auditing: Implications for assurance, monitoring, and risk assessment. IIA.
Government Accounting Office. (1998, May). Information security risk assessment: GAO practices of leading organizations. Supplement to GAO executive guide on information security management.
ISACA. IS auditing procedure: IS risk assessment measurement.
NIST 800-34. Contingency planning guide for information technology systems.
International Organization for Standardization. (2000). ISO 17799. Available from: http://www.iso.org
PCI DSS (Payment Card Industry Data Security Standards) requirements.
Software Engineering Institute (SEI). Octave. Carnegie Mellon University. Available from: http://www.cert.org/octave/
BIOGRAPHY

Satyanandan B. Atyam, Certification CISSP (Certified Information System Security Professional), B.E. (Industrial Engineering), M.M.S. (Finance), CISA (Certified Information System Auditor), PCI DSS Implementer (CPISI), LA ISMS (Information Security Management Systems): ISO 27001, LA BCM: 25999 (Business Continuity Management System), is a business information security, assurance & control professional with seven years of experience. He is working as a senior security consultant with MindTree Ltd., India, where he works with customers in the banking, finance, capital markets, and retail domains to strengthen their information security processes. Prior to this, he worked with National Stock Exchange of India Ltd & ICICI Lombard General Insurance Company Ltd. He explores technology from the business perspective to provide assurance to clients on the presence and effectiveness of the IT controls in the business and IT operations. He is also a specialist in information risk management.