
This article was downloaded by [Atyam, Satyanandan B.] on 15 March 2011. Publisher: Taylor & Francis, Informa Ltd, Registered office: Mortimer House, 37-41 Mortimer Street, London W1T 3JH, UK.

Information Security Journal: A Global Perspective
Publication details, including instructions for authors and subscription information: http://www.informaworld.com/smpp/title~content=t768221795

Effectiveness of Security Control Risk Assessments for Enterprises: Assess on the Business Perspective of Security Risks
Satyanandan B. Atyam, MindTree Ltd., Bangalore, India

Online publication date: 19 November 2010

To cite this article: Atyam, Satyanandan B. (2010) 'Effectiveness of Security Control Risk Assessments for Enterprises: Assess on the Business Perspective of Security Risks', Information Security Journal: A Global Perspective, 19:6, 343-350. DOI: 10.1080/19393555.2010.514892. URL: http://dx.doi.org/10.1080/19393555.2010.514892


Information Security Journal: A Global Perspective, 19:343–350, 2010
Copyright © Taylor & Francis Group, LLC
ISSN: 1939-3555 print / 1939-3547 online
DOI: 10.1080/19393555.2010.514892

Effectiveness of Security Control Risk Assessments for Enterprises: Assess on the Business Perspective of Security Risks

Satyanandan B. Atyam
MindTree Ltd., Bangalore, India

ABSTRACT

With today's businesses being IT enabled, the complexity of the risks affecting the business has increased manifold, and the need to gauge the information technology risks acting on business operations has become paramount. The business managers who run business operations need to operate securely and seamlessly, leveraging information technology, with the ability to recover and resume the business without any loss of confidentiality, integrity, and availability of business information/data in the event of a security incident.

There is a need to quantify the impact of IT security risk on the critical business processes and to provide business-level insight at the management level. It is critical to classify the risk ratings as per the impact on the business operations. This approach allows organizations to understand and prioritize the security risk management activities that make the most sense for securing their business operations, instead of trying to protect against every conceivable threat.

KEYWORDS Business Impact, Security Risk, Type I Controls, Type II Controls, Risk Assessment, Access Control, IT Controls, PCI DSS, ISO 17799, NIST, Stock Exchange

Address correspondence to Satyanandan B. Atyam, Flat No B 204, Purvankara Sunshine Appts, Sarjapur Road, Bangalore, India. E-mail: [email protected]

DEFINITIONS, ABBREVIATIONS, ACRONYMS & TERMINOLOGY

The terms in use in the document are explained below:

Acronym              Description
FTP                  File Transfer Protocol
PCI DSS              Payment Card Industry Data Security Standard
NIST                 National Institute of Standards and Technology
HO                   Head Office
Business Operations  The operations of business which use technology to enable the business processes.
EOD                  End of Day
EDI                  Electronic Data Interchange
VSAT                 Very Small Aperture Terminal


The complexity of the risks affecting today's information technology-enabled businesses has increased significantly. As technology is the interfacing point for the exchange of information/data with entities and people, there is a need to build controls into the technological components and at each of these interfacing points to ensure that sensitive business information/data are handled appropriately. Hence, the need to gauge the information security risks acting on IT and business operations has become paramount.

Any business operation needs to operate securely and seamlessly, leveraging information technology, and, in the event of a security incident, to recover and resume without any loss of confidentiality, integrity, and availability of business information/data. The business managers who run business operations are looking at containing the risks associated with information technology. They need to quantify the impact of information security risk on the critical business processes and provide business-level insight at the management level. Hence, there is a pressing need to give business managers the business perspective of the security technology risks prevailing in the organization's business operations.

The priority is to have the right security posture, with appropriate technological solutions on the IT landscape. Once there is assurance that the right solutions are implemented for a secure posture, the focus shifts to the effectiveness of the implemented technological solutions. Business managers will prioritize assessing vulnerabilities in the configuration of technological solutions once there is assurance that the required technological solutions exist for an effective security posture.

BUSINESS AND TECHNOLOGY CENTRIC SECURITY

Customers require solutions for two requirements:

• Protect the FORTRESS (business operations) and bolster the defenses with the required FACADES (technology solutions).

• Strengthen the FAÇADE (technology solutions) against any weakness in its effectiveness.

There are two types of gaps in security controls, based on the above requirements:

• Type I: Technological solution to be deployed for business information/data controls. The business rationale of the controls at any of the information/data interfacing points needs to be understood, and the technology should be viewed as an enabler/solution provider.

• Type II: Vulnerabilities in the implemented technology which can be exploited. These are the technological vulnerabilities that make the effectiveness of the solution less reliable.

The relevant business controls should be audited from the perspective of the presence of technology solutions (Type I) and the effectiveness of the technological solution (Type II). It is imperative that both aspects are covered in the assessments, as this gives the customer a comprehensive view of the security of the business operations.

APPROACH: RISK ASSESSMENTS

Risk assessments are the first step in determining how to safeguard enterprise assets and reduce the probability that those assets will be compromised. A phased approach to risk assessment is recommended.

Phase I: Business & technology landscape overview, which includes the following steps:

• Identify the business services
• Understand the business operations
• Understand the application landscape
• Understand the network and server infrastructure landscape

Phase II involves developing the business information/data flow:

• On the physical infrastructure landscape
• On the logical application landscape

Phase III involves identifying the business controls required by business managers. This will be in accordance with the requirements for data protection.

Phase IV involves identifying the weaknesses in controls through IT landscape audits, including applications and infrastructure.

Phase V assesses the weaknesses in controls; it involves assessing the business impact of the risks and prioritizing remediation for the business.


Phase VI includes recommendations for the risk treatment and an implementation plan.

RISK PROFILING: BUSINESS DRIVEN TECHNOLOGICAL CONTROLS

The business operations of any company, regardless of its size, are supported by IT operations, which need to operate at an acceptable level of security. The business threats trigger the need for establishing technological controls at the various interfaces. The business operations for a typical stock exchange may comprise the following:

• Trading front office
• Trading back office
• Collateral operations
• Clearing operations
• Settlement operations
• Risk management

The stock exchange business operations consist of trading, clearing, settlement, and risk management functions, which are technology enabled. These functions are core to the stock exchange operations and need to have strong IT controls. If any technology vulnerability is exploited, it may lead to an exposure that affects the business.

The business requirements will drive certain controls for the above listed business operations, which are implemented through technology.

A clearly articulated business requirement for data security will give inputs on the controls that need to be built with technology. This in turn gives inputs on the technological solutions (Type I controls) that need to be implemented.

“For the stock exchange operations, the need to secure the Very Small Aperture Terminal (VSAT) connectivity used by brokers to access the trading terminal from remote locations is a business requirement.”

“For a retail setup with users spread across multiple geographical locations accessing the business applications that hold the critical business data, a solution for identity and access management becomes a business requirement.”

The lack of an implemented technological solution will be classified as a vulnerability. The business impact can be determined upon assessment of the vulnerabilities and of the probability of a threat exploiting the identified vulnerabilities.

A typical representation of the risk profiling of Type I IT controls for the security control risk assessment is depicted in Figure 1.

The X axis in Figure 1 represents the Type I IT controls that can be used as parameters to detect any vulnerability and measure the corresponding risk in the IT operations. The number of identified risks is represented on the Y axis. The Y axis is a pure number that indicates the number of risks found for the corresponding Type I IT control. The risks are categorized as high, medium, and low, with the qualitative definitions given in Table 1.

FIGURE 1 Risk profiling of “Type I” IT controls: control risk assessments.

TABLE 1 Risk Categorization

RISK = IMPACT ∗ PROBABILITY

Risk     Definition
High     Undesirable and requires immediate attention; controls to be implemented immediately
Medium   Undesirable and requires corrective action, but some management discretion is allowed
Low      Acceptable, but with management review

The risk profiling of Type I IT controls shown in Figure 1 can be appreciated by a detailed understanding of any one control mapped to the business operations. Let us take “Access Control” as a requirement for a retail business environment, which is critical from the business perspective of ensuring that the risks of unauthorized access and modification of business-critical data are minimal and controlled.

Access Control

Retail businesses have distributed business and IT operations (e.g., head office and branch network), with users accessing varied business-critical information systems/applications. User access should be based on least privilege or be consistent with job function. There is a need to provide escalated privileges to resources at various instances and, hence, controls need to be built in to establish accountability. This is critical with changes of roles/branch transfers, department transfers, privilege escalation requirements, folder access changes, new users, and so forth. The controls risk assessments should cover the risks that may prevail in each business aspect of identity management. The quantitative metric is detailed in Table 2.

TABLE 2 Quantitative Metric: Access Control

IT control parameters                    Sample size of auditable instances   No. of instances of non-conformity observed
Access rights review                     10                                   2
Password management                      10                                   3
Segregation of duties                    10                                   4
System configuration                     10                                   1
User connectivity                        10                                   8
User profiles                            10                                   6
Privilege management                     10                                   9
Clear screen                             10                                   2
Session time outs                        10                                   3
Log-on procedure                         10                                   9
User identification and authentication   10                                   4
Limitation of connection time            10                                   1
Sensitive system isolation               10                                   6

Figure 2 depicts the as-is metrics of the implemented technological controls against the desired state of configurations for systems and applications across an enterprise. For a given sample size of assets, the metrics give a quantitative representation of the gaps. A metric out of 10 represents the degree of weakness of controls across the asset profile in the enterprise. The parameters are depicted in Figure 2.

FIGURE 2 Risk profiling: access control.

Business Impacts of the Risks Under Each Control

For each control parameter, the risks and control applicability for a typical distributed IT operation (home office and branch network) of a retail business, with users accessing varied information, are depicted in Table 3. These are representative sets of control parameters and risks, which may be contextual to a particular environment of the organization.

TABLE 3 Business Impact of Risks

Columns: Controls; Threat; Vulnerability; Impact severity (I); Probability of threat occurrence (O); Risk priority (R), R = I ∗ O; Control applicability: business impact. Each row below is given as one record, with I / O / R on a single line.

Control: Access rights review
Threat: Unauthorized access; security failure
Vulnerability: Review of user access levels in systems (transaction processing) applications are not carried out on a periodic basis.
I / O / R: Medium / Medium / Medium
Control applicability, business impact: In the distributed business and IT operations (home office and branch network), with the users accessing the varied information systems, the control to establish accountability to ensure that required users have the right permissions is a priority. This is critical with change of roles/branch transfers/department transfers/privilege escalation requirements/folder access changes/new joinees, etc.

Control: Password management
Threat: Unauthorized access; security failures
Vulnerability: Large number of active users on systems; systems having default passwords.
I / O / R: High / High / High
Control applicability, business impact: The requirement of the users (business and IT) to follow good security practices (as a part of the organization's acceptable use practice) so that the potential for unauthorized access to the information does not happen, and to establish accountability on access to various information resources in the organization. To prevent misuse of information processing facilities.

Control: Segregation of duties
Threat: Unauthorized access; unauthorized modification
Vulnerability: There is improper segregation of duties among the IT Infra and the Applications Group for the system administrator activities. There are occasions when the system administration activity is driven by application groups.
I / O / R: High / Medium / Medium
Control applicability, business impact: Roles & responsibilities need to be properly segregated to prevent frauds, establish clear ownership and accountability, and achieve effective control over operations.

Control: System configuration
Threat: Unauthorized access; unauthorized modification
Vulnerability: The system configuration is inadequate and puts restrictions on the type of programs that can be loaded on the system. This, in conjunction with improper privilege escalation configurations, leaves the system highly insecure.
I / O / R: High / Low / Medium
Control applicability, business impact: The quantum of system development lifecycle activity happening for the new business requirements for the critical transaction processing systems handling sensitive business data makes it necessary to bring in the secure configuration settings to ensure the programs in production are controlled.

Control: User connectivity
Threat: Unauthorized access
Vulnerability: The users log on to the system using the client access. FTP from this has not been disabled.
I / O / R: Medium / Low / Low
Control applicability, business impact: The sensitive business data can be transferred by FTP to a local machine if such vulnerabilities are not plugged.

Control: User profiles
Threat: Lack of accountability
Vulnerability: Many profiles have the security administrator and security officer privileges in the production environments.
I / O / R: Medium / Low / Low
Control applicability, business impact: To establish accountability on access to various information resources in the organization. The unique user registration shall enable the traceability of the user activities, which is a priority in the information system environment.

Control: Privilege management
Threat: Data exposure; unauthorized access
Vulnerability: Some of the group profiles are having password sign on. Direct login through group profiles is possible to systems.
I / O / R: High / Low / Medium
Control applicability, business impact: The business and technology operations have a need to provide escalated privileges to resources at various instances, and the controls need to be built in to establish accountability on access to various information resources.

Control: Clear screen
Threat: Data exposure; unauthorized access
Vulnerability: The desktops of system and network administrators do not have the automatic screen lockout policy defined.
I / O / R: Medium / Medium / Medium
Control applicability, business impact: Unauthorized access can occur, and there can be unauthorized modification and disruption of the infrastructure components.

Control: Session time outs
Threat: Data exposure; unauthorized access
Vulnerability: The session inactivity time has been configured as 60 minutes.
I / O / R: Medium / Medium / Medium
Control applicability, business impact: The time-out delay is not reflecting the security risks of the area, the classification of the information being handled and the applications being used, and the risks related to the users of the equipment. A time-out facility should clear the session screen and also, possibly later, close both application and network sessions after a defined period of inactivity.

Control: Log-on procedures
Threat: Data exposure; unauthorized access
Vulnerability: Anyone else who gets access to the system can log on to the mainframe system if the user has logged in once before. Bypass is allowed.
I / O / R: High / High / High
Control applicability, business impact: In the distributed business and IT operations (home office and branch network), with the users accessing the business-critical transaction-based information systems, ensuring accountability that required users have the access privileges is a priority.

Control: User identification and authentication
Threat: Data exposure; unauthorized access
Vulnerability: There are weak authentication mechanisms in place for access through wireless access points.
I / O / R: High / High / High
Control applicability, business impact: This weakness in the authentication mechanism may lead to unauthorized access, and the LAN network may lie exposed.

Control: Limitation of connection time
Threat: Data exposure; loss of data integrity
Vulnerability: With distributed applications processing the business data, the consolidation of the data from the distributed databases into the central database happens continuously at any point of the day.
I / O / R: High / High / High
Control applicability, business impact: This not being an end-of-day activity, there is a risk of the data at the central database not reflecting the actual status if the synchronization processes are initiated at any time during the day.

Control: Sensitive system isolation
Threat: Data exposure
Vulnerability: The Electronic Data Interchange (EDI) request of orders is made from a system which is NOT physically and logically separated from the other systems.
I / O / R: High / Medium / High
Control applicability, business impact: When a sensitive application is to run in a shared environment, the application systems with which it will share resources and the corresponding risks should be identified and accepted by the owner of the sensitive application. As the business data is being handled, the impact of data compromise is critical.
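The R = I ∗ O rule of Table 1 carried through the rows of Table 3 and the non-conformity counts of Table 2, as an added Python example that is not part of the paper. The ordinal scale (High = 3, Medium = 2, Low = 1), the thresholds that map the product back to a level, and the use of the Table 2 gap ratio as a tie-break within a level are assumptions; the paper gives only the qualitative levels.

```python
"""Risk priority (R = I * O) applied to Table 2 and Table 3 of the paper.

Added example, not the paper's own code. The scale High=3, Medium=2, Low=1,
the product thresholds in rate(), and the gap-ratio tie-break are assumptions.
"""
from collections import namedtuple

LEVEL = {"Low": 1, "Medium": 2, "High": 3}


def rate(impact: str, probability: str) -> str:
    """Assumed mapping of the product I * O back onto the Table 1 scale."""
    product = LEVEL[impact] * LEVEL[probability]
    if product >= 6:      # High*High, High*Medium
        return "High"
    if product >= 3:      # High*Low, Medium*Medium
        return "Medium"
    return "Low"          # Medium*Low, Low*Low

# control, I, O and R exactly as printed in Table 3
Finding = namedtuple("Finding", "control impact probability stated")

TABLE3 = [
    Finding("Access rights review", "Medium", "Medium", "Medium"),
    Finding("Password management", "High", "High", "High"),
    Finding("Segregation of duties", "High", "Medium", "Medium"),
    Finding("System configuration", "High", "Low", "Medium"),
    Finding("User connectivity", "Medium", "Low", "Low"),
    Finding("User profiles", "Medium", "Low", "Low"),
    Finding("Privilege management", "High", "Low", "Medium"),
    Finding("Clear screen", "Medium", "Medium", "Medium"),
    Finding("Session time outs", "Medium", "Medium", "Medium"),
    Finding("Log-on procedures", "High", "High", "High"),
    Finding("User identification and authentication", "High", "High", "High"),
    Finding("Limitation of connection time", "High", "High", "High"),
    Finding("Sensitive system isolation", "High", "Medium", "High"),
]

# Table 2: (sample size of auditable instances, non-conformities observed)
TABLE2 = {
    "Access rights review": (10, 2),
    "Password management": (10, 3),
    "Segregation of duties": (10, 4),
    "System configuration": (10, 1),
    "User connectivity": (10, 8),
    "User profiles": (10, 6),
    "Privilege management": (10, 9),
    "Clear screen": (10, 2),
    "Session time outs": (10, 3),
    "Log-on procedures": (10, 9),
    "User identification and authentication": (10, 4),
    "Limitation of connection time": (10, 1),
    "Sensitive system isolation": (10, 6),
}


def gap_ratio(control: str) -> float:
    """Share of audited instances found non-conformant (Table 2 metric)."""
    sample, nonconforming = TABLE2[control]
    return nonconforming / sample


def inconsistent_rows(findings):
    """Controls whose printed R differs from rate(I, O) under the assumed mapping."""
    return [f.control for f in findings if rate(f.impact, f.probability) != f.stated]


def count_by_priority(findings):
    """Number of risks per level: the Y axis of Figure 1 for these rows."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for f in findings:
        counts[f.stated] += 1
    return counts


def remediation_order(findings):
    """Highest stated priority first; within a level, the weakest control (largest gap) first."""
    return sorted(findings, key=lambda f: (LEVEL[f.stated], gap_ratio(f.control)), reverse=True)


if __name__ == "__main__":
    print("risks per level:", count_by_priority(TABLE3))
    print("rows not matching R = I * O:", inconsistent_rows(TABLE3))
    for f in remediation_order(TABLE3):
        print(f"{f.stated:<6} gap={gap_ratio(f.control):.1f}  {f.control}")
```

Under this mapping every printed priority in Table 3 is reproduced except Segregation of duties, where High impact with Medium probability is rated Medium although the same pair is rated High for Sensitive system isolation.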

RISK PROFILING: TECHNOLOGICAL CONTROLS

Risk Assessment for Typical Type II Controls

The weaknesses in the security controls can be analyzed through a manual review of device configurations and supporting documentation, and by running vulnerability assessment tools against the server and network infrastructure. The output gives the state of the security configurations (known and detected security flaws) of the asset.

The findings from the tools are the baseline configurations. The tools generate a risk rating analysis of the configuration settings. The risk rating may change in the context of the operations and the specific applications environment. This is where the business context has to be brought in and, as per the applications and network landscape in terms of open ports/services, the risk rating of the vulnerabilities can be reevaluated.

Organizations use varied vulnerability assessment tools for varied requirements: Web application, router specific, data mining, war dialing, and so forth.

CONCLUSION

The above analysis is on the basis of the author's experience in conducting control risk assessments for large enterprises in the banking (financial) and retail sectors internationally. It is critical to classify the risk ratings as per the impact on the business operations. This approach allows organizations to understand and prioritize the security risk management activities that make the most sense for their organization, instead of trying to protect against every conceivable threat. The team of business managers and the IT team can arrive at the risk and the impact it can have on the business operations. The impact assessment will in turn allow the team to arrive at the level of risk tolerance within the organization.

To perceive business value out of information security consulting projects, the controls risk assessments should be done keeping the business perspective in driving the requirements for securing the enterprise. The ability to value the business impact of a technology vulnerability, without bias towards the gravity of the technology vulnerability (across technology platforms) in isolation, is critical for clients to accept and find value in the control risk assessment report.

This is a progressive approach that gives the organization a roadmap to prioritize its investment planning to address the identified IT pain points (risks) in its business operations.


BIOGRAPHY

Satyanandan B. Atyam, CISSP (Certified Information System Security Professional), B.E. (Industrial Engineering), M.M.S. (Finance), CISA (Certified Information System Auditor), PCI DSS Implementer (CPISI), LA ISMS (Information Security Management Systems): ISO 27001, LA BCM: 25999 (Business Continuity Management System), is a business information security, assurance & control professional with seven years of experience. He is working as a senior security consultant with MindTree Ltd., India, where he works with customers in the banking, finance, capital markets, and retail domains to strengthen their information security processes. Prior to this, he worked with National Stock Exchange of India Ltd & ICICI Lombard General Insurance Company Ltd. He explores technology from the business perspective to provide assurance to clients on the presence and effectiveness of the IT controls in the business and IT operations. He is also a specialist in information risk management.
