Skip Navigation
Chapter 1 Chapter 2 Chapter 3 Chapter 4 Chapter 5 Chapter 6 Chapter 7 Chapter 8 Chapter 9 Chapter 10
Table of Contents Glossary of Terms
CHAPTER 2
Assessing Your Needs
 
 
Illustration of the Cover of Safeguarding Your Technology
   
CHAPTER 2 IN A NUTSHELL:
Introduction to Risk Assessment
Commonly Asked Questions
Components of Risk
Guidelines for Risk Assessment
Closing Thoughts on Risk Assessment
Risk Assessment Checklist
     
Introduction to Risk Assessment
 It can be a risky world out there-a single mistake can get a principal sued, a school board to forbid the exchange of vital education records, or the local legislature to deny technology funding.
What would the damage be to an educational institution if confidential student aptitude information for which it was responsible was lost or misplaced?  Would it cost the organization $2,000 to rekey the information? $20,000 to readminister the tests?  Perhaps $200,000 in settling legal suits?  How about $2,000,000 in technology funding from wary lawmakers who become fearful of entrusting private information about their constituents' children to presumably unsafe record systems?  Estimating the actual dollar figure for every school building, campus, district, and state education agency is well beyond the scope of a single document but it is not outside the realm of issues responsible administrators should be considering in their own organizations.  After all, if the public and its representative governing bodies were to lose confidence in an education organization's ability to protect confidential information, even the most severe estimates of the consequences might not be all that implausible--and a $2,000,000 issue deserves attention.

So, what could cause a multimillion dollar information leak?  An intruder, a negligent operator, or a disgruntled employee?  How about a technological snafu?  Or even a tornado?  A tornado, you ask?  It's possible.  If those ominous winds were to blow in while your guidance staff was reviewing printed copies of confidential files, you could never be quite sure where those records might end up.

Important point How can such a catastrophe be prevented?  In the case of a tornado, it probably can't.  But like other potential troubles, even the devastating effects of a tornado can be minimized through a well-conceived  and properly implemented security policy.  The first phase in more effectively securing your information and equipment begins with a process referred to as risk assessment.  Put simply, risk assessment involves identifying:  

Performing a risk assessment is a lot like the early stages of buying insurance- you shouldn't spend your money on protection unless you know exactly what your needs are.
  • Assets your organization possesses
  • Potential threats to those assets
  • Points in your organization where you may have vulnerabilities to those threats
  • Probabilities of threats striking an organizational vulnerability
  • Cost estimates of losses should a potential threat be realized

Such an endeavor may seem complicated on the surface, but it doesn't have to be.  Risk assessment is a straight-forward process and a most necessary step in decision-making.  By evaluating risk, you are determining your needs so that you don't spend valuable resources on unnecessary safeguards while, at the same time, you don't leave yourself exposed to unprotected loss.

Risk assessment forces an organization to consider the range of potential threats and vulnerabilities it faces.

What will your risk assessment tell you?  Well, since risk assessment is a process and not a product, it depends on your specific situation.  As stated above, it should identify your organization's assets, threats, vulnerabilities, probabilities of incursion, and associated costs.  How can that help you plan security?  It tells you what you have, what it's worth, what to worry about, where you're weak, and why you should be concerned in the first place.

Say, for example, that you realize that the old building in which you store your staff records (an asset) was not constructed with fire-resistant materials in the way you would require for a newly built structure (a vulnerability)-and you also realize that it's conceivable that a fire (a threat) could strike the site (a probability that, while low, is real, and could therefore be estimated).  The question becomes whether you should introduce countermeasures to protect your staff records from a fire.

Knowing what you do about the asset, vulnerability, threat, and probability, the answer then depends upon the cost of replacing that lost asset.  If you are in a very small school, it might be feasible to resurvey your staff to gather lost information at relatively little cost; therefore you could afford to risk the loss of staff records.

In contrast, however, while it might also be possible to resurvey staff in a large state system as well, the associated costs would be much greater-so much so that despite the low probability of a fire damaging your asset (the records), you wouldn't want to accept the risk because it would be far too costly to assume should the threat (the fire) actually strike.  Thus, a small school could theoretically accept the threat of a fire while a large state system should rebuild to meet fire-resistant standards.  Right?  Not so fast-that's not quite the answer.

While it may seem like a valid conclusion given the information presented, other issues must also be considered.  One influencing factor might be that the building in question stores not only staff records, but also  student and fiscal records as well, all of which are maintained on a state-of-the-art computer system.  Suddenly the low cost of resurveying a few teachers doesn't seem like an adequate solution because of the other costs you would likely incur should a fire occur at your site.

  Serious discussions of security issues include terms like threats, vulnerabilities, penetrations, and countermeasures because of their precise meanings.  While such terminology may seem somewhat out of place in an education publication, it's included in this document all the same in an effort to be consistent with accepted security conventions.

Such an analysis of alternative countermeasures illustrates the importance of working from exhaustive lists of assets, threats, and vulnerabilities

Yet another consideration when evaluating the merit of protection plans is the option of alternative solutions.  Yes, rebuilding would be an effective way of protecting your records in the example above, but so might be installing a sprinkler system or training staff to use fire extinguishers.  There is also the option of keeping multiple copies of the information in different locations (known in the technical world as "off-site backups").  That way, the only chance you have of losing your information would be if there was a combination of highly improbable fires that destroyed both the primary site and each backup site.  Supplement this with an insurance policy to replace your equipment, and you have yet another effective but less expensive security alternative to rebuilding.
Important point It is precisely these types of thoughts that the risk-assessment process should elicit.  In fact, a properly executed risk assessment provides decision-makers with a methodical approach to determining security strategies-not based on a sales pitch or gut instinct, but on the concrete, context-specific findings of cost/benefit analysis.
In a world of limited budgets, risk assessment provides an organization with the information it requires to accurately prioritize its needs.  Options for meeting those needs can then be considered, ranked accordingly, and funded to reflect priority.

back to topback to home page

Commonly Asked Questions
Commonly Asked Questions

Q. Where do I begin to protect information and equipment?
A. The answer to that question can be very straightforward if you know the answers to two related questions: (1) What information and equipment do you want to protect? and (2) What do you want to protect it from?  Drawing conclusions about these important issues can be accomplished most effectively by a systematic approach to determining your assets, threats, and vulnerabilities-a process referred to here as risk assessment.  Risk assessment is a collaborative effort to identify potential threats to your organization's assets, estimate the likelihood of those  threats being realized, and quantify the costs attributable to potential losses.

Q. Why should I worry about all these details when I have far-reaching insurance policies to cover my losses?
A. First of all, many insurance policies cover only tangible assets (e.g., equipment).  As is emphasized throughout this document, however, information is often more valuable than the equipment that is used to access it.  After performing a risk assessment, you will be in a better position to inquire about additional insurance policies to cover your information as well.  You can then make sure that you have insured yourself against reasonably probable, high-cost losses because risk assessment will have helped you determine what they are more likely to be.  Remember, as an educational administrator, you are the expert on your organization, not an insurance agent.  It is your job to know where and why you need insurance coverage-so review all policies after performing your risk assessment.  Don't pay for insurance you don't need and make sure that you have those policies you do need.

Q. Even if my risk assessment identifies real threats and vulnerabilities, how can I possibly deal with them with such a small staff (not to mention budget)?
A. The fewer the resources you have to put into protecting your organization, the more vital the risk assessment process becomes.  Think about it.  If you have unlimited security funding, then you may have enough resources to protect yourself against the entire spectrum of threats.  Having said that, however, it should be noted that even the wealthiest organizations should perform a risk assessment to be sure that they have considered all of their potential threats.  On the other hand, if funds are scarce, you need to perform a risk assessment to accurately prioritize your needs before allotting your limited resources.  In this way, risk assessment provides you with the information needed to address your most pressing needs first and increase the effectiveness of those resources that are at your disposal, whatever they may be.

back to topback to home page


Components of Risk

What is a risk?  For the purpose of information security and this document, a risk is any hazard or danger to which your information or equipment is subject.  Storing an expensive computer within reach of an open window is risky.  Allowing students to have access to computerized grade books might also be considered risky.  But even if you now know what a risk is, the question of what is at risk still remains-and the answer is your assets.

Assets

An asset is often defined as real property.  This being the case, it's quite probable that your organization's computer equipment is prominently listed on the balance sheets as an asset-a fitting designation, especially considering the large amounts of money that the equipment surely cost.  But recall that the only reason all those dollars were spent on technology in the first place was so that you could manipulate your organization's information more efficiently-information like student academic data, special support service files, staff health records, and organizational financial figures. The equipment is important only because it is the mechanism by which you access the files that are so essential to the operation of the educational enterprise.  Information is the real asset.

Equipment is, of course, very valuable, but never forget that the real asset is the information.


Although there appears to be more threats that come from outside of the organization, internal threats (e.g., authorized users who are either accident-prone, negligent, or criminal) are far more likely to breach system security than external threats.
Threats

It is estimated that as much as 67 percent of networked computers are infected with one form of a virus or another in a given year.3  Even accounting for the growing prevalence of virus threats, more than half of all reported system damage is caused by unintentional employee action-in most cases, simple negligence.  Any such action, actor, or event that contributes to risk is referred to as a threat.

Examples of Threats to an Organization's Assets
Natural Threats
Lightning
Flood
Forest Fire
Dirt
Tornado
Earthquake
Humidity
Rain/Water Damage
Hurricane
Snow/Ice Storm
High Temperatures
Time (Aging Media)
Manmade Threats (Intentional)
Theft
Hacking

Computer Viruses
Vandalism
File Sabotage
Unauthorized Copying
Arson
Wire Taps
Manmade Threats (Unintentional)
Equipment Failure
Spilled Beverages
Computer Viruses
Lost Documentation
Power Fluctuations
User Error
Heating Units
Lost Encryption Keys
Magnetic Fields
Air Conditioning Ducts
Programmer Error
Aging Facilities

As you consider types of potential threats, notice the secondary distinction that becomes relevant in the manmade category between intentional and unintentional threats.  Intentional manmade threats are a source of particular resentment for many people.  After all, why should an organization have to spend its valuable resources on keeping users from willfully causing damage?  The same question can be asked about the need for uninsured motorist insurance, but the results will be the same.  You have to be able to account for people who are unwilling to play by the rules!

Deliberate unauthorized assaults on a system can make sense to potential intruders when two conditions are met:4
  1. The intruder can benefit substantially from the act (i.e., something of value can be gained).
  2. The act requires relatively little effort in comparison with the potential gains.
The message is clear:
    Know the potential value of your information and make penetration more difficult than it's worth.
  Threats and vulnerabilities exist whether you are aware of them or not-risk assessment  helps to inform decision-makers of their presence.
Vulnerabilities

Vulnerabilities refer to points within a system that are open to attack or damage.  What type of attack?  That depends on the threat.  Vulnerabilities are the mechanisms by which threats access your system.  Think of a thief (a threat), for example, who is ready to strike your building (which houses your assets).  An open back window through which that thief might enter the premises is a vulnerability.

Countermeasures

A countermeasure is a step planned and taken in opposition to another act or potential act.  While ultimately aimed at rebuffing threats, countermeasures are often deployed strategically at points of vulnerability, as is the case when a lock (a countermeasure) is installed on a back window through which a thief may try to enter your building (see vulnerabilities above).  Countermeasures are often designed to serve one of the following functions:5

Something you should do
  • Prevention
For example, by initiating backup procedures,  threats are prevented from damaging your lone copy of information in a single event.
  • Deterrence
For example, by training users about the legal consequences of unacceptable use, potential threats who might otherwise consider destructive activities may be deterred.
  • Containment
For example, by segmenting each separate type of  information in your system, even active threats can be limited to the record areas they can find and enter.
  • Detection
For example, by reviewing records of user activity, commonly referred to as audit trails, unwelcome activity can be uncovered.
  • Recovery
For example, by preparing and testing a contingency plan, "lost" systems and "damaged" information can be salvaged (or at least losses and damage can be minimized).

Dealing with Risk

  Options for dealing with risk:
  1. Counter it (an informed decision)
  2. Accept it (also an informed decision)
  3. Ignore it (an uninformed decision and a poor strategy)
Creating a risk-free environment is unrealistic, but instituting a "trusted system" (i.e., one that while not perfect is trustworthy) is possible.6  The reason for this limitation is that you simply cannot counter all risk.  In actuality, countering risk is only one of three potential ways in which to deal with threats and vulnerabilities.  Although it may seem counter-intuitive based on the stated purpose of this document, risk can also be accepted (sometimes a very stable strategy) or ignored (not a good plan under any circumstances).

Under what conditions could accepting risk make sense?  Well, it is theoretically possible that an asteroid could smash into the earth and land, of all places, on your office.  The risk is real, albeit small, and can be estimated as such.  Should you, therefore, endeavor to build a concrete vault two miles beneath the surface of the earth to store backup files of your records, or should you accept the risk of an asteroid strike and figure that your system will be the last of your worries should the event actually occur?  Your risk assessment (see Steps 1-8 below) and common sense will probably tell you that you can safely afford to accept the residual risk of asteroid strikes.  That's right, you don't have to counter any and every risk conceivable, only those it makes sense to address based on the results of your risk assessment.



On the other hand, ignoring risk is not a stable strategy (although it is an all too common practice).  Risks are everywhere.  If you choose not to perform a risk assessment and, instead, simply choose to ignore your risks, they are still there all the same-you just won't be prepared for them.  Thus, despite the fact that it is possible to handle risk in any of the three ways-counter it, accept it, or ignore it--only the first two are stable strategies, and both depend on the results of an accurate risk assessment.

While potential risks should never be ignored, it only makes sense for an organization to focus its attention on those risks that are most likely to affect the system.

back to topback to home page


Guidelines for Risk Assessment

 
 

Something you should do

  You don't want to put a 50-dollar lock on a 20-dollar hammer-unless you're a carpenter and you would lose more than 50-dollars' worth of business in the time it took to replace that 20-dollar tool.
A properly conceived and implemented risk assessment should:7

  • Provide the basis for deciding whether countermeasures are needed

  • Ensure that additional countermeasures counter actual risk

  • Save money that might have been wasted on unnecessary countermeasures

  • Determine whether residual risk (that risk which remains after countermeasures have been introduced) is acceptable

Risk Assessment Outline

The Players: It's a Team Effort

Timing: First Things First Take Stock in What You Have and What It's Worth

Step 1 - Identify Sensitive Information and Critical Systems
Step 2 - Estimate the Value of System Components
Identify Your Potential Threats and Vulnerabilities
Step 3 - Identify Threats
Step 4 - Identify Vulnerabilities
Step 5 - Estimate the Likelihood of a Potential Penetration Becoming an Actual Penetration
Think Through Your Defensive Options
Step 6 - Identify Countermeasures Against Perceived Threats and Vulnerabilities
Step 7 - Estimate Costs of Implementing Countermeasures
Make Informed Decisions
Step 8 - Select Suitable Countermeasures for Implementation


If top educational administrators in an organization don't actively participate in, and outwardly demonstrate their commitment to, the security effort, no one else in the organization will either.
The Players: It's a Team Effort

The process of risk assessment should be initiated and led by the top educational administrators in an organization.  But although the endeavor is captained by chief administrators, feedback from all levels and job categories is required.  At a minimum, information collectors, data providers, data entry staff, and data processors and managers should be involved in the early stages of risk assessment.  In short, more people involved in the brainstorming process results in more ideas being generated.

It Really Happens!

A large and technologically sophisticated school district was having difficulties with the good practice of backing up its networked computer files each night.  It seemed that despite the data manager's best efforts to verify that all of the computer equipment used in the copying process was working properly, one portion or another of the tapes would invariably fail to copy every night-namely, there would always be a "blank spot" on the backup file where nothing had actually been copied.  To make matters more perplexing, the data manager, well-trained in her field, had finally decided to try running the backup procedures in the middle of the work day just to test the equipment.  Surprisingly, after repeated failures in the evenings, the process worked perfectly.  Now thoroughly frustrated by the situation, she decided to stay several hours after work so that she could observe the backup system in action first hand.  Three hours after everyone but the cleaning staff had left for the day, the tapes began the automatic copying process without a hitch.  The data manager monitored the tape speed, the cabling between the computers, and even the room temperature.  In fact, she was so totally engrossed with her inspection of the system that she barely noticed the custodian when he walked into the room and said hello.  The focused woman, somewhat startled by the man, looked up to reply to the greeting-only to see him pulling the backup computer's power cord from the outlet in order to plug in his vacuum cleaner.  "So," she said to herself ironically, "that's why we have such a clean computer room."



While it is never too late to do the right thing, postponing risk assessment invites undue peril and unnecessary liability.
Timing: First Things First
Risk Assessment is a prerequisite for any serious attempt to implement a security policy within an organization.  It's a step that simply cannot be ignored.  After all, unless the organization's needs are first accurately assessed, there is no way of knowing whether financial and staff resources are being wisely invested in security initiatives.

Take Stock of What You Have and What It's Worth
Only careful and collaborative efforts will yield worthwhile results.  Be inclusive, exhaustive, and realistic when documenting your assets.

Step 1 - Identify sensitive information and critical systems:  The goal here is to make a distinction between general information and systems (i.e., that information and those systems that are helpful to your organization as it carries out its mission) and sensitive information and critical systems (i.e., that information and those systems that are private and/or vital to your organization as it carries out its mission).

For example, the computer that houses the "HELP" file for your organization's word processing software is a "general" support component.  While it is most helpful to have access to user HELP when facing a word processing problem, the files themselves are not vital to running a school or school system.  Conversely, the new software that manages a school system's substitute teacher scheduling is vital to the teaching mission.  If it isn't available and working properly, principals could potentially find themselves with classrooms full of students who have no teacher.  And that makes the system "critical" if ever there was one.

Sensitive information is that information which if lost or compromised might negatively affect the owner of the information or require substantial resources to recreate.
  • An example of sensitive information would be personal student or staff records.
Critical systems are those systems or system components (hardware or software) that if lost or compromised would jeopardize the ability of the system to continue processing.
  •  An example of a critical system might be the cabling that links your administrative and instructional computer networks.8

Important point Don't allow yourself to feel restricted when brainstorming-among other pitfalls, avoid working within the paradigm of conventional technical definitions if you feel that they might limit your ability to construct an exhaustive list of your assets.  For instance, when considering critical systems, don't restrict yourself to physical systems, which traditionally require actual hardware connections.  In your organization and information system, perhaps two stand-alone computers in the same room constitute a single system.  Remember, the primary consequence of Step 1 is that all equipment and information identified as being either sensitive or critical needs to be given strong consideration as high priorities on the list of concerns that demand security.  To leave out a component because you didn't think broadly enough leaves the organization vulnerable.

 It must be acknowledged that while even a well-reasoned estimate is little more than an educated guess, it is still a better gauge of reality than wild speculation or, even worse, blatant disregard.

Something you should do

Step 2 - Estimate the value of system components:  Estimating the value of your information system is not always simple, but the task is made more manageable by focusing on the word "estimate."  After all, it may very well be impossible, or at least impractical, to try to derive a precise dollar value for some assets (especially information assets).  Instead, try to calculate a reasonable approximation of the replacement value of each component of the system-both equipment and information.  Be sure to consider the following factors when deriving your estimation:
  • Direct replacement costs of hardware, software, and peripherals (Would there be installation costs? Consultant fees? Necessary upgrades?)

  • Replacement costs of stored information (Would rekeying be necessary? Resurveying?)

  • Costs associated with the disruption of service or other activities (Would you have to pay staff overtime during the recovery period?  What about extra school days at the end of the year to make up for missed time?)

  • Indirect but real costs associated with a loss of public confidence (Would it impede current or future data collection efforts?  What would be the effect on legislative initiatives?)
Again, keep in mind that while the costs of hardware and software tend to be more readily measurable, information costs are very real as well.  You may not be able to call a vendor and say "What is my information worth?" the way you can call your equipment salesperson, but you still have to ask yourself "What is it worth to my organization?" Estimates of these costs, no matter how rough, give you a more accurate sense of the true value of important information assets.
Remember that people often rely on information in their school records for their entire lives-to get jobs, to apply to schools, and to verify age and credentials.  Dollars and cents may be a poor measure of the value of such information.
One common mistake in this process that can lead to serious flaws in assessment results is when you focus on only the sensitive and critical segments (as identified in Step 1) when estimating the value of an information system. While identifying sensitive information and critical systems is necessary for setting priorities, all information has value and requires attention in this step.  If it doesn't, the information's overall utility should be reconsidered.  After all, if it isn't valuable enough to recover or rekey upon being damaged (which requires a cost that can be estimated), what purpose could it possibly be serving?

If information isn't valuable enough to warrant consideration of its protection and recovery, can it be valuable enough to warrant precious disk space in the first place?

Identify Your Potential Threats and Vulnerabilities
How do you identify threats and vulnerabilities?  In a word: Brainstorm!  No idea about potential threats or vulnerabilities is unimportant.  However, keep in mind that management has a very limited perspective on information and system use.  Maximize the resources at your disposal by including representatives from all organizational levels and duty types in the brainstorming effort.  After all, you don't want that cleaning staff left out when they might be the only people on duty to protect equipment and information after hours.  Nor do you want to exclude those library assistants who oversee the computers your students use to log on to the Internet.  Always keep an open mind to what your users have to say.

Step 3 - Identify threats:  What actors, actions, or events threaten your system?  Refer to the examples on page 15 before creating an exhaustive list through a collaborative brainstorming process.  Be sure to consider the following types of threats:

  • Natural (e.g., fire, flood, lightning, and humidity)
  • Manmade unintentional (e.g., negligence and accidents)
  • Manmade intentional (e.g., hackers and viruses)

Step 4 - Identify vulnerabilities:  Where is your system susceptible?  Consider vulnerabilities to natural threats and both intentional and unintentional manmade threats as identified in Step 3.  Also look at other examples of threats, as listed on page 15, to see if any new ideas are triggered.  After this initial brainstorming, organize the list of vulnerabilities you've generated into categories such as the following and then once again see if additional thoughts come to mind:

  • Physical concerns (e.g., room access, building construction, and climate)
  • Hardware- and software-related issues (e.g., equipment, programs, and compatibility)
  • Media liabilities (e.g., disks, tapes, hard drives, and print copies)
  • Communications (e.g., access points and encryption)
  • Human concerns (e.g., personnel and office behavior)

Where Is Your Office Vulnerable?
The following happens in the typical office quite frequently:
  • A door is propped open and doesn't have a lock (see Chapter 5).
  • A cup of coffee is set on a computer case (see Chapter 5).
  • A computer monitor sits within plain sight and easy reach of a window (see Chapter 5).
  • Wiring is in the way of foot traffic (see Chapter 5).
  • Equipment is plugged into wall sockets without a surge protector (see Chapter 5).
  • Outlets are overloaded (see Chapter 5).
  • Backup files are stored in the same room as the original files (see Chapter 6).
  • Floppy disks are shared haphazardly and are not labeled (see Chapter 6).
  • Someone's password is written and posted on their monitor (see Chapter 8).
  • A computer is logged on but has been left unattended (see Chapter 8).
Is any of this happening in your office?
If it is, your system is vulnerable!

Step 5 - Estimate the likelihood of a potential penetration becoming an actual penetration:  What is the probability of a threat capitalizing on a vulnerability?  As difficult as answering such a question might appear to be, you don't have to be able to predict the future in order to generate reasonable probabilities of future events.  Use logic, as possible, to support your estimates.  For example, for an institution located along the Mississippi River, earthquakes and floods are threats that are within the realm of possibility, but logic will tell you that the site is probably much more susceptible to floods.  Using flood histories, the likelihood of the next 100-year flood can be estimated.  Similarly, by researching earthquake data, you can estimate the likelihood of earthquakes as well.

Think Through Your Defensive Options


For recommended countermeasure options, see Chapter 5 (Physical Security), Chapter 6 (Information Security), Chapter 7 (Software Security), Chapter 8 (User Security), and Chapter 9 (Network Security).

Step 6 - Identify countermeasures against perceived threats and vulnerabilities:  This step parallels Steps 3 and 4 in that its purpose is to generate an exhaustive list of ideas-this time potential solutions to the concerns caused by your identified threats and vulnerabilities.  When considering options, be sure to keep in mind that many threats and vulnerabilities can be addressed by more than one countermeasure.  A potential thief, for example, could be thwarted by better locks, video cameras and other electronic surveillance, or even trained security patrol officers.  Step 6 focuses on generating a list of such options for each perceived threat and vulnerability, not in selecting what appears to be the preferred option.  That is attempted only after an exhaustive list is finalized and costs/benefits are considered.  Issues to consider when brainstorming potential countermeasures include:

  • Physical security equipment and procedures-location and environmental strategies such as climate monitors, required building specifications, and regulations governing room access and food and beverage use

  • Information security practices-storage and use regulations such as labeling and write-protecting files

  • Software security techniques-purchasing and programming concerns such as copyright infringements and proper documentation

  • User access controls-data and system access issues, including log-in and password protection

  • Networking security initiatives-connectivity issues like firewalls and encryption strategies
A big screen television is nice, but not if it's in a room that is 8 feet wide by 9 feet long.  So, too, must countermeasure solutions be compatible with an organization's environment in order to be effective.

Estimates should account for both start-up and maintenance costs.
 
Step 7 - Estimate costs of implementing countermeasures:  This step entails determining the costs associated with countermeasures identified in Step 6.  Remember that the vast majority of costs are twofold: initial and ongoing.  Be certain to consider all of the following factors:

  • Both money and time for research, development, procurement, installation, and maintenance of security features

  • Staff training time-the costs are real and absolutely necessary

  • Altered productivity (e.g., having each employee spend one minute using a virus scanner three times each day may amount to only three minutes of work time per day, but when calculated for the entire organization and compounded by a host of other possible security activities, such seemingly insignificant costs can add up)

  • Countermeasures already available to the organization that may require less investment to institute (e.g., if your accounting office currently uses certain security procedures, there may be fewer training costs because you already have a core of people who can share their expertise)

It Really Happens!

The local elementary school decided to purchase five new computers for its media center--no small investment considering its limited technology budget. Mr. Watkins, the librarian, would supervise their use and was in charge of the acquisition. He went down to the computer store to inspect the merchandise one last time before making a final commitment. While he was there, he bumped into the salesperson who had so ably advised him throughout the selection process. As they chatted, Mr. Watkins mentioned that he was very excited about the purchase, but also a bit nervous. "I've never had to run a computer lab before," he admitted. "In truth, I bet that the students know more about these computers than I do." The salesperson, with the best of intentions, mentioned that the store offered a service package that provided on-site maintenance on equipment they sold for only $100 per piece per year. Mr. Watkins immediately agreed to order the package, deciding that it was a waste to spend all that money on the equipment in the first place if he was not properly trained to keep the machines up-and-running. Privately, he absolutely dreaded the thought of having kids running through-out the lab with nothing to do as he tried to tinker with the complicated equipment in vain.

Two months later, after the new computers had been purchased and installed, Mr. Watkins noticed that one of the monitors wouldn't turn on properly. Not wanting to push a panic button, he called the building custodian to check the outlet. "Nah, it's not the power," the custodian reported. "We'd better get the guys from central office down here." Mr. Watkins looked at him with surprise, "Why would we bother them when I have a service contract from the store where I bought the monitor?" At that point, two months after an extra $500 had been spent on maintenance contracts, Mr. Watkins finally found out that the school district serviced instructional equipment at no cost to the schools. "Wow," he thought as he looked with despair at the service contract he had purchased without much consideration, "what a waste of money!"


 
 Recognize that because of the gray areas associated with estimating the value of information and the likelihood of threat incidents, risk assessment is not an exact science- don't be afraid to leave yourself some room to adjust your findings so that you can accommodate good, old-fashioned common sense.
Make Informed Decisions

Step 8 - Select suitable countermeasures for implementation:  In Step 8, it's finally time to decide which countermeasures make the most sense to implement.  Remember that there will probably be more than one countermeasure that can protect your system from any given threat or vulnerability, so you have some choices.  Your job is to determine which strategy makes the most sense from a cost/benefit perspective.  This can be accomplished by comparing your estimated costs of potential losses for a given period of time (Steps 2-5) with actual security costs that would be incurred when preventing such a loss for the same period of time (Step 7).

A desired level of risk reduction is achieved when further reduction would cost more than the benefits gained.

Important Point One way to decrease your actual security costs is to keep in mind that a single countermeasure can actually serve as a solution to multiple threats and vulnerabilities.  An example of this is when security officers who protect your most sensitive areas serve as a countermeasure to both external intruders and potentially misguided staff.  Such a compromise solution is really no compromise at all-two potential threats are being countered for the price of one.  In effect, you're getting twice the protection for the cost of a single countermeasure!

back to topback to home page

Imporant Point Closing Thoughts on Risk Assessment

Once you determine your needs and priorities through the above eight steps, you can then make security decisions based on concrete information.  Sales pitches from vendors and gut instinct on the part of well-intentioned, but perhaps uninformed, staff need no longer serve as reasons for making security policy when competent administrators are armed with the information required to make rational, valid decisions.

It should be emphasized that decision-makers must be involved in the entire process of risk assessment.  Should, instead, they rely simply upon cost/benefit analysis without being aware of other important factors that might have been uncovered in the process, they might not make a completely informed decision.  A good example of this would be if it was determined in Step 1 that some of the student information on a computer was actually sensitive.  As discussed throughout this document, those confidential records would need to be protected regardless of cost/benefit analysis because of the various laws in place that mandate protection of student and family education records.  Not knowing this important fact could, in such an instance, lead to disastrous results for the organization and its students!

An exception to the rule: Failure to introduce risk reduction cannot be justified by cost/benefit analysis if there are compelling non-financial reasons for mandating it (e.g., privacy or appropriate use laws).

back to topback to home page

Risk Assessment Checklist

While it may be tempting to simply refer to the following checklist as your security plan, to do so would limit the effectiveness of the recom-mendations. They are most useful when initiated as part of a larger plan to develop and implement security policy throughout an organization. Other chapters in this document also address ways to customize policy to meet an organization's specific needs- a concept that should not be ignored if you want to maximize the effectiveness of any given guideline.

Security Checklist for Chapter 2
The brevity of a checklist can be helpful, but it in no way makes up for the detail of the text.

Check Points
for Risk Assessment
  1. Is the process of risk assessment being championed by a top-level decision-maker?
      Click here
  1. Is feedback being elicited from representatives of all user types?
      Click here
  1. Have sensitive information and critical systems been identified (Step 1)?
      Click here
  1. Has the value of all system components (not just sensitive information and critical systems) been estimated (Step 2)?
      Click here
  1. Has an exhaustive list of potential threats been generated (Step 3)?
      Click here
  1. Has an exhaustive list of vulnerabilities been generated (Step 4)?
      Click here
  1. Has the likelihood of a potential penetration becoming an actual penetration been estimated (Step 5)?
      Click here
  1. Has an exhaustive list of countermeasures to identified threats and vulnerabilities been generated (Step 6)?
      Click here
  1. Have the costs of implementing identified countermeasures been estimated (Step 7)?
      Click here
  1. Have suitable countermeasures been selected for implementation (Step 8)?
      Click here

Quote- An ounce of prevention is worth a pound of cure. (source unknown)  

back to topback to home page
back to previous chapternext chapter