PKI Policies and Procedures: Threat and Risk Assessment

The threat and risk assessment template addresses the specific circumstances of your business and its secure operation using a standards-based methodology. The threat and risk assessment document should be updated annually, or any time the security configuration of the system changes. Because the document describes specific vulnerabilities in detail, it is an internal document and should be handled as such.

The methodology used in the template is a four-step industry and government standard, widely adopted as an effective and comprehensive systems approach. Because it is based on risk management, the methodology is flexible enough to be applied to an organization as a whole or to a specific facility, location, branch or program within it.
  • Step One: Preparation. The first step is to identify and categorize the information and assets associated with the business, operation, and system, and to assess the sensitivity of that information and those assets in terms of the security attributes they require. Knowledge of the nature of the business carried out by the organization is necessary to identify the sensitivity, importance and value of the information and assets. A statement of sensitivity identifies the security attributes and analyzes them in the specific context. Security attributes to be considered include: confidentiality, integrity, availability, authentication, non-repudiation, accountability, and reliability. For a PKI system, the information to be protected normally includes root key material, transaction data, authority transactions, user personal information and proprietary information in the business database, certificate information in the CA database, the systems themselves (the components of the PKI and the firewalls), and other system security software and hardware. Information and assets can be categorized and analyzed against the security attributes either qualitatively or quantitatively.

  • Step Two: Threat assessment. All generic threats to sensitive information and assets are considered: disclosure (loss of confidentiality), interruption (loss of non-repudiation, accountability, reliability, and availability), removal (loss of all attributes), modification (loss of integrity, authentication, accountability, reliability), and destruction (loss of all attributes except confidentiality). Each generic threat is then broken down into specific threats and threat agents (the factors or actors that can cause the threat to occur), and for each of these the likelihood of occurrence and the impact if it does occur are assessed.

  • Step Three: Risk assessment. Risk assessment has two subordinate steps. First, the safeguards already in place are reviewed for their effectiveness in deterring or preventing the identified threats. From this review, combined with the threat information, vulnerabilities are identified. A vulnerability is an inherent weakness in the system, a flaw or weakness introduced by the application, or the lack of an appropriate safeguard against an identified threat. Second, based on the vulnerability assessment, the associated risk (likelihood of the threat succeeding combined with its impact) is assessed.

  • Step Four: Recommendations. Recommendations focus on the areas of highest risk; they can also recommend removing or relaxing safeguards whose cost is not justified by the low-risk threats they address. A useful threat and risk assessment gives management a profile of the security status of the facility, program, or system under review. Where possible, it states the resources each recommendation requires, so that management can make informed decisions on security.

    Risk can be mitigated by applying additional safeguards, avoided by curtailing high-risk activities, or accepted. The risk that remains after the recommended safeguards are in place is called residual risk. Management must decide whether the residual risk is acceptable or whether further safeguards are needed to reduce it. In most circumstances, some residual risk is tolerable.
The threat and risk assessment is followed by implementation, monitoring, review, and feedback. It is a continuing process that ensures threats and risks remain known and addressed. A system change, personnel change, site change, or change to system parameters or business operations dictates a review of threats and risks.
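The four steps above, carried through on a small constructed PKI example. This is an added illustration, not SPYRUS code and not part of the template: the 1-5 sensitivity and likelihood scales, the rule that independent safeguards multiply the likelihood they leave behind, the recommendation thresholds, and every asset, threat agent and effectiveness figure are assumptions made for the example. The threat classes and the attributes each defeats are the ones listed in Step Two.

```python
"""Worked threat and risk assessment (added example; not SPYRUS code).

Assumed for illustration: 1-5 scales, multiplicative combination of
independent safeguards, the recommendation thresholds, and all sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ATTRIBUTES = ("confidentiality", "integrity", "availability", "authentication",
              "non_repudiation", "accountability", "reliability")

# Step Two: generic threats and the attributes each one defeats, as listed in
# the methodology (removal loses everything; destruction everything but C).
THREAT_CLASSES: Dict[str, Tuple[str, ...]] = {
    "disclosure": ("confidentiality",),
    "interruption": ("non_repudiation", "accountability", "reliability", "availability"),
    "removal": ATTRIBUTES,
    "modification": ("integrity", "authentication", "accountability", "reliability"),
    "destruction": tuple(a for a in ATTRIBUTES if a != "confidentiality"),
}

@dataclass
class Asset:          # Step One: statement of sensitivity, 1 (low) to 5 (critical) per attribute
    name: str
    sensitivity: Dict[str, int]

@dataclass
class Threat:         # Step Two: a specific threat agent acting on an asset, likelihood 1-5 (assumed scale)
    asset: str
    threat_class: str
    agent: str
    likelihood: int

@dataclass
class Safeguard:      # Step Three: safeguard in place; effectiveness = fraction of likelihood it removes
    asset: str
    threat_class: str
    name: str
    effectiveness: float

@dataclass
class RiskEntry:      # one row of the resulting risk register
    threat: Threat
    impact: int
    inherent_risk: int
    residual_risk: float
    safeguards: List[str]
    recommendation: str

def impact_of(asset: Asset, threat_class: str) -> int:
    """Impact = highest sensitivity among the attributes this threat class defeats."""
    return max(asset.sensitivity.get(a, 1) for a in THREAT_CLASSES[threat_class])

def assess(assets: List[Asset], threats: List[Threat], safeguards: List[Safeguard],
           add_at_or_above: float = 6.0, remove_below: float = 3.0) -> List[RiskEntry]:
    """Steps Three and Four: score each threat with and without its safeguards, recommend, rank."""
    by_name = {a.name: a for a in assets}
    register: List[RiskEntry] = []
    for t in threats:
        impact = impact_of(by_name[t.asset], t.threat_class)
        applicable = [s for s in safeguards if (s.asset, s.threat_class) == (t.asset, t.threat_class)]
        remaining = 1.0                       # assumption: independent safeguards, multiply what each leaves
        for s in applicable:
            remaining *= 1.0 - s.effectiveness
        inherent = t.likelihood * impact      # risk with no safeguards at all
        residual = round(t.likelihood * remaining * impact, 2)   # risk after safeguards in place
        if residual >= add_at_or_above:
            rec = "add safeguards"            # highest residual risk: management must act
        elif applicable and inherent < remove_below:
            rec = "consider removing safeguard"   # safeguard spent on a low-risk threat
        else:
            rec = "accept residual risk"
        register.append(RiskEntry(t, impact, inherent, residual, [s.name for s in applicable], rec))
    register.sort(key=lambda e: e.residual_risk, reverse=True)   # highest risk first
    return register

def sample_assessment() -> List[RiskEntry]:
    """Constructed PKI example: three assets, five threats, four safeguards (all figures assumed)."""
    assets = [   # sensitivity tuples follow the ATTRIBUTES order
        Asset("CA root key material", dict(zip(ATTRIBUTES, (5, 5, 3, 5, 5, 5, 4)))),
        Asset("Certificate database", dict(zip(ATTRIBUTES, (2, 5, 4, 4, 4, 4, 4)))),
        Asset("Public CRL mirror", dict(zip(ATTRIBUTES, (1, 4, 3, 2, 1, 1, 2)))),
    ]
    threats = [
        Threat("CA root key material", "disclosure", "insider with HSM administrator role", 2),
        Threat("CA root key material", "destruction", "fire in the CA facility", 1),
        Threat("Certificate database", "modification", "compromised RA account", 3),
        Threat("Public CRL mirror", "interruption", "denial of service against the mirror", 4),
        Threat("Public CRL mirror", "disclosure", "web crawler fetching the CRL", 2),
    ]
    safeguards = [
        Safeguard("CA root key material", "disclosure", "HSM with split-knowledge activation", 0.9),
        Safeguard("CA root key material", "destruction", "offsite backup of key shares", 0.8),
        Safeguard("Certificate database", "modification", "dual control on RA changes", 0.5),
        Safeguard("Public CRL mirror", "disclosure", "manual review of CRL download logs", 0.5),
    ]
    return assess(assets, threats, safeguards)

if __name__ == "__main__":
    for e in sample_assessment():
        print(f"{e.residual_risk:5.1f} (inherent {e.inherent_risk:2d}) {e.threat.asset}: "
              f"{e.threat.threat_class} by {e.threat.agent} -> {e.recommendation}")
```

Run as written, the register ranks the unprotected denial of service against the CRL mirror first and the half-mitigated RA compromise second, both flagged for additional safeguards; the two root-key threats drop to low residual risk behind their existing controls and are accepted; and the log-review safeguard on disclosure of an already public CRL is flagged as a candidate for removal, which is the Step Four outcome the text describes. Re-running the same code after a personnel, site or system change is the review loop the paragraph above calls for.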

The SPYRUS template is based on widely accepted international standards such as ISO/IEC Technical Report 13335, Guidelines for the Management of IT Security.

© 2009 SPYRUS, Inc.