Mountains

Documenting Risk Assessments

By shellatreille | returnsyourgazeart | 30 Nov 2020


It is important for an organization to perform risk assessments on their WLANs (Wireless Local Area Networks) and IP (Internet Protocol) Mobility.  Risk assessments should be performed regularly.  They are an important part of risk management procedures.  Risk assessments assist an organization with calculating their acceptable risk level.  These assessments also assist with creating control measures (Metivier, 2017).  Risk assessments are a fundamental part of securing an organization’s IT assets.  The risk assessment process provides the parameters and minimum-security requirements needed for risk assessments.  Risk assessment procedures should address important risk assessment theories using a step-by-step method so that all risk assessments are conducted in the same manner.  Every risk assessment should be appropriately documented (U.S. Department of Education, 2004).  The results of a risk assessment should be regularly reviewed to confirm that all the assessment’s results are still applicable (Metivier, 2017).  The processes documented in risk assessment procedures must be used reliably throughout the entire organization.  This documentation will create a standardized approach to conducting current and future risk assessments.  It will also assist with security audits (U.S. Department of Education, 2004).  

Risk measures the amount of an organization’s IT resources that will become unprotected based on the misuse of a weakness by a possible threat.  Risk consists of two parts.  Part One is the influence that a misused weakness will have on an organization’s business objectives or functions.  Part Two is the probability that a weakness will materialize.  A risk assessment assists an organization with evaluating and understanding the risks that are related to possible threats and weaknesses.  A risk assessment assists with measuring the usefulness of an organization’s current WLAN and IP Mobility security controls (U.S. Department of Education, 2004).  There are several risk categories that the organization should consider including in their risk assessment plan, which include strategic, reputational, operational, transactional, and compliance (Metivier, 2017). 

Threats to an organization include circumstances, events, or acts that could harm the organization’s WLAN and IP Mobility by destroying, disclosing, modifying, or denying service to automated information resources.  The three categories of threats include natural, environmental, and human.  Natural threats are disasters caused by extreme weather or earthquakes.  Environmental threats are environmental control failures caused by utility failures.  Human threats are threat agents, which include insiders, contractors, subcontractors, former employees, unauthorized users, current employees, and any authorized or approved users.  Threats can exploit vulnerabilities (U.S. Department of Education, 2004). 

The risk assessment process should provide information to the organization with regards to their IT security.  This process should be efficient, organized, and flexible.  It should be a reliable process used across the entire WLAN and IP Mobility.  It should create the parameters and minimum standards that will be required for all risk assessments that correspond with IT security policies.  The risk assessment process can be utilized by an organization to conduct risk assessments during all phases of the WLAN’s and IP mobility’s life cycle. It can assist with understanding the risk assessment reports that were conducted (U.S. Department of Education, 2004). 

A risk assessment’s objective is to measure the influence that possible threats will have on weaknesses.  A risk assessment benefits an organization by assisting them with recognizing vulnerabilities.  It allows them to make informed decisions about the implementation of security controls and remediation methods.  It supports reliable approaches to risk evaluation.  It permits them to place values on possible losses.  It also arranges risk levels based on how important they are to mission criticality and sensitive information (U.S. Department of Education, 2004). 

A risk assessment questionnaire should be created to obtain all pertinent data with regards to managerial, operational, and technical controls that will be used.  Interviews with individuals or teams responsible for the WLAN and IP Mobility should be conducted in order to obtain pertinent information on the current IT system, security, and procedures that are in place.  An onsite site survey should be conducted in order to retrieve information on the physical, environmental, operational, and technical security of the WLAN and IP Mobility.  There are various documents that should be reviewed before the risk assessment is conducted, including mission statements, IT inventory information, security policies, organizational charts, system function requirements, lists of system components and applications, system architecture diagrams, firewall and router policies, server and workstation configuration files, system security controls, operations manual, SOP (Standard Operating Procedures), reports from previous risk assessments, physical security plans, configuration management policies, disaster recovery plans, site floor maps, and system user manuals.  During the risk assessment, scanning and network mapping tools should be used.  Examples of these tools include Nmap (Network Mapper), Nessus, and SARA (Security Auditor’s Research Assistant) (U.S. Department of Education, 2004). 

Step One of a risk assessment characterizes the system.  Step One obtains information on system documents.  Interviews are also conducted (U.S. Department of Education, 2004).  This step assists the organization with identifying security threats.  The system’s processes, functions, and applications will be reviewed.  The information that should be obtained on each process, function, and application include its definition, what it does, the type of data it uses, the vendor’s name, the internal and external interfaces, its users, its data flow, and where its information is traveling (Metivier, 2017).  Other information collected includes the organization’s mission, system security requirements, business operations, system policies, system security architecture, system and network security controls, organizational policies and procedures, physical and procedural security controls, system operating environment information, functional requirements, information storage and flows, and the organization's security posture (U.S. Department of Education, 2004). 

The data that is obtained from existing documentation, such as the inventory submission form from the system and personnel interviews, should be reviewed and evaluated to find out what the system boundaries, functionality, and security requirements are.  A suitable risk assessment is unable to be conducted until the system boundaries are known, along with determining security requirements and other requirements that are unique to the organization’s system.  Mission criticality and information sensitivity levels all must be established since they will help identify threats in Step 2 and weaknesses in Step 3.  Once the system has been characterized, the rest of the risk assessment can be performed (U.S. Department of Education, 2004). 

Step Two of a risk assessment identifies threats.  The information obtained from Step One will be used to create a list of possible threats and threat agents.  Advisories, interviews, incident reports, and other resources will be utilized to identify possible threats (U.S. Department of Education, 2004).  There are many threats that could harm an organization’s WLAN and IP Mobility.  Unauthorized access can be malicious or accidental.  Unauthorized access can occur via a direct hacking attack, a compromised system, malware, viruses, worms, trojans, loss or theft of mobile devices, data theft, and / or an internal threat.  There could be a misuse of information or privilege by an authorized user.  This could occur due to unauthorized data usage and unauthorized changes.  There could be data leaks and unintentional information exposure.  Examples of this include allowing unencrypted USB drives without restricting them, poor paper retention and destruction policies, broadcasting NPPI (Non-Public Personal Information) over unsecured channels, and unintentionally transmitting sensitive information to the incorrect recipient.  There could be data loss, which could be due to inadequate replication and back-up procedures.  Disruption of services and productivity could also occur (Metivier, 2017).  

Step Three of a risk assessment identifies vulnerabilities.  Step Three methodically assesses the weaknesses that could be a potential problem for the system resources and information.  Based on this information, a list of possible vulnerabilities is generated.  The information that is used to create the system vulnerabilities list includes previous risk assessments, audit comments, advisories, interviews with key personnel, current security controls, system characterization, mission criticality, and information sensitivity levels.  The system vulnerabilities list will be mapped to the threats that were discovered in Step Two (U.S. Department of Education, 2004).  Also, during Step Three, inherent risk and risk impact will be determined.  Impact ratings include high, medium, and low.  A high risk will have a major impact on an organization.  A medium impact will cause an organization to incur damages and inconveniences.  However, the organization will be able to recover.  A low impact will cause the organization minimal or almost no harm.  The data obtained from characterizing the system is used in this step.  It assists the organization with determining what the impact will be if the threat was implemented (Metivier, 2017). 

Step Four of a risk assessment analyzes risk.  Evaluating system risks includes evaluating threats, vulnerabilities, mission criticality, and information sensitivity levels.  These items were established during the risk assessment’s previous steps.  The goal of Step Four is to create a risk statement and assign risk levels to all the threats and vulnerabilities that were identified (U.S. Department of Education, 2004).  The amount of risk can be calculated using an equation, which is “Risk Rating = Impact (if exploited) x Likelihood (of exploit in the assessed control environment).”  A severe risk is a major threat to an organization and risk reduction remediation should be instantaneous.  An elevated risk is a threat to the organization, but risk reduction remediation can be performed in a sensible timeframe.  A low risk is a threat that is common and typically accepted, but it could still negatively impact the organization.  During this step, the control environment will also be analyzed.  The organization will recognize threat prevention, mitigation, detection, and compensating controls and what their connection is to each detected threat (Metivier, 2017). 

Risk impact, level, likelihood, and prioritization must also be established during Step Four.  Risk impact is the amount of possible damage that could be caused by an exploited vulnerability.  To establish risk impact, mission criticality and information sensitivity can provide useful information.  Other information should be used, such as the inherent value and importance level of the system resources that are at risk.  If these resources are compromised, the amount of negative impact that this will have on the organization must be assessed.  The level of risk impact can be measured as high, medium, or low (U.S. Department of Education, 2004). 

To establish risk likelihood, all threats and vulnerabilities are evaluated.  Vulnerability exploitation assessment includes reviewing threat capability, threat frequency, and usefulness of existing remediation measures.  The likelihood that a vulnerability will be exploited by a threat can be measured as high, medium, or low (U.S. Department of Education, 2004).  The control environment will be used to assist with determining a likelihood rating.  A high rating means that the threat is very motivated and very capable.  The controls that have been implemented to prevent the vulnerability from being exercised are unsuccessful.  A medium rating means that the threat is motivated and capable.  The controls that have been implemented might hinder the successful exercise of the vulnerability.  A low rating means that the threat doesn’t have any motivation or capability.  The controls that have been implemented might prevent or hinder the vulnerability from being exercised (Metivier, 2017).  Risk level is provided after values are assigned to risk impact and risk likelihood.  The risk level will be equal to the intersection of the risk likelihood and risk impact values (U.S. Department of Education, 2004).  

Once the risk assessment is completed, risks must be prioritized.  The risk assessment report is given to the organization.  The organization must prioritize each risk, which will assist with the creation of a remediation plan to tackle the risks that were detected.  The risk prioritization process will be based on the organization’s mission, objectives, mission criticality, business operations, and system’s inventory submission form.  The costs and benefits of risk mitigation must also be evaluated.  An organization can rank risk levels using time limits, cost and / or level of effort.  Risk mitigation should be based on the needs of the system that is being assessed for risk (U.S. Department of Education, 2004). 

Step Five of a risk assessment is identifying recommendations.  Step Four provided the organization with a statement of risk and risk level.  This information will be used to identify remediation measures that will be used to mitigate risks.  Remediation measures include devices, procedures, safeguards, techniques, or any other method that will diminish a risk or vulnerability.  When remediation measures are being reviewed, the level of effort, costs, emerging technologies, time limits, and feasibility must be considered.  Controls should also be employed.  These controls include managerial, operational, and technical.  Once remediation measures are identified, they will be re-assessed so that new vulnerabilities won’t be introduced.  Once Step Five is finished, the risk assessment is done (U.S. Department of Education, 2004). 

Step Six of a risk assessment documents all the results in a detailed report.  The report should include information collected in the first five steps.  The report should include accurate details on the risks that are associated with the WLAN, IP Mobility, IT assets, the system, applications, functions, and any other processes included within the scope of the risk assessment.  All supporting findings and control details should be included in the report.  It should also include all applicable recommendations that can help the organization decrease risk and increase their security posture.  The report should include appropriate management responses to all findings and recommendations.  All risk assessment calculations should be included in the report.  The report should include all control details outlined by categories (Tyler Cybersecurity, n.d.). 

The organization should evaluate the results found within the report.  Risk mediation measures and costs should be identified.  A security action plan should be created.  Action should be taken so that the IT security requirements for each risk are completed (U.S. Department of Education, 2004).  The report should provide the organization with information on what might go wrong, the likelihood that this type of event will happen, and the harm it will do if it does happen.  This information will help the organization detect inherent risks based on relevant threats, threat sources, and related vulnerabilities.  It will also assist the organization with determining what the impact will be if the threat source was effective.  It will help the organization calculate the likelihood of occurrence, while using the control environment to assist with determining residual risk.  An organization’s decision-making and policy development will be influenced by the risk assessment’s results.  The report should document their IT assets.  To manage risk effectively, an understanding of the importance of their IT assets must be obtained.  This will allow the IT assets to be properly reviewed for risk exposures (Metivier, 2017a). 

It is important for an organization to perform a regular risk assessment on their WLAN and IP Mobility.  The risk assessment should also be appropriately documented.  An organization is exposed to risks daily, which is why risk management is so important.  Properly managing risk begins with risk assessment.  When an organization doesn’t evaluate risks, those risks won’t be adequately managed.  Unmanaged risks will leave an organization vulnerable to security threats on their WLAN and IP Mobility.  Risk assessment procedures should support an organization’s objectives while decreasing risk in a cost-effective manner.  An organization should create an operational framework that aligns with their size, scope, and complexity.  Internal and external systems must be identified that are essential to the organization’s business operations, along with any that process, store, or transmit sensitive data.  Once this information is obtained, a risk assessment schedule can be developed that’s based upon mission criticality and information sensitivity.  This will result in a cost-effective and manageable plan that will safeguard the organization’s IT assets, WLAN, and IP Mobility while maintaining productivity and operational efficiency (Metivier, 2017). 

 

References

Metivier, B. (2017, April 11). 6 Steps to a Cybersecurity Risk Assessment [Blog]. Retrieved from Tyler

Cybersecurity / Sage Advice - Cybersecurity Blog:

https://www.tylercybersecurity.com/blog/6-steps-to-a-cybersecurity-risk-assessment

 

Metivier, B. (2017a, May 04). How to Define Cybersecurity Risk [Blog]. Retrieved from Tyler Cybersecurity

/ Sage Advice - Cybersecurity Blog:

https://www.tylercybersecurity.com/blog/how-to-define-cybersecurity-risk

 

Tyler Cybersecurity. (n.d.). Cybersecurity Risk Assessment and Analysis. Retrieved from Tyler

Cybersecurity: https://www.tylercybersecurity.com/services/cybersecurity-consulting-advisory-

services/risk-assessment

 

U.S. Department of Education. (2004, January 13). Handbook for Information Technology Security

Risk Assessment Procedures. Retrieved from Administrative Communications System: U.S.

Department of Education: https://www2.ed.gov/policy/gen/leg/foia/acshbocio7.pdf

How do you rate this article?

3


shellatreille
shellatreille

Artist, Photographer, Writer, Creative Innovator, Website / Graphic Designer, & Human Resources Manager in Orem, Utah. I enjoy learning new things, traveling to historic, paranormal, & abandoned places, rock hounding, museums, technology, & the abstract.


returnsyourgazeart
returnsyourgazeart

This blog will showcase my photography, art, short stories, poetry, and recipes. It will be abstract and colorful. My website: www.ReturnsYourGazeArt.com and www.shellatreille.com

Publish0x

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.