CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [154]

based on doing assessments that lead to dollar amounts.

Real World Scenario

Conducting a Risk Assessment

You’ve been asked to do a quick assessment of the risks your company faces from a security perspective. What steps might you take to develop an overview of your company’s problems?

You should interview the department heads and the owners to determine what information they feel needs additional security and what the existing vulnerabilities are from their perspectives. You should also evaluate the servers to determine their known vulnerabilities and how you might counter them. Additionally, you should make sure you do a physical assessment of the facility to evaluate what physical risks you must counter. Armed with this information, you have a place to start, and you can determine which measures may be appropriate for the company from a risk perspective.

When you’re doing a risk assessment, one of the most important things to do is to prioritize. Not everything should be weighed evenly because some events have a greater likelihood of happening; in addition, a company can live with some risks, whereas others would be catastrophic. One method of measurement to consider is annualized rate of occurrence (ARO). This is the likelihood, often drawn from historical data, of an event occurring within a year. This measure can be used in conjunction with a monetary value assigned to data to compute single loss expectancy (SLE) and annual loss expectancy (ALE) values.

When you’re computing risk assessment, remember this formula:

SLE x ARO = ALE

Thus, if you can reasonably expect that every SLE will be equivalent to $1,000 and that there will be seven occurrences a year (ARO), then the ALE is $7,000. Conversely, if there is only a 10 percent chance of an event occurring in a year (ARO = .1), then the ALE drops to $100.

Real World Scenario

Risk-Assessment Computations

As a security professional, you should know how to compute SLE, ALE, and ARO. Given any two of the numbers, it’s possible to calculate the third. For this exercise, compute the missing values:

1. You’re the administrator of a web server that generates $25,000 per hour in revenue. The probability of the web server failing is estimated to be 25 percent, and a failure would lead to three hours of downtime and cost $5,000 in components to correct. What is the ALE?

The SLE is $80,000 ($25,000 x 3 hours + $5,000), and the ARO is .25. Therefore the ALE is $20,000 ($80,000 x .25).

2. You’re the administrator for a research firm that works on only one project at a time and collects data through the Web to a single server. The value of each research project is approximately $100,000. At any given time, an intruder could commandeer no more than 90 percent of the data. The industry average for ARO is .33. What is the ALE?

The SLE equals $90,000 ($100,000 x .9), and the ARO is .33. Therefore, the ALE is $29,700 ($90,000 x .33).

3. You work at the help desk for a small company. One of the most common requests you must respond to is to help retrieve a file that has been accidentally deleted by a user. On average, this happens once a week. If the user creates the file and then deletes it on the server (about 60 percent of the incidents), then it can be restored in moments from the shadow copy, and there is rarely any data lost. If the user creates the file on their workstation and then deletes it (about 40 percent of the incidents), and if it can’t be recovered and it takes the user an average of two hours to re-create it at $12 an hour, what is the ALE?

The SLE is $24 ($12 x 2), and the ARO is 20.8 (52 weeks x .4). Therefore the ALE equals $499.20 ($24 x 20.8).
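The following Python helper is an added example, not part of the study guide. It encodes the SLE x ARO = ALE formula from the previous section, solves for whichever of the three values is missing (the "given any two, calculate the third" point above), reproduces the three exercises, and ranks scenarios by ALE so the prioritization the chapter recommends can be done mechanically. The function and parameter names, and the "risk register" list at the bottom, are this example's own constructions.

```python
"""Annualized loss expectancy helpers (added example, not from the book).

SLE  = single loss expectancy, the dollar cost of one occurrence
ARO  = annualized rate of occurrence, expected occurrences per year
ALE  = annual loss expectancy = SLE x ARO
"""
from __future__ import annotations


def solve_risk(sle: float | None = None,
               aro: float | None = None,
               ale: float | None = None) -> dict[str, float]:
    """Given exactly two of SLE, ARO, ALE, return all three.

    Raises ValueError if the caller supplies the wrong number of inputs or
    asks to divide by zero (an ARO or SLE of 0 makes the third value undefined).
    """
    if sum(v is not None for v in (sle, aro, ale)) != 2:
        raise ValueError("supply exactly two of sle, aro, ale")
    if ale is None:                      # the usual case: ALE = SLE x ARO
        ale = sle * aro
    elif sle is None:                    # SLE = ALE / ARO
        if aro == 0:
            raise ValueError("ARO is 0, so SLE cannot be recovered")
        sle = ale / aro
    else:                                # ARO = ALE / SLE
        if sle == 0:
            raise ValueError("SLE is 0, so ARO cannot be recovered")
        aro = ale / sle
    return {"sle": float(sle), "aro": float(aro), "ale": float(ale)}


# Exercise 1: revenue lost during downtime plus repair parts, 25% yearly chance.
def web_server_ale(revenue_per_hour: float = 25_000, hours_down: float = 3,
                   repair_cost: float = 5_000,
                   failure_probability: float = 0.25) -> dict[str, float]:
    sle = revenue_per_hour * hours_down + repair_cost
    return solve_risk(sle=sle, aro=failure_probability)


# Exercise 2: at most 90% of a $100,000 project exposed, industry ARO of .33.
def research_firm_ale(project_value: float = 100_000,
                      exposed_fraction: float = 0.9,
                      aro: float = 0.33) -> dict[str, float]:
    return solve_risk(sle=project_value * exposed_fraction, aro=aro)


# Exercise 3: weekly incidents, but only the 40% on workstations cost anything,
# so the unrecoverable fraction is folded into the ARO rather than the SLE.
def help_desk_ale(hourly_rate: float = 12, hours_to_recreate: float = 2,
                  incidents_per_year: float = 52,
                  unrecoverable_fraction: float = 0.4) -> dict[str, float]:
    sle = hourly_rate * hours_to_recreate
    aro = incidents_per_year * unrecoverable_fraction
    return solve_risk(sle=sle, aro=aro)


def prioritize(risks: dict[str, dict[str, float]]) -> list[tuple[str, float]]:
    """Rank named scenarios by ALE, highest first, to decide where to spend."""
    return sorted(((name, r["ale"]) for name, r in risks.items()),
                  key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    # Constructed risk register built from the three exercises above.
    register = {
        "web server outage": web_server_ale(),
        "research data theft": research_firm_ale(),
        "deleted user files": help_desk_ale(),
    }
    for name, ale in prioritize(register):
        print(f"{name:<22} ALE ${ale:,.2f}")
    # Recover a missing value from the chapter's $1,000 / 7 occurrences example.
    print(solve_risk(ale=7_000, aro=7))
```

Each exercise function takes its inputs as keyword arguments with the book's values as defaults, so the same code can be re-run with an organization's own revenue, downtime and repair figures.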

Developing Policies, Standards, and Guidelines

The process of implementing and maintaining a secure network must first be addressed from a policies, standards, and guidelines perspective. This sets the tone, provides authority, and gives your efforts the teeth they need to be effective. Policies and guidelines set a standard of expectation in an organization.
