Monthly Archives: December 2014

Threat Risk Assessment: A Quick Primer

‘Tis the season for data breaches!

From an information security perspective, the news has been downright depressing lately. In the wake of recent career-halting data breaches, it couldn’t hurt to start thinking about threat risk assessments for your organization.

While there are numerous types of threat risk assessment methods, they all try to answer the same questions with regard to organizational assets:

  • What needs to be protected?
  • Who and/or what are the threats and vulnerabilities?
  • What are the implications if they are damaged or lost?
  • What is the value to the organization?
  • What can be done to minimize exposure to the loss or damage?

The objective of a threat risk assessment is to provide recommendations that can maximize the organizational protection of confidentiality, integrity, and availability while still allowing functionality and usability.

The primary phases of a threat risk assessment are:

  • Scope: This phase identifies what needs to be protected, the sensitivity of what is being protected, and what systems and applications are included in the assessment.
  • Data Collection and Analysis: This step involves collecting and analyzing all policies and procedures that are in place to determine any applicable gaps in documentation. Systems and applications identified in the scope are audited to determine their current state. Key personnel are normally interviewed during this stage as well.
  • Vulnerability Analysis: This step takes what was identified in the data collection/analysis and determines the current exposure, and whether current safeguards are sufficient in terms of confidentiality, integrity, or availability. It will also indicate whether the proposed safeguards will be sufficient. The vulnerabilities are graded according to the level of risk that they pose to the organization.
  • Threat Analysis: Threats are described as anything that would contribute to the tampering, destruction, or interruption of any service or item of value. This analysis will look at every element of risk that could conceivably happen. Threats must be looked at as they relate to the business environment and how they can affect that environment. These threats are graded in a similar manner as vulnerabilities.
  • Determination of Acceptable Risk: This step involves the analysis of the findings to help determine, with the help of key stakeholders, what level of risk is acceptable to the organization.

A threat risk assessment should be a continual process that is reviewed regularly to determine if current safeguards are still effective.

If you don’t perform some form of a threat/risk analysis, you leave your organization open to a world of hurt that could destroy your ability to conduct business.

For further information, please see Dell’s whitepaper on the current and future state of IT security.

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. To learn more about tech news and analysis visit Tech Page One. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.

Compliance: Hard core Dell users get it!

I arrived at Dell World in Austin, Texas on November 4. For the record, I was not a Dell customer attending a Dell customer event—an outsider of sorts, not to say that I didn’t feel welcome. The famous Texas hospitality was more than evident!

Luckily I was able to select conference sessions ahead of time, as the selection was massive. Naturally, I gravitated towards any sessions that revolved around information security.

I attended a session which discussed compliance from a user’s perspective… how to effectively achieve it on your own, or as I like to call it “How to make the auditor happy.”

Data breaches are rampant… almost commonplace in this day and age. A week rarely goes by without at least one large corporation in the news for losing personally identifiable information due to inadequate security controls. Information security awareness is higher than it’s ever been, but understanding complex compliance requirements is an intimidating endeavour to say the least. Many users are starting to self-assess (even if not officially required to), but eventually get bogged down by the technical details and jargon. Hiring a security auditor is always an option, but many lack the financial resources to do so. Being able to attend sessions like these at Dell World is a great benefit to both its users and partners.

Here are some of the key takeaways from the discussion:

1. How to manage by automation

  • Administer and revoke access rights and permissions
  • Implement best-practice compliance reporting
  • Protect, retain and retrieve data for on-the-fly investigations
  • Enforce compliance with company policies across desktops, laptops, etc.

2. How to remediate by changing the way you operate

  • Implement preventative controls
  • Establish policy over accounts, privileges and resources
  • Establish perimeter boundaries through application control and visibility

3. How to think like an auditor

  • Track security and performance indicators
  • Audit and report on user activity
  • Perform checks for segregation of duties
  • Enable real-time alerts
  • Establish security and compliance awareness training
  • Analyze access rights and permissions to critical data
  • Determine configuration settings and set baselines

There were numerous opportunities for me to reveal myself as a PCI Qualified Security Assessor during the session, but I decided to stay quiet in order to hear unbiased opinions from the attendees.

I wasn’t disappointed. The questions from the audience were thoughtful and challenging. They know too well that the real world often gets in the way when it comes to implementing adequate security controls, but at the same time they are taking compliance seriously.

It warms this auditor’s heart. Well done Dell.

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. To learn more about tech news and analysis visit Tech Page One. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.