Data Security: A 5-Step Risk Assessment Plan

By Peyton Engel | Posted August 04, 2010

Organizations of all sizes face a constant barrage of data security threats.  Botnets, malware, worms and hacking are just a few things that keep IT managers and small business owners awake at night, wondering if their network is safe and strong enough to deflect the next attack.  Rather than reaching for a sleep aid to get through the night, you need a coherent way to prioritize and address data security risks.

[Figure: Microsoft STRIDE risk assessment spreadsheet. Microsoft's STRIDE method is a simple way for you to rate threats to your information assets.]

Too many organizations are overwhelmed and either suffer from a “security paralysis,” or attempt to apply a few “best practices” in the hope that what worked for another company will work for them.  Neither of these approaches is a rational strategy for protecting information assets or for maximizing the value returned from security investments. 

While some organizations have the ability or the obligation to engage in a formal risk assessment process, smaller organizations may prefer to conduct an internal assessment.  CDW advises small businesses to consider five steps to develop a solid foundation for their security strategy. These steps are ideal for organizations that need simple guidance on getting started.  CDW also advises SMBs to invest the time and effort needed to produce meaningful results, and to understand any risk assessment requirements that already apply to them.

To get started, include decision makers from across your organization.  A group of five to seven people works best, but the goal is to have all departments represented (e.g. IT department, finance department, C-level management, business owner, etc.). Once you have your team assembled, you're ready to begin the 5-step process.

1. Identify information assets.  Consider the primary types of information that your company handles (e.g., social security numbers, payment card numbers, patient records, designs, human resources data), and make a priority list of what needs to be protected.  As a guide, plan to spend no more than one to two hours on this step.

2. Locate information assets.  Identify and list where each item on the information asset list resides within the organization (e.g., file servers, workstations, laptops, removable media, PDAs and phones, databases).

3. Classify information assets.  Assign a rating to your information asset list.  Consider a 1-5 scale, with the following categories:

  1. Public information (e.g., marketing campaigns, contact information, finalized financial reports, etc.)
  2. Internal, but not secret, information (e.g., phone lists, organizational charts, office policies, etc.)
  3. Sensitive internal information (e.g., business plans, strategic initiatives, items subject to non-disclosure agreements, etc.)
  4. Compartmentalized internal information (e.g., compensation information, merger and acquisition plans, layoff plans, etc.)
  5. Regulated information (e.g., patient data, classified information, etc.)

This classification scheme lets you rank information assets based on the amount of harm caused if the information was disclosed or altered.  The team should strive to be realistic and aim for consensus.

4. Conduct a threat-modeling exercise.  Rate the threats facing your top-rated information assets.  One option is to use Microsoft’s STRIDE method, which is simple, clear and covers most of the top threats (see pictured chart).  You might consider using an outside consultant with experience in this area to facilitate conversation.  Develop a spreadsheet for each asset, listing the STRIDE categories on the X axis:

STRIDE:

  • Spoofing of Identity
  • Tampering with Data
  • Repudiation of Transactions
  • Information Disclosure
  • Denial of Service
  • Elevation of Privilege

On the Y axis, list the data locations identified in Step 2.  For each cell, estimate the following:

  • The probability of this threat actually being carried out against this asset at the location in question
  • The impact that a successful exploitation of a weakness would have on the organization

Use a 1-10 scale for each of the above (e.g., 1 is "not very likely" or "this would not have a large impact," 10 is "quite probable" or "catastrophic").  Then multiply those two numbers together and enter the product in the cell.  The spreadsheet should be populated with numbers from 1 to 100.  This activity will likely take a full day for smaller organizations and several days for larger ones.

5. Finalize data and start planning.  Multiply all the cells in each of the worksheets by the classification rating assigned to the asset in Step 3.  The result is a rational and comprehensive ranking of threats to the organization.  It includes both the importance of the assets at stake and a broad spectrum of possible contingencies.  A reasonable security plan will tackle the risks identified with the highest numbers.  Many organizations set security thresholds as follows:

  • 1-250: Will not focus on threats at this level
  • 250-350: Will focus on these threats as time and budget allow
  • 350-450: Will address these threats by the end of the next budget year
  • 450-500: Will focus immediate attention on these threats

These thresholds are just examples, and in practice, the results will likely be skewed either towards the top or bottom of the scale, so you should adjust responses accordingly.
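The scoring described in Steps 3 through 5 is easy to get wrong in a hand-built spreadsheet (a cell multiplied by the wrong classification, a threshold applied to the unweighted 1-100 value), so here is the whole chain carried through in code.  This is an added example, not part of the article or any CDW material: the STRIDE categories, the 1-10 and 1-5 scales and the four threshold bands are taken from the text above; the asset names, locations and ratings in SAMPLE_ASSETS are constructed for illustration; and because the article's bands share boundary values (250, 350, 450 each appear twice), treating each band's upper bound as inclusive is an assumption made here.

```python
# Risk scoring for the five-step plan: Step 3 classification (1-5),
# Step 4 cell = probability x impact (1-100), Step 5 = cell x classification
# (1-500), then ranked against the example thresholds.

STRIDE = (
    "Spoofing of Identity",
    "Tampering with Data",
    "Repudiation of Transactions",
    "Information Disclosure",
    "Denial of Service",
    "Elevation of Privilege",
)

# Step 5 thresholds from the article.  Treating each upper bound as
# inclusive is an assumption; the article leaves the boundaries ambiguous.
THRESHOLDS = (
    (250, "Will not focus on threats at this level"),
    (350, "Will focus on these threats as time and budget allow"),
    (450, "Will address these threats by the end of the next budget year"),
    (500, "Will focus immediate attention on these threats"),
)


def _check_range(name, value, low, high):
    if not isinstance(value, int) or not low <= value <= high:
        raise ValueError(f"{name} must be an integer in {low}-{high}, got {value!r}")


def cell_score(probability, impact):
    """Step 4: one spreadsheet cell, probability x impact (1-100)."""
    _check_range("probability", probability, 1, 10)
    _check_range("impact", impact, 1, 10)
    return probability * impact


def weighted_score(probability, impact, classification):
    """Step 5: cell score x Step 3 classification (1-500)."""
    _check_range("classification", classification, 1, 5)
    return cell_score(probability, impact) * classification


def threshold_action(score):
    """Map a weighted score onto the article's example response bands."""
    _check_range("score", score, 1, 500)
    for upper, action in THRESHOLDS:
        if score <= upper:
            return action
    raise AssertionError("unreachable: score validated to be <= 500")


def asset_matrix(asset):
    """Build one asset's worksheet: {location: [weighted score per STRIDE column]}."""
    matrix = {}
    for (location, threat), (probability, impact) in asset["cells"].items():
        if threat not in STRIDE:
            raise ValueError(f"unknown STRIDE category: {threat!r}")
        row = matrix.setdefault(location, [0] * len(STRIDE))
        row[STRIDE.index(threat)] = weighted_score(probability, impact, asset["classification"])
    return matrix


def rank_threats(assets):
    """Flatten every worksheet into one list, highest weighted score first."""
    rows = []
    for name, asset in assets.items():
        for location, row in asset_matrix(asset).items():
            for threat, score in zip(STRIDE, row):
                if score:  # unrated cells stay at 0 and are skipped
                    rows.append({"asset": name, "location": location, "threat": threat,
                                 "score": score, "action": threshold_action(score)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample input (hypothetical ratings): each asset carries its Step 3
# classification and Step 4 cells keyed by (Step 2 location, STRIDE category).
SAMPLE_ASSETS = {
    "Payment card numbers": {
        "classification": 5,  # regulated information
        "cells": {
            ("database", "Information Disclosure"): (10, 10),
            ("laptops", "Information Disclosure"): (8, 9),
            ("database", "Denial of Service"): (3, 6),
        },
    },
    "Phone list": {
        "classification": 2,  # internal, but not secret
        "cells": {
            ("file servers", "Information Disclosure"): (5, 2),
            ("file servers", "Tampering with Data"): (4, 3),
        },
    },
}

if __name__ == "__main__":
    for row in rank_threats(SAMPLE_ASSETS):
        print(f"{row['score']:>3}  {row['asset']:<22} {row['location']:<13} "
              f"{row['threat']:<28} {row['action']}")
```

Running the block prints the ranked list; with the sample ratings, card data in the database scores 500 and lands in the "immediate attention" band, the same data on laptops scores 360, and the phone-list cells score 20 and 24, well below the first threshold.  The range checks in `_check_range` matter in practice: they catch the common mistake of feeding an unweighted 1-100 cell value, or a 0, into the threshold lookup.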

The goal of the risk assessment exercise is to lay a foundation for sensible security planning.  Going through a risk assessment exercise alone will not actually fix security problems; the real work -- building protective, risk-reducing solutions -- still lies ahead. 

CDW recommends that you align security spending with specific threats and focus on cost-effective measures.  Having a prioritized list of threats lets you focus your efforts on the areas that matter most and avoid spending on security technologies or activities that are less essential, or irrelevant, to fixing the problems you identified.

Peyton Engel is a technical architect for CDW.
